=== Kagivault ===
Contributors: benridane, presents111
Tags: ai connectors, connectors, ai, api keys, encryption
Requires at least: 7.0
Tested up to: 7.0
Requires PHP: 8.3
Stable tag: 0.1.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Encrypts WordPress AI Connectors API keys (OpenAI, Anthropic, Google, OpenRouter) at rest with XChaCha20-Poly1305 + Argon2id.

== Description ==

Kagivault is an encrypted vault for the **WordPress 7.0 AI Connectors API**. Out of the box, WordPress stores the API keys you configure on **Settings → Connectors** (OpenAI, Anthropic, Google, OpenRouter, and any other AI provider registered with the AI Client) as plaintext rows in the `wp_options` table. Anyone with database access — backups, leaked dumps, host migration files — can read them.

Kagivault wraps each AI Connectors key with **XChaCha20-Poly1305 (authenticated encryption)** and protects the data-encryption key with a **vault password derived through Argon2id**. The vault password is never persisted, and the vault automatically re-locks after a short, configurable idle timeout. Unlock from the admin UI, and the WordPress AI client transparently sees the decrypted keys — no other plugin changes required.
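The wrap-and-seal scheme the paragraph above describes, written out as an added PHP example (not Kagivault's own code) using only the libsodium calls this readme names. The blob layout (one version byte, then the 24-byte nonce, then ciphertext plus Poly1305 tag), the `kv_*` function names, the `VAULT_FORMAT_VERSION` constant, the Argon2id cost preset and the sample password and API key are this example's assumptions.

```php
<?php
// Added example, not Kagivault's own code: password-derived KEK wraps a random
// DEK; the DEK encrypts each provider key; the recovery key wraps the same DEK
// as a second unlock path. Blob layout and names are assumptions.
declare(strict_types=1);

const VAULT_FORMAT_VERSION = 1; // hypothetical version byte, bound as AEAD associated data
const KV_NONCE = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24
const KV_TAG   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;    // 16

/** Derive a 32-byte key-encryption key (KEK) from the vault password with Argon2id. */
function kv_derive_kek(string $password, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, // assumed preset; tune upward for production
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

/** Seal $plaintext under $key: version || nonce || ciphertext+tag. */
function kv_seal(string $plaintext, string $key): string {
    $ad    = chr(VAULT_FORMAT_VERSION);
    $nonce = random_bytes(KV_NONCE); // fresh per encryption; 192-bit nonce makes random generation safe
    return $ad . $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $ad, $nonce, $key);
}

/** Reverse of kv_seal(); null when the blob is malformed, from an unknown version, or fails its tag. */
function kv_open(string $blob, string $key): ?string {
    if (strlen($blob) < 1 + KV_NONCE + KV_TAG) {
        return null;
    }
    $ad = $blob[0];
    if (ord($ad) !== VAULT_FORMAT_VERSION) {
        return null; // written by a newer cipher version this reader does not know
    }
    $nonce = substr($blob, 1, KV_NONCE);
    $ct    = substr($blob, 1 + KV_NONCE);
    $pt    = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $ad, $nonce, $key);
    return $pt === false ? null : $pt;
}

function kv_expect(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// --- initialisation: one random DEK, wrapped under the password-derived KEK ---
$vaultPassword = 'correct horse battery staple';      // constructed; never persisted
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES); // persisted beside the wrapped DEK
$dek  = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$kek  = kv_derive_kek($vaultPassword, $salt);
$wrappedDek = kv_seal($dek, $kek);
sodium_memzero($kek);

// --- recovery key: a random 32-byte key that wraps the same DEK (parallel unlock path) ---
$recoveryKey        = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);
$wrappedDekRecovery = kv_seal($dek, $recoveryKey);

// --- storing a provider key: only the base64 blob reaches the wp_options row ---
$apiKey    = 'sk-constructed-example-key';            // constructed sample, not a real key
$storedRow = sodium_bin2base64(kv_seal($apiKey, $dek), SODIUM_BASE64_VARIANT_ORIGINAL);
sodium_memzero($dek);

// --- unlock with the password: re-derive KEK, unwrap DEK, decrypt the row ---
$kek = kv_derive_kek($vaultPassword, $salt);
$dek = kv_open($wrappedDek, $kek);
sodium_memzero($kek);
kv_expect($dek !== null, 'password unwrap');
$raw = sodium_base642bin($storedRow, SODIUM_BASE64_VARIANT_ORIGINAL);
kv_expect(kv_open($raw, $dek) === $apiKey, 'decrypt provider key');

// --- unlock with the recovery key yields the identical DEK ---
kv_expect(kv_open($wrappedDekRecovery, $recoveryKey) === $dek, 'recovery unwrap');

// --- a wrong password derives a different KEK and the tag check rejects it ---
$badKek = kv_derive_kek('wrong password', $salt);
kv_expect(kv_open($wrappedDek, $badKek) === null, 'wrong password rejected');

// --- flipping one ciphertext byte in the stored row is detected, not silently decrypted ---
$tampered = $raw;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
kv_expect(kv_open($tampered, $dek) === null, 'tamper detected');
sodium_memzero($dek);
echo "all checks passed\n";
```

Binding the version byte as associated data means a future cipher upgrade can change the layout without an old reader mis-parsing a new blob as its own format: the tag check fails before any plaintext is returned.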

= Highlights =

* Drop-in encryption for every AI Connectors provider (`connectors_ai_*_api_key` rows)
* Vault password unlock with idle-timeout auto-lock
* Recovery key as a parallel unlock path
* Optional: link a WordPress login password so signing in automatically unlocks the vault
* Easy-mode initialization — no separate vault password to remember if you just want one-click setup
* Transparent for the core WP AI client and the Connectors admin page
* Versioned blob format for future cipher upgrades

= Requirements =

* WordPress 7.0 or newer (uses the Connectors API introduced in 7.0)
* PHP 8.3 or newer
* PHP sodium extension with **XChaCha20-Poly1305 AEAD** (`sodium_crypto_aead_xchacha20poly1305_ietf_encrypt`)
* PHP sodium extension with **Argon2id** (`SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13`, requires libsodium 1.0.13+)

The bundled sodium extension shipped with PHP 8.3+ on most platforms (Debian/Ubuntu `php-sodium`, RHEL `php-sodium`, Alpine `php-sodium`, Windows official builds) includes both capabilities. The plugin refuses to activate and surfaces a clear admin notice if either is unavailable.

== Installation ==

1. Upload the `kagivault` directory to `/wp-content/plugins/`.
2. Activate the plugin through the **Plugins** menu in WordPress. If sodium or Argon2id is missing, activation aborts with a specific message listing what is missing.
3. Visit **Settings → Kagivault** and set a vault password. Store the recovery key shown to you; it cannot be retrieved later.

== Frequently Asked Questions ==

= What happens to my AI keys while the vault is locked? =
They cannot be decrypted, so AI calls that rely on those keys will not have a key available for that request. Unlock the vault from **Settings → Kagivault** to restore functionality.

= Where is the vault password stored? =
Nowhere. It is held only in browser memory long enough to unlock the vault. The derived data-encryption key lives in a short-lived transient that expires after the configured idle timeout.

= Does it cover keys defined in wp-config.php? =
Not in this release. Constants and environment variables still take precedence over the encrypted database entries, as defined by core. A later release will add a migration path.

= Can I change the idle-lock timeout? =
Yes. Kagivault auto-locks after one hour of inactivity by default. Override per environment by defining the constant in `wp-config.php`:

`define( 'KAGIVAULT_IDLE_TIMEOUT', 1800 ); // seconds`

The constant always wins over the database setting. Values below 60 seconds are clamped to 60.
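How the precedence and clamping rules above can be applied to the transient that holds the data-encryption key, as an added PHP example (not Kagivault's own code). It uses the WordPress `get_option`, `set_transient`, `get_transient` and `delete_transient` functions and the `KAGIVAULT_IDLE_TIMEOUT` constant from this readme; the `kagivault_idle_timeout` option name, the `kagivault_dek` transient name and the `kv_*` function names are assumptions.

```php
<?php
// Added example, not Kagivault's own code. Intended to run inside WordPress
// (it calls get_option/set_transient/get_transient/delete_transient).
// Option and transient names are assumptions.
declare(strict_types=1);

const KV_MIN_IDLE_TIMEOUT     = 60;   // floor stated in the readme
const KV_DEFAULT_IDLE_TIMEOUT = 3600; // one-hour default
const KV_DEK_TRANSIENT        = 'kagivault_dek'; // assumed transient name

/** Effective idle timeout: the wp-config constant beats the DB setting; both are clamped to >= 60 s. */
function kv_idle_timeout(): int {
    if (defined('KAGIVAULT_IDLE_TIMEOUT')) {
        $seconds = (int) KAGIVAULT_IDLE_TIMEOUT;
    } else {
        $seconds = (int) get_option('kagivault_idle_timeout', KV_DEFAULT_IDLE_TIMEOUT); // assumed option name
    }
    return max(KV_MIN_IDLE_TIMEOUT, $seconds);
}

/** After a successful unlock: keep the DEK only in a transient whose expiry is the idle timeout. */
function kv_store_unlocked_dek(string $dek): void {
    $encoded = sodium_bin2base64($dek, SODIUM_BASE64_VARIANT_ORIGINAL);
    set_transient(KV_DEK_TRANSIENT, $encoded, kv_idle_timeout());
    sodium_memzero($encoded);
}

/** On each request that needs a key: return the DEK and slide the expiry, or null once the vault has re-locked. */
function kv_current_dek(): ?string {
    $encoded = get_transient(KV_DEK_TRANSIENT);
    if ($encoded === false) {
        return null; // transient expired or was deleted: vault is locked
    }
    set_transient(KV_DEK_TRANSIENT, $encoded, kv_idle_timeout()); // activity resets the idle window
    return sodium_base642bin($encoded, SODIUM_BASE64_VARIANT_ORIGINAL);
}

/** Explicit lock from the admin UI: drop the DEK immediately instead of waiting for expiry. */
function kv_lock(): void {
    delete_transient(KV_DEK_TRANSIENT);
}
```

Without a persistent object cache WordPress stores transients in `wp_options`, so during the unlock window the DEK sits in the same table as the wrapped keys; the idle timeout and the explicit lock bound how long that window stays open, which is why the clamp never lets it drop below a sane floor yet a short value is the safer choice on shared hosts.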

== Changelog ==

= 0.1.2 =
* Updated the plugin and support links to point to the GitHub repository.
* Clarified the readme and admin UI wording describing how the vault locks and unlocks.

= 0.1.1 =
* Default idle-lock timeout extended from 30 minutes to 1 hour.
* Added `KAGIVAULT_IDLE_TIMEOUT` constant so the timeout can be overridden from `wp-config.php` (takes precedence over the database setting).

= 0.1.0 =
* Initial release: encrypted storage for WordPress AI Connectors API keys (OpenAI, Anthropic, Google, OpenRouter, ...), vault-password unlock with idle auto-lock, recovery key, and optional WP login-password auto-unlock.

== Upgrade Notice ==

= 0.1.2 =
Documentation and project-link updates. No functional changes.

= 0.1.1 =
Idle-lock timeout defaults to 1 hour and is now configurable via the `KAGIVAULT_IDLE_TIMEOUT` wp-config constant.

= 0.1.0 =
Initial release of Kagivault.

== Privacy Policy ==

Kagivault does NOT:

* Send any data to external servers
* Track users
* Use cookies for tracking
* Share data with third parties

Kagivault DOES:

* Process and store encrypted API keys locally on your server (`wp_options`)
* Keep the data-encryption key only in a short-lived transient that expires after the configured idle timeout

== Support ==

For support, bug reports, or feature requests:

* Website: https://github.com/benridane/kagivault

== Development ==

Development happens on GitHub. Pull requests welcome!

* Follow WordPress coding standards
* All code must pass `wp plugin check kagivault`
