Every release,
every story.

Runtime Abilities API collision guard, in the plugin's own source

• fix Runtime Abilities API collision guard, in the plugin's own source. 7.4.6's per-class guard is injected into the bundled wordpress/abilities-api by a Composer post-install script, which a from-source composer install --no
• fix Oxygen Classic page JSON now matches an editor-saved page exactly. build_page wrote the canonical _ct_builder_json tree with a bare id root and no per-node depth / ct_depth; a natively saved Oxygen 4.9.x page uses ct_id

No more Cannot declare class WP_Ability_Category site-down on Bedrock/Kinsta (WP 6.9+/7.0)

• fix No more Cannot declare class WP_Ability_Category site-down on Bedrock/Kinsta (WP 6.9+/7.0). On Bedrock layouts ABSPATH has no trailing slash, so the 7.4.2 collision guard's ABSPATH . WPINC join produced a malformed path,
• fix One-click "Connect to respira.press" no longer dead-ends on "you are not allowed to access this page." The OAuth round-trip returned the browser to a hidden admin alias that WordPress de-registers, so the final redirect
• fix In-place Divi 5 edits no longer collapse settings-shaped multi-element content. validate_render_critical_attrs is now settings-aware, so the validated inject path (used when an agent rebuilds an existing page) accepts th

Patch. Divi 5 page generation now produces native, editable, rendering modules from the looser content shapes agents actually send. Before, a homepage request often came back as

• fix FIX: Divi 5 builds collapsed to plain text / a raw code block instead of native editable sections and modules. A new normalization pass lifts loose content synonyms (heading text, button text + url, paragraph content, ne
• fix FIX: native Divi 5 modules could render as empty containers. The normalized content is now written to the settings bucket (which the complexifier expands into the title.innerContent.desktop.value / content.innerContent.d
• fix FIX: a build whose attributes.content was a scalar string (e.g. divi/text) could fatal in the Divi 5 attribute-group deep-merge. The merge now runs only when the existing group is itself an array.

Patch. Oxygen 6 native page building. The agent now writes real, editable Oxygen 6 elements (sections, headings, text, buttons, images) instead of falling back to a single HTML

• fix FIX: Oxygen 6 page generation collapsed to a single HTML code block instead of native, editable sections and modules. Respira's build path emitted Breakdance EssentialElements\* element classes, which a pure Oxygen 6 sit
• fix FIX: update_element and extract/inject round-trips on Oxygen 6 could report success while persisting nothing — the edit landed in an attribute bucket the rebuild ignored. The Oxygen 6 build path now reads content from th

SmartCrawl Pro (WPMU DEV) SEO support

• add SmartCrawl Pro (WPMU DEV) SEO support. Respira now detects SmartCrawl and writes and reads its native _wds_* post and term meta — title, meta description, focus keyword, canonical, and the split index/follow robots flags
• fix Elementor v4 atomic styles applied through an explicit styles:{} block were generated but never worn by the element. The flat-CSS write path already linked the minted style id into the element's class list; the styles-bl
• fix Elementor global colours: the kit's system colours (primary, secondary, text, accent) could not be changed. update_elementor_global_colors only ever wrote custom_colors, so passing a system _id appended a duplicate custo
• fix Divi 5: a blurb's image was written to a group the renderer ignores, so it never appeared. Divi 5 reads the blurb image from imageIcon.innerContent.desktop.value.src and shows it only when useIcon is off; Respira wrote s
• fix Divi 5: the bar counter targeted a module slug Divi 5 does not register. The number/percent → barProgress routing was keyed on divi/bar-counter / divi/bar-counters-item, which do not exist, so a counter rendered at 0%. I
• fix Divi 5: an image's click-through link did not apply. image_url on divi/image wrote to …value.url, but Divi 5 reads the link from …value.linkUrl. It now writes linkUrl

Site-down fatal on WordPress 6.9+ ("Cannot declare class WP_Ability_Category")

• fix Site-down fatal on WordPress 6.9+ ("Cannot declare class WP_Ability_Category"). The bundled wordpress/abilities-api polyfill loaded through Composer's files-autoload the moment the plugin required vendor/autoload.php, wh

Security validator false positive

• fix Security validator false positive. The inline-event-handler pattern (/on\w+\s*=/i) matched onXXX= anywhere in content — including inside shortcode attribute values like button_text="Start minikursus for 222 kr.". The pat
• fix Playbooks not appearing in the ChatGPT tool list. get_ability_ids_for_adapter() called Respira_Playbooks::get_registered_ability_ids(), which reads from a static array populated during wp_abilities_api_init. That action
• fix Divi 5.7 Visual Builder opens blank after Respira writes. Divi 5.7 changed its VB initialisation to read content from the WordPress autosave revision ({post_id}-autosave-v1) rather than the _et_pb_page_content meta. Page
• fix Duplicated Divi 5.7 page appears empty in Visual Builder. Same root cause: newly duplicated pages have no autosave revision. Respira now seeds the revision at duplication time so the VB opens with the correct content
• fix Divi code module becomes inaccessible after a CSS or HTML update. The same autosave-revision gap applied to targeted element updates: updating a code module's content wrote the new post_content but left the autosave revi
• fix Divi 5 column widths collapse to 0px on a 3-column row. When an asymmetric flex column structure (e.g. 60/20/20) was distributed across 3 or more columns, the fractional percentages were computed correctly but the third

respira_redeem_token returned an empty response in non-Cowork agents

• fix respira_redeem_token returned an empty response in non-Cowork agents (e.g. Antigravity). The redeem path bypasses the normal tool-call wrapper and returned a plain object; non-Claude clients that expect the standard {con
• fix Cowork token redemption now surfaces a RESPIRA_CONFIG_B64 update hint. When the MCP server is configured via the RESPIRA_CONFIG_B64 environment variable (common in managed hosting setups), redeeming a new Cowork token wr
• add post_parent schema exposed on update_page, create_post, update_post, and build_page tools. The plugin has always forwarded post_parent to WordPress, but the MCP schema didn't declare the parameter, so agents couldn't set

Divi 5 builds with rich native modules by default

• add Divi 5 builds with rich native modules by default. The agent now advertises divi/heading, divi/text, divi/image, divi/button, and divi/blurb alongside the structural blocks. Before this, the only content block offered by
• add Dropped Divi 5 styling now fails loudly. When a style attribute is not supported on a Divi 5 module, the write still saves the content but now returns a clear dropped_settings summary naming exactly which styles did not
• change Connecting an AI assistant moved to the respira.press dashboard. The plugin's connect screen is now a status band plus one button that opens the dashboard MCP page with this site preselected (you land signed in). Pick yo

inject_builder_content now accepts target_path to add modules to an existing column

• add inject_builder_content now accepts target_path to add modules to an existing column. Pass the path of the target container (e.g. target_path: "sections[0].rows[0].columns[0]") along with content containing the new module
• fix Playbooks now appear in the streamable MCP tools/list. get_ability_ids_for_adapter() never read from the WP Abilities registry, so respira-playbooks/* IDs (registered dynamically at boot) were invisible to ChatGPT and Cl
• fix inject_builder_content now accepts target_path to add modules to an existing column. Pass the path of the target container (e.g. target_path: "sections[0].rows[0].columns[0]") along with content containing the new module
• fix Divi 5 column nodes now appear as columns[n] in path strings instead of modules[n]. build_path_string() previously used modules[n] for every node at depth 2 or deeper, making columns and leaf modules indistinguishable. A
• fix WebMCP input size limit raised from 100 KB to 10 MB. The wmcp_max_input_size default was set in 2023 before Divi 5 adoption. Pages with > ~50 KB of builder content failed silently with Tool execution failed. Raised to 10
• fix Elementor Pro Global Widgets no longer cause a PHP 500 after any page edit. simplify_structure() only preserved id/elType/settings/elements/widgetType/isInner, so the top-level templateID property on Global Widget elemen

