=== AxioRank Agent Verification ===
Contributors: kamenzy
Tags: AI, bots, agent, verification, security
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 0.2.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Verify the AI agents that reach your WordPress REST API, admin, and dynamic endpoints. Web Bot Auth verification, monitor and enforce modes.

== Description ==

AxioRank Agent Verification checks the AI agents that reach into your site. Instead of guessing from a user-agent string, it verifies Web Bot Auth signatures (RFC 9421) and known-agent identity through AxioRank, then lets you monitor or block on the result.

It is built for the surface that actually reaches PHP: the REST API (/wp-json), admin-ajax, XML-RPC, login, search, and any request with a signature or a bot-like user-agent. Full-page-cached visits are served before PHP loads and are not seen by the plugin, which is expected. This protects your API and dynamic endpoints, not cached pages.

The plugin is a thin client. Each protected request is forwarded as one authenticated POST to the AxioRank verify endpoint, and the verdict is applied locally. There is no heavy SDK and no local model.

= What you get =

* Cryptographic verification of signed agents (Web Bot Auth), plus known-agent identity.
* Monitor mode by default: verdicts are logged in your AxioRank dashboard, nothing is blocked.
* Enforce mode: apply block (403) and challenge (401) verdicts, gated by your surface posture.
* Scope controls: choose which endpoints are verified.
* Fail-open by design: if AxioRank cannot be reached, requests are allowed, so a verification outage never takes your site down.

= Requirements =

An AxioRank account and a website surface site key (axr_site_...). Create one in AxioRank under Settings, Surfaces.

== Installation ==

1. Install and activate the plugin.
2. In AxioRank, register a website surface and copy its site key (axr_site_...).
3. Open Settings, AxioRank, paste the site key, or define it in wp-config.php:
   `define( 'AXIORANK_SITE_KEY', 'axr_site_...' );`
4. Leave the mode on Monitor, save, and use "Test connection" to confirm.
5. Watch the AxioRank dashboard, then switch to Enforce when you are confident.

== Frequently Asked Questions ==

= Will this block real visitors? =

No. Only requests that are signed, hit an enabled sensitive endpoint, or carry a bot-like user-agent are verified, and the plugin only blocks in Enforce mode when AxioRank returns an enforced non-allow verdict. Logged-out human page views are never forwarded.

= What happens if AxioRank is unreachable? =

Verification fails open. The request is allowed and the site keeps serving.

= Does it slow down my site? =

The plugin skips ordinary traffic, so most requests never call out. Verified requests add one short, capped HTTP round trip.

== Screenshots ==

1. The settings screen: the onboarding stepper, connection status, scope controls, and the monitor or enforce switch.
2. Connected, with the local activity panel showing verified, unverified, and spoofed counts.
3. A successful connection test against AxioRank.

== Changelog ==

= 0.2.1 =
* Endpoint scoping now resolves the real admin-ajax, XML-RPC, and login paths from WordPress instead of assuming their default locations, so sites that relocate wp-admin or run WordPress in a subdirectory are matched correctly.

= 0.2.0 =
* Renamed to AxioRank Agent Verification.
* New branded admin experience: onboarding stepper, connection status, scope cards, guarded enforce switch, and a local activity panel.

= 0.1.0 =
* Initial release: monitor and enforce modes, scope controls, Web Bot Auth verification through AxioRank, fail-open transport.
