The intelligence layer on top of WooCommerce core's MCP server: analytics skills, knowledge resources, prompts, and an AI-readiness scoring engine, registered as WordPress Abilities and exposed through the single MCP endpoint at /wp-json/woocommerce/mcp.
WordPress plugin, PHP 7.4+, GPL-3.0-or-later. Public repo — never commit secrets, internal-only URLs, or anything not intended for public distribution.
Read CONTRIBUTING.md first. It is the authoritative reference for:
- Architecture (
Plugin (PHP) → Abilities API → WC core MCP server) - The privacy rule — analytics responses are aggregated only; no PII flows to AI by default
- The merchant-scope rule — tools never suggest "build a new skill / endpoint"; the merchant can't action that
- WooCommerce tables and known edge cases (refund sub-orders, returning-customer flag, refunds formula)
- Caching (don't use WC core's DataStore cache; use transients with stable cache keys)
- The full how-to for adding a new analytics Skill (questions-first, ability registration, mandatory PHPUnit test, coverage guard)
- Design patterns worth knowing — silence-isn't-signal, guardrail bad/good phrasing pairs, narrative-layer pre-compute, small-N honesty, two-frame responses, mode-switching, tool-vs-resource affordances, custom-header vs OAuth auth, regulatory thresholds
Re-stating the two highest-stakes rules because they're load-bearing for every ability description and a single violation ships to a public release:
- Privacy. Analytics responses are aggregated counts/sums/averages only. No customer names, emails, or addresses unless the
hey_woo_allow_customer_piioption is opt-in and the response shape clearly justifies it. Default off. - Merchant scope. The AI is talking to a merchant. They can't add a tool, register a REST endpoint, or edit plugin code. Tool descriptions and merchant-facing text MUST NOT suggest "a future X skill would answer this" — substitute with something the merchant can action (a setting, a manual workflow, a connector, or an honest "this isn't something we can answer"). The static guardrail-sweep test (
tests/integration/test-ability-description-guardrails.php) catches the obvious violations on every./bin/check.
hey-woo/
├── hey-woo.php # Plugin bootstrap (HPOS declaration, requirements, options migration)
├── includes/
│ ├── class-plugin.php # Singleton — wires hooks, MCP filter, mcp_adapter_init injection
│ ├── abilities/ # One file per skill. wc-analytics/* (analytics tools),
│ │ # hey-woo/* (store/readiness/search tools), wc-knowledge/*
│ │ # (resources), wc-prompts/* (prompts), hey-woo-integrations/*
│ │ # (dev-only prototype scaffolds — gated by wp_get_environment_type)
│ ├── api/ # REST controllers + AnalyticsController (shared SQL helper —
│ │ # no REST routes; abilities call into it)
│ ├── knowledge/ # Provider pattern (store profile / catalog / product / policy)
│ ├── scoring/ # Engine + 4 factors (product, schema, content, policy)
│ ├── settings/ # WC > Settings > Hey Woo tab
│ └── telemetry/ # SkillTelemetry + handlers (log, Tracks-gated by opt-in toggle)
├── tests/integration/ # PHPUnit; runs inside wp-env tests-cli container
├── tools/
│ ├── seed-demo-store.php # 24-month, 5k-order seeded demo store (mt_srand(42))
│ └── mu-plugins/ # dev-only mu-plugins (allow-insecure-transport for HTTP wp-env)
├── skills/ # Reference Claude Code / Codex skills (catalog-audit,
│ # product-content-generator, store-health-monitor)
├── bin/
│ ├── check # Local CI mirror — PHPCS + composer audit + PHPUnit + DCC
│ └── check-dcc # Data Consistency Checker (gated; auto-skips if not installed)
├── docs/performance-and-hosting.md
├── .wp-env.json # wp-env (port 8888, mounts plugin + tools/mu-plugins)
└── .github/workflows/ # ci.yml (PHPCS + PHPUnit) · release.yml (tag → plugin zip)
npx @wordpress/env start # boots WP 6.9 + WC + this plugin on http://localhost:8888
# afterStart enables the MCP feature flag, activates WC + Hey Woo,
# installs WC pages, sets a UK store address (London / GBP)
./bin/check # full pre-push gate (PHPCS, composer audit, PHPUnit, DCC)To seed a realistic demo store (deterministic — mt_srand(42)):
npx @wordpress/env run cli -- bash -c "cat > /tmp/seed.php" < tools/seed-demo-store.php
npx @wordpress/env run cli -- wp eval-file /tmp/seed.phpThese are validated decisions. MUST NOT relitigate without strong new signal.
