Every release,
every story.

"Approve all visible" button on the Changes / Approvals page

• add "Approve all visible" button on the Changes / Approvals page. Renders only when respira_enable_bulk_approvals is on AND there are pending duplicates. The button shows the live pending count next to its label (Approve all
• add respira_list_pending_duplicate_ids AJAX endpoint. Returns the array of every post ID where _respira_duplicate=1 AND post_status IN ('draft','pending'), ordered by post_modified DESC. Same nonce + manage_options gate as t
• add bulk_approvals_enabled + pending_duplicate_count flags in the localized respira_admin JS object. Lets the new button gate itself client-side without an extra round trip — hidden when the setting is off or the queue is em
• note No new permission surface. The same manage_options capability + respira_enable_bulk_approvals toggle that gated the backend handler since 4.0.11 still gate the UI. The default for the toggle stays OFF for safety; admins
• note The bulk handler is conservative — it never force-approves (every per-item call passes force: false). If a duplicate's original has changed since the duplicate was created, that one item shows in the per-item failure lis

Skills catalog URL points at the right GitHub org

• fix Skills catalog URL points at the right GitHub org. The Respira_Admin::fetch_skills_catalog() helper still pulled from https://raw.githubusercontent.com/webmyc/agent-skills-wordpress/main/skills.json, but the repo was tra
• note Because the pre-fix code path returned the error without setting the transient cache, no client-side cache needs busting. The fix takes effect on the first page load after upgrade.
• note One-line URL change in admin/class-respira-admin.php plus a comment block that records why raw.githubusercontent.com is fragile to repo transfers, so the next maintainer doesn't reintroduce the same bug.

rest_no_route errors now carry the attempted path

• fix rest_no_route errors now carry the attempted path. Previously, when WordPress returned rest_no_route (54 hits across two sites the week of 2026-05-24), the MCP recorded the generic WP string "No route was found matching
• change inject_builder_content description now lists Divi render-critical attrs. When any of the 10 Divi module types in the validator is missing its required attr (e.g. divi/heading without title, divi/button without button_tex
• change read_theme_file description hardened against non-stylesheet attempts. The schema already enforced .css / .scss / .less / .json, but agents kept trying .php / .html (5 hits the week of 2026-05-24, returning respira_theme_

Generic Error bucket in tool telemetry

• fix Generic Error bucket in tool telemetry. The dispatch wrapper at server.ts recorded error_code from Error.name, but ~6 tool wrappers (find_element, inject_builder_content, upload_media, batch_update, update_custom_post, a

respira_run_pagespeed_audit + respira_analyze_pagespeed

• add respira_run_pagespeed_audit + respira_analyze_pagespeed (Phase E Tier 2). Real PageSpeed Insights v5 audit replaces the heuristic CWV path. respira_run_pagespeed_audit returns Lighthouse lab data (scores for performance/
• add get_accessibility_scan schema accepts UUID strings. N15 — pre-fix the input schema declared scan_id: number but list_accessibility_scans returns UUID strings, so the two tools couldn't be paired
• add list_accessibility_scans pagination + summary mode. N16 — added limit, offset, summary_only (default true) params. Summary mode strips violations[].nodes and per-violation AI fix prompts; full payload remains via get_acc
• add get_snapshot include opt-in. N26 — defaults to metadata-only (~5KB); pass include=content for the full builder payload (~78KB)
• fix N6: site_id envelope leak. Every tool response carried site: <default site> even when a per-call site_id override resolved correctly. The MCP correctly serviced the call against the override but reported the default in t
• fix N9: schema gaps on 5 destructive tools. create_user, update_user, delete_user, delete_custom_post, delete_menu all enforce server-side approval/force gates but the MCP schemas didn't expose the params. Added approval_tok

Divi is_builder_used() vetoes itself when _et_pb_use_builder='off'

• fix Divi is_builder_used() vetoes itself when _et_pb_use_builder='off'. The explicit 'off' value is the user's signal that Divi is NOT active on this post (even though stale _et_pb_page_* meta from a previous Divi-active per
• add update_element response now carries builder.name and builder.version. Surfaces the picked adapter directly in the response envelope so silent-write reports can name the adapter that claimed the post without a separate re
• note The Lite plugin's is_divi_page() already vetoed on 'off' === $et_pb_use (only returns true on 'on'), so Lite was never affected and no sync port is needed.
• note Once the customer confirms v7.0.56 lands the write correctly, the broader detect_builder() audit (theme-tiebreaker rule should also respect explicit per-post disables across all builders, not just Divi) is queued separat

expected_type opt-in pre-write validation on update_module for Divi 4

• add expected_type opt-in pre-write validation on update_module for Divi 4. Callers (MCP clients, apply_builder_patch, batch_update) can pass expected_type: 'et_pb_text' in the updates payload. If the resolver lands on a modu
• add expected_type and _skip_truncation_check are now also stripped from the attribute patch automatically so they cannot accidentally land in module attributes if a caller forgets to extract them.
• note The root-cause fix (rewriting the path resolver to follow the nested children[] tree rather than the flat row-column merge) is queued for v7.0.56. Until then, agent clients calling Divi 4 update_module on multi-column ro
• note The MCP server's update_module tool description will get a matching update in the next mcp-server release to advertise expected_type and recommend its use on Divi 4. Plugin-side ship goes out first so the surface is ther

Gutenberg is_builder_used() disqualifier checks values, not just key presence

• fix Gutenberg is_builder_used() disqualifier checks values, not just key presence. Each "other-builder" meta key now carries a predicate matching the source builder's own activity convention:
• note Verified the failure mode against M.P.'s exact scenario: a post duplicated from an original that has _et_pb_use_builder=off will, pre-v7.0.54, fall through Gutenberg's claim check despite Gutenberg being the only sensibl
• note The pre-v7.0.54 disqualifier list pattern (presence-only) is a common code-smell across builder adapters. Future cleanup is queued to audit the cross-builder claim logic for the same stale-key class of bug, but for v7.0.

Bricks option-group read endpoints scrub _respira_* keys

• fix Bricks option-group read endpoints scrub _respira_* keys. handle_get_option_group (covering global-classes, color-palette, theme-styles, typography, global-variables, breakpoints, pseudo-classes) and handle_design_system
• fix Bricks option-group write endpoints recursively strip _respira_* keys from request bodies. handle_create_item was already stripping _respira_key_data at the top level only; expanded to recursive scrub_respira_internals()
• fix update_element / element-ops envelope is_duplicate now matches the actually-resolved write target. Pre-v7.0.53, Respira_Element_Ops::target_metadata() read is_duplicate from resolve_mutation_target()'s output, which eval
• fix Gutenberg inject_content now guards the write against third-party save_post reverts AND verifies persistence. The customer report: 9 successive duplicates (340148, 340151, 340153, 340155, 340157, 340159, 340161, 340163,
• note The Gutenberg silent-revert family also lives in the Divi adapter's update path for posts (Divi was enabled-then-disabled mid-session on the customer site, so duplicate detection may still route through Divi while Gutenb
• note The Bricks scrub does not delete leaked data from already-corrupted rows — it strips at READ + WRITE. A separate one-shot migration to scrub stored values is queued but not blocking: the READ scrub keeps the leak out of

B-7: inject_builder_content rejects simplified types

• fix B-7: inject_builder_content rejects simplified types. Pre-fix the detector returned unknown for payloads using simplified types (section, row, column, heading, etc. without divi/ or et_pb_ prefix) and hard-failed with "D
• fix {content: [...]} wrapper unwrap. Round-tripped extracts come back as {content: [...]}. The new unwrapBuilderContent helper normalises before forwarding so every downstream caller sees the same shape
• fix Camrin@cspmarketingsolutions friendly→canonical param translation. Three structural tools (move_element, duplicate_element, reorder_elements) advertised friendly param names but the REST endpoints required typed pairs. D

Truncation guard in Respira_API::update_element only fires on REAL truncation now

• fix Truncation guard in Respira_API::update_element only fires on REAL truncation now. Pre-v7.0.52 the guard at class-respira-api.php line 6159 compared the byte length of $updates['content'] (input) to the byte length of th
• fix content + text identifier_types skip the verify step entirely. For those identifier shapes the post-write find_module is unreliable BY DESIGN (the identifier string was the thing we just changed). No verify, no false pos
• fix New updates._skip_truncation_check: true opt-out for callers that know the verify-find would land on the wrong node. Safety hatch — the guard stays opt-in-default for paths where it does catch real truncation
• note Bug #1 from Morgan's report (update_element with match_content targets the FIRST match instead of the DEEPEST match) is actually addressed correctly by the v6.11.1+ find_divi4_shortcode deepest-match logic at class-build
• note Bug #3 (4-minute timeout on update_page / inject_builder_content for ~113KB Divi shortcode pages) is the same large-page complexify-tree-walk overhead that bit M.P. on Fischers Fritze. Belongs to v7.1.
• note The customer-facing impact of the false positive was severe: Morgan saw "tool failed" on a write that had actually persisted his changes correctly, retried via a workaround that bypassed type validation, and corrupted hi

Respira_Builder_Tree_Utility::matches() content identifier_type now deep-searches options / attrs / settings