Divi 5 build guidance points the agent at the rich native modules

• change Divi 5 build guidance points the agent at the rich native modules. The server's Divi 5 blurb now says heading, text, image, button, and blurb are advertised by default and safe to build with, and to prefer them over divi
• change No more per-inject Divi 4 vs Divi 5 round-trip. The editing contract now tells the agent to auto-detect the version from the page (respira_get_builder_info / respira_read_page, with the plugin already flipping into Divi
• add Dropped-styling warnings are hoisted to the top of build results. When a Divi 5 (or any builder) write drops style settings the builder does not recognise, wordpress_inject_builder_content, wordpress_build_page, and word

The plugin details screen no longer reports "Compatible up to: 6.7"

• fix The plugin details screen no longer reports "Compatible up to: 6.7". The update checker hardcoded a stale tested-up-to value, so WordPress 7.0 sites saw a "This plugin has not been tested with your current version of Wor
• improved Print / Save PDF on the activity report prints the report, not the admin screen. The button called window.print() on the live wp-admin page, so the PDF captured the whole admin chrome (the dark sidebar) and had no report

OAuth discovery now rides the REST API instead of /.well-known/

• fix OAuth discovery now rides the REST API instead of /.well-known/. Connecting Claude Desktop by URL runs an OAuth handshake that starts by fetching a small discovery document. That document was only served at /.well-known/

Playbook runs are bracketed in one snapshot session

• add Playbook runs are bracketed in one snapshot session. Every write a playbook step makes already captured a before + after snapshot; those snapshots now all join one session for the run, and the playbook result returns rec

Playbook steps accept the hyphenated tool names MCP clients emit

• fix Playbook steps accept the hyphenated tool names MCP clients emit. A step naming a tool in the client form (e.g. respira_wordpress-create-page-duplicate, as ChatGPT exposes it) was rejected as "not in the playbook executi
• fix Element-level tools reach their v2 routes from a playbook. The executor dispatched every step to the v1 REST namespace, but find_element, update_element, and the snapshot tools register only on v2, so those steps failed
• fix update_element routes to the element-update endpoint, not update_module. The allowlist mapped respira_update_element to the update_module path (a whole-tree round trip that is lossy on Divi 4) and required a spurious bui

Element and widget tools no longer reject a valid post_id on the native MCP / WebMCP path

• fix Element and widget tools no longer reject a valid post_id on the native MCP / WebMCP path. The WebMCP argument normalizer treated a self-referential argument map (post_id -> post_id) as a rename and deleted post_id befor

Cascade rollback (session-level recovery)

• add Cascade rollback (session-level recovery). Destructive structure operations that previously captured nothing — deleting an ACF field group, a custom post type, a taxonomy, or changing/deleting an option — now capture a r
• add Editable ACF field groups from the no-code path. Field groups the agent creates now persist as real, wp-admin-editable acf-field-group posts instead of read-only PHP-registered groups, so a no-coder can adjust what the a
• add ACF field-quality guidance. The create-field-group path now steers the agent to the right field type (taxonomy / relationship / post_object / url / image) instead of defaulting everything to text, to set return_format on
• change Media sideload by default for add_image. A remote image URL is now downloaded into the Media Library and the widget points at the local copy instead of hotlinking a third-party URL that can rot or hotlink-block. Re-addin
• change Reversibility wording matched to behavior. In-product and agent-facing copy now states that snapshot + rollback covers every page/post edit and every destructive structure change, with whole-session cascade rollback, rat

Plugin version telemetry on activate and license check

• add Plugin version telemetry on activate and license check. The plugin now includes its version in the activation payload and the periodic license validation request. Both are guarded, so an older build that does not define

report_issue over the site-URL MCP endpoint

• add report_issue over the site-URL MCP endpoint. OAuth and dashboard-token clients (ChatGPT, Claude Desktop, claude.ai) can now file a structured bug report from inside the chat. It validates title/brief/steps, attaches the
• add list_playbooks and create_playbook over the site-URL MCP endpoint. The playbook management verbs were registered only as REST routes, never as MCP abilities, so the native endpoint never surfaced them (the npm server cal
• fix A full-page Divi write could fail security_validation_failed on its own legitimate markup. The trusted-builder-shortcode check stripped opening tags and leaf modules but left orphan closing tags ([/et_pb_column] ...) on
• fix The documented id module identifier silently returned module_not_found on Divi. update_module accepts module_identifier.id (the Divi module_id, e.g. "ole") and the API mapped it, but the Divi resolver had no case for it,
• fix Divi section paths accept a bare or slash-prefixed index. path: "6" and path: "/6" now target the seventh top-level section (equivalent to sections[6]), alongside the existing sections[6] and dotted-index forms

update_module on Elementor returned a bare "module not found" (HTTP 500) for a widget id that find_element had just resolved

• fix update_module on Elementor returned a bare "module not found" (HTTP 500) for a widget id that find_element had just resolved. On template-heavy sites the hero/H1 is often rendered into the page from a global widget or a

v2 tools over the native MCP endpoint returned "Missing required v2 scope: read_basic"

• fix v2 tools over the native MCP endpoint returned "Missing required v2 scope: read_basic". Tools that dispatch through the WebMCP route-callback bridge (every *-v2 read/write tool: read-page-v2, read-post-v2, etc.) ran the

Cascade rollback tools

• add Cascade rollback tools. wordpress_restore_session undoes a whole session of changes in one call, restoring every distinct object a destructive multi-step task touched (pages, ACF field groups, post types, taxonomies, opt
• change ACF field-group tool guidance. wordpress_create_acf_field_group now steers the agent to pick the right field type (taxonomy / relationship / post_object / url / image) rather than defaulting to text, to set return_format
• change Reversibility wording matched to behavior in the server instructions and snapshot tool descriptions: rollback covers every page/post edit and every destructive structure change, with whole-session cascade rollback

update_module reported success but wrote nothing when an Elementor widget edit was sent under the builder-native settings bucket

• fix update_module reported success but wrote nothing when an Elementor widget edit was sent under the builder-native settings bucket. Elementor stores widget attributes under settings (what get_attributes_key() returns and w

Playbook steps referencing a tool by its wordpress_* alias were still rejected as unknown

• fix Playbook steps referencing a tool by its wordpress_* alias were still rejected as unknown. 7.2.1 added six element/builder tools to the playbook executor allowlist, but the allowlist is keyed only by the respira_* canoni

Elementor v4 atomic widget writes (e.g. e-heading) could false-fail with respira_elementor_meta_write_unverified even though the write succe

• fix Elementor v4 atomic widget writes (e.g. e-heading) could false-fail with respira_elementor_meta_write_unverified even though the write succeeded. After writing _elementor_data, verify_elementor_meta_write() re-reads the

New Gutenberg blocks injected with mode:append could be invisible in the block editor even though they were saved

• fix New Gutenberg blocks injected with mode:append could be invisible in the block editor even though they were saved. complexify_blocks() used an agent-supplied simplified content field verbatim as a block's innerHTML, so a

get_site_context failed strict output validation over the native /mcp (OAuth) connector on any site with a page builder

• fix get_site_context failed strict output validation over the native /mcp (OAuth) connector on any site with a page builder. The ability's declared output_schema said page_builder was a plain string, but the handler returns
• fix update_plugin could leave a private plugin deactivated. Core's Plugin_Upgrader::upgrade() deactivates a plugin during the file swap and only reactivates it on success, so an update that fails or no-ops (e.g. a private pl

