feat: GravityKit abilities plane (dynamic product tools via Foundation) + credential-aware auth

.env.example

@@ -1,58 +1,113 @@
 # GravityKit MCP Configuration
 
-# Required: Gravity Forms REST API v2 Credentials
-# Generate these in your WordPress admin: Forms > Settings > REST API
-GRAVITY_FORMS_CONSUMER_KEY=ck_your_consumer_key_here
-GRAVITY_FORMS_CONSUMER_SECRET=cs_your_consumer_secret_here
+# ============================================================
+# REQUIRED: WordPress credentials
+#
+# Recommended: a WordPress application password (Users > Profile >
+# Application Passwords). KEY = your username, SECRET = the generated
+# password. Access follows your WordPress capabilities, and on sites
+# running GravityKit Foundation the same credential powers the
+# GravityKit product tools too.
+#
+# Alternative (scoped access, e.g. read-only): a Gravity Forms API
+# key from Forms > Settings > REST API (ck_... / cs_...).
+#
+# Either way, check "Enable access to the API" on Forms > Settings >
+# REST API once — Gravity Forms doesn't register its REST routes
+# without it.
+# ============================================================
+GRAVITY_FORMS_CONSUMER_KEY=your_wp_username
+GRAVITY_FORMS_CONSUMER_SECRET="xxxx xxxx xxxx xxxx xxxx xxxx"
+# GRAVITY_FORMS_CONSUMER_KEY=ck_your_consumer_key_here
+# GRAVITY_FORMS_CONSUMER_SECRET=cs_your_consumer_secret_here
 
 # Required: Your WordPress site URL (no trailing slash)
 GRAVITY_FORMS_BASE_URL=https://yoursite.com
 
-# Example for local development:
-# GRAVITY_FORMS_CONSUMER_KEY=ck_3f4d5e6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e
-# GRAVITY_FORMS_CONSUMER_SECRET=cs_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
-# GRAVITY_FORMS_BASE_URL=https://local.gravityforms.test
+# Shorthand aliases also supported (used internally by test-config):
+# GF_CONSUMER_KEY=ck_...
+# GF_CONSUMER_SECRET=cs_...
+# GF_URL=https://yoursite.com
 
-# Example for live site:
-# GRAVITY_FORMS_CONSUMER_KEY=ck_production_key_from_wordpress_admin
-# GRAVITY_FORMS_CONSUMER_SECRET=cs_production_secret_from_wordpress_admin
-# GRAVITY_FORMS_BASE_URL=https://www.yourwebsite.com
+# ============================================================
+# AUTHENTICATION
+# ============================================================
+# The client auto-selects the transport from your credentials:
+# app-password creds use Basic (HTTPS or local URLs); ck_/cs_ key
+# pairs use Basic on HTTPS and OAuth 1.0a on plain HTTP (Gravity
+# Forms only accepts key-pair Basic auth over HTTPS). Set this ONLY
+# to override — an explicit value is always honored, everywhere.
+# GRAVITY_FORMS_AUTH_METHOD=basic
 
-# Authentication Settings
-# Authentication method: 'basic' (recommended) or 'oauth'
-GRAVITY_FORMS_AUTH_METHOD=basic
-
-# Security Settings
-# Set to 'true' to enable DELETE operations (forms and entries)
+# ============================================================
+# SECURITY
+# ============================================================
+# Set to 'true' to enable DELETE operations (forms, entries, feeds)
 # WARNING: This allows permanent deletion of data
 GRAVITY_FORMS_ALLOW_DELETE=false
 
-# Optional: Connection Settings
-GRAVITY_FORMS_TIMEOUT=30000
-GRAVITY_FORMS_MAX_RETRIES=3
-GRAVITY_FORMS_RETRY_DELAY=1000
-
 # SSL Certificate Validation (for local development only)
 # Set to 'true' to allow self-signed SSL certificates (Laravel Valet, MAMP, Local WP, etc.)
-# ⚠️ SECURITY WARNING: Only enable for local development, never in production!
-# MCP_ALLOW_SELF_SIGNED_CERTS=true
+# SECURITY WARNING: Only enable for local development, never in production!
+# GRAVITY_FORMS_ALLOW_SELF_SIGNED_CERTS=true
 
-# Optional: Debug Settings
-# ⚠️ SECURITY WARNING: Debug logs may contain sensitive data (API keys, user info)
-# Only enable in secure development environments. Never share debug logs publicly.
-# Logs are automatically sanitized but review before sharing with support.
+# ============================================================
+# CONNECTION
+# ============================================================
+GRAVITY_FORMS_MAX_RETRIES=3
+GRAVITY_FORMS_TIMEOUT=30000
+
+# ============================================================
+# DEBUG
+# ============================================================
+# SECURITY WARNING: Debug logs may contain sensitive data (API keys, user info).
+# Only enable in secure development environments.
 GRAVITY_FORMS_DEBUG=false
 
