diff --git a/AGENTS.md b/AGENTS.md
index 67981e7..9d492f0 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -562,6 +562,17 @@ The MCP server version is informational; the plugin version is what site owners
    - If the MCP server side also moved, bump `package.json` in the same commit
 3. Push.
 
+### Tagging the release
+
+Every plugin version bump gets a matching annotated git tag. Tags live on the merge commit on `main`; never on a feature branch tip.
+
+- **Format**: `v{plugin-version}` — e.g. `v1.7.0`. Match the plugin version, not the MCP server version. (When the MCP server bumps independently without a plugin bump, no tag — server versions are informational.)
+- **Annotated, not lightweight**: `git tag -a v1.7.0 -m "<release notes>"`. Lightweight tags don't carry a message and don't show up in `git show`.
+- **Tag message**: the same prose as the `readme.txt` `Upgrade Notice` for that version, plus a `Highlights:` bulleted list of the headline changes. Look at `git show v1.6.0` for the canonical shape.
+- **Push the tag explicitly**: `git push origin v1.7.0`. Bare `git push` does not push tags. Without this step the tag exists locally only and `gh release create` can't find it.
+- **When to tag**: after the version-bump commit has landed on `main` (via PR merge or direct push). Tagging on the feature branch and merging via squash strands the tag on a dead commit.
+- **GitHub release**: optional, but if you create one, attach it to the tag (`gh release create v1.7.0 --notes-file …` or via the UI). The marketplace pin / Composer installer reads the tag, not the release.
+
 ### Backfilling missing entries
 
 If a version was bumped without a corresponding `readme.txt` entry (it happens — historically `1.4.1`, `1.4.2`, and `1.5.0` all shipped without changelog updates), audit the commits that landed between the previous bump and the version bump commit (`git log <prev-bump>..<this-bump> -- wordpress-plugin/gk-block-api/`) and write the missing entries. Keep the Upgrade Notice and Changelog sections in strict reverse-chronological order across all versions.
diff --git a/dist/index.cjs b/dist/index.cjs
index f284fc4..129d01d 100755
--- a/dist/index.cjs
+++ b/dist/index.cjs
@@ -39771,7 +39771,7 @@ var StdioServerTransport = class {
 // package.json
 var package_default = {
   name: "@gravitykit/block-mcp",
-  version: "1.6.0",
+  version: "1.7.1",
   description: "MCP server for WordPress block-level content management with preference-aware editing",
   main: "dist/index.cjs",
   type: "module",
@@ -44424,6 +44424,110 @@ var WordPressBlockClient = class {
   }
 };
 
+// src/instructions.ts
+var BASELINE = `Block-level WordPress CRUD. URL \u2192 post_id is resolved server-side \u2014 pass URLs directly to get_page_blocks / resolve_url; never shell out to curl or wp-json.
+
+After a write, the response already includes the canonical post-save snapshot (\`saved.inner_html\` + \`saved.attributes\` on update_block; \`saved\` per result on update_blocks with \`verbose:true\`). Use that for verification \u2014 do not fetch the public page to confirm edits. If you need a single-block re-read later, call get_block(ref) \u2014 same shape, no extra plumbing.
+
+Tier policy is per-site config, surfaced inline (block.preference) and via list_block_types. Read block-mcp://agent-guide for the editing workflow.`;
+var MAX_ADDENDUM_LENGTH = 2e3;
+var FETCH_TIMEOUT_MS = 3e3;
+var FETCH_MAX_BYTES = 16 * 1024;
+var OFF_ENV_VAR = "BLOCK_MCP_INSTRUCTIONS_OFF";
+function sanitizeAddendum(input) {
+  if (typeof input !== "string") {
+    return "";
+  }
+  let s2 = input;
+  s2 = s2.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+  s2 = s2.replace(/[\u200B-\u200D\u2060\uFEFF\u202A-\u202E\u2066-\u2069]/g, "");
+  s2 = s2.replace(/\r\n?/g, "\n");
+  s2 = s2.trim();
+  const codePoints = Array.from(s2);
+  if (codePoints.length > MAX_ADDENDUM_LENGTH) {
+    s2 = codePoints.slice(0, MAX_ADDENDUM_LENGTH).join("");
+  }
+  return s2;
+}
+function combineInstructions(baseline, addendum) {
+  const clean = addendum.trim();
+  if (clean.length === 0) {
+    return baseline;
+  }
+  return `${baseline}
+
+${clean}`;
+}
+async function fetchAddendum(wordpressUrl) {
+  if (process.env[OFF_ENV_VAR] === "1") {
+    return "";
+  }
+  const base = wordpressUrl.replace(/\/+$/, "");
+  const url3 = `${base}/wp-json/gk-block-api/v1/instructions`;
+  try {
+    const response = await axios_default.get(url3, {
+      timeout: FETCH_TIMEOUT_MS,
+      // Disable axios's automatic redirect following entirely. Without
+      // this, a compromised or misconfigured WP site could redirect us
+      // to a different origin (an exfil endpoint, an SSRF target on the
+      // internal network, etc.). Admins should configure
+      // WORDPRESS_URL with the canonical scheme + host so the first
+      // hop returns 200 directly. If the site needs an HTTP → HTTPS
+      // redirect, fix the env var instead of relying on axios to
+      // follow it for us.
+      //
+      // The corollary is a 3xx response now surfaces as an axios
+      // error and we fall back to baseline-only. Logged to stderr.
+      maxRedirects: 0,
+      // Hard cap the response body size. Primary defense against an
+      // unbounded payload — `sanitizeAddendum` still truncates after,
+      // but we never want raw bytes past this cap to hit our process.
+      maxContentLength: FETCH_MAX_BYTES,
+      // Lower-case Accept so caches see a stable Vary key.
+      headers: {
+        Accept: "application/json"
+      },
+      // We treat 2xx as success; 3xx (any redirect) and 4xx/5xx fall
+      // back to empty via the catch block.
+      validateStatus: (status) => status >= 200 && status < 300
+    });
+    if (!response.data || typeof response.data !== "object") {
+      console.error(
+        `[block-mcp] /instructions returned non-object payload; using baseline only.`
+      );
+      return "";
+    }
+    return sanitizeAddendum(response.data.addendum);
+  } catch (err) {
+    const message = formatFetchError(err);
+    console.error(`[block-mcp] Failed to fetch /instructions (${message}); using baseline only.`);
+    return "";
+  }
+}
+async function getInstructions(wordpressUrl) {
+  const addendum = await fetchAddendum(wordpressUrl);
+  return combineInstructions(BASELINE, addendum);
+}
+function formatFetchError(err) {
+  if (axios_default.isAxiosError(err)) {
+    const axiosErr = err;
+    if (axiosErr.code === "ECONNABORTED" || axiosErr.message.includes("timeout")) {
+      return `timeout after ${FETCH_TIMEOUT_MS}ms`;
+    }
+    if (axiosErr.response) {
+      return `HTTP ${axiosErr.response.status}`;
+    }
+    if (axiosErr.code) {
+      return axiosErr.code;
+    }
+    return axiosErr.message;
+  }
+  if (err instanceof Error) {
+    return err.message;
+  }
+  return String(err);
+}
+
 // src/preferences.ts
 function getNamespace(blockName) {
   return blockName.split("/")[0] ?? blockName;
@@ -57835,31 +57939,48 @@ registerBlockEnricher("kevinbatdorf/code-block-pro", async (block) => {
   const attrs = block.attributes ?? {};
   const code = attrs.code;
   if (!code) return null;
-  const rawLang = (attrs.language || "plaintext").toLowerCase();
+  const rawLangAttr = typeof attrs.language === "string" ? attrs.language.trim() : "";
+  const rawLang = rawLangAttr.toLowerCase();
+  const PLAINTEXT_ALIASES = /* @__PURE__ */ new Set(["plaintext", "text", "plain", "txt", "none"]);
+  const shouldInfer = rawLang === "" || rawLang === "auto";
+  const lang254 = shouldInfer ? inferLanguage(code) : PLAINTEXT_ALIASES.has(rawLang) ? "plaintext" : rawLang;
   const { langs } = await getHighlighter();
-  const lang254 = rawLang === "plaintext" || rawLang === "text" || rawLang === "" ? inferLanguage(code) : rawLang;
   const effectiveLang = langs.has(lang254) ? lang254 : "plaintext";
   const themeName = attrs.theme || void 0;
   const codeHTML = await shikiHighlight(code, effectiveLang, themeName);
   const highestLineNumber = code.split("\n").length;
-  if (codeHTML === attrs.codeHTML && lang254 === rawLang) return null;
+  const incomingInnerHTML = block.innerHTML ?? "";
+  if (codeHTML === attrs.codeHTML && lang254 === rawLang && incomingInnerHTML !== "") {
+    return null;
+  }
   const updatedAttrs = { ...attrs, language: lang254, codeHTML, highestLineNumber };
-  let updatedInnerHTML = block.innerHTML;
-  if (updatedInnerHTML) {
-    updatedInnerHTML = updatedInnerHTML.replace(
+  const encodedCode = code.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  let updatedInnerHTML;
+  if (incomingInnerHTML !== "") {
+    updatedInnerHTML = incomingInnerHTML.replace(
       /<pre class="shiki[\s\S]*?<\/pre>/,
       codeHTML
     );
-    const encoded = code.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
     updatedInnerHTML = updatedInnerHTML.replace(
       /(<textarea[^>]*>)([\s\S]*?)(<\/textarea>)/,
-      (_m, open, _old, close) => `${open}${encoded}${close}`
+      (_m, open, _old, close) => `${open}${encodedCode}${close}`
     );
+  } else {
+    const styleParts = [];
+    if (typeof attrs.fontFamily === "string") styleParts.push(`font-family:${attrs.fontFamily}`);
+    if (typeof attrs.fontSize === "string") styleParts.push(`font-size:${attrs.fontSize}`);
+    if (typeof attrs.lineHeight === "string") styleParts.push(`line-height:${attrs.lineHeight}`);
+    if (typeof attrs.bgColor === "string") styleParts.push(`background-color:${attrs.bgColor}`);
+    if (typeof attrs.textColor === "string") styleParts.push(`color:${attrs.textColor}`);
+    const styleAttr = styleParts.length ? ` style="${styleParts.join(";")}"` : "";
+    const classNameExtra = typeof attrs.className === "string" && attrs.className.trim() !== "" ? ` ${attrs.className.trim()}` : "";
+    const copyTextarea = attrs.copyButton ? `<textarea style="display:none" aria-hidden="true">${encodedCode}</textarea>` : "";
+    updatedInnerHTML = `<div class="wp-block-kevinbatdorf-code-block-pro${classNameExtra}"${styleAttr}>${codeHTML}${copyTextarea}</div>`;
   }
   return {
     ...block,
     attributes: updatedAttrs,
-    ...updatedInnerHTML !== block.innerHTML ? { innerHTML: updatedInnerHTML } : {}
+    innerHTML: updatedInnerHTML
   };
 });
 