Divi 4 modules with a bracketed attribute value could be truncated on edit

• fix Divi 4 modules with a bracketed attribute value could be truncated on edit. When a module carried an attribute whose value contains a ] inside quotes (the common case is a global color, which Divi serializes as global_co
• fix batch_update on Elementor wrote to the wrong attribute bucket. batch_update hardcoded 'attrs' as the key it patched, but Elementor stores element attributes under 'settings'. Batched edits on Elementor therefore wrote in
• fix Six element and builder primitives were unreachable from playbooks. respira_create_page_duplicate, respira_create_post_duplicate, respira_extract_builder_content, respira_get_page_outline, respira_get_builder_inline_sche
• fix Claude Desktop / claude.ai rejected the whole tool list when an inhaled ability had a union-typed input schema. The native /mcp endpoint passed each ability's inputSchema through unchanged. Some inhaled third-party abili

Connect by browser sign-in (OAuth 2.0)

• add Connect by browser sign-in (OAuth 2.0). Claude Desktop, claude.ai, Claude Code, ChatGPT (Developer Mode), Cursor, and Codex can now add your site as a custom connector by URL. The app discovers respira.press as the autho
• add The native /mcp endpoint now advertises OAuth discovery per the MCP 2025-06-18 authorization spec: it serves /.well-known/oauth-protected-resource (RFC 9728) and its 401 carries a WWW-Authenticate: Bearer resource_metada
• add New "Connect by browser sign-in" panel on the Setup screen, showing your site's MCP URL and step-by-step instructions, with a copy-paste starter prompt. A new **Connected apps** page in the respira.press dashboard lists
• sec OAuth access tokens are bound to a single site (RFC 8707) and validated by introspection at respira.press: a token issued for one site is rejected on every other site. Tokens are short-lived, refresh on rotation with reu

Cowork token redemption could hang instead of failing with a clear error

• fix Cowork token redemption could hang instead of failing with a clear error. The respira_redeem_token fetch to respira.press was the only network call in the package without a timeout. On a slow network, a corporate proxy,

--doctor no longer hangs

• fix --doctor no longer hangs. The health-check command is implemented, shown in --help, and recommended in error messages, but it was missing from the CLI dispatch in index.ts — so running npx @respira/wordpress-mcp-server -

Tool calls no longer get stuck on https://example.com

• fix Tool calls no longer get stuck on https://example.com. If the connector was ever started without a configuration, it wrote a placeholder file to ~/.respira/config.json pointing at example.com, and that placeholder then w
• fix The connector now accepts the credential names people actually reach for. Alongside WORDPRESS_URL / WORDPRESS_API_KEY, it now also reads RESPIRA_URL / RESPIRA_API_KEY and the --wordpress-url / --api-key command-line flag

Claude Desktop connector no longer crashes on connect

• fix Claude Desktop connector no longer crashes on connect. The 7.1.0 bundle added a TLS bootstrap that relaunched the connector in a second Node process (to pass --use-system-ca). That re-exec works in a plain shell but brea

The connector now fails loud instead of stalling silently on startup

• fix The connector now fails loud instead of stalling silently on startup. An older installed build handed a newer dashboard setup code used to start, accept the connect handshake, then hang until Claude Desktop killed it abo

Nested Gutenberg blocks were dropped when updating or appending

• fix Nested Gutenberg blocks were dropped when updating or appending. A group, columns/column, or any container block round-tripped through the block simplifier came back as an empty wrapper, silently discarding every nested
• fix delete_plugin (and activate/deactivate/update) failed on plugin slugs containing dots. A mispackaged inactive plugin with a directory like three-dh-shopkit-0.5.58 returned rest_no_route because the plugin REST routes onl

path identifier returned "element not found" on every builder

• fix path identifier returned "element not found" on every builder. find_builder_targets emits a positional path like /0/0/0, but the shared tree resolver returned false for path matches and never walked to the node, so batch
• fix Array-wrapped SEO meta corrupted the Rank Math / Yoast editor. When an agent sent a scalar SEO field (e.g. rank_math_title) wrapped as an array, it was stored as an array, which crashed the SEO editor in wp-admin (Rank M

Approval token rejected when retrying a slow destructive tool

• fix Approval token rejected when retrying a slow destructive tool. The one-time approval token issued for tools like update_plugin was consumed on first validation. When the underlying operation ran long (a plugin download +

Screen Options pushed the admin layout

• fix Screen Options pushed the admin layout. WordPress's Screen Options tab forced the v7.1 React admin header down and crowded the sidebar rail, which hid the light/dark theme toggle. The tab is now hidden on Respira admin s
• fix MCP setup connection failed on 7.x. MCP clients up to v6.19.11 (the latest published) verify the connection against GET /wp-json/respira/v2/health. That probe had moved to /v2/status and /v2/health was no longer register

Claude Desktop connector now trusts your system certificate store

• fix Claude Desktop connector now trusts your system certificate store. The .mcpb wrapper relaunches with Node's --use-system-ca flag when the bundled Node supports it, and the MCP server also merges OS roots into its per-sit
• fix TLS trust loading is additive only. Respira keeps Node's built-in roots, adds OS roots, then adds a bundled Mozilla fallback CA file when no custom CA is configured. Certificate verification remains on. Working setups sh
• fix Better certificate failure guidance. If certificate verification still fails, the error now explains that the connector already trusts the system store and points to the explicit per-site "insecureTLS": true override in
• add .mcpb TLS settings. Claude Desktop extension settings now expose Skip TLS verification as a last-resort opt-out and Custom CA bundle path for private CA or corporate proxy roots

A customer on a LiteSpeed/cPanel site with a perfectly valid certificate (SSL Labs A, full chain) kept getting an SSL/TLS error and spent days checking a cert that was never the

• fix The UNABLE_TO_VERIFY_LEAF_SIGNATURE / SELF_SIGNED_CERT_IN_CHAIN connection hint now says the certificate could not be verified on this machine (and the site cert is probably fine), and points at local antivirus HTTPS sca
• add A real TLS escape hatch that takes effect: per-site insecureTLS: true in ~/.respira/config.json, or RESPIRA_TLS_INSECURE=1 per process. Sets rejectUnauthorized: false on the client's own HTTPS agent (so it works even whe

Setup wizard points to the one-command AI-tool

• change printNextSteps now leads with npx add-mcp "npx -y @respira/wordpress-mcp-server", which auto-detects the AI tool (Cursor, Claude Code, Windsurf, Codex, and more) and writes its config while preserving other MCP servers.

Clearer first-run setup

• change --setup prerequisites now lead with "a free respira.press account" and explain the plugin download and license key both live in the dashboard.
• change The "not ready" exit message and the in-prompt API-key hint point to signing in at respira.press and downloading from the dashboard, instead of /releases.
• change --help Links: plugin location updated to the dashboard download.

routing_notice on write responses (default on)

• add routing_notice on write responses (default on). When a write tool runs against the default site because the caller omitted site_id AND more than one site is connected, the response envelope now carries a one-line routing
• add RESPIRA_REQUIRE_SITE_ID strict-scoping flag (opt-in, default off). When set (1/true/yes/on) on a multi-site configuration, a write tool called without an explicit site_id is refused with respira_site_id_required instead
• note This is NOT a fix for a broken site_id wiring. Per-call site_id has been honoured by every write tool (including inject_builder_content) since v6.12.0 — they all resolve through the same resolveClient(args) path, and an

