@@ -7,6 +7,193 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77
88## [ Unreleased]
99
10+ ## [ 1.3.3] - 2026-01-13
11+
12+ ### Added
13+ - ** MCP (Model Context Protocol) Support - Tier 1** - AI assistants can now directly access scan results
14+ - ** MCP Server** (` dist/bin/mcp-server.js ` ) - Node.js server exposing scan results as MCP resources
15+ - ** Resources Exposed:**
16+ - ` wpcc://latest-scan ` - Most recent JSON scan log
17+ - ` wpcc://latest-report ` - Most recent HTML report
18+ - ` wpcc://scan/{scan-id} ` - Individual scans by timestamp ID
19+ - ** Supported AI Tools:**
20+ - Claude Desktop (macOS, Windows)
21+ - Cline (VS Code extension)
22+ - Any MCP-compatible AI assistant
23+ - ** Features:**
24+ - Automatic discovery of last 10 scans
25+ - JSON and HTML resource types
26+ - Error handling for missing scans
27+ - Stdio transport (standard MCP)
28+ - ** Files Added:**
29+ - ` dist/bin/mcp-server.js ` (227 lines) - MCP server implementation
30+ - ` package.json ` - Node.js dependencies (` @modelcontextprotocol/sdk ` )
31+ - ` PROJECT/1-INBOX/PROJECT-MCP.md ` (538 lines) - Comprehensive MCP documentation
32+ - ** Impact:** AI assistants can now read scan results without manual copy/paste, enabling automated triage and fix suggestions
33+
34+ ### Changed
35+ - ** README.md** - Added MCP Protocol Support section with:
36+ - Quick start guide for Claude Desktop configuration
37+ - Developer guide for AI agents using MCP
38+ - AI agent instructions for analyzing scan results
39+ - Links to comprehensive MCP documentation
40+ - ** MARKETING.md** - Added MCP protocol support to comparison table
41+ - WP Code Check: ✅ MCP support
42+ - PHPCS, PHPStan, Psalm: ❌ No MCP support
43+ - Differentiates WP Code Check as AI-first tool
44+
45+ ### Technical Details
46+ - ** MCP Version:** 1.0.0 (Tier 1 - Basic Resources)
47+ - ** Node.js Requirement:** >=18.0.0
48+ - ** Dependencies:** ` @modelcontextprotocol/sdk ` ^0.5.0
49+ - ** Protocol:** stdio transport (standard MCP)
50+ - ** Performance:** <100ms startup, <50ms resource reads
51+ - ** Memory:** ~ 30MB (Node.js + SDK)
52+
53+ ### Roadmap
54+ - ** Tier 2 (Planned):** Interactive tools (` scan_wordpress_code ` , ` filter_findings ` )
55+ - ** Tier 3 (Planned):** Real-time streaming, prompts, dynamic resources
56+
57+ ## [ 1.3.2] - 2026-01-13
58+
59+ ### Added
60+ - ** GitHub Issue Creation Tool** (` dist/bin/create-github-issue.sh ` )
61+ - Automatically create GitHub issues from scan results with AI triage data
62+ - Interactive preview before creating issues
63+ - Supports both ` --repo owner/repo ` flag and template-based repo detection
64+ - Generates clean, actionable issues with:
65+ - Scan metadata (plugin/theme name, version, scanner version)
66+ - Confirmed issues section with checkboxes
67+ - Needs review section with confidence levels
68+ - Links to full HTML and JSON reports
69+ - Requires GitHub CLI (` gh ` ) installed and authenticated
70+ - Uses ` --body-file ` for reliable issue creation with large bodies
71+
72+ ### Changed
73+ - ** README.md** : Added GitHub Issue Creator to tools table and usage documentation
74+ - ** Template Support** : Templates now support optional ` GITHUB_REPO ` field for automated issue creation
75+ - ** GitHub Issue Footer** : Changed from broken relative links to local file paths in code blocks for better usability
76+ - ** GitHub Issue Creator** : Made ` GITHUB_REPO ` truly optional - script will generate issue body without creating the issue if no repo is specified
77+ - ** Issue Persistence** : When no GitHub repo is specified, issue bodies are now saved to ` dist/issues/GH-issue-{SCAN_ID}.md ` for manual copy/paste to GitHub or project management apps
78+ - ** AI Instructions** : Updated ` dist/TEMPLATES/_AI_INSTRUCTIONS.md ` with complete Phase 3 (GitHub Issue Creation) workflow documentation
79+
80+ ## [ 1.3.1] - 2026-01-12
81+
82+ ### Fixed
83+ - ** Phase 2.1: Critical Quality Improvements**
84+ - ** Issue #2 (Suppression)** : Removed aggressive suppression logic
85+ - Findings with guards+sanitizers now emit as LOW severity (not suppressed)
86+ - Prevents false negatives from heuristic misattribution
87+ - Still provides context signals for manual triage
88+ - ** Issue #4 (user_can)** : Removed ` user_can() ` from guard detection
89+ - ` user_can($user_id, 'cap') ` checks OTHER users, not current request
90+ - Reduces false confidence from non-guard capability checks
91+ - Only ` current_user_can() ` is now detected as a guard
92+ - ** Issue #1 (Function Scope)** : Implemented function-scoped guard detection
93+ - Guards now scoped to same function using ` get_function_scope_range() `
94+ - Guards must appear BEFORE the superglobal access (not after)
95+ - Prevents branch misattribution (guards in different if/else)
96+ - Prevents cross-function misattribution
97+ - ** Issue #3 (Taint Propagation)** : Added basic variable sanitization tracking
98+ - Detects sanitized variable assignments: ` $x = sanitize_text_field($_POST['x']) `
99+ - Tracks sanitized variables within function scope
100+ - Detects two-step sanitization: ` $x = $_POST['x']; $x = sanitize($x); `
101+ - Reduces false positives for common safe patterns
102+ - ** Issue #5 (Test Coverage)** : Added comprehensive test fixtures
103+ - ` phase2-branch-misattribution.php ` : Tests guards in different branches/functions
104+ - ` phase2-sanitizer-multiline.php ` : Tests multi-line sanitization patterns
105+ - ` verify-phase2.1-improvements.sh ` : Automated verification script
106+
107+ ### Changed
108+ - ** Library Version** : Updated ` false-positive-filters.sh ` to v1.3.0
109+ - Added ` get_function_scope_range() ` helper function
110+ - Enhanced ` detect_guards() ` with function scoping
111+ - Added ` is_variable_sanitized() ` for taint propagation
112+ - Fixed variable scope issues (explicit local declarations)
113+
114+ ### Technical Details
115+ - ** Function Scope Detection** : Uses brace counting to find function boundaries
116+ - ** Guard Detection** : Scans backward within function, stops at access line
117+ - ** Variable Tracking** : Matches assignment patterns with sanitizer functions
118+ - ** Limitations Documented** : Heuristic-based, not full PHP parser
119+
120+ ## [ 1.3.0] - 2026-01-12
121+
122+ ### Added
123+ - ** Phase 2: Context Signals (Guards + Sanitizers)**
124+ - ** Guard Detection** : Automatically detects security guards near superglobal access
125+ - Detects nonce checks: ` wp_verify_nonce() ` , ` check_ajax_referer() ` , ` check_admin_referer() `
126+ - Detects capability checks: ` current_user_can() ` , ` user_can() `
127+ - Scans 20 lines backward from finding to detect guards
128+ - Guards are included in JSON output as array: ` "guards":["wp_verify_nonce","current_user_can"] `
129+ - ** Sanitizer Detection** : Automatically detects sanitizers wrapping superglobal reads
130+ - Detects ` sanitize_* ` functions: ` sanitize_text_field() ` , ` sanitize_email() ` , ` sanitize_key() ` , ` sanitize_url() `
131+ - Detects ` esc_* ` functions: ` esc_url_raw() ` , ` esc_url() ` , ` esc_html() ` , ` esc_attr() `
132+ - Detects type casters: ` absint() ` , ` intval() ` , ` floatval() `
133+ - Detects slashing functions: ` wp_unslash() ` , ` stripslashes_deep() `
134+ - Detects WooCommerce sanitizer: ` wc_clean() `
135+ - Sanitizers are included in JSON output as array: ` "sanitizers":["sanitize_text_field","absint"] `
136+ - ** SQL Safety Detection** : Distinguishes safe literal SQL from unsafe concatenated SQL
137+ - Safe literal SQL (only wpdb identifiers): Downgraded to LOW/MEDIUM (best-practice)
138+ - Unsafe concatenated SQL (user input): Remains HIGH/CRITICAL (security)
139+ - Detects superglobal concatenation: ` $_GET ` , ` $_POST ` , ` $_REQUEST ` , ` $_COOKIE `
140+ - Detects variable concatenation vs safe wpdb identifiers
141+ - ** New Helper Functions** (in ` dist/bin/lib/false-positive-filters.sh ` v1.2.0)
142+ - ` detect_guards() ` : Scans backward to find security guards
143+ - ` detect_sanitizers() ` : Analyzes code for sanitization functions
144+ - ` detect_sql_safety() ` : Determines if SQL is safe literal or potentially tainted
145+
146+ ### Changed
147+ - ** Enhanced JSON Output Schema**
148+ - All findings now include ` "guards":[] ` and ` "sanitizers":[] ` arrays
149+ - Provides context for faster triage and prioritization
150+ - Enables automated risk assessment based on protective measures
151+ - ** Intelligent Severity Downgrading**
152+ - ** Guards only** : Severity downgraded one level (e.g., HIGH → MEDIUM)
153+ - ** Sanitizers only** : Severity downgraded one level (e.g., HIGH → MEDIUM)
154+ - ** Guards + Sanitizers** : Finding suppressed (fully protected)
155+ - ** Safe literal SQL** : Downgraded to LOW/MEDIUM with "(literal SQL - best practice)" note
156+ - ** No guards/sanitizers** : Original severity maintained
157+ - ** Improved Triage Messages**
158+ - Findings include context notes: "(has guards: wp_verify_nonce)"
159+ - Findings include context notes: "(has sanitizers: sanitize_text_field)"
160+ - SQL findings include: "(literal SQL - best practice)" for safe queries
161+ - ** Updated ` add_json_finding() ` Function**
162+ - Now accepts optional 8th parameter: ` guards ` (space-separated list)
163+ - Now accepts optional 9th parameter: ` sanitizers ` (space-separated list)
164+ - Backward compatible: existing calls work without modification
165+
166+ ### Fixed
167+ - ** Removed ` local ` keyword from loop contexts** (bash compatibility)
168+ - Fixed "local: can only be used in a function" errors
169+ - Variables in while loops no longer use ` local ` keyword
170+ - ** Improved superglobal detection accuracy**
171+ - Guards and sanitizers now properly detected and reported
172+ - Fully protected code (guards + sanitizers) no longer flagged
173+ - Context-aware severity adjustment reduces false positive noise
174+
175+ ### Testing
176+ - ** Created Phase 2 Test Fixtures**
177+ - ` dist/tests/fixtures/phase2-guards-detection.php ` : Tests guard detection (nonce, capability checks)
178+ - ` dist/tests/fixtures/phase2-wpdb-safety.php ` : Tests SQL safety detection (literal vs concatenated)
179+ - ** Created Phase 2 Verification Script**
180+ - ` dist/tests/verify-phase2-context-signals.sh ` : Automated testing for Phase 2 features
181+ - Verifies guards array in JSON output
182+ - Verifies sanitizers array in JSON output
183+ - Verifies SQL safety detection and severity downgrading
184+
185+ ### Known Limitations (Phase 2.1 Improvements Required)
186+
187+ ⚠️ ** IMPORTANT:** Phase 2 provides valuable context signals but has limitations that require refinement:
188+
189+ 1 . ** Guard Misattribution Risk** : Window-based detection may attribute guards to unrelated access (different branch/function)
190+ 2 . ** Suppression Too Aggressive** : Suppressing findings when guards+sanitizers detected risks false negatives
191+ 3 . ** Single-Line Sanitizer Detection** : Misses multi-line patterns like ` $x = sanitize_text_field($_GET['x']); use($x); `
192+ 4 . ** user_can() Overcounting** : May count non-guard uses; needs conditional context detection
193+ 5 . ** Limited Branch Coverage** : Test fixtures don't cover all branch misattribution cases
194+
195+ ** Recommendation for v1.3.0:** Use guard/sanitizer arrays in JSON output for manual triage. Consider disabling automatic severity downgrading until Phase 2.1 improvements are complete. See ` PROJECT/1-INBOX/PHASE2-QUALITY-IMPROVEMENTS.md ` for improvement plan.
196+
10197## [ 1.2.4] - 2026-01-12
11198
12199### Added
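Review bot: the `wpcc://scan/{scan-id}` resource is described as resolving "Individual scans by timestamp ID", but nothing in the 1.3.3 entry says the ID is validated before it is mapped to a file under `dist/`; because that string arrives from the MCP client, the entry (or `PROJECT/1-INBOX/PROJECT-MCP.md`) should state that scan IDs are matched against the timestamp format and resolved only inside the scan log directory, with anything else routed through the "Error handling for missing scans" path rather than opened. Two smaller points: "MCP Version: 1.0.0" under Technical Details reads as a protocol version, yet the only version the hunk pins is `@modelcontextprotocol/sdk` ^0.5.0, so say whether 1.0.0 is the server's own version; and in the 1.3.2 entry, since the generated issue body carries scan metadata plus unconfirmed "Needs review" findings, it is worth noting beside the `--repo owner/repo` flag that creating the issue on a public repository discloses those findings before a fix exists, which is the reason the interactive preview step matters.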