• fix Respira_Builder_Tree_Utility::matches() content identifier_type now deep-searches options / attrs / settings. Pre-7.0.51 the content matcher only checked $element['content'] (Elementor / Divi 4 top-level string) and $ele
• fix update_element adds a normalize_element_updates($existing_element, $updates, $wrap_target) hook on Respira_Builder_Interface; Oxygen overrides it to route ct_image / ct_image_overlay flat patches into options.original. P
• note Verified end-to-end on Studio :8882 with Oxygen Classic 4.9.7. Test fixture: synthetic page with a ct_text_block whose options.ct_content is "Hello world<br>this is a paragraph ending in br" plus a ct_image with options.
• note The normalize_element_updates hook lands on the interface as an optional method — adapters that don't override it pay no cost. Future adapter-specific patch normalisations (Beaver's nested font field family, Breakdance's
• note Wider M.P. Härtetest findings: items #1, #2, #3, #5 are addressed by v7.0.47 → v7.0.50 (already shipped); the 4-minute timeout he flagged separately should also clear once v7.0.49's auto-heal removes the upstream 500 tri

divi_render_critical_attrs() no longer flags divi/column nodes missing attrs.type

• fix divi_render_critical_attrs() no longer flags divi/column nodes missing attrs.type. The render-critical-attrs map was introduced in v7.0.0 Bloom Phase B to catch LLM hand-writes that would render empty (heading without ti
• note Verified on Studio :8882 with synthetic 5-section Divi 5 tree containing 9 divi/column nodes with attrs => [] (the round-trip shape): validator returns 0 entries. Counter-test with deliberately bad leaf modules (heading
• note This release narrows the validator surface but does NOT fix the broader inconsistency between build_page (skip validator) and inject_builder_content (apply validator). That's a deliberate scope decision: the column rule
• note The Nettl reporter posted a very precise repro (5 sections, 4 rows, exact node counts) plus a working hypothesis pointing at content.innerContent. The actual root was different but the report's structured shape made the

update_page auto-heals a poisoned _wp_page_template before wp_update_post fires

• fix update_page auto-heals a poisoned _wp_page_template before wp_update_post fires. Reads the existing value, validates against wp_get_theme()->get_page_templates($post, $post_type) (same method WP core's REST controller us
• note Verified on Studio :8882 with uncode theme active (registers 0 page templates). Test fixture: page poisoned with _wp_page_template=ct_template, then wp_update_post fired. Pre-v7.0.49: WP_Error invalid_page_template. Post
• note Resolves the persisted-bad-state half of the M.P. bug. The 4-minute read timeout signal he separately flagged is almost certainly a follow-on of the 500 — a save_post hook chain (Cloudflare cache purge / Wordfence rescan
• note The v7.0.48 guard stays in place. Defence-in-depth: v7.0.48 prevents new poisoned writes; v7.0.49 cleans up existing poisoned values; v7.0.47's shutdown handler still localises any remaining throws. M.P. should see clean
• note The auto-heal only fires when needed (existing value present + not registered + not baseline). Pages with a registered template are unchanged. Pages with no template are unchanged. Zero behavioural impact on the 99% of i

Respira_API::update_post_meta_fields() validates _wp_page_template against the active theme's registered templates

• fix Respira_API::update_post_meta_fields() validates _wp_page_template against the active theme's registered templates. Uses wp_get_theme()->get_page_templates($post, $post_type) (the same method WP core's REST controller us
• fix Respira_Builder_Oxygen::inject_content() validates ct_template before the auto-set. Pre-7.0.48 the Oxygen adapter wrote _wp_page_template=ct_template whenever the existing value was empty or 'default', no matter whether
• note Verified end-to-end on Studio :8882 with Uncode theme active and Oxygen Classic 4.9.7 active. get_page_templates() returns an empty array on that stack. Test fixture: API call with _wp_page_template=ct_template correctly
• note The v7.0.39 diagnostic envelope + v7.0.47 shutdown handler stay in place. Together with the v7.0.48 source-side guard the layered defence is: (a) bad value never reaches WP_REST_Posts_Controller (this release), (b) if so
• note The Oxygen adapter still logs the skip explicitly because losing the page-template auto-set CAN matter on themes that override the page render. The customer-facing impact in that case is "page renders via theme template

New Respira_Analyzable_Content::html_for($post_id) shared content extractor; SEO / readability / Rank Math / performance / image / AEO analy

• fix New Respira_Analyzable_Content::html_for($post_id) shared content extractor; SEO / readability / Rank Math / performance / image / AEO analyzers all route through it. Detects the active builder via Respira_Builder_Interf
• fix update_element REST handler now wraps register_shutdown_function around the request lifecycle. v7.0.39 added try/catch \Throwable on every userland exit site, but PHP-level fatals (memory exhaustion mid-request, max_exec
• note The new extractor file (includes/analyzers/class-respira-analyzable-content.php) is included once per analyzer class file via if ( ! class_exists ) require_once. The five existing analyzer classes (class-respira-seo-anal
• note WPBakery / Bricks / Breakdance extractors are queued for the next ship. Today the dispatcher returns $post->post_content for those builders, which is at worst the same false negative the audit reported before this fix —
• note Studio test pattern for the next builders to come online: build a fresh page with empty post_content + populate the builder's native postmeta key with a minimal synthetic tree, then call each analyzer's analyze_* method
• note The shutdown-handler change is additive over v7.0.39's userland try/catch — both run, and the userland catch still wins on every non-fatal throw. The shutdown hook only fires when PHP-level shutdown carries a fatal error

Tree_Utility::matches() type+match_content branch deep-searches attributes / attrs / settings for the needle

• fix Tree_Utility::matches() type+match_content branch deep-searches attributes / attrs / settings for the needle. Pre-7.0.46 the branch only ran stripos($element['content'], $match_content). Self-closing Divi 4 modules (et_p
• note Closes the github #32 follow-up surface P.L. raised — third increment on this issue but the underlying bug was always one piece deeper than the previous fix suggested. v7.0.29 added attribute-text matching for update_mod
• note Verified by inspection: the new match path uses text_contains for the content body (HTML-tolerant via the existing v6.5.1 sanitiser) and any_string_contains for the attribute buckets (recursive deep-search). Both helpers

batch_update per-operation resolver now forwards match_content to Tree_Utility::find()

• fix batch_update per-operation resolver now forwards match_content to Tree_Utility::find(). Pre-7.0.45 the call site only passed 4 args (the optional 5th match_content was dropped), so any batch operation targeting a specifi
• fix batch_update remove action gets the same fix. Both actions in the same method use the same shared $op_match_content variable
• note Operator-trapping severity: pre-fix the API returned success: true with the write landing on the wrong element. Mid-batch silent data loss with a green-status response.
• note Closes github #32. The Divi 4 customer surface arc (P.L. / Catholic Mass Times) over the v7.0.29 -> v7.0.45 chain: kses corruption (closed v7.0.29), column corruption (closed v7.0.29), silent no-op (closed v7.0.29), per-

Respira_Builder_Tree_Utility::matches() extends id lookup to Oxygen's options.ct_id + options.selector

• fix Respira_Builder_Tree_Utility::matches() extends id lookup to Oxygen's options.ct_id + options.selector. Both the integer form ("24") and the full selector form ("headline-24-303668") now resolve via the id identifier pat
• fix Same matches() extends class lookup to Oxygen's options.selector + options.classes. Substring-match (consistent with the existing class semantics for other adapters). Lets callers target a specific Oxygen element by its
• note Closes M.P.'s third finding from the v7.0.40 Härtetest (identifier_type variants mostly broken on Oxygen). The fourth identifier — content with HTML-preserving text matching — is queued for the next ship (the current tex
• note Does not address the third-party-hook 500 still wrapping every Oxygen write — that one needs the v7.0.39 diagnostic envelope, which is only visible to clients running MCP 6.17+. M.P. is on MCP 6.11.4 via the stale .mcpb
• note The update_page 500 with invalid_page_template M.P. flagged is a separate finding — the meta-write goes through before WP core's page-template validator throws. Queued for the next ship.

respira_no_builder (find_element on a post without builder content) now carries actionable hints

• fix respira_no_builder (find_element on a post without builder content) now carries actionable hints. Returns a data.instructions array with five concrete next steps: read raw content via respira_read_page + include="content
• fix respira_element_not_found (find_element with a wrong identifier) now names the failing identifier in the message AND carries recovery hints. Five instructions: call respira_find_builder_targets for the populated identifi
• note Companion release: @respira/wordpress-mcp-server@6.18.1 ships the error-classification fix so the error_code column on the admin dashboard now reads respira_no_builder and respira_element_not_found instead of the literal
• note No data shape change for clients that ignore data.instructions. Error code, message, and HTTP status are unchanged. This is additive metadata only.
• note Lite plugin v1.2.2 ships the same hint pattern on respira_page_not_found from its extract/inject path.

Republished respira-wordpress-latest.mcpb bundle at 6.18.5

• fix Republished respira-wordpress-latest.mcpb bundle at 6.18.5. The .mcpb bundle in /downloads had been pinned at MCP 6.11.11 since first publish — ten minor versions stale. Bumped to 6.18.5 and rebuilt the 7.5MB bundle
• fix Node version preflight on the --setup CLI. Adds a clean "Node ≥20 required; you have v18.x" error instead of letting the MCP boot half-loaded on stale Windows Node installs

respira_scan_page_accessibility wrapper resolves page_id to permalink before calling the endpoint

• fix respira_scan_page_accessibility wrapper resolves page_id to permalink before calling the endpoint. Calls getPage(pageId) first, reads the url field off the returned page object, sends both { url, page_id, standard } to /
• note Wrapper-side fix only — no plugin change required. The WP endpoint at class-respira-accessibility.php line 138 has always required url; that contract is unchanged.
• note Verified by inspection of the type definition (Page.url exists on the getPage() response).
• note Customer who reported can pull the new MCP server via npx -y @respira/wordpress-mcp-server@6.18.3 or wait for their AI host to pick up the latest npm on next session.

resolveClient no-site throw now sets error.name = respira_no_site_configured

• fix resolveClient no-site throw now sets error.name = respira_no_site_configured. Previously the throw name was the literal Error, so the admin/mcp-quality dashboard couldn't tell a pre-setup state (user hasn't redeemed a to
• fix .local / localhost / .test URL detection in WordPressClient.handleError. When axios fails on a connection-level error AND the configured site URL is a local dev address, the error name flips to respira_local_url_unreacha
• fix Network errors in general now name themselves network_<code> (network_econnrefused, network_enotfound, network_etimedout, network_cert_has_expired, etc.) so the admin dashboard groups them distinctly from WP-level errors
• note The third cause in the trace was a real auth bug for one customer (token mismatch on ksmannequin.com). That's a config issue handled out-of-band, not a code fix.