-# Optional: Rate Limiting
-GRAVITY_FORMS_RATE_LIMIT=100
-GRAVITY_FORMS_RATE_WINDOW=60000
+# ============================================================
+# TEST ENVIRONMENT
+# Use a separate test/staging site to avoid affecting production data.
+# ============================================================
 
-# Test Settings (for integration tests)
-# Use a separate test site to avoid affecting production data
+# Primary test env var names:
 GRAVITY_FORMS_TEST_BASE_URL=https://test.yoursite.com
 GRAVITY_FORMS_TEST_CONSUMER_KEY=ck_test_key_here
 GRAVITY_FORMS_TEST_CONSUMER_SECRET=cs_test_secret_here
 
-# Enable test mode (MCP-specific setting)
+# Additional test overrides (remapped to primary vars in test mode):
+# GRAVITY_FORMS_TEST_URL=https://test.yoursite.com    (alias for TEST_BASE_URL)
+# GRAVITY_FORMS_TEST_AUTH_METHOD=basic
+# GRAVITY_FORMS_TEST_TIMEOUT=30000
+
+# Shorthand aliases also supported:
+# TEST_GF_URL=https://test.yoursite.com
+# TEST_GF_CONSUMER_KEY=ck_test_key_here
+# TEST_GF_CONSUMER_SECRET=cs_test_secret_here
+
+# WordPress credentials (used by test scripts, not the MCP server itself):
+# TEST_WP_USER=admin
+# TEST_WP_PASSWORD=password
+
+# Enable test mode — when true, GRAVITY_FORMS_TEST_* vars are remapped
+# to their primary equivalents so the client connects to the test site.
 # GRAVITYKIT_MCP_TEST_MODE=true
-# Legacy name also supported: GRAVITYMCP_TEST_MODE=true
+# Legacy name also supported: GRAVITYMCP_TEST_MODE=true
+# Also activated when NODE_ENV=test
+# =============================================
+# GravityKit Abilities (gv_* and other product tools)
+# =============================================
+# WordPress credentials for the abilities transport (Foundation catalog
+# at /wp-json/gravitykit/v1 + WP core /wp-json/wp-abilities/v1).
+# Optional — falls back to GRAVITY_FORMS_BASE_URL and the
+# GRAVITY_FORMS_CONSUMER_KEY/SECRET pair when unset.
+# GRAVITYKIT_WP_URL=https://your-site.com
+# GRAVITYKIT_WP_USERNAME=admin
+# GRAVITYKIT_WP_APP_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx"
+# GRAVITYKIT_TIMEOUT=30000
+
+# Security-coverage fixtures for the integration suite (all optional —
+# the deny tests skip cleanly when unset):
+# GRAVITY_FORMS_TEST_LOWPRIV_USER=subscriber_login
+# GRAVITY_FORMS_TEST_LOWPRIV_APP_PASSWORD="app password for a user WITHOUT GF capabilities"
+# GRAVITY_FORMS_TEST_READONLY_CONSUMER_KEY=ck_key_with_read_permissions
+# GRAVITY_FORMS_TEST_READONLY_CONSUMER_SECRET=cs_matching_secret

.gitignore

@@ -65,6 +65,9 @@ test-results/
 test-artifacts/
 tmp/
 
+# Review reports (codex / adversarial output)
+reports/
+
 # MCP specific
 mcp-server.log
 debug.log

.mcp.json

@@ -151,13 +151,13 @@
     "optional": [
       {
         "name": "GRAVITY_FORMS_AUTH_METHOD",
-        "description": "Authentication method: 'basic' (recommended) or 'oauth'",
+        "description": "Authentication method: 'basic' (recommended) or 'oauth'/'oauth1'. Basic requires HTTPS; falls back to OAuth on HTTP.",
         "type": "string",
         "default": "basic"
       },
       {
         "name": "GRAVITY_FORMS_ALLOW_DELETE",
-        "description": "Set to 'true' to enable DELETE operations (forms and entries)",
+        "description": "Set to 'true' to enable DELETE operations (forms, entries, feeds)",
         "type": "boolean",
         "default": false
       },
@@ -175,7 +175,13 @@
       },
       {
         "name": "GRAVITY_FORMS_DEBUG",
-        "description": "Enable debug logging",
+        "description": "Enable debug logging (output goes to stderr)",
+        "type": "boolean",
+        "default": false
+      },
+      {
+        "name": "GRAVITY_FORMS_ALLOW_SELF_SIGNED_CERTS",
+        "description": "Allow self-signed SSL certificates (local development only, never in production)",
         "type": "boolean",
         "default": false
       }
@@ -187,7 +193,7 @@
     "repository": "https://github.com/GravityKit/MCP",
     "documentation": "https://github.com/GravityKit/MCP#readme",
     "api_coverage": "100%",
-    "total_tools": 24,
+    "total_tools": 26,
     "authentication_methods": ["OAuth 1.0a", "Basic Authentication"],
     "features": [
       "Complete REST API v2 coverage",