Development to Main #9

Merged
noelsaw1 merged 113 commits into main from development
Mar 24, 2026

@noelsaw1 noelsaw1 commented Mar 7, 2026

[1.0.10] - 2026-03-07

Changed

  • Version updates
    • README.md updated to 1.0.10
    • install.sh updated to 1.0.10
    • AGENTS.md updated to v2.7.2
  • Playwright Auth instructions now explicitly tell agents to run pw-auth login immediately before browser automation and rerun with --force if the one-time login URL expires or auth is stale

Changed

  • Version updates
    • README.md updated to 1.0.9
    • install.sh updated to 1.0.9
  • Playwright Auth docs now clarify that some imported/proxied Local sites still need WP_ENVIRONMENT_TYPE defined for browser requests, even if WP-CLI is already running in local

Fixed

  • pw-auth false-positive error detection — the Playwright login flow now detects real WordPress wp_die() / fatal pages using error-page markers and specific fatal messages instead of matching generic not allowed text from normal admin markup
  • Dev Login mu-plugin template host allowlist: templates/dev-login-cli.php now accepts *.test hosts in addition to localhost and *.local
  • Dev Login mu-plugin template user resolution — the WP-CLI command now falls back to WP_CLI::get_runner()->config['user'] so wrappers that pass --user as a global WP-CLI flag still resolve the requested user correctly

[1.0.8] - 2026-03-07

Added

  • Playwright Auth helper (pw-auth) for passwordless WP admin login in Playwright sessions
    • New bin/pw-auth CLI with login, status, and clear commands
    • Generates one-time login URLs via WP-CLI, captures auth state via Playwright
    • Caches storageState to ./temp/playwright/.auth/<user>.json relative to CWD (12h default, configurable)
    • Supports Local by Flywheel via --wp-cli "local-wp <site>", custom --redirect paths, --force re-auth
    • Per-user auth files (e.g., admin.json, editor.json)
    • --site-url validated against WP-CLI login URL origin to catch mismatches
    • Auth verification: checks wordpress_logged_in_ cookie, /wp-admin/ accessibility, error page detection
    • Playwright module resolution: pre-check with fallback to playwright-core, temp script file (avoids node -e resolution issues), and automatic npm root -g / NODE_PATH recovery before failing
  • Dev Login CLI mu-plugin template (templates/dev-login-cli.php)
    • One-time, short-lived login tokens via WP-CLI (wp dev login)
    • Host allowlist (localhost, 127.0.0.1, ::1, *.local) with dev_login_allowed_hosts filter
    • --format=url for clean scripting output, --redirect for custom landing pages
    • Disabled in production environments, limited to users with edit_posts capability
    • PHP 7.0+ compatible (no str_ends_with() dependency)
  • Playwright Auth documentation across the toolkit
    • AGENTS.md: Dedicated Playwright Auth section, Available Tools table, Workflow Triggers, Quick CLI Commands
    • README.md: Playwright Auth section with setup, usage, prerequisites, and troubleshooting table
    • temp/README.md: Updated Playwright section with pw-auth workflow, CWD storage note, and Playwright auto-resolution guidance

Changed

  • Version updates
    • README.md updated to 1.0.8
    • install.sh updated to 1.0.8
    • AGENTS.md updated to v2.7.1
  • Playwright Auth guidance now explains that pw-auth auto-attempts global npm-root / NODE_PATH recovery before falling back to manual export instructions
  • 4X4.md trimmed completed Playwright-auth sprint checklist items after they were captured in this changelog

Fixed

  • pw-auth command injection — replaced eval with bash array invocation for WP-CLI command execution; --wp-cli, --user, and --redirect values no longer pass through a shell parser
  • .mjs + require() incompatibility — temp Playwright script now uses .js extension (CJS) so require() works correctly
  • Subdirectory WordPress installs — Playwright verification now uses the full --site-url base path (not just origin) for /wp-admin/ reachability check
  • --redirect double-encoding — removed rawurlencode() from CLI side; add_query_arg() handles encoding, PHP $_GET auto-decodes on the receiving end
  • PHP 7 compatibility — replaced str_ends_with() with substr() in mu-plugin host check
  • Auth file stored in toolkit root — default path changed from AI-DDTK's temp/ to CWD ./temp/playwright/.auth/ so each project gets its own cache
  • --site-url was unused — now validated against the login URL origin returned by WP-CLI; mismatches fail immediately with a clear error
  • Weak auth verification — Playwright script now checks 4 conditions: not on wp-login.php, no WP error page, wordpress_logged_in_ cookie present, /wp-admin/ accessible without redirect
  • Global Playwright installs not resolvable by Node: pw-auth now auto-discovers npm root -g, appends it to NODE_PATH without duplication, re-checks playwright / playwright-core, and logs the auto-configured path before failing

[1.0.7] - 2026-03-06

Added

  • Experimental theme-crash-loop.sh workflow under experimental/
    • Moves the proven crash-loop prototype out of the repo root and into an explicit incubation area
    • Accepts reusable parameters for Local site name, target project root, fallback/target theme slugs, and log overrides
    • Stores run artifacts under the target project's temp/theme-crash-loop/<run-id>/
    • Can launch itself via aiddtk-tmux for unattended repro/debug loops

Changed

  • Version updates
    • README.md updated to 1.0.7
    • install.sh updated to 1.0.7
  • README.md now documents the new experimental/ folder and the initial crash-loop helper
  • 4X4.md trimmed completed tmux-only checklist items and added an experimental crash-loop promotion backlog item
  • Tmux validation status recorded for release hygiene; the previously-open dashboard item is now complete

Fixed

  • Crash-loop workflow portability no longer depends on the script living inside a specific theme repository or on one hardcoded Local site/theme combination
  • Experimental crash-loop verification fixes
    • experimental/theme-crash-loop.sh now supports --dry-run even when the inferred Local site path does not exist yet
    • The experimental helper was marked executable so it can be invoked directly as documented

[1.0.6] - 2026-03-06

Added

  • Optional aiddtk-tmux wrapper for resilient AI-agent terminal sessions
    • New bin/aiddtk-tmux helper with start, status, list, send, capture, attach, and stop
    • Deterministic AI-DDTK session naming based on workspace folders
    • Session output logging to temp/logs/tmux/
    • Friendly fallback messaging when tmux is not installed
  • Tmux proxy documentation across the toolkit
    • README quick-start, usage, dedicated tmux section, and troubleshooting updates
    • AGENTS.md guidance for when agents should switch to tmux-backed workflows
    • temp/README.md updates for tmux log storage and commands

Changed

  • install.sh updated to v1.0.6
    • Status output now reports optional tmux availability
    • Usage and first-run next steps now advertise aiddtk-tmux
    • Internal repository structure comments updated to reflect current toolkit layout
  • Version updates
    • README.md updated to 1.0.6
    • AGENTS.md updated to v2.7.0

Fixed

  • Agent terminal recovery guidance now points to a persistent tmux-backed workflow instead of relying solely on IDE terminal state
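
The --site-url origin check and the subdirectory wp-admin fix listed under 1.0.8 above, as an added JavaScript example that is not pw-auth's own code; `siteBase`, `assertSameOrigin` and `adminUrl` are hypothetical names and the URLs used with them are constructed.

```javascript
// Added illustration; not code from pw-auth. All function names are hypothetical.

// Normalise a --site-url value: http(s) only, no query or fragment, trailing slash.
function siteBase(siteUrl) {
  const u = new URL(siteUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("unsupported scheme in --site-url: " + u.protocol);
  }
  u.search = "";
  u.hash = "";
  if (!u.pathname.endsWith("/")) u.pathname += "/";
  return u;
}

// Fail fast when the login URL from WP-CLI belongs to a different origin
// (scheme, host or port) than the site the caller asked for.
function assertSameOrigin(siteUrl, loginUrl) {
  const site = siteBase(siteUrl);
  const login = new URL(loginUrl);
  if (site.origin !== login.origin) {
    throw new Error(
      `--site-url origin ${site.origin} does not match login URL origin ${login.origin}`
    );
  }
  return site;
}

// Build the wp-admin URL under the full base path. A relative reference keeps
// the subdirectory; "/wp-admin/" would resolve against the origin root instead.
function adminUrl(siteUrl) {
  return new URL("wp-admin/", siteBase(siteUrl)).href;
}
```
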

noelsaw1 and others added 8 commits March 5, 2026 21:25
New pw-auth CLI and dev-login-cli mu-plugin template that generate
one-time WP login URLs via WP-CLI and cache Playwright storageState
for headless browser automation. Updated all docs with usage,
prerequisites, and troubleshooting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@noelsaw1 noelsaw1 requested a review from mrtwebdesign March 7, 2026 18:23
noelsaw1 and others added 24 commits March 22, 2026 21:17
- Extended scan_log_delta() grep pattern to detect PHP-FPM segmentation faults
  (segmentation fault, segfault, core dumped) that would otherwise be missed
- These patterns are now caught as alert events and counted in log_alert_count
- Improves evidence collection for theme crash diagnosis, complementing HTTP status
  and wp-die detection

Restructure the README from a technical reference into a marketing-style
home page: hero tagline, core features with usage examples at top,
MCP server overview and everyday workflows in the middle, security model,
and a Hidden Gems section at the bottom surfacing non-obvious capabilities
like headless QM profiling, AI triage contracts, and domain-specific
pattern detection.

https://claude.ai/code/session_0166hobYmJGamoeagjxg72rK

…s.md

Adds a planned implementation checklist for the ai-ddtk/update-options
ability, covering the core ability registration, a hardcoded blocklist for
dangerous keys (siteurl, home, template, stylesheet, active_plugins), the
double-confirm UX contract (confirm_dangerous param + error_log), an optional
prefix allowlist filter, decision-tree/table updates, and required unit +
integration tests. No functional code changes.

https://claude.ai/code/session_0166hobYmJGamoeagjxg72rK

… blocklist

Adds the ai-ddtk/update-options ability to templates/ai-ddtk-abilities.php:

- _ai_ddtk_options_blocklist() helper (filterable via ai_ddtk_options_blocklist)
  with two-tier safety model: always_refuse (active_plugins,
  active_sitewide_plugins) and require_confirm (siteurl, home, template,
  stylesheet, admin_email)
- update_option() used for each key so sanitization callbacks fire; no raw SQL
- Per-key result objects with previous_value, new_value, changed bool
- autoload hint (yes/no/unchanged) passed through to update_option()
- confirm_dangerous: true required for require_confirm keys; overrides are
  written to PHP error_log with user ID and timestamp for audit
- dangerous_keys_present flag included in every response

Documentation updates (docs/mcp-adapter-abilities.md):
- Full Phase 3 API reference section with input/output schema tables and
  example calls including blocked-key error response
- Quick reference table, Rule of Thumb table, and decision tree updated
- Phase 3 verify-via-mcp scenario row added
- All implemented Phase 3 checklist items checked off

Tests (test/test-update-options-ability.php):
- 23 standalone PHP unit tests covering: blocklist helper contents,
  happy-path writes, autoload hint passthrough, always-refused key
  hard-stop, require-confirm soft-stop, audit log output, and input validation
- All 23 tests pass (php test/test-update-options-ability.php exits 0)

https://claude.ai/code/session_0166hobYmJGamoeagjxg72rK

…ervices-WzdjN

Claude/document mcp services wzdj n into Development

… add integration recipe

Addresses 4 review findings from Phase 3 implementation:

1. (High) Safety claims vs implementation mismatch — siteurl/home are now
   validated via esc_url_raw() + wp_http_validate_url() before update_option();
   template/stylesheet are validated against wp_get_themes(). Invalid values
   are rejected with descriptive errors even when confirm_dangerous is true.

2. (Medium) Contradictory Phase 3 status — updated header from
   "Status: Planned — no functional code yet" to "Status: Implemented" with
   cross-reference to the API section. Checklist wording now accurately
   describes the validation that exists.

3. (Medium) No live integration coverage — added
   recipes/integration-test-update-options.md with 7 manual test scenarios
   covering safe writes, always-refused keys, soft-stop, URL validation,
   theme validation, and autoload hints.

4. (Medium) No post-sanitize key validation — keys that sanitize to empty
   string are now skipped (not written) and returned in a skipped_keys array.

Tests: 31/31 passing (8 new tests for value validation and key sanitization).

https://claude.ai/code/session_0166hobYmJGamoeagjxg72rK

- Add tools/valet-site-copy.sh for clone/teardown workflows

- Update Valet recipe, CLI reference, README, and AGENTS to point to helper

- Record changes in changelog

…tection

Addresses two additional review findings:

1. (High) Sensitive values leaked in responses — Added `redact_values: true`
   input parameter that replaces `previous_value` and `new_value` with
   "[REDACTED]" in response payloads. Prevents API keys, SMTP creds, and
   license keys from leaking into MCP transcripts or agent context.

2. (Medium) admin_email not value-validated — Now validated via
   `sanitize_email()` + `is_email()` alongside existing URL and theme
   validation. Invalid emails are rejected before `update_option()` runs.

Tests: 36/36 passing (5 new: admin_email validation + redaction tests).
Docs: input schema table, blocklist tier table, and checklist updated.

https://claude.ai/code/session_0166hobYmJGamoeagjxg72rK

…-options-WzdjN

feat: Phase 3 — add ai-ddtk/update-options ability with dangerous-key…

….0 and 1.2.0 entries

- Remove [Unreleased] section; promote content to dated [1.1.0] block
- Add [1.2.0] entry for ai-ddtk/update-options Phase 3 ability
- Add concise LLM maintainer rules as HTML comment at top of file
- Drop Keep a Changelog reference (diverging from that convention)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
noelsaw1 and others added 3 commits March 23, 2026 18:34
…iene

Addresses 12 of 20 items from @mrtwebdesign code review (P1-AUDIT-MATT.md):

Security & repo hygiene:
- Remove committed npx/playwright symlinks, add to .gitignore
- Remove stale BACKLOG-DEPRECATED.md and ROADMAP-DEPRECATED.md
- Add plaintext password warning to AGENTS.md sensitive data section
- Add 1MB Content-Length limit on MCP HTTP transport (413 response)

Error handling:
- Preserve error cause chain in withResourceError() (index.ts)
- Return structured error for missing WPCC binary instead of crash (wpcc.ts)
- Guard against undefined site name with actionable message (local-wp.ts)

Code quality:
- Add JSDoc to regex patterns in allowlist.ts, tmux.ts, wpcc.ts
- Fix POSIX compliance: &> to >/dev/null 2>&1 (wp-ajax-test/install.sh)
- Add timeout 10 wrap on WP-CLI call (theme-crash-loop.sh)
- Add file-existence guard for curl timeout (theme-crash-loop.sh)
- Bump MCP server README version 0.6.2 → 0.6.3

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adds passwordless authentication to wp-ajax-test by reading Playwright
auth state files from pw-auth. This eliminates the need for plaintext
credentials in temp/auth.json.

- New --auth-state flag reads cookies from pw-auth's cached auth state
- Filters cookies by target domain, skips expired, verifies wordpress_logged_in_*
- --auth-state takes precedence when both --auth and --auth-state are provided
- Deprecation warning on --auth pointing users to --auth-state
- MCP wp_ajax_test tool gains authState parameter (preferred over auth)
- Updated error suggestions to recommend pw-auth workflow
- 2 new MCP tests: auth-state precedence + flag-shaped path rejection
- README quick start updated to show pw-auth workflow first

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
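
The cookie selection described in the commit message above (filter by target domain, skip expired, require wordpress_logged_in_*), as an added JavaScript example; it is not the wp-ajax-test implementation, and the function names and the sample auth state are constructed for illustration.

```javascript
// Added illustration; not code from AI-DDTK. All names here are hypothetical.

// Constructed sample in Playwright's storageState shape
// (expires is Unix time in seconds; -1 marks a session cookie).
const SAMPLE_STATE = {
  cookies: [
    { name: "wordpress_logged_in_abc123", value: "admin%7Cconstructed", domain: "mysite.local", path: "/", expires: 2000000000 },
    { name: "wordpress_test_cookie", value: "WP%20Cookie%20check", domain: "mysite.local", path: "/", expires: -1 },
    { name: "wordpress_logged_in_old", value: "stale", domain: "mysite.local", path: "/", expires: 1000 },
    { name: "wordpress_logged_in_other", value: "x", domain: "other.test", path: "/", expires: 2000000000 },
  ],
  origins: [],
};

// A leading dot marks a domain cookie (host or any subdomain); without it the
// cookie is host-only and must match exactly. A bare suffix test would let
// "notmysite.local" receive cookies stored for "mysite.local".
function domainMatches(cookieDomain, host) {
  const d = String(cookieDomain || "").toLowerCase();
  const h = host.toLowerCase();
  if (!d) return false;
  if (!d.startsWith(".")) return h === d;
  return h === d.slice(1) || h.endsWith(d);
}

// Return a Cookie header value for siteUrl, or throw when the cached state
// holds no unexpired wordpress_logged_in_* cookie for that host.
function cookiesForSite(storageState, siteUrl, nowSeconds) {
  const host = new URL(siteUrl).hostname;
  const usable = (storageState.cookies || []).filter(
    (c) => domainMatches(c.domain, host) && (c.expires === -1 || c.expires > nowSeconds)
  );
  const loggedIn = usable.some(
    (c) => c.name.startsWith("wordpress_logged_in_") && c.value
  );
  if (!loggedIn) {
    throw new Error(`no unexpired wordpress_logged_in_* cookie for ${host}; rerun pw-auth login --force`);
  }
  return usable.map((c) => `${c.name}=${c.value}`).join("; ");
}
```
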
- aiddtk-tmux: use escaped double quotes so $log_file expands correctly
  for paths with spaces inside tmux's sh -c
- wpcc: quote underscore prefix in [[ ]] pattern for clarity

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@noelsaw1 noelsaw1 merged commit efe596f into main Mar 24, 2026
3 checks passed
noelsaw1 added a commit that referenced this pull request Apr 5, 2026
- Add tools/wp-ajax-test/SPEC.md (complete tool specification)
- Add tools/wp-ajax-test/AI-INSTRUCTIONS.md (AI agent guidance)
- Design principle: Centralized by default, local copy when needed
- AI agents call ~/bin/ai-ddtk/bin/wp-ajax-test directly
- Create project wrapper only if customization required
- Auto-authentication with nonce/cookie handling
- JSON I/O for AI parsing
- Batch testing support
- Add to ROADMAP.md as opportunity #9
- Update CHANGELOG.md