@@ -59047,24 +59168,6 @@ var client = new WordPressBlockClient({
     application_password: WORDPRESS_APP_PASSWORD
   }
 });
-var server = new McpServer(
-  {
-    name: "block-mcp",
-    version: package_default.version
-  },
-  {
-    capabilities: {
-      tools: {},
-      resources: {},
-      prompts: {}
-    },
-    instructions: `Block-level WordPress CRUD. URL \u2192 post_id is resolved server-side \u2014 pass URLs directly to get_page_blocks / resolve_url; never shell out to curl or wp-json.
-
-After a write, the response already includes the canonical post-save snapshot (\`saved.inner_html\` + \`saved.attributes\` on update_block; \`saved\` per result on update_blocks with \`verbose:true\`). Use that for verification \u2014 do not fetch the public page to confirm edits. If you need a single-block re-read later, call get_block(ref) \u2014 same shape, no extra plumbing.
-
-Tier policy is per-site config, surfaced inline (block.preference) and via list_block_types. Read block-mcp://agent-guide for the editing workflow.`
-  }
-);
 var ALL_TOOLS = [
   ...DISCOVERY_TOOLS,
   ...READ_TOOLS,
@@ -59147,123 +59250,141 @@ How to behave:
 - Reuse existing patterns before building from scratch \u2014 call \`list_patterns\` first.
 - For patterns that need per-page customization, use \`synced: false\` to inline them.
 - When you encounter legacy blocks on a page during a read, note them but do not replace unless asked.`;
-server.server.setRequestHandler(ListToolsRequestSchema, async () => {
-  return { tools: ALL_TOOLS };
-});
-server.server.setRequestHandler(CallToolRequestSchema, async (request) => {
-  const { name, arguments: args } = request.params;
-  const toolArgs = args ?? {};
-  try {
-    const handle2 = TOOL_DISPATCH.get(name);
-    if (!handle2) {
-      throw new Error(`Unknown tool: ${name}`);
+function registerHandlers(server) {
+  server.server.setRequestHandler(ListToolsRequestSchema, async () => {
+    return { tools: ALL_TOOLS };
+  });
+  server.server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    const toolArgs = args ?? {};
+    try {
+      const handle2 = TOOL_DISPATCH.get(name);
+      if (!handle2) {
+        throw new Error(`Unknown tool: ${name}`);
+      }
+      const result = await handle2(name, toolArgs, client);
+      const toolDef = ALL_TOOLS.find((t) => t.name === name);
+      const response = {
+        content: [
+          { type: "text", text: JSON.stringify(result, null, 2) }
+        ]
+      };
+      if (toolDef && toolDef.outputSchema !== void 0 && result !== null && typeof result === "object") {
+        response.structuredContent = result;
+      }
+      return response;
+    } catch (error2) {
+      const err = error2;
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify(
+              {
+                error: true,
+                tool: name,
+                message: err.message || "Unknown error occurred",
+                code: err.wpCode,
+                statusCode: err.wpStatus ?? err.response?.status,
+                hint: err.wpData ?? null
+              },
+              null,
+              2
+            )
+          }
+        ],
+        isError: true
+      };
     }
-    const result = await handle2(name, toolArgs, client);
-    const toolDef = ALL_TOOLS.find((t) => t.name === name);
-    const response = {
-      content: [
-        { type: "text", text: JSON.stringify(result, null, 2) }
+  });
+  server.server.setRequestHandler(ListResourcesRequestSchema, async () => {
+    return {
+      resources: [
+        {
+          uri: AGENT_GUIDE_RESOURCE_URI,
+          name: "Block MCP \u2014 Agent Guide",
+          description: "Editing workflow + how to discover the live block-preference policy on this site. Read this before editing pages.",
+          mimeType: "text/plain"
+        },
+        // Legacy alias kept for one release; resolves to the same content.
+        {
+          uri: LEGACY_PREFERENCES_RESOURCE_URI,
+          name: "Block MCP \u2014 Agent Guide (legacy URI)",
+          description: "Renamed to block-mcp://agent-guide. Same content; kept for backwards compatibility.",
+          mimeType: "text/plain"
+        }
       ]
     };
-    if (toolDef && toolDef.outputSchema !== void 0 && result !== null && typeof result === "object") {
-      response.structuredContent = result;
+  });
+  server.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+    const { uri } = request.params;
+    if (uri === AGENT_GUIDE_RESOURCE_URI || uri === LEGACY_PREFERENCES_RESOURCE_URI) {
+      return {
+        contents: [
+          { uri, mimeType: "text/plain", text: AGENT_GUIDE_CONTENT }
+        ]
+      };
     }
-    return response;
-  } catch (error2) {
-    const err = error2;
-    return {
-      content: [
+    throw new Error(`Unknown resource: ${uri}`);
+  });
+  const PROMPTS = [
+    {
+      name: "edit-block-page",
+      description: "Bundle: workflow guidance + reminder to call get_page_blocks first. Pass `url` to seed a specific page.",
+      arguments: [
         {
-          type: "text",
-          text: JSON.stringify(
-            {
-              error: true,
-              tool: name,
-              message: err.message || "Unknown error occurred",
-              code: err.wpCode,
-              statusCode: err.wpStatus ?? err.response?.status,
-              hint: err.wpData ?? null
-            },
-            null,
-            2
-          )
+          name: "url",
+          description: "Optional. Full URL or path of the page being edited.",
+          required: false
         }
-      ],
-      isError: true
-    };
-  }
-});
-server.server.setRequestHandler(ListResourcesRequestSchema, async () => {
-  return {
-    resources: [
-      {
-        uri: AGENT_GUIDE_RESOURCE_URI,
-        name: "Block MCP \u2014 Agent Guide",
-        description: "Editing workflow + how to discover the live block-preference policy on this site. Read this before editing pages.",
-        mimeType: "text/plain"
-      },
-      // Legacy alias kept for one release; resolves to the same content.
-      {
-        uri: LEGACY_PREFERENCES_RESOURCE_URI,
-        name: "Block MCP \u2014 Agent Guide (legacy URI)",
-        description: "Renamed to block-mcp://agent-guide. Same content; kept for backwards compatibility.",
-        mimeType: "text/plain"
-      }
-    ]
-  };
-});
-server.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
-  const { uri } = request.params;
-  if (uri === AGENT_GUIDE_RESOURCE_URI || uri === LEGACY_PREFERENCES_RESOURCE_URI) {
-    return {
-      contents: [
-        { uri, mimeType: "text/plain", text: AGENT_GUIDE_CONTENT }
       ]
-    };
-  }
-  throw new Error(`Unknown resource: ${uri}`);
-});
-var PROMPTS = [
-  {
-    name: "edit-block-page",
-    description: "Bundle: workflow guidance + reminder to call get_page_blocks first. Pass `url` to seed a specific page.",
-    arguments: [
-      {
-        name: "url",
-        description: "Optional. Full URL or path of the page being edited.",
-        required: false
-      }
-    ]
-  }
-];
-server.server.setRequestHandler(ListPromptsRequestSchema, async () => ({
-  prompts: PROMPTS
-}));
-server.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
-  const { name, arguments: args } = request.params;
-  if (name !== "edit-block-page") {
-    throw new Error(`Unknown prompt: ${name}`);
-  }
-  const url3 = args?.url ?? "";
-  const seed = url3 ? `Editing target: ${url3}
+    }
+  ];
+  server.server.setRequestHandler(ListPromptsRequestSchema, async () => ({
+    prompts: PROMPTS
+  }));
+  server.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    if (name !== "edit-block-page") {
+      throw new Error(`Unknown prompt: ${name}`);
+    }
+    const url3 = args?.url ?? "";
+    const seed = url3 ? `Editing target: ${url3}
 
 First tool call: get_page_blocks({ url: ${JSON.stringify(url3)}, summary_only: true }) for cheap orientation, then re-fetch with search/block_name filters as needed.
 
 ` : "";
-  return {
-    description: "Workflow primer for editing a WordPress page via block-mcp.",
-    messages: [
-      {
-        role: "user",
-        content: {
-          type: "text",
-          text: `${seed}${AGENT_GUIDE_CONTENT}`
+    return {
+      description: "Workflow primer for editing a WordPress page via block-mcp.",
+      messages: [
+        {
+          role: "user",
+          content: {
+            type: "text",
+            text: `${seed}${AGENT_GUIDE_CONTENT}`
+          }
         }
-      }
-    ]
-  };
-});
+      ]
+    };
+  });
+}
 async function main2() {
+  const instructions = await getInstructions(WORDPRESS_URL);
+  const server = new McpServer(
+    {
+      name: "block-mcp",
+      version: package_default.version
+    },
+    {
+      capabilities: {
+        tools: {},
+        resources: {},
+        prompts: {}
+      },
+      instructions
+    }
+  );
+  registerHandlers(server);
   const transport = new StdioServerTransport();
   await server.connect(transport);
   console.error("Block MCP Server running on stdio");
diff --git a/package.json b/package.json
index 32fcb7e..7fbbc15 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@gravitykit/block-mcp",
-  "version": "1.6.0",
+  "version": "1.7.1",
   "description": "MCP server for WordPress block-level content management with preference-aware editing",
   "main": "dist/index.cjs",
   "type": "module",
diff --git a/src/__tests__/unit/enrichers/cbp-enricher.test.ts b/src/__tests__/unit/enrichers/cbp-enricher.test.ts
index e9e49ad..0d1af83 100644
--- a/src/__tests__/unit/enrichers/cbp-enricher.test.ts
+++ b/src/__tests__/unit/enrichers/cbp-enricher.test.ts
@@ -96,13 +96,60 @@ describe('enrichBlock — Code Block Pro', () => {
     expect(result.attributes?.highestLineNumber).toBe(1);
   });
 
-  it('leaves innerHTML undefined when block has no innerHTML', async () => {
+  /**
+   * Fresh CBP blocks created via the API (e.g. edit_block_tree replace-block)
+   * arrive with no innerHTML. Pre-fix, the enricher only updated codeHTML and
+   * left innerHTML empty, which made the block render as a blank gap on the
+   * front-end. The enricher must build a minimal wrapper so the block is
+   * actually visible after save.
+   */
+  it('builds wrapper innerHTML when block has none', async () => {
     const block: BlockDef = {
       name: 'kevinbatdorf/code-block-pro',
       attributes: { code: 'const a = 1;', language: 'javascript' },
     };
     const result = await enrichBlock(block);
-    expect(result.innerHTML).toBeUndefined();
+    expect(typeof result.innerHTML).toBe('string');
+    expect(result.innerHTML).toContain('wp-block-kevinbatdorf-code-block-pro');
+    expect(result.innerHTML).toContain('<pre class="shiki');
+  });
+
+  it('inlines wrapper style from font / colour attributes', async () => {
+    const block: BlockDef = {
+      name: 'kevinbatdorf/code-block-pro',
+      attributes: {
+        code: 'const a = 1;',
+        language: 'javascript',
+        fontFamily: 'Code-Pro-JetBrains-Mono',
+        fontSize: '1rem',
+        lineHeight: '1.25rem',
+        bgColor: '#0F2B62',
+        textColor: '#d8dee9ff',
+      },
+    };
+    const result = await enrichBlock(block);
+    expect(result.innerHTML).toContain('font-family:Code-Pro-JetBrains-Mono');
+    expect(result.innerHTML).toContain('font-size:1rem');
+    expect(result.innerHTML).toContain('background-color:#0F2B62');
+    expect(result.innerHTML).toContain('color:#d8dee9ff');
+  });
+
+  it('includes copy-textarea when copyButton is enabled', async () => {
+    const block: BlockDef = {
+      name: 'kevinbatdorf/code-block-pro',
+      attributes: { code: 'const a = 1;', language: 'javascript', copyButton: true },
+    };
+    const result = await enrichBlock(block);
+    expect(result.innerHTML).toMatch(/<textarea[^>]*>const a = 1;<\/textarea>/);
+  });
+
+  it('omits copy-textarea when copyButton is false', async () => {
+    const block: BlockDef = {
+      name: 'kevinbatdorf/code-block-pro',
+      attributes: { code: 'const a = 1;', language: 'javascript', copyButton: false },
+    };
+    const result = await enrichBlock(block);
+    expect(result.innerHTML).not.toContain('<textarea');
   });
 
   it('keeps explicit php language without inference', async () => {
@@ -118,15 +165,74 @@ describe('enrichBlock — Code Block Pro', () => {
 // ── CBP enrichment — language inference ──────────────────────────────────────
 
 describe('enrichBlock — language inference', () => {
-  it('infers css when language is plaintext and code looks like CSS', async () => {
+  /**
+   * Explicit `language: 'plaintext'` is the caller saying "render this as plain
+   * text, no syntax highlighting." Pre-fix the enricher treated 'plaintext' as
+   * "no preference, infer" — so a chat prompt containing "from … from …" was
+   * detected as SQL and rendered with mis-coloured English words. The contract
+   * now is: explicit 'plaintext'/'text'/'plain'/'txt'/'none' is respected;
+   * inference only runs when the attribute is missing, empty, or 'auto'.
+   */
+  it('respects explicit plaintext language without inference', async () => {
     const block: BlockDef = {
       name: 'kevinbatdorf/code-block-pro',
       attributes: { code: '.hero { color: red; }', language: 'plaintext' },
     };
     const result = await enrichBlock(block);
+    expect(result.attributes?.language).toBe('plaintext');
+  });
+
+  it.each(['text', 'plain', 'txt', 'none'])(
+    'respects explicit %s as plaintext alias',
+    async (alias) => {
+      const block: BlockDef = {
+        name: 'kevinbatdorf/code-block-pro',
+        attributes: { code: '.hero { color: red; }', language: alias },
+      };
+      const result = await enrichBlock(block);
+      expect(result.attributes?.language).toBe('plaintext');
+    },
+  );
+
+  it('infers css when language attribute is missing', async () => {
+    const block: BlockDef = {
+      name: 'kevinbatdorf/code-block-pro',
+      attributes: { code: '.hero { color: red; }' },
+    };
+    const result = await enrichBlock(block);
     expect(result.attributes?.language).toBe('css');
   });
 
+  it('infers css when language is "auto"', async () => {
+    const block: BlockDef = {
+      name: 'kevinbatdorf/code-block-pro',
+      attributes: { code: '.hero { color: red; }', language: 'auto' },
+    };
+    const result = await enrichBlock(block);
+    expect(result.attributes?.language).toBe('css');
+  });
+
+  /**
+   * Regression: chat prompts pasted into a CBP block via the API used to detect
+   * as SQL because inferLanguage's SQL heuristic fires on the word "from" — and
+   * "from" appears twice in the canonical "Set up Block MCP from … from me"
+   * prompt. With explicit plaintext respected, the prompt renders correctly.
+   */
+  it('does not mis-detect English prose as SQL when caller passes plaintext', async () => {
+    const block: BlockDef = {
+      name: 'kevinbatdorf/code-block-pro',
+      attributes: {
+        code: 'Set up Block MCP from https://example.com on my computer. Walk me through anything you need from me — WordPress site URL, username, and Application Password.',
+        language: 'plaintext',
+      },
+    };
+    const result = await enrichBlock(block);
+    expect(result.attributes?.language).toBe('plaintext');
+    // The generated codeHTML must not contain SQL keyword tokens for the
+    // English words that previously got mis-coloured.
+    expect(result.attributes?.codeHTML).not.toContain('shiki-token-keyword');
+  });
+
   it('does not override non-plaintext language with inference', async () => {
     const block: BlockDef = {
       name: 'kevinbatdorf/code-block-pro',
@@ -172,17 +278,26 @@ describe('enrichBlock — innerHTML update', () => {
 // ── CBP enrichment — no-op (codeHTML already current) ────────────────────────
 
 describe('enrichBlock — no-op when already enriched', () => {
-  it('returns original block reference when codeHTML already matches', async () => {
+  /**
+   * A fully-enriched CBP block has both `codeHTML` (attribute) and `innerHTML`
+   * (the rendered widget). Passing such a block through the enricher again
+   * must be a no-op — same object reference returned. If only one side is
+   * populated, the enricher rebuilds the missing piece so first-pass blocks
+   * created via the API (no innerHTML) still render correctly.
+   */
+  it('returns original block reference when codeHTML and innerHTML are already current', async () => {
     const code = 'const x = 1;';
     const firstPass = await enrichBlock({
       name: 'kevinbatdorf/code-block-pro',
       attributes: { code, language: 'javascript' },
     });
     const codeHTML = firstPass.attributes?.codeHTML as string;
+    const innerHTML = firstPass.innerHTML as string;
 
