fix: add auth gate to test-delays fixture and harden performance-audit recipe
- tools/qm-bridge/ai-ddtk-test-delays.php: add current_user_can('manage_options')
gate to both template_redirect action and shortcode handler so anonymous
visitors cannot trigger slow queries or CPU-bound loops via query param
- recipes/performance-audit.md: add mu-plugins path confirmation step before
writing any instrumentation files; add Phase 5 Cleanup with security warning
about test-delays fixture; renumber Phase 5 Report to Phase 6; update
WP Performance Timer link to Hypercart-Dev-Tools org; prefer MCP tool for
WPCC scan in agent summary; add cleanup step to agent workflow
recipes/performance-audit.md
21 additions & 6 deletions
@@ -57,6 +57,8 @@ Focus on:
57
57
58
58
### Phase 3: Runtime Profiling
59
59
60
+
> **Before writing any mu-plugin or instrumentation file**, confirm the target site's mu-plugins path with the user. For Local by Flywheel, this is typically `~/Local Sites/<site-name>/app/public/wp-content/mu-plugins/`. Do not assume the path — show it and get confirmation first.
61
+
60
62
For each confirmed issue, add performance timers:
61
63
62
64
```php
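Review bot: The note added ahead of "For each confirmed issue, add performance timers:" asks the agent to confirm only the mu-plugins path, not the kind of environment behind it. The Phase 5 warning in this same file says the test-delays fixture is for local profiling only, so the confirmation should also establish that the target is a local or otherwise non-public site, and the note should say to stop without writing any file if the user does not confirm. The example path contains a space (`~/Local Sites/...`), so it is also worth telling the agent to quote it in any shell command.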
@@ -98,7 +100,18 @@ if (isset($timer) && function_exists('perf_timer_stop')) {
98
100
- NeoLog session files
99
101
- Admin → Tools → Performance Logs
100
102
101
-
### Phase 5: Report
103
+
### Phase 5: Cleanup
104
+
105
+
After profiling is complete, remove all instrumentation before merging or deploying:
106
+
107
+
1.**Remove `perf_timer_start()` / `perf_timer_stop()` wrappers** from the code under test
108
+
2.**Remove `ai-ddtk-test-delays.php`** from `mu-plugins/` if it was installed (see security warning below)
109
+
3.**Remove `PERF_LOG_ALL`** from `wp-config.php` if it was added
110
+
4.**Verify** the site loads cleanly without debug artifacts
111
+
112
+
> **Security warning:**`ai-ddtk-test-delays.php` has no auth gate — any visitor can trigger `?aiddtk_test_delays=1` to force slow queries, external HTTP calls, and CPU-bound loops. **Never leave it installed on a public-facing site.** It is a fixture for local profiling only.
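Review bot: The security warning added at the end of Phase 5 says `ai-ddtk-test-delays.php` "has no auth gate" and that "any visitor can trigger `?aiddtk_test_delays=1`", but the commit message states that this same commit adds a `current_user_can('manage_options')` gate to both the `template_redirect` action and the shortcode handler. As written, the recipe documents the pre-fix behaviour. Suggest rewording the warning to say the fixture is restricted to users with `manage_options` as of this change, that copies installed from before it are ungated and must be replaced or removed, and that the file should still be deleted from `mu-plugins/` after profiling because it remains debug code that forces slow queries, external HTTP calls, and CPU-bound loops on request.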
1. Run WPCC scan on the target path (prefer `wpcc_run_scan` MCP tool if available; fall back to `wpcc --paths <path> --format json` via shell if MCP is not connected)
171
184
2. Triage findings for performance-related issues
172
-
3. Guide user to add timers around flagged code
173
-
4. Help interpret the runtime metrics
174
-
5. Provide optimization recommendations based on confirmed bottlenecks
185
+
3.**Confirm the target site's mu-plugins path** with the user before writing any files
186
+
4. Guide user to add timers around flagged code
187
+
5. Help interpret the runtime metrics
188
+
6. Provide optimization recommendations based on confirmed bottlenecks
189
+
7.**Run cleanup** — remove all instrumentation, test fixtures, and debug config before finishing
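Review bot: Step 7, "Run cleanup", gives the agent no concrete completion criteria: "all instrumentation, test fixtures, and debug config" neither names the items nor points to Phase 5. Suggest referencing the Phase 5 checklist explicitly (the `perf_timer_start()` / `perf_timer_stop()` wrappers, `ai-ddtk-test-delays.php` in `mu-plugins/`, `PERF_LOG_ALL` in `wp-config.php`) and having the agent report each removal back to the user, ending with the "site loads cleanly" verification. In step 1, the shell fallback `wpcc --paths <path> --format json` should show the path quoted, since the Local path given in Phase 3 contains a space.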