
Release 2.0.1 #23

Merged
zackkatz merged 2 commits into main from develop
Jun 12, 2026
@zackkatz zackkatz commented Jun 12, 2026

Release 2.0.1

Connector fix for local development sites served over HTTPS with locally-trusted certificates.

Changes

  • fix(connect): surface TLS failure causes and propagate NODE_EXTRA_CA_CERTS
    • The credential exchange now names the underlying network/TLS cause code instead of reporting a bare fetch failed, with an actionable NODE_EXTRA_CA_CERTS hint on certificate-trust failures (Node ignores the OS trust store, so certs from Laravel Herd/Valet, Local, OrbStack, mkcert fail even when the browser trusts them).
    • NODE_EXTRA_CA_CERTS set during connect is copied into every generated MCP client config (Cursor, Claude Desktop, claude mcp add, printed configs) so the server can keep reaching the site after setup.
  • Version bumps: plugin 2.0.1 (header, constant, stable tag), MCP server package.json 2.0.1, changelog + Upgrade Notice.

Verification

  • Vitest: 723/723 (11 new tests, written failing-first)
  • tsc --noEmit: clean
  • composer lint: 0 errors / 0 warnings · composer analyze: [OK]
  • PHPUnit: 995 + 24 + 4 tests OK (main / yoast / multisite)
  • Live end-to-end: connect → exchange → claude mcp add → authenticated REST call verified against a Herd-served local site

Summary by CodeRabbit

  • New Features

    • Improved error messaging when authenticating with local development sites, including TLS certificate troubleshooting guidance
    • Support for custom certificate authorities via NODE_EXTRA_CA_CERTS propagation in MCP configurations
  • Bug Fixes

    • Resolved issue where local-site access was lost following setup

💾 Build file (58c9c99).

zackkatz added 2 commits June 12, 2026 15:59
…CERTS

The credential exchange reported every network-level failure as a bare
'fetch failed', hiding the real reason (TLS, DNS, refused connection) in
the error's cause. The exchange error now names the underlying cause code,
and certificate-trust failures (self-signed / untrusted local CAs from
tools like Laravel Herd/Valet, Local, OrbStack, mkcert) carry an
actionable NODE_EXTRA_CA_CERTS hint — Node uses its own CA bundle and
ignores the operating system's trust store, so a cert the browser trusts
can still fail in the connector.

When NODE_EXTRA_CA_CERTS is set during connect, it is now copied into
every generated MCP client config (buildMcpEntry for Cursor / Claude
Desktop / printed configs, claudeCodeAddArgs for 'claude mcp add'): the
server talks to the same site over the same Node TLS stack, so it needs
the same trust anchor the connector did.
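
The cause-code reporting described in the commit message above, as an added TypeScript example that is not the project's code: `describeFetchFailure`, `TRUST_CODES`, `CA_HINT`, `prop` and `sampleError` are hypothetical names, the hint wording is assumed, and the sample errors are constructed. The six trust codes are the ones named in this PR's review.

```typescript
// Added example, not the project's source; all names here are hypothetical.
// Cause codes meaning "the chain does not lead to a CA that Node trusts".
const TRUST_CODES = new Set<string>([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_GET_ISSUER_CERT',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'CERT_UNTRUSTED',
]);

// Assumed wording for the hint shown on certificate-trust failures.
const CA_HINT =
  'Node ignores the OS trust store. Set NODE_EXTRA_CA_CERTS to the PEM file ' +
  'of the local CA that issued the site certificate, then retry.';

// Read a property from an unknown value without assuming its shape.
function prop(value: unknown, key: string): unknown {
  if (typeof value !== 'object' || value === null) return undefined;
  return (value as Record<string, unknown>)[key];
}

// Node's fetch rejects with TypeError('fetch failed'); the real reason
// (TLS, DNS, refused connection) sits on err.cause as { code, message }.
function describeFetchFailure(err: unknown): { text: string; trustFailure: boolean } {
  const msg = prop(err, 'message');
  const summary = typeof msg === 'string' ? msg : String(err);
  const cause = prop(err, 'cause');
  const code = prop(cause, 'code');
  const detail = prop(cause, 'message');
  // No usable cause code: report only what the error itself says.
  if (typeof code !== 'string') return { text: summary, trustFailure: false };
  const reason = typeof detail === 'string' ? `${code}: ${detail}` : code;
  const trustFailure = TRUST_CODES.has(code);
  // The hint is appended only for trust failures, never for DNS or refused connections.
  const text = `${summary} (${reason})` + (trustFailure ? ` ${CA_HINT}` : '');
  return { text, trustFailure };
}

// Constructed sample errors shaped like the ones fetch produces.
function sampleError(code?: string, message?: string): Error {
  const err = new TypeError('fetch failed');
  if (code !== undefined) Object.assign(err, { cause: { code, message } });
  return err;
}
```
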
coderabbitai Bot commented Jun 12, 2026

Walkthrough

This patch release (v2.0.1) enhances credential-exchange failure reporting by detecting TLS certificate trust errors and propagating NODE_EXTRA_CA_CERTS into MCP server configurations. The same changes are implemented across both the Node.js connector and WordPress plugin, with comprehensive test coverage and user-facing documentation updates.

Changes

TLS Error Handling and CA Certificate Configuration

Layer (File(s)): Summary

  • Node.js TLS error formatting helper (src/connect.ts): Introduces describeExchangeFetchError that extracts cause.code and cause.message from fetch errors, detects TLS certificate trust failures, and appends actionable guidance for setting NODE_EXTRA_CA_CERTS.
  • Node.js credential exchange error handling (src/connect.ts): exchangeCode now uses describeExchangeFetchError to throw detailed error messages when credential POST requests fail, replacing simple .message extraction.
  • Node.js MCP config builders with NODE_EXTRA_CA_CERTS (src/connect.ts): buildMcpEntry and claudeCodeAddArgs accept optional extraCaCerts parameter (defaulting to process.env.NODE_EXTRA_CA_CERTS) and conditionally include the environment variable in generated MCP server configurations and Claude mcp add arguments.
  • Node.js connector tests (tests/connect.test.ts): Extended with vitest mocking support and two test groups: (1) network-failure diagnostics asserting TLS trust errors surface codes and CA hints while non-trust failures do not, and (2) NODE_EXTRA_CA_CERTS propagation verifying environment variable flows through buildMcpEntry, cursorConfig, and claudeCodeAddArgs.
  • WordPress plugin TLS error formatting (wordpress-plugin/gk-block-mcp/assets/mcp-server/index.cjs): Plugin bundle updated with TLS_TRUST_ERROR_CODES set, CA_TRUST_HINT string, and describeExchangeFetchError formatter mirroring the Node.js implementation.
  • WordPress plugin MCP config builders (wordpress-plugin/gk-block-mcp/assets/mcp-server/index.cjs): buildMcpEntry and claudeCodeAddArgs in the plugin bundle updated to accept extraCaCerts and conditionally include NODE_EXTRA_CA_CERTS in generated configurations.
  • Version bumps and release documentation (package.json, wordpress-plugin/gk-block-mcp/gk-block-mcp.php, wordpress-plugin/gk-block-mcp/readme.txt): Version bumped to 2.0.1 across all metadata. README includes upgrade notice and changelog describing improved connection error messaging, post-setup access fix, and NODE_EXTRA_CA_CERTS propagation for local development certificate support.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 35.71% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check (❓ Inconclusive): The title 'Release 2.0.1' is generic and does not clearly convey the main technical change (credential exchange failure reporting and NODE_EXTRA_CA_CERTS propagation for local dev HTTPS sites). Resolution: Consider a more descriptive title that highlights the key fix, such as 'feat: improve TLS error reporting and propagate NODE_EXTRA_CA_CERTS in MCP configs' or similar.

✅ Passed checks (3 passed)

  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
tests/connect.test.ts (1)

694-699: ⚡ Quick win

Assert every trust code used by production logic.

This list is missing UNABLE_TO_GET_ISSUER_CERT and CERT_UNTRUSTED, so regressions on those codes would slip through.

Suggested patch
     const trustCodes = [
       'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
       'DEPTH_ZERO_SELF_SIGNED_CERT',
       'SELF_SIGNED_CERT_IN_CHAIN',
+      'UNABLE_TO_GET_ISSUER_CERT',
       'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
+      'CERT_UNTRUSTED',
     ];
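
Review bot: The trustCodes array in the test stays a hand-maintained copy of the production list, so adding 'UNABLE_TO_GET_ISSUER_CERT' and 'CERT_UNTRUSTED' closes the current gap but the two lists can drift again the next time a code is added. If the production set can be exported, iterate over it in the test instead of restating it here, and keep a non-trust code in the same test group to confirm the CA hint is withheld for it.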
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/connect.test.ts` around lines 694 - 699, The test's trustCodes array
(variable trustCodes) is missing two production-used error codes; update the
trustCodes declaration to include 'UNABLE_TO_GET_ISSUER_CERT' and
'CERT_UNTRUSTED' alongside the existing entries so the test asserts all
trust-related SSL error codes used by production logic.
📥 Commits

Reviewing files that changed from the base of the PR and between ddb6b7a and 58c9c99.

📒 Files selected for processing (6)
  • package.json
  • src/connect.ts
  • tests/connect.test.ts
  • wordpress-plugin/gk-block-mcp/assets/mcp-server/index.cjs
  • wordpress-plugin/gk-block-mcp/gk-block-mcp.php
  • wordpress-plugin/gk-block-mcp/readme.txt

Comment thread src/connect.ts
Comment on lines +485 to +487
const hasCaCerts = typeof extraCaCerts === 'string' && extraCaCerts.trim() !== '';
if (hasCaCerts) {
env.NODE_EXTRA_CA_CERTS = extraCaCerts;

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Trim extraCaCerts before writing it into env/args.

The presence check uses trim(), but the untrimmed value is persisted/forwarded. Leading/trailing whitespace can produce an invalid path and break TLS trust loading.

Suggested patch
 export function buildMcpEntry(
   creds: Credentials,
   extraCaCerts: string | undefined = process.env.NODE_EXTRA_CA_CERTS
 ): McpServerEntry {
+  const normalizedExtraCaCerts =
+    typeof extraCaCerts === 'string' ? extraCaCerts.trim() : '';
+
   const env: Record<string, string> = {
     WORDPRESS_URL: creds.site,
     WORDPRESS_USER: creds.user,
     WORDPRESS_APP_PASSWORD: creds.password,
   };
-  const hasCaCerts = typeof extraCaCerts === 'string' && extraCaCerts.trim() !== '';
-  if (hasCaCerts) {
-    env.NODE_EXTRA_CA_CERTS = extraCaCerts;
+  if (normalizedExtraCaCerts !== '') {
+    env.NODE_EXTRA_CA_CERTS = normalizedExtraCaCerts;
   }
   return {
     command: 'npx',
     args: ['-y', '`@gravitykit/block-mcp`'],
     env,
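
Review bot: In buildMcpEntry, normalizedExtraCaCerts is trimmed but otherwise written to env.NODE_EXTRA_CA_CERTS exactly as supplied, and the resulting entry is launched later by the MCP client rather than by the connector. A relative path would then resolve against the client's working directory, and Node only emits a warning when the file cannot be loaded, so the server would fall back to the same untrusted-certificate failure this release is meant to fix. Consider resolving the value to an absolute path before assigning it and checking at connect time that the file is readable.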
@@
 export function claudeCodeAddArgs(
   creds: Credentials,
   name: string = 'block-mcp',
   extraCaCerts: string | undefined = process.env.NODE_EXTRA_CA_CERTS
 ): string[] {
+  const normalizedExtraCaCerts =
+    typeof extraCaCerts === 'string' ? extraCaCerts.trim() : '';
+
   const envArgs = [
     '--env',
     `WORDPRESS_URL=${creds.site}`,
     '--env',
     `WORDPRESS_USER=${creds.user}`,
     '--env',
     `WORDPRESS_APP_PASSWORD=${creds.password}`,
   ];
-  const hasCaCerts = typeof extraCaCerts === 'string' && extraCaCerts.trim() !== '';
-  if (hasCaCerts) {
-    envArgs.push('--env', `NODE_EXTRA_CA_CERTS=${extraCaCerts}`);
+  if (normalizedExtraCaCerts !== '') {
+    envArgs.push('--env', `NODE_EXTRA_CA_CERTS=${normalizedExtraCaCerts}`);
   }
   return ['mcp', 'add', name, '--scope', 'user', ...envArgs, '--', 'npx', '-y', '`@gravitykit/block-mcp`'];
 }
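
Review bot: The two normalizedExtraCaCerts lines at the top of claudeCodeAddArgs repeat the ones added to buildMcpEntry verbatim; move the trim-and-default logic into one small helper that both functions call, so the two generated outputs cannot disagree about what counts as a set value. The path is also interpolated into a single `NODE_EXTRA_CA_CERTS=...` element, which is safe only while the array is handed to the process directly; if these arguments are ever joined into a printed command line, a path containing spaces needs quoting.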

Also applies to: 582-584

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/connect.ts` around lines 485 - 487, The check uses extraCaCerts.trim()
but writes the untrimmed extraCaCerts into env/args; change the code to compute
a trimmed value (e.g., const trimmedExtraCa = extraCaCerts.trim()), use that for
the hasCaCerts check and assign trimmedExtraCa to env.NODE_EXTRA_CA_CERTS and to
any args (the other occurrence around the args assignment) so leading/trailing
whitespace can't produce an invalid path.

@zackkatz zackkatz merged commit 959860a into main Jun 12, 2026
9 checks passed