plugins/woocommerce/composer.json (2)

35-39: Pin MCP Adapter source for reproducible builds.

Using a VCS repo + dev branch is fine for a draft, but please pin to a tag or commit before merge to ensure repeatable builds and avoid surprise breakages when the trunk moves.

---

56-58: Avoid requiring dev-trunk in core.

wordpress/mcp-adapter: dev-trunk will float. Prefer a tagged release or a specific commit reference (and update when cutting a WC release). Also confirm wordpress/abilities-api range is correct against production sites.

plugins/woocommerce/src/Internal/MCP/ApiKeyManager.php (1)

29-37: Avoid implicit key generation on read.

get_api_key() creates a key when missing; this is invoked from the feature description, which can generate a secret merely by viewing the page. Split into ensure_api_key() (explicit generation) and get_api_key() (read-only), or gate generation behind an explicit admin action.

plugins/woocommerce/includes/class-woocommerce.php (1)

358-360: Gate MCP services behind the feature flag to avoid unnecessary boot.

Avoid instantiating MCP services unless the feature is enabled.

Apply this diff:

-		$container->get( AbilitiesRegistry::class );
-		$container->get( MCPAdapterProvider::class );
+		if ( wc_get_container()->get( FeaturesController::class )->feature_is_enabled( 'mcp_integration' ) ) {
+			$container->get( AbilitiesRegistry::class );
+			$container->get( MCPAdapterProvider::class );
+		}

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (1)

10-14: Remove unused import.

use WP_Error; is unused when instantiating errors with \WP_Error. Either drop the import or use the imported symbol consistently.

plugins/woocommerce/src/Internal/Abilities/AbilitiesRegistry.php (2)

30-37: Consider gating ability initialization behind the feature flag.

If MCP is disabled, you may not want to register MCP-facing abilities at all. Optional, depending on intended reuse outside MCP.

---

44-63: Naming consistency.

Method mixes camelCase with snake_case methods in the same class. Prefer get_ability_ids() and keep getAbilitiesIDs() as a deprecated alias for BC.

-	public function getAbilitiesIDs(): array {
+	/** @deprecated Use get_ability_ids(). */
+	public function getAbilitiesIDs(): array {
+		return $this->get_ability_ids();
+	}
+
+	public function get_ability_ids(): array {
 		...
 	}

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (5)

35-37: Hook timing comment doesn’t match the hook; prefer plugins_loaded.

Use plugins_loaded to ensure dependencies are loaded before checking the adapter class.

-		// Hook into WordPress plugins loaded to ensure proper timing
-		add_action( 'init', array( $this, 'maybe_initialize' ) );
+		// Initialize after all plugins are loaded to ensure proper timing.
+		add_action( 'plugins_loaded', array( $this, 'maybe_initialize' ) );

---

89-101: Make server configuration overridable.

Expose a filter so site owners can adjust namespace/route if needed.

-		// Create MCP server
-		try {
-			$adapter->create_server(
-				'woocommerce-mcp',
-				'woocommerce',
-				'mcp',
-				__( 'WooCommerce MCP Server', 'woocommerce' ),
-				__( 'AI-accessible WooCommerce operations via MCP', 'woocommerce' ),
-				'1.0.0',
-				array( WooCommerceRestTransport::class ),
-				\WP\MCP\Infrastructure\ErrorHandling\ErrorLogMcpErrorHandler::class,
-				\WP\MCP\Infrastructure\Observability\NullMcpObservabilityHandler::class,
-				$abilities_ids,
-			);
+		$args = apply_filters(
+			'woocommerce_mcp_server_args',
+			array(
+				'id'            => 'woocommerce-mcp',
+				'namespace'     => 'woocommerce',
+				'route'         => 'mcp',
+				'name'          => __( 'WooCommerce MCP Server', 'woocommerce' ),
+				'description'   => __( 'AI-accessible WooCommerce operations via MCP', 'woocommerce' ),
+				'version'       => '1.0.0',
+				'transports'    => array( WooCommerceRestTransport::class ),
+				'error_handler' => \WP\MCP\Infrastructure\ErrorHandling\ErrorLogMcpErrorHandler::class,
+				'observability' => \WP\MCP\Infrastructure\Observability\NullMcpObservabilityHandler::class,
+				'abilities'     => $abilities_ids,
+			)
+		);
+		try {
+			$adapter->create_server(
+				$args['id'],
+				$args['namespace'],
+				$args['route'],
+				$args['name'],
+				$args['description'],
+				$args['version'],
+				$args['transports'],
+				$args['error_handler'],
+				$args['observability'],
+				$args['abilities']
+			);

---

61-69: Re-initialization safety when adapter loads late.

If the adapter class isn’t available at this point, there’s no retry. Optionally add a late hook (e.g., rest_api_init) to re-attempt initialization.

---

76-77: Param type documentation.

Add a docblock @param \WP\MCP\Core\McpAdapter $adapter for clarity since the method is public and untyped.

---

1-112: Security follow-up: avoid admin-context execution in transport.

Given WooCommerceRestTransport currently elevates to the first admin user after API-key validation (see Transport/WooCommerceRestTransport.php lines 22–89), prioritize implementing per-key user association and least-privilege execution before enabling this by default.

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

plugins/woocommerce/src/Internal/Abilities/AbilitiesRegistry.php (1)

38-62: Do not auto-expose every woocommerce/* ability to MCP. Use an allowlist + filter.

This recreates the previously flagged security issue: any extension can register a woocommerce/* ability and it becomes MCP‑exposed (executed under admin context via the transport). Ship with a minimal core allowlist and a filter for opt‑in.

Apply:

 	/**
 	 * Get WooCommerce ability IDs from the WordPress Abilities API.
 	 *
 	 * @return array Array of WooCommerce ability IDs.
 	 */
 	public function getAbilitiesIDs(): array {
-		// Check if the abilities API is available
-		if ( ! function_exists( 'wp_get_abilities' ) ) {
-			return array();
-		}
-
-		// Get all registered abilities
-		$all_abilities = wp_get_abilities();
-		
-		// Filter for WooCommerce-specific abilities
-		$woocommerce_abilities = array();
-		foreach ( array_keys( $all_abilities ) as $ability_id ) {
-			// Check if ability ID starts with 'woocommerce/'
-			if ( strpos( $ability_id, 'woocommerce/' ) === 0 ) {
-				$woocommerce_abilities[] = $ability_id;
-			}
-		}
-
-		return $woocommerce_abilities;
+		$all_ids = array();
+		if ( function_exists( 'wp_get_abilities' ) ) {
+			$all = wp_get_abilities();
+			$all_ids = is_array( $all ) ? array_keys( $all ) : array();
+		}
+		// Core allowlist (safe by default).
+		$default = array(
+			'woocommerce/store-info',
+		);
+		$allowed = array_values( array_intersect( $default, $all_ids ) );
+		/**
+		 * Filter the list of Woo abilities exposed to MCP.
+		 *
+		 * Extensions must explicitly opt in; no wildcard prefixing.
+		 *
+		 * @param string[] $allowed Allowlisted and registered ability IDs.
+		 * @param string[] $all_ids All registered ability IDs.
+		 */
+		return apply_filters( 'woocommerce_mcp_ability_ids', $allowed, $all_ids );
 	}

plugins/woocommerce/src/Internal/Abilities/REST/RestAbility.php (1)

33-36: Silence the unused parameter warning.

Use the variable to appease linters.

Apply:

-	protected function validate_output( $output ) {
+	protected function validate_output( $output ) {
+		// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
+		$output = $output;

(If you adopt the previous diff, this nit is covered.)

plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php (1)

99-111: Hook exists but consider early-return if Abilities API is missing.

Minor: add a function_exists guard to avoid scheduling a no-op action in older WP environments.

Apply:

 	public static function init(): void {
-		// Register abilities when Abilities API is ready
-		add_action( 'abilities_api_init', array( __CLASS__, 'register_abilities' ) );
+		if ( function_exists( 'wp_register_ability' ) ) {
+			add_action( 'abilities_api_init', array( __CLASS__, 'register_abilities' ) );
+		}
 	}

plugins/woocommerce/src/Internal/Abilities/AbilitiesRegistry.php (1)

30-36: Init only when Abilities API exists.

Small guard to avoid touching classes/hooks on older WP.

Apply:

 	private function init_abilities(): void {
-		// Initialize store info ability
-		StoreInfoAbility::init();
-
-		// Initialize REST bridge for REST endpoint abilities
-		AbilitiesRestBridge::init();
+		if ( function_exists( 'wp_register_ability' ) ) {
+			StoreInfoAbility::init();
+			AbilitiesRestBridge::init();
+		}
 	}

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (2)

146-177: Input schema isn’t proper JSON Schema; avoid passing WP REST arg arrays verbatim.

get_collection_params()/get_endpoint_args_for_item_schema() include callbacks and WP-specific keys. Either convert to JSON Schema or relax input validation for these abilities.