Upload axios timeout default drops from 120s to 90s

• fix Upload axios timeout default drops from 120s to 90s so the helpful "Upload timeout: <filename> (<size>KB)..." message fires before the watchdog wins the race. The watchdog envelope is generic; the axios envelope names th
• fix Host-context detection on upload timeout. The error message now appends a specific recovery hint when the site URL matches a known slow substrate:
• fix These three substrates collectively account for a non-trivial slice of trial-user setups, where the upload-timeout failure mode is bandwidth-cap not WordPress-config.
• note This doesn't fix the underlying free-host bandwidth problem (i can't). It tells the agent (and through it, the customer) exactly what to do next. Worth it.

(prior release notes from interim

Response-size cap

• fix Response-size cap. Every tool result is now serialized + length-checked before returning to the host. Default cap is 100 KiB. Anything above returns a structured truncation envelope with the original size, a per-tool pag
• fix Per-tool pagination hints baked in for the worst offenders: list_options, get_builder_info, list_pages, list_posts, list_users, list_media, extract_builder_content, list_plugins. Each carries the exact arg shape to retry
• fix Envelope preserves result.site when present so callers that branch on the site shape don't crash on truncation
• note The truncation envelope shape is additive. Tools that already returned { ... } objects keep their shape under the cap. Above the cap, callers see { _truncated: true, _hint, _original_size_bytes, _cap_bytes, ... }.
• note No upstream-host change shipped here. The supervisor-reaping bug is filed separately with Anthropic.

Error classification reaches telemetry

• fix Error classification reaches telemetry. WordPressClient.handleError() and formatErrorWithInstructions() now stamp the WP_Error code field (e.g. respira_no_builder, respira_element_not_found, respira_post_not_found) onto
• fix Companion to plugin v7.0.43. The Pro plugin patches respira_no_builder and respira_element_not_found with data.instructions arrays. The MCP server's existing formatErrorWithInstructions() already renders that bullet list
• note Existing customers running 6.18.0 keep working. error.name = "Error" was never a contract, just an unobserved default. The change is backward-compatible for any consumer that doesn't rely on the literal string "Error".

respira_*_theme_file REST endpoints under /respira/v2/theme-files/{base64_path}

• add respira_*_theme_file REST endpoints under /respira/v2/theme-files/{base64_path}. Three endpoints, all gated behind the same API-key permission check the rest of the plugin uses plus a user_can( $user_id, 'edit_themes' )
• add CSS-family scope. PHP / JS deliberately out of scope. Allowlist for v1 is css, scss, less, json — formats WordPress never includes server-side, so the worst a bad write can do is produce a frontend visual regression. The
• add Path encoding. The path is passed base64-url encoded so slashes don't fight the REST route pattern. The decoded path must be relative, must have no leading slash, no .. segments, no null bytes, no backslashes. After real
• add Size cap. Every write or append caps the resulting file at 1 MiB. Real-world theme stylesheets (including Tailwind-compiled child-theme output) rarely exceed 300 KB, so the cap is conservative without being restrictive.
• add Audit log. Every successful write or append calls Respira_Auth::log_action with action='theme_file_write' / 'theme_file_append', so the Activity page in admin shows what the agent touched on disk — same surface admins al
• note Read-only theme filesystems (some managed hosts mount /wp-content/themes read-only and require deploys via Git / SSH) return a clean respira_theme_file_not_writable 403 rather than a 500. The error message names the file

normalize_bricks_settings strips wrapping quotes from var(--token) references inside _typography

• fix normalize_bricks_settings strips wrapping quotes from var(--token) references inside _typography. New strip_var_wrapping_quotes() helper runs as transform T5b after the existing typography migration (T5). Pattern: /^([\'
• note The wrapping quotes come from upstream templating / serialisation: callers (and AI agents) tend to template font values as quoted strings because that's the safe shape for multi-name font lists. The templating step doesn
• note Standalone unit tested (11 cases) before ship: wrapping double quotes stripped, wrapping single quotes stripped, padded values trimmed, bare var() no-op, real font name no-op, font list no-op, var() inside compound value
• note The v7.0.27 K.B. bug bundle (5 Bricks typography normalisation rules) plus v7.0.41 (font-family var() preservation) together close out the typography write-path surface K.B. has been raising. Future Bricks reports from h

update_element base class wrap-target is now introspected from the existing element shape

• fix update_element base class wrap-target is now introspected from the existing element shape. Pre-7.0.40, a call like update_element({type: ct_headline, updates: {ct_content: "new"}}) wrapped to {settings: {ct_content: "new
• note Verified end-to-end on Studio :8882 with Oxygen Classic 4.9.7 active. Pre-fix: synthetic ct_headline fixture, update_element({type: ct_headline, updates: {ct_content: "...2026"}}) → success: true, persisted options.ct_co
• note v7.0.39's diagnostic envelope stays in place. Customers seeing 500s now get exception_file + exception_line surfaced via WP_Error data envelope; customers seeing silent-success "but my edit didn't apply" now get a real p
• note M.P.'s Reproducer 1 (update_element on ct_headline ct_id 24) is the canonical test case. The shape of his report — success: true from his agent followed by "the page still shows the old value" — fits the silent-write sig
• note Bricks, Beaver, Divi (4 + 5), Elementor (3 + 4), WPBakery, Flatsome behavior unchanged: existing elements have settings → wrap target stays settings.
• note Mauricio's Reproducer 3 (find_element + match_content 404 on matching content) and his "list_pages returns only products" finding are queued separately. Diagnostic envelope keeps them debuggable.

extract_content self-heal write now in try/catch \Throwable

• fix extract_content self-heal write now in try/catch \Throwable. The v7.0.18 canonical-JSON self-heal write at the end of extract_content (re-wraps the components array in Oxygen's root object {id:0,name:"root",depth:0,child
• fix update_element REST handler (class-respira-element-ops.php) wrapped in try/catch \Throwable. Mirrors the existing per-adapter wrap inside Respira_Builder_Oxygen::inject_content. Catches any throw upstream of the builder
• note This release does NOT fix the underlying 500. It makes the 500 diagnosable in one round-trip. Pre-v7.0.39 Mauricio's report says "internal_server_error" with no detail; on v7.0.39 the same call will return a WP_Error env
• note The same envelope-widening approach will be extended to inject_builder_content, apply_builder_patch, remove_element, move_element, and batch_update in v7.0.40 if the M.P. trace points back at a Respira-internal site (rat
• note find_element + match_content (Mauricio's Reproducer 3) and list_pages returning only products (his "Other findings" section) are separate bugs queued for the same 7.0.40 window.

Bug #1 — add_* widget shortcuts now fall back to the site-wide active builder

• fix Bug #1 — add_* widget shortcuts now fall back to the site-wide active builder. Pre-fix, calling any add_button / add_heading / add_section / add_* shortcut on a fresh draft (just created via create_custom_post or build_p
• fix Bug #3 — get_page_outline auto-detects when builder is omitted or auto. Pre-fix the endpoint required a builder param and returned a hard respira_builder_not_active error when MCP callers tried to follow up a build_page
• fix Bug #8 — find_element surfaces matches[] + count on multi-match. Pre-fix the API returned a single element and a 200 status even when a page contained 3+ elements satisfying the same identifier (e.g. two vc_btn of the sa
• fix Bug #9 — security validator allows first-party builder shortcodes + names offending pattern. Pre-fix [vc_gmaps link="#E-8_JTNDaWZyYW1lJTIw..."] was getting rejected because the URL-encoded value decodes to <iframe> and t
• fix Bug #11 — vc_message label resolver drops the color attr. Pre-fix derive_wpbakery_label() had 'vc_message' => array( 'message_box_color', 'el_id' ) in its catalog. message_box_color returns the style ("warning" / "info"
• fix Bug #13 — add_* responses thread element_id + index back to the caller. Pre-fix the response shape was {success, shortcut, widget, post_id, message} — no way for the agent to reference the newly-added element on the next

Mirror every _fl_builder_data write to _fl_builder_data_published

• fix Mirror every _fl_builder_data write to _fl_builder_data_published. Beaver Builder stores layout data on two parallel postmeta keys. _fl_builder_data is the draft data the editor reads; _fl_builder_data_published is the p
• note This closes a bug family the smartdigital.design surface raised over the v7.0.17 → v7.0.25 → v7.0.35 → v7.0.37 arc: missing-size default (v7.0.17), font-field-must-stay-array (v7.0.25), and now draft/published mirror (v7
• note Side-effect tested: BB's own UI continues to work normally on these pages because both keys hold identical data; opening a page in BB after a Respira write reads the (now-aligned) draft, and clicking Save still copies dr
• note The FLBuilder::delete_all_asset_cache($post_id) call already in the inject paths still runs after the mirror, so the per-page compiled CSS file gets regenerated on the next frontend hit.