     const block: BlockDef = {
       name: 'kevinbatdorf/code-block-pro',
       attributes: { code, language: 'javascript', codeHTML },
+      innerHTML,
     };
     const result = await enrichBlock(block);
     expect(result).toBe(block);
diff --git a/src/__tests__/unit/instructions.test.ts b/src/__tests__/unit/instructions.test.ts
new file mode 100644
index 0000000..0cb33c5
--- /dev/null
+++ b/src/__tests__/unit/instructions.test.ts
@@ -0,0 +1,374 @@
+/**
+ * Unit tests for src/instructions.ts (BLOCK-19).
+ *
+ * Covers the three pure helpers (sanitizeAddendum, combineInstructions,
+ * BASELINE) plus the network-bound fetchAddendum / getInstructions
+ * helpers with axios mocked. No live HTTP — these all run offline.
+ *
+ * Invariants pinned here:
+ *   - Sanitize strips C0 + DEL + Bidi/zero-width without touching tab/LF/CR.
+ *   - Sanitize truncates at MAX_ADDENDUM_LENGTH (defense in depth).
+ *   - Sanitize coerces non-string input to '' (no exceptions thrown).
+ *   - Combine returns baseline unchanged when addendum empty.
+ *   - Combine joins with `\n\n` when addendum non-empty.
+ *   - fetchAddendum honors BLOCK_MCP_INSTRUCTIONS_OFF=1 and skips the call.
+ *   - fetchAddendum falls back to '' on network failure (no throw).
+ *   - fetchAddendum sanitizes the remote payload (defense in depth).
+ *   - getInstructions wraps fetch + combine for the public entry point.
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import axios from 'axios';
+
+vi.mock('axios');
+
+import {
+  BASELINE,
+  MAX_ADDENDUM_LENGTH,
+  combineInstructions,
+  fetchAddendum,
+  getInstructions,
+  sanitizeAddendum,
+} from '../../instructions.js';
+
+const ORIG_ENV = { ...process.env };
+
+beforeEach(() => {
+  // Each test starts with a clean env to keep BLOCK_MCP_INSTRUCTIONS_OFF
+  // assertions isolated. Vitest doesn't reset process.env between tests
+  // on its own.
+  process.env = { ...ORIG_ENV };
+  vi.clearAllMocks();
+});
+
+afterEach(() => {
+  process.env = { ...ORIG_ENV };
+});
+
+// ── BASELINE ─────────────────────────────────────────────────────────────────
+
+describe('BASELINE', () => {
+  /**
+   * The baseline string is the contract the SDK and every client depend
+   * on. Pinning its length guards against accidental edits that strip
+   * crucial guidance — e.g. a refactor that drops the "saved.inner_html
+   * is the canonical post-save snapshot" rule would degrade every
+   * client. If this assertion fails, you either intentionally rewrote
+   * the baseline (update the bound) or accidentally truncated it.
+   */
+  it('is a non-trivial, non-empty string', () => {
+    expect(typeof BASELINE).toBe('string');
+    expect(BASELINE.length).toBeGreaterThan(200);
+  });
+
+  it('mentions saved.inner_html guidance', () => {
+    expect(BASELINE).toContain('saved.inner_html');
+  });
+
+  it('mentions URL → post_id resolution rule', () => {
+    expect(BASELINE).toContain('post_id is resolved server-side');
+  });
+});
+
+// ── sanitizeAddendum ─────────────────────────────────────────────────────────
+
+describe('sanitizeAddendum', () => {
+  it('returns empty string for non-string input', () => {
+    expect(sanitizeAddendum(undefined)).toBe('');
+    expect(sanitizeAddendum(null)).toBe('');
+    expect(sanitizeAddendum(42)).toBe('');
+    expect(sanitizeAddendum({ a: 1 })).toBe('');
+    expect(sanitizeAddendum([])).toBe('');
+  });
+
+  it('passes plain ASCII through unchanged', () => {
+    expect(sanitizeAddendum('Use callouts for tips.')).toBe('Use callouts for tips.');
+  });
+
+  it('preserves newlines, tabs, and indented bullets', () => {
+    const v = '- Top\n\t- Nested\n- Bottom';
+    expect(sanitizeAddendum(v)).toBe(v);
+  });
+
+  it('strips ASCII C0 control characters except tab/LF/CR', () => {
+    const v = 'A\x00B\x07C\x1BD\x08E';
+    expect(sanitizeAddendum(v)).toBe('ABCDE');
+  });
+
+  it('strips DEL character (0x7F)', () => {
+    expect(sanitizeAddendum('foo\x7Fbar')).toBe('foobar');
+  });
+
+  it('strips Bidi override codepoints', () => {
+    // U+202E RIGHT-TO-LEFT OVERRIDE — classic spoofing vector. The
+    // expected output is the visible text only, with the override gone.
+    const v = 'allow‮gnirts‬';
+    const cleaned = sanitizeAddendum(v);
+    expect(cleaned).not.toContain('‮');
+    expect(cleaned).not.toContain('‬');
+    expect(cleaned).toContain('allow');
+  });
+
+  it('strips zero-width characters', () => {
+    // ZWSP (U+200B), ZWNJ (U+200C), ZWJ (U+200D), BOM (U+FEFF).
+    const v = 'visi​ble‌‍ text';
+    expect(sanitizeAddendum(v)).toBe('visible text');
+  });
+
+  it('normalizes CRLF and CR to LF', () => {
+    expect(sanitizeAddendum('a\r\nb\rc')).toBe('a\nb\nc');
+  });
+
+  it('trims outer whitespace', () => {
+    expect(sanitizeAddendum('\n\n  inner content  \n')).toBe('inner content');
+  });
+
+  it('truncates to MAX_ADDENDUM_LENGTH', () => {
+    const long = 'A'.repeat(MAX_ADDENDUM_LENGTH + 500);
+    expect(sanitizeAddendum(long)).toHaveLength(MAX_ADDENDUM_LENGTH);
+  });
+
+  it('accepts an input exactly at the cap', () => {
+    const exact = 'B'.repeat(MAX_ADDENDUM_LENGTH);
+    expect(sanitizeAddendum(exact)).toHaveLength(MAX_ADDENDUM_LENGTH);
+  });
+
+  /**
+   * Surrogate-pair safety. `😀` (U+1F600) is one code point but two
+   * UTF-16 code units. Naive `slice(0, MAX_ADDENDUM_LENGTH)` on a
+   * string of emoji would land in the middle of the last codepoint's
+   * surrogate pair, leaving a lone high surrogate that downstream JSON
+   * encoders either reject or mangle. The sanitizer counts and slices
+   * by `Array.from` so this can never happen.
+   */
+  it('truncates emoji-heavy input at code-point boundaries', () => {
+    const input = '😀'.repeat(MAX_ADDENDUM_LENGTH + 100);
+    const result = sanitizeAddendum(input);
+    expect(Array.from(result)).toHaveLength(MAX_ADDENDUM_LENGTH);
+    // Every codepoint is the full emoji; never a lone surrogate. The
+    // matchAll iterator over the regex emits one match per scalar
+    // codepoint, so equality with the Array.from count confirms no
+    // half-pair remained.
+    expect([...result].every((c) => c === '😀')).toBe(true);
+  });
+
+  it('returns empty for empty string', () => {
+    expect(sanitizeAddendum('')).toBe('');
+  });
+});
+
+// ── combineInstructions ──────────────────────────────────────────────────────
+
+describe('combineInstructions', () => {
+  it('returns baseline unchanged when addendum is empty', () => {
+    expect(combineInstructions(BASELINE, '')).toBe(BASELINE);
+  });
+
+  it('returns baseline unchanged when addendum is whitespace only', () => {
+    expect(combineInstructions(BASELINE, '   \n\n  \t  ')).toBe(BASELINE);
+  });
+
+  it('joins baseline and addendum with a blank line', () => {
+    const result = combineInstructions('BASE', 'ADD');
+    expect(result).toBe('BASE\n\nADD');
+  });
+
+  it('trims the addendum before joining', () => {
+    const result = combineInstructions('BASE', '  ADD  ');
+    expect(result).toBe('BASE\n\nADD');
+  });
+
+  it('preserves multi-line addenda verbatim', () => {
+    const addendum = '- Rule one.\n- Rule two.';
+    const result = combineInstructions('BASE', addendum);
+    expect(result).toBe(`BASE\n\n${addendum}`);
+  });
+});
+
+// ── fetchAddendum (axios mocked) ─────────────────────────────────────────────
+
+describe('fetchAddendum', () => {
+  it('returns empty string when BLOCK_MCP_INSTRUCTIONS_OFF=1 (no HTTP call)', async () => {
+    process.env.BLOCK_MCP_INSTRUCTIONS_OFF = '1';
+    const result = await fetchAddendum('https://example.com');
+    expect(result).toBe('');
+    expect(vi.mocked(axios.get)).not.toHaveBeenCalled();
+  });
+
+  it('treats any value other than 1 in BLOCK_MCP_INSTRUCTIONS_OFF as off-not-set', async () => {
+    process.env.BLOCK_MCP_INSTRUCTIONS_OFF = '0';
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: 'hi' } });
+    const result = await fetchAddendum('https://example.com');
+    expect(result).toBe('hi');
+  });
+
+  it('issues GET to /wp-json/gk-block-api/v1/instructions', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: 'use info callout' } });
+    await fetchAddendum('https://example.com');
+    expect(vi.mocked(axios.get)).toHaveBeenCalledOnce();
+    const [url] = vi.mocked(axios.get).mock.calls[0]!;
+    expect(url).toBe('https://example.com/wp-json/gk-block-api/v1/instructions');
+  });
+
+  it('normalizes trailing slashes in the base URL', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: 'x' } });
+    await fetchAddendum('https://example.com///');
+    const [url] = vi.mocked(axios.get).mock.calls[0]!;
+    expect(url).toBe('https://example.com/wp-json/gk-block-api/v1/instructions');
+  });
+
+  it('passes a short timeout and JSON Accept header', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: 'x' } });
+    await fetchAddendum('https://example.com');
+    const [, config] = vi.mocked(axios.get).mock.calls[0]!;
+    expect(config).toBeDefined();
+    expect(config!.timeout).toBeGreaterThan(0);
+    expect(config!.timeout).toBeLessThanOrEqual(10_000);
+    expect(config!.headers).toMatchObject({ Accept: 'application/json' });
+  });
+
+  /**
+   * Pins the hardening from BLOCK-19 review: a compromised or misconfigured
+   * WP site must not be able to redirect us to a different origin.
+   * `maxRedirects: 0` makes axios surface any 3xx as an error which falls
+   * through to baseline-only via the existing catch path.
+   */
+  it('disables redirect following (maxRedirects: 0)', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: 'x' } });
+    await fetchAddendum('https://example.com');
+    const [, config] = vi.mocked(axios.get).mock.calls[0]!;
+    expect(config!.maxRedirects).toBe(0);
+  });
+
+  /**
+   * Pins the hardening from BLOCK-19 review: the HTTP layer must cap
+   * response body size before anything reaches `sanitizeAddendum`.
+   * Primary defense against unbounded payloads; sanitize is secondary.
+   */
+  it('caps response body size via maxContentLength', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: 'x' } });
+    await fetchAddendum('https://example.com');
+    const [, config] = vi.mocked(axios.get).mock.calls[0]!;
+    expect(typeof config!.maxContentLength).toBe('number');
+    // Headroom over MAX_ADDENDUM_LENGTH but well under a megabyte —
+    // 16 KB is the chosen value; assert a window so an intentional
+    // bump up or down doesn't silently break the contract.
+    expect(config!.maxContentLength).toBeGreaterThan(MAX_ADDENDUM_LENGTH);
+    expect(config!.maxContentLength).toBeLessThanOrEqual(64 * 1024);
+  });
+
+  /**
+   * Same-host enforcement at the HTTP layer: a 3xx response from the
+   * site (whatever the Location header points to) is treated as an
+   * error and we fall back to baseline-only.
+   */
+  it('treats a 302 redirect as a fetch failure', async () => {
+    const err = Object.assign(new Error('Maximum number of redirects exceeded'), {
+      isAxiosError: true,
+      code: 'ERR_FR_MAX_REDIRECTS_EXCEEDED',
+    });
+    vi.mocked(axios.get).mockRejectedValueOnce(err);
+    vi.mocked(axios.isAxiosError).mockReturnValue(true);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    expect(await fetchAddendum('https://example.com')).toBe('');
+    spy.mockRestore();
+  });
+
+  it('returns the sanitized addendum on success', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({
+      data: { addendum: 'A\x00B' },
+    });
+    const result = await fetchAddendum('https://example.com');
+    expect(result).toBe('AB');
+  });
+
+  it('truncates an overly long remote response to MAX_ADDENDUM_LENGTH', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({
+      data: { addendum: 'X'.repeat(MAX_ADDENDUM_LENGTH + 1000) },
+    });
+    const result = await fetchAddendum('https://example.com');
+    expect(result).toHaveLength(MAX_ADDENDUM_LENGTH);
+  });
+
+  it('strips Bidi overrides served by a compromised WP install', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({
+      data: { addendum: 'evil‮block' },
+    });
+    const result = await fetchAddendum('https://example.com');
+    expect(result).not.toContain('‮');
+  });
+
+  it('returns empty when the response is missing the addendum field', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { length: 0 } });
+    expect(await fetchAddendum('https://example.com')).toBe('');
+  });
+
+  it('returns empty when the response body is not an object', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: 'malformed' });
+    expect(await fetchAddendum('https://example.com')).toBe('');
+  });
+
+  it('returns empty when axios rejects (network error)', async () => {
+    vi.mocked(axios.get).mockRejectedValueOnce(new Error('ECONNREFUSED'));
+    // Suppress the stderr noise from the rejection log line.
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    expect(await fetchAddendum('https://example.com')).toBe('');
+    spy.mockRestore();
+  });
+
+  it('returns empty when the server replies non-2xx', async () => {
+    // axios with validateStatus throws on non-2xx by default; emulate that.
+    const err = Object.assign(new Error('Request failed with status code 500'), {
+      isAxiosError: true,
+      response: { status: 500, data: '' },
+    });
+    vi.mocked(axios.get).mockRejectedValueOnce(err);
+    vi.mocked(axios.isAxiosError).mockReturnValue(true);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    expect(await fetchAddendum('https://example.com')).toBe('');
+    spy.mockRestore();
+  });
+
+  it('never throws — every failure path returns empty', async () => {
+    vi.mocked(axios.get).mockImplementation(() => {
+      throw new Error('synchronous boom');
+    });
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    await expect(fetchAddendum('https://example.com')).resolves.toBe('');
+    spy.mockRestore();
+  });
+});
+
+// ── getInstructions (the public entry point) ─────────────────────────────────
+
+describe('getInstructions', () => {
+  it('returns baseline alone when the site is unreachable', async () => {
+    vi.mocked(axios.get).mockRejectedValueOnce(new Error('ENOTFOUND'));
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const result = await getInstructions('https://example.com');
+    expect(result).toBe(BASELINE);
+    spy.mockRestore();
+  });
+
+  it('returns baseline alone when BLOCK_MCP_INSTRUCTIONS_OFF=1', async () => {
+    process.env.BLOCK_MCP_INSTRUCTIONS_OFF = '1';
+    const result = await getInstructions('https://example.com');
+    expect(result).toBe(BASELINE);
+    expect(vi.mocked(axios.get)).not.toHaveBeenCalled();
+  });
+
+  it('returns baseline + addendum joined with a blank line', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({
+      data: { addendum: 'CUSTOM RULE: prefer is-style-callout-info.' },
+    });
+    const result = await getInstructions('https://example.com');
+    expect(result.startsWith(BASELINE)).toBe(true);
+    expect(result.endsWith('CUSTOM RULE: prefer is-style-callout-info.')).toBe(true);
+    expect(result).toContain('\n\nCUSTOM RULE');
+  });
+
+  it('returns baseline alone when the site returns empty addendum', async () => {
+    vi.mocked(axios.get).mockResolvedValueOnce({ data: { addendum: '' } });
+    expect(await getInstructions('https://example.com')).toBe(BASELINE);
+  });
+});
diff --git a/src/enrichers.ts b/src/enrichers.ts
index e224743..35212e0 100644
--- a/src/enrichers.ts
+++ b/src/enrichers.ts
@@ -201,46 +201,88 @@ registerBlockEnricher('kevinbatdorf/code-block-pro', async (block) => {
   const code = attrs.code as string | undefined;
   if (!code) return null;
 