Option A (convert minimal fields): keep types/required/default and drop callbacks.
Option B (pragmatic): mark input schema as generic and rely on REST validation:

-					return array(
-						'type'       => 'object',
-						'properties' => $controller->get_collection_params(),
-					);
+					return array( 'type' => 'object' );

Same for create/update.

---

25-37: Guard against missing Abilities API.

Early-return if wp_register_ability is absent; you’ve done it inside, but avoid instantiating controllers unnecessarily.

Apply:

 	public static function register_controller_abilities( array $config ): void {
+		if ( ! function_exists( 'wp_register_ability' ) ) {
+			return;
+		}
 		$controller_class = $config['controller'];

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

plugins/woocommerce/src/Internal/Abilities/StoreInfoAbility.php (1)

101-108: Avoid loading all orders into memory; use wc_orders_count() (cached, HPOS-safe).

wc_get_orders with limit -1 is unbounded and can OOM on large stores.

-			// Orders using wc_get_orders for accurate counting
-			$completed_orders = wc_get_orders( array(
-				'status' => 'completed',
-				'limit'  => -1,
-				'return' => 'ids',
-			) );
-			$completed_count = count( $completed_orders );
+			// Orders: use cached counter
+			$completed_count = (int) wc_orders_count( 'completed' );

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (2)

113-116: Good: user context now matches the API key owner (no blanket admin).

This addresses the prior “impersonate first admin” risk noted in earlier reviews. Nice improvement.

---

24-32: Require a WP_REST_Request; avoid nullable parameter here.

validate_request() unconditionally expects a WP_REST_Request, but check_permission() accepts null. Passing null would fatal when calling $request->get_header(...). Align the signature and drop the default null. If the parent method is already typed, mirror it.

Apply this diff (verify compatibility with the parent RestTransport before merging):

-	public function check_permission( $request = null ) {
+	public function check_permission( \WP_REST_Request $request ) {
 		return $this->validate_request( $request );
 	}

If the parent is untyped, keep it untyped but still remove the nullable default:

-	public function check_permission( $request = null ) {
+	public function check_permission( $request ) {
 		return $this->validate_request( $request );
 	}

plugins/woocommerce/src/Internal/Abilities/StoreInfoAbility.php (6)

41-51: Localize property description in input schema.

Wrap the description with translation helpers.

-						'include_stats' => array(
-							'type'        => 'boolean',
-							'description' => 'Whether to include basic store statistics (product count, order count, etc.)',
-							'default'     => false,
-						),
+						'include_stats' => array(
+							'type'        => 'boolean',
+							'description' => __( 'Whether to include basic store statistics (product count, order count, etc.)', 'woocommerce' ),
+							'default'     => false,
+						),

---

86-94: Use home_url() for the public-facing store URL.

site_url() can point to wp-admin or a subdirectory; home_url() reflects the storefront address.

-			'store_url'           => get_site_url(),
+			'store_url'           => home_url(),

---

109-113: Clarify whether order_count is “total orders” or “completed orders only”.

If “total,” sum all wc-* statuses via wc_orders_count; if “completed,” rename the field or document it in schema.

Option (total orders + breakdown):

-			$order_count = $completed_count;
+			$statuses     = function_exists( 'wc_get_order_statuses' ) ? array_keys( wc_get_order_statuses() ) : array();
+			$total_orders = 0;
+			$order_breakdown = array( 'completed' => $completed_count );
+			foreach ( $statuses as $st ) {
+				// wc_orders_count accepts slugs without 'wc-' prefix.
+				$slug          = preg_replace( '/^wc-/', '', $st );
+				$count         = (int) wc_orders_count( $slug );
+				$total_orders += $count;
+				if ( ! isset( $order_breakdown[ $slug ] ) ) {
+					$order_breakdown[ $slug ] = $count;
+				}
+			}
+			$order_count = $total_orders;

And in schema (if following this path), list known keys or keep it generic as an object. See earlier schema diff.

Also applies to: 62-70

---

96-124: Type-safety and defaults for input.

Normalize include_stats to bool to avoid truthy surprises from non-bool inputs.

-		if ( ! empty( $input['include_stats'] ) ) {
+		$include_stats = ! empty( $input['include_stats'] ) && (bool) $input['include_stats'];
+		if ( $include_stats ) {

---

79-87: Ask for tests covering permission and stats toggles.

Please add unit/E2E tests for:

• permission gate behavior,
• include_stats true/false,
• order counting on HPOS and posts table stores,
• inclusion gating for admin_email (if adopted).

I can draft PHPUnit tests for the ability execution and schema conformance if helpful.

Also applies to: 126-137

---

101-113: Optional: small performance tidy-up.

product_count uses wp_count_posts()->publish which is fine; consider caching the result for the request (transient not needed) if used multiple times. Not blocking.

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (4)

44-58: Localize and harden error messages; don’t leak header format details.

User‑visible strings should be translatable. Also avoid revealing exact header format in errors.

Apply this diff:

-			return new \WP_Error(
-				'missing_api_key',
-				'X-MCP-API-Key header required. Format: consumer_key:consumer_secret',
-				array( 'status' => 401 )
-			);
+			return new \WP_Error(
+				'missing_api_key',
+				__( 'API key required in the X-MCP-API-Key header.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
 		}
 
 		if ( strpos( $api_key, ':' ) === false ) {
-			return new \WP_Error(
-				'invalid_api_key',
-				'X-MCP-API-Key must be in format consumer_key:consumer_secret',
-				array( 'status' => 401 )
-			);
+			return new \WP_Error(
+				'invalid_api_key',
+				__( 'Malformed API key.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
 		}

---

45-49: Avoid credential enumeration in responses.

Returning distinct messages/codes for “invalid consumer key” vs “invalid consumer secret” enables enumeration. Prefer a single invalid_credentials code/message for both failure paths.

Apply this simplified diff if you agree:

-				'invalid_consumer_key',
-				__( 'Invalid credentials.', 'woocommerce' ),
+				'invalid_credentials',
+				__( 'Invalid credentials.', 'woocommerce' ),
@@
-				'invalid_consumer_secret',
-				__( 'Invalid credentials.', 'woocommerce' ),
+				'invalid_credentials',
+				__( 'Invalid credentials.', 'woocommerce' ),

Also applies to: 54-57, 98-101, 107-110

---

10-13: Unused imports.

use WP_REST_Request; and use WP_Error; aren’t used (you reference FQCNs). Either use the imports or drop them.

---

40-70: Tests needed for auth paths and headers.

Please add unit/integration tests covering:

• Missing header → 401.
• Malformed header → 401.
• Valid key/secret → sets current user to the key owner.
• Invalid key and invalid secret → 401 with the same error when enumeration mitigation is applied.
• Permission mismatch → 403.
• HTTPS enforcement toggle via woocommerce_mcp_allow_insecure_transport.

I can scaffold WP_UnitTestCase tests for these cases if helpful.

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (2)

39-39: Avoid front‑end initialization; defer to REST or guard with REST_REQUEST.

Running on init adds overhead on non‑REST requests. Prefer rest_api_init or guard in maybe_initialize.

-		add_action( 'init', array( $this, 'maybe_initialize' ) );
+		add_action( 'init', array( $this, 'maybe_initialize' ) );

 	public function maybe_initialize(): void {
 		// Check if MCP integration feature is enabled
 		if ( ! FeaturesUtil::feature_is_enabled( 'mcp_integration' ) ) {
 			return;
 		}
+		// Only proceed for REST requests to avoid front-end overhead.
+		if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
+			return;
+		}

Alternatively, move the hook to rest_api_init:

-		add_action( 'init', array( $this, 'maybe_initialize' ) );
+		add_action( 'rest_api_init', array( $this, 'maybe_initialize' ) );

Please confirm timing with the MCP adapter’s mcp_adapter_init firing order.

Also applies to: 45-59

---

87-115: Harden server initialization: type‑check adapter and localize metadata.

Guard against unexpected $adapter and localize server name/description.

 	public function initialize_mcp_server( $adapter ): void {
 		// Get abilities from the registry
 		$abilities_registry = wc_get_container()->get( AbilitiesRegistry::class );
 		$abilities_ids = $abilities_registry->getAbilitiesIDs();

 		// Bail if no abilities are available
 		if ( empty( $abilities_ids ) ) {
 			return;
 		}
+		// Ensure adapter has the expected API.
+		if ( ! is_object( $adapter ) || ! method_exists( $adapter, 'create_server' ) ) {
+			return;
+		}

 		// Temporarily disable MCP validation during server creation
 		// Workaround for validator bug with union types (e.g., ["integer", "null"])
 		// TODO: Remove once mcp-adapter validator bug is fixed
 		add_filter( 'mcp_validation_enabled', '__return_false', 999 );

 		try {
 			// Create MCP server
 			$adapter->create_server(
 				'woocommerce-mcp',
 				'woocommerce',
 				'mcp',
-				'WooCommerce MCP Server',
-				'AI-accessible WooCommerce operations via MCP',
+				__( 'WooCommerce MCP Server', 'woocommerce' ),
+				__( 'AI-accessible WooCommerce operations via MCP', 'woocommerce' ),
 				'1.0.0',
 				array( WooCommerceRestTransport::class ),
 				\WP\MCP\Infrastructure\ErrorHandling\ErrorLogMcpErrorHandler::class,
 				\WP\MCP\Infrastructure\Observability\NullMcpObservabilityHandler::class,
 				$abilities_ids,
 			);

plugins/woocommerce/src/Internal/Abilities/StoreInfoAbility.php (2)

44-53: Do not expose admin_email by default; gate behind explicit flag and stronger cap.

