Feature/mcp v1 #63
The MCP module uses PSR-style camelCase naming which conflicts with WordPress coding standards. Add path-specific exclusions for ValidFunctionName and ValidVariableName rules in the MCP directory.
Wraps GuzzleHttp to provide get/post/put/delete methods against the WordPress REST API with JSON decoding and error handling.
Implements the JSON-RPC stdin/stdout loop with method handlers for initialize, tools/list, tools/call, resources/list, resources/read. Routes requests to the tool and resource providers.
Includes create, read, update, delete, and list operations for any registered post type via the WordPress REST API.
Provides list and create operations for categories, tags, and custom taxonomy terms via the WordPress REST API.
Entry script with --help, --setup, and --reconfigure flags. Handles autoloading, try/catch guards around config operations.
Configures test bootstrap, MCP test suite, and source coverage inclusion for the src/MCP/ directory.
Add PHPDoc array generic annotations to ToolInterface, ToolProvider, and the first 4 post CRUD tools to satisfy PHPStan level 7.
Add PHPDoc array shapes to getDefinitions and resolve methods.
Add static fromEnv() factory to Config that reads SALTUS_WP_URL, SALTUS_WP_USERNAME, and SALTUS_WP_PASSWORD from environment. Delete ConfigManager — file-based config, encryption key management, and interactive wizard are no longer needed.
Remove dead config/initialized properties and ConfigManager dependency. Add PromptProvider and Validator wiring into the request dispatch loop.
Add 12 tests for required field validation, type checking (string, number, boolean, object), enum validation, multiple errors, empty schema, and optional fields.
Mark PHPUnit tests, --help flag, and README update as completed.
Wrap Guzzle handler with exponential backoff retry for 429/5xx and connection timeouts.
Remove --setup/--reconfigure flags. Read config from env vars only.
Run phpunit, phpstan, and phpcs across PHP 7.4-8.3 on every push and PR to main. All tests use WordPress stubs so no real WP install is needed.
The anonymous class implementations of AuditDatabase used the 'mixed' type hint (PHP 8.0+) and :array return types on get_results(), which caused fatal errors on PHP 7.4 (parse error) and PHP 8.x (interface signature mismatch). Remove them to match the interface declaration.
ReflectionProperty::getValue() on private properties requires setAccessible(true) before PHP 8.1. The :mixed return type was removed from the same methods for PHP 7.4 parse compat.
The mixed type hint (PHP 8.0+) caused parse errors on PHP 7.4 in WordPress function stub signatures (get_param, set_param, current_user_can, is_wp_error, set_transient).
Bump PHPUnit test count from 195 to 201.
Record the PHP 7.4 test compatibility fix in CURRENT.md.
Two helper methods (routeController, describeRouteController) accessed private RestRouteDefinition:: via ReflectionProperty::getValue without setAccessible(true), failing on PHP 7.4.
The '@' . float format for DateTimeImmutable does not support fractional
seconds before PHP 8.0. Use createFromFormat('U.u') instead.
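An added example (not code from this pull request) of the timestamp handling that commit describes, written to run on PHP 7.4 and later. The helper name `audit_timestamp()` and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; audit_timestamp() is a hypothetical helper, not the
// framework's AuditEntry code.
function audit_timestamp(float $epoch): string
{
    // %F is the locale-independent float conversion. %f follows LC_NUMERIC and
    // can emit a decimal comma, which the 'U.u' parser rejects.
    $stamp = sprintf('%.6F', $epoch);

    // Unlike '@' . $epoch, 'U.u' parses fractional seconds on PHP 7.4 as well.
    $date = DateTimeImmutable::createFromFormat('U.u', $stamp);
    if ($date === false) {
        // Fail loudly rather than store an audit row with a wrong timestamp.
        throw new RuntimeException('Unparseable audit timestamp: ' . $stamp);
    }

    // 'U' input is always UTC; 'v' prints milliseconds for a datetime(3) column.
    return $date->format('Y-m-d H:i:s.v');
}

// Constructed sample values.
echo audit_timestamp(1700000000.1234), PHP_EOL;
echo audit_timestamp(1700000000.0), PHP_EOL;

// Pitfall: a plain string cast drops ".0" on whole seconds, so the value no
// longer matches 'U.u' and createFromFormat() returns false.
var_dump(DateTimeImmutable::createFromFormat('U.u', (string) 1700000000.0));
```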
/gemini review
Code Review
This pull request upgrades the Saltus Framework to version 2.0.0, introducing WordPress-native MCP/Abilities integration for WordPress 7.0+ and removing the standalone stdio server. It establishes a comprehensive REST API namespace (saltus-framework/v1) with 9 routes, backed by shared service classes to eliminate duplication between REST and MCP paths. The release also adds transient caching, sliding-window rate limiting, database audit logging, and a robust PHPUnit test suite. Feedback on these changes focuses on preventing backward-compatibility breaks by keeping core constants public, deferring REST server instantiation to the rest_api_init hook to reduce page-load overhead, using standard WordPress functions like wp_clear_scheduled_hook() for cron cleanup, making SQL query rewriting case-insensitive, and gating database table creation checks to optimize audit logging performance.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Instantiating RestServer and all route definitions during register() incurs overhead on every WordPress page load. Deferring inside rest_api_init ensures these classes are only loaded when a REST request is processed.
wp_clear_scheduled_hook is the standard WordPress API for unscheduling all events on a hook. It handles duplicate and orphaned scheduled events safely and avoids the manual wp_next_scheduled query.
Calling ensure_table() on every audit write issues a CREATE TABLE IF NOT EXISTS query that acquires a metadata lock. Gating it behind a DB version option check avoids this overhead on subsequent requests while still creating the table automatically on first run.
Replace the fragile string-equality check (comparing against a pre-computed query) with a regex-based structural matcher (is_fake_date_export_query). This handles whitespace and formatting variations from WordPress core's export query construction. Add a wp_die fallback when the fake date fingerprint is found but the query shape does not match, converting silent data leaks into hard failures. Update LegacyFeatureTest assertion for the new single-space query format and add an exception test for the wp_die edge case. Add esc_html__ and wp_die test stubs in functions.php.
/gemini review
Code Review
This pull request introduces version 2.0.0 of the Saltus Framework, transitioning to a WordPress-native MCP/Abilities integration. It adds a comprehensive REST API layer under the saltus-framework/v1 namespace with controllers for models, duplication, exporting, settings, meta fields, reordering, and health monitoring. Additionally, it extracts inline REST controller logic into shared service classes (ReorderPostsService, MetaFieldProvider, SettingsManager, SaltusSingleExport) to align with MCP tools, implements robust runtime controls (caching, rate limiting, audit logging), and introduces an extensive PHPUnit test suite. Feedback on the changes highlights critical improvements to error handling and safety. Specifically, replacing wp_die() with exceptions in SaltusSingleExport is recommended to prevent abrupt process termination during REST/MCP requests. Additionally, using get_object_vars() instead of property_exists() in ModelRestPolicy is advised to safely access public properties. Finally, aligning read-only tool permissions with their REST controller counterparts in AbilityDefinitionFactory and migrating the audit log's created_at column from varchar(32) to a native datetime(3) type will enhance security and database efficiency.
Replace wp_die() with RuntimeException in single_export_query() to avoid terminating the PHP process with an HTML error page in REST/MCP contexts. The exception is caught in export_post() and returned as a structured WP_Error with a 500 status. Replace property_exists() with get_object_vars() in ModelRestPolicy to avoid fatal errors when $args or $options properties are non-public.
Map list_models, get_model, list_meta_fields, and get_meta_fields to edit_posts capability in can_use_tool() so advertised permissions match REST controller requirements. Change AuditLogger created_at column from varchar(32) to datetime(3) for native database date functions and indexed query performance.
/gemini review
Code Review
This pull request introduces a major upgrade (v2.0.0) to the Saltus Framework, implementing a WordPress-native MCP/Abilities integration with 17 tools, a framework REST API with 9 routes, and production hardening features including sliding-window rate limiting, transient caching, an audit trail, and health monitoring. It also includes extensive documentation, a comprehensive PHPUnit test suite, and refactoring of legacy paths into shared service classes. The review feedback highlights two critical issues: first, an unsafe use of property_exists in MetaFieldProvider that could lead to fatal errors on non-public properties; and second, the fact that WordPress core's export_wp() function terminates execution with die(), which would prevent the REST controller from returning a valid JSON response in REST/MCP contexts.
property_exists() returns true for non-public properties, but accessing ->args directly from outside triggers a Fatal Error when the property is protected or private. get_object_vars() only retrieves public properties, matching the existing pattern in ModelRestPolicy::get_model_args.
\Throwable catches both \Exception and PHP 7+ \Error types (TypeError, ParseError, etc.), making the MCP/REST recovery context more resilient by returning a WP_Error instead of crashing on engine-level errors.
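The two fixes described in the commit messages above, shown together as an added example that is not code from this pull request. `SampleModel`, `read_args_unsafe()`, `read_args_safe()` and `run_tool()` are hypothetical names, and the returned array stands in for a `WP_Error`.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a model whose $args property is not public.
final class SampleModel
{
    public $name = 'book';
    protected $args = ['show_in_rest' => true];
}

// Unsafe: property_exists() ignores visibility, so the read that follows
// throws \Error ("Cannot access protected property") from outside the class.
function read_args_unsafe(object $model): array
{
    return property_exists($model, 'args') ? (array) $model->args : [];
}

// Safe: called from outside the class, get_object_vars() lists only public
// properties, so a protected $args is treated as absent.
function read_args_safe(object $model): array
{
    $vars = get_object_vars($model);
    return isset($vars['args']) && is_array($vars['args']) ? $vars['args'] : [];
}

// Hypothetical dispatcher; the error array stands in for a WP_Error.
function run_tool(callable $tool, object $model): array
{
    try {
        return ['ok' => true, 'data' => $tool($model)];
    } catch (\Throwable $e) {
        // catch (\Exception $e) would not match \Error, and the request would
        // end in a fatal error instead of a structured response.
        // Only the class name is returned, so internals are not echoed to the client.
        return ['ok' => false, 'code' => 500, 'error' => get_class($e)];
    }
}

$model = new SampleModel();
var_dump(run_tool('read_args_safe', $model));   // protected $args is never read
var_dump(run_tool('read_args_unsafe', $model)); // \Error converted to an error array
```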
/gemini review
Code Review
This pull request upgrades the Saltus Framework to version 2.0.0, introducing a WordPress-native MCP/Abilities integration with 17 registered tools, a new REST API namespace (saltus-framework/v1) with 9 routes, and a robust caching, rate-limiting, and audit logging layer. Shared service classes were extracted to eliminate duplication between REST controllers and MCP tools, and a comprehensive PHPUnit test suite was added. The review feedback highlights several critical issues: a potential hook priority race condition in Core.php that could prevent REST route registration; a database overhead issue in TransientCache::clear() during batch operations; a locale-aware float formatting bug in AuditEntry.php that can crash the application; and an unsafe property check in RestTool.php that could trigger a Fatal Error.
add mcp for saltus features