Npcink Governance Core
| 开发者 | muze233 |
|---|---|
| 更新时间 | 2026年6月21日 11:20 |
| PHP版本: | 8.0 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
- Discovers available WordPress abilities for governance intake.
- Stores proposals for AI-assisted WordPress operations.
- Supports approve and reject decisions with audit evidence.
- Provides commit-preflight context before a trusted host or adapter performs final writes.
- Manages scoped app keys for trusted governance clients.
- Records audit events for proposal creation, policy evaluation, approval, rejection, commit preflight, and execution-result handoff.
- Keeps governance separate from content generation, model routing, cloud service billing, and final write execution.
/wp-json/npcink-governance-core/v1/. Trusted adapters and host plugins can use those endpoints to create proposals, approve or reject proposals, request commit preflight, and record external execution results.
Privacy and data
Npcink Governance Core does not call external AI services, does not load remote assets, and does not send site data to third parties. It stores governance records locally in WordPress database tables, including proposal data, audit events, app-key metadata, and rate-limit state. App-key secrets are hashed before storage, and one-time bearer tokens are shown only when created.
Boundaries
Core does not generate content, route models, run MCP or workflow runtimes, store provider credentials, proxy ability execution, or perform final WordPress mutations. Final writes belong to a trusted host, adapter, or runtime outside Core after the governance step is complete.
安装:
- Upload the plugin to
wp-content/plugins/npcink-governance-core. - Activate Npcink Governance Core in WordPress.
- Open Npcink AI > Core to review governance status, proposals, audit entries, and advanced Core app-key controls.
常见问题:
Who is this plugin for?
It is for site administrators, host plugins, adapters, and developers that need reviewable governance for AI-assisted WordPress operations. It is especially useful when AI tools can prepare changes but the site still needs approval, commit preflight, and audit evidence before those changes are applied.
Is this an AI content generator?
No. Core does not write articles, generate media, create SEO copy, reply to comments, choose AI models, or store provider credentials. It governs proposed operations created by separate tools, adapters, or WordPress Abilities API providers.
Does Core execute AI writes?
No. Core records governance proposals and returns commit-preflight context. Final writes belong to a trusted host, Adapter, or runtime outside Core.
What is a proposal?
A proposal is a stored request for an AI-assisted WordPress operation. It includes the target ability, input summary, preview or dry-run evidence, status, caller metadata, and audit trail needed for review.
What is commit preflight?
Commit preflight is the governance check that runs after approval and before a trusted external component performs the final write. It returns bounded context, correlation data, and input binding so the downstream component can verify that it is acting on the approved request.
Do I need another plugin for abilities?
For full ability intake, yes. Core governs abilities exposed by WordPress Abilities API providers. Npcink Abilities Toolkit is the reference provider, and third-party providers can also integrate by exposing stable ability ids, schemas, permissions, risk metadata, and dry-run previews.
Does this plugin send data to an external AI service?
No. Core does not call external AI services and does not send site data to third parties. It stores governance records locally in WordPress database tables.
What data does Core store?
Core stores proposal records, approval and rejection decisions, commit-preflight evidence, execution-result handoff records, audit events, app-key metadata, and rate-limit state. App-key secrets are stored as hashes, and one-time bearer tokens are only shown when created.
What are scoped app keys used for?
Scoped app keys allow trusted governance clients to call specific Core REST endpoints without giving them broad administrator access. They are intended for controlled hosts, adapters, and internal governance clients.
Should OpenClaw connect directly to Core?
Productized OpenClaw setup should connect through a trusted adapter. Direct Core app keys are only for internal governance clients and fallback testing.
Can third-party ability providers use Core?
Yes. The proposal lifecycle is provider-neutral at the base layer. Third-party providers can expose WordPress Abilities API definitions with schemas, permission callbacks, risk metadata, and dry-run previews, then submit write or destructive operations for Core review.