=== Rabbit SEO ===
Contributors: rabbitseo
Tags: seo, rabbitseo, optimization, application password, rest api
Requires at least: 5.6
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.2.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Connect WordPress to Rabbit SEO with an embedded workspace, Application Password connection, and REST API access.

== Description ==

Rabbit SEO links your WordPress site to [Rabbit SEO](https://www.rabbitseo.com) so you can:

* Open the Rabbit SEO workspace inside WordPress Admin (account created automatically from your WP admin email)
* Automatically embed the Rabbit SEO frontend script using your website GUID
* Allow Rabbit SEO to read pages and posts over the WordPress REST API
* Push site snapshots for audits when Cloudflare blocks public crawlers

This plugin never asks for your main WordPress login password. When you connect later, it creates a WordPress Application Password named "Rabbit SEO" and sends it once to Rabbit SEO over HTTPS.

== Installation ==

1. Install **Rabbit SEO** from Plugins → Add New, or upload the ZIP.
2. Activate the plugin.
3. Open the **Rabbit SEO** menu — the workspace loads in this window and creates or opens your account.
4. Complete welcome onboarding (3 cards).
5. When ready, connect WordPress from inside Rabbit SEO (Application Password) for publishing and snapshot sync.

Local development tip: define `RABBITSEO_APP_BASE_URL` in `wp-config.php` (for example `http://localhost:8080`) to point at a local Rabbit SEO server.

== Privacy / data disclosure ==

When you open the workspace, Rabbit SEO receives your WordPress admin email and site URL to create or log in your account.

After you approve the Application Password connection, Rabbit SEO also receives:

* Site URL, home URL, REST API URL
* WordPress username
* One-time Application Password (stored encrypted by Rabbit SEO; never saved by this plugin)
* Website GUID, WordPress version, plugin version, connection ID

This plugin stores only non-secret connection metadata locally (GUID, connection ID, Application Password UUID, script settings). Your main WordPress password is never requested or stored.

== Frequently Asked Questions ==

= Why do I need HTTPS? =

WordPress Application Passwords require a secure environment on production sites.

= Does this overwrite Yoast / Rank Math / AIOSEO? =

No. Rabbit SEO metadata is stored under `_rabbitseo_*` keys and does not silently overwrite third-party SEO plugin fields.

= Can I disable the script without disconnecting? =

Yes. Use the script checkbox on the Rabbit SEO admin page.

== Changelog ==

= 1.2.1 =
* Signed iframe login when already connected (HMAC with per-site shared secret).
* Safer soft-create path for first install.

= 1.2.0 =
* Plugin-first workspace: embed Rabbit SEO in WordPress Admin (no new window).
* Auto-register / login from the current WordPress admin email and site URL.
* Compact WordPress connection strip for App Password sync controls.

= 1.1.0 =
* Outbound site snapshot sync to Rabbit SEO (HMAC signed) for Cloudflare-safe audits.
* Sync now control, daily safety sync, and publish/update/delete incremental updates.
* Snapshot shared secret established during Approve and Connect.

= 1.0.0 =
* Initial production release.
* Secure Application Password connection flow.
* Frontend script embed with approved CDN allowlist.
* Custom REST API under `rabbitseo/v1`.
* Rabbit SEO owned SEO metadata endpoint and output.