PII leakage risk. Add an input flag and require manage_options (or manage_woocommerce) before returning admin_email. Also localize the new description.

 				'input_schema'      => array(
 					'type'       => 'object',
 					'properties' => array(
 						'include_stats' => array(
 							'type'        => 'boolean',
-							'description' => 'Whether to include basic store statistics (product count, order count, etc.)',
+							'description' => __( 'Whether to include basic store statistics (product count, order count, etc.)', 'woocommerce' ),
 							'default'     => false,
 						),
+						'include_sensitive' => array(
+							'type'        => 'boolean',
+							'description' => __( 'Include sensitive fields (e.g., admin_email). Requires manage_options.', 'woocommerce' ),
+							'default'     => false,
+						),
 					),
 				),

 		$result = array(
 			'store_name'          => get_bloginfo( 'name' ),
-			'store_url'           => get_site_url(),
-			'admin_email'         => get_bloginfo( 'admin_email' ),
+			'store_url'           => get_site_url(),
 			'woocommerce_version' => WC()->version,
 			'wordpress_version'   => get_bloginfo( 'version' ),
 			'currency'            => get_woocommerce_currency(),
 			'country'             => WC()->countries->get_base_country(),
 		);
+
+		// Optionally include PII if explicitly requested and caller has elevated caps.
+		if ( ! empty( $input['include_sensitive'] ) && current_user_can( 'manage_options' ) ) {
+			$result['admin_email'] = (string) get_bloginfo( 'admin_email' );
+		}

Also applies to: 59-59, 88-96

---

64-71: Schema/result mismatch: stats.order_breakdown is returned but not declared.

Declare order_breakdown in the output schema to avoid validation/runtime mismatches. Keys match the returned breakdown.

 						'stats'               => array(
 							'type'       => 'object',
 							'properties' => array(
 								'product_count'  => array( 'type' => 'integer' ),
 								'order_count'    => array( 'type' => 'integer' ),
 								'customer_count' => array( 'type' => 'integer' ),
+								'order_breakdown' => array(
+									'type'       => 'object',
+									'properties' => array(
+										'completed'  => array( 'type' => 'integer' ),
+										'processing' => array( 'type' => 'integer' ),
+										'pending'    => array( 'type' => 'integer' ),
+										'on-hold'    => array( 'type' => 'integer' ),
+										'cancelled'  => array( 'type' => 'integer' ),
+										'refunded'   => array( 'type' => 'integer' ),
+										'failed'     => array( 'type' => 'integer' ),
+									),
+								),
 							),
 						),

Also applies to: 112-121, 128-133

plugins/woocommerce/src/Internal/Abilities/StoreInfoAbility.php (4)

49-51: Localize schema description strings.

Wrap the input_schema description in translation functions for i18n.

-							'description' => 'Whether to include basic store statistics (product count, order count, etc.)',
+							'description' => __( 'Whether to include basic store statistics (product count, order count, etc.)', 'woocommerce' ),

---

103-123: Future‑proof order_count by summing all current wc- statuses.*

If new statuses are added (extensions), they won’t be reflected. Sum over wc_get_order_statuses for order_count while retaining the explicit breakdown you already return.

-			$order_count = $completed_count + $processing_count + $pending_count + $on_hold_count + $cancelled_count + $refunded_count + $failed_count;
+			$order_count = 0;
+			if ( function_exists( 'wc_get_order_statuses' ) ) {
+				foreach ( array_keys( wc_get_order_statuses() ) as $status ) {
+					$order_count += (int) wc_orders_count( $status );
+				}
+			} else {
+				$order_count = $completed_count + $processing_count + $pending_count + $on_hold_count + $cancelled_count + $refunded_count + $failed_count;
+			}

---

90-90: Consider home_url() for public-facing store URL.

home_url() better represents the storefront URL when WordPress and site URLs differ.

-			'store_url'           => get_site_url(),
+			'store_url'           => home_url(),

---

75-77: Add tests to cover schema shape, PII gating, and permission checks.

Please add unit/E2E tests ensuring:

• order_breakdown schema matches returned keys
• admin_email only returns when include_sensitive=true and user has manage_options
• permission_callback enforces access

I can scaffold tests for Abilities API execution and permission gating if helpful.

Also applies to: 144-147

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (2)

60-66: Enforce permissions in ability permission_callback (don’t return true).

Gate at the ability level; map to REST permissions and pass route for context.

-					'execute_callback'    => function( $input ) use ( $controller, $ability_config, $route ) {
-						return self::execute_operation( $controller, $ability_config['operation'], $input, $route );
-					},
-					'permission_callback' => function( $input ) use ( $controller, $ability_config ) {
-						return self::check_permission( $controller, $ability_config['operation'], $input );
-					},
+					'execute_callback'    => function( $input ) use ( $ability_config, $route ) {
+						return self::execute_operation( $ability_config['operation'], $input, $route );
+					},
+					'permission_callback' => function( $input ) use ( $controller, $ability_config, $route ) {
+						return self::check_permission( $controller, $ability_config['operation'], $input, $route );
+					},

---

240-244: Implement real permission checks (map to controller permission methods; fallback to REST probe).

Return boolean or WP_Error.

-	private static function check_permission( $controller, string $operation, array $input ): bool {
-		// We return true here and let the controller handle permissions
-		// The REST controller will check permissions when its methods are called
-		return true;
-	}
+	private static function check_permission( $controller, string $operation, array $input, string $route ) {
+		$perm_map = array(
+			'list'   => 'get_items_permissions_check',
+			'get'    => 'get_item_permissions_check',
+			'create' => 'create_item_permissions_check',
+			'update' => 'update_item_permissions_check',
+			'delete' => 'delete_item_permissions_check',
+		);
+		$method_map = array(
+			'list'   => 'GET',
+			'get'    => 'GET',
+			'create' => 'POST',
+			'update' => 'PUT',
+			'delete' => 'DELETE',
+		);
+		$req_method   = $method_map[ $operation ] ?? 'GET';
+		$request_route = rtrim( $route, '/' );
+		if ( isset( $input['id'] ) && in_array( $operation, array( 'get', 'update', 'delete' ), true ) ) {
+			$request_route .= '/' . absint( $input['id'] );
+		}
+		// Prefer controller permission method if present.
+		$perm_fn = $perm_map[ $operation ] ?? null;
+		if ( $perm_fn && method_exists( $controller, $perm_fn ) ) {
+			$request = new \WP_REST_Request( $req_method, $request_route );
+			if ( isset( $input['id'] ) ) {
+				$request->set_param( 'id', absint( $input['id'] ) );
+			}
+			$allowed = $controller->{$perm_fn}( $request );
+			if ( true === $allowed ) {
+				return true;
+			}
+			if ( is_wp_error( $allowed ) ) {
+				return $allowed;
+			}
+			return new \WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to perform this action.', 'woocommerce' ), array( 'status' => 403 ) );
+		}
+		// Fallback probe through REST.
+		$probe = new \WP_REST_Request( $req_method, $request_route );
+		$response = rest_do_request( $probe );
+		if ( is_wp_error( $response ) ) {
+			return $response;
+		}
+		$status = $response instanceof \WP_REST_Response ? $response->get_status() : 200;
+		return $status < 400;
+	}

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (13)

190-200: Handle unknown operations explicitly.

Avoid defaulting to GET; surface a clear error.

-		$method = $method_map[ $operation ] ?? 'GET';
+		$method = $method_map[ $operation ] ?? null;
+		if ( null === $method ) {
+			return new \WP_Error(
+				'woocommerce_mcp_unknown_operation',
+				sprintf( 'Unknown operation "%s".', $operation ),
+				array( 'status' => 400 )
+			);
+		}

---

201-207: Normalize route and sanitize id.

Prevent double slashes and use absint.

-		$request_route = $route;
+		$request_route = '/' . ltrim( rtrim( $route, '/' ), '/' );
 		if ( isset( $input['id'] ) && in_array( $operation, array( 'get', 'update', 'delete' ), true ) ) {
-			$request_route .= '/' . intval( $input['id'] );
+			$request_route .= '/' . absint( $input['id'] );
 			unset( $input['id'] );
 		}

---

208-213: Send body for mutating requests.

Some controllers expect body params; keep params for GET.

-		$request = new \WP_REST_Request( $method, $request_route );
-		foreach ( $input as $key => $value ) {
-			$request->set_param( $key, $value );
-		}
+		$request = new \WP_REST_Request( $method, $request_route );
+		if ( in_array( $method, array( 'POST', 'PUT', 'PATCH' ), true ) ) {
+			$request->set_body_params( $input );
+		} else {
+			foreach ( $input as $key => $value ) {
+				$request->set_param( $key, $value );
+			}
+		}

---

221-226: Return pagination metadata for list operations.

