=== TimeSaverBot ===
Contributors: timesaverbot
Tags: chatbot, live-chat, ai, customer-support, webchat
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.1
Stable tag: 1.1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Connect your WordPress site to TimeSaverBot SaaS — AI-powered chatbot, live-chat widget, and lead collection platform.

== Description ==

TimeSaverBot integrates your WordPress site with the [TimeSaverBot](https://app.timesaverbot.com/) SaaS platform. A guided setup wizard provisions your workspace automatically — no separate account registration required.

**Features:**

* AI-powered chatbot with customizable prompt instructions
* Live-chat widget with appearance and behavior settings
* Lead collection and management dashboard
* Knowledge base integration for enriching bot context
* Admin dashboard with usage metrics (dialogs, leads, conversion rate)
* One-click navigation to Chat, Leads, and Knowledge Base with automatic authentication

**How it works:**

1. Activate the plugin and complete the setup wizard.
2. Configure your bot prompt and widget appearance from within WordPress admin.
3. The chat widget appears on your site automatically — no manual code changes required.
4. Manage conversations and leads from the WordPress admin menu.

= Third-Party Service Disclosure =

This plugin relies on the **TimeSaverBot SaaS platform** hosted at `app.timesaverbot.com`. The following external connections are made:

1. **Provisioning API** (`POST /Provision/WordPressInstall`) — Called once during the setup wizard to create your workspace. Sends: site URL, installation ID, WordPress version, plugin version, admin email.
2. **Dashboard Summary API** (`GET /Provision/WordPressDashboardSummary`) — Called when loading the Dashboard page. Returns aggregated usage metrics.
3. **Operation Token API** (`POST /Auth/CreateOperationToken`) — Called when you navigate to Chat, Leads, or Knowledge Base. Issues a short-lived authentication token.
4. **Iframe embeds** — Bot Settings and Widget Settings pages load the TimeSaverBot configuration UI inside an iframe from `app.timesaverbot.com`.
5. **Silent login redirects** — Chat, Leads, and Knowledge Base menu items redirect to `app.timesaverbot.com` with automatic authentication.
6. **Chat widget script** (`embed.js`) — Loaded on every frontend page after wizard completion. The script is served from `widget.timesaverbot.com` and renders the chat widget inside an iframe. It sends your tenant ID and channel ID as data attributes.

All server-to-server API calls are signed with HMAC-SHA256 using a per-installation secret. No data is sent to any other third-party service.

* [TimeSaverBot Terms of Service](https://app.timesaverbot.com/terms)
* [TimeSaverBot Privacy Policy](https://app.timesaverbot.com/privacy)

== Installation ==

1. Upload the `timesaverbot` folder to `/wp-content/plugins/`.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Follow the setup wizard that appears automatically:
   * **Stage 0** — Read the introduction and click "Start setup" to provision your workspace.
   * **Stage 1** — Configure your bot prompt. Once saved, the setup completes automatically.
4. You are now on the Dashboard. Use the admin menu to manage your chatbot.

== Frequently Asked Questions ==

= Do I need a TimeSaverBot account? =

No. The setup wizard automatically provisions a workspace for your site. No separate registration or login is required.

= What data is sent to TimeSaverBot during setup? =

When you click "Start setup" in the wizard, the plugin sends:

* Your site URL (normalized to a canonical hostname)
* A unique installation identifier (UUID, generated locally)
* Your WordPress version and plugin version
* The admin email address (used to create a technical user in your workspace)

This is the only time these details are transmitted. Subsequent API calls use HMAC-signed requests that include only the installation ID in a request header.

= What data is sent during normal usage? =

* **Dashboard page load**: A signed GET request fetches usage metrics (dialog counts, lead counts, plan info). No site content is transmitted.
* **Chat / Leads / Knowledge Base navigation**: A signed POST request obtains a short-lived, one-time authentication token. The token is exchanged in the browser for a session — no WordPress credentials are shared.
* **Bot Settings / Widget Settings**: These pages load inside an iframe. Configuration data is exchanged directly between your browser and TimeSaverBot — the WordPress plugin is not involved after authentication.

= Where is my data stored? =

Plugin settings (installation ID, secret, tenant IDs) are stored locally in WordPress options (`wp_options` table). Your chatbot configuration, conversations, and leads are stored on the TimeSaverBot platform. No data is stored on any other third-party service.

= What happens when I deactivate the plugin? =

All settings and your installation identity are preserved. Reactivating the plugin restores your connection to TimeSaverBot without re-running the wizard. Your workspace and data on TimeSaverBot remain intact.

= What happens when I uninstall (delete) the plugin? =

Plugin settings are removed from the WordPress database. Your workspace on TimeSaverBot is **not** deleted — contact TimeSaverBot support if you want your data removed from the platform.

= Can I use this plugin on a multisite installation? =

The plugin is designed for single-site WordPress installations. Multisite support is not currently available.

= How does the chat widget appear on my site? =

After completing the setup wizard, the plugin automatically injects the TimeSaverBot chat widget script into every frontend page via `wp_footer`. No manual code changes are needed. The widget does not appear on wp-admin pages. If you deactivate the plugin or reset the wizard, the widget is removed automatically.

= Can I override the widget script URL? =

Yes. Add `define('TSVBOT_WIDGET_URL', 'https://your-custom-url.com');` to your `wp-config.php` before the plugin loads. The default is `https://widget.timesaverbot.com`.

= The iframe pages are blank or blocked =

See the Troubleshooting section on the Help page inside the plugin (TimeSaverBot → Help), or refer to the plugin's SECURITY.md file for CSP/frame-ancestors configuration requirements.

== Privacy ==

TimeSaverBot connects to the TimeSaverBot SaaS platform at `app.timesaverbot.com`. This section documents all data transmitted.

= Data sent during provisioning (one-time, on wizard completion) =

* Normalized site hostname (e.g. `example.com`)
* Installation UUID (locally generated, not tied to any personal data)
* Raw site URL, WordPress version, plugin version (diagnostic metadata)
* Admin email address (used to create a technical user for your workspace)

= Data sent during normal operation =

* **Dashboard**: HMAC-signed GET request with installation ID header. Returns aggregate metrics only.
* **Navigation (Chat/Leads/Knowledge Base)**: HