feature request: access to functions.php (and others?)

  • Resolved michealdupont

    (@michealdupont)


    1 week, 4 days ago

    would be awesome to give opencode access to php files, keep in mind that child themes exists :), just asking, expecting nothing.

    Note: I cannot write to functions.php — the Royal MCP tools only expose CSS/customizer editing, not PHP file editing. The CSS approach achieves the same goal: sidebars are hidden and content is full-width for all posts/pages, including future ones.

Viewing 1 replies (of 1 total)
  • Plugin Support rpteam

    (@rpteam)

    1 day, 22 hours ago

    Hi @michealdupont — thanks for the request, good thing to surface so we can
    explain where we draw the line.

    Short answer: PHP file editing isn’t on the roadmap and probably never will be,
    and I want to give you the why so it doesn’t feel arbitrary.

    The threat model. Every Royal MCP tool today operates on content that lives in
    the database — posts, pages, products, taxonomy, comments, settings. All of
    that is recoverable from a backup, and the worst-case scenario for a leaked API
    key is “someone messes with your content.” Adding PHP file write turns that
    into “someone plants a backdoor in functions.php and hides their tracks.” Same
    credential, completely different blast radius. We’d need to assume every
    install was one phished API key away from full code execution, and that’s not a
    trade we want to make for a free WP.org plugin.

    WP-side constraints. A meaningful percentage of production installs define
    DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS in wp-config.php specifically to
    prevent any plugin (or admin user) from editing PHP files. Honoring those
    constants means the tool silently no-ops on those sites. Not honoring them
    breaks WordPress best practice. Either way the feature is unreliable by design.

    Existing paths that already do this safely. WP-CLI over SSH (wp eval-file,
    wp shell), an IDE with SFTP/SSH access, or a “Code Snippets”-style plugin
    that stores PHP in a DB row with syntax validation and an instant kill switch.
    Each of those has guardrails (atomic write, lint, rollback) that an MCP
    file_put_contents tool would lack without a substantial engineering investment
    that doesn’t fit our scope.

    For your specific case — hiding sidebars and going full-width — the CSS via
    Customizer route the AI suggested is actually the cleanest answer regardless
    of capabilities. It’s theme-update-safe, doesn’t need a child theme, and
    reverts with one click if it ever causes layout issues.

    Hope that explains the stance, assuming since haven’t heard anything more on
    this in over a week that the CSS approach worked, so marking as resolved for now.

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.