Expose X-WP-Total and X-WP-TotalPages.

-		// For list operations, wrap in data object to match schema
-		if ( 'list' === $operation ) {
-			return array( 'data' => $data );
-		}
+		// For list operations, wrap in data object and include pagination meta.
+		if ( 'list' === $operation ) {
+			$headers = $response instanceof \WP_REST_Response ? $response->get_headers() : array();
+			$meta    = array();
+			if ( isset( $headers['X-WP-Total'] ) ) {
+				$meta['total'] = (int) $headers['X-WP-Total'];
+			}
+			if ( isset( $headers['X-WP-TotalPages'] ) ) {
+				$meta['total_pages'] = (int) $headers['X-WP-TotalPages'];
+			}
+			return array( 'data' => $data, 'meta' => $meta );
+		}

---

147-162: Align list output schema with meta.

Add meta.total and meta.total_pages.

-				return array(
-					'type'       => 'object',
-					'properties' => array(
-						'data' => array(
-							'type'  => 'array',
-							'items' => $schema,
-						),
-					),
-				);
+				return array(
+					'type'       => 'object',
+					'properties' => array(
+						'data' => array(
+							'type'  => 'array',
+							'items' => $schema,
+						),
+						'meta' => array(
+							'type'       => 'object',
+							'properties' => array(
+								'total'       => array( 'type' => 'integer', 'minimum' => 0 ),
+								'total_pages' => array( 'type' => 'integer', 'minimum' => 0 ),
+							),
+						),
+					),
+				);

---

86-91: Normalize WP REST arg defs into valid JSON Schema (capture required).

WP param defs embed “required” per-field; JSON Schema expects top-level required[]. Convert args before returning schema.

-					return array(
-						'type'       => 'object',
-						'properties' => $controller->get_collection_params(),
-					);
+					return self::convert_wp_args_to_json_schema( $controller->get_collection_params() );

-					return array(
-						'type'       => 'object',
-						'properties' => $args,
-					);
+					return self::convert_wp_args_to_json_schema( $args );

-					$args       = $controller->get_endpoint_args_for_item_schema( \WP_REST_Server::EDITABLE );
-					$args['id'] = array(
+					$args       = $controller->get_endpoint_args_for_item_schema( \WP_REST_Server::EDITABLE );
+					$args['id'] = array(
 						'type'        => 'integer',
 						'description' => __( 'Unique identifier for the resource', 'woocommerce' ),
+						'minimum'     => 1,
 					);
-					return array(
-						'type'       => 'object',
-						'properties' => $args,
-						'required'   => array( 'id' ),
-					);
+					$schema = self::convert_wp_args_to_json_schema( $args );
+					$schema['required'] = array_values( array_unique( array_merge( $schema['required'] ?? array(), array( 'id' ) ) ) );
+					return $schema;

Add helper:

+	/**
+	 * Convert WP REST arg definitions to JSON Schema (object) and extract required fields.
+	 *
+	 * @param array $args WP-style arg defs.
+	 * @return array JSON Schema with properties + required[].
+	 */
+	private static function convert_wp_args_to_json_schema( array $args ): array {
+		$required   = array();
+		$properties = array();
+		foreach ( $args as $name => $def ) {
+			$prop = array();
+			foreach ( array( 'type', 'items', 'enum', 'format', 'properties', 'description', 'minimum', 'maximum', 'minItems', 'maxItems', 'default' ) as $k ) {
+				if ( isset( $def[ $k ] ) ) {
+					$prop[ $k ] = $def[ $k ];
+				}
+			}
+			if ( isset( $def['sanitize_callback'] ) && 'absint' === $def['sanitize_callback'] ) {
+				$prop['minimum'] = $prop['minimum'] ?? 0;
+			}
+			$properties[ $name ] = $prop ?: array( 'type' => 'string' );
+			if ( ! empty( $def['required'] ) ) {
+				$required[] = $name;
+			}
+		}
+		$schema = array(
+			'type'       => 'object',
+			'properties' => $properties,
+		);
+		if ( $required ) {
+			$schema['required'] = array_values( array_unique( $required ) );
+		}
+		return $schema;
+	}

Also applies to: 99-102, 105-118

---

121-134: Tighten ID schema for get/delete.

Add minimum 1.

 				return array(
 					'type'       => 'object',
 					'properties' => array(
 						'id' => array(
 							'type'        => 'integer',
 							'description' => __( 'Unique identifier for the resource', 'woocommerce' ),
+							'minimum'     => 1,
 						),
 					),
 					'required'   => array( 'id' ),
 				);

---

47-51: Don’t fail silently when Abilities API is missing.

Log a warning (Woo logger) to aid debugging.

-		if ( ! function_exists( 'wp_register_ability' ) ) {
-			return;
-		}
+		if ( ! function_exists( 'wp_register_ability' ) ) {
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->warning(
+					sprintf( 'Abilities API not available; skipping ability "%s".', $ability_config['id'] ?? '(unknown)' ),
+					array( 'source' => 'rest-ability-factory' )
+				);
+			} else {
+				error_log( sprintf( '[woocommerce] Abilities API not available; skipping ability "%s".', $ability_config['id'] ?? '(unknown)' ) );
+			}
+			return;
+		}

---

70-72: Use WooCommerce logger instead of error_log.

Consistent logging with context.

-			error_log( "Failed to register ability {$ability_config['id']}: " . $e->getMessage() );
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->error(
+					sprintf( 'Failed to register ability %s: %s', $ability_config['id'] ?? '(unknown)', $e->getMessage() ),
+					array( 'source' => 'rest-ability-factory' )
+				);
+			} else {
+				error_log( sprintf( '[woocommerce] Failed to register ability %s: %s', $ability_config['id'] ?? '(unknown)', $e->getMessage() ) );
+			}

---

25-37: Validate config keys and guard against missing entries.

Harden against absent abilities/route keys; log and continue.

 	public static function register_controller_abilities( array $config ): void {
-		$controller_class = $config['controller'];
+		if ( empty( $config['controller'] ) || empty( $config['abilities'] ) || empty( $config['route'] ) ) {
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->warning( 'Invalid REST ability config: missing controller/abilities/route.', array( 'source' => 'rest-ability-factory' ) );
+			}
+			return;
+		}
+		$controller_class = $config['controller'];

---

147-179: Optional: mark delete output required fields.

Ensure deleted/previous presence.

 			} elseif ( 'delete' === $operation ) {
 				// For delete operations, return simple confirmation
 				return array(
 					'type'       => 'object',
 					'properties' => array(
 						'deleted' => array( 'type' => 'boolean' ),
 						'previous' => $schema,
 					),
+					'required' => array( 'deleted' ),
 				);

---

190-229: Nit: drop unused $controller param from execute_operation (cleans PHPMD warning).

Signature not using it after above changes.

-	private static function execute_operation( $controller, string $operation, array $input, string $route ) {
+	private static function execute_operation( string $operation, array $input, string $route ) {

---

60-62: Nit: align execute_callback with updated signature.

Remove unused $controller capture.

-					'execute_callback'    => function( $input ) use ( $controller, $ability_config, $route ) {
-						return self::execute_operation( $controller, $ability_config['operation'], $input, $route );
-					},
+					'execute_callback'    => function( $input ) use ( $ability_config, $route ) {
+						return self::execute_operation( $ability_config['operation'], $input, $route );
+					},

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

Learnt from: tpaksu
PR: woocommerce/woocommerce#60735
File: plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version4/Fulfillments/class-wc-rest-fulfillments-v4-controller-tests.php:10-10
Timestamp: 2025-09-03T11:50:02.208Z
Learning: For REST API controller tests in plugins/woocommerce/tests/**/*.php, test classes should extend WC_REST_Unit_Test_Case instead of WC_Unit_Test_Case because REST routes need to be registered before tests run.

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (5)

57-60: Require HTTPS for credentialed MCP calls (dev override allowed).

Prevent API key leakage over plaintext HTTP; allow opt‑in for local/dev via a filter.

 	public function validate_request( \WP_REST_Request $request ) {
+		// Require TLS by default; allow explicit opt-in for non-SSL (e.g., local dev).
+		if ( ! is_ssl() && ! apply_filters( 'woocommerce_mcp_allow_insecure_transport', false, $request ) ) {
+			return new \WP_Error(
+				'insecure_transport',
+				__( 'HTTPS is required for MCP requests.', 'woocommerce' ),
+				array( 'status' => 403 )
+			);
+		}
 		// Get X-MCP-API-Key header

---

99-101: Do not sanitize secrets; trim only before hashing.

sanitize_text_field() mutates values and will break valid keys.

-		// Hash the consumer key as WooCommerce does
-		$hashed_consumer_key = wc_api_hash( sanitize_text_field( $consumer_key ) );
+		// Hash the consumer key as WooCommerce does (trim only; do not mutate secrets).
+		$hashed_consumer_key = wc_api_hash( trim( (string) $consumer_key ) );

---

112-119: Unify auth errors (i18n), trim secret, and keep messages generic.