Skills library Download action now points at the right GitHub org

• fix Skills library Download action now points at the right GitHub org. Companion fix to v7.0.57: the catalog URL was corrected when the agent-skills-wordpress repo transferred webmyc → respira-press, but the per-skill Respir
• note Bundled with companion mcp-server v6.19.7 which fixes the respira_duplicate_element schema. Pre-fix, the MCP tool exposed a single element_id arg, but the plugin route /builder/elements/duplicate/{id} has always required

write_was_noop detector is now builder-aware

• fix write_was_noop detector is now builder-aware. Pre-fix the v7.0.61 byte-conservation check snapshotted post_content before and after the write. Four of the seven adapters (Elementor, Bricks, Beaver, Oxygen, Breakdance, Br
• fix Elementor update_element repeater controls can now shrink. Pre-fix, update_element merged the wrap-target attrs via array_replace_recursive. For repeater controls (icon_list, gallery, tabs, social_icons) that's index-bas
• fix Elementor _elementor_data decode survives stray invalid UTF-8 bytes. Pre-fix, payloads containing a single bad byte (lone surrogate, mid-codepoint splice from copy-paste) tripped json_decode → JSON_ERROR_UTF8 and fell ba
• fix build_page on Elementor preserves declared children + canonicalises widget shorthand. Pre-fix, complexify_structure only walked $item['elements'] for children — payloads using the cross-builder children key (the document
• fix read_theme_file extension parse is now locale-independent. Pre-fix, pathinfo($relative, PATHINFO_EXTENSION) returned ?y? for vds/css/custom.css and empty-string for vds/style.css on at least one VMG-Agency host with an e
• fix MCP per-page builder auto-detect now reads active_builder.name. Pre-fix, the fallback resolver in extractBuilderContent / getPageOutline / getBuilderInlineSchemas read info?.name from /context/builder-info. The endpoint

Preserve the structured WP_Error envelope across the wire

• fix Preserve the structured WP_Error envelope across the wire. wordpress-client.ts constructed an Error(API error (status): message) and mapped data.code to error.name, but every other field from the plugin's WP_Error data b

delete_media schema exposes approval_token + force

• add delete_media schema exposes approval_token + force. The destructive gate landed on the WP side in v7.1.0-beta.1 but the MCP schema didn't expose the params, so agents couldn't complete the two-step approval round-trip. N
• fix B3 / N20: inject_builder_content Divi detector misclassified wrapped extracts. detectDiviContentFormat now unwraps the {content: [...]} round-trip shape via the shared helper before walking. Pre-fix, wrapped extracts ret

respira_duplicate_element schema now matches the plugin route contract

• fix respira_duplicate_element schema now matches the plugin route contract. Pre-fix, the tool exposed a single element_id arg, but the plugin route /builder/elements/duplicate/{id} has always required identifier_type + ident

Per-page builder auto-detect now reads active_builder.name

• fix Per-page builder auto-detect now reads active_builder.name. The fallback resolver in extractBuilderContent, getPageOutline, and getBuilderInlineSchemas read info?.name when builder was omitted, but /context/builder-info
• note The companion plugin v7.0.64 bundles five plugin-side fixes; the most important is making write_was_noop builder-aware so Elementor / Oxygen / Bricks / Beaver writes stop tripping the noop signal on every successful call

beforeSend filter requires at least one Respira stack frame

• fix beforeSend filter requires at least one Respira stack frame. The existing filter only matched third-party errors with at least one stack frame under /wp-content/plugins/. Errors from /wp-content/mu-plugins/ (GoDaddy gd-s
• fix Bulk-resolved the 17 pre-existing noise issues in Sentry so the dashboard reflects only actionable errors going forward. Confirmed pattern across all 17: WordPress core wp.media, mediaelement, jQuery UI accordion, GoDadd
• note Going forward, the actionable Sentry queue should stay near zero except when a real Respira-side error fires. If the new filter is too strict and drops a real Respira bug, the symptom will be "user reports issue but Sent
• note This is plugin-side (admin JS); server-side PHP exception capture via \Sentry\init() upstream is unchanged.

Tree_Utility::reorder() accepts new_order as element IDs, not just integer positions

• fix Tree_Utility::reorder() accepts new_order as element IDs, not just integer positions. Pre-fix the method expected [2, 0, 1] integer positions in the container's current children array. Every MCP caller naturally passes e
• note This is the third v7.0.59 aftermath ship (move_element 400 in 7.0.60, reorder_elements TypeError in 7.0.60, reorder_elements wrong-shape in 7.0.62). Same reporter found all three. The v7.0.59 11-bug bundle release exerci
• note Verified the new path against synthetic shapes covering: integer-position legacy callers, MCP id-shape callers, mixed-case where one id is unknown (must reject the whole reorder, not partial), and root-level container re

update_element response now carries write_diag + write_was_noop warning

• add update_element response now carries write_diag + write_was_noop warning. Byte-conservation detector: snapshots post_content length pre-write, compares post-write (cache-bust + re-read), surfaces a write_was_noop boolean
• improved delete_page / delete_post respira_not_duplicate error message now names the existing duplicate id and tells the agent which call to make next. Pre-fix: "Only Respira duplicates can be deleted." Post-fix: "Cannot delete t
• improved get_option respira_option_not_found now returns fuzzy-name suggestions. Up to 5 closest matches from the site's actual options table, ranked by Levenshtein distance against the requested name. Tool at 64% success on 193
• note Verified all three changes lint clean and preserve back-compat. write_was_noop is purely additive (response shape gains two new top-level keys plus a conditional warning + warning_hint pair). Existing clients ignore unkn
• note The update_element noop guard works across every builder adapter because it operates on post_content bytes after the adapter has run, not on the adapter's internal tree shape. Catches the bug class even when a specific a
• note Next in this MCP-quality batch (queued for v7.0.62): read_post suggest-next-tool on respira_post_not_found, apply_builder_patch concrete-example error envelope, update_module p95 latency profiling (currently 21.4s p95 on

move_element HTTP 400 "Missing parameter(s): element_id_type, element_id_value"

• fix move_element HTTP 400 "Missing parameter(s): element_id_type, element_id_value" (bug 7f34f776). The MCP 6.19.3 align-to-identifier_type/identifier_value shift landed cleanly on the MCP side AND on the move_element HANDLE
• fix reorder_elements HTTP 500 TypeError: explode(): Argument #2 ($string) must be of type string, array given (bug 30c083e3). Double-parse of container_path between layers. The REST handler at Respira_Element_Ops::reorder_el
• note Both fixes are narrow (1 route registration entry + 1 typecheck block). No data migration, no breaking change for any existing caller shape.
• note Same reporter noted the documented respira_report_issue 401 from MCP — the bearer-on-license_key fix shipped yesterday in d89601b6 and is already live on respira.press. Their next bug should flow through the tool.

Divi 4 extract+inject round trip preserves per-column children order

• fix Divi 4 extract+inject round trip preserves per-column children order. parse_divi_shortcodes flattened columns via array_merge and lost per-column boundaries; build_divi_shortcodes then round-robin'd children back across
• fix Elementor v3 Nested Element widgets — page-level saves no longer strip widget-level elements[]. complexify_structure only re-emitted $element['elements'] when the elType was a known container (v3 section/container/column
• fix Gutenberg update_element with {content: "..."} now persists to post_content. The universal interface wrapped any flat patch missing a "structural" key into the adapter's attrs bucket. For Gutenberg that meant {content: "
• fix Divi 5 layout validator no longer over-rejects on append writes. B.W. reported every add_section / add_html / append-mode inject_builder_content failing with 16 verbatim "row should be inside section or column" errors —
• fix Divi 5 approve/merge no longer corrupts < and > to literal "u003c". approve_duplicate_by_merging_into_original passed the duplicate's unslashed post_content straight to wp_update_post, which wp_unslash()s internally befo
• fix move_element no longer silently deletes; reorder_elements no longer 500s. The MCP schemas shipped param names the plugin handlers never read. move_element sent element_id + target_container_id while the plugin expected i

wordpress_create_playbook

• add wordpress_create_playbook. Authors a JSON workflow composition that registers itself as a WordPress Ability and shows up as a callable tool on the next MCP handshake. The agent describes the workflow once, Respira stores
• add wordpress_list_playbooks. Read-only enumeration of every Playbook on the site, with id / ability_id / label / step count / invocation_count / last_invoked_at. Use for "what playbooks are available" discovery before autho
• add wordpress_get_playbook. Read one Playbook's full definition (input_schema, steps, returns template, audit metadata)
• add wordpress_update_playbook. Modify an existing Playbook in place. Id is immutable. The destructive-tool check runs again on every update
• add wordpress_delete_playbook. Drops a Playbook + its registered Ability. The Ability disappears from the MCP catalog on next handshake. Existing posts / data created by past invocations are not touched
• internal All five route through the generic callRestV1 wrapper added in v6.20.0 — no new client wrappers needed.

