AICOM – AI Commander

AI Agent → AICOM Endpoint → WordPress

read.wp, `write.wp.posts`, `manage.taxonomies`, `manage.meta`, `manage.wordpress.settings`, `manage.media`, `manage.users`, `manage.plugins`, `manage.woocommerce.products`, `manage.woocommerce.settings`, `manage.elementor`, `manage.polylang`

Authorization: Bearer aicom_XXXXXXXX_<secret>

X-API-Key: aicom_XXXXXXXX_<secret>

{"jsonrpc":"2.0","method":"tools/call","params":{"name":"wp.posts.list","arguments":{"post_type":"post","posts_per_page":10}},"id":1}

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Changelog

3.1.0

• New: Working Hours Schedule — automatically apply Soft or Hard Lock outside configured working hours and days.
• The manual lock always takes precedence; the schedule only adds additional restrictions.

3.0.0

• New: Resource Boundaries UI — configure post type, taxonomy, meta key, WP option, file path, and language restrictions per API key directly from the edit/create form.
• New: Preset Rename — rename any custom preset in-place via a prompt dialog.
• New: Preset Duplicate — clone any custom preset; the copy appears instantly in the preset grid.

2.9.2

• Fix: Toolbar lock buttons (Unlock / Soft Lock / Hard Lock) now work on frontend pages, not only in wp-admin.

2.9.1

• Improvement: Session description now shown inside the expanded session card in Audit Logs (hidden when collapsed).
• Improvement: tools/list response now includes an instructions field telling the agent whether a session is active, and prompting it to call session.open with both name and description before making changes.
• Improvement: session.open tool description updated to explicitly request a meaningful name and description from the agent.

2.9.0

• New: Backups page redesigned into 3 tabs — Dashboard (total count, storage used, activity by period, auto-cleanup status), Cleanup Settings, and Backup Snapshots.
• New: Backup Snapshots table now shows Class badge (colour-coded by tool class) and Session column with a direct link to the corresponding session in Audit Logs, including scroll-to + highlight on arrival.
• New: Toolbar lock controls — Unlock / Soft Lock / Hard Lock buttons in the AICOM Keys dropdown; toolbar badge turns red on Hard Lock and amber on Soft Lock.
• New: Stacked bar chart in Audit Logs Sessions tab — each bar segment is colour-coded by tool class (read/write/destructive/admin_sensitive); legend shown below graph.
• New: Clicking a graph bar navigates to that day’s sessions via server-side filtering (log_date).
• New: Class column added to session log tables in Audit Logs.
• New: Session filter added to Audit Logs Filters tab.
• Improvement: Cleanup Settings form redesigned — each field on its own row with description on the right; fields separated by dividers.
• Improvement: Tab navigation on Backups and Audit Logs pages now uses consistent aicom-tab-bar / aicom-tab-btn styles matching API Keys page.
• Fix: Graph bars no longer show tool classes from orphaned logs (sessions that were deleted); uses INNER JOIN to exclude them.
• Fix: DB v4.4 — added tool_class column to wp_aicom_logs with backfill migration.

2.8.0

• New: Named sessions — agents must call session.open(name: “…”) before making any changes; all write operations blocked until a session is opened; sessions auto-close after 2h of inactivity.
• New: Session restore — Audit Logs → Sessions tab shows all sessions with a 30-day activity graph; click Restore to undo all backups from a session in reverse chronological order.
• New: Backup cleanup — set a max age (days) and/or max size (MB) for automatic backup pruning; runs daily via cron.
• Improvement: Audit Logs split into Logs / Sessions / Filters tabs for easier navigation.
• Fix: session_id now correctly populated in backup rows.

2.7.0

• New: API Key Lifecycle — optional expiry date (TTL) on any key; keys expire automatically via hourly cron; expired/archived status badges in the key table.
• New: Archive/Unarchive — hide inactive keys from the main list without deleting them; restore with one click (unarchived keys come back as suspended).
• New: Edit scopes — repurpose an existing key without revoking it; update scopes, IP allowlist, dry-run flag, and expiry date from a dedicated edit view.
• New: Rotate secret inside the edit form — optionally generate a fresh API key string as part of a scope-edit, with live diff preview of permission changes.
• New: Scope diff preview — while editing, the UI shows which scopes were added (+) and removed (−) compared to the original key, in real time.
• New: Full i18n — all admin strings wrapped for translation; POT template generated at languages/aicom.pot.

2.6.0

• New: Save custom presets — name and save any scope selection as a reusable preset that appears alongside the system presets. Custom presets are stored in the database and can be deleted with one click.

2.5.0

• New: Preset picker for key creation — 6 system presets (Read-only, Content Assistant, Elementor Editor, WooCommerce Catalog, Site Maintenance, Full Admin) plus Custom mode to auto-select common scope bundles with one click.
• New: Scope tree UI — scopes now grouped into 5 categories (WordPress Core, Media & Files, Users & Roles, Site Configuration, Integrations) with LOW/MED/HIGH/CRITICAL risk labels on every scope.
• New: Live search filter for scopes in the key creation form.
• New: Collapsible scope groups — click a group header to expand/collapse.

2.4.0

• New: AICOM Keys menu in the WordPress admin bar — lists all active and suspended API keys with one-click suspend/unsuspend via AJAX (no page reload). Shows a green badge with the count of active keys. Last item links to the full API Keys management page. Works in both wp-admin and frontend toolbar.

2.3.0

• New: elementor.page.create_from_template — create a new page by cloning Elementor data from a source page or template. Copies _elementor_data, _elementor_edit_mode, and _wp_page_template in one call. Supports dry_run and returns preview URL + admin edit URL.
• New: wp.posts.preview_url — get a preview URL for any post or page. Returns get_preview_post_link() for drafts/private, get_permalink() for published. Also includes admin_edit_url.