Avoid leaking which credential failed; keep timing-safe compare and translate strings.

-			return new \WP_Error(
-				'invalid_consumer_key',
-				'Consumer key is invalid.',
-				array( 'status' => 401 )
-			);
+			return new \WP_Error(
+				'invalid_consumer_key',
+				__( 'Invalid credentials.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
@@
-		if ( ! hash_equals( $user_data->consumer_secret, $consumer_secret ) ) {
-			return new \WP_Error(
-				'invalid_consumer_secret',
-				'Consumer secret is invalid.',
-				array( 'status' => 401 )
-			);
+		if ( ! hash_equals( $user_data->consumer_secret, trim( (string) $consumer_secret ) ) ) {
+			return new \WP_Error(
+				'invalid_consumer_secret',
+				__( 'Invalid credentials.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);

Also applies to: 121-128

---

130-137: Enforce allowed key permissions and ensure user exists before switching context.

Prevents orphaned keys and too‑permissive scopes.

-		// Store permissions for tool-level checking
-		self::$current_mcp_permissions = $user_data->permissions;
-
-		// Set the current user
-		wp_set_current_user( $user_data->user_id );
+		// Store permissions for tool-level checking.
+		self::$current_mcp_permissions = $user_data->permissions;
+
+		// Enforce minimal permissions for MCP (filterable).
+		$allowed_permissions = apply_filters( 'woocommerce_mcp_allowed_key_permissions', array( 'read', 'read_write' ) );
+		if ( ! in_array( self::$current_mcp_permissions, $allowed_permissions, true ) ) {
+			return new \WP_Error(
+				'insufficient_api_key_permissions',
+				__( 'The API key does not grant required permissions for MCP.', 'woocommerce' ),
+				array( 'status' => 403 )
+			);
+		}
+
+		// Ensure the user exists before switching context.
+		$user = get_user_by( 'id', (int) $user_data->user_id );
+		if ( ! $user ) {
+			return new \WP_Error(
+				'mcp_user_not_found',
+				__( 'The user associated with this API key no longer exists.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
+		}
+		wp_set_current_user( $user->ID );

---

44-49: Fix nullable param: avoid fatal in strict mode and match parent signature.

validate_request() requires \WP_REST_Request; passing null from check_permission() can fatally error. Type the param and drop the default.

-	 * @param WP_REST_Request|null $request The REST request object.
+	 * @param \WP_REST_Request $request The REST request object.
@@
-	public function check_permission( $request = null ) {
+	public function check_permission( \WP_REST_Request $request ) {
 		return $this->validate_request( $request );
 	}

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (4)

61-67: Localize error messages (i18n) and align phrasing.

User‑facing strings must be translatable.

-			return new \WP_Error(
-				'missing_api_key',
-				'X-MCP-API-Key header required. Format: consumer_key:consumer_secret',
-				array( 'status' => 401 )
-			);
+			return new \WP_Error(
+				'missing_api_key',
+				__( 'API key required in X-MCP-API-Key header. Format: consumer_key:consumer_secret', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
@@
-			return new \WP_Error(
-				'invalid_api_key',
-				'X-MCP-API-Key must be in format consumer_key:consumer_secret',
-				array( 'status' => 401 )
-			);
+			return new \WP_Error(
+				'invalid_api_key',
+				__( 'X-MCP-API-Key must be in format consumer_key:consumer_secret.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);

Also applies to: 69-75

---

96-96: Strengthen types on private auth method.

Add scalar types for clarity and static analysis.

-	private function authenticate( $consumer_key, $consumer_secret ) {
+	private function authenticate( string $consumer_key, string $consumer_secret ) {

---

24-39: Avoid duplicate filter registration across multiple instances.

Make the filter hook idempotent to prevent duplicate callbacks.

 	/**
 	 * Current MCP user's API key permissions.
@@
 	private static $current_mcp_permissions = null;
+
+	/**
+	 * Whether the permission filter has been registered (avoid duplicate callbacks).
+	 *
+	 * @var bool
+	 */
+	private static $permission_filter_hooked = false;
@@
-		// Register permission filter callback
-		add_filter( 'woocommerce_check_rest_ability_permissions_for_method', array( $this, 'check_ability_permission' ), 10, 3 );
+		// Register permission filter callback once.
+		if ( ! self::$permission_filter_hooked ) {
+			add_filter( 'woocommerce_check_rest_ability_permissions_for_method', array( $this, 'check_ability_permission' ), 10, 3 );
+			self::$permission_filter_hooked = true;
+		}

---

156-178: Silence unused param warning and defer on unknown methods.

Rename the unused param and return $allowed for unknown HTTP verbs.

-	public function check_ability_permission( $allowed, $method, $controller ) {
+	public function check_ability_permission( $allowed, $method, $_controller ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
@@
-			default:
-				return false;
+			default:
+				// Unknown HTTP method; defer to prior filters/default.
+				return $allowed;

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (5)

10-10: Remove unused import.

WooCommerceRestTransport is not referenced in this file.

-use Automattic\WooCommerce\Internal\MCP\Transport\WooCommerceRestTransport;

---

27-39: Guard config keys and normalize the route to avoid notices/misroutes.

Ensure controller, route, and abilities are present/typed; normalize the route once.

-	public static function register_controller_abilities( array $config ): void {
-		$controller_class = $config['controller'];
+	public static function register_controller_abilities( array $config ): void {
+		$controller_class = $config['controller'] ?? null;
+		$route            = isset( $config['route'] ) ? '/' . ltrim( (string) $config['route'], '/' ) : null;
+		$abilities        = isset( $config['abilities'] ) && is_array( $config['abilities'] ) ? $config['abilities'] : array();
 
-		if ( ! class_exists( $controller_class ) ) {
+		if ( ! $controller_class || ! class_exists( $controller_class ) || ! $route ) {
 			return;
 		}
 
 		$controller = new $controller_class();
 
-		foreach ( $config['abilities'] as $ability_config ) {
-			self::register_single_ability( $controller, $ability_config, $config['route'] );
+		foreach ( $abilities as $ability_config ) {
+			self::register_single_ability( $controller, $ability_config, $route );
 		}
 	}

---

62-67: Drop unused $controller in execute_operation and normalize route in one place.

Removes PHPMD warning and makes routing resilient if a route without leading slash slips in.

-					'execute_callback'    => function( $input ) use ( $controller, $ability_config, $route ) {
-						return self::execute_operation( $controller, $ability_config['operation'], $input, $route );
+					'execute_callback'    => function( $input ) use ( $ability_config, $route ) {
+						return self::execute_operation( $ability_config['operation'], $input, $route );
 					},

-	private static function execute_operation( $controller, string $operation, array $input, string $route ) {
+	private static function execute_operation( string $operation, array $input, string $route ) {
 		$method = self::get_http_method_for_operation( $operation );
 
-		// Build final route - add ID for single item operations
-		$request_route = $route;
+		// Build final route - add ID for single item operations
+		$request_route = '/' . ltrim( $route, '/' );
 		if ( isset( $input['id'] ) && in_array( $operation, array( 'get', 'update', 'delete' ), true ) ) {
 			$request_route .= '/' . intval( $input['id'] );
 			unset( $input['id'] );
 		}

Also applies to: 192-201

---

71-74: Use WooCommerce logger instead of error_log.

Aligns with WC logging and allows filtering by source.

-		} catch ( \Throwable $e ) {
-			// Log the error for debugging but don't break the registration of other abilities
-			error_log( "Failed to register ability {$ability_config['id']}: " . $e->getMessage() );
-		}
+		} catch ( \Throwable $e ) {
+			$logger = function_exists( 'wc_get_logger' ) ? wc_get_logger() : null;
+			if ( $logger ) {
+				$logger->error(
+					sprintf( 'MCP: Failed to register ability %s: %s', $ability_config['id'], $e->getMessage() ),
+					array( 'source' => 'mcp-abilities' )
+				);
+			}
+		}

---

250-262: Return WP_Error on denial for clearer failures; suppress PHPMD unused param.

Improves DX by surfacing 403 with a message, and silences PHPMD for $input.

-	 * @return bool Whether permission is granted.
+	 * @return bool|\WP_Error Whether permission is granted.
 	 */
-	private static function check_permission( $controller, string $operation, array $input ): bool {
+	// @SuppressWarnings(PHPMD.UnusedFormalParameter)
+	private static function check_permission( $controller, string $operation, array $input ) {
 		// Get HTTP method for the operation
 		$method = self::get_http_method_for_operation( $operation );
 
 		/**
 		 * Filter to check REST ability permissions for HTTP method.
 		 *
 		 * @param bool   $allowed    Whether the operation is allowed. Default false.
 		 * @param string $method     HTTP method (GET, POST, PUT, DELETE).
 		 * @param object $controller REST controller instance.
 		 */
-		return apply_filters( 'woocommerce_check_rest_ability_permissions_for_method', false, $method, $controller );
+		$allowed = apply_filters( 'woocommerce_check_rest_ability_permissions_for_method', false, $method, $controller );
+		if ( $allowed ) {
+			return true;
+		}
+		return new \WP_Error(
+			'rest_forbidden',
+			__( 'You are not allowed to perform this operation via MCP.', 'woocommerce' ),
+			array( 'status' => 403 )
+		);
 	}

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (1)

88-116: Type‑check adapter and localize server strings.

