Security & Rollback
Control what AI can do, then keep a record of what changed.
StifLi Flex MCP is designed around least privilege, explicit capabilities, client authentication and recoverable changes.
Profiles
A profile is a curated set of enabled tools. Profiles reduce risk and token cost by exposing only the operations a workflow needs.
| Profile | Use case |
|---|---|
| Safe Mode | Non-sensitive reads only. |
| WordPress Read Only | Inspect public WordPress content. |
| WooCommerce Read Only | Review products, orders and reports. |
| Development/Debug | Diagnostics, site health and environment checks. |
| Complete Site | Full site access for trusted workflows only. |
OAuth clients
External clients use OAuth 2.1 with PKCE. Administrators can inspect connected clients, view active tokens, revoke tokens and delete registered clients from the MCP Server settings.
Tool confirmations
The AI Chat Agent can run in Ask User mode. When enabled, write tools show a confirmation request with the tool name and arguments before execution.
Changelog
Mutating operations can be recorded with source, tool, operation, object, user, arguments, before state and after state.
- Sources include MCP Connection, AI Chat Agent, Copilot Editor, Automation Task, Event Automation and WP Admin.
- Filters help review changes by operation, object type, source, status and date.
- CSV export is available for support and audit workflows.
Rollback and redo
Individual changes can be rolled back with one click when a before state is available. Rolled-back entries can be redone, and entire sessions can be reverted in reverse order.
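The following sketch is an added illustration, not StifLi Flex MCP code: it models why a session is reverted newest-first and why an entry without a before state cannot be rolled back. The entry fields, the tool names `update_post` and `update_option`, the in-memory `site` dict and the check that refuses a rollback when the object no longer matches the recorded after state are all assumptions.

```python
# Toy model of changelog-driven rollback; not the plugin's code or schema.
# Field names, tool names and the drift check are assumptions for illustration.
from dataclasses import dataclass
from typing import Any

@dataclass
class Entry:
    session: str
    tool: str
    obj: str            # object identifier, e.g. "post:42"
    before: Any         # None means no before state was captured
    after: Any
    rolled_back: bool = False

def apply(site, log, session, tool, obj, value, capture_before=True):
    """Perform a mutating operation and record it in the changelog."""
    before = site.get(obj) if capture_before else None
    site[obj] = value
    log.append(Entry(session, tool, obj, before, value))

def rollback(site, e):
    """Restore the before state; refuse if it is missing or the object drifted."""
    if e.before is None or e.rolled_back or site.get(e.obj) != e.after:
        return False
    site[e.obj] = e.before
    e.rolled_back = True
    return True

def redo(site, e):
    """Re-apply a rolled-back entry if the object still holds the before state."""
    if not e.rolled_back or site.get(e.obj) != e.before:
        return False
    site[e.obj] = e.after
    e.rolled_back = False
    return True

def revert_session(site, log, session):
    """Roll back newest-first so each entry sees the state it produced."""
    entries = [e for e in log if e.session == session]
    return [(e.tool, rollback(site, e)) for e in reversed(entries)]

def demo():
    site, log = {"post:42": "Draft title"}, []   # constructed sample state
    apply(site, log, "s1", "update_post", "post:42", "Title v2")
    apply(site, log, "s1", "update_post", "post:42", "Title v3")
    apply(site, log, "s1", "update_option", "option:blogname", "New name",
          capture_before=False)
    oldest_first = rollback(site, log[0])   # refused: object is already at v3
    return site, log, oldest_first, revert_session(site, log, "s1")
```

In this model the option change stays in place after the session revert because nothing was captured to restore, which is the case to look for when reviewing changelog entries.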
Best practices
- Start every new client in Safe Mode.
- Prefer custom profiles over Complete Site.
- Require confirmations for write-heavy workflows.
- Review changelog entries after automation tests.
- Revoke unused clients and tokens.