2.2.0

• New: Clautron module — 11 tools for blueprint and capability management (catalog.list/install, primitives.list, blueprint.examples/list/validate/create/compile/smoke_test, capability.meta.get/set). Requires Clautron plugin.
• New: Yoast SEO module — 9 tools for reading and writing Yoast SEO meta (yoast.post.get/set, yoast.post.social.get/set, yoast.posts.bulk_get for audits, yoast.term.get/set, yoast.site.get). Supports free and premium. Requires Yoast SEO plugin.

2.1.1

• Fix: wp.posts.create now accepts post_name (URL slug) and post_excerpt directly — no more 2-step create+update workaround.
• Fix: wp.posts.update now applies post_name and post_author — previously these were silently ignored despite returning updated:true.
• Fix: wp.posts.create defaults post_author to the user associated with the API key — prevents author=0 on REST-context requests.
• Fix: wp.posts.get now includes a terms map in the response, grouped by taxonomy (category, post_tag, custom taxonomies).
• New: wp.meta.set_many — set multiple post meta keys in one call. Accepts a meta object of key→value pairs; allowlist enforced per key.

2.1.0

• New: Ele Custom Skin (ECS) module — 26 tools for reading and writing ECS Color Schemes, Font Schemes, Custom Looks, Custom CSS, Alt Logos, and Dynamic Repeater Builder (DRB) presets and bindings. Works with both ele-custom-skin (free) and ele-custom-skin-pro. Activate a color scheme site-wide in one call via ecs.color_schemes.activate_global.

2.0.11

• Fix: wp.posts.update and wp.posts.create now support post_date parameter — previously the parameter was silently ignored and the tool returned success without changing the date. Accepts YYYY-MM-DD HH:MM:SS or ISO 8601; invalid format returns a clear error.
• Fix: wp.posts.update now also exposes post_excerpt in its input schema (was handled in code but not documented).

2.0.10

• Fix: replaced match() expression with if/elseif for PHP 7.4 compatibility — caused parse error on API Keys page for sites running PHP < 8.0

2.0.9

• New: Suspend/Unsuspend for API keys — temporarily block a key without revoking it. Suspended keys return 401 automatically (auth query filters status = active). Active keys show Suspend button; suspended keys show Unsuspend + Revoke.

2.0.8

• New: wp.plugins.list — list all installed plugins with version, update availability, and status. Optional force_refresh=true for a live check against wordpress.org.
• New: wp.plugins.update_all — update all plugins with available updates in one call (dry_run and include[] filter supported). Uses WordPress’s native Plugin_Upgrader + Automatic_Upgrader_Skin, identical to background auto-updates.
• New scope: manage.plugins — dedicated scope for plugin management tools, separate from manage.wordpress.settings.

2.0.7

• New: elementor.template.set_conditions — dedicated tool that writes _elementor_conditions meta AND rebuilds the global elementor_pro_theme_builder_conditions option, then flushes the conditions cache. Uses Elementor Pro Conditions_Manager API when available, falls back to a manual option rebuild. Fixes Theme Builder templates not attaching to pages when conditions were set via wp.meta.set + wp.options.set.

2.0.6

• Fix: wp.meta.set now applies wp_slash() on string values before passing to update_post_meta() — prevents backslash stripping that broke Elementor JSON stored in post meta

2.0.5

• Fix: pll.string.set no longer calls PLL()->model->get_language() which is null in REST API context — replaced with direct pll_languages_list() lookup

2.0.4

• Fix: pll.strings.list, pll.string.get, pll.string.set no longer depend on pll_get_strings() (Polylang Pro only) — now works on Polylang free via direct PLL_MO access
• WordPress core strings (blogname, blogdescription, date_format, time_format) can be set per-language using wp_option parameter without Polylang Pro

2.0.3

• New: pll.strings.list — list all registered Polylang strings with current translations per language
• New: pll.string.get — get a specific string and all its translations
• New: pll.string.set — set the translation of a registered string for a specific language (supports dry-run)

2.0.2

• Fix: wp.menus.delete and wp.menus.items.remove now document confirm=true in their input schema — agents can now discover this requirement via tools/list
• Fix: wp.menus.items.add no longer requires url for custom type items — WordPress supports label-only menu items with an empty URL

2.0.1

• Fix: pll.post.link_translation and pll.term.link_translation now preserve existing translation group members when adding a new language — previously a third language (e.g. UK) was dropped when linking two posts
• Changed: link_translation tools now accept a translations map {“lang”: id} instead of pairs, supporting any number of languages in a single call

2.0.0

• Complete rewrite with modular, autoloaded architecture
• 87 tools across 7 modules: WP Core, Media, Users, Backup, WooCommerce, Elementor, Polylang
• Full MCP JSON-RPC 2.0 support — tools/call and tools/list methods
• Shorthand request format also supported for simpler integrations
• Scope-based access control per API key — 12 granular scopes
• Hard lock / soft lock / unlocked safety modes switchable from admin
• Full audit logging: timestamp, IP, key label, tool, params, result, duration
• Dry-run mode — validate and simulate without applying changes
• Confirm flag required for all destructive operations
• IP allowlist per API key
• Backup and restore for posts and terms stored in database
• WooCommerce, Elementor, Polylang modules auto-activate when plugins present
• Fallback endpoint /?aicom=1 for servers without mod_rewrite
• bcrypt-hashed API keys with prefix-based fast lookup
• Admin UI: Dashboard, API Keys, Audit Logs, Safety, Modules, Backups pages