=== GymGrow Connect ===
Contributors: gymgrowplugin
Tags: rest-api, rankmath, seo, publishing, automation
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.3
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Secure REST endpoints to publish article content, set RankMath SEO fields, and upload images from an external automation pipeline.

== Description ==

GymGrow Connect adds a small set of secure REST API endpoints under the `gymgrow/v1` namespace so an external system (for example, an AI content pipeline) can:

* Create or update a post — title, content, excerpt, slug, categories, tags, schedule date — in a single request.
* Set RankMath SEO fields (SEO title, meta description, focus keyword, canonical URL, robots) on the same request or on an existing post.
* Upload an image from a multipart file or a remote URL, set its alt text, and optionally assign it as the featured image.

It replaces ad-hoc `functions.php` snippets with a versioned, capability-checked plugin.

= Endpoints =

* `POST /wp-json/gymgrow/v1/article` — publish/update an article (also sets SEO and featured image).
* `POST /wp-json/gymgrow/v1/media` — upload an image.
* `POST /wp-json/gymgrow/v1/seo/{id}` — update RankMath SEO fields for a post.

A backward-compatible alias `POST /wp-json/custom/v1/rankmath/{id}` is also registered for pipelines that used the legacy route.

= Authentication =

Requests are authenticated with WordPress's own user authentication — use an Application Password (Basic Auth) for a user who can publish posts. Permissions are enforced per route with capability checks (`publish_posts`, `upload_files`, `edit_post`). You may optionally enable a second-factor shared secret (`X-GymGrow-Key` header) from the settings screen.

This plugin does not call any external services and stores no personal data.

== Installation ==

1. Upload the `gymgrow-connect` folder to `/wp-content/plugins/`, or install the ZIP via Plugins → Add New → Upload Plugin.
2. Activate the plugin through the Plugins screen.
3. (Optional) Visit Settings → GymGrow Connect to generate an API key, choose a default category, and set a default status.
4. Create an Application Password for the publishing user under Users → Profile, and use it as Basic Auth in your pipeline.

== Frequently Asked Questions ==

= Does it require RankMath? =

No. If RankMath is active the SEO fields take effect immediately. If not, the meta is still stored under the RankMath meta keys and becomes live once RankMath is installed.

= How are the endpoints secured? =

Every route has a capability-based `permission_callback`. Publishing requires `publish_posts`, uploads require `upload_files`, and SEO updates require `edit_post` on the target post. You can additionally require a matching `X-GymGrow-Key` header.

= Does it send data anywhere? =

No. The plugin only receives requests; it does not phone home or contact third-party services.

== Changelog ==

= 1.0.3 =
* Security: omitting the `status` parameter now creates or updates a draft instead of publishing. Publishing requires explicitly passing `status=publish`, which remains gated by the `publish_posts` capability.

= 1.0.2 =
* Security: editing an existing post that is already published, private, or scheduled (future) now requires the `publish_posts` capability even when the request does not change the status.

= 1.0.1 =
* Security: the article endpoint now requires the `publish_posts` capability when an update changes a post to a published, private, or scheduled (future) status, not just `edit_post`.

= 1.0.0 =
* Initial release: article publish endpoint, media upload endpoint, RankMath SEO endpoint, optional API key, settings screen.

== Upgrade Notice ==

= 1.0.3 =
Omitting the status parameter now defaults to draft instead of publish, so a post cannot be published without explicitly requesting it.

= 1.0.2 =
Hardens the publish permission check so editing an already-published post requires the publish_posts capability even when the status is unchanged.

= 1.0.1 =
Hardens the publish permission check so editing an existing post cannot be used to publish without the publish_posts capability.

= 1.0.0 =
Initial release.