-  const rawLang = ((attrs.language as string) || 'plaintext').toLowerCase();
-  const { langs } = await getHighlighter();
-
-  const lang = (rawLang === 'plaintext' || rawLang === 'text' || rawLang === '')
+  // Three caller intents on `language`:
+  //   • Missing / '' / 'auto'      → run inferLanguage()
+  //   • 'plaintext' (and aliases)  → render as plaintext, NO inference
+  //   • Any other string           → use it verbatim (caller knows the language)
+  //
+  // Earlier the enricher collapsed missing + 'plaintext' into "infer", which
+  // surprised callers passing 'plaintext' for prose. A chat prompt with the
+  // word "from" appearing twice tripped the SQL signal in inferLanguage() and
+  // rendered as syntax-highlighted SQL.
+  const rawLangAttr = typeof attrs.language === 'string' ? (attrs.language as string).trim() : '';
+  const rawLang = rawLangAttr.toLowerCase();
+  const PLAINTEXT_ALIASES = new Set(['plaintext', 'text', 'plain', 'txt', 'none']);
+  const shouldInfer = rawLang === '' || rawLang === 'auto';
+  const lang = shouldInfer
     ? inferLanguage(code)
-    : rawLang;
+    : (PLAINTEXT_ALIASES.has(rawLang) ? 'plaintext' : rawLang);
+
+  const { langs } = await getHighlighter();
   const effectiveLang = langs.has(lang) ? lang : 'plaintext';
 
   const themeName = (attrs.theme as string | undefined) || undefined;
   const codeHTML = await shikiHighlight(code, effectiveLang, themeName);
   const highestLineNumber = code.split('\n').length;
-  if (codeHTML === attrs.codeHTML && lang === rawLang) return null;
+  const incomingInnerHTML = block.innerHTML ?? '';
+  // Bail out only when nothing meaningful has changed AND innerHTML is already
+  // populated. An empty incomingInnerHTML always falls through so the wrapper
+  // gets built below, even if codeHTML matches a previously-stored attribute.
+  if (codeHTML === attrs.codeHTML && lang === rawLang && incomingInnerHTML !== '') {
+    return null;
+  }
 
   const updatedAttrs = { ...attrs, language: lang, codeHTML, highestLineNumber };
 
-  // CBP is dual-storage: codeHTML is embedded verbatim inside innerHTML. When
-  // innerHTML is provided, replace the <pre class="shiki"> portion in-place and
-  // update the copy-button <textarea> so both match the new code.
-  let updatedInnerHTML = block.innerHTML;
-  if (updatedInnerHTML) {
-    updatedInnerHTML = updatedInnerHTML.replace(
+  // Encode `&`, `<`, `>` before injecting raw source code into the
+  // copy-button <textarea>'s text content. A literal `</textarea>` in the
+  // source would otherwise close the element early and corrupt innerHTML.
+  const encodedCode = code
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+
+  // CBP is dual-storage: codeHTML lives both as an attribute (for the editor)
+  // and inside innerHTML (the rendered widget served on the front-end).
+  //   • innerHTML already exists → replace the <pre class="shiki"> portion
+  //     in-place and re-sync the copy-button <textarea> contents.
+  //   • innerHTML is empty       → build a minimal wrapper from scratch so the
+  //     block actually renders. Without this branch, a CBP block inserted via
+  //     the API saves the codeHTML attribute but emits no visible HTML — the
+  //     post renders a blank gap where the code should be.
+  let updatedInnerHTML: string;
+  if (incomingInnerHTML !== '') {
+    updatedInnerHTML = incomingInnerHTML.replace(
       /<pre class="shiki[\s\S]*?<\/pre>/,
-      codeHTML
+      codeHTML,
     );
-    // Encode `&`, `<`, `>` before injecting raw source code into the
-    // <textarea>'s text content. A literal `</textarea>` in the source
-    // would otherwise close the element early and corrupt innerHTML.
-    const encoded = code
-      .replace(/&/g, '&amp;')
-      .replace(/</g, '&lt;')
-      .replace(/>/g, '&gt;');
     updatedInnerHTML = updatedInnerHTML.replace(
       /(<textarea[^>]*>)([\s\S]*?)(<\/textarea>)/,
-      (_m, open, _old, close) => `${open}${encoded}${close}`
+      (_m, open, _old, close) => `${open}${encodedCode}${close}`,
     );
+  } else {
+    // Mirror CBP's save() inline style attribute. Without these the wrapper
+    // falls back to theme defaults and the code uses the surrounding font /
+    // colour, breaking visual parity with editor-created blocks.
+    const styleParts: string[] = [];
+    if (typeof attrs.fontFamily === 'string') styleParts.push(`font-family:${attrs.fontFamily}`);
+    if (typeof attrs.fontSize === 'string') styleParts.push(`font-size:${attrs.fontSize}`);
+    if (typeof attrs.lineHeight === 'string') styleParts.push(`line-height:${attrs.lineHeight}`);
+    if (typeof attrs.bgColor === 'string') styleParts.push(`background-color:${attrs.bgColor}`);
+    if (typeof attrs.textColor === 'string') styleParts.push(`color:${attrs.textColor}`);
+    const styleAttr = styleParts.length ? ` style="${styleParts.join(';')}"` : '';
+    const classNameExtra = typeof attrs.className === 'string' && (attrs.className as string).trim() !== ''
+      ? ` ${(attrs.className as string).trim()}`
+      : '';
+    const copyTextarea = attrs.copyButton
+      ? `<textarea style="display:none" aria-hidden="true">${encodedCode}</textarea>`
+      : '';
+    updatedInnerHTML = `<div class="wp-block-kevinbatdorf-code-block-pro${classNameExtra}"${styleAttr}>${codeHTML}${copyTextarea}</div>`;
   }
 
   return {
     ...block,
     attributes: updatedAttrs,
-    ...(updatedInnerHTML !== block.innerHTML ? { innerHTML: updatedInnerHTML } : {}),
+    innerHTML: updatedInnerHTML,
   };
 });
diff --git a/src/index.ts b/src/index.ts
index 39347d5..d3467a6 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -33,6 +33,7 @@ import {
   GetPromptRequestSchema,
 } from '@modelcontextprotocol/sdk/types.js';
 import { WordPressBlockClient } from './client.js';
+import { getInstructions } from './instructions.js';
 import { DISCOVERY_TOOLS, handleDiscoveryTool } from './tools/discovery.js';
 import { READ_TOOLS, handleReadTool } from './tools/read.js';
 import { WRITE_TOOLS, handleWriteTool } from './tools/write.js';
@@ -85,29 +86,18 @@ const client = new WordPressBlockClient({
 });
 
 // ============================================
-// Create MCP server
-// ============================================
-
-const server = new McpServer(
-  {
-    name: 'block-mcp',
-    version: pkg.version,
-  },
-  {
-    capabilities: {
-      tools: {},
-      resources: {},
-      prompts: {},
-    },
-    instructions:
-      `Block-level WordPress CRUD. URL → post_id is resolved server-side — pass URLs directly to get_page_blocks / resolve_url; never shell out to curl or wp-json.
-
-After a write, the response already includes the canonical post-save snapshot (\`saved.inner_html\` + \`saved.attributes\` on update_block; \`saved\` per result on update_blocks with \`verbose:true\`). Use that for verification — do not fetch the public page to confirm edits. If you need a single-block re-read later, call get_block(ref) — same shape, no extra plumbing.
-
-Tier policy is per-site config, surfaced inline (block.preference) and via list_block_types. Read block-mcp://agent-guide for the editing workflow.`,
-  }
-);
-
+// MCP server construction is deferred to main() so the per-site
+// instructions addendum can be fetched from WordPress before the
+// `McpServer` constructor is called. Constructing once with the final
+// instructions string uses the SDK's public API; an earlier draft
+// mutated `server.server._instructions` post-construction, which
+// depended on a private SDK field and would silently degrade to
+// baseline-only if the field were ever renamed.
+//
+// The baseline string is imported from `./instructions.ts` and combined
+// with the remote addendum inside main(). All request handlers are
+// registered in `registerHandlers(server)` (defined below) which main()
+// calls after constructing the server.
 // ============================================
 // Aggregate all tool definitions
 // ============================================
@@ -227,9 +217,17 @@ How to behave:
 - When you encounter legacy blocks on a page during a read, note them but do not replace unless asked.`;
 
 // ============================================
-// Handler: List tools
+// Handler registration
+//
+// All request handlers run on the server passed in by main(). Keeping
+// this in a function instead of running at module scope means the
+// server can be constructed AFTER fetching the per-site instructions
+// addendum (otherwise we'd have to mutate the SDK's private
+// `_instructions` field — see the construction note above).
 // ============================================
 
+function registerHandlers(server: McpServer): void {
+
 server.server.setRequestHandler(ListToolsRequestSchema, async () => {
   return { tools: ALL_TOOLS };
 });
@@ -395,11 +393,37 @@ server.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
   };
 });
 
+} // end registerHandlers
+
 // ============================================
 // Start the server
 // ============================================
 