wordpress_create_post_type / update / delete / list_custom_post_types

• add wordpress_create_post_type / update / delete / list_custom_post_types. Agent provisions a new CPT in one call. Slug allowlist enforced server-side (lowercase, letters/digits/underscore, 1-20 chars, no reserved slugs like
• add wordpress_create_taxonomy / update / delete / list_custom_taxonomies. Same shape as the CPT surface. Attaches to one or more post types via the post_types array. Hierarchical (category-like) or flat (tag-like) via the hi
• add wordpress_create_acf_field_group / update / delete / list_acf_field_groups. ACF (free or Pro) must be active — all four refuse with respira_acf_not_active otherwise. Fields and location rules pass through ACF's canonical
• internal New callRestV1 helper on wordpress-client.ts. Mirror of the existing callRestV2 for endpoints under /wp-json/respira/v1/. The 12 new tools route through this so no per-tool wrapper method was needed
• note All twelve write tools are manage_options-gated on the WP side. Lite version stays read-only — Pro-only for the v7.1 ship.
• note Structure definitions are stored in wp_options (respira_custom_post_types, respira_custom_taxonomies, respira_custom_acf_field_groups). Site export/import via wp-cli covers them automatically; no migration script require

respira_update_element exposes edit_target + confirm_live_edit at the top level

• add respira_update_element exposes edit_target + confirm_live_edit at the top level. [#3](https://github.com/respira-press/respira-wordpress-mcp/issues/3) (madeat3am, 2026-05-21). On a Bricks site with respira_allow_direct_e
• note [#1](https://github.com/respira-press/respira-wordpress-mcp/issues/1) (remove_element parameter shape) was already resolved. Filed 2026-04-07 against MCP v5.5.0 and plugin v5.5.5. The MCP schema sent element_id while the
• note [#2](https://github.com/respira-press/respira-wordpress-mcp/issues/2) (move_element parameter shape) was already resolved. Filed 2026-04-07 against the same setup. End-to-end fix landed in plugin v7.0.60 (which accepts b

wordpress_update_element surfaces the plugin's new write_was_noop warning at the tool-result level

• add wordpress_update_element surfaces the plugin's new write_was_noop warning at the tool-result level. Plugin v7.0.61 adds write_diag + warning: "write_was_noop" to the update_element response when post_content did not chan
• add wordpress_upload_media pre-flight size check. Dashboard showed 50.7% success / p95 = 120 SECONDS / 34.8% timeout >60s. Almost the entire long tail is the agent passing a base64 payload of a large image — the per-call wat
• change Node floor raised from 18 → 20. Node 18 went end-of-life 2025-04-30, npm 11 requires Node 20.17+, and @supabase/supabase-js already prints a deprecation warning on Node 18. Telemetry shows the median customer Node versio

Per-client HTTP agents + destroy-on-watchdog-trip

• fix Per-client HTTP agents + destroy-on-watchdog-trip. Pre-v6.19.3 the WordPressClient axios instances used Node's shared http.globalAgent / https.globalAgent. When a write tool hung past RESPIRA_MAX_TOOL_TIMEOUT_MS the watc
• fix restore_snapshot polls for completion when the request times out. Heavy Divi / Oxygen pages can take 1-3 min to restore; pre-v6.19.3 the synchronous POST exceeded axios's 30s timeout even though the server-side restore c
• rm wordpress_search_abilities MCP tool. Hit /wp-json/respira/v1/abilities/search, a route the plugin never registered. Every call 404'd. wordpress_get_builder_info + wordpress_search_docs cover the discoverable surface; wor
• schema wordpress_move_element + wordpress_reorder_elements aligned with the plugin contract. The MCP schemas shipped param names the plugin handlers never read; the plugin handlers had to be patched in 7.0.59 to accept the lega

Released 2026-05-27.

• change Released 2026-05-27.
• add Product brand support (product_brand taxonomy). The update-product and create-product abilities now accept brand_ids so an AI can assign or clear brands on a product the same way it already assigns categories and tags. Full CRUD endpoints l
• add Featured-image removal. The update-product ability now accepts image_id. Pass an attachment ID to set; pass 0 or null to remove the featured image. Previously the only image-related field on the response was a read-only URL; agents had no w
• schema Product response shape gains brand_ids, brands, and image_id. image is unchanged.

"Approve all visible" button on the Changes / Approvals page

• add "Approve all visible" button on the Changes / Approvals page. Renders only when respira_enable_bulk_approvals is on AND there are pending duplicates. The button shows the live pending count next to its label (Approve all
• add respira_list_pending_duplicate_ids AJAX endpoint. Returns the array of every post ID where _respira_duplicate=1 AND post_status IN ('draft','pending'), ordered by post_modified DESC. Same nonce + manage_options gate as t
• add bulk_approvals_enabled + pending_duplicate_count flags in the localized respira_admin JS object. Lets the new button gate itself client-side without an extra round trip — hidden when the setting is off or the queue is em
• note No new permission surface. The same manage_options capability + respira_enable_bulk_approvals toggle that gated the backend handler since 4.0.11 still gate the UI. The default for the toggle stays OFF for safety; admins
• note The bulk handler is conservative — it never force-approves (every per-item call passes force: false). If a duplicate's original has changed since the duplicate was created, that one item shows in the per-item failure lis

Skills catalog URL points at the right GitHub org

• fix Skills catalog URL points at the right GitHub org. The Respira_Admin::fetch_skills_catalog() helper still pulled from https://raw.githubusercontent.com/webmyc/agent-skills-wordpress/main/skills.json, but the repo was tra
• note Because the pre-fix code path returned the error without setting the transient cache, no client-side cache needs busting. The fix takes effect on the first page load after upgrade.
• note One-line URL change in admin/class-respira-admin.php plus a comment block that records why raw.githubusercontent.com is fragile to repo transfers, so the next maintainer doesn't reintroduce the same bug.

rest_no_route errors now carry the attempted path

• fix rest_no_route errors now carry the attempted path. Previously, when WordPress returned rest_no_route (54 hits across two sites the week of 2026-05-24), the MCP recorded the generic WP string "No route was found matching
• change inject_builder_content description now lists Divi render-critical attrs. When any of the 10 Divi module types in the validator is missing its required attr (e.g. divi/heading without title, divi/button without button_tex
• change read_theme_file description hardened against non-stylesheet attempts. The schema already enforced .css / .scss / .less / .json, but agents kept trying .php / .html (5 hits the week of 2026-05-24, returning respira_theme_

