WordPress plugin: Abilities API integration for per-tool permissions

[BlueHotDog]

Problem

Currently every Frontman tool requires manage_options — admin-only, all-or-nothing. Editors, authors, and contributors cannot use Frontman even for post/block work they're otherwise allowed to do.

Proposed Solution

Use WP 7.0's Abilities API to register named abilities per-tool, and gate each tool on its corresponding ability rather than a blanket cap check.

// Register in frontman_init()
if (function_exists('abilities')) {
    abilities()->register('frontman:edit_posts', [
        'callback' => fn($user) => $user->has_cap('edit_posts'),
    ]);
    abilities()->register('frontman:manage_options', [
        'callback' => fn($user) => $user->has_cap('manage_options'),
    ]);
    abilities()->register('frontman:edit_files', [
        'callback' => fn($user) => $user->has_cap('edit_themes'),
    ]);
}

Tool capability mapping:

Tools	Required Ability
wp_post, wp_block	frontman:edit_posts
wp_option, wp_template	frontman:manage_options
read_file, write_file, edit_file, grep	frontman:edit_files
wp_menu, wp_widget	frontman:edit_posts

The Abilities API auto-exposes registered abilities to JS via REST — the Frontman client can query available abilities and hide tools the user can't access before they attempt a call.

Compatibility

WP 6.x: function_exists('abilities') check prevents any errors. Falls back to the existing manage_options blanket check — identical behaviour to today.

WP 7.0+: fine-grained permissions activate automatically.

No version gate in plugin headers needed.

Parent

Part of #848