 async function main(): Promise<void> {
+  // Fetch the per-site instructions addendum BEFORE constructing the
+  // server so the initialize handshake includes the combined string
+  // from the start — no post-construction mutation of SDK internals.
+  // `getInstructions` never throws: on any failure it logs to stderr
+  // and returns the baseline only.
+  const instructions = await getInstructions(WORDPRESS_URL as string);
+
+  const server = new McpServer(
+    {
+      name: 'block-mcp',
+      version: pkg.version,
+    },
+    {
+      capabilities: {
+        tools: {},
+        resources: {},
+        prompts: {},
+      },
+      instructions,
+    }
+  );
+
+  registerHandlers(server);
+
   const transport = new StdioServerTransport();
   await server.connect(transport);
   console.error('Block MCP Server running on stdio');
diff --git a/src/instructions.ts b/src/instructions.ts
new file mode 100644
index 0000000..99c654d
--- /dev/null
+++ b/src/instructions.ts
@@ -0,0 +1,270 @@
+/**
+ * Per-site `serverInfo.instructions` assembly (BLOCK-19).
+ *
+ * The MCP server ships a hard-coded baseline string in `BASELINE`. At
+ * startup, the server fetches an admin-editable addendum from the
+ * connected WordPress site via `GET /gk-block-api/v1/instructions` and
+ * appends it to the baseline. The combined string is passed to the
+ * `McpServer` constructor's `instructions` field, where the MCP SDK
+ * surfaces it to clients during the initialize handshake.
+ *
+ * Two opt-out paths:
+ *
+ * - The fetch wraps every step in try/catch and falls back to baseline-
+ *   only on any failure (DNS, timeout, 404, 5xx, malformed JSON). The
+ *   server never blocks startup on the fetch.
+ * - The `BLOCK_MCP_INSTRUCTIONS_OFF=1` env var skips the fetch entirely
+ *   — useful for offline testing and isolation.
+ *
+ * Threat model: the remote addendum comes from the WP options table and
+ * is sanitized server-side, but a compromised WP install could still
+ * push malicious instructions. This module performs defense-in-depth
+ * sanitization (length cap, control-char strip, suspicious-pattern
+ * filter) before passing the value to the SDK. The primary control
+ * remains "don't connect Block MCP to a WP site you don't trust."
+ */
+
+import axios, { AxiosError } from 'axios';
+
+/**
+ * The baseline instructions string.
+ *
+ * This is the canonical, version-controlled guidance every MCP client
+ * receives, regardless of which WordPress site the server connects to.
+ * Site-specific rules go in the WP option served by `/instructions`.
+ *
+ * Kept verbatim in sync with the inline literal that previously lived
+ * at `src/index.ts:102-107` so existing clients see no change in
+ * behaviour when no addendum is set.
+ */
+export const BASELINE = `Block-level WordPress CRUD. URL → post_id is resolved server-side — pass URLs directly to get_page_blocks / resolve_url; never shell out to curl or wp-json.
+
+After a write, the response already includes the canonical post-save snapshot (\`saved.inner_html\` + \`saved.attributes\` on update_block; \`saved\` per result on update_blocks with \`verbose:true\`). Use that for verification — do not fetch the public page to confirm edits. If you need a single-block re-read later, call get_block(ref) — same shape, no extra plumbing.
+
+Tier policy is per-site config, surfaced inline (block.preference) and via list_block_types. Read block-mcp://agent-guide for the editing workflow.`;
+
+/**
+ * Server-side cap on the addendum length. Mirrors `Instructions::MAX_LENGTH`
+ * in the PHP plugin. Truncation is silent — `McpServer` doesn't care, and
+ * surfacing an error would block startup over a value that's already on
+ * the wire.
+ */
+export const MAX_ADDENDUM_LENGTH = 2000;
+
+/**
+ * Timeout for the addendum fetch. Short, because we don't want startup
+ * to feel laggy when the site is offline — falling back to baseline-only
+ * is preferable to hanging.
+ */
+const FETCH_TIMEOUT_MS = 3000;
+
+/**
+ * Hard cap on the response body axios accepts from `/instructions`.
+ *
+ * The expected payload is `{ addendum, length, max_length, updated_at }`
+ * where `addendum` is at most `MAX_ADDENDUM_LENGTH` characters. With
+ * 4-byte UTF-8 codepoints and the JSON envelope, the realistic ceiling
+ * is well under 10 KB. Capping at 16 KB gives generous headroom while
+ * making a compromised or malicious WP site unable to push an unbounded
+ * stream of bytes at us (slowloris-style DoS, memory pressure).
+ *
+ * The HTTP-layer cap is the primary defense; `sanitizeAddendum` is the
+ * secondary defense. Both stay in place.
+ */
+const FETCH_MAX_BYTES = 16 * 1024;
+
+/**
+ * Env var that disables the fetch entirely. Useful for offline tests,
+ * isolation, or when running against an internal site whose admin you
+ * don't trust to manage the addendum.
+ */
+const OFF_ENV_VAR = 'BLOCK_MCP_INSTRUCTIONS_OFF';
+
+/**
+ * Response envelope from `GET /gk-block-api/v1/instructions`.
+ *
+ * `length` and `max_length` are advisory — the TypeScript side re-checks
+ * the actual addendum string and enforces its own truncation.
+ */
+export interface InstructionsResponse {
+  addendum: string;
+  length?: number;
+  max_length?: number;
+  updated_at?: number;
+}
+
+/**
+ * Sanitize a remote addendum before handing it to the MCP SDK.
+ *
+ * Defense in depth — the PHP side already does most of this, but we
+ * cannot assume the WordPress install has the plugin version that
+ * sanitizes on the read path. Steps:
+ *
+ * 1. Cast to string; non-strings (objects, arrays, null) return empty.
+ * 2. Strip ASCII C0 control characters except `\t` (tab), `\n` (LF),
+ *    `\r` (CR) — same set the PHP side keeps.
+ * 3. Strip the DEL character (`\x7F`).
+ * 4. Strip the unicode Bidi override and zero-width characters that
+ *    have been used in prompt-injection PoCs to hide text from human
+ *    review while still being visible to the LLM.
+ * 5. Normalize CRLF/CR to LF.
+ * 6. Trim outer whitespace.
+ * 7. Truncate to `MAX_ADDENDUM_LENGTH` characters.
+ */
+export function sanitizeAddendum(input: unknown): string {
+  if (typeof input !== 'string') {
+    return '';
+  }
+  let s = input;
+
+  // ASCII C0/C1 control chars except tab/LF/CR + DEL.
+  s = s.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
+
+  // Unicode Bidi overrides + zero-width chars. These render invisibly in
+  // some clients but still reach the LLM tokenizer, making them a
+  // prompt-injection vector. Stripped via explicit escape sequences so
+  // the source is readable and the set is unambiguous.
+  //
+  //   U+200B  ZERO WIDTH SPACE
+  //   U+200C  ZERO WIDTH NON-JOINER
+  //   U+200D  ZERO WIDTH JOINER
+  //   U+2060  WORD JOINER
+  //   U+FEFF  ZERO WIDTH NO-BREAK SPACE / BOM
+  //   U+202A..U+202E LRE/RLE/PDF/LRO/RLO Bidi overrides
+  //   U+2066..U+2069 LRI/RLI/FSI/PDI Bidi isolates
+  s = s.replace(/[\u200B-\u200D\u2060\uFEFF\u202A-\u202E\u2066-\u2069]/g, '');
+
+  // CRLF / CR → LF.
+  s = s.replace(/\r\n?/g, '\n');
+
+  s = s.trim();
+
+  // Count and slice by Unicode code points, NOT UTF-16 code units, so an
+  // astral character (emoji, rare CJK, math symbol) is never split mid
+  // surrogate pair — which would leave the tail as an unpaired surrogate
+  // that downstream JSON serializers either reject or mangle. Matches
+  // the server's `mb_strlen($s, 'UTF-8')` semantics.
+  const codePoints = Array.from(s);
+  if (codePoints.length > MAX_ADDENDUM_LENGTH) {
+    s = codePoints.slice(0, MAX_ADDENDUM_LENGTH).join('');
+  }
+
+  return s;
+}
+
+/**
+ * Combine the baseline with an optional addendum into the final string
+ * passed to `McpServer`. When the addendum is empty, returns the
+ * baseline unchanged — clients that don't customize see no marker
+ * polluting the handshake.
+ *
+ * Two newlines between baseline and addendum so markdown renderers in
+ * MCP clients see them as separate paragraphs / sections.
+ */
+export function combineInstructions(baseline: string, addendum: string): string {
+  const clean = addendum.trim();
+  if (clean.length === 0) {
+    return baseline;
+  }
+  return `${baseline}\n\n${clean}`;
+}
+
+/**
+ * Fetch the addendum from the WordPress site's `/instructions` endpoint.
+ *
+ * Public, unauthenticated request (the endpoint is public-by-design).
+ * On any failure — network error, non-200 response, malformed JSON,
+ * missing addendum field — returns an empty string. Logs the cause to
+ * stderr so admins can debug, but never throws.
+ *
+ * Honors `BLOCK_MCP_INSTRUCTIONS_OFF=1` by returning empty immediately
+ * (no HTTP call).
+ *
+ * @param wordpressUrl  Base URL of the WordPress site (no trailing slash
+ *                      enforced — the function normalizes both forms).
+ */
+export async function fetchAddendum(wordpressUrl: string): Promise<string> {
+  if (process.env[OFF_ENV_VAR] === '1') {
+    return '';
+  }
+
+  // Normalize trailing slash and resolve relative to wp-json.
+  const base = wordpressUrl.replace(/\/+$/, '');
+  const url = `${base}/wp-json/gk-block-api/v1/instructions`;
+
+  try {
+    const response = await axios.get<InstructionsResponse>(url, {
+      timeout: FETCH_TIMEOUT_MS,
+      // Disable axios's automatic redirect following entirely. Without
+      // this, a compromised or misconfigured WP site could redirect us
+      // to a different origin (an exfil endpoint, an SSRF target on the
+      // internal network, etc.). Admins should configure
+      // WORDPRESS_URL with the canonical scheme + host so the first
+      // hop returns 200 directly. If the site needs an HTTP → HTTPS
+      // redirect, fix the env var instead of relying on axios to
+      // follow it for us.
+      //
+      // The corollary is a 3xx response now surfaces as an axios
+      // error and we fall back to baseline-only. Logged to stderr.
+      maxRedirects: 0,
+      // Hard cap the response body size. Primary defense against an
+      // unbounded payload — `sanitizeAddendum` still truncates after,
+      // but we never want raw bytes past this cap to hit our process.
+      maxContentLength: FETCH_MAX_BYTES,
+      // Lower-case Accept so caches see a stable Vary key.
+      headers: {
+        Accept: 'application/json',
+      },
+      // We treat 2xx as success; 3xx (any redirect) and 4xx/5xx fall
+      // back to empty via the catch block.
+      validateStatus: (status) => status >= 200 && status < 300,
+    });
+
+    if (!response.data || typeof response.data !== 'object') {
+      console.error(
+        `[block-mcp] /instructions returned non-object payload; using baseline only.`
+      );
+      return '';
+    }
+
+    return sanitizeAddendum(response.data.addendum);
+  } catch (err) {
+    // Don't crash startup — empty addendum, log to stderr, continue.
+    const message = formatFetchError(err);
+    console.error(`[block-mcp] Failed to fetch /instructions (${message}); using baseline only.`);
+    return '';
+  }
+}
+
+/**
+ * Convenience helper: fetch + combine in one call. The default entry
+ * point used by `src/index.ts`.
+ */
+export async function getInstructions(wordpressUrl: string): Promise<string> {
+  const addendum = await fetchAddendum(wordpressUrl);
+  return combineInstructions(BASELINE, addendum);
+}
+
+/**
+ * Map axios / network errors into a short stderr message. Kept private
+ * because callers shouldn't depend on the exact wording.
+ */
+function formatFetchError(err: unknown): string {
+  if (axios.isAxiosError(err)) {
+    const axiosErr = err as AxiosError;
+    if (axiosErr.code === 'ECONNABORTED' || axiosErr.message.includes('timeout')) {
+      return `timeout after ${FETCH_TIMEOUT_MS}ms`;
+    }
+    if (axiosErr.response) {
+      return `HTTP ${axiosErr.response.status}`;
+    }
+    if (axiosErr.code) {
+      return axiosErr.code;
+    }
+    return axiosErr.message;
+  }
+  if (err instanceof Error) {
+    return err.message;
+  }
+  return String(err);
+}
diff --git a/wordpress-plugin/gk-block-api/gk-block-api.php b/wordpress-plugin/gk-block-api/gk-block-api.php
index f643e12..5a8c405 100644
--- a/wordpress-plugin/gk-block-api/gk-block-api.php
+++ b/wordpress-plugin/gk-block-api/gk-block-api.php
@@ -3,7 +3,7 @@
  * Plugin Name: GK Block API
  * Plugin URI: https://www.gravitykit.com
  * Description: REST API for block-level CRUD operations with smart preferences for AI agents.
- * Version: 1.6.1
+ * Version: 1.7.0
  * Author: GravityKit
  * Author URI: https://www.gravitykit.com
  * License: GPL-2.0-or-later
@@ -23,7 +23,7 @@
 	exit;
 }
 
-define( 'GK_BLOCK_API_VERSION', '1.6.1' );
+define( 'GK_BLOCK_API_VERSION', '1.7.0' );
 define( 'GK_BLOCK_API_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 define( 'GK_BLOCK_API_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 
diff --git a/wordpress-plugin/gk-block-api/includes/class-instructions.php b/wordpress-plugin/gk-block-api/includes/class-instructions.php
new file mode 100644
index 0000000..886b9a8
--- /dev/null
+++ b/wordpress-plugin/gk-block-api/includes/class-instructions.php
@@ -0,0 +1,261 @@
+<?php
+/**
+ * Per-site MCP server Instructions addendum.
+ *
+ * Stores an admin-editable string that the TypeScript MCP server appends to
+ * its hard-coded baseline when constructing `serverInfo.instructions` at
+ * initialize. Lets a site encode conventions (callout className mapping,
+ * code-block theme, doc structure rules) once and have every connected
+ * client receive them without re-discovery.
+ *
+ * @package GravityKit\BlockAPI
+ */
+
+namespace GravityKit\BlockAPI;
+
+// Exit if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * Class Instructions
+ */
+class Instructions {
+
+	/**
+	 * WP option key. Public read via the REST endpoint by design — the value
+	 * reaches every connected MCP client at handshake. Admins MUST NOT put
+	 * secrets in this field; UI copy warns about this.
+	 */
+	const OPTION_KEY = 'gk_block_api_instructions';
+
+	/**
+	 * Companion option tracking the last update timestamp (unix seconds).
+	 * Stored separately so REST callers can `If-Modified-Since` without
+	 * parsing the value, and so wipe-on-empty still emits a fresh timestamp.
+	 */
+	const UPDATED_AT_OPTION = 'gk_block_api_instructions_updated_at';
+
+	/**
+	 * Maximum allowed length, counted in UTF-8 characters (not bytes).
+	 * Hard-enforced on save and again on the REST read path as defense in
+	 * depth. All length checks and truncations use `mb_strlen` /
+	 * `mb_substr` with the `'UTF-8'` encoding so multibyte input (emoji,
+	 * CJK, accented Latin) isn't split mid-codepoint.
+	 *
+	 * Sized to roughly 500 tokens of English text — small enough to be a
+	 * cheap addition to every LLM session, big enough for a useful rules
+	 * list (callout mapping + code-block conventions + 5–10 bulleted rules
+	 * fits comfortably).
+	 */
+	const MAX_LENGTH = 2000;
+
+	/**
+	 * Rate-limit window for the public REST endpoint (requests per minute
+	 * per remote IP). Deters scraping without affecting legitimate clients,
+	 * which cache at `max-age=60` and hit the endpoint once per session.
+	 */
+	const RATE_LIMIT_PER_MIN = 30;
+
+	/**
+	 * Return the stored addendum, sanitized at read time as belt-and-braces.
+	 *
+	 * Sanitizing on read AND write protects against options written by code
+	 * that bypassed our sanitize_callback (direct `update_option` from a
+	 * sibling plugin, a database restore from an older schema, etc.).
+	 *
+	 * @return string Empty string when no addendum is set.
+	 */
+	public static function get_addendum(): string {
+		$raw = (string) get_option( self::OPTION_KEY, '' );
+		if ( '' === $raw ) {
+			return '';
+		}
+		return self::sanitize( $raw );
+	}
+
+	/**
+	 * Return the timestamp (unix seconds) of the last successful save.
+	 *
+	 * Zero when no value has ever been saved. Independent of the addendum
+	 * value so callers can distinguish "never set" (0) from "explicitly
+	 * cleared" (>0 with empty addendum).
+	 *
+	 * @return int
+	 */
+	public static function get_updated_at(): int {
+		return (int) get_option( self::UPDATED_AT_OPTION, 0 );
+	}
+
+	/**
+	 * Save the addendum. Sanitizes input, enforces length cap, updates the
+	 * companion timestamp atomically.
+	 *
+	 * @param mixed $value Raw input.
+	 *
+	 * @return true|\WP_Error True on success; WP_Error('addendum_too_long')
+	 *                       when input exceeds MAX_LENGTH even after sanitize.
+	 */
+	public static function set_addendum( $value ) {
+		$clean = self::sanitize( $value );
+
+		// Length check fires after sanitize so HTML/shortcode stripping
+		// doesn't accidentally push a 1990-char input over the limit; the
+		// 2000-char budget is the post-sanitize character count that
+		// reaches clients. `mb_strlen` counts UTF-8 codepoints so emoji
+		// and CJK don't blow the cap on byte-length alone.
+		if ( mb_strlen( $clean, 'UTF-8' ) > self::MAX_LENGTH ) {
+			return new \WP_Error(
+				'addendum_too_long',
+				sprintf(
+					/* translators: 1: max length, 2: submitted length */
+					__( 'Instructions addendum is too long: %2$d characters (max %1$d).', 'gk-block-api' ),
+					self::MAX_LENGTH,
+					mb_strlen( $clean, 'UTF-8' )
+				),
+				array( 'status' => 400 )
+			);
+		}
+
+		update_option( self::OPTION_KEY, $clean, false );
+		update_option( self::UPDATED_AT_OPTION, time(), false );
+		return true;
+	}
+
+	/**
+	 * Sanitize an addendum value.
+	 *
+	 * Strips HTML tags, PHP, shortcodes, and ASCII control characters
+	 * (except newline/tab — kept so markdown bullets and indentation
+	 * survive). Truncates to MAX_LENGTH as defense in depth.
+	 *
+	 * What this does NOT do:
+	 *
+	 * - Render markdown. Output is sent verbatim to MCP clients which
+	 *   handle their own rendering.
+	 * - Strip unicode control characters beyond the C0/C1 ASCII ranges.
+	 *   The TypeScript side does an additional pass for those (Bidi marks,
+	 *   zero-width chars) where they have higher prompt-injection signal.
+	 *
+	 * @param mixed $value Raw input.
+	 *
+	 * @return string Sanitized string (may be empty).
+	 */
+	public static function sanitize( $value ): string {
+		if ( is_array( $value ) || is_object( $value ) ) {
+			return '';
+		}
+		$str = (string) $value;
+		if ( '' === $str ) {
+			return '';
+		}
+
+		// Strip HTML/PHP tags first — `sanitize_textarea_field()` does this
+		// internally but also nukes newlines we want to keep, so do it
+		// manually. `wp_strip_all_tags( $str, false )` does NOT collapse
+		// whitespace (the second arg defaults true and we override).
+		$str = wp_strip_all_tags( $str, false );
+
+		// Strip WordPress shortcodes. Defense against an admin pasting
+		// `[do_something]` and being surprised when it doesn't execute.
+		// It cannot — we never call `do_shortcode()` on this value — but
+		// stripping eliminates the question.
+		$str = strip_shortcodes( $str );
+
+		// Strip C0 control characters except \t (0x09), \n (0x0A), \r (0x0D)
+		// — those are needed for markdown indentation and bullet lists.
+		// Also strips the DEL character (0x7F).
+		$str = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $str );
+
+		// Normalize CRLF / CR line endings to LF. Saves one branch on the
+		// TypeScript side and matches MCP client expectations.
+		$str = str_replace( array( "\r\n", "\r" ), "\n", (string) $str );
+
+		// Trim outer whitespace — leading/trailing newlines from a paste
+		// don't carry meaning and waste budget.
+		$str = trim( $str );
+
+		// Length cap last so it operates on the post-sanitize size. Use
+		// the multibyte variants so a truncation never lands inside a
+		// UTF-8 codepoint sequence (which would produce a mojibake tail
+		// and could break a downstream client's JSON parser).
+		if ( mb_strlen( $str, 'UTF-8' ) > self::MAX_LENGTH ) {
+			$str = mb_substr( $str, 0, self::MAX_LENGTH, 'UTF-8' );
+		}
+
+		return $str;
+	}
+
+	/**
+	 * Sanitize callback for `register_setting()`.
+	 *
+	 * Wraps `sanitize()` + length cap so the Settings API does the right
+	 * thing on form submit without the caller needing to know about
+	 * `set_addendum()`. Over-length input is silently truncated here (no
+	 * way to surface a WP_Error through the Settings API on a per-field
+	 * basis without `add_settings_error()`, which the rest of this plugin
+	 * doesn't use).
+	 *
+	 * @param mixed $value Raw input from $_POST.
+	 *
+	 * @return string
+	 */
+	public static function sanitize_callback( $value ): string {
+		$clean = self::sanitize( $value );
+
+		// Touch the timestamp option so REST consumers see the save even
+		// when the value didn't change (admins re-saving to refresh).
+		update_option( self::UPDATED_AT_OPTION, time(), false );
+
+		return $clean;
+	}
+
+	/**
+	 * Check (and record) the per-IP rate limit for the public read endpoint.
+	 *
+	 * Uses a 60-second sliding-window transient keyed by the remote IP. Each
+	 * call records the current timestamp; when the count within the last 60s
+	 * exceeds RATE_LIMIT_PER_MIN, returns false (caller should respond 429).
+	 *
+	 * @param string $ip Remote IP from REST_Server::get_raw_data() context
+	 *                   (caller passes `$_SERVER['REMOTE_ADDR']`).
+	 *
+	 * @return bool True when the request is permitted (rate budget remains);
+	 *              false when the budget is exhausted.
+	 */
+	public static function check_rate_limit( string $ip ): bool {
+		// IP is opaque to us — only used as a transient key. Hash so the
+		// raw IP doesn't sit in the options table (PII minimization), and
+		// to keep the key short and bounded (IPv6 strings can hit 39
+		// chars; the hash is 12).
+		$key = 'gk_block_api_instr_rl_' . substr( hash( 'sha256', $ip ), 0, 12 );
+
+		$now    = time();
+		$window = 60;
+		$bucket = get_transient( $key );
+		if ( ! is_array( $bucket ) ) {
+			$bucket = array();
+		}
+
+		// Drop entries outside the rolling window.
+		$bucket = array_values(
+			array_filter(
+				$bucket,
+				static function ( $ts ) use ( $now, $window ) {
+					return is_numeric( $ts ) && ( $now - (int) $ts ) < $window;
+				}
+			)
+		);
+
+		if ( count( $bucket ) >= self::RATE_LIMIT_PER_MIN ) {
+			return false;
+		}
+
+		$bucket[] = $now;
+		// Slightly longer TTL than the window so the bucket survives until
+		// every entry has aged out, even if no further request lands.
+		set_transient( $key, $bucket, $window * 2 );
+		return true;
+	}
+}
diff --git a/wordpress-plugin/gk-block-api/includes/class-rest-controller.php b/wordpress-plugin/gk-block-api/includes/class-rest-controller.php
index c562a99..8933266 100644
--- a/wordpress-plugin/gk-block-api/includes/class-rest-controller.php
+++ b/wordpress-plugin/gk-block-api/includes/class-rest-controller.php
@@ -909,6 +909,22 @@ public function register_routes() {
 				'permission_callback' => array( $this, 'check_upload_permissions' ),
 			)
 		);
+
+		// Per-site MCP serverInfo instructions addendum. PUBLIC: the value
+		// reaches every connected MCP client at handshake before any
+		// tool-call auth, so this endpoint must be readable unauthenticated.
+		// Rate-limited at Instructions::RATE_LIMIT_PER_MIN per IP to deter
+		// scraping. Admins MUST NOT put secrets in the option value; the UI
+		// copy on the settings page warns about this.
+		register_rest_route(
+			self::NAMESPACE,
+			'/instructions',
+			array(
+				'methods'             => \WP_REST_Server::READABLE,
+				'callback'            => array( $this, 'get_instructions' ),
+				'permission_callback' => '__return_true',
+			)
+		);
 	}
 