Avoid relying on exceptions for flow control and ensure UI strings are translatable.

Apply this diff:

 public function initialize_mcp_server( $adapter ): void {
+		// Ensure adapter exposes the expected API.
+		if ( ! is_object( $adapter ) || ! method_exists( $adapter, 'create_server' ) ) {
+			return;
+		}
@@
-			$adapter->create_server(
+			$adapter->create_server(
 				'woocommerce-mcp',
 				'woocommerce',
 				'mcp',
-				'WooCommerce MCP Server',
-				'AI-accessible WooCommerce operations via MCP',
+				__( 'WooCommerce MCP Server', 'woocommerce' ),
+				__( 'AI-accessible WooCommerce operations via MCP', 'woocommerce' ),
 				'1.0.0',
 				array( WooCommerceRestTransport::class ),
 				\WP\MCP\Infrastructure\ErrorHandling\ErrorLogMcpErrorHandler::class,
 				\WP\MCP\Infrastructure\Observability\NullMcpObservabilityHandler::class,
 				$abilities_ids,
 			);

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (2)

98-101: Temporarily disabling validation: verify blast radius and track upstream.

Disabling mcp_validation_enabled globally (even briefly) could affect other MCP servers created in the same request. If the filter supports context args, gate it by server id; otherwise, keep as is but link the upstream issue in the TODO so we know when to remove.

Could you add a reference to the upstream validator bug (issue URL/ID) in the TODO and confirm whether the mcp_validation_enabled filter receives arguments that would allow scoping?

Also applies to: 124-127

---

117-123: Enrich error log context.

Include exception class/code and useful context to speed up debugging.

Apply this diff:

-			if ( function_exists( 'wc_get_logger' ) ) {
-				wc_get_logger()->error(
-					'MCP server initialization failed: ' . $e->getMessage(),
-					array( 'source' => 'woocommerce-mcp' )
-				);
-			}
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->error(
+					sprintf( 'MCP server initialization failed: [%s:%s] %s', get_class( $e ), (string) $e->getCode(), $e->getMessage() ),
+					array(
+						'source'          => 'woocommerce-mcp',
+						'server_id'       => 'woocommerce-mcp',
+						'abilities_count' => is_array( $abilities_ids ) ? count( $abilities_ids ) : 0,
+					)
+				);
+			}

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (1)

62-67: Route‑level permission enforced. LGTM.

Permission is checked via filter before execution; addresses earlier feedback.

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (6)

10-10: Remove unused import.

WooCommerceRestTransport isn’t referenced in this file.

- use Automattic\WooCommerce\Internal\MCP\Transport\WooCommerceRestTransport;

---

27-39: Validate config and normalize route upfront.

Harden against missing keys and malformed routes; avoid notices and 404s.

 public static function register_controller_abilities( array $config ): void {
-	$controller_class = $config['controller'];
+	if ( empty( $config['controller'] ) || empty( $config['abilities'] ) || empty( $config['route'] ) || ! is_array( $config['abilities'] ) ) {
+		return;
+	}
+	$controller_class = $config['controller'];
 
 	if ( ! class_exists( $controller_class ) ) {
 		return;
 	}
 
 	$controller = new $controller_class();
 
-	foreach ( $config['abilities'] as $ability_config ) {
-		self::register_single_ability( $controller, $ability_config, $config['route'] );
+	$route = '/' . ltrim( (string) $config['route'], '/' );
+	foreach ( $config['abilities'] as $ability_config ) {
+		self::register_single_ability( $controller, $ability_config, $route );
 	}
 }

---

55-75: Prefer WooCommerce logger over error_log.

Use wc_get_logger() with a context; avoids noisy PHP error logs and integrates with WC logging.

-		} catch ( \Throwable $e ) {
-			// Log the error for debugging but don't break the registration of other abilities
-			error_log( "Failed to register ability {$ability_config['id']}: " . $e->getMessage() );
-		}
+		} catch ( \Throwable $e ) {
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->error(
+					sprintf( 'Failed to register ability %s: %s', $ability_config['id'], $e->getMessage() ),
+					array( 'source' => 'rest-ability-factory' )
+				);
+			}
+		}

---

156-215: Harden arg sanitation against unexpected shapes.

Guard non‑array args; only copy array enums; avoid leaking unknown nested keys.

 private static function sanitize_args_to_schema( array $args ): array {
 	$properties = array();
 	$required   = array();
 
 	foreach ( $args as $key => $arg ) {
-		$property = array();
+		if ( ! is_array( $arg ) ) {
+			continue;
+		}
+		$property = array();
 
 		// Copy valid JSON Schema fields
 		if ( isset( $arg['type'] ) ) {
-			$property['type'] = $arg['type'];
+			$property['type'] = $arg['type'];
 		}
 		if ( isset( $arg['description'] ) ) {
 			$property['description'] = $arg['description'];
 		}
 		if ( isset( $arg['default'] ) ) {
 			$property['default'] = $arg['default'];
 		}
-		if ( isset( $arg['enum'] ) ) {
-			$property['enum'] = array_values( $arg['enum'] );
+		if ( isset( $arg['enum'] ) && is_array( $arg['enum'] ) ) {
+			$property['enum'] = array_values( $arg['enum'] );
 		}
-		if ( isset( $arg['items'] ) ) {
-			$property['items'] = $arg['items'];
+		if ( isset( $arg['items'] ) && is_array( $arg['items'] ) ) {
+			$property['items'] = $arg['items'];
 		}
 		if ( isset( $arg['minimum'] ) ) {
 			$property['minimum'] = $arg['minimum'];
 		}
 		if ( isset( $arg['maximum'] ) ) {
 			$property['maximum'] = $arg['maximum'];
 		}
 		if ( isset( $arg['format'] ) ) {
 			$property['format'] = $arg['format'];
 		}
-		if ( isset( $arg['properties'] ) ) {
-			$property['properties'] = $arg['properties'];
+		if ( isset( $arg['properties'] ) && is_array( $arg['properties'] ) ) {
+			$property['properties'] = $arg['properties'];
 		}
 
 		// Convert readonly to readOnly (JSON Schema format)
 		if ( isset( $arg['readonly'] ) && $arg['readonly'] ) {
 			$property['readOnly'] = true;
 		}
 
 		// Collect required fields
 		if ( isset( $arg['required'] ) && $arg['required'] === true ) {
 			$required[] = $key;
 		}
 
 		$properties[ $key ] = $property;
 	}
 
 	$schema = array(
 		'type'       => 'object',
 		'properties' => $properties,
 	);
 
 	if ( ! empty( $required ) ) {
-		$schema['required'] = array_unique( $required );
+		$schema['required'] = array_values( array_unique( $required ) );
 	}
 
 	return $schema;
 }

---

267-297: Remove unused parameters and normalize route when executing.

Silences PHPMD warnings and avoids malformed routes.

-					'execute_callback'    => function( $input ) use ( $controller, $ability_config, $route ) {
-						return self::execute_operation( $controller, $ability_config['operation'], $input, $route );
+					'execute_callback'    => function( $input ) use ( $ability_config, $route ) {
+						return self::execute_operation( $ability_config['operation'], $input, $route );
 					},
-					'permission_callback' => function( $input ) use ( $controller, $ability_config ) {
-						return self::check_permission( $controller, $ability_config['operation'], $input );
+					'permission_callback' => function( $input ) use ( $controller, $ability_config ) {
+						return self::check_permission( $controller, $ability_config['operation'] );
 					},

-	private static function execute_operation( $controller, string $operation, array $input, string $route ) {
+	private static function execute_operation( string $operation, array $input, string $route ) {
 		$method = self::get_http_method_for_operation( $operation );
 
 		// Build final route - add ID for single item operations
-		$request_route = $route;
+		$request_route = '/' . ltrim( $route, '/' );
 		if ( isset( $input['id'] ) && in_array( $operation, array( 'get', 'update', 'delete' ), true ) ) {
 			$request_route .= '/' . intval( $input['id'] );
 			unset( $input['id'] );
 		}

-	private static function check_permission( $controller, string $operation, array $input ): bool {
+	private static function check_permission( $controller, string $operation ): bool {
 		// Get HTTP method for the operation
 		$method = self::get_http_method_for_operation( $operation );

Also applies to: 63-67, 325-337

---

278-281: Use query params for GET to avoid mixing transport layers.

Minor: for GET, prefer set_query_params for clarity.

-		foreach ( $input as $key => $value ) {
-			$request->set_param( $key, $value );
-		}
+		if ( 'GET' === $method ) {
+			$request->set_query_params( $input );
+		} else {
+			foreach ( $input as $key => $value ) {
+				$request->set_param( $key, $value );
+			}
+		}

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (5)

70-76: Localize error message for missing API key.