respira_read_theme_file / respira_write_theme_file / respira_append_theme_file

• add respira_read_theme_file / respira_write_theme_file / respira_append_theme_file. Three new tools that talk to the corresponding REST endpoints under /respira/v2/theme-files/* shipped in plugin v7.0.42. Each takes a relati
• note CSS-family only, scope-bounded by design. Allowlist is css, scss, less, json. PHP and JS theme writes are intentionally out of scope (separate RCE-class security review queued for a later release). On a write to a .php /
• note Path encoding. The MCP client base64-url-encodes the relative path before hitting the REST endpoint so slashes don't fight the route pattern. Callers pass a normal relative path string; the encoding is invisible
• note Capability + size guards. Each call goes through the plugin's standard API-key check plus an edit_themes capability check on the user behind the API key (Subscriber / Author / Contributor / Editor are blocked even with a
• note Filesystem-not-writable cases (managed hosts that mount wp-content/themes read-only) return a clean respira_theme_file_not_writable 403 with the file path in the message, so the agent can suggest the appropriate next ste
• note Audit log. Every successful write or append calls Respira_Auth::log_action plugin-side, so the Activity page in WP admin shows the agent's filesystem touches alongside its page edits

RESPIRA_SITES filter visibility

• add RESPIRA_SITES filter visibility. When the RESPIRA_SITES env var is set, the bootstrap stderr now logs the active allow-list and the names of any configured sites it hides. Previously, a stale value baked into claude_desk
• add respira_list_sites returns hidden_by_filter. When the filter hides one or more sites, the tool result now includes a hidden_by_filter array (full site summaries) plus a filter_note string explaining where to fix it. The
• add Orphan-process detection at boot. If other wordpress-mcp-server processes are running when this one starts, the bootstrap stderr lists their PIDs and recommends pkill -f wordpress-mcp-server. The supervisor (Claude Code
• add Global-install warning. If the running binary path is under /opt/homebrew/ or /usr/local/ (a global Homebrew or npm i -g install), the bootstrap stderr warns that npm exec is ignoring any @latest pin in claude_desktop_co
• add respira_diagnose_connection runtime + filter blocks. Adds two new top-level keys to the diagnose response:
• add Bootstrap stderr includes PID. respira-mcp vX.Y.Z ready · pid 12345 · N sites: ... (was: respira-mcp vX.Y.Z ready · N sites: ...). Lets the customer cross-reference the printed PID against ps -ef to confirm which exact p

npm package description rewritten

• change npm package description rewritten to lead with v6.17.0 (SOUL.md, respira_search_docs, respira_report_issue, 30s diagnose probe default, bootstrap stderr log), then v6.16.0 (telemetry-by-default), then a tighter run throu
• change README "What's New" section refreshed. Old block led with v6.0 Storefront context-aware filtering; new block leads with v6.17.0 (SOUL.md + the three new tools + triage rule), then v6.16.0, then v6.3, then v6.0 in that or

wp.org review fixes

• change Display name updated to "Inhale: MCP Abilities by Respira" so the author attribution is visible in wp-admin plugin lists. Slug inhale-mcp-abilities is unchanged.
• change Contributors field in readme.txt now lists urbankidro (the wp.org username that owns the plugin) instead of the brand string. The Author header still reads "Respira" so the visible attribution on the directory page is un
• change uninstall.php updated to remove the new primary key, the v0.4.0 migration flag, the canonical compat key, and every legacy key from v0.1.x and v0.2.x. Single-site and multisite sweep.

All 8 Divi _et_pb_page_content / _et_pb_layout_content meta writes now wrap in wp_slash()

• fix All 8 Divi _et_pb_page_content / _et_pb_layout_content meta writes now wrap in wp_slash(). Four pairs across the file (v2 builder/build inject at line 2294, simplifier inject at 1680, per-attribute update_element writer
• note The Divi 4 adapter's wp_update_post() write paths already wrap in wp_slash() for the same reason (wp_update_post also runs wp_unslash() on its values). That defence has been in place since the v7.0.x kses + slash hardeni
• note Existing pages with already-bare u003c content in their meta need a separate recovery / re-encode pass that catches the bare sequences on read and restores them to valid HTML on the next write. Queued for v7.1. The wp_sl
• note The PageForge → Respira path mentioned in v7.0.34 / 7.0.35 customer reports is one of many producers of this shape, not a special case. Any Divi 5 inject path producing serialised blocks with JSON-encoded HTML hits the s

SOUL.md — agent persona + rules of engagement loaded at every handshake

• add SOUL.md — agent persona + rules of engagement loaded at every handshake. Every AI agent that connects to the Respira MCP now reads SOUL.md before its first tool call. Defines identity (single-builder product, no team, no
• add respira_search_docs tool. Full-text search over the Respira documentation corpus (mirrored from webmyc/Respira.press-Documentation-and-Community). The agent calls this BEFORE offering to file a bug — most "bugs" are docu
• add respira_report_issue tool. File a structured bug report from inside the AI chat. The agent calls this with title/brief/severity/steps_to_reproduce/expected/actual/error_messages/last_tool; the MCP server auto-attaches si
• change respira_diagnose_connection probe timeout: default 30000ms (was 15000ms). New probe_timeout_ms arg, clamped to [5000, 60000]. Sites behind Cloudflare custom rules routinely cross 15s on first-hit HEADs while curl from th
• change tool_timeout error hint expanded. The structured tool_timeout response now also points to respira_diagnose_connection (to triangulate which network layer is slow) and respira_report_issue (to file a structured bug report
• change Bootstrap stderr log includes site list. The line printed on await server.connect(transport) now reads respira-mcp vX.Y.Z ready · N sites: hostname1, hostname2, ... instead of the generic running on stdio. Tells the cust

usage-emitter.ts — 3-tier auth (OTEL bearer → per-site license api_token → off)

• change usage-emitter.ts — 3-tier auth (OTEL bearer → per-site license api_token → off). The emitter now accepts per-site api_token registrations via registerSiteToken(siteUrl, apiToken). The MCP server iterates each configured
• change /api/mcp-spend/track (server-side) — accepts api_token bearers. The endpoint now recognises two token shapes: rp_otel_* (resolved against ai_spend_tokens as before) and anything else (resolved against sites.api_token, wi

WordPress.org Plugin Directory submission

• change Canonical option key. v0.2.0+ stores the opted-in list under mcp_adapter_public_abilities — the same key proposed first-party in [WordPress/mcp-adapter#184](https://github.com/WordPress/mcp-adapter/pull/184). A one-shot
• change Brand-aligned chrome. Header with "by respira.press" Baskervville italic subtitle and a tiny version pill in the right-side toolbar. Light and dark themes both render with AA contrast
• change iOS-style toggle in the Status column for fast per-row inhale / exhale, on top of the standard wp-admin bulk-actions pattern
• change Foreign admin notices suppressed on the Inhale settings page only, so the screen stays focused on the one decision it exists to support
• change Hardened uninstall. Removes every option the plugin has ever written, single-site and multisite
• change Plugin Directory readiness pass. ABSPATH guards on every shipped PHP file. Every output escaped. Every state-changing request nonce-verified and capability-gated. No remote calls, no tracking, no obfuscation, no bundled

Respira_Builder_WPBakery::parse_shortcode_attrs preserves "0" attribute values

• fix Respira_Builder_WPBakery::parse_shortcode_attrs preserves "0" attribute values. Pre-v7.0.35 the three regex-capture branches (double-quoted, single-quoted, unquoted) were guarded by ! empty( $match[N] ). empty("0") retur
• note Full crash chain captured from the live debug.log: wp_update_post → save_post action → Yoast SEO Indexable_Post_Watcher::build_indexable → Indexable_Link_Builder::build → apply_filters('the_content', ...) → do_shortcode
• note v7.0.34's CSS regen fix was correct on its own merits — buildShortcodesCss() does need to run on every Respira write to keep the per-post CSS caches in sync. It just wasn't the root cause of the cekt-reported 500. Both f
• note The same ! empty() pattern can hide in other parsers in the codebase; future audit candidate — but the immediate fire is out.
• note Verified end-to-end on cekt.ro itself via SSH'd WP-CLI: duplicate of 119462 + remove_element on the marquee row returns ok from the writer and the resulting URL returns HTTP 200 with 206 KB body and the row 3 vc_row shor

WordPressClient — exponential-backoff retry on transient failures

• change WordPressClient — exponential-backoff retry on transient failures. The axios response interceptor now retries up to 3 times (200ms / 600ms / 1800ms) on either an HTTP 5xx response or a transient connection error (ECONNRE
• change index.ts — top-level panic boundary. Pre-v6.15.0 the uncaughtException handler logged the error and then process.exit(1), taking the entire MCP stdio session down whenever any unexpected throw escaped a handler. The unha
• change usage-emitter.ts — explicit 3s AbortSignal.timeout on the dashboard POST. v6.14.0 shipped the per-tool-call usage telemetry with an unbounded fetch() — if the customer's machine couldn't reach www.respira.press/mcp-spend
• note The 30-call parallel respira_delete_comment batch dropping 28/30 calls (cekt.ro report) is NOT addressed by this release. That's likely either an MCP SDK request-multiplexer limit or a WordPress 6.4-side batch endpoint b
• note Stdio heartbeat / $/disconnect notification on intentional exit are also queued for a later release. They require MCP protocol-level work; this release is purely server-side reliability.
• note Pairs with no plugin release. Safe to upgrade independently; existing clients keep working without a restart, though they need a restart to actually pick up the new build.

