AI Plugin Information
Plugin Name	Comment Mirror Network
Version	10
Original Specification	Click to view
Tasks	Private: D3jvSCIjv8FOHrs2YQKtlif6M Private: kxGRxznUS1LiA8EIRapoxMD8r Private: Kxpege23OnyCpfHediIKPnGCS Private: IW3jPZTeKEf3fEsojBTZQWo8k Private: lw65P3HQY7afA4k9mazCXJKl4 Click to expand (1 more) Private: 569Le7NviQxSWqmjHBeJfSsJx
Download	Download Plugin

Plugin Summary

Comment Mirror Network turns a WordPress site into a node in a comment-aggregation network. Comments approved on one site are forwarded to a central “Drop Site,” where they are republished — attributed to a shared Assistant user — into a single designated Drop Post. The result is a feed of cross-site discussion gathered in one place, with admin tools on the Drop Post for pruning the aggregated thread.

Features

Outbound comment mirroring: when a comment is approved on this site, it is POSTed to a configured remote “Drop Site” via REST API.
Inbound REST API endpoint (/wp-json/comment-mirror/v1/intake) that receives mirrored comments from other sites and re-posts them as a single aggregated comment on a designated Drop Post.
Automatic WordPress user creation: incoming comments by email get a matching WP user provisioned on the fly (random password, no notification emails).
Assistant-user authentication: the API endpoint only accepts requests from the configured “Assistant” user, authenticated via WordPress Application Password (Basic Auth).
Loop prevention: comments on the Drop Post are never re-mirrored, and URL matches between Drop URL and the source post are skipped.
Drop-post comment management UI: admins/editors viewing the Drop Post see per-comment Delete buttons and a Reset All Comments button, wired to AJAX handlers with nonces and capability checks.
Admin settings screen under Settings → Comment Mirror for Drop URL, Drop Post ID, Assistant Application Password, plus Assistant-user status indicator and the live intake endpoint URL.
Styled inbound comment rendering: mirrored comments are inserted with a bordered box containing the source author’s Gravatar, the source domain as a link, and the original comment body (HTML preserved by temporarily removing wp_filter_kses / wp_rel_nofollow).
Self-updating: ships with the Plugin Update Checker library pointed at https://aiplugin.dev/wp-content/aiplugins/aiplugin3829_details.json.

User-Facing Behavior

Site visitors / commenters: No visible change to the normal comment flow. After a comment is approved, it is silently mirrored to the Drop Site in the background (non-blocking HTTP request).
Drop Site visitors: See aggregated comments on the Drop Post, each rendered in a styled card with the original commenter’s Gravatar, source domain link, and content.
Editors / admins on Drop Post: See a Delete button next to each mirrored comment and a Reset All Comments button above the comment form (only when comments exist). Both confirm before destructive action.
Site administrators: Configure the plugin via Settings → Comment Mirror Network. The settings page also surfaces whether the Assistant user is detected and the exact intake endpoint URL to share with peer sites.

Important User Information

Admin screen: Settings → Comment Mirror (options-general.php?page=comment-mirror-network), requires manage_options.
Settings (wp_options):
- cmn_drop_url — URL of the Drop Site / Drop Post.
- cmn_drop_post_id — Local post ID where inbound mirrored comments are aggregated.
- cmn_assistant_password — Application Password used to authenticate outbound mirror requests.
REST route: POST /wp-json/comment-mirror/v1/intake
- Auth: Basic Auth as the Assistant user (Application Password).
- Body (JSON): permalink, author_email, content (all required).
- Responses: 201 with comment_id; 400/401/403/404/500 on validation, auth, or config errors.
Assistant user resolution: uses CACBOT_get_assistant_user_id() if available, otherwise falls back to a user with login assistant, then to email assistant@localhost.
Capabilities:
- Settings page: manage_options.
- Front-end Delete / Reset on Drop Post: edit_posts.
AJAX actions: cmn_delete_comment, cmn_reset_comments (nonce-protected; restricted to the Drop Post only).
Hooks: comment_post (outbound), rest_api_init (inbound), comment_text filter and comment_form_before action (Drop Post UI).
Assets: src/js/aiplugin3829.js (front-end), src/css/comment-styles.css (Drop Post, with dark-mode overrides).
No shortcodes or blocks are registered.

Development Status

Functional and reasonably structured: a single-instance orchestrator (CommentMirrorNetwork) composes five focused classes (UserManager, ApiEndpoint, OutboundMirror, AdminSettings, CommentManagement). The repo carries Codeception with acceptance / phpunit / wpunit suites and developer docs (docs/), plus a test-analysis.md indicating active test work. Versioned at 10 with an update-checker pointing to a live distribution URL, suggesting it is in active deployment. The plugin header Description field is empty, and the codebase still uses the placeholder package name aiplugin3829, which hints at a generated scaffold not yet fully branded.

Technical Notes

Namespaced under aiplugin3829; bootstrapped from aiplugin3829.php on plugins_loaded.
Outbound HTTP uses wp_remote_post with blocking => false so mirroring never stalls the commenter’s request.
Inbound handler removes wp_filter_kses and wp_rel_nofollow around wp_insert_comment so the inline-styled `
` survives; filters are restored immediately after.
New users created from inbound emails get a 24-char random password; password-change and email-change notifications are suppressed; _doing_it_wrong warnings are also suppressed during creation.
Loop prevention is double-layered: (a) skip if the source comment is on the local Drop Post, (b) skip if Drop URL and the source post permalink contain each other.
Inline JS/CSS for the Drop Post UI is emitted via wp_add_inline_script / wp_add_inline_style; styles include prefers-color-scheme: dark and .dark-mode overrides for the reset warning.
Update checker: YahnisElsts\PluginUpdateChecker\v5\PucFactory against aiplugin.dev.

Known Gaps, Risks, or Open Questions

Empty plugin description in the main header; user-facing metadata is minimal.
Assistant-user discovery is fragile: relies on an external CACBOT_get_assistant_user_id() function or a magic username/email. There is no setup routine to provision the Assistant user; admins must create it out of band.
Stored credential in plaintext: cmn_assistant_password is saved with sanitize_text_field to wp_options; consider encryption or use of secrets storage.
HTML injection surface: the inbound endpoint disables KSES filtering around insertion. Although the content is wrapped in a server-built template and the body passes through wpautop, the raw $content is only sanitized with sanitize_textarea_field (which does not strip HTML). Worth a security review.
Asset path inconsistency: CommentManagement::enqueue_drop_post_scripts() builds asset URLs via plugin_dir_url(dirname(__FILE__)) . 'aiplugin3829/...', which assumes the plugin folder is literally named aiplugin3829. Renaming the folder would break CSS/JS loading.
Non-blocking outbound requests mean failures are only logged via error_log; there is no retry queue, dead-letter handling, or admin visibility into mirror failures.
Outbound auth uses Basic Auth over whatever scheme the Drop URL provides — if the Drop URL is HTTP, the Application Password is sent in clear text.
No uninstall hook: settings (cmn_*) and any auto-created users persist after deactivation/uninstall.
Repo contains many aiplugin3829-N.zip build artifacts committed alongside source; intended distribution flow is unclear.
Tested up to WordPress 6.3 per aiplugin3829_details.json, which is behind current WP releases.