Generic Error bucket in tool telemetry

• fix Generic Error bucket in tool telemetry. The dispatch wrapper at server.ts recorded error_code from Error.name, but ~6 tool wrappers (find_element, inject_builder_content, upload_media, batch_update, update_custom_post, a

respira_run_pagespeed_audit + respira_analyze_pagespeed

• add respira_run_pagespeed_audit + respira_analyze_pagespeed (Phase E Tier 2). Real PageSpeed Insights v5 audit replaces the heuristic CWV path. respira_run_pagespeed_audit returns Lighthouse lab data (scores for performance/
• add get_accessibility_scan schema accepts UUID strings. N15 — pre-fix the input schema declared scan_id: number but list_accessibility_scans returns UUID strings, so the two tools couldn't be paired
• add list_accessibility_scans pagination + summary mode. N16 — added limit, offset, summary_only (default true) params. Summary mode strips violations[].nodes and per-violation AI fix prompts; full payload remains via get_acc
• add get_snapshot include opt-in. N26 — defaults to metadata-only (~5KB); pass include=content for the full builder payload (~78KB)
• fix N6: site_id envelope leak. Every tool response carried site: <default site> even when a per-call site_id override resolved correctly. The MCP correctly serviced the call against the override but reported the default in t
• fix N9: schema gaps on 5 destructive tools. create_user, update_user, delete_user, delete_custom_post, delete_menu all enforce server-side approval/force gates but the MCP schemas didn't expose the params. Added approval_tok

Divi is_builder_used() vetoes itself when _et_pb_use_builder='off'

• fix Divi is_builder_used() vetoes itself when _et_pb_use_builder='off'. The explicit 'off' value is the user's signal that Divi is NOT active on this post (even though stale _et_pb_page_* meta from a previous Divi-active per
• add update_element response now carries builder.name and builder.version. Surfaces the picked adapter directly in the response envelope so silent-write reports can name the adapter that claimed the post without a separate re
• note The Lite plugin's is_divi_page() already vetoed on 'off' === $et_pb_use (only returns true on 'on'), so Lite was never affected and no sync port is needed.
• note Once the customer confirms v7.0.56 lands the write correctly, the broader detect_builder() audit (theme-tiebreaker rule should also respect explicit per-post disables across all builders, not just Divi) is queued separat

expected_type opt-in pre-write validation on update_module for Divi 4

• add expected_type opt-in pre-write validation on update_module for Divi 4. Callers (MCP clients, apply_builder_patch, batch_update) can pass expected_type: 'et_pb_text' in the updates payload. If the resolver lands on a modu
• add expected_type and _skip_truncation_check are now also stripped from the attribute patch automatically so they cannot accidentally land in module attributes if a caller forgets to extract them.
• note The root-cause fix (rewriting the path resolver to follow the nested children[] tree rather than the flat row-column merge) is queued for v7.0.56. Until then, agent clients calling Divi 4 update_module on multi-column ro
• note The MCP server's update_module tool description will get a matching update in the next mcp-server release to advertise expected_type and recommend its use on Divi 4. Plugin-side ship goes out first so the surface is ther

Gutenberg is_builder_used() disqualifier checks values, not just key presence

• fix Gutenberg is_builder_used() disqualifier checks values, not just key presence. Each "other-builder" meta key now carries a predicate matching the source builder's own activity convention:
• note Verified the failure mode against M.P.'s exact scenario: a post duplicated from an original that has _et_pb_use_builder=off will, pre-v7.0.54, fall through Gutenberg's claim check despite Gutenberg being the only sensibl
• note The pre-v7.0.54 disqualifier list pattern (presence-only) is a common code-smell across builder adapters. Future cleanup is queued to audit the cross-builder claim logic for the same stale-key class of bug, but for v7.0.

Bricks option-group read endpoints scrub _respira_* keys

• fix Bricks option-group read endpoints scrub _respira_* keys. handle_get_option_group (covering global-classes, color-palette, theme-styles, typography, global-variables, breakpoints, pseudo-classes) and handle_design_system
• fix Bricks option-group write endpoints recursively strip _respira_* keys from request bodies. handle_create_item was already stripping _respira_key_data at the top level only; expanded to recursive scrub_respira_internals()
• fix update_element / element-ops envelope is_duplicate now matches the actually-resolved write target. Pre-v7.0.53, Respira_Element_Ops::target_metadata() read is_duplicate from resolve_mutation_target()'s output, which eval
• fix Gutenberg inject_content now guards the write against third-party save_post reverts AND verifies persistence. The customer report: 9 successive duplicates (340148, 340151, 340153, 340155, 340157, 340159, 340161, 340163,
• note The Gutenberg silent-revert family also lives in the Divi adapter's update path for posts (Divi was enabled-then-disabled mid-session on the customer site, so duplicate detection may still route through Divi while Gutenb
• note The Bricks scrub does not delete leaked data from already-corrupted rows — it strips at READ + WRITE. A separate one-shot migration to scrub stored values is queued but not blocking: the READ scrub keeps the leak out of

B-7: inject_builder_content rejects simplified types

• fix B-7: inject_builder_content rejects simplified types. Pre-fix the detector returned unknown for payloads using simplified types (section, row, column, heading, etc. without divi/ or et_pb_ prefix) and hard-failed with "D
• fix {content: [...]} wrapper unwrap. Round-tripped extracts come back as {content: [...]}. The new unwrapBuilderContent helper normalises before forwarding so every downstream caller sees the same shape
• fix Camrin@cspmarketingsolutions friendly→canonical param translation. Three structural tools (move_element, duplicate_element, reorder_elements) advertised friendly param names but the REST endpoints required typed pairs. D

Truncation guard in Respira_API::update_element only fires on REAL truncation now

• fix Truncation guard in Respira_API::update_element only fires on REAL truncation now. Pre-v7.0.52 the guard at class-respira-api.php line 6159 compared the byte length of $updates['content'] (input) to the byte length of th
• fix content + text identifier_types skip the verify step entirely. For those identifier shapes the post-write find_module is unreliable BY DESIGN (the identifier string was the thing we just changed). No verify, no false pos
• fix New updates._skip_truncation_check: true opt-out for callers that know the verify-find would land on the wrong node. Safety hatch — the guard stays opt-in-default for paths where it does catch real truncation
• note Bug #1 from Morgan's report (update_element with match_content targets the FIRST match instead of the DEEPEST match) is actually addressed correctly by the v6.11.1+ find_divi4_shortcode deepest-match logic at class-build
• note Bug #3 (4-minute timeout on update_page / inject_builder_content for ~113KB Divi shortcode pages) is the same large-page complexify-tree-walk overhead that bit M.P. on Fischers Fritze. Belongs to v7.1.
• note The customer-facing impact of the false positive was severe: Morgan saw "tool failed" on a write that had actually persisted his changes correctly, retried via a workaround that bypassed type validation, and corrupted hi

Respira_Builder_Tree_Utility::matches() content identifier_type now deep-searches options / attrs / settings

• fix Respira_Builder_Tree_Utility::matches() content identifier_type now deep-searches options / attrs / settings. Pre-7.0.51 the content matcher only checked $element['content'] (Elementor / Divi 4 top-level string) and $ele
• fix update_element adds a normalize_element_updates($existing_element, $updates, $wrap_target) hook on Respira_Builder_Interface; Oxygen overrides it to route ct_image / ct_image_overlay flat patches into options.original. P
• note Verified end-to-end on Studio :8882 with Oxygen Classic 4.9.7. Test fixture: synthetic page with a ct_text_block whose options.ct_content is "Hello world<br>this is a paragraph ending in br" plus a ct_image with options.
• note The normalize_element_updates hook lands on the interface as an optional method — adapters that don't override it pay no cost. Future adapter-specific patch normalisations (Beaver's nested font field family, Breakdance's
• note Wider M.P. Härtetest findings: items #1, #2, #3, #5 are addressed by v7.0.47 → v7.0.50 (already shipped); the 4-minute timeout he flagged separately should also clear once v7.0.49's auto-heal removes the upstream 500 tri

divi_render_critical_attrs() no longer flags divi/column nodes missing attrs.type