Respira_Builder_WPBakery::inject_content regenerates _wpb_shortcodes_custom_css + _wpb_shortcodes_default_css after every write

• fix Respira_Builder_WPBakery::inject_content regenerates _wpb_shortcodes_custom_css + _wpb_shortcodes_default_css after every write. Root cause: WPBakery's Vc_Post_Admin::setPostMeta (the save_post hook that calls buildShort
• fix Respira_Builder_WPBakery::rebuild_wpbakery_shortcodes_css($post_id) — new protected helper that does the regen. Centralised so any future inject path (build_page, batch_update, apply_builder_patch) routes through the sam
• note Verified live on Studio :8881 with Uncode 2.9.4.7 theme + uncode-js_composer 7.8 active. Fixture: two rows, each with css=".vc_custom_{id}{padding;background;}" annotations. After remove_element on row A: stale row-A CSS
• note This pairs with v7.0.33: v7.0.33 fixed the SAVE side (attribute serialisation, the silent attr-drop bug) and v7.0.34 fixes the RENDER side (CSS meta sync). The end-to-end agent-driven WPBakery + Uncode workflow is unbloc
• note The fix is unconditional on WPBakery being active because wpbakery() is only present when js_composer (any variant) is loaded; the helper short-circuits cleanly when the function doesn't exist, so this is a no-op on non-

build_wpbakery_shortcodes reads the attribute bag from any of attrs / attributes / settings (Primary fix)

• fix build_wpbakery_shortcodes reads the attribute bag from any of attrs / attributes / settings (Primary fix). Pre-v7.0.33 the writer only read $shortcode['attrs'], but the v7.0.31 simplifier populates attributes (canonical)
• fix update_element on a WPBakery container with updates.content now parses + replaces children (Secondary fix). New Respira_Builder_WPBakery::update_element() override intercepts targets whose type is in container_shortcode_
• fix Respira_Builder_WPBakery::container_shortcode_types() — new public helper listing the shortcode types treated as containers for the override above and for future container-aware features
• add MCP server v6.14.2 — wordpress_delete_page exposes approval_token. Pre-v6.14.2 the schema only had id and force even though the plugin returned respira_approval_required with a fresh approval_token on every blocked call.
• note Verified live on Studio :8881 with the cekt.ro Row 8 team-grid fixture: extract → inject preserves every attribute (media, media_ratio, width, medium_width, uncode_shortcode_id, text_font, inner heading text); update_ele
• note The build-site read-fallback fix is a one-character change that retroactively restores correctness for every previous WPBakery write since v7.0.31. Sites whose only edit pattern was "update an element via the editor → re

fold_divi5_children_aliases() — Divi-vocabulary aliases for children

• fix fold_divi5_children_aliases() — Divi-vocabulary aliases for children. New static helper on Respira_Builder_Divi collapses rows, cols, columns, modules, elements, and innerBlocks into the canonical children list before co
• fix Respira_Builder_Tree_Utility::walk() traverses the same alias set. Pre-v7.0.32 count_elements only walked the configured children_key, so an alias-shaped payload reported element_count: 1 on a 5-element nested tree — act
• fix collect_children_drops() — hard error on silent children drops. New static helper on Respira_Builder_Divi walks the post-complexify block tree side-by-side with the input payload and returns every node whose actual inner
• add MCP server v6.13.1 — description-only updates on wordpress_build_page and wordpress_inject_builder_content that document the canonical children shape with a Divi 5 example, name the accepted aliases, and mention the resp
• note Verified live on Studio :8881 against Divi 5.4.1 with S.O.'s exact rows/cols/modules payload. Section + row + column + heading + text blocks all emit correctly; element_count reports 5; canonical children form still work
• note The fold is intentionally narrow (Divi-vocabulary + generic). Other builders (Bricks, Beaver, etc.) keep their adapter-native alias handling — this change is scoped to the Divi 5 complexify path.

respira_get_page_outline (#7)

• add respira_get_page_outline (#7) — new MCP tool + REST endpoint /respira/v1/builder/{builder}/outline/{post_id}. Returns one entry per top-level row with { index, type, kind, primary_heading, child_count, child_types }. Lig
• add respira_get_builder_inline_schemas (#5) — new MCP tool + REST endpoint /respira/v1/builder/{builder}/inline-schemas. Returns per-shortcode attribute schemas (param_name, type, heading, description, value, dependency, gro
• add Uncode adapter pack (#6) — parser extended from vc_* only to vc_* | uncode_* | tdb_* via a single prefix-alternation source (Respira_Builder_WPBakery::supported_shortcode_prefix_alt()). Uncode shortcodes (uncode_hl_text,
• fix WPBakery find_builder_targets no longer returns null labels (#1). simplify_structure now derives a label / admin_label / text for every node by decoding content-bearing shortcode attrs via Respira_Builder_WPBakery::deriv
• fix MCP find_builder_targets pagination (#2). total_matches is now the true full-tree match count, independent of limit. New offset parameter + has_more boolean + next_offset integer in the response so callers can paginate w
• fix WPBakery parser preserves document order across paired + self-closing passes. Pre-v7.0.31 paired matches were appended before self-closing ones, so a row like [vc_custom_heading][vc_column_text]…[/vc_column_text][vc_btn]

update_element by id now resolves on Divi 5 trees

• fix update_element by id now resolves on Divi 5 trees. Tree_Utility::matches for the id identifier only checked a top-level id key on the simplified node. Divi 5 stores its per-block identifier as _nodeId inside the attrs /
• fix respira_approve_duplicate stale-base check no longer false-positives on untouched originals. Pre-v7.0.30 the staleness gate compared base_snapshot.hashes vs current_hashes across builder_hash, rendered_hash, AND allowlis
• note The id-matcher fix is universal across every adapter that walks trees through Respira_Builder_Tree_Utility::find(). Builders that use top-level id (Bricks atomic, Elementor) continue to match as before; the _nodeId fallb
• note Mid-term: the wider complexify_divi5_blocks vs Divi 5 renderer alignment audit Z.R. flagged in the v7.0.28 thread is queued for v7.1 (the redesign release that lands mid next week).

inject_content kses-bypass wrap (Bug 1, the convergence-point fix)

• fix inject_content kses-bypass wrap (Bug 1, the convergence-point fix). Every Divi 4 write tool that mutates the structure rather than the per-attribute writer — respira_batch_update, respira_apply_builder_patch, respira_rem
• fix Column extract → inject round-trip no longer corrupts column type (Bug 2, the silent data-loss fix). The extractor regex (\d+)_12 only matched the legacy "N_12" notation; every modern Divi 4 column type ("4_4", "1_2", "1
• fix update_module + apply_builder_patch now honour flat-attribute payloads (Bug 3, the silent-no-op fix). Setting updates: {"button_text": "TEST", "button_url": "..."} (the flat shape advertised by the simplified API and use
• fix module_matches_type now finds Divi 4 modules by attribute text (Bug 4, the resolver fix). match_content="COPIAR LINK" lookups on Divi 4 buttons / headings / blurb titles always returned false because the resolver only ch
• fix Legacy-block opaque guard whitelists Divi 4 structural wrappers (Bug 5, the inject_builder_content fix). inject_builder_content on a Divi 4 page hard-rejected at the validator with "Legacy block at index 0 must remain op
• fix update_module REST endpoint accepts JSON-string params (Bug 6, the MCP param-shape fix). MCP clients sometimes auto-JSON-stringify nested-object params at the transport layer. The validation gate that follows expected PH

wordpress_delete_page — approval_token param

• add wordpress_delete_page — approval_token param. Pre-v6.14.2 the schema only exposed id and force even though the plugin returned respira_approval_required with a fresh approval_token on every blocked call. Agents could see

wordpress_build_page description + structure schema description

• change wordpress_build_page description + structure schema description — now documents the canonical nested children: [...] shape with a full Divi 5 example (section → row → column → heading + text), names the accepted Divi-voc
• change wordpress_inject_builder_content description — same shape documentation appended (canonical example + alias list + drop guard). Pre-v6.14.1 the schema gave only a flat single-section example and a generic "Use extract_bu

usage-emitter.ts — per-tool-call telemetry batcher

• add usage-emitter.ts — per-tool-call telemetry batcher. Times every handleToolCall invocation, classifies the tool as read / write from its name prefix, and batches up to 50 events (or every 5 seconds, whichever first) to ht
• add RESPIRA_USAGE_OPT_OUT=1 env var. Disables the emitter entirely. The MCP process still works in every other respect; only the dashboard cost-attribution feed stops

wordpress_get_page_outline

• add wordpress_get_page_outline — row-level outline of a builder page. Returns one entry per top-level row with { index, type, kind, primary_heading, child_count, child_types }. Lighter than extract_builder_content; designed
• add wordpress_get_builder_inline_schemas — per-shortcode / per-block attribute schemas for the requested builder. Currently populated for WPBakery + Uncode + TagDiv via vc_map() at runtime (cached as a transient for 1h plugi
• change wordpress_find_builder_targets — pagination + populated labels. Three changes: (1) total_matches is now the true full-tree match count, independent of limit — pre-v6.13.0 the walker bailed out as soon as results.length h

hardening pass

• change wp_die response code 403 + back link on the settings page permission denial path. Access logs and automated clients now see an authorization failure instead of a generic error
• change Row class escaping normalised: the abilities table's <tr class="…"> attribute is always rendered through esc_attr() instead of conditionally injecting the attribute fragment. No behavioral change, but conforms more stric

first public release

• change Discovers every ability registered via the WordPress Abilities API and lists them in a wp-admin native list table.
• change Standard wp-admin selection + bulk-action UX: row checkboxes are selection; Bulk Actions dropdown plus Apply commits Inhale or Exhale immediately. No save-changes step.
• change Row-hover quick actions for single-ability inhale or exhale.
• change Annotation badges on each ability (read-only, destructive, idempotent) sourced from the ability's declared meta; falls back to heuristic inference from the ability name when the registering plugin didn't tag it.
• change Filter views (All, Inhaled, Read-only, Destructive, Unannotated), a search box that matches across name / source / description, sortable columns, multi-select source filter, client-side pagination (20/50/100/All).
• change Sources summary card above the table listing every plugin or theme that registers abilities, with the count per source and deep-links to each source's wp-admin home.