The error message for missing API key is not localized, while other error messages in this file are using the __() function.

Apply this diff to localize the error message:

 		if ( empty( $api_key ) ) {
 			return new \WP_Error(
 				'missing_api_key',
-				'X-MCP-API-Key header required. Format: consumer_key:consumer_secret',
+				__( 'X-MCP-API-Key header required. Format: consumer_key:consumer_secret', 'woocommerce' ),
 				array( 'status' => 401 )
 			);
 		}

---

121-137: Localize and unify error messages for invalid credentials.

The error messages expose whether the consumer key or secret is invalid, which could aid attackers. Consider using a generic message for both cases. Also, these messages should be localized.

Apply this diff to unify and localize error messages:

 		// Check if user data was found
 		if ( empty( $user_data ) ) {
 			return new \WP_Error(
 				'invalid_consumer_key',
-				'Consumer key is invalid.',
+				__( 'Invalid credentials.', 'woocommerce' ),
 				array( 'status' => 401 )
 			);
 		}
 
 		// Validate consumer secret using hash_equals for timing attack protection
 		if ( ! hash_equals( $user_data->consumer_secret, $consumer_secret ) ) {
 			return new \WP_Error(
 				'invalid_consumer_secret',
-				'Consumer secret is invalid.',
+				__( 'Invalid credentials.', 'woocommerce' ),
 				array( 'status' => 401 )
 			);
 		}

---

131-131: Apply trimming to consumer_secret for consistency.

The consumer_secret should also be trimmed (but not sanitized) before comparison to ensure consistency with how the consumer_key is handled.

Apply this diff:

 		// Validate consumer secret using hash_equals for timing attack protection
-		if ( ! hash_equals( $user_data->consumer_secret, $consumer_secret ) ) {
+		if ( ! hash_equals( $user_data->consumer_secret, trim( (string) $consumer_secret ) ) ) {

---

108-109: Avoid sanitizing API keys as it may alter their values.

Using sanitize_text_field() on the consumer key can potentially alter the key value (e.g., stripping special characters), which would cause valid keys to fail authentication. API keys should only be trimmed to remove whitespace.

Apply this diff to only trim the consumer key:

 		// Hash the consumer key as WooCommerce does
-		$hashed_consumer_key = wc_api_hash( sanitize_text_field( $consumer_key ) );
+		$hashed_consumer_key = wc_api_hash( trim( (string) $consumer_key ) );

---

139-145: Validate API key permissions and ensure user exists before setting context.

The code should verify that:

1. The API key has appropriate permissions for MCP (at least 'read')
2. The user associated with the API key still exists in the system

Apply this diff to add permission and user validation:

 		// Store permissions for tool-level checking
 		self::$current_mcp_permissions = $user_data->permissions;
 
+		// Enforce minimal permissions for MCP (filterable).
+		$allowed_permissions = apply_filters( 'woocommerce_mcp_allowed_key_permissions', array( 'read', 'read_write' ) );
+		if ( ! in_array( $user_data->permissions, $allowed_permissions, true ) ) {
+			return new \WP_Error(
+				'insufficient_api_key_permissions',
+				__( 'The API key does not grant required permissions for MCP.', 'woocommerce' ),
+				array( 'status' => 403 )
+			);
+		}
+
+		// Ensure the user exists before switching context.
+		$user = get_user_by( 'id', (int) $user_data->user_id );
+		if ( ! $user ) {
+			return new \WP_Error(
+				'mcp_user_not_found',
+				__( 'The user associated with this API key no longer exists.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
+		}
+
 		// Set the current user
-		wp_set_current_user( $user_data->user_id );
+		wp_set_current_user( $user->ID );

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (3)

47-49: Consider adding proper parameter typing to check_permission method.

The method accepts $request = null but then passes it directly to validate_request which expects a typed \WP_REST_Request parameter. This could cause a runtime error if null is passed.

Apply this diff to add proper typing:

-	public function check_permission( $request = null ) {
+	public function check_permission( \WP_REST_Request $request ) {
 		return $this->validate_request( $request );
 	}

---

78-84: Localize error message for invalid API key format.

The error message for invalid API key format is not localized.

Apply this diff to localize the error message:

 		if ( strpos( $api_key, ':' ) === false ) {
 			return new \WP_Error(
 				'invalid_api_key',
-				'X-MCP-API-Key must be in format consumer_key:consumer_secret',
+				__( 'X-MCP-API-Key must be in format consumer_key:consumer_secret', 'woocommerce' ),
 				array( 'status' => 401 )
 			);
 		}

---

165-187: Consider using the $controller parameter or documenting why it's unused.

The static analysis tool flagged that $controller parameter is unused. While this may be intentional (as permissions are based purely on HTTP method and API key permissions), you might want to use it for more granular permission checks in the future.

Consider either:

1. Adding a comment explaining why $controller is intentionally unused
2. Using it for more granular permission checks based on the specific REST controller

Example documentation:

/**
 * Check REST ability permissions for HTTP method.
 *
 * @param bool   $allowed    Whether the operation is allowed. Default false.
 * @param string $method     HTTP method (GET, POST, PUT, DELETE).
 * @param object $controller REST controller instance (unused - permissions based on method only).
 * @return bool Whether permission is granted.
 */

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (5)

24-31: Add a scoped callback property to avoid clobbering third‑party filters.

We add/remove a global __return_false callback later; keeping our own callable avoids removing someone else’s identical callback.

Apply this diff:

 class MCPAdapterProvider {

 	/**
 	 * Whether MCP adapter is initialized.
 	 *
 	 * @var bool
 	 */
 	private bool $initialized = false;
+
+	/**
+	 * Scoped callback used to temporarily disable MCP validation.
+	 * @var callable|null
+	 */
+	private $validation_disable_cb = null;

---

65-73: Log when MCP adapter class is unavailable.

Currently this fails silently; logging helps diagnose missing deps/config.

Apply this diff:

 	private function initialize_mcp_adapter(): void {
 		// Check if MCP adapter class exists (should be autoloaded by WooCommerce's composer)
 		if ( ! class_exists( 'WP\MCP\Core\McpAdapter' ) ) {
-			return;
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->warning(
+					'MCP adapter class not found. Skipping MCP initialization.',
+					array( 'source' => 'woocommerce-mcp' )
+				);
+			}
+			return;
 		}

---

97-101: Don’t remove other plugins’ mcp_validation_enabled filters.

Using __return_false risks removing someone else’s identical callback at the same priority. Use a scoped closure stored on the instance.

Apply this diff:

-		// Temporarily disable MCP validation during server creation
-		// Workaround for validator bug with union types (e.g., ["integer", "null"])
-		// TODO: Remove once mcp-adapter validator bug is fixed
-		add_filter( 'mcp_validation_enabled', '__return_false', 999 );
+		// Temporarily disable MCP validation during server creation (workaround for union-types bug).
+		// Use an instance-scoped callback to avoid removing third-party filters.
+		$this->validation_disable_cb = static function (): bool {
+			return false;
+		};
+		add_filter( 'mcp_validation_enabled', $this->validation_disable_cb, 999 );
@@
-			// Re-enable MCP validation immediately after server creation
-			remove_filter( 'mcp_validation_enabled', '__return_false', 999 );
+			// Re-enable MCP validation immediately after server creation
+			if ( null !== $this->validation_disable_cb ) {
+				remove_filter( 'mcp_validation_enabled', $this->validation_disable_cb, 999 );
+				$this->validation_disable_cb = null;
+			}

Also applies to: 124-126

---

102-116: Type-check the adapter and localize server labels.

• Add a lightweight type/method check (defensive; avoids hard errors if the hook is misused).
• Wrap name/description with __() for i18n.

Apply this diff:

-	public function initialize_mcp_server( $adapter ): void {
+	public function initialize_mcp_server( $adapter ): void {
 		// Get filtered abilities for MCP server
 		$abilities_ids = $this->get_woocommerce_mcp_abilities();
@@
-		try {
+		try {
+			// Ensure adapter has the expected API.
+			if ( ! is_object( $adapter ) || ! method_exists( $adapter, 'create_server' ) ) {
+				if ( function_exists( 'wc_get_logger' ) ) {
+					wc_get_logger()->error(
+						'MCP server initialization failed: invalid adapter instance (missing create_server).',
+						array( 'source' => 'woocommerce-mcp' )
+					);
+				}
+				return;
+			}
 			// Create MCP server
 			$adapter->create_server(
 				'woocommerce-mcp',
 				'woocommerce',
 				'mcp',
-				'WooCommerce MCP Server',
-				'AI-accessible WooCommerce operations via MCP',
+				__( 'WooCommerce MCP Server', 'woocommerce' ),
+				__( 'AI-accessible WooCommerce operations via MCP', 'woocommerce' ),
 				'1.0.0',
 				array( WooCommerceRestTransport::class ),
 				\WP\MCP\Infrastructure\ErrorHandling\ErrorLogMcpErrorHandler::class,
 				\WP\MCP\Infrastructure\Observability\NullMcpObservabilityHandler::class,
 				$abilities_ids,
 			);

---

1-166: Add tests for key flows.