• fix divi_render_critical_attrs() no longer flags divi/column nodes missing attrs.type. The render-critical-attrs map was introduced in v7.0.0 Bloom Phase B to catch LLM hand-writes that would render empty (heading without ti
• note Verified on Studio :8882 with synthetic 5-section Divi 5 tree containing 9 divi/column nodes with attrs => [] (the round-trip shape): validator returns 0 entries. Counter-test with deliberately bad leaf modules (heading
• note This release narrows the validator surface but does NOT fix the broader inconsistency between build_page (skip validator) and inject_builder_content (apply validator). That's a deliberate scope decision: the column rule
• note The Nettl reporter posted a very precise repro (5 sections, 4 rows, exact node counts) plus a working hypothesis pointing at content.innerContent. The actual root was different but the report's structured shape made the

update_page auto-heals a poisoned _wp_page_template before wp_update_post fires

• fix update_page auto-heals a poisoned _wp_page_template before wp_update_post fires. Reads the existing value, validates against wp_get_theme()->get_page_templates($post, $post_type) (same method WP core's REST controller us
• note Verified on Studio :8882 with uncode theme active (registers 0 page templates). Test fixture: page poisoned with _wp_page_template=ct_template, then wp_update_post fired. Pre-v7.0.49: WP_Error invalid_page_template. Post
• note Resolves the persisted-bad-state half of the M.P. bug. The 4-minute read timeout signal he separately flagged is almost certainly a follow-on of the 500 — a save_post hook chain (Cloudflare cache purge / Wordfence rescan
• note The v7.0.48 guard stays in place. Defence-in-depth: v7.0.48 prevents new poisoned writes; v7.0.49 cleans up existing poisoned values; v7.0.47's shutdown handler still localises any remaining throws. M.P. should see clean
• note The auto-heal only fires when needed (existing value present + not registered + not baseline). Pages with a registered template are unchanged. Pages with no template are unchanged. Zero behavioural impact on the 99% of i

Respira_API::update_post_meta_fields() validates _wp_page_template against the active theme's registered templates

• fix Respira_API::update_post_meta_fields() validates _wp_page_template against the active theme's registered templates. Uses wp_get_theme()->get_page_templates($post, $post_type) (the same method WP core's REST controller us
• fix Respira_Builder_Oxygen::inject_content() validates ct_template before the auto-set. Pre-7.0.48 the Oxygen adapter wrote _wp_page_template=ct_template whenever the existing value was empty or 'default', no matter whether
• note Verified end-to-end on Studio :8882 with Uncode theme active and Oxygen Classic 4.9.7 active. get_page_templates() returns an empty array on that stack. Test fixture: API call with _wp_page_template=ct_template correctly
• note The v7.0.39 diagnostic envelope + v7.0.47 shutdown handler stay in place. Together with the v7.0.48 source-side guard the layered defence is: (a) bad value never reaches WP_REST_Posts_Controller (this release), (b) if so
• note The Oxygen adapter still logs the skip explicitly because losing the page-template auto-set CAN matter on themes that override the page render. The customer-facing impact in that case is "page renders via theme template

New Respira_Analyzable_Content::html_for($post_id) shared content extractor; SEO / readability / Rank Math / performance / image / AEO analy

• fix New Respira_Analyzable_Content::html_for($post_id) shared content extractor; SEO / readability / Rank Math / performance / image / AEO analyzers all route through it. Detects the active builder via Respira_Builder_Interf
• fix update_element REST handler now wraps register_shutdown_function around the request lifecycle. v7.0.39 added try/catch \Throwable on every userland exit site, but PHP-level fatals (memory exhaustion mid-request, max_exec
• note The new extractor file (includes/analyzers/class-respira-analyzable-content.php) is included once per analyzer class file via if ( ! class_exists ) require_once. The five existing analyzer classes (class-respira-seo-anal
• note WPBakery / Bricks / Breakdance extractors are queued for the next ship. Today the dispatcher returns $post->post_content for those builders, which is at worst the same false negative the audit reported before this fix —
• note Studio test pattern for the next builders to come online: build a fresh page with empty post_content + populate the builder's native postmeta key with a minimal synthetic tree, then call each analyzer's analyze_* method
• note The shutdown-handler change is additive over v7.0.39's userland try/catch — both run, and the userland catch still wins on every non-fatal throw. The shutdown hook only fires when PHP-level shutdown carries a fatal error

Tree_Utility::matches() type+match_content branch deep-searches attributes / attrs / settings for the needle

• fix Tree_Utility::matches() type+match_content branch deep-searches attributes / attrs / settings for the needle. Pre-7.0.46 the branch only ran stripos($element['content'], $match_content). Self-closing Divi 4 modules (et_p
• note Closes the github #32 follow-up surface P.L. raised — third increment on this issue but the underlying bug was always one piece deeper than the previous fix suggested. v7.0.29 added attribute-text matching for update_mod
• note Verified by inspection: the new match path uses text_contains for the content body (HTML-tolerant via the existing v6.5.1 sanitiser) and any_string_contains for the attribute buckets (recursive deep-search). Both helpers

batch_update per-operation resolver now forwards match_content to Tree_Utility::find()

• fix batch_update per-operation resolver now forwards match_content to Tree_Utility::find(). Pre-7.0.45 the call site only passed 4 args (the optional 5th match_content was dropped), so any batch operation targeting a specifi
• fix batch_update remove action gets the same fix. Both actions in the same method use the same shared $op_match_content variable
• note Operator-trapping severity: pre-fix the API returned success: true with the write landing on the wrong element. Mid-batch silent data loss with a green-status response.
• note Closes github #32. The Divi 4 customer surface arc (P.L. / Catholic Mass Times) over the v7.0.29 -> v7.0.45 chain: kses corruption (closed v7.0.29), column corruption (closed v7.0.29), silent no-op (closed v7.0.29), per-

wp.org review fixes

• change Display name updated to "Inhale: MCP Abilities by Respira" so the author attribution is visible in wp-admin plugin lists. Slug inhale-mcp-abilities is unchanged.
• change Contributors field in readme.txt now lists urbankidro (the wp.org username that owns the plugin) instead of the brand string. The Author header still reads "Respira" so the visible attribution on the directory page is un
• change uninstall.php updated to remove the new primary key, the v0.4.0 migration flag, the canonical compat key, and every legacy key from v0.1.x and v0.2.x. Single-site and multisite sweep.

WordPress.org Plugin Directory submission

• change Canonical option key. v0.2.0+ stores the opted-in list under mcp_adapter_public_abilities — the same key proposed first-party in [WordPress/mcp-adapter#184](https://github.com/WordPress/mcp-adapter/pull/184). A one-shot
• change Brand-aligned chrome. Header with "by respira.press" Baskervville italic subtitle and a tiny version pill in the right-side toolbar. Light and dark themes both render with AA contrast
• change iOS-style toggle in the Status column for fast per-row inhale / exhale, on top of the standard wp-admin bulk-actions pattern
• change Foreign admin notices suppressed on the Inhale settings page only, so the screen stays focused on the one decision it exists to support
• change Hardened uninstall. Removes every option the plugin has ever written, single-site and multisite
• change Plugin Directory readiness pass. ABSPATH guards on every shipped PHP file. Every output escaped. Every state-changing request nonce-verified and capability-gated. No remote calls, no tracking, no obfuscation, no bundled

hardening pass

• change wp_die response code 403 + back link on the settings page permission denial path. Access logs and automated clients now see an authorization failure instead of a generic error
• change Row class escaping normalised: the abilities table's <tr class="…"> attribute is always rendered through esc_attr() instead of conditionally injecting the attribute fragment. No behavioral change, but conforms more stric

first public release

• change Discovers every ability registered via the WordPress Abilities API and lists them in a wp-admin native list table.
• change Standard wp-admin selection + bulk-action UX: row checkboxes are selection; Bulk Actions dropdown plus Apply commits Inhale or Exhale immediately. No save-changes step.
• change Row-hover quick actions for single-ability inhale or exhale.
• change Annotation badges on each ability (read-only, destructive, idempotent) sourced from the ability's declared meta; falls back to heuristic inference from the ability name when the registering plugin didn't tag it.
• change Filter views (All, Inhaled, Read-only, Destructive, Unannotated), a search box that matches across name / source / description, sortable columns, multi-select source filter, client-side pagination (20/50/100/All).
• change Sources summary card above the table listing every plugin or theme that registers abilities, with the count per source and deep-links to each source's wp-admin home.