divi/number-counter typed envelope restored (Bug 1 — regression)

• fix divi/number-counter typed envelope restored (Bug 1 — regression). v7.0.3 stopped routing the counter's number, percent_sign, and subtitle settings into the typed envelope (number.innerContent.desktop.value) and started w
• fix divi/button text colour dual-write to the typography sibling (Bug 2 — pre-existing). Setting button_color / button_text_color wrote the value to button.decoration.button.desktop.value.color — the path the editor's colour
• note Standalone test harness at tests/standalone/v7028-divi5-number-counter-and-button-color.php drives the real complexify_divi5_blocks_public path with the failing input shapes from the bug report and asserts the output att
• note The stale v7.0.3 test at tests/standalone/v703-divi5-number-counter-flat-keys.php is removed — its assertions encoded the wrong routing belief.
• note The mid-term fix for the broader typed-envelope vs renderer alignment family across all Divi 5 styling groups (border, font, spacing, overlay) lands in v7.1 as part of the Divi 5 renderer audit. v7.0.28 only addresses th

_typography: null no longer breaks the Bricks Builder Typography panel (Bug 1)

• fix _typography: null no longer breaks the Bricks Builder Typography panel (Bug 1). Pre-v7.0.27, calling update_element with updates: { _typography: null } persisted a literal null value into the Bricks JSON, which rendered
• fix _background.color strings now lift to the {hex, raw} object shape Bricks' CSS emitter requires (Bug 2). Bricks' Assets::generate_css_color() only emits a rule when the colour is in that object shape (verified against the
• fix _color on text elements now syncs into _typography.color automatically (Bug 3). Bricks stores text colour in two places: _color (the editor's colour picker) and _typography.color (CSS generation). Pre-v7.0.27 setting onl
• fix Typography-related root keys now migrate into _typography with the kebab-case Bricks expects (Bug 4). textAlign, _textAlign, text-align, fontFamily, font-family, fontSize, font-size, fontWeight, font-weight, lineHeight,
• fix _gap on grid containers now fans out to _columnGap + _rowGap (Bug 5). Bricks' grid CSS generation reads _columnGap and _rowGap separately, not the unified _gap shorthand. Transform 6 populates the missing one(s) from _ga
• note Universal element-type application instead of element-gated: the rules are idempotent and harmless on elements that don't render the property (writing _typography.color on a button that doesn't honour it does nothing on

Dashboard site token no longer hardcodes user_id => 0

• fix Dashboard site token no longer hardcodes user_id => 0. Respira_Auth::validate_dashboard_site_token() now resolves a real WP admin in this order: explicit respira_run_as_user_id option, then respira_dashboard_site_token_r
• fix license.php: Reconnect / refresh-key button is now always visible when the license is active, alongside Deactivate. Pre-7.0.26 the only way to find that button was to deactivate the license first — T.S. hit the dead end
• fix Beaver Builder typography itself needed to be a PHP array, not stdClass. v7.0.25 fixed top-level font-typed fields (text_font, etc.) but the v6.0.2 fix_typography_subfields helper explicitly converted the typography cont
• fix Bricks v2 PUT route was claiming POST too, routing every create_bricks_global_class call to the full-replace handler and corrupting the entire registry. Root cause traced live during Studio verification. The v2 /bricks/<
• fix create_bricks_global_class was persisting the auth context blob into the registry. Each created item ended up with a _respira_key_data field stored alongside its real fields, leaking the caller's API key permissions into
• fix Global classes registered via create_bricks_global_class were not applied to elements written through Respira. Respira's Bricks write paths (inject_builder_content, meta._bricks_page_content_2 via update_page, and build_

Optional site_id parameter on every tool schema

• add Optional site_id parameter on every tool schema. Auto-injected by getTools() into all 100+ tools before generateDualTools() so both wordpress_* and respira_* aliases get it. When present, the call uses that site for this
• add resolveClient(args) helper on RespiraMCPServer. Returns the args.site_id-resolved WordPressClient when supplied (and in this MCP configuration group), else falls back to currentSite, else throws a clean structured error
• change dispatchToolCall rewritten to use the per-call resolved client. 131 references to this.currentSite.X(args) inside the dispatcher rewritten to client.X(args). client is computed once at the top of the function via SITE_AG
• change handleToolCall no longer requires a pre-configured currentSite. The pre-v6.12.0 eager if (!this.currentSite) throw new Error('No WordPress site configured') guard at the top of handleToolCall is removed. Site resolution
• note This is the Cowork multi-chat fix. Each Cowork chat can now instruct its agent: "always pass site_id: <X> on every tool call" (system prompt, or per-message). The agent's tool calls then route exclusively to site X regar
• note Backwards compatible by construction. Every existing caller that relies on the implicit-currentSite pattern keeps working without any change. The site_id parameter is optional and additive; older agents that haven't lear

Top-level font-typed fields stayed as stdClass after Respira writes, crashing BB on enqueue

• fix Top-level font-typed fields stayed as stdClass after Respira writes, crashing BB on enqueue. v6.0.2 added fix_typography_subfields to keep typography sub-fields (font_size, line_height, letter_spacing, text_shadow, text_
• note Existing pages corrupted by an earlier Respira write are NOT auto-repaired by this release. To recover an affected page: restore the most recent pre-Respira snapshot via respira_restore_snapshot, or recreate the module f

cssLoading = "file" per-element styling now lands in the regenerated post CSS file

• fix cssLoading = "file" per-element styling now lands in the regenerated post CSS file. v7.0.23 primed Database::set_page_data + Elements::load_elements but the regenerated file still only contained Bricks' built-in element
• fix Render-validator now catches the silent styling-missing failure mode. v7.0.16's Respira_Render_Validator checked structure (min_children, must_have_keys, forbidden_keys) but passed when element styling settings were writ
• note v7.0.23 documented cssLoading = "inline" as the immediate workaround for the file-mode gap. With v7.0.24 the workaround is no longer needed; file mode is now the same level of correctness as inline. The Bricks Settings →
• note No element-type-specific behaviour changed beyond the regen state priming and the post-regen sanity check.

Partial page-meta writes to _bricks_page_settings now deep-merge instead of replacing the whole object

• fix Partial page-meta writes to _bricks_page_settings now deep-merge instead of replacing the whole object. Pre-7.0.23 an agent sending meta: {_bricks_page_settings: {customCss: "..."}} to set a page-level stylesheet wiped e
• fix Bricks per-post CSS regeneration calls the real Bricks API instead of a noop. The pre-7.0.23 adapter fired do_action('bricks/generate_css_file', $post_id) with the wrong arity — that hook is Bricks' post-generation NOTIF
• fix Element-level styling round-trips end-to-end on cssLoading = "inline" (Bricks default). Verified on Studio :8882 with a REST inject_content writing a section + heading with _typography (color, font-size, font-weight), _p
• known cssLoading = "file" per-element styling generated from REST writes lands in the meta but not yet in the regenerated post CSS file in this release. Bricks' Assets::generate_inline_css_from_element walks each element's con
• note No element-type-specific behaviour changed beyond the page-meta write path and the regen API call site. Element trees, validators, and the v7.0.16 element settings-patch normalisation all behave as before.

inject_builder_content with mode:"append" no longer 500s on Breakdance

• fix inject_builder_content with mode:"append" no longer 500s on Breakdance. Calling append against a Breakdance page returned TypeError: Unsupported operand types: string + int. Root cause was a wrapper-normalisation gap: th
• fix inject_builder_content with mode:"replace" is reachable again on pages that already have content. The v7.0.16 replace-confirmation gate (which prevents silent data loss) is satisfied by confirm_replace=true — but that pa
• note The companion @respira/wordpress-mcp-server already carries confirm_replace in the inject_builder_content schema as of v6.11.13. Customers on an older MCP server should npm update to get the confirm_replace path; v7.0.22
• note No element-type-specific behaviour changed. Append and replace route through the same inject_content writer as before; only the pre-merge normalisation and the confirmation gate changed.

