=== EchoOps MCP ===
Contributors: alessandro-bagalini
Tags: mcp, oauth, automation, content, ai
Requires at least: 6.9
Tested up to: 7.0
Stable tag: 0.1.0
Requires PHP: 8.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Secure OAuth-protected MCP bridge for controlled, audited WordPress abilities.

== Description ==

EchoOps MCP exposes a secure MCP endpoint on your own WordPress site so compatible AI assistants and automation tools can work through controlled WordPress abilities.

Core is usable on its own. No EchoOps Cloud account is required.

EchoOps MCP 0.1.0 requires PHP 8.4. Compatibility with earlier PHP 8.x versions may be evaluated in a future release.

The plugin includes:

* OAuth2 Authorization Code with PKCE.
* Dynamic Client Registration.
* A protected MCP endpoint at `/wp-json/echoops-mcp/v1/mcp`.
* Controlled EchoOps abilities for site information, posts, pages, media, taxonomies, and terms.
* Safe defaults: read abilities are enabled by default, write abilities are disabled by default.
* No delete abilities, direct publish abilities, or user management abilities.
* Admin controls for allowed OAuth users, ability toggles, active sessions, settings, and audit log review.
* A first-run Setup page with generic connection templates and downloadable non-secret client configuration.
* An admin OAuth Test Helper for manual testing without displaying tokens or secrets.
* Redacted audit logging for ability execution attempts.

Client templates are generic setup aids unless a specific client has been separately verified. The plugin does not overclaim compatibility with any particular third-party MCP client.

= Privacy And External Services =

EchoOps MCP Core runs on your WordPress site. It does not require an EchoOps Cloud account and does not send usage telemetry or audit data to EchoOps services.

Authorized OAuth clients connect to your site's OAuth-protected MCP endpoint. Admins control which WordPress users may authorize clients and which EchoOps abilities are enabled.

The optional `echoops/media-upload-from-url` ability is a write ability and is disabled by default. If an administrator enables it and an authorized client executes it, your WordPress site sends HTTP HEAD and GET requests to the URL supplied by that client to validate and download the media file. The remote server may receive request metadata such as your site's server IP address and standard HTTP headers.

Audit input summaries redact keys containing password, secret, token, authorization, cookie, nonce, and key. Content-like fields such as content, post_content, description, body, and html are stored only as length and SHA-256 hash summaries.
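
The redaction rule described above, sketched as an added example that is not EchoOps MCP's own code. The function name `summarize_audit_input`, the `[redacted]` marker, the output shape, and the order in which the two rules apply are assumptions; only the key fragments and content-like field names come from this readme.

```php
<?php
declare(strict_types=1);

// Key fragments and content-like field names are taken from the readme text;
// everything else (names, marker, output shape) is assumed for illustration.
const SENSITIVE_FRAGMENTS = ['password', 'secret', 'token', 'authorization', 'cookie', 'nonce', 'key'];
const CONTENT_FIELDS = ['content', 'post_content', 'description', 'body', 'html'];

/**
 * Build an audit-safe summary of ability input (hypothetical helper).
 */
function summarize_audit_input(array $input): array
{
    $summary = [];
    foreach ($input as $key => $value) {
        $name = strtolower((string) $key);

        // Rule 1: any key containing a sensitive fragment is redacted outright.
        foreach (SENSITIVE_FRAGMENTS as $fragment) {
            if (str_contains($name, $fragment)) {
                $summary[$key] = '[redacted]';
                continue 2; // next input field
            }
        }

        // Rule 2: content-like fields keep only their length and SHA-256 digest.
        if (in_array($name, CONTENT_FIELDS, true) && is_string($value)) {
            $summary[$key] = ['length' => strlen($value), 'sha256' => hash('sha256', $value)];
            continue;
        }

        // Nested arrays are summarized recursively; other values pass through.
        $summary[$key] = is_array($value) ? summarize_audit_input($value) : $value;
    }
    return $summary;
}

// Constructed sample input, not captured from a real site.
$sample = [
    'post_id'      => 42,
    'title'        => 'Draft title',
    'post_content' => '<p>Hello</p>',
    'meta'         => ['api_key' => 'constructed-value', 'author_token' => 'constructed-value', 'format' => 'standard'],
];

echo json_encode(summarize_audit_input($sample), JSON_PRETTY_PRINT), PHP_EOL;
```

Under this substring reading, a harmless field such as `keywords` is redacted as well because it contains `key`, which errs on the side of logging less.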

Access tokens, refresh tokens, authorization codes, client secrets, private keys, cookies, nonces, and authorization headers are not displayed in admin screens or written to audit logs.

Uninstall currently retains OAuth, audit, and settings data until a retention/export policy is implemented.

== Installation ==

1. Upload the `echoops-mcp` folder to `/wp-content/plugins/`, or install the plugin ZIP from WordPress Admin.
2. Activate the plugin.
3. Open `EchoOps MCP -> Setup`.
4. Allow your current administrator user to authorize OAuth clients, or add allowed users from `EchoOps MCP -> Connections`.
5. Review the Setup checklist.
6. Copy endpoint values, download the non-secret client configuration JSON, or use the generic client templates.
7. Use OAuth Authorization Code with PKCE to authorize a compatible MCP/OAuth client.
8. Review `EchoOps MCP -> Abilities` before enabling any write ability.
9. Review `EchoOps MCP -> Audit Log` after testing.

== Frequently Asked Questions ==

= Does EchoOps MCP require EchoOps Cloud? =

No. Core runs on your own WordPress site and is usable without an EchoOps Cloud account.

= Is EchoOps MCP affiliated with Anthropic or MCP client providers? =

No. EchoOps MCP is not affiliated with or endorsed by Anthropic or any MCP client provider.

= Does this plugin expose my WordPress site publicly? =

The plugin exposes an OAuth-protected MCP endpoint on your WordPress site. Requests must use a valid Bearer token issued by the site's OAuth flow. Admins control allowed OAuth users and ability toggles.

= Are write actions enabled by default? =

No. Read-only abilities are enabled by default. Write abilities are disabled by default and must be enabled individually by an administrator. Delete, direct publish, and user management abilities are not included.

= Are tokens or secrets displayed in the admin? =

No. Access tokens, refresh tokens, authorization codes, client secrets, private keys, cookies, nonces, and authorization headers are not displayed or written to audit logs.

= What does the downloadable client configuration JSON contain? =

It contains non-secret endpoint and discovery values such as the MCP endpoint, OAuth URLs, supported auth flow, default scope, plugin version, site name, and generation time. It does not contain tokens, client secrets, private keys, cookies, nonces, or authorization headers.

= Does the OAuth Test Helper bypass OAuth security? =

No. The helper creates a normal public PKCE test client, generates PKCE values, validates callback state, exchanges a code only after explicit admin action, and uses a temporary user-scoped token for MCP self-tests. Tokens are not displayed.

= Does the plugin contact third-party services? =

Core does not contact EchoOps Cloud or send telemetry. The `echoops/media-upload-from-url` ability can contact the URL supplied by an authorized client, but only when that write ability is enabled and executed.

= What happens on uninstall? =

Uninstall currently retains OAuth, audit, and settings data until a retention/export policy exists.

== Screenshots ==

No screenshots are bundled in the 0.1.0 submission package.

== Changelog ==

= 0.1.0 =

* Initial public MVP package.
* Added OAuth2 Authorization Code with PKCE, Dynamic Client Registration, token validation, and OAuth metadata endpoints.
* Added protected MCP endpoint using `wordpress/mcp-adapter`.
* Added EchoOps MVP abilities for site info, site health, posts, pages, media, taxonomies, and terms.
* Added safe-by-default ability toggles.
* Added Setup, Dashboard, Abilities, Connections, Audit Log, Settings, manual callback, and OAuth Test Helper admin pages.
* Added allowed OAuth users, session revocation, audit logging, and redaction.

== Upgrade Notice ==

= 0.1.0 =

Initial public MVP package.