 	/**
@@ -961,6 +977,66 @@ public function check_upload_permissions() {
 		return true;
 	}
 
+	/**
+	 * GET /instructions — serve the site's MCP serverInfo addendum.
+	 *
+	 * Public endpoint by design. The MCP server fetches this at startup
+	 * (before any tool call), combines with its hard-coded baseline, and
+	 * passes the result to `McpServer`'s `instructions` field.
+	 *
+	 * Response shape: `{ addendum, length, max_length, updated_at }`. Empty
+	 * addendum is returned as an empty string (NOT 404) so the client
+	 * doesn't have to special-case missing-vs-empty.
+	 *
+	 * Cache-Control: `public, max-age=60` — fresh enough that admin edits
+	 * land quickly in dev; long enough that legitimate clients don't hammer
+	 * the endpoint. Caller-side cache key is the WordPress URL + path.
+	 *
+	 * @param \WP_REST_Request $request Request object.
+	 *
+	 * @return \WP_REST_Response|\WP_Error
+	 */
+	public function get_instructions( $request ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found -- WP_REST_Server requires the request object on every callback signature even when the route has no params.
+		try {
+			$ip = isset( $_SERVER['REMOTE_ADDR'] )
+				? sanitize_text_field( wp_unslash( (string) $_SERVER['REMOTE_ADDR'] ) )
+				: '';
+
+			if ( '' !== $ip && ! Instructions::check_rate_limit( $ip ) ) {
+				return new \WP_Error(
+					'rate_limit_exceeded',
+					__( 'Too many requests. Try again in a minute.', 'gk-block-api' ),
+					array( 'status' => 429 )
+				);
+			}
+
+			$addendum   = Instructions::get_addendum();
+			$updated_at = Instructions::get_updated_at();
+
+			$response = rest_ensure_response(
+				array(
+					'addendum'   => $addendum,
+					// `length` reports UTF-8 character count to match
+					// Instructions::MAX_LENGTH semantics (also characters,
+					// not bytes). Clients comparing the two stay
+					// apples-to-apples.
+					'length'     => mb_strlen( $addendum, 'UTF-8' ),
+					'max_length' => Instructions::MAX_LENGTH,
+					'updated_at' => $updated_at,
+				)
+			);
+
+			// Short TTL public cache. Surrogates and reverse proxies are
+			// welcome to cache; private intermediaries should not because
+			// every visitor receives the same payload.
+			$response->header( 'Cache-Control', 'public, max-age=60' );
+
+			return $response;
+		} catch ( \Throwable $e ) {
+			return $this->handle_error( $e );
+		}
+	}
+
 	// =========================================================================
 	// v1.2 — Docs lifecycle handlers.
 	// =========================================================================
diff --git a/wordpress-plugin/gk-block-api/includes/class-settings-page.php b/wordpress-plugin/gk-block-api/includes/class-settings-page.php
index 5049b15..7e2f913 100644
--- a/wordpress-plugin/gk-block-api/includes/class-settings-page.php
+++ b/wordpress-plugin/gk-block-api/includes/class-settings-page.php
@@ -116,7 +116,21 @@ public function register_settings() {
 			)
 		);
 
-		// 4. Global media-uploads kill-switch. Stored as the string '0' or
+		// 4. MCP server instructions addendum (BLOCK-19).
+		// Stored as a plain-text string. The Instructions class handles
+		// sanitize + length-cap + timestamp; the REST endpoint serves it
+		// unauthenticated to MCP clients at handshake.
+		register_setting(
+			self::OPTION_GROUP,
+			Instructions::OPTION_KEY,
+			array(
+				'type'              => 'string',
+				'sanitize_callback' => array( Instructions::class, 'sanitize_callback' ),
+				'default'           => '',
+			)
+		);
+
+		// 5. Global media-uploads kill-switch. Stored as the string '0' or
 		// '1' rather than a PHP bool because update_option() can't
 		// reliably persist boolean false when the option is missing
 		// (the equality check against the "doesn't exist → false" default
@@ -298,6 +312,8 @@ public function handle_reset() {
 		delete_option( self::DUAL_MANUAL_OPTION );
 		delete_option( Media_Manager::UPLOADS_OPTION );
 		delete_option( Block_Inventory::STORAGE_MODES_OPTION );
+		delete_option( Instructions::OPTION_KEY );
+		delete_option( Instructions::UPDATED_AT_OPTION );
 		delete_transient( Block_Inventory::CACHE_KEY );
 
 		// Per-post rate-limit transients accumulate per write activity. Sweep
@@ -306,7 +322,9 @@ public function handle_reset() {
 		$wpdb->query(
 			"DELETE FROM {$wpdb->options}
 				WHERE option_name LIKE '_transient_gk_block_api_rate_%'
-				   OR option_name LIKE '_transient_timeout_gk_block_api_rate_%'"
+				   OR option_name LIKE '_transient_timeout_gk_block_api_rate_%'
+				   OR option_name LIKE '_transient_gk_block_api_instr_rl_%'
+				   OR option_name LIKE '_transient_timeout_gk_block_api_instr_rl_%'"
 		);
 
 		nocache_headers();
@@ -343,6 +361,8 @@ public function render_page() {
 		$scan_results     = (array) get_option( Block_Inventory::STORAGE_MODES_OPTION, array() );
 		$uploads_enabled  = \GravityKit\BlockAPI\Media_Manager::uploads_enabled();
 		$uploads_option   = \GravityKit\BlockAPI\Media_Manager::UPLOADS_OPTION;
+		$instructions_val = Instructions::get_addendum();
+		$instructions_max = Instructions::MAX_LENGTH;
 
 		$registered_post_types = get_post_types( array( 'public' => true ), 'objects' );
 
@@ -422,6 +442,84 @@ public function render_page() {
 			<form method="post" action="options.php">
 				<?php settings_fields( self::OPTION_GROUP ); ?>
 
+				<h2><?php esc_html_e( 'MCP server instructions', 'gk-block-api' ); ?></h2>
+				<p class="description">
+					<?php
+					echo wp_kses(
+						sprintf(
+							/* translators: 1: link to MCP spec, 2: max length */
+							__( 'Custom rules that every connected MCP client receives at handshake via <a href="%1$s" target="_blank" rel="noopener noreferrer">serverInfo.instructions</a>. Use it to encode site-specific conventions — callout className mapping, code-block theme, doc structure rules — so LLM agents don\'t have to re-discover them. Plain text up to %2$d characters; appended to the server\'s baseline.', 'gk-block-api' ),
+							'https://modelcontextprotocol.io/specification',
+							(int) $instructions_max
+						),
+						array(
+							'a' => array(
+								'href'   => array(),
+								'target' => array(),
+								'rel'    => array(),
+							),
+						)
+					);
+					?>
+				</p>
+				<p class="description" style="color:#b32d2e;">
+					<strong><?php esc_html_e( 'Public data:', 'gk-block-api' ); ?></strong>
+					<?php esc_html_e( 'This value is served unauthenticated to every connected MCP client. Do NOT paste secrets, API keys, or internal URLs.', 'gk-block-api' ); ?>
+				</p>
+				<?php
+				/*
+				 * No HTML `maxlength` attribute. The browser counts UTF-16
+				 * code units while the server counts UTF-8 code points
+				 * (mb_strlen / Instructions::MAX_LENGTH), so a maxlength
+				 * value of 2000 would block ~1000 emoji at the client
+				 * even though the server would accept them. The inline
+				 * JS below enforces a true code-point limit that matches
+				 * the server's counter.
+				 */
+				?>
+				<textarea
+					id="gk-block-api-instructions"
+					name="<?php echo esc_attr( Instructions::OPTION_KEY ); ?>"
+					rows="8"
+					data-max-codepoints="<?php echo esc_attr( (string) $instructions_max ); ?>"
+					class="large-text code"
+					placeholder="<?php esc_attr_e( "Callouts: use core/group with is-style-callout-info|warning|danger|success|note.\nCode blocks: use kevinbatdorf/code-block-pro with theme=gravitykit-dark, language=auto.\nFirst H2 of every doc should be 'Overview'.", 'gk-block-api' ); ?>"
+				><?php echo esc_textarea( $instructions_val ); ?></textarea>
+				<p class="description">
+					<span id="gk-block-api-instructions-count"><?php echo esc_html( (string) mb_strlen( $instructions_val, 'UTF-8' ) ); ?></span>
+					<?php
+					echo esc_html(
+						sprintf(
+							/* translators: %d: max length */
+							__( '/ %d characters used. Roughly 500 tokens at max length — keep it short and use concise bulleted rules rather than prose.', 'gk-block-api' ),
+							(int) $instructions_max
+						)
+					);
+					?>
+				</p>
+				<script>
+				(function () {
+					var ta    = document.getElementById('gk-block-api-instructions');
+					var count = document.getElementById('gk-block-api-instructions-count');
+					if (!ta || !count) return;
+					var max = parseInt(ta.getAttribute('data-max-codepoints'), 10) || 0;
+
+					// Count Unicode code points, not UTF-16 code units, so
+					// astral characters (emoji, rare CJK, math symbols)
+					// match the server's mb_strlen(...) tally.
+					function codePoints(s) { return Array.from(s); }
+
+					ta.addEventListener('input', function () {
+						var cps = codePoints(ta.value);
+						if (max > 0 && cps.length > max) {
+							ta.value = cps.slice(0, max).join('');
+							cps = codePoints(ta.value);
+						}
+						count.textContent = String(cps.length);
+					});
+				})();
+				</script>
+
 				<h2><?php esc_html_e( 'Namespace tier scores', 'gk-block-api' ); ?></h2>
 				<p class="description"><?php esc_html_e( 'Score 0–100 per namespace. >= 80 = preferred, >= 50 = acceptable, >= 10 = avoid (warning), < 10 = legacy (hard reject on insert).', 'gk-block-api' ); ?></p>
 				<table class="widefat striped gk-block-api-growable" data-row-prefix="gk_block_api_preferences[namespace_rows]" style="max-width: 700px;">
diff --git a/wordpress-plugin/gk-block-api/readme.txt b/wordpress-plugin/gk-block-api/readme.txt
index 9ef96bc..0658e9d 100644
--- a/wordpress-plugin/gk-block-api/readme.txt
+++ b/wordpress-plugin/gk-block-api/readme.txt
@@ -4,7 +4,7 @@ Tags: blocks, rest-api, gutenberg, mcp, ai
 Requires at least: 6.0
 Tested up to: 6.9
 Requires PHP: 7.4
-Stable tag: 1.6.1
+Stable tag: 1.7.0
 License: GPL-2.0-or-later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -96,6 +96,9 @@ Visit Settings → Block MCP. Set the score for a namespace to less than 10 to m
 
