Fix: Chat now accepts HTML and JavaScript code snippets (e.g. WPCode tracking scripts with <script> tags). Messages are no longer stripped by over-aggressive sanitization, and code payloads are base64-encoded in transit so hosting WAF rules do not block admin-ajax requests.
1.8.0
Feature: Guided onboarding. First-time setup includes a site scan and initial report; returning users without an AI provider see a continuity state with clear next steps; connecting a provider triggers a one-time welcome grounded in scan data.
Feature: Spanish (Spain) translation for wp-admin settings, the chat widget, ability labels, and user-facing messages (es_ES; other locales fall back to English).
Improvement: Settings UI reorganized for a clearer overview of Lola’s capabilities and optional extensions.
Improvement: Admin navigation — dedicated Addons screen under the Lola menu and a shortcut from the Plugins list row. The screen lists available addons, including the free LolaCore for Elementor (91 abilities), and explains how cross-domain memory works.
Improvement: Admin notice when WordPress is below the recommended version (7.0).
Security: Hardened the chat confirmation card against malicious markup in action parameters (output escaping).
Security: Chat sessions are now bound to the admin who created them, so a session cannot be read or continued by another user.
Security: Expanded the protected-options list so role, plugin/theme activation, mail server, and upload-path settings cannot be changed through the generic option editor.
1.7.2
Improvement: Plugin Builder runs additional pre-delivery safety checks. Generated plugins that are missing direct-access guards (ABSPATH) or that use forbidden functions (eval, shell_exec, and similar) are blocked before they reach your library.
Improvement: Runtime load test validates the same normalized PHP used for install and Playground, and bootstraps declared dependencies (e.g. WooCommerce admin bases) when possible.
Improvement: Delivery cards and the Built Plugins library show Load test (Passed / Skipped / Failed) separately from the Code review score, so the percentage is not mistaken for activation safety.
Improvement: Safety findings and load-test status are stored on each built plugin entry for library diagnostics.
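A pre-delivery check of the kind the 1.7.2 entry describes can be built on PHP's tokenizer, as in this added example; it is not LolaCore's code. It assumes PHP 8, and the function names and the deny list beyond eval and shell_exec are hypothetical.

```php
<?php
// Added illustration, not LolaCore's code. The deny list is an assumption: shell_exec
// comes from the changelog entry, the rest stand in for "and similar". eval is a
// language construct with its own token, so it is handled separately below.
const FORBIDDEN_CALLS = ['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open'];

/** Token type name, or the literal character for single-character tokens. */
function tok_name($tok): string
{
    return is_array($tok) ? token_name($tok[0]) : (string) $tok;
}

/** True when the tokens at $i form defined('ABSPATH') closely followed by exit/die. */
function is_guard(array $tokens, int $i): bool
{
    $arg = $tokens[$i + 2] ?? null;
    if (!is_array($arg) || trim($arg[1], "'\"") !== 'ABSPATH') {
        return false;
    }
    // Covers "if ( ! defined( 'ABSPATH' ) ) { exit; }" and "defined( 'ABSPATH' ) || exit;".
    foreach (array_slice($tokens, $i + 3, 5) as $t) {
        if (tok_name($t) === 'T_EXIT') {
            return true;
        }
    }
    return false;
}

/** Returns findings for one generated PHP file; an empty array means it passes. */
function check_generated_plugin(string $source): array
{
    $skip = ['T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT'];
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $tokens = array_values(array_filter(
        token_get_all($source),
        static fn($t) => !in_array(tok_name($t), $skip, true)
    ));
    $member = ['T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_FUNCTION'];
    $findings = [];
    $hasGuard = false;
    $line = 1;
    foreach ($tokens as $i => $tok) {
        $line = is_array($tok) ? $tok[2] : $line;
        $name = tok_name($tok);
        $prev = tok_name($tokens[$i - 1] ?? null);
        $next = tok_name($tokens[$i + 1] ?? null);
        if ($name === 'T_EVAL') {
            $findings[] = "line $line: eval() is forbidden";
        } elseif ($name === '`') {
            $findings[] = "line $line: backtick shell execution is forbidden";
        } elseif (in_array($name, ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true) && $next === '(') {
            $fn = strtolower(ltrim($tok[1], '\\'));
            // $db->exec(), Foo::system() and "function exec()" are not the builtin.
            if (!in_array($prev, $member, true) && in_array($fn, FORBIDDEN_CALLS, true)) {
                $findings[] = "line $line: {$fn}() is forbidden";
            } elseif ($fn === 'defined' && is_guard($tokens, $i)) {
                $hasGuard = true;
            }
        }
    }
    if (!$hasGuard) {
        array_unshift($findings, "missing direct-access guard: defined('ABSPATH') || exit");
    }
    return array_values(array_unique($findings));
}

// Constructed sample: no ABSPATH guard, one forbidden call, one harmless method call.
$sample = <<<'SAMPLE'
<?php
/* Plugin Name: Demo */
add_action('init', function () use ($db) {
    $db->exec('DELETE FROM demo');   // method call, must not be flagged
    $out = \shell_exec('uptime');    // forbidden builtin
    // eval('x'); inside a comment is ignored
});
SAMPLE;

foreach (check_generated_plugin($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Token matching sees only direct calls, so a check like this complements the load test and code review listed in these entries rather than replacing them.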
1.7.1
Fix: Remove development-only CLI repro scripts from the WordPress.org distribution package (they remain in the source repo for local debugging). Packaging-only release, no functional changes.
1.7.0
Feature: Plugin Builder. Describe a custom plugin for your site in chat; Lola reads site render context, co-designs an optional approved mini-plan with you, generates a standard three-file WordPress plugin (PHP, JS, CSS) in a background worker with progress in chat, and saves it to the Built Plugins library under Lola in wp-admin. Delivery cards explain the MVP iteration loop (you as architect, Lola as engineer).
Feature: Nine Plugin Builder abilities: getSiteRenderContext, createPlugin, updatePluginCode, listBuiltPlugins, getBuiltPluginDetails, getInstalledPluginState, testPluginPlayground, installPluginLocal, and deleteBuiltPlugin.
Feature: Built Plugins admin library: version, install status, Try in Playground, Install, review note and suggestions, and a read-only code viewer (PHP / JS / CSS tabs) on each entry.
Feature: WordPress Playground testing. One-click disposable WordPress instance with your generated plugin installed and activated; when the plugin needs WooCommerce, the blueprint installs WooCommerce, skips onboarding, creates shop pages, and seeds demo products so cart and storefront behavior can be tested safely.
Feature: Playground gate. Local install stays blocked until you attest Playground testing for the current library version.
Feature: Local install. Copy built plugins into wp-content/plugins/ with PHP syntax validation and optional backup advisory on dry run; plugins stay inactive until you explicitly activate them (LolaCore modal with optional Activate now or open the Plugins screen).
Feature: Chat artifact cards for async build progress, delivery preview, Playground links, and post-save success (no extra slow LLM round-trip for Playground URLs).
Feature: Failed-build recovery. When generation cannot pass internal safety checks, the chat card offers Try again and preserves the last artifact for fix-mode retries.
Feature: Automatic post revisions for each plugin update so you can roll back from the library entry.
Feature: Internal quality pipeline. PHP syntax lint, deterministic fatal-safety rules (e.g. unknown parent classes at file scope), runtime load validation when possible, AI code review, and up to two automatic retries before delivery fails.
Feature: Four built-in skills for plugin craft, Playground blueprints, security baseline, and plugin review methodology when you build, test, or debug generated plugins.
Improvement: Plugin generation sends site context to the AI (active theme, plugins, block vs classic integration signals, and WooCommerce free-shipping minimum when configured) so store-specific defaults are more realistic.
Improvement: Router debug logging is concise under WP_DEBUG (ability counts by category instead of dumping every tool name).
Fix: Daily WP-Cron maintenance hooks (lolacore_daily_decay, lolacore_log_cleanup) now execute their handlers. Memory facts decay and archive on schedule, and action log entries older than Log Retention Days in Settings are purged automatically.
1.6.3
Fix: Database optimization (optimizeDatabase) now processes revisions, spam comments, orphaned postmeta, and expired transients in safe batches of 1,000 rows, preventing timeouts and table locks on large databases with 100k+ revisions.
Fix: Database optimization now verifies each batch for errors and stops safely on failure, reporting exactly what was cleaned and what remains.
Improvement: Database optimization now reports actual space recovered (MB) instead of a hardcoded zero.
Improvement: A time guard stops the cleanup at 80% of max_execution_time and reports partial progress. The user can run it again to continue where it left off.
Improvement: Orphaned wp_postmeta rows (left behind by deleted revisions) are now cleaned automatically.
Improvement: Expired transients are now included in the database cleanup.
1.6.2
Fix: Gemini compatibility. Empty tool-call arguments now serialize as {} instead of [], preventing HTTP 400 errors when replaying chat history or calling no-parameter tools like optimizeDatabase.
Fix: Gemini empty responses. When the intent router injected the full toolset (130+ declarations), Gemini returned candidates without content parts. Google provider requests now cap function declarations and use a discover-first toolset (getSiteStatus, getDiscoveredAbilities, requestFullToolset, addMemoryFact).
Improvement: Google free-tier quota. The semantic intent classifier LLM call is skipped for Gemini to reduce API requests per message; quota and rate-limit errors now show a clear user-facing message instead of a generic server configuration warning.
1.6.1
Fix: Resolved a critical issue where LolaCore’s global MCP filters inadvertently blocked third-party standalone MCP servers (like lolacore-for-elementor) from discovering and executing their tools. Global tool filters are now strictly scoped to the LolaCore server ID.
Fix: Prevented a JSON schema validation error (“action_id is a required property”) by correctly formatting raw external tool responses (e.g. from Elementor) into the standard LolaCore action shape via ActionExecutor.
Fix: Silenced a PHP 8.1 deprecation warning in the vendorized MCP adapter (McpObservabilityHelperTrait) that could corrupt JSON payloads when WP_DEBUG was active.
1.6.0
Feature: Zero-Config MCP Server. LolaCore now natively bundles the Model Context Protocol (MCP) Adapter. You no longer need to install or configure external plugins to connect Lola to your IDE.
Feature: Full IDE Parity. Lola now lives inside Cursor, Windsurf, and Claude Desktop with the exact same 52 capabilities she has in the Web Chat. The tools you enable and the domains you configure in wp-admin are instantly and perfectly mirrored in your IDE.
Feature: Cross-Environment Persistent Memory. What Lola learns in your IDE, she remembers in the Web Chat. What you tell her in the Web Chat, she applies in Cursor. One agent, one memory bank, accessible through any interface you choose to work in.
Improvement: Dynamic Tool Syncing. The MCP bridge now dynamically reads your exact active toolset and categories from your LolaCore panel in real time.
1.5.0
Feature: Theme management. 5 new abilities (searchThemes, installTheme, updateTheme, bulkUpdateThemes, deleteTheme) bring themes to full parity with the existing plugin lifecycle. Lola can now discover themes on WordPress.org, install, update one or many, and safely delete (active theme and parents of active child themes are protected).
UX Fix: When approved actions succeed but the follow-up summary call to the AI provider fails, the chat now confirms the actions ran instead of showing a misleading “I couldn’t get a response” error. Users keep visibility into what executed.
UX Fix: Tool confirmation cards are now idempotent on the client. A second submission of the same action_id (rare reload-and-reclick scenarios, accessibility tools firing duplicate events) is silently ignored, preventing the spurious “That confirmation has expired” message after a successful execution.
1.4.1
Fix: Resolved a critical “Bad Request (400)” error triggered by orphan tool_call_ids during multi-tool execution (e.g. bulk plugin updates). The root cause was non-deterministic message ordering. MySQL’s 1-second datetime resolution caused tool responses to appear out of sequence when multiple tools executed within the same second.
Fix: Message history query now uses the auto-increment primary key for ordering instead of the datetime column, guaranteeing insertion-order fidelity regardless of timestamp collisions.
Fix: The history sanitizer now detects and drops stale tool messages that reference tool_call_ids never declared by any assistant message in the session.
Improvement: Added a defense-in-depth architecture for tool_call/tool_response pairing with four validation layers: deterministic DB ordering, history sanitizer with per-ID logging, post-sanitization assertion, and an HTTP-layer safety net that patches orphans in the final API request body.
Improvement: Sanitizer telemetry now logs the exact orphaned tool_call_ids and function names, replacing the previous generic message.
1.4.0
Feature: Skills.MD. Lola can now author, store and apply behavioral skills described in plain Markdown with YAML frontmatter. Skills inject specialized instructions into Lola’s reasoning under deterministic conditions (always-on, keyword triggers, or environment conditions) without touching PHP.
Feature: Skills are loaded from four sources with documented precedence (built-in, addon-registered, user filesystem at wp-content/lolacore-skills/, and database). The lolacore_register_skills filter lets addons register their own skill directories.
Feature: Settings → Skills panel. Visualize every loaded skill grouped by origin, toggle each one on or off, view the source markdown, import skills from .md files, and configure advanced parameters (max active, char budget, max per prompt).
Feature: Conversational skill authoring. Ask Lola “create a skill that…” and she generates the markdown, saves it inactive, and asks before activating. Full toolset: addSkill, activateSkill, deactivateSkill, updateSkill, deleteSkill, listSkills.
Architecture: Single-axis state model for skills. Each skill is either active (firing) or inactive (off), managed by one toggle in the admin, one verb in the chat. Runtime diagnostics (no-triggers, incompatible, unmet-dependencies) surface as informational badges, not as states the user manipulates.
Architecture: Two-layer skill cache. Hot transient with filesystem-hash validation and cold snapshot in wp_lolacore_config (capped at 1 MB serialized). Keeps the loader budget under 5 ms on the cache-hit path.
Architecture: Skills system is gated behind a master toggle (Beta) so the entire feature can be disabled with a single switch without uninstalling.
Database: Migration to schema version 0.3.0. Adds the wp_lolacore_skills table and consolidates legacy in-progress states into the unified active/inactive model.
Improvement: SystemPromptBuilder enforces a ground-truth rule (listSkills before answering any state question) that prevents Lola from confabulating phantom skills from stale session summaries.
Improvement: Session summaries now respect the language the user spoke in during the conversation rather than forcing a single locale.
1.3.0
Performance: Memory fact extraction (extractFacts) is now deferred out of the user-facing response path via a non-blocking background request. Reduces perceived response time by ~5–19s on fact-heavy sessions (47% of observed median latency). Compatible with all PHP SAPIs. Uses fastcgi_finish_request() on PHP-FPM (Linux/production) and wp_remote_post(blocking=false) with HMAC authentication on CGI/other environments.
Performance: DeepSeek V4 think-mode is now disabled for the intent classifier call. The classifier task is pure JSON categorization; disabling reasoning reduces classifier latency by ~34% with no accuracy regression.
Fix: Meta-tool query patterns (“¿qué puedes hacer?”, “¿qué funciones tienes?”) were stored with mojibake-encoded characters that never matched real UTF-8 input. Replaced with accent-agnostic character classes (qu[eé], cu[aá]ntas, etc.).
Fix: Holistic and meta-intent detectors now inspect only the current user message, not the conversation history window. Eliminates false positives on subsequent turns when a prior message happened to contain a capability-query phrase.
1.2.0
Feature: Memory Bootstrap. Lola now seeds baseline facts from each active addon on activation and refreshes them every 6 hours via a unified background job. Compatible addons (WooCommerce Pro, WPCode Snippets, Fluent Support) contribute live site-state data so Lola has meaningful context from the very first conversation, with no manual “remember this” prompting required.
Feature: Holistic monitoring queries (“what needs my attention?”, “give me a full site overview”, “morning briefing”) now automatically activate the full tool set across all active domains without requiring a round-trip escalation. Extensible via the lolacore_holistic_monitoring_patterns filter.
Architecture: Added MemoryBootstrapInterface and MemoryBootstrapRunner with an adaptive global budget (24 baseline facts, minimum 2 guaranteed per addon, competitive allocation by importance score). Bootstrap facts are immune to the memory decay engine and capped at 40% of the context window to prevent crowding out conversational memory.
Improvement: Category affinity map expanded with bidirectional links across all Business Bundle domains (WooCommerce Pro, WPCode Snippets, Fluent Support). Cross-addon queries now resolve in a single pass without requiring a follow-up escalation.
Improvement: The semantic intent classifier maximum category cap is now adaptive. It scales from 3 to 5 based on the number of active addon domains, allowing genuine multi-domain queries (e.g., “compare my WooCommerce revenue against open support tickets”) to resolve correctly on complex sites.
Fix: Resolved “insufficient tool messages following tool_calls message” (HTTP 400) errors that could surface after an abandoned write confirmation, leaving the chat session permanently broken until reload. Affected DeepSeek and OpenAI-compatible providers.
Fix: Added a defensive history sanitizer that detects orphan tool_call_ids in stored conversation history and injects synthetic placeholders before each provider request, preserving the assistant/tool pairing contract required by the OpenAI message format.
Fix: Widened executor exception capture from Exception to Throwable so that a TypeError in any Domain Handler still produces a valid tool message instead of orphaning the assistant’s tool_call.
Fix: Provider responses with missing or null tool_call_id are now backfilled with a synthetic UUID, preventing silent round-trip pairing failures.
Fix: Memory extraction job now uses an explicit 30-second transport timeout, eliminating silent extraction failures (cURL error 28) on reasoning-capable providers such as DeepSeek.
Fix: DeepSeek V4 reasoning_content is now re-injected only when the assistant message includes tool_calls, following the V4 spec exactly. Previously re-injected unconditionally, wasting 500–2,000 tokens per conversational turn.
Improvement: DeepSeek V4 models (deepseek-v4-pro, deepseek-v4-flash) now appear first in the model selector. Legacy V3 models (deepseek-chat, deepseek-reasoner, deprecated 2026-07-24) are sorted last.
Improvement: Reduced average token usage per request by ~30–40% through four independent optimizations: system prompt restructuring to maximise prefix cache hits, site scan summary compression (JSON to compact text), adaptive memory budget that scales with message length (10/20/30 facts), and tool schema description compression for always-present tools.
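The tool_call/tool-response pairing repairs described in the 1.4.1 and 1.2.0 entries (dropping undeclared tool messages, injecting placeholders for unanswered calls) can be sketched as one pass over the stored history. This is an added example, not LolaCore's code; the function name, placeholder content and sample history are assumptions.

```php
<?php
// Added illustration, not LolaCore's code. Messages follow the OpenAI chat format.
// The function name and the placeholder content are assumptions.

/**
 * Rebuilds a history so that every assistant tool_call is followed directly by
 * exactly one tool message, in declared order. Returns [messages, log lines].
 */
function sanitize_tool_pairs(array $history): array
{
    // Index every stored tool message by the id it answers (first one wins).
    $replies = [];
    foreach ($history as $msg) {
        if (($msg['role'] ?? '') === 'tool' && isset($msg['tool_call_id'])) {
            $replies[$msg['tool_call_id']] ??= $msg;
        }
    }

    $out = [];
    $log = [];
    foreach ($history as $msg) {
        $role = $msg['role'] ?? '';
        if ($role === 'tool') {
            if (!isset($msg['tool_call_id'])) {
                $log[] = 'dropped tool message without tool_call_id';
            }
            continue; // paired replies are re-emitted after their assistant turn
        }
        $out[] = $msg;
        if ($role !== 'assistant') {
            continue;
        }
        foreach ($msg['tool_calls'] ?? [] as $call) {
            $id = $call['id'];
            $fn = $call['function']['name'] ?? '?';
            if (isset($replies[$id])) {
                $out[] = $replies[$id];
                unset($replies[$id]);
            } else {
                // Unanswered call: keep the pairing contract with a synthetic reply.
                $out[] = ['role' => 'tool', 'tool_call_id' => $id,
                          'content' => '{"status":"no_result_recorded"}'];
                $log[] = "placeholder injected for $id ($fn)";
            }
        }
    }
    // Whatever is left was never declared by any assistant message.
    foreach (array_keys($replies) as $id) {
        $log[] = "dropped orphan tool message $id";
    }
    return [$out, $log];
}

// Constructed history: call_a never got a result, call_b's result was stored out of
// order, and call_zz was never declared by any assistant message.
$history = [
    ['role' => 'user', 'content' => 'Check the site and clean the database'],
    ['role' => 'tool', 'tool_call_id' => 'call_b', 'content' => '{"ok":true}'],
    ['role' => 'assistant', 'content' => null, 'tool_calls' => [
        ['id' => 'call_a', 'type' => 'function',
         'function' => ['name' => 'getSiteStatus', 'arguments' => '{}']],
        ['id' => 'call_b', 'type' => 'function',
         'function' => ['name' => 'optimizeDatabase', 'arguments' => '{}']],
    ]],
    ['role' => 'tool', 'tool_call_id' => 'call_zz', 'content' => '{"ok":true}'],
    ['role' => 'assistant', 'content' => 'Done.'],
];

[$clean, $log] = sanitize_tool_pairs($history);
foreach ($clean as $m) {
    echo $m['role'], ' ', $m['tool_call_id'] ?? '', PHP_EOL;
}
echo implode(PHP_EOL, $log), PHP_EOL;
```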
1.1.3
Architecture: Major overhaul of the Long-Term Memory persistence pipeline to prevent “amnesia” and ensure context retention across sessions.
Architecture: Introduced “Immortal Facts” (is_pinned schema column). Important memory facts can now be pinned, making them permanently immune to the decay relevance engine.
Architecture: Importance-Aware Decay. The memory decay formula now scales mathematically based on fact importance. Critical facts decay 2x slower than trivial observations.
Feature: Proactive Memory Directives. Lola is now instructed at the system-prompt level to automatically save structural decisions, stack choices, and business preferences without waiting to be told “remember this”.
Feature: Contextual Fact Boosting. The retrieval engine now dynamically filters and boosts memory relevance in real-time based on keyword matches with your current chat message.
Feature: Session Summary Persistence. Chat session summaries are now preserved as high-priority memory facts instead of being destructively overwritten by the newest session.
Fix: Multi-Turn Memory Extraction. The background memory extraction job now observes the last 5 conversation turns (instead of just 1), preventing blind spots in extended discussions.
Fix: Model Desync. Memory extraction now actively resolves the selected AI provider/model from settings, fixing a bug where extraction would fail silently on non-default models like DeepSeek.
Fix: Scanner Budgeting. Scanner-generated facts (site_state) are now hard-capped at 35% of the memory window, preventing plugin lists from crowding out actual conversational memory.
Fix: Added robust local PHP diagnostic logging (via error_log) to the memory extraction background job to eliminate silent failures.
Compliance: Replaced hardcoded AJAX endpoint with dynamically localized URL via wp_localize_script.
Compliance: Migrated widget state injection from inline script tag to wp_add_inline_script for WordPress enqueue standards.
Compliance: Updated DOMPurify to 3.4.2 and marked.js to 18.0.3 (latest stable releases).
Compliance: Escaped all dynamic values in exception messages across all Domain Handlers (esc_html).
Compliance: Converted raw DB_NAME concatenation to $wpdb->prepare() in database size query.
Compliance: Fixed translators comment placement for PHPCS MissingTranslatorsComment compliance.
Compliance: Removed development-only files (scratch.php, extractor.php) from plugin root.
1.1.2
Architecture: Complete refactoring of ActionExecutor into 12 modular Domain Handlers (ContentHandler, PluginHandler, UserHandler, SystemHandler, MediaHandler, MetaHandler, TaxonomyHandler, CommentHandler, NavigationHandler, MemoryHandler, WooReadHandler, WooWriteHandler) behind a HandlerRouter with ActionHandlerInterface contract.
Architecture: Introduced HandlerRouter with deterministic dispatch. Each handler declares its owned actions via getSupportedActions(), eliminating the monolithic switch/case in ActionExecutor.
Feature: Added getDiscoveredAbilities tool for Lola to introspect all registered WordPress Abilities at runtime.
Feature: Added manageRoles tool enabling Lola to create, delete, and modify WordPress user roles and capabilities from chat.
Fix: Intent Router reordering. Meta-intent detection (Layer 0.5) now executes before keyword matching (Layer 1), preventing false-positive category captures on meta-queries like “What tools do you have?”.
Fix: Enabled ‘meta’ as a valid category in the semantic classifier (Layer 2), providing a second safety net for meta-queries that bypass Layer 0.5.
Fix: Plugin search (searchPlugins) now handles both object and array response formats from the WordPress.org plugins_api(), resolving empty results on certain PHP/WP versions.
Fix: Chat UI now auto-links plain-text URLs in assistant responses, converting them into clickable links.
Fix: Export download links (.xml, .json, .csv, .zip) now include the HTML download attribute, forcing browser download instead of inline rendering.
Fix: URL autolink regex excludes backtick characters to prevent trailing %60 in generated links.
Improvement: Keyword inference from tool descriptions is now isolated from meta-query routing, reducing false-positive matches in the intent router.
Improvement: Removed legacy direct-method dispatch from ActionExecutor. All 51 actions now route exclusively through Domain Handlers.
Improvement: Addon integration updated. WooCommerce Pro tools route through category affinity system for reliable domain escalation.
Architecture: New LolaCoreI18n namespace with ErrorMessages and StatusMessages classes. Every user-facing string is now centralized and WordPress i18n-ready (__() wrappers for future translation).
Architecture: Backend error sanitization via ErrorMessages::wrapServerError(). Stack traces, PHP class names, and raw exception details are filtered before reaching the frontend.
Improvement: Chat error messages rewritten for cognitive ergonomics. First-person voice, no jargon, actionable next step in every message.
Improvement: Replaced emoji-prefixed error indicators (⚠️) with CSS-driven visual treatment (.lola-error-message class with salmon accent border and tinted background).
Improvement: appendMessage() in chat JS now accepts an isError flag for proper error styling without breaking Markdown rendering or autolink functionality.
Improvement: All hardcoded error strings in Controller.php, Settings.php, and WPAIClientAdapter.php replaced with centralized ErrorMessages / StatusMessages method calls.
1.1.1
Fix: Added full taxonomy assignment support (categories and tags) to createContent and editContent.
Fix: Added featured_image assignment support to createContent and editContent.
Feature: Added uploadMedia tool to allow autonomous sideloading of external images into the Media Library.
1.1.0
UI Redesign: Complete overhaul of the settings panel to match LolaCore’s design system.
Feature: Added ability to manage Lola’s persistent memory directly from the settings panel (Maintenance ops: Scan, Export, Import, Compact).
Feature: Autonomous Tool Escalation added. Lola can now dynamically break out of restricted domains when she determines a tool is needed but restricted.
Improvement: Modularized system prompt generation and unified safety toggles using a SafetyConfig architecture.
Improvement: Integrated addon infrastructure (Door 4 & 5) enabling unified management and license validation for extensions like WPCode.
Improvement: Minor UI updates and padding adjustments for broader screen compatibility.
1.0.2
Fix: Preserved raw HTML/code syntax in user chat messages without stripping tags.
Enhancement: Implemented Markdown rendering in chat UI for rich text, tables, and formatted code blocks (ChatGPT-like experience).
Enhancement: Enqueued marked.js and DOMPurify for secure frontend Markdown parsing.
1.0.1
Added: lolacore_execute_external_action filter for external addon action dispatch.
Added: lolacore_sop_map filter for dynamic SOP injection by addon plugins.
Improvement: LolaCore is now fully extensible for third-party addon plugins.
1.0.0
Initial public release.
51 abilities across 13 domains (27 read + 24 write).
Persistent memory engine with decay-based relevance scoring.
Algorithmic site scanner with 11 data collection modules.