- No separate MCP server process. Everything ships through WC core's MCP at
/wp-json/woocommerce/mcp. This plugin registers WordPress Abilities (wp_register_ability) and opts them in viawoocommerce_mcp_include_abilityfor tools andmcp_adapter_init(priority 20, after WC's 10) for resources/prompts. WC core's component registry exposesregister_resources()/register_prompts()— that's the injection seam. - Single Abilities API namespace. Every analytics skill is at
wp-abilities/v1/abilities/wc-analytics/{skill}/run. Earlier customhey-woo/v1/analytics/*REST routes were folded into Abilities so MCP and direct callers hit one surface. - Three plugin-owned ability prefixes, declared in
Plugin::OWNED_ABILITY_NAMESPACES:wc-analytics/,hey-woo/,hey-woo-integrations/. The WC auth scope filter trusts only routes under these prefixes — a Hey Woo consumer key cannot be replayed against abilities registered by other plugins. Adding a fourth prefix is a single-edit operation; theinclude_wc_analytics_in_mcpfilter must be updated in lockstep. - Aggregated-only privacy by default. PII gate (
hey_woo_allow_customer_pii) is off; merchants opt in only when chaining with email/CRM MCPs that need real addresses.wc_string_to_boolreads the option (not(bool)—'no'would otherwise be truthy). - HPOS-compatible. Declared via
FeaturesUtil::declare_compatibility('custom_order_tables', __FILE__, true). SQL must read from HPOS tables (wp_wc_orders_metafor attribution) when available, falling back towp_postmetaonly when HPOS isn't enabled. The runtime branch lives inAnalyticsController::get_order_meta_source(). - No background work. No cron, no polling, no sync jobs. The plugin runs only when an MCP/REST request arrives. This is the contract that lets the perf doc say "lighter than loading WC Analytics a few times an hour."
- Transient cache with stable keys. Never pass live
DateTimeobjects into cache-key generation; normalise toY-m-d H:i:sstrings before hashing. WC core's DataStore cache has a known microseconds-in-key bug — don't reach for it.
- PHP 7.4+ (Composer platform pinned to 7.4 to match CI; PHPCompatibilityWP enforces the floor)
- WordPress 6.9+ (Abilities API requires it)
- WooCommerce 10.6+ (tested up to 10.7)
- PHPCS:
WordPress-Extra+WordPress-Docs+WooCommercerulesets viadealerdirect/phpcodesniffer-composer-installer - PHPUnit 9.6 +
yoast/phpunit-polyfills— runs inside the wp-envtests-clicontainer, not on host PHP @wordpress/scripts plugin-zipfor release builds; CI tag (v*) triggers.github/workflows/release.yml
Step 4 of the script (PHPUnit) shells into npx @wordpress/env run tests-cli. If wp-env isn't running, the script aborts with an explicit message before running PHPUnit. Start it once per session:
npx @wordpress/env startThe DCC step (bin/check-dcc) is gated — it auto-skips when vendor-plugins/wca-data-consistency/ isn't present, or when the dev store has no orders. Don't try to "fix" the skip; the upstream plugin is privately distributed and there's no public install path yet.
Local wp-env runs on plain HTTP. The mu-plugin at tools/mu-plugins/dev-allow-insecure-transport.php sets woocommerce_mcp_allow_insecure_transport for the dev environment only. Don't move that filter into the plugin proper — it's dev-only, deliberately.
A new analytics skill needs code + PHPUnit test + two static-sweep constants in the same PR. The coverage guard at tests/integration/test-ability-registration.php fails CI when:
- The new ability ID isn't in
Test_Ability_Registration::EXPECTED_ABILITY_IDS, or - There's no
tests/integration/test-<slug>.phpfile with at least onetest_*method.
The full how-to is in CONTRIBUTING.md (Adding a new analytics Skill). Don't shortcut the test — the coverage guard is the substitute for "did anyone actually verify this against real data?"
.wp-env.json mounts the repo into the dev environment as hey-woo and into the tests environment as hey-woo-tests. The PHPUnit container's working dir is wp-content/plugins/hey-woo-tests — that's why bootstrap.php does glob($plugin_dir . '/hey-woo/...') to find the production-side mount when loading WC. Don't rename either mount; the bootstrap and the CI workflow both rely on the slug.
The plugin is published as a UK-Automattic-shaped product (default seed store is London / GBP). British English everywhere — text strings, comments, docblocks, error messages, README/CONTRIBUTING. WP-Docs sniffs don't enforce this; rely on review.
- Branch per change. One feature / fix per branch. PR back to
trunk. - Conventional commits.
feat:,fix:,chore:,docs:. The release workflow expects this for auto-generated release notes (generate_release_notes: true). - Definition of done for a PR:
./bin/checkexits green locally (PHPCS + composer audit + PHPUnit + DCC).- New analytics skill = code + PHPUnit test + the two static-sweep constants in the same PR.
- Tool/ability descriptions don't violate the merchant-scope rule (the description-guardrail sweep enforces the obvious cases; review catches the rest).
- CONTRIBUTING.md "Design patterns worth knowing" section updated when a new reusable pattern is established.
- AGENTS.md (this file) updated when a new gotcha, command, or convention is introduced.
- Don't commit
hey-woo.zip. It's checked into the repo as a one-off artefact, but*.zipis in.gitignoreand the release workflow rebuilds it from the tag. Don't update it in regular commits.