=== AI Valve ===
Contributors: PerS
Tags: ai, governance, tokens, cost-control, connector
Requires at least: 7.0
Tested up to: 7.0
Requires PHP: 8.3
Stable tag: 1.1.6
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Control, meter, and permission-gate AI usage from plugins that connect through the WordPress 7 AI connector.

== Description ==

AI Valve gives site administrators visibility and control over how plugins use the built-in WordPress AI connector.

= Features =

* **Per-plugin access control** — Allow or deny individual plugins from making AI requests.
* **Token budgets** — Set daily and monthly token limits per plugin and globally.
* **Context restrictions** — Control which execution contexts (admin, frontend, cron, REST, AJAX, CLI) may trigger AI calls.
* **Usage dashboard** — See token consumption at a glance with summary cards, progress bars, and per-plugin breakdowns.
* **Request logging** — Every AI request is logged with provider, model, capability, tokens, and caller attribution.
* **Budget alerts** — Admin notices and optional email when usage approaches or exceeds limits.

= Requirements =

* WordPress 7.0 or later
* PHP 8.3 or later
* A configured AI provider in Settings → Connectors

== Installation ==

1. Install AI Valve from the WordPress plugin directory, or upload `soderlind-aivalve.zip` via Plugins → Add New → Upload Plugin.
2. Activate the plugin.
3. Go to Settings → AI Valve to configure.

== Frequently Asked Questions ==

= What are tokens? =

Tokens are the units AI models use to measure input and output. Roughly 1 token ≈ ¾ of a word. Both the text you send (prompt tokens) and the text the AI returns (completion tokens) count toward your usage.

= What does "limit = 0" mean? =

A limit of 0 means unlimited — no cap is enforced. Set a positive number to restrict token usage.

= How does AI Valve identify which plugin made an AI request? =

It walks the PHP call stack (`debug_backtrace()`) and matches file paths against the plugins directory to determine the originating plugin slug.

= Will this work with future WordPress updates? =

Yes. AI Valve relies only on the stable public hooks (`wp_ai_client_prevent_prompt`, `wp_ai_client_before_generate_result`, `wp_ai_client_after_generate_result`) provided by the WordPress AI connector API.

= Are there developer hooks? =

Yes. See the [developer hooks documentation](https://github.com/soderlind/ai-valve/blob/main/docs/hooks.md) for available filters and actions.

= Does AI Valve work on multisite? =

Yes. Each subsite has its own log table, settings, and budgets.

= What happens when a plugin is blocked? =

The plugin receives a `WP_Error` with code `prompt_prevented` instead of an AI response. The denied request is logged with the reason. See [how-blocking-works.md](https://github.com/soderlind/ai-valve/blob/main/docs/how-blocking-works.md) for the full explanation.

= How do I block all plugins and only allow specific ones? =

1. Go to Settings → AI Valve → Settings.
2. Set the Default policy to Deny.
3. Switch to the Dashboard tab.
4. In the Per-plugin access table, set the plugins you want to allow to Allow.

Only explicitly allowed plugins will be able to make AI requests; everything else is denied by default.

==  Screenshots ==

1. Dashboard with usage summary cards and per-plugin breakdown.

== Changelog ==

= 1.1.6 =
* Fixed: WordPress.org review issues by correcting repository URLs and restoring the `ai-valve` text domain.

= 1.1.5 =
* Changed: Plugin-facing slugs, REST namespace, package metadata, docs, and admin UI prefixes from `ai-valve` to `soderlind-aivalve`.
* Fixed: Plugin text domain now uses `soderlind-aivalve` consistently across PHP, JavaScript, and generated assets.

= 1.1.4 =
* Fixed: WordPress.org plugin review prefix compliance by renaming plugin-owned namespaces, constants, hooks, options, cron events, database keys, and admin script globals to the unique `soderlind_aivalve` prefix.
* Fixed: Migration and cleanup paths for existing `aivalve`/`ai_valve` installs while keeping active identifiers uniquely prefixed.
* Changed: Readme tags for improved clarity and relevance.

= 1.1.3 =
* Changed: Updated WordPress.org icons and banner.
* Fixed: Improved compatibility with custom plugin directory layouts and unique plugin-owned identifiers.
* Fixed: Resolved npm dependency security advisories.

= 1.1.2 =
* Changed: Refactored code structure for improved readability and maintainability.

