wp-execute-php
Install: claude install-skill nuttaruj/rolepod-wplab
# WP Execute PHP
Last-resort power tool. Bypasses every safer layer (REST, wp-cli, introspect) to run arbitrary PHP in the WP request lifecycle. Five-layer safety chain. Audit-logged. Production-blocked unconditionally.
## Iron Rule
<EXTREMELY-IMPORTANT>
1. NEVER call `rolepod_wp_execute_php` if the same outcome is reachable through `wp-content` (REST), `wp-edit-plugin` (adapter REST), `wp-introspect` (read), or `wp-execute-php`'s sibling `wp_cli_run`. Power tool = last resort.
2. NEVER pass `confirm: true` automatically on the user's behalf — the flag exists so the user accepts personal responsibility for the payload; auto-confirming defeats it.
3. ALWAYS read the AST blocklist in `references/ast-rules.md` before composing a payload. `eval`, `system`, `shell_exec`, `proc_open`, `popen`, dynamic include, out-of-scope file ops, `pcntl_*`, `dl`, backtick — all are forbidden on both sides and the screen catches them up front.
</EXTREMELY-IMPORTANT>
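
To make rule 3 concrete, here is an up-front screen for the constructs it lists, written as an added example; it is not the skill's own code and not the contents of `references/ast-rules.md`. It works on PHP's `token_get_all` token stream instead of a real AST and covers only the names listed on this page. Assumptions: `screen_payload` and `include_is_dynamic` are hypothetical names, and out-of-scope file ops are omitted because the page does not define the scope.

```php
<?php
// Added illustration (not the skill's screen): token-level pre-check for the
// constructs named in the Iron Rule. Out-of-scope file ops are not covered.
const FORBIDDEN_CALLS = ['system', 'shell_exec', 'proc_open', 'popen', 'dl'];
const INCLUDE_TOKENS  = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

// True unless the include argument is exactly one quoted string literal.
function include_is_dynamic(array $tokens, int $i): bool
{
    $args = [];
    for ($n = count($tokens); $i < $n && $tokens[$i] !== ';'; $i++) {
        $t = $tokens[$i];
        $skip = is_array($t) ? in_array($t[0], [T_WHITESPACE, T_COMMENT], true)
                             : ($t === '(' || $t === ')');
        if (!$skip) { $args[] = $t; }
    }
    return !(count($args) === 1 && is_array($args[0])
             && $args[0][0] === T_CONSTANT_ENCAPSED_STRING);
}

// Returns the list of violations found; an empty array means nothing matched.
function screen_payload(string $code): array
{
    $hits   = [];
    $tokens = token_get_all('<?php ' . $code);   // open tag so it lexes as PHP
    foreach ($tokens as $i => $t) {
        if ($t === '`') { $hits['backtick operator'] = true; continue; }
        if (!is_array($t)) { continue; }
        [$id, $text] = $t;
        if ($id === T_EVAL) {
            $hits['eval'] = true;
        } elseif (in_array($id, INCLUDE_TOKENS, true)) {
            if (include_is_dynamic($tokens, $i + 1)) { $hits['dynamic include'] = true; }
        } elseif ($id === T_STRING || token_name($id) === 'T_NAME_FULLY_QUALIFIED') {
            // Conservative: match on the name alone, even without a following "(".
            $name = strtolower(ltrim($text, '\\'));
            if (in_array($name, FORBIDDEN_CALLS, true) || strpos($name, 'pcntl_') === 0) {
                $hits[$name] = true;
            }
        }
    }
    return array_keys($hits);
}

// Constructed sample payloads, not taken from the page.
var_dump(screen_payload('do_action("save_post", 42);'));
var_dump(screen_payload('include $path; \\shell_exec($cmd);'));
```

A name match like this only sees literal call sites, so it belongs in front of other controls, not in place of them.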
## When to use
- "Fire `do_action('save_post', 42)` and observe what happens" — runtime hook trigger.
- "Instantiate WC_Order(123) and dump its meta" — internal API call.
- "Set a transient programmatically for testing" — read/write the cache layer.
- "Run `wp_schedule_event` to register a cron" — internal scheduler call.
- Any case where REST/wp-cli/adapter does not expose the surface and a small PHP snippet is the cleanest fix.
Skip when:
- The work is post/option/user → `wp-content`.
- The work is a plugin's config → `wp-edit-plu