Linux 软件免费装
Banner图

Secure MCP Connector for Claude, ChatGPT and other AI providers

开发者 cyberlord92
更新时间 2026年7月15日 18:01
PHP版本: 7.4 及以上
WordPress版本: 7.0
版权: Expat
版权网址: 版权信息

标签

ai oauth mcp abilities governance

下载

1.1.1 1.0.0 1.2.0 1.1.0 1.2.1 1.2.2 1.2.3 1.3.0

详情介绍:

miniOrange Secure MCP Server helps WordPress administrators with AI governance and policy enforcement: understanding, and controlling, what AI assistants and MCP clients are allowed to do on their site. The WordPress Abilities API (available in WordPress 6.9 and later) lets plugins and WordPress core expose discrete, machine-callable capabilities — for example: get site info, create a post, or generate a summary. This plugin turns those abilities into a remote Model Context Protocol (MCP) server so AI clients can discover and invoke them, protected by a self-hosted OAuth 2.1 authorization server. What this version does Every MCP request runs as the WordPress user who authorized it, so what an AI client can do is bounded by that user's own capabilities.

安装:

  1. Upload the plugin files to the /wp-content/plugins/miniorange-secure-mcp-server directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the "Plugins" screen in WordPress.
  3. Open the "Secure MCP Server" menu item (under Tools) to review the NHI Registry and abilities registered on your site.
  4. Connect an MCP client (see the FAQ) to https://YOUR-SITE/wp-json/mosmcp/v1/mcp.

升级注意事项:

1.3.0 Adds a full execution activity log and a redesigned dashboard. Existing installs are migrated automatically; no manual upgrade steps are required. 1.2.3 UI refinements to the role & ability editor and general polish and fixes 1.2.2 Adds role-based access control to the NHI Registry and a member "My AI Access" view. Existing NHIs are migrated automatically and continue to work; review each one to scope its abilities per role. No manual upgrade steps are required. 1.2.1 Adds a floating Contact Support button, a quick Setup Guide link, and an improved deactivation feedback experience. No database changes or upgrade steps are required. 1.2.0 Adds the NHI Registry screen for managing connected AI clients, per-ability toggles on the Abilities screen, and a revamped plugin UI. No database changes; no upgrade steps required. 1.1.1 Adds support and deactivation feedback forms. No database changes; no upgrade steps required. 1.1.0 Introduces the OAuth-protected MCP server. The plugin now creates database tables; review the updated privacy note in the FAQ. 1.0.0 Initial release. No upgrade steps required.

常见问题:

How do ChatGPT and Claude connect?

Add a custom connector pointing at your MCP endpoint, https://YOUR-SITE/wp-json/mosmcp/v1/mcp. The client discovers the OAuth endpoints automatically, registers itself, walks you through logging in to WordPress and approving access, and then connects. The site must be reachable over HTTPS (cloud clients cannot reach localhost); for local development, expose the site through an HTTPS tunnel such as ngrok or cloudflared.

Does this plugin store any data?

Yes. To run the OAuth server it creates three database tables for registered clients, short-lived authorization codes, and access/refresh tokens. Tokens and client secrets are stored only as keyed hashes, never in plaintext. A single options row holds the plugin's hash salt. All of this is removed when the plugin is deleted.

My server returns 401 even with a valid token.

Some Apache configurations strip the Authorization header before it reaches PHP. Add the following to your WordPress root .htaccess: RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Why does the "Source" column show a namespace instead of a plugin name?

The Abilities API does not record which plugin registered a given ability. The namespace prefix (the part before the slash in the ability name) is the most reliable indicator of where an ability comes from.

What is the NHI Registry?

The NHI (Non-Human Identity) Registry is where you create and manage named, role-based ability policies for AI clients. Each NHI maps WordPress roles to the abilities those roles may invoke. When an AI client makes an MCP request, the effective set of allowed abilities is the union — across every enabled NHI — of the abilities granted to the connecting user's role(s). So two users connecting the same client to the same site can see different tools, based on their roles. You can create as many NHIs as you need and toggle them on or off independently.

How do I control which abilities an AI client can access?

There are two levels of control. First, use the per-ability toggle on the Abilities screen to exclude an individual ability from being exposed as an MCP tool entirely — this applies regardless of any NHI policy. Second, use the NHI Registry to grant abilities per role: only the abilities mapped to the connecting user's role(s), across enabled NHIs, are reachable. The builder also flags "capability conflicts" — granting a role an ability whose required WordPress capability the role lacks — and blocks saving until they are resolved, so a grant can never silently do nothing.

Can I disable an NHI without deleting it?

Yes. Every NHI has an enable/disable toggle in the NHI Registry screen. A disabled NHI has no effect on MCP requests but its name and ability list are preserved, so you can re-enable it at any time without reconfiguring it.

更新日志:

1.3.0 1.2.3 1.2.2 1.2.1 1.2.0 1.1.1 1.1.0 1.0.0