Breakdance content now lands at the native properties.content.content.* path the renderer reads

• fix Breakdance content now lands at the native properties.content.content.* path the renderer reads. Confirmed against Breakdance 2.7.2's own element definitions: heading's defaultProperties() is ['content' => ['content' =>
• note This closes the content path for the common Breakdance content elements. Element-specific design properties (the Badge's colour, spacing, typography) live under properties.design.<section>.<control> where the section nam
• note Image2 is intentionally excluded from the nesting set — its content section is image, not content. HTML_img (the more common image element, section content) is included.
• note Builds on the v7.0.20 resolve_breakdance_properties() shape-acceptance fix; the two together take a build_page payload from "empty properties / blank page" through to "populated native properties / renders correctly."

build_page now writes the content the caller passed in the structure, instead of empty properties

• fix build_page now writes the content the caller passed in the structure, instead of empty properties. complexify_structure read content *only* from $item['attributes'] — the canonical Respira simplified shape produced by ex
• fix update_element no longer 500s on flat element-specific keys. apply_breakdance_updates recognised only text / content / design / attributes; any other shape (e.g. build_page-style button_text, or title / description / ite
• note Verified end-to-end on Studio (WP 6.9.4 + Breakdance 2.7.2): a build_page call with Ian's exact {type, data: {content: {...}}} payload now persists populated data.properties on every content element (_breakdance_data ins
• note The full per-element-type key schema (so button_text maps to content.text rather than content.button_text, etc.) is a larger piece of work queued for v7.1 alongside the Divi 5 contact-field schema endpoints. v7.0.20 stop
• note Oxygen 6 and other builders are untouched; this is Breakdance-only.

update_element on Divi 4 now applies a flat updates payload (github #29)

• fix update_element on Divi 4 now applies a flat updates payload (github #29). The respira_update_element tool advertises updates as "key-value pairs of settings", so callers and LLMs send { "button_text": "Go", "button_url":
• fix update_element on Divi 4 no longer strips <script>/<style> from sibling et_pb_code modules (github #28). The kses-bypass shipped in v6.11.0 for the duplicator (#23) was never extended to update_element_divi4()'s wp_updat
• fix update_element on Divi 4 with identifier_type="content" resolves the deepest match, not the outermost section (github #30). find_divi4_shortcode() walked [et_pb_* tags in document order and returned the first hit, which
• fix update_element on Divi 4 with identifier_type="type" honours match_content (github #30). find_divi4_shortcode() took no match_content argument, so on a page with two et_pb_button modules it always returned the first one
• note No MCP-server-side change is required. The fixes are entirely within the plugin's Divi 4 write path and the shared update_element REST handler.
• note The update_element REST handler only folds a top-level match_content param into updates when the resolved builder is Divi. Other builders treat unknown updates keys as element settings to write, so the fold is deliberate

Oxygen Classic _ct_builder_json now persists with the canonical root object instead of a bare array

• fix Oxygen Classic _ct_builder_json now persists with the canonical root object instead of a bare array. Native Oxygen Classic stores _ct_builder_json as { "id": 0, "name": "root", "depth": 0, "children": [ ...sections... ]
• note M.P.'s diff flagged three other differences from native Oxygen pages — missing ct_sign_sha256 shortcode signatures, _wp_page_template = ct_template vs default, and the absence of the _ct_template_* postmeta family. None
• note The _wp_page_template difference specifically is theme-dependent (M.P.'s site uses default + _ct_builder_active; a clean Oxygen install uses ct_template), so changing the Respira default globally would break clean instal
• note Oxygen 6 sites are unaffected — they route through the Oxygen 6 adapter and _oxygen_data, a different storage format. This fix is Oxygen Classic only.

Beaver Builder column nodes now default to size: "100" when the agent doesn't specify one

• fix Beaver Builder column nodes now default to size: "100" when the agent doesn't specify one. Pre-7.0.17 flatten_tree_recursive (class-builder-beaver.php) wrote node settings through verbatim. When the agent emitted {type:"
• fix Oxygen Classic inject_content wraps the entire write body in try/catch \Throwable and surfaces the exception through WP_Error. Pre-7.0.17 the four update_post_meta calls in class-builder-oxygen.php (lines 887/899/902/909
• note Both fixes ship with no MCP-server-side change. The companion v6.11.13 MCP release from yesterday already handles the WP_Error envelope on the inject path; no new MCP capabilities are required to consume v7.0.17.
• note Verified end-to-end on Studio (WP 6.9.4 + Beaver Builder Pro 2.10.2) against P.S.'s exact "Test Page 11" brief shape: a build_page payload with two rows, columns lacking explicit sizes, and heading + rich-text + button m

Divi 5 section / row / column background overlay now actually renders

• fix Divi 5 section / row / column background overlay now actually renders. Pre-7.0.16 the Divi 5 simplified-setting mapper wrote module.decoration.background.desktop.value.overlay.enabled = "on" (past participle), but Divi 5
• fix Base-class update_element now applies updates as a settings patch instead of an element-root shallow merge. The MCP tool description has always documented updates as "key-value pairs of settings to update on the matched
• fix Beaver Builder typed nodes with non-canonical child keys now flatten correctly. Respira_Builder_Beaver::normalize_nested_nodes only rewrote columns / cols / modules / elements to children for nodes without a type field.
• fix respira/v1/pages/{id} GET (get_page) no longer 404s on custom post types. The handler used to if ( ! $post || 'page' !== $post->post_type ) and respond 404. Now it only requires the post to exist; the response envelope (
• fix respira/v2/pages/{id} GET (get_page_v2) no longer 404s on custom post types. Same root cause, same fix. build_v2_post_envelope was already post-type-agnostic
• fix respira/v2/pages/{id} POST/PUT (update_page_v2) no longer rejects CPT writes. The endpoint passed a hard-coded 'page' as the third argument to resolve_mutation_target, which then rejected the post on $post->post_type !==

wordpress_extract_builder_content auto-detects the active builder when builder is omitted

• change wordpress_extract_builder_content auto-detects the active builder when builder is omitted. Pre-6.11.13 the schema marked builder as required (required: ['builder', 'page_id']) and the WP-side dispatcher then rejected wor
• change wordpress_inject_builder_content schema exposes confirm_replace. Matches the plugin v7.0.16 confirmation gate. When the page already has content and the caller asks for mode="replace" (or doesn't pass mode, since replace
• change wordpress_update_element schema exposes editTarget. Matches the plugin v7.0.16 element-ops change. editTarget=duplicate (the default) routes the write to the Respira duplicate of the post (auto-creates one if needed); ed
• fix Server self-identifies as the actual installed version instead of a stale literal. Pre-6.11.13 the MCP handshake, the instructions block, and the version-checker all read from RespiraWordPressServer.MCP_SERVER_VERSION =
• add wordpress_diagnose_connection now detects edge-layer write blocks. New probe issues OPTIONS /wp-json/respira/v1/ping alongside the existing GET probes; when GET returns 2xx but OPTIONS returns 4xx/5xx, the diagnostic sur

Connect Automatically now actually redirects to respira.press/wp-auth

• fix Connect Automatically now actually redirects to respira.press/wp-auth. handle_license_form_submission() was only called from the page-render callbacks (display_dashboard_page / display_setup_page / display_license_page).
• fix Legacy hidden admin pages no longer trip strpos(null, …) deprecation warnings on PHP 8.1+. The add_submenu_page( null, '', '', …, $legacy_slug, '__return_null' ) calls registered the hidden pages with a literal null pare
• fix respira_install_plugin no longer fatals with Call to undefined function plugins_api(). class-respira-plugin-manager.php required wp-admin/includes/class-wp-upgrader.php + class-wp-ajax-upgrader-skin.php before instantiat
• fix MCP-side wordpress_delete_page returns the WP response body and auto-sends confirm_live_edit=true. WordPressClient.deletePage was typed Promise<void> and await this.client.delete(...) discarded the response. So when the

wordpress_delete_page returns the WordPress response body and auto-sends confirm_live_edit=true

• fix wordpress_delete_page returns the WordPress response body and auto-sends confirm_live_edit=true. WordPressClient.deletePage was typed Promise<void> and await this.client.delete(...) discarded the response. So when the WP

PHP 7.4 activation no longer fatals on the add-on SDK

• critical PHP 7.4 activation no longer fatals on the add-on SDK. Replaced PHP 8.0+ constructor property promotion in ToolDescriptor, RequestContext, ToolResponse, and ToolError with explicit PHP 7.4-compatible typed property decla
• critical PHP 7.4 no longer fatals on the bundled WebMCP REST API. Respira\WebMCP\REST_API::tools_permission_check(), execute_permission_check(), and execute_tool() declared bool|\WP_Error / \WP_REST_Response|\WP_Error union retur
• critical PHP 7.4 no longer fatals on the comment submission tool. Respira\WebMCP\Builtin_Tools::handle_create_comment() used a match expression (PHP 8.0+) to map comment_approved → status. Rewritten as if/elseif/else on the raw v
• critical PHP 7.4 no longer fatals on add-on tool execution. Addon_Loader::execute_tool() constructed RequestContext with PHP 8.0+ named arguments (addon_slug: …, tool_name: …, user_id: …). Converted to positional arguments matchi
• carried Box-rooted inject_builder_content now succeeds on Beaver Builder 2.x. Respira_Beaver_Validator::validate_module exempts root-capable BB layout primitives (box, fl-*, *-container, *-wrapper — same set is_root_capable_beav

Released on 2026-05-11 to deliver the Beaver Builder 2.x Box-first injection unblock

Oxygen inject path no longer fires admin_init from inside a REST request

• fix Oxygen inject path no longer fires admin_init from inside a REST request. The "last resort" branch in force_load_oxygen_cache_helpers (introduced in 7.0.0 to load Oxygen's cache helper outside admin context) called do_ac
• fix clear_oxygen_cache wrapped in try/catch \Throwable inside inject_content. Cache invalidation talks to Oxygen, WP Rocket, and any plugin listening on oxygen_after_save_components_meta. The DB write happens before this ste

"Delete all versions" confirmation modal no longer flies top-left

• fix "Delete all versions" confirmation modal no longer flies top-left. Reported by Mihai 2026-05-11 against the Respira → Changes admin page: clicking the "Delete all" button on a post card opened the confirmation modal posi

output_page_custom_css hook on wp_head priority 100

• rm output_page_custom_css hook on wp_head priority 100. Pre-7.0.10 this filter read _et_pb_custom_css (Divi per-page custom CSS) or _elementor_page_settings.custom_css from the current post and emitted a <style> tag at the