• Feature flag gating: ensure no init when disabled; init when enabled on REST only.
• Validation filter scoping: assert filter state is restored after exceptions.
• Abilities filtering: only woocommerce/ by default; custom include via filter.
• Logging: assert error is logged on invalid adapter.

I can scaffold PHPUnit tests targeting these behaviors if helpful.

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (1)

103-106: Prefer runtime/feature detection instead of a version check for removing this workaround

composer.json requires wordpress/mcp-adapter: "dev-trunk" (composer.lock also lists version "dev-trunk" / commit 95981e865bde0424a177dacb6fb06be03cc76320), so there is no stable package version to reliably check. Replace the TODO/version-check suggestion with a runtime approach: if the adapter exposes a VERSION constant or get_version() accessor, use that; otherwise add a small validator compatibility test at runtime (e.g., attempt a minimal union-type validation) and only disable mcp validation when that test fails. Keep the existing try/finally that re-enables validation.
Location: plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (around the add_filter at ~lines 103–106).

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (2)

103-107: Document the temporary workaround with specific details.

The comment mentions a "validator bug with union types" but lacks specifics about the issue or expected resolution timeline.

-		// Temporarily disable MCP validation during server creation
-		// Workaround for validator bug with union types (e.g., ["integer", "null"])
-		// TODO: Remove once mcp-adapter validator bug is fixed
+		// Temporarily disable MCP validation during server creation
+		// Workaround for MCP adapter validator incorrectly rejecting valid union types
+		// like ["integer", "null"] in JSON Schema validation
+		// TODO: Remove once wordpress/mcp-adapter issue is resolved

---

148-162: Consider caching filtered abilities for performance.

The abilities filtering runs every time the server is initialized. For better performance, consider caching the filtered results if abilities don't change frequently during a request cycle.

+	/**
+	 * Cached MCP abilities.
+	 *
+	 * @var array|null
+	 */
+	private ?array $cached_mcp_abilities = null;
+
 	/**
 	 * Get WooCommerce abilities for MCP server.
 	 *
 	 * Filters abilities to include only those with 'woocommerce/' namespace by default,
 	 * with a filter to allow inclusion of abilities from other namespaces.
 	 *
 	 * @return array Array of ability IDs for MCP server.
 	 */
 	private function get_woocommerce_mcp_abilities(): array {
+		// Return cached abilities if available
+		if ( $this->cached_mcp_abilities !== null ) {
+			return $this->cached_mcp_abilities;
+		}
+
 		// Get all abilities from the registry
 		$abilities_registry = wc_get_container()->get( AbilitiesRegistry::class );
 		$all_abilities_ids = $abilities_registry->getAbilitiesIDs();
 
 		// Filter abilities based on namespace and custom filter
 		$mcp_abilities = array_filter(
 			$all_abilities_ids,
 			function( $ability_id ) {
 				// Include WooCommerce abilities by default
 				$include = str_starts_with( $ability_id, 'woocommerce/' );
 
 				// Allow filter to override inclusion decision
 				return apply_filters( 'woocommerce_mcp_include_ability', $include, $ability_id );
 			}
 		);
 
-		// Re-index array
-		return array_values( $mcp_abilities );
+		// Re-index array and cache result
+		$this->cached_mcp_abilities = array_values( $mcp_abilities );
+		return $this->cached_mcp_abilities;
 	}

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Learnt from: budzanowski
PR: woocommerce/woocommerce#60901
File: plugins/woocommerce/src/Internal/Abilities/AbilitiesRestBridge.php:27-94
Timestamp: 2025-09-17T16:16:48.098Z
Learning: The WooCommerce MCP integration is intentionally designed for comprehensive store data manipulation, including orders (with PII) and write operations (create/update/delete). This is by design, not a security oversight, and relies on existing WooCommerce API key authentication and permission scoping for security.

plugins/woocommerce/src/Internal/MCP/Transport/WooCommerceRestTransport.php (2)

70-84: i18n and stricter header validation for X‑MCP‑API‑Key.

Localize messages and ensure both parts are present/non-empty.

-		if ( empty( $api_key ) ) {
+		if ( empty( $api_key ) ) {
 			return new \WP_Error(
 				'missing_api_key',
-				'X-MCP-API-Key header required. Format: consumer_key:consumer_secret',
+				__( 'X-MCP-API-Key header required. Format: consumer_key:consumer_secret', 'woocommerce' ),
 				array( 'status' => 401 )
 			);
 		}
 
-		if ( strpos( $api_key, ':' ) === false ) {
+		if ( strpos( $api_key, ':' ) === false ) {
 			return new \WP_Error(
 				'invalid_api_key',
-				'X-MCP-API-Key must be in format consumer_key:consumer_secret',
+				__( 'X-MCP-API-Key must be in format consumer_key:consumer_secret', 'woocommerce' ),
 				array( 'status' => 401 )
 			);
 		}
 
-		list( $consumer_key, $consumer_secret ) = explode( ':', $api_key, 2 );
+		list( $consumer_key, $consumer_secret ) = explode( ':', $api_key, 2 );
+		if ( '' === trim( (string) $consumer_key ) || '' === trim( (string) $consumer_secret ) ) {
+			return new \WP_Error(
+				'invalid_api_key',
+				__( 'X-MCP-API-Key must include both consumer key and secret.', 'woocommerce' ),
+				array( 'status' => 401 )
+			);
+		}

---

165-187: Silence PHPMD: $controller is unused here.

No behavior change.

 	public function check_ability_permission( $allowed, $method, $controller ) {
+		// $controller is part of the filter signature; not used here.
+		unset( $controller );

plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php (5)

27-39: Guard required config and derive route when missing.

Avoid fatals when 'route' isn’t provided.

 	public static function register_controller_abilities( array $config ): void {
 		$controller_class = $config['controller'];
 
 		if ( ! class_exists( $controller_class ) ) {
 			return;
 		}
 
-		$controller = new $controller_class();
+		$controller = new $controller_class();
+		$route      = $config['route'] ?? null;
+		if ( ! $route && property_exists( $controller, 'namespace' ) && property_exists( $controller, 'rest_base' ) ) {
+			$route = '/' . ltrim( (string) $controller->namespace, '/' ) . '/' . trim( (string) $controller->rest_base, '/' );
+		}
+		if ( ! $route ) {
+			return;
+		}
 
-		foreach ( $config['abilities'] as $ability_config ) {
-			self::register_single_ability( $controller, $ability_config, $config['route'] );
+		foreach ( $config['abilities'] as $ability_config ) {
+			self::register_single_ability( $controller, $ability_config, $route );
 		}
 	}

---

71-75: Prefer wc_get_logger over error_log.

Aligns with WooCommerce logging and respects filters.

-		} catch ( \Throwable $e ) {
-			// Log the error for debugging but don't break the registration of other abilities
-			error_log( "Failed to register ability {$ability_config['id']}: " . $e->getMessage() );
+		} catch ( \Throwable $e ) {
+			if ( function_exists( 'wc_get_logger' ) ) {
+				wc_get_logger()->error(
+					"Failed to register ability {$ability_config['id']}: " . $e->getMessage(),
+					array( 'source' => 'woocommerce-mcp' )
+				);
+			}
 		}

---

271-275: Normalize route formatting.

Ensure a leading slash and strip trailing slashes to avoid dispatch edge cases.

-		$request_route = $route;
+		$request_route = '/' . ltrim( (string) $route, '/' );
+		$request_route = rtrim( $request_route, '/' );

---

267-299: Remove unused $controller parameter from execute_operation (or unset).

Either drop it and update the call site, or unset to satisfy static analysis.

-	private static function execute_operation( $controller, string $operation, array $input, string $route ) {
+	private static function execute_operation( string $operation, array $input, string $route ) {

And update the caller:

-					'execute_callback'    => function( $input ) use ( $controller, $ability_config, $route ) {
-						return self::execute_operation( $controller, $ability_config['operation'], $input, $route );
+					'execute_callback'    => function( $input ) use ( $ability_config, $route ) {
+						return self::execute_operation( $ability_config['operation'], $input, $route );
 					},

If you prefer not to change the signature now:

+		// $controller is unused; keep signature for BC.
+		unset( $controller );

---

325-337: Silence PHPMD: $input unused in check_permission.

No behavior change.

 	private static function check_permission( $controller, string $operation, array $input ): bool {
+		unset( $input );
 		// Get HTTP method for the operation
 		$method = self::get_http_method_for_operation( $operation );

plugins/woocommerce/src/Internal/MCP/MCPAdapterProvider.php (1)

143-162: Feature-scope filter looks good; minor: tolerate non-string IDs.

Cast ability_id to string before str_starts_with to avoid accidental warnings.

-			function( $ability_id ) {
+			function( $ability_id ) {
+				$ability_id = (string) $ability_id;
 				// Include WooCommerce abilities by default
-				$include = str_starts_with( $ability_id, 'woocommerce/' );
+				$include = str_starts_with( $ability_id, 'woocommerce/' );