Zero-touch Cowork onboarding (Open in Cowork)

• change .mcp.json sets RESPIRA_BOOTSTRAP_OK=1 so the npx server boots even without a config file present.
• change Existing RESPIRA_CONFIG_FILE, RESPIRA_AGENT_CLIENT, RESPIRA_AGENT_TRANSPORT env vars unchanged.
• change Version label bumped in plugin.json and README.md.
• change Server companion: [@respira/wordpress-mcp-server@6.11.6](https://github.com/webmyc/respira-wordpress/blob/main/mcp-server/CHANGELOG.md#6116---2026-05-11)
• change Zero-touch design doc: drafted 2026-05-10, shipping Family 3b

unified ~/.respira/config.json flow + connect-site rewrite

• change The skill-documented config shape ({url, apiKey}) crashed the MCP server silently on startup because the server required four fields (id, name, url, apiKey). User saw "MCP server still connecting…" forever.
• change The Cowork form echoed pasted API keys into the chat transcript, contradicting the skill's own privacy promise.
• change .mcp.json points RESPIRA_CONFIG_FILE at ~/.respira/config.json.
• change npm dependency pinned to @respira/wordpress-mcp-server@latest so the server schema fix lands immediately.
• change /respira:connect-site skill rewritten: check for ~/.respira/config.json, point user at the dashboard to download it if missing, restart Cowork, test. Includes a "if startup fails" branch that reads ~/.respira/last-startu
• change README.md and INSTALL.md updated to describe the unified flow.

audience-first README rewrite

• change Edit a page without opening WP admin ("Update the headline on my client's homepage to say 'spring collection arriving'", about thirty seconds end to end)
• change Migrate a client site between page builders (sixteen supported paths, week of work into an afternoon)
• change Audit a site before a client meeting (SEO, AI search visibility, accessibility, mobile, technical debt, WooCommerce, with one-click fixes)
• change Clean up a media library in one pass (alt text, compression, dimensions)
• change Manage ten client sites from one conversation (multi-site context follows the conversation naturally)
• change No code changes.

README accuracy pass: 30 skills

• change 8 slash commands for the most common workflows
• change 30 auto activating skills, broken down as:
• change 1 visual reviewer sub agent that shows what changed after every edit
• change Full access to all 180+ Respira MCP tools through the bundled @respira/wordpress-mcp-server
• change All 12 supported page builders: Elementor, Divi 4, Divi 5, Bricks, Oxygen, Breakdance, Beaver Builder, WPBakery, Flatsome UX Builder, Brizy, Thrive Architect, Gutenberg
• change Restructured "What you get" with the correct skill count.

README hero KV + signup copy accuracy

• change Add the canonical Respira-for-Cowork hero image to the top of the README.
• change Drop the "free Lite tier available" line (Lite is not shipped yet).
• change Restate the trial as Maker, 7 days, no credit card required.
• change Show current version and respira.press/cowork link in the README header.
• change Bump plugin.json to 1.0.7.
• change v1.0.6: bundle 26 skills from agent-skills-wordpress, revert to name=respira (slug validation enforces lowercase).

Self-updater fatal on every WP cron tick. class-updater.php:104 called \Respira_License::get_license_key() which has never existed on the core License class — every site that activated the add-on threw Uncaught Error: Call to undefined meth

• fix Self-updater fatal on every WP cron tick. class-updater.php:104 called \Respira_License::get_license_key() which has never existed on the core License class — every site that activated the add-on threw Uncaught Error: Call to undefined meth

drop keytar, fix whoami after login, unstick terminal, warm welcome

• 3. [@respira/cli 0.1.3](https://www.npmjs.com/package/@respira/cli)
• 3. [@respira/sdk 0.1.3](https://www.npmjs.com/package/@respira/sdk)
• 3. [@respira/cli-core 0.1.3](https://www.npmjs.com/package/@respira/cli-core)

fix 307 redirect breaking respira auth login

• change [@respira/cli 0.1.2](https://www.npmjs.com/package/@respira/cli)
• change [@respira/sdk 0.1.2](https://www.npmjs.com/package/@respira/sdk)
• change [@respira/cli-core 0.1.2](https://www.npmjs.com/package/@respira/cli-core)

per-package READMEs on npm

• change [@respira/cli](https://www.npmjs.com/package/@respira/cli) — 9.4 kB README: marketing-forward, WP-CLI comparison, architecture summary, quick start, 34-command reference, AI agent integration, pricing.
• change [@respira/sdk](https://www.npmjs.com/package/@respira/sdk) — 5.7 kB README: developer-focused, createRespiraClient usage, anonymous mode, seven namespaces, builder-native examples, error taxonomy.
• change [@respira/cli-core](https://www.npmjs.com/package/@respira/cli-core) — 6.3 kB README: advanced/builder-facing, documents every frozen v0.1 export (ExecutionCycle, FrameworkHook, ToolChainFunction, TraceEmitter, CycleErro

Foundation release

• change Six-phase execution cycle: LoadContext -> PreHooks -> Resolve -> Execute -> PostHooks -> Return. Deterministic. Traceable. Every command runs through every phase
• change Five framework hook contracts, frozen for v0.1: before_resolve, filter_plan, before_execute, filter_result, after_execute. In v0.1 no callbacks register. v0.2 populates them. NullHookRegistry swaps for ManifestBackedHook
• change Typed ToolChainFunction<T> abstraction for all 34 commands. Each function declares capability (read | write | destructive), domain tags, and prerequisites
• change File-organization convention: one BaseCommand subclass per file, one ToolChainFunction per file, always co-located. Named export <camelCasePath>Function
• change Structured JSON tracing via --verbose, written to ~/.respira/traces/{invocationId}.json. Hard cap 10,000 entries per invocation
• change [@respira/cli 0.1.0](https://www.npmjs.com/package/@respira/cli)

Thrive Architect product pages — description edits didn't appear on the frontend — bulk_update_products with description / short_description wrote to post_content via WooCommerce setters, but Thrive Architect renders from its own wp_postmet

• fix Thrive Architect product pages — description edits didn't appear on the frontend — bulk_update_products with description / short_description wrote to post_content via WooCommerce setters, but Thrive Architect renders from its own wp_postmet

Product category CRUD endpoints and MCP tools (list/get/create/update/delete).

• add Product category CRUD endpoints and MCP tools (list/get/create/update/delete).
• add Product tag CRUD endpoints and MCP tools (list/get/create/update/delete).
• change Product create/update now supports category and tag assignment payloads for safer taxonomy-aware catalog workflows.

Release pipeline reliability: ensures fresh tag/release creation behavior.

• change Release pipeline reliability: ensures fresh tag/release creation behavior.
• change Security hardening parity with experimental-feature gating patterns in core plugin.

Initial WooCommerce add-on release.

• change Initial WooCommerce add-on release.