 == Upgrade Notice ==
 
+= 1.7.0 =
+New per-site MCP server instructions addendum. Paste site-specific conventions (callout className mapping, code-block theme, doc structure rules) under Settings → Block MCP and every connected MCP client receives them at handshake — no more rediscovery per session. Plain-text, 2,000-char cap, public-by-design endpoint with per-IP rate limiting.
+
 = 1.6.1 =
 Fixes a 30-second timeout on `/patterns` for sites with many synced patterns: the per-pattern LIKE scan that ran twice per pattern is now a single chunked aggregate scan cached for an hour. `?refresh=true` on `/patterns` now requires `manage_options`, and orphaned refs from copy-pasted content no longer pollute the cache.
 
@@ -125,6 +128,30 @@ Docs lifecycle tools (`create_post`, `update_post`, `list_terms`, `upload_media`
 
 == Changelog ==
 
+= 1.7.0 on May 20, 2026 =
+
+New per-site MCP server instructions addendum. Admins paste rules in **Settings → Block MCP**; the TypeScript MCP server fetches them on startup and appends to its hard-coded baseline before constructing `serverInfo.instructions`, so every connected client receives the same site-specific conventions at handshake — eliminating the per-session rediscovery LLM agents currently do for things like callout className conventions or code-block theme choices.
+
+#### ✨ New
+
+* New admin field at **Settings → Block MCP** → *MCP server instructions*. Plain-text textarea, 2,000-character cap, live character counter, in-page warning that the value is served unauthenticated.
+* New REST endpoint `GET /gk-block-api/v1/instructions`. Returns `{ addendum, length, max_length, updated_at }` with `Cache-Control: public, max-age=60`. Unauthenticated by design — the value reaches MCP clients before any tool-call auth, same posture as MCP `initialize` itself.
+* New `Instructions` service class (`includes/class-instructions.php`) owning option storage, sanitize, length cap, and the rate-limit bucket.
+
+#### 🔒 Security
+
+* Save path sanitization: `wp_strip_all_tags` (HTML/PHP), `strip_shortcodes` (no `do_shortcode` is ever called on this value), C0/C1 control characters stripped except `\t \n \r`, length cap enforced after sanitize so the 2,000-character budget is the post-sanitize size that reaches clients.
+* Read path sanitization (defense in depth) — the same `Instructions::sanitize` runs on every `get_addendum()` so direct `update_option` writes from sibling plugins or database restores can't bypass it.
+* Public read endpoint rate-limited at 30 req/min per remote IP (sliding 60s window, IP hashed before use as a transient key for PII minimization).
+* Admin field is `manage_options`-gated; settings save retains the Settings API's built-in nonce.
+
+#### 💻 Developer Updates
+
+* `Instructions::OPTION_KEY`, `Instructions::UPDATED_AT_OPTION`, `Instructions::MAX_LENGTH`, `Instructions::RATE_LIMIT_PER_MIN` exposed as public constants for downstream callers.
+* `Instructions::sanitize( $value )` callable from anywhere as the canonical sanitizer for this option.
+* New uninstall sweep: `gk_block_api_instructions`, `gk_block_api_instructions_updated_at`, and per-IP `_transient_gk_block_api_instr_rl_*` transients are removed alongside existing plugin data.
+* Reset-to-defaults handler clears the new options + per-IP rate-limit transients so admins can wipe instructions without a full uninstall.
+
 = 1.6.1 on May 20, 2026 =
 