= 1.1.1 =
* Fixed: Dashboard usage date buckets now keep Today, plugin totals, and Recent Requests aligned around database/PHP day boundaries.
* Fixed: WordPress 6.8 SelectControl deprecation warnings in the admin UI.
* Added: WordPress.org icon and banner assets.

= 1.1.0 =
* Removed: GitHub release updater for WordPress.org distribution.
* Removed: plugin-update-checker dependency and bundled updater files.
* Fixed: Added direct-access guards and Plugin Check cleanup for production files.

= 1.0.4 =
* Changed: Update npm dependencies to latest versions.

= 1.0.3 =
* Added: `soderlind_aivalve_plugin_policy` filter to override allow/deny policy programmatically.
* Added: `soderlind_aivalve_request_denied` action, fired when a request is blocked.
* Added: `soderlind_aivalve_request_completed` action, fired after every successful request.

= 1.0.2 =
* Fixed: Resolve multiple security vulnerabilities in transitive dependencies.

= 1.0.1 =
* Added: FAQ entry on deny-by-default allowlist setup.

= 1.0.0 =
* Fixed: AI requests that fail (auth errors, timeouts, bad deployments) now logged with status = 'error'.
* Fixed: Schema migrations run on every load (version-gated) so in-place updates work without deactivate/activate.
* Changed: on_before_generate inserts a pending log row immediately; on_after_generate updates it.
* Changed: Shutdown handler catches orphaned pending rows and marks them as errors.
* Added: LogRepository::update() for updating existing log rows by ID.

= 0.6.0 =
* Added: Request duration tracking (duration_ms column, schema v3).
* Added: Log retention setting — auto-delete logs older than N days via daily cron.
* Added: Purge all logs REST endpoint (DELETE /logs) and Danger Zone UI on Logs tab.
* Added: Time-range preset selector (24h / 7d / 30d / This month) on Logs tab.
* Added: Combined Provider / Model column in log tables with duration display.
* Added: Dropdown filters for Plugin, Provider, and Model on Logs tab (GET /logs/filters).
* Changed: Database schema upgraded to v3.
* Changed: Moved Danger Zone (purge) from Settings to Logs tab.

= 0.5.0 =
* Removed: Reflection-based event dispatcher injection workaround (fixed in WP 7 RC1).
* Changed: Tested up to WP 7.0-RC1.

= 0.4.0 =
* Changed: Admin UI rebuilt as a React single-page application.
* Changed: Settings, dashboard, and logs now render client-side via the REST API.
* Added: REST endpoint `GET /settings` for reading all plugin settings.
* Added: `by_context`, `recent`, and `known_slugs` fields in the `GET /usage` response.
* Added: `date_from` and `date_to` filter parameters on the `GET /logs` endpoint.
* Added: Dedicated CSS file for admin styles (replaces inline styles).

= 0.3.0 =
* Added: Model filter on the Logs tab and CSV export.
* Added: Provider & Model breakdown table on the Dashboard.
* Added: Per-plugin token bar chart on the Dashboard.
* Added: Per-provider token counters.
* Changed: Providers & Contexts tables displayed side by side.
* Changed: Plugin list only shows plugins that used the AI connector.

= 0.2.0 =
* Fixed: Status column widened — denial reasons were silently truncated.
* Fixed: "Denied" log filter now matches all denial variants.
* Fixed: Respect the `wp_supports_ai` filter as a global kill switch.
* Added: Date range filter (From / To) on the Logs tab.
* Added: Context breakdown table on the Dashboard tab.
* Added: Per-plugin budget threshold alerts (admin notices).
* Added: CSV export button on the Logs tab.
* Changed: Logs filter bar uses flex layout for better fit.

= 0.1.0 =
* Initial release.
* Per-plugin access control (allow/deny).
* Global and per-plugin daily/monthly token budgets.
* Context restrictions (admin, frontend, cron, REST, AJAX, CLI).
* Usage dashboard with summary cards and progress bars.
* Request logging with provider, model, capability, and token counts.
* Budget alert notices and optional email notifications.
* REST API endpoints for usage and log data.
* Workaround for WordPress 7.0 event dispatcher bug.

== Upgrade Notice ==

= 0.4.0 =
Admin UI rebuilt with React for faster, client-side rendering.

= 0.3.0 =
Dashboard enhancements: model filter, provider+model breakdown, per-plugin bar chart, side-by-side layout.

= 0.2.0 =
Bug fixes for log status storage and filtering. New: date range filter, context breakdown, per-plugin alerts, CSV export.

= 0.1.0 =
Initial release.
