WebMCP Bridge

1.6.0

• JS: migrated browser registration to navigator.modelContext.provideContext() per current WebMCP spec; legacy ai.tools.register() kept as fallback
• JS: corrected tool field from parameters to inputSchema (WebMCP/Anthropic spec)
• Discovery: added service-desc and service-doc Link relations alongside api-catalog and webmcp-manifest
• Discovery: OAuth authorization-server and oauth-protected-resource now served on all sites (not WooCommerce-only) — explains WordPress nonce auth to agents
• Discovery: HTML tags updated to include service-desc and service-doc

1.5.0

• Added WooCommerce commerce agent discovery (active only when WooCommerce is installed):
  • OAuth Authorization Server metadata at /.well-known/oauth-authorization-server (RFC 8414)
  • OAuth Protected Resource metadata at /.well-known/oauth-protected-resource (RFC 9728)
  • Universal Commerce Protocol profile at /.well-known/ucp (ucp.dev)
  • Agentic Commerce Protocol discovery at /.well-known/acp.json (agenticcommerce.dev)
• Added /wp-json/webmcp-bridge/v1/nonce endpoint — agents can fetch a fresh WP REST nonce for authenticated tool calls
• Discovery endpoint now includes commerce URLs when WooCommerce is active

1.4.4

• Added Content-Signal directives to robots.txt (contentsignals.org): ai-train=yes, search=yes, ai-input=yes — filterable via webmcp_bridge_content_signals hook
• Added Vary: Accept header so nginx/CDN caches correctly serve Markdown for Agents requests separately from HTML responses

1.4.3

• Fixed RFC 8288 Link discovery for cached sites: added tags in HTML via wp_head
• Link tags are part of the cached HTML so agents find them even when nginx serves cached pages without running PHP
• HTTP Link headers still added via wp_headers as secondary channel on cache misses

1.4.2

• Fixed RFC 8288 Link headers: switched from send_headers action to wp_headers filter for reliable delivery through nginx/cache layers
• Link headers now added to all pages (not just homepage) so agents can discover the API from any entry point

1.4.1

• Fixed Agent Skills index: added sha256 digest field to each skill entry (required by v0.2.0 spec)

1.4.0

• Added RFC 8288 Link response headers on homepage: advertises manifest, API catalog and MCP Server Card to agents
• Added /.well-known/mcp/server-card.json (SEP-1649): MCP Server Card for agent discovery
• Added /.well-known/api-catalog (RFC 9727): machine-readable API catalog including WebMCP and Mescio endpoints
• Added /.well-known/agent-skills/index.json: Agent Skills discovery index listing all site capabilities
• Added /wp-json/webmcp-bridge/v1/discovery: convenience endpoint listing all discovery URLs
• All well-known endpoints include Mescio for Agents data automatically when plugin is active

1.3.2

• Fixed PHP syntax error in sanitize_markdown() regex (inline event handler pattern)
• All PHP files pass WordPress.org pre-commit syntax check

1.3.1

• Security: sanitize Markdown output in get_markdown_content and get_llms_txt — prevents stored XSS and prompt injection via post content
• Removed admin_email from get_site_info response — not needed by agents, sensitive data
• Removed author display_name from get_post response — exposes internal WordPress usernames
• Added global rate limiting on /execute endpoint (default: 120 calls/60s, configurable in settings)
• Rate limit is global (not per-IP) — effective against proxy rotation attacks; returns HTTP 429

1.3.0

• Removed admin_email from get_site_info — sensitive data not needed by agents
• Removed author field from get_post — avoids exposing internal WordPress usernames
• Added global rate limiting on /execute: configurable max calls per time window in settings
• Rate limit counter uses WP transients; returns HTTP 429 when exceeded
• Rate limit and window now editable from Settings → WebMCP Bridge

1.2.0

• Added Live API Examples section in admin: test every tool directly from the settings page
• curl and JavaScript snippets auto-generated for each tool with real site URL
• Added Mescio for Agents examples (llms.txt, get_markdown_content) when plugin is active
• Admin JS extracted to separate file for better caching and CSP compatibility
• Added full Italian translation (it_IT) — .po, .mo and .pot files included
• Admin UI: tab navigation for examples, live JSON output viewer

1.1.0

• Added integration with Mescio for Agents plugin: when active, unlocks get_markdown_content and get_llms_txt tools
• Manifest now filters tools based on enabled settings — disabled groups no longer appear
• Added site_url and mescio_for_agents fields to manifest response
• Tool groups refactored: core split into content, navigation, forms for finer control
• Improved error handling: registry now catches all Throwable (not just Exception)
• Fixed wp_remote_get in llms-full.txt fetch: proper timeout, user-agent, SSL filter
• Fixed: tools disabled in settings were still executable via REST — now correctly blocked

1.0.1

• Added automatic compatibility with Autoptimize, WP Rocket, LiteSpeed Cache, W3 Total Cache, SG Optimizer
• Fixed duplicate textdomain and deactivation hooks
• Added ABSPATH protection to all PHP files
• Fixed output escaping in exception messages

1.0.0

• Initial release
• Core tools: search_posts, get_post, get_menu, get_categories, get_site_info, submit_contact_form
• WooCommerce tools: product search, cart management, coupon, checkout fields
• REST API manifest and execution endpoints
• JavaScript frontend bridge with WebMCP browser API support and fallback
• Admin settings page