Npcink Abilities Toolkit helps a WordPress site expose, review, and safely inspect Abilities API capabilities for AI hosts and clients.<\/p>\n\n
The admin page is built for site operators first. It shows whether the site's ability package is working, which abilities are available, which abilities are read-only, and which write-like abilities require host approval.<\/p>\n\n
For developers and host runtimes, the plugin also provides ability registration helpers, category helpers, schema normalization, annotation normalization, REST discovery values, and optional canonical projection for Npcink AI when Npcink AI is installed.<\/p>\n\n
It can be used by any WordPress plugin or client that consumes the WordPress Abilities API. Npcink AI is one optional consumer, not the owner of this plugin.<\/p>\n\n
It does not run AI models, execute workflows, route prompts, contact model providers, manage billing or quotas, own MCP governance, or approve final WordPress writes.<\/p>\n\n
Read-only host composition recipe metadata may document how hosts can compose abilities, but those records do not run queues, schedule jobs, execute workflows, or create a second registry.<\/p>\n\n
Host composition recipe metadata is available through read-only helpers and Abilities API discovery abilities for hosts that need catalog discovery without execution ownership.<\/p>\n\n
This plugin does not automatically contact Npcink AI, model providers, analytics services, tracking services, or cloud services.<\/p>\n\n
Some abilities can prepare request payloads for a separate host or cloud add-on, but this plugin does not send those payloads to an external service by itself.<\/p>\n\n
The Provider plugins should wait until Do not include files from this plugin's Use REST clients should first discover the catalog through:<\/p>\n\n The contract endpoint is a compatibility and boundary discovery endpoint for\nauthenticated host runtimes. It does not replace the WordPress Abilities API\ncatalog and does not run abilities.<\/p>\n\n Full provider examples and REST client notes are maintained in the public\nrepository:<\/p>\n\n If the After activation with a Npcink AI host plugin, open Npcink AI -> AI Abilities in wp-admin. When this standalone package is installed without a Npcink AI host menu, open Tools -> Site AI Abilities instead.<\/p>\n\n The page is designed for site operators first: it shows site ability status, groups available abilities with plain labels and risk posture, and can run two official read-only checks: site info and bounded redacted diagnostics summary. The Checks tab explains what each check proves and what it does not prove before it runs. Check results are shown as a plain summary table, with raw JSON kept behind a support disclosure. Developer Access keeps copyable REST endpoint values, raw discovery fetches, and ability ID export available for host\/client setup. It does not run showcase workflows, model calls, write abilities, approval flows, or demo abilities.<\/p>\n\n The plugin includes migrated low-risk WordPress read abilities, deterministic comment helpers, and host-governed WordPress write\/destructive abilities using canonical It also includes It also includes It also includes Core governance handoff docs include a catalog snapshot, permission matrix, and schema boundary audit for hosts that consume this plugin through For the default local source gate, run:<\/p>\n\n When the plugin is installed in a local WordPress site, run:<\/p>\n\n For isolated bounded-chain performance validation, run:<\/p>\n\n No. Npcink Abilities Toolkit exposes WordPress abilities and support information through the WordPress Abilities API. Model routing, prompt selection, hosted runtime execution, and workflow execution belong to a separate host product or client.<\/p><\/dd>\n No. The admin page checks are read-only. Some built-in abilities describe write-like or destructive operations, but final commits require a host runtime with its own approval, authorization, and audit layer.<\/p><\/dd>\n No. Npcink AI is an optional consumer. The plugin can also be used by other plugins or clients that consume the WordPress Abilities API.<\/p><\/dd>\n Site Info proves that an authorized ability client can read basic WordPress site information. Redacted Diagnostics proves that the site can return a support-friendly environment summary with sensitive fields omitted. These checks do not call models, generate content, contact external services, or fix configuration automatically.<\/p><\/dd>\n No. The diagnostics summary intentionally omits Npcink AI settings, MCP settings, API keys, database names, table prefixes, filesystem paths, error logs, and external HTTP probes.<\/p><\/dd>\n Open Tools -> Site AI Abilities, or Npcink AI -> AI Abilities when a Npcink AI host menu is present. Use the Checks tab to confirm safe read-only responses, then use Available Abilities to review what the site exposes. Developers and host products can use Developer Access for REST endpoint values and raw discovery responses.<\/p><\/dd>\n The WordPress Abilities API routes must be available before clients can discover and run abilities. Enable the WordPress Abilities API baseline or compatibility plugin for the target site.<\/p><\/dd>\n\n<\/dl>\n\n\nnpcink-abilities-toolkit\/upload-media-from-url<\/code> ability can download a media file from a URL provided by an authenticated caller when an approved host runtime commits that ability. In that case WordPress sends an HTTP request to the caller-provided URL in order to fetch the media file for the local media library. The remote endpoint is chosen by the caller, not by this plugin.<\/p>\n\nRequirements<\/h3>\n\n
