=== Aura Frontend Inspector ===
Contributors: fropt
Tags: accessibility, a11y, html, inspector, audit
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 2.5.8
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

The AI-Native accessibility and HTML debugger for WordPress. Detect issues, export ARF 1.0 reports, and get AI-assisted fixes in seconds.

== Description ==

**Aura Frontend Inspector** is a professional-grade debugging tool designed for WordPress developers and agencies who need to ensure their sites are compliant, accessible, and error-free. 

Unlike traditional auditors, Aura is built for the AI era. It features the **ARF 1.0 (Aura Report Format)**, a structured data standard that allows you to copy detected issues directly into AI tools like ChatGPT or Claude to receive instant, context-aware code fixes.

### Built for AI-Assisted Debugging
Every issue detected by Aura includes a **"Copy AI Prompt"** button. This assembles a high-signal prompt containing the exact HTML snippet, site environment, and error metadata in the ARF 1.0 format. Simply paste it into your favorite LLM for a precise solution tailored to your WordPress site.

### Professional Accessibility (A11y) Auditing
Ensure your site meets WCAG 2.1 standards with real-time detection of:
*   **Duplicate IDs**: Finds elements sharing IDs that break screen readers and ARIA landmarks.
*   **Missing Labels**: Identifies form inputs without accessible names.
*   **ARIA Integrity**: Detects broken `aria-labelledby`, `aria-describedby`, and hidden focusable elements.
*   **Semantic Structure**: Validates heading levels (H1-H6), main landmarks, and page titles.
*   **Interactive Elements**: Flags non-interactive elements with click handlers and buttons without types.

### Developer-First Features
*   **Persistent Logging**: Issues are stored in a dedicated database table with rate-limiting and deduplication.
*   **HTML Snapshots**: Capture the full rendered DOM of any page for offline audit or historical reference.
*   **Environment Aware**: Configure Aura to run only in `Development` or `Staging` modes to protect production performance.
*   **Auto-Fix Engine**: Optionally allow Aura to automatically resolve common issues like duplicate IDs on the fly.
*   **Export Options**: Download professional CSV logs or ARF 1.0 JSON reports for your client audits.

### Part of the Aura Plugin Series
Aura Frontend Inspector is part of the **Aura Plugin Series**, a suite of AI-native tools including **Aura Static Security Analyzer** and **Aura Login**. Together, they provide a unified "Security & Compliance" ecosystem for WordPress professionals.

== Installation ==

1. Upload the `aura-frontend-inspector` folder to the `/wp-content/plugins/` directory, or install directly through the WordPress plugins screen.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Navigate to the **Aura FI** menu in your admin sidebar.
4. Enable the debugger and visit any page on your frontend to start detecting issues.

== Frequently Asked Questions ==

= Does this plugin affect my site's speed? =
Aura is highly optimized. The detection engine runs in the client's browser, and the logging system uses a dedicated database table with rate-limiting to ensure zero impact on your server's core performance.

= What is ARF 1.0? =
ARF (Aura Report Format) is a standardized JSON schema created by the Aura team. It is designed to be "AI-Readable," allowing developers to pass complex technical issues to LLMs without manual formatting.

= Can I use this for ADA/WCAG compliance? =
Yes. Aura is an excellent tool for identifying Level A and AA violations. Use the ARF export to generate audit reports for your clients or legal compliance teams.

= Does it work with Page Builders? =
Absolutely. Aura inspects the *rendered* HTML, meaning it works perfectly with Elementor, Divi, Beaver Builder, and the Block Editor (Gutenberg).

== Screenshots ==

1. **Dashboard Overview**: A central view of all detected issues, statistics, and plugin settings.
2. **Issue Log**: Filterable log entries with "Copy AI Prompt" and "View Code" shortcuts.
3. **AI Integration**: Example of how the ARF 1.0 prompt looks when pasted into an AI assistant.
4. **HTML Capture**: The interface for managing and viewing rendered HTML snapshots.
5. **Admin Bar**: The unobtrusive status indicator in the WordPress admin bar.