 `/patterns` no longer times out on sites with many synced patterns. The per-pattern reference-count query that previously ran 2N LIKE scans against `wp_posts` is now a single chunked aggregate scan cached for an hour. Includes a permission gate on cache refresh, an orphan-ref filter, and a memory-bounded chunked loop.
diff --git a/wordpress-plugin/gk-block-api/tests/Instructions/InstructionsTest.php b/wordpress-plugin/gk-block-api/tests/Instructions/InstructionsTest.php
new file mode 100644
index 0000000..105ef4f
--- /dev/null
+++ b/wordpress-plugin/gk-block-api/tests/Instructions/InstructionsTest.php
@@ -0,0 +1,301 @@
+<?php
+/**
+ * Tests for the Instructions service class.
+ *
+ * Covers: option storage round-trip, sanitization (HTML, shortcode,
+ * control-char stripping), length cap (server-side enforcement on
+ * set_addendum + post-sanitize truncation in sanitize), timestamp
+ * tracking, and per-IP rate limiting.
+ *
+ * @package GravityKit\BlockAPI\Tests
+ */
+
+declare( strict_types=1 );
+
+use GravityKit\BlockAPI\Instructions;
+
+class InstructionsTest extends WP_UnitTestCase {
+
+	public function set_up(): void {
+		parent::set_up();
+		delete_option( Instructions::OPTION_KEY );
+		delete_option( Instructions::UPDATED_AT_OPTION );
+	}
+
+	// ── get_addendum / set_addendum round-trip ──
+
+	public function test_get_addendum_returns_empty_when_unset(): void {
+		$this->assertSame( '', Instructions::get_addendum() );
+	}
+
+	public function test_set_then_get_roundtrips_plain_text(): void {
+		$result = Instructions::set_addendum( 'Use is-style-callout-info for tips.' );
+		$this->assertTrue( $result );
+		$this->assertSame( 'Use is-style-callout-info for tips.', Instructions::get_addendum() );
+	}
+
+	public function test_set_then_get_preserves_markdown_bullets(): void {
+		$value = "- First rule\n- Second rule\n  - Indented sub-rule\n- Third rule";
+		Instructions::set_addendum( $value );
+		$this->assertSame( $value, Instructions::get_addendum() );
+	}
+
+	public function test_set_then_get_preserves_blank_lines_between_paragraphs(): void {
+		$value = "Rule A.\n\nRule B.";
+		Instructions::set_addendum( $value );
+		$this->assertSame( $value, Instructions::get_addendum() );
+	}
+
+	// ── Sanitization: HTML / shortcodes / PHP ──
+
+	public function test_sanitize_strips_script_tags(): void {
+		$dirty = "Use callouts.<script>alert('xss')</script>";
+		$this->assertSame( 'Use callouts.', Instructions::sanitize( $dirty ) );
+	}
+
+	public function test_sanitize_strips_anchor_tags_but_keeps_text(): void {
+		$dirty = 'Click <a href="https://evil.example">here</a> for rules.';
+		$this->assertSame( 'Click here for rules.', Instructions::sanitize( $dirty ) );
+	}
+
+	public function test_sanitize_strips_img_tags(): void {
+		$dirty = 'Bullet <img src=x onerror=alert(1)> rule';
+		// wp_strip_all_tags removes the tag and its attributes; the
+		// surrounding text survives intact.
+		$result = Instructions::sanitize( $dirty );
+		$this->assertStringNotContainsString( '<img', $result );
+		$this->assertStringNotContainsString( 'onerror', $result );
+		$this->assertStringContainsString( 'Bullet', $result );
+		$this->assertStringContainsString( 'rule', $result );
+	}
+
+	public function test_sanitize_strips_php_tags(): void {
+		$dirty = "Rule one. <?php system('id'); ?> Rule two.";
+		$result = Instructions::sanitize( $dirty );
+		$this->assertStringNotContainsString( '<?php', $result );
+		$this->assertStringNotContainsString( 'system', $result );
+	}
+
+	/**
+	 * `strip_shortcodes` only strips REGISTERED shortcodes — `[gallery]`
+	 * is registered by core and survives no further processing. Untrusted
+	 * shortcode-shaped strings like `[evil_user_input]` would only stop
+	 * being a real risk if the plugin ever called `do_shortcode()` on
+	 * this value (it doesn't), so the test contract is "registered
+	 * shortcodes are stripped" — not "anything inside `[...]` is."
+	 */
+	public function test_sanitize_strips_registered_shortcodes(): void {
+		$dirty = 'Use [gallery] in docs.';
+		$result = Instructions::sanitize( $dirty );
+		$this->assertStringNotContainsString( '[gallery]', $result );
+		$this->assertStringContainsString( 'Use', $result );
+		$this->assertStringContainsString( 'in docs.', $result );
+	}
+
+	/**
+	 * Every C0 control byte except `\t \n \r` is stripped. The printable
+	 * ASCII surrounding the controls passes through unchanged — so an
+	 * ANSI escape like `\x1B[31m` strips the ESC byte but leaves the
+	 * `[31m` text because those are regular printable chars. The cap on
+	 * "what's an attack" is "control bytes that could derail a terminal
+	 * or LLM tokenizer," not "any text that looks like an escape code."
+	 */
+	public function test_sanitize_strips_c0_control_bytes_but_keeps_printable_neighbours(): void {
+		// Null, bell, backspace — controls. The ASCII around them stays.
+		$dirty = "Rule\x00 \x07with \x08control chars.";
+		$result = Instructions::sanitize( $dirty );
+		$this->assertSame( 'Rule with control chars.', $result );
+	}
+
+	public function test_sanitize_strips_del_char(): void {
+		$dirty = "Rule\x7F.";
+		$this->assertSame( 'Rule.', Instructions::sanitize( $dirty ) );
+	}
+
+	public function test_sanitize_preserves_tab(): void {
+		// Tabs are kept — indentation under markdown bullets needs them.
+		$value = "- Top\n\t- Nested";
+		$this->assertSame( $value, Instructions::sanitize( $value ) );
+	}
+
+	public function test_sanitize_normalizes_crlf_to_lf(): void {
+		$dirty = "Line one.\r\nLine two.\rLine three.";
+		$this->assertSame( "Line one.\nLine two.\nLine three.", Instructions::sanitize( $dirty ) );
+	}
+
+	public function test_sanitize_trims_outer_whitespace(): void {
+		$dirty = "\n\n  Real content here.  \n\n";
+		$this->assertSame( 'Real content here.', Instructions::sanitize( $dirty ) );
+	}
+
+	public function test_sanitize_returns_empty_for_array(): void {
+		$this->assertSame( '', Instructions::sanitize( array( 'rule' ) ) );
+	}
+
+	public function test_sanitize_returns_empty_for_object(): void {
+		$this->assertSame( '', Instructions::sanitize( new \stdClass() ) );
+	}
+
+	public function test_sanitize_returns_empty_for_empty_string(): void {
+		$this->assertSame( '', Instructions::sanitize( '' ) );
+	}
+
+	public function test_sanitize_casts_integers_to_string(): void {
+		$this->assertSame( '42', Instructions::sanitize( 42 ) );
+	}
+
+	// ── Length cap ──
+
+	public function test_sanitize_truncates_to_max_length(): void {
+		$long = str_repeat( 'A', Instructions::MAX_LENGTH + 500 );
+		$result = Instructions::sanitize( $long );
+		$this->assertSame( Instructions::MAX_LENGTH, strlen( $result ) );
+	}
+
+	/**
+	 * Over-long input is silently truncated to MAX_LENGTH at sanitize time,
+	 * so set_addendum() succeeds rather than returning WP_Error. The
+	 * post-condition is "no value > MAX_LENGTH ever lands in the option."
+	 * The explicit WP_Error branch in set_addendum() exists as a guard
+	 * against a future sanitize refactor that stops truncating — it cannot
+	 * be hit through the public API today.
+	 */
+	public function test_set_truncates_over_long_input_at_max_length(): void {
+		$value = str_repeat( 'B', Instructions::MAX_LENGTH + 1 );
+		$result = Instructions::set_addendum( $value );
+		$this->assertTrue( $result );
+		$this->assertSame( Instructions::MAX_LENGTH, strlen( Instructions::get_addendum() ) );
+	}
+
+	public function test_set_accepts_exactly_max_length(): void {
+		$value = str_repeat( 'C', Instructions::MAX_LENGTH );
+		$this->assertTrue( Instructions::set_addendum( $value ) );
+		$this->assertSame( Instructions::MAX_LENGTH, mb_strlen( Instructions::get_addendum(), 'UTF-8' ) );
+	}
+
+	/**
+	 * MAX_LENGTH counts UTF-8 characters, not bytes. An over-long input
+	 * of 4-byte characters (emoji) must be truncated at MAX_LENGTH chars
+	 * — never at MAX_LENGTH bytes (which would cut mid-codepoint and
+	 * produce invalid UTF-8).
+	 */
+	public function test_sanitize_truncates_multibyte_at_character_boundary(): void {
+		// 😀 (U+1F600) is 4 bytes in UTF-8. MAX_LENGTH + 100 of them is
+		// roughly 8.4 KB which previously would have been byte-truncated
+		// mid-codepoint.
+		$value = str_repeat( "\u{1F600}", Instructions::MAX_LENGTH + 100 );
+		$result = Instructions::sanitize( $value );
+
+		$this->assertSame( Instructions::MAX_LENGTH, mb_strlen( $result, 'UTF-8' ) );
+		// Validate UTF-8: a truncation that landed mid-codepoint would
+		// produce a byte sequence that fails round-trip through UTF-8.
+		$this->assertTrue( mb_check_encoding( $result, 'UTF-8' ) );
+	}
+
+	public function test_sanitize_preserves_emoji_below_cap(): void {
+		$value = "Rule: 😀 use is-style-callout-info.\nRule: 🔒 escape user input.";
+		$this->assertSame( $value, Instructions::sanitize( $value ) );
+	}
+
+	// ── Timestamp tracking ──
+
+	public function test_get_updated_at_returns_zero_when_never_saved(): void {
+		$this->assertSame( 0, Instructions::get_updated_at() );
+	}
+
+	public function test_updated_at_advances_on_save(): void {
+		$before = time();
+		Instructions::set_addendum( 'Hello' );
+		$after = Instructions::get_updated_at();
+		$this->assertGreaterThanOrEqual( $before, $after );
+		$this->assertLessThanOrEqual( time() + 1, $after );
+	}
+
+	public function test_updated_at_advances_even_for_empty_save(): void {
+		Instructions::set_addendum( 'first' );
+		$first = Instructions::get_updated_at();
+		// Sleep one tick to ensure the timestamp would change if it does.
+		sleep( 1 );
+		Instructions::set_addendum( '' );
+		$this->assertGreaterThanOrEqual( $first, Instructions::get_updated_at() );
+	}
+
+	// ── sanitize_callback (Settings API entry point) ──
+
+	public function test_sanitize_callback_returns_sanitized_string(): void {
+		$result = Instructions::sanitize_callback( 'Plain <b>text</b>.' );
+		$this->assertSame( 'Plain text.', $result );
+	}
+
+	public function test_sanitize_callback_touches_updated_at(): void {
+		$before = Instructions::get_updated_at();
+		// Sleep so the timestamp would strictly increase.
+		if ( $before > 0 ) {
+			sleep( 1 );
+		}
+		Instructions::sanitize_callback( 'something' );
+		$this->assertGreaterThan( $before, Instructions::get_updated_at() );
+	}
+
+	// ── Read-path sanitize (defense in depth) ──
+
+	public function test_get_addendum_re_sanitizes_dirty_option(): void {
+		// Simulate a direct update_option from a sibling plugin that
+		// bypassed Instructions::sanitize. The read path must still
+		// produce a clean value. wp_strip_all_tags drops the entire
+		// <script> tag including its contents; the C0 \x00 byte is
+		// stripped separately — final string is just the leading text.
+		update_option( Instructions::OPTION_KEY, "Dirty\x00<script>x</script>", false );
+		$this->assertSame( 'Dirty', Instructions::get_addendum() );
+	}
+
+	// ── Rate limiter ──
+
+	public function test_rate_limit_allows_first_request(): void {
+		$ip = '203.0.113.42';
+		$this->assertTrue( Instructions::check_rate_limit( $ip ) );
+	}
+
+	public function test_rate_limit_blocks_after_budget_exhausted(): void {
+		$ip = '203.0.113.43';
+		for ( $i = 0; $i < Instructions::RATE_LIMIT_PER_MIN; $i++ ) {
+			$this->assertTrue(
+				Instructions::check_rate_limit( $ip ),
+				"Request {$i} should be allowed"
+			);
+		}
+		// The next call exceeds the budget.
+		$this->assertFalse( Instructions::check_rate_limit( $ip ) );
+	}
+
+	public function test_rate_limit_is_per_ip(): void {
+		$ip_a = '203.0.113.44';
+		$ip_b = '203.0.113.45';
+		// Exhaust A's budget.
+		for ( $i = 0; $i < Instructions::RATE_LIMIT_PER_MIN; $i++ ) {
+			Instructions::check_rate_limit( $ip_a );
+		}
+		$this->assertFalse( Instructions::check_rate_limit( $ip_a ) );
+		// B is independent.
+		$this->assertTrue( Instructions::check_rate_limit( $ip_b ) );
+	}
+
+	public function test_rate_limit_handles_ipv6(): void {
+		$ip = '2001:db8::1';
+		$this->assertTrue( Instructions::check_rate_limit( $ip ) );
+	}
+
+	public function test_rate_limit_does_not_store_raw_ip(): void {
+		$ip = 'PIIIP-marker-203.0.113.46';
+		Instructions::check_rate_limit( $ip );
+		// The transient key uses a hash; the raw IP must not appear in
+		// any option_name in the table.
+		global $wpdb;
+		$rows = $wpdb->get_col(
+			"SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE '_transient_gk_block_api_instr_rl_%'"
+		);
+		foreach ( $rows as $name ) {
+			$this->assertStringNotContainsString( 'PIIIP-marker', $name );
+		}
+	}
+}
diff --git a/wordpress-plugin/gk-block-api/tests/REST/InstructionsRouteTest.php b/wordpress-plugin/gk-block-api/tests/REST/InstructionsRouteTest.php
new file mode 100644
index 0000000..7ab62fb
--- /dev/null
+++ b/wordpress-plugin/gk-block-api/tests/REST/InstructionsRouteTest.php
@@ -0,0 +1,190 @@
+<?php
+/**
+ * Integration tests for `GET /gk-block-api/v1/instructions`.
+ *
+ * Pins the public-by-design read endpoint that serves the per-site MCP
+ * serverInfo addendum (BLOCK-19). Covers: response shape, cache headers,
+ * unauthenticated access, rate-limit enforcement, defense-in-depth
+ * re-sanitization, and the timestamp contract.
+ *
+ * @package GravityKit\BlockAPI\Tests
+ */
+
+declare( strict_types=1 );
+
+use GravityKit\BlockAPI\Instructions;
+
+class InstructionsRouteTest extends RestControllerTestCase {
+
+	public function set_up(): void {
+		parent::set_up();
+		delete_option( Instructions::OPTION_KEY );
+		delete_option( Instructions::UPDATED_AT_OPTION );
+		$_SERVER['REMOTE_ADDR'] = '203.0.113.10';
+	}
+
+	public function tear_down(): void {
+		unset( $_SERVER['REMOTE_ADDR'] );
+		parent::tear_down();
+	}
+
+	private function make_request(): \WP_REST_Request {
+		return new \WP_REST_Request( 'GET', '/gk-block-api/v1/instructions' );
+	}
+
+	// ── Response shape ────────────────────────────────────────────────
+
+	/**
+	 * Empty addendum returns shape `{ addendum:"", length:0, max_length, updated_at:0 }`.
+	 * Empty addendum is NOT 404 — clients should not have to special-case
+	 * the missing-vs-empty distinction. updated_at=0 communicates "never
+	 * set" via the data itself.
+	 */
+	public function test_empty_state_returns_full_shape(): void {
+		$response = $this->controller->get_instructions( $this->make_request() );
+
+		$this->assertInstanceOf( \WP_REST_Response::class, $response );
+		$this->assertSame( 200, $response->get_status() );
+
+		$data = $response->get_data();
+		$this->assertIsArray( $data );
+		$this->assertSame( '', $data['addendum'] );
+		$this->assertSame( 0, $data['length'] );
+		$this->assertSame( Instructions::MAX_LENGTH, $data['max_length'] );
+		$this->assertSame( 0, $data['updated_at'] );
+	}
+
+	/**
+	 * Saved addendum is round-tripped verbatim through the endpoint and
+	 * length reflects the post-sanitize byte length.
+	 */
+	public function test_stored_addendum_is_returned(): void {
+		Instructions::set_addendum( "Use is-style-callout-info for tips.\nFirst H2 is Overview." );
+
+		$response = $this->controller->get_instructions( $this->make_request() );
+		$data     = $response->get_data();
+
+		$this->assertSame(
+			"Use is-style-callout-info for tips.\nFirst H2 is Overview.",
+			$data['addendum']
+		);
+		$this->assertSame( strlen( $data['addendum'] ), $data['length'] );
+		$this->assertGreaterThan( 0, $data['updated_at'] );
+	}
+
+	// ── Auth posture ──────────────────────────────────────────────────
+
+	/**
+	 * Endpoint is public by design — anonymous users (no `wp_set_current_user`)
+	 * receive a 200 with the addendum. The MCP server fetches this BEFORE
+	 * any auth-gated tool call; gating it would break the handshake.
+	 */
+	public function test_unauthenticated_request_succeeds(): void {
+		// Default test environment has no logged-in user.
+		wp_set_current_user( 0 );
+		Instructions::set_addendum( 'public payload' );
+
+		$response = $this->controller->get_instructions( $this->make_request() );
+
+		$this->assertInstanceOf( \WP_REST_Response::class, $response );
+		$this->assertSame( 200, $response->get_status() );
+		$this->assertSame( 'public payload', $response->get_data()['addendum'] );
+	}
+
+	// ── Cache header ──────────────────────────────────────────────────
+
+	/**
+	 * `Cache-Control: public, max-age=60` is set on every response. Short
+	 * TTL keeps admin edits fast to land while still letting reverse
+	 * proxies / surrogates cache.
+	 */
+	public function test_sets_short_public_cache_control(): void {
+		$response = $this->controller->get_instructions( $this->make_request() );
+
+		$headers = $response->get_headers();
+		$this->assertArrayHasKey( 'Cache-Control', $headers );
+		$this->assertSame( 'public, max-age=60', $headers['Cache-Control'] );
+	}
+
+	// ── Defense in depth: read-time re-sanitize ───────────────────────
+
+	/**
+	 * Direct `update_option` writes that bypass `Instructions::sanitize`
+	 * (sibling plugin, database restore from older schema) must NOT reach
+	 * the wire. The read path re-sanitizes as belt-and-braces.
+	 */
+	public function test_dirty_option_is_resanitized_on_read(): void {
+		update_option( Instructions::OPTION_KEY, "Hello\x00<script>nope</script>", false );
+
+		$response = $this->controller->get_instructions( $this->make_request() );
+		$data     = $response->get_data();
+
+		// wp_strip_all_tags removes <script> tags AND their content (not
+		// just the opening/closing markers); the \x00 control byte is then
+		// stripped by the C0 pass. Final payload is the leading text only.
+		$this->assertSame( 'Hello', $data['addendum'] );
+	}
+
+	// ── Rate limiting ─────────────────────────────────────────────────
+
+	/**
+	 * After RATE_LIMIT_PER_MIN requests within the sliding window, the
+	 * next request from the same IP returns a 429-equivalent WP_Error.
+	 * Independent IPs are unaffected.
+	 */
+	public function test_returns_429_when_per_ip_budget_exhausted(): void {
+		$_SERVER['REMOTE_ADDR'] = '198.51.100.7';
+
+		// Exhaust the budget.
+		for ( $i = 0; $i < Instructions::RATE_LIMIT_PER_MIN; $i++ ) {
+			$ok = $this->controller->get_instructions( $this->make_request() );
+			$this->assertInstanceOf( \WP_REST_Response::class, $ok, "Request {$i} should be allowed" );
+		}
+
+		// Next call exceeds.
+		$result = $this->controller->get_instructions( $this->make_request() );
+		$this->assertInstanceOf( \WP_Error::class, $result );
+		$this->assertSame( 'rate_limit_exceeded', $result->get_error_code() );
+		$data = $result->get_error_data();
+		$this->assertIsArray( $data );
+		$this->assertSame( 429, $data['status'] );
+	}
+
+	/**
+	 * Rate limit is scoped per-IP. Exhausting one IP's budget does not
+	 * lock out another. Defends against a noisy neighbour scenario.
+	 */
+	public function test_rate_limit_does_not_leak_across_ips(): void {
+		$_SERVER['REMOTE_ADDR'] = '198.51.100.8';
+		for ( $i = 0; $i < Instructions::RATE_LIMIT_PER_MIN; $i++ ) {
+			$this->controller->get_instructions( $this->make_request() );
+		}
+		// Exhausted.
+		$blocked = $this->controller->get_instructions( $this->make_request() );
+		$this->assertInstanceOf( \WP_Error::class, $blocked );
+
+		// Different IP — fresh budget.
+		$_SERVER['REMOTE_ADDR'] = '198.51.100.9';
+		$ok = $this->controller->get_instructions( $this->make_request() );
+		$this->assertInstanceOf( \WP_REST_Response::class, $ok );
+	}
+
+	// ── Timestamp contract ────────────────────────────────────────────
+
+	/**
+	 * `updated_at` strictly increases (or stays equal) across saves and
+	 * advances even when the addendum is cleared. Lets clients detect
+	 * "explicitly cleared" vs "never set".
+	 */
+	public function test_updated_at_advances_on_clear(): void {
+		Instructions::set_addendum( 'first value' );
+		$first = $this->controller->get_instructions( $this->make_request() )->get_data()['updated_at'];
+		$this->assertGreaterThan( 0, $first );
+
+		sleep( 1 );
+		Instructions::set_addendum( '' );
+
+		$second = $this->controller->get_instructions( $this->make_request() )->get_data()['updated_at'];
+		$this->assertGreaterThanOrEqual( $first, $second );
+	}
+}
diff --git a/wordpress-plugin/gk-block-api/uninstall.php b/wordpress-plugin/gk-block-api/uninstall.php
index 94d458e..ec0e0ba 100644
--- a/wordpress-plugin/gk-block-api/uninstall.php
+++ b/wordpress-plugin/gk-block-api/uninstall.php
@@ -27,6 +27,8 @@ function gk_block_api_uninstall_blog() {
 	delete_option( 'gk_block_api_storage_modes' );
 	delete_option( 'gk_block_api_storage_modes_last_run' );
 	delete_option( 'gk_block_api_db_version' );
+	delete_option( 'gk_block_api_instructions' );
+	delete_option( 'gk_block_api_instructions_updated_at' );
 
 	// Inventory caches — both the new key and the legacy `gk_block_usage_stats`
 	// from before the Block_Inventory rename.
@@ -38,12 +40,15 @@ function gk_block_api_uninstall_blog() {
 
 	// Per-post rate-limit transients accumulate per write activity. Sweep
 	// the option table directly — there's no core helper for prefixed
-	// transient deletion.
+	// transient deletion. Also sweeps the per-IP `instr_rl_` rate-limit
+	// transients written by the public /instructions endpoint.
 	global $wpdb;
 	$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
 		"DELETE FROM {$wpdb->options}
 			WHERE option_name LIKE '_transient_gk_block_api_rate_%'
-			   OR option_name LIKE '_transient_timeout_gk_block_api_rate_%'"
+			   OR option_name LIKE '_transient_timeout_gk_block_api_rate_%'
+			   OR option_name LIKE '_transient_gk_block_api_instr_rl_%'
+			   OR option_name LIKE '_transient_timeout_gk_block_api_instr_rl_%'"
 	);
 }