\n
Public API<\/h3>\n\n
\n
npcink_abilities_toolkit_register_category( $category_id, $args )<\/code><\/li>\nnpcink_abilities_toolkit_register_readonly( $ability_id, $definition )<\/code><\/li>\nnpcink_abilities_toolkit_register_write_proposal( $ability_id, $definition )<\/code><\/li>\nnpcink_abilities_toolkit_normalize_schema( $schema, $default_type )<\/code><\/li>\nnpcink_abilities_toolkit_normalize_annotations( $annotations, $risk_level )<\/code><\/li>\nnpcink_abilities_toolkit_get_registered()<\/code><\/li>\nnpcink_abilities_toolkit_get_workflow_definitions()<\/code><\/li>\nnpcink_abilities_toolkit_get_workflow_definition( $recipe_id )<\/code><\/li>\n<\/ul>\n\nThird-Party Integration Quickstart<\/h3>\n\n
plugins_loaded<\/code>, check that the public\nhelper exists, and then register their abilities through the helper functions:<\/p>\n\nif ( function_exists( 'npcink_abilities_toolkit_register_readonly' ) ) { npcink_abilities_toolkit_register_readonly( 'acme\/site-summary', $definition ); }\n<\/code><\/pre>\n\nincludes\/<\/code> directory or instantiate\nclasses in the Npcink_Abilities_Toolkit<\/code> namespace. Those are implementation\ndetails.<\/p>\n\nnpcink_abilities_toolkit_register_readonly()<\/code> for read-only context and\ndiagnostic abilities. Use npcink_abilities_toolkit_register_write_proposal()<\/code>\nonly when the callback returns a proposal, preview, diff, or handoff payload.\nThird-party provider callbacks should not perform final host-governed commits.\nApproval, audit, quota, and final write authorization belong to the consuming\nhost runtime.<\/p>\n\n\n
\/wp-json\/wp-abilities\/v1\/categories<\/code><\/li>\n\/wp-json\/wp-abilities\/v1\/abilities<\/code><\/li>\n\/wp-json\/wp-abilities\/v1\/abilities\/{namespace}\/{name}\/run<\/code><\/li>\n\/wp-json\/npcink-abilities-toolkit\/v1\/contract<\/code><\/li>\n<\/ul>\n\nhttps:\/\/github.com\/muze-page\/npcink-abilities-toolkit\n<\/code><\/pre>\n\nwp-abilities\/v1<\/code> REST routes are missing, enable the WordPress\nAbilities API baseline or compatibility plugin before connecting third-party\nproviders or clients.<\/p>\n\nAdmin Page<\/h3>\n\n
Built-In Abilities<\/h3>\n\n
npcink-abilities-toolkit\/*<\/code> ids.<\/p>\n\nnpcink-abilities-toolkit\/wp-diagnostics-summary<\/code>, a redacted WordPress-only diagnostics summary for Abilities API clients. This summary intentionally omits Npcink AI settings, MCP settings, API keys, database names, table prefixes, filesystem paths, error logs, and external HTTP probes.<\/p>\n\nnpcink-abilities-toolkit\/search-posts<\/code> and npcink-abilities-toolkit\/search-post-meta<\/code>, bounded local WordPress search helpers for keyword and explicit post-meta discovery. These are read-only helpers and do not call external search indexes or mutate content.<\/p>\n\nnpcink-abilities-toolkit\/list-workflow-recipes<\/code> and npcink-abilities-toolkit\/get-workflow-recipe<\/code>, read-only host composition recipe metadata discovery abilities. These expose metadata only and do not execute workflow runtime behavior.<\/p>\n\nnpcink-ai-core<\/code>.<\/p>\n\nDeveloper Verification<\/h3>\n\n
composer test:all\n<\/code><\/pre>\n\nWP_PATH=\/path\/to\/wordpress composer smoke:wp\n<\/code><\/pre>\n\ncomposer perf:smoke\n<\/code><\/pre>\n\n\n\n
Does this plugin run AI models?<\/h3><\/dt>\n
Will this plugin change my posts, media, terms, comments, or settings by itself?<\/h3><\/dt>\n
Do I need Npcink AI to use this plugin?<\/h3><\/dt>\n
What do the Safe Checks prove?<\/h3><\/dt>\n
Does Redacted Diagnostics expose secrets?<\/h3><\/dt>\n
What should I do if abilities are not visible to a host product or AI client?<\/h3><\/dt>\n
What if the wp-abilities\/v1 REST routes are missing?<\/h3><\/dt>\n
0.5.2<\/h4>\n\n
\n
0.5.1<\/h4>\n\n
\n
actions\/checkout@v5<\/code>.<\/li>\n<\/ul>\n\n0.5.0<\/h4>\n\n
\n
test<\/code> terminology in released ability ids and schema fields.<\/li>\n0.4.0<\/h4>\n\n
\n
requires_approval<\/code>, explicit dry-run and commit defaults, and bounded idempotency keys.<\/li>\n0.3.0<\/h4>\n\n
\n
core_wordpress_read<\/code> profile.<\/li>\nnpcink-abilities-toolkit\/*<\/code> as the canonical id namespace for abilities owned by this plugin.<\/li>\n0.2.0<\/h4>\n\n
\n
0.1.0<\/h4>\n\n
\n