Npcink Governance Core is the Npcink AI governance layer for WordPress operations. It gives site administrators and trusted host plugins a reviewable approval layer before AI-assisted actions are committed to a WordPress site.
Core discovers available WordPress Abilities API operations, records proposed AI actions, supports approval and rejection, returns commit-preflight context, and stores audit evidence. It is designed for installations where AI tools, adapters, or product plugins may request WordPress changes, but the site still needs a clear governance record.
What Core does
- Discovers available WordPress abilities for governance intake.
- Stores proposals for AI-assisted WordPress operations.
- Supports approve and reject decisions with audit evidence.
- Provides commit-preflight context before a trusted host or adapter performs final writes.
- Manages scoped app keys for trusted governance clients.
- Records audit events for proposal creation, policy evaluation, approval, rejection, commit preflight, and execution-result handoff.
- Keeps governance separate from content generation, model routing, cloud service billing, and final write execution.
Who should use this plugin
Npcink Governance Core is for WordPress administrators, host plugins, adapters, and developers that need a local approval and audit boundary for AI-assisted WordPress operations. It is useful when AI tools can prepare or request changes, but a site owner or trusted governance client must review, approve, and track those changes.
This plugin is not a one-click AI writer, SEO assistant, image generator, chatbot, or workflow runtime. Product workflows and ability callbacks belong in separate provider, adapter, or product plugins.
Requirements and integrations
Core works best with WordPress 7.0 or later and WordPress Abilities API providers. The reference first-party provider is Npcink Abilities Toolkit, but the base governance lifecycle can also govern third-party WordPress Abilities API providers that expose stable ability ids, schemas, permission callbacks, risk metadata, and dry-run previews.
Core exposes governance REST endpoints under /wp-json/npcink-governance-core/v1/. Trusted adapters and host plugins can use those endpoints to create proposals, approve or reject proposals, request commit preflight, and record external execution results.
Privacy and data
Npcink Governance Core does not call external AI services, does not load remote assets, and does not send site data to third parties. It stores governance records locally in WordPress database tables, including proposal data, audit events, app-key metadata, and rate-limit state. App-key secrets are hashed before storage, and one-time bearer tokens are shown only when created.
Boundaries
Core does not generate content, route models, run MCP or workflow runtimes, store provider credentials, proxy ability execution, or perform final WordPress mutations. Final writes belong to a trusted host, adapter, or runtime outside Core after the governance step is complete.