== Changelog ==

= 2.5.8 =
* FIX: "Scan Now" did nothing when the passive-monitoring toggle/environment heuristic considered debugging inactive — the scan engine module is now always loaded, and an explicit admin-triggered scan always runs regardless of that heuristic.
* FIX: Default landing page changed from Logs to Settings, so the enable toggle is visible immediately instead of being buried in a second tab.
* NEW: A "Scan Now" that finds zero issues now logs a "Scan Complete — No issues found" entry instead of silently doing nothing, so a clean scan is no longer indistinguishable from a broken one.

= 2.5.7 =
* FIX: Scanner no longer reports false positives for elements inside the WP admin bar (#wpadminbar) or Query Monitor panels (#qm, [id^="qm-"]).
* COMPLIANCE: Replaced json_encode() with wp_json_encode() for inline script output.
* COMPLIANCE: ABSPATH guard in RuleRegistry moved before use statements to satisfy Plugin Check.
* COMPLIANCE: $_GET['nonce'] and $_POST['nonce'] in get_logs() now individually unslashed; correct NonceVerification phpcs:ignore codes added.
* COMPLIANCE: $_GET['limit'] in export_logs_json() now unslashed before intval().
* COMPLIANCE: Migration INSERT IGNORE query phpcs:ignore extended to cover DirectQuery and NoCaching sniffs.
* CHANGE: Tested up to WordPress 7.0.
* UI: False Positive column header widened to prevent text wrapping in Logs table.
* UI: "View Code" column renamed to "Line" and now displays the detected source line number.

= 2.5.6 =
* COMPLIANCE: register_setting() updated to array form with explicit type and sanitize_callback.
* COMPLIANCE: exclude_wp_core_elements option now correctly sanitized in sanitizeOptions() — was silently dropped on save.
* COMPLIANCE: HTML capture feature removed from free build; unsanitized full-page HTML cannot be adequately sanitized with WordPress built-ins without breaking the feature.
* SECURITY: json_last_error() validation added after JSON decode in LogHandler and ValidationHandler.

= 2.5.5 =
* COMPLIANCE: wp_die() calls in LogHandler now wrapped with esc_html__() for proper escaping and i18n compatibility.

= 2.5.4 =
* CHANGE: AJAX handler modularised — Handler.php split into AbstractHandler, CaptureHandler, ValidationHandler, and LogHandler.
* UI: Removed non-functional light/dark theme toggle from Captures page; stripped all emoji characters from Captures admin page.
* BUILD: openspec/ directory excluded from distribution zip.

= 2.5.3 =
* FIX: validate_html() fatal HTTP 500 — Aura_FI_HTML_Validator class reference prefixed with \ to resolve from global namespace.

= 2.5.2 =
* SECURITY: Rate-limit directory now uses wp_upload_dir() for compatibility with custom upload paths.
* SECURITY: HTML captures directory protected with deny-from-all .htaccess on creation.
* SECURITY: capture_html() rejects payloads exceeding 5 MB.
* FIX: JSON validation_options boolean flags and max_issues explicitly cast after array_merge().

= 2.5.1 =
* COMPLIANCE: Removed remaining inline <script> blocks from Captures and LogsTable pages; JS now served via properly enqueued files.
* COMPLIANCE: Added sanitize_text_field(wp_unslash()) before wp_verify_nonce() for all three nonce checks in Captures page (delete_file, delete_all, force_update_config).
* COMPLIANCE: Assets class extended to register and enqueue split admin JS files (admin-dashboard, admin-settings, admin-logs-table, admin-captures).

= 2.5.0 =
* UI: Separated Settings & Logs into two distinct pages.
* UI: New tab order — Logs, HTML Captures, Settings, About.
* UI: Dashboard statistics cards and log table now live exclusively in the Logs tab.
* UI: Settings tab contains only plugin configuration options.
* UI: Added (i) info icon to every setting with contextual tooltips; Debug Mode tooltip explains when to choose each environment.
* UI: Debug Mode header now shows the active mode name (Development / Staging / Production) instead of the word "SELECT".
* UI: Debug Mode label updates live when the user changes the select, before saving.
* UI: Maximum Log Entries and Maximum HTML Captures now show the current value in the header; value updates live as you type.
* UI: URLs to Exclude shows an "Edit ›" hint in the header that highlights on hover.
* CHANGE: Detect Duplicate IDs and Detect Missing Labels are now always enabled and no longer appear as user-configurable toggles.
* SECURITY: Added capability check (aura_fi_current_user_can_access) to log_issue, capture_html, and validate_html AJAX handlers; previously these relied solely on nonce verification.

= 2.4.8 =
* SECURITY: Added sanitize_text_field() before wp_verify_nonce() in Captures.php (3 remaining call sites).
* SECURITY: json_decode() on $_POST['issues'] now uses explicit unslash-then-decode pattern with is_array() guard.
* COMPLIANCE: Contributors field in readme.txt corrected to match WordPress.org account username.

= 2.4.7 =
* SECURITY: All nonce verifications now use sanitize_text_field() before wp_verify_nonce() (7 call sites).
* SECURITY: json_decode() result on validation_options now validated as array before use.
* COMPLIANCE: Removed all inline <script> blocks from admin pages; JS extracted to separate enqueued files.
* COMPLIANCE: Chart.js bundled locally (assets/vendor/chartjs/); CDN dependency removed.
* COMPLIANCE: Rate-limit transient keys prefixed with aurafrin_ instead of generic ajax_.
* COMPLIANCE: Debug-active admin notice now scoped to plugin pages only.
* COMPLIANCE: Removed Plugin URI pointing to a 404 page.

= 2.4.0 =
* NEW: Full support for ARF 1.0 (Aura Report Format).
* NEW: "Copy AI Prompt" button for instant AI-assisted fixes.
* IMPROVED: Enhanced heuristics for mapping DOM elements to source line numbers.
* FIX: Performance optimizations for sites with large DOM trees.

= 2.1.0 =
* PSR-4 Migration: Core architecture refactored for better performance and extensibility.
* New modular rule engine: Easily toggle specific detection rules.
* Added support for ARIA attribute validation and interactive element checks.

= 2.0.0 =
* Major Rebrand: Plugin renamed to Aura Frontend Inspector.
* New top-level admin menu and unified UI.
* Added persistence layer: Issues are now stored in a custom DB table.

= 1.0.0 =
* Initial release with basic HTML and duplicate ID detection.

== Upgrade Notice ==

= 2.5.8 =
Important fix: "Scan Now" could silently do nothing under certain environment settings. Now always runs when triggered by an admin, and confirms when a scan finds zero issues.

= 2.5.7 =
Compliance and scanner patch: eliminates WP admin bar / Query Monitor false positives, switches to wp_json_encode(), and addresses all Plugin Check warnings.

= 2.5.6 =
WP.org compliance patch: sanitization fixes and HTML capture feature removed from free build.

= 2.5.5 =
Compliance patch: wp_die() strings wrapped with esc_html__() in AJAX handlers.

= 2.5.1 =
Compliance patch: remaining inline scripts extracted to enqueued files; nonce inputs sanitized before verification in Captures page.

= 2.5.0 =
Admin UI restructured: Logs and Settings are now separate tabs for a cleaner workflow.

= 2.4.8 =
Security patch completing nonce sanitization and JSON decode hardening across all admin handlers.

= 2.4.7 =
Security and WordPress.org compliance release. Fixes nonce sanitization, removes CDN dependencies, and extracts all inline scripts to properly enqueued files.

= 2.4.0 =
Highly recommended: Introduces the AI-Native ARF 1.0 reporting and "Copy AI Prompt" feature for faster debugging.