Oxygen validator accepts ct_id as a fallback for id

• fix Oxygen validator accepts ct_id as a fallback for id. Native Oxygen payloads carry ct_id (the runtime element ID Oxygen's shortcode renderer uses). Pre-7.0.9 the validator demanded a generic id and rejected payloads with
• fix Option-value semantic checks no longer block writes. Pre-7.0.9 the validator ran Respira_Oxygen_Settings_Validator::validate() (which checks color formats, enum allow-lists, numeric coercion, etc.) and lumped every miss
• add Validator errors travel inline in the WP_Error message + data.errors. The message now reads Content validation failed (3 rules, first: <rule>) instead of Content validation failed. The data envelope carries the full erro

GET /respira/v1/options/{name} no longer triggers a global cache reload

• fix GET /respira/v1/options/{name} no longer triggers a global cache reload. The pre-7.0.8 handler called wp_cache_delete( 'alloptions', 'options' ) before reading the option, forcing WordPress to rebuild the entire alloptio
• add Try/catch envelope on the read-option REST handler. Any future fatal inside Respira_API::get_option now returns a structured respira_option_read_failed WP_Error with the error class, message, file, and line — instead of
• add Per-section try/catch on Respira_Diagnostic::get_report. The diagnostic endpoint surfaced as 500-with-no-detail whenever any helper (security/cache/CDN probes, rewrite audit, authorization audit, recent debug log read) f
• add Structured failure flag on key backfill. Pre-7.0.8 a backfill failure stamped respira_keys_backfilled_v704 = failed:<timestamp> with zero context. v7.0.8 additionally writes respira_keys_backfilled_v704_last_error with {

Oxygen Classic empty-render on fresh installs

• fix Oxygen Classic empty-render on fresh installs. resolve_oxygen_meta_key() checked only the oxy_meta_keys_prefixed / oxy_migrated_to_prefixed_meta options to decide between ct_builder_json and _ct_builder_json. On a fresh
• fix Oxygen 6 reported the wrong version + the wrong documentation. get_version() returned the bundled CT_VERSION (4.9.7) instead of the Oxygen 6 plugin header version (6.1.0-beta.1), because Soflyy's Oxygen 6 (BREAKDANCE_MOD
• fix Postmeta detection no longer false-positives Oxygen on Breakdance sites. is_oxygen_6() and detect_with_reason() fell through to has_oxygen6_postmeta() (any post with _oxygen_data → Oxygen) even when no Oxygen plugin slug
• fix Breakdance catalog jumped from 68 to 158 elements. scan_module_catalog() walked only plugin/elements (the 56 wrappers) and subplugins/breakdance-design-system/components (absent on 2.7.x). It never opened subplugins/brea
• fix Render-validation gate no longer false-positives on draft posts. check_render() HEAD-fetched get_preview_post_link(), which carries a nonce keyed to the authoring user. Anonymous HEAD from the validator's HTTP context re
• add Oxygen Classic variables CRUD. list_variables(color) reads oxygen_vsb_global_colors and projects each entry onto the universal { id, type, name, value, meta } shape. list_variables(breakpoints) projects ct_global_setting

Zero-touch Cowork onboarding (Open in Cowork)

• change .mcp.json sets RESPIRA_BOOTSTRAP_OK=1 so the npx server boots even without a config file present.
• change Existing RESPIRA_CONFIG_FILE, RESPIRA_AGENT_CLIENT, RESPIRA_AGENT_TRANSPORT env vars unchanged.
• change Version label bumped in plugin.json and README.md.
• change Server companion: [@respira/wordpress-mcp-server@6.11.6](https://github.com/webmyc/respira-wordpress/blob/main/mcp-server/CHANGELOG.md#6116---2026-05-11)
• change Zero-touch design doc: drafted 2026-05-10, shipping Family 3b

unified ~/.respira/config.json flow + connect-site rewrite

• change The skill-documented config shape ({url, apiKey}) crashed the MCP server silently on startup because the server required four fields (id, name, url, apiKey). User saw "MCP server still connecting…" forever.
• change The Cowork form echoed pasted API keys into the chat transcript, contradicting the skill's own privacy promise.
• change .mcp.json points RESPIRA_CONFIG_FILE at ~/.respira/config.json.
• change npm dependency pinned to @respira/wordpress-mcp-server@latest so the server schema fix lands immediately.
• change /respira:connect-site skill rewritten: check for ~/.respira/config.json, point user at the dashboard to download it if missing, restart Cowork, test. Includes a "if startup fails" branch that reads ~/.respira/last-startu
• change README.md and INSTALL.md updated to describe the unified flow.

audience-first README rewrite

• change Edit a page without opening WP admin ("Update the headline on my client's homepage to say 'spring collection arriving'", about thirty seconds end to end)
• change Migrate a client site between page builders (sixteen supported paths, week of work into an afternoon)
• change Audit a site before a client meeting (SEO, AI search visibility, accessibility, mobile, technical debt, WooCommerce, with one-click fixes)
• change Clean up a media library in one pass (alt text, compression, dimensions)
• change Manage ten client sites from one conversation (multi-site context follows the conversation naturally)
• change No code changes.

README accuracy pass: 30 skills

• change 8 slash commands for the most common workflows
• change 30 auto activating skills, broken down as:
• change 1 visual reviewer sub agent that shows what changed after every edit
• change Full access to all 180+ Respira MCP tools through the bundled @respira/wordpress-mcp-server
• change All 12 supported page builders: Elementor, Divi 4, Divi 5, Bricks, Oxygen, Breakdance, Beaver Builder, WPBakery, Flatsome UX Builder, Brizy, Thrive Architect, Gutenberg
• change Restructured "What you get" with the correct skill count.

README hero KV + signup copy accuracy

• change Add the canonical Respira-for-Cowork hero image to the top of the README.
• change Drop the "free Lite tier available" line (Lite is not shipped yet).
• change Restate the trial as Maker, 7 days, no credit card required.
• change Show current version and respira.press/cowork link in the README header.
• change Bump plugin.json to 1.0.7.
• change v1.0.6: bundle 26 skills from agent-skills-wordpress, revert to name=respira (slug validation enforces lowercase).

Self-updater fatal on every WP cron tick. class-updater.php:104 called \Respira_License::get_license_key() which has never existed on the core License class — every site that activated the add-on threw Uncaught Error: Call to undefined meth

• fix Self-updater fatal on every WP cron tick. class-updater.php:104 called \Respira_License::get_license_key() which has never existed on the core License class — every site that activated the add-on threw Uncaught Error: Call to undefined meth

drop keytar, fix whoami after login, unstick terminal, warm welcome

• 3. [@respira/cli 0.1.3](https://www.npmjs.com/package/@respira/cli)
• 3. [@respira/sdk 0.1.3](https://www.npmjs.com/package/@respira/sdk)
• 3. [@respira/cli-core 0.1.3](https://www.npmjs.com/package/@respira/cli-core)

fix 307 redirect breaking respira auth login

• change [@respira/cli 0.1.2](https://www.npmjs.com/package/@respira/cli)
• change [@respira/sdk 0.1.2](https://www.npmjs.com/package/@respira/sdk)
• change [@respira/cli-core 0.1.2](https://www.npmjs.com/package/@respira/cli-core)

per-package READMEs on npm

• change [@respira/cli](https://www.npmjs.com/package/@respira/cli) — 9.4 kB README: marketing-forward, WP-CLI comparison, architecture summary, quick start, 34-command reference, AI agent integration, pricing.
• change [@respira/sdk](https://www.npmjs.com/package/@respira/sdk) — 5.7 kB README: developer-focused, createRespiraClient usage, anonymous mode, seven namespaces, builder-native examples, error taxonomy.
• change [@respira/cli-core](https://www.npmjs.com/package/@respira/cli-core) — 6.3 kB README: advanced/builder-facing, documents every frozen v0.1 export (ExecutionCycle, FrameworkHook, ToolChainFunction, TraceEmitter, CycleErro

Foundation release

• change Six-phase execution cycle: LoadContext -> PreHooks -> Resolve -> Execute -> PostHooks -> Return. Deterministic. Traceable. Every command runs through every phase
• change Five framework hook contracts, frozen for v0.1: before_resolve, filter_plan, before_execute, filter_result, after_execute. In v0.1 no callbacks register. v0.2 populates them. NullHookRegistry swaps for ManifestBackedHook
• change Typed ToolChainFunction<T> abstraction for all 34 commands. Each function declares capability (read | write | destructive), domain tags, and prerequisites
• change File-organization convention: one BaseCommand subclass per file, one ToolChainFunction per file, always co-located. Named export <camelCasePath>Function
• change Structured JSON tracing via --verbose, written to ~/.respira/traces/{invocationId}.json. Hard cap 10,000 entries per invocation
• change [@respira/cli 0.1.0](https://www.npmjs.com/package/@respira/cli)

Thrive Architect product pages — description edits didn't appear on the frontend — bulk_update_products with description / short_description wrote to post_content via WooCommerce setters, but Thrive Architect renders from its own wp_postmet

• fix Thrive Architect product pages — description edits didn't appear on the frontend — bulk_update_products with description / short_description wrote to post_content via WooCommerce setters, but Thrive Architect renders from its own wp_postmet

Product category CRUD endpoints and MCP tools (list/get/create/update/delete).

• add Product category CRUD endpoints and MCP tools (list/get/create/update/delete).
• add Product tag CRUD endpoints and MCP tools (list/get/create/update/delete).
• change Product create/update now supports category and tag assignment payloads for safer taxonomy-aware catalog workflows.

Release pipeline reliability: ensures fresh tag/release creation behavior.

• change Release pipeline reliability: ensures fresh tag/release creation behavior.
• change Security hardening parity with experimental-feature gating patterns in core plugin.

Initial WooCommerce add-on release.

• change Initial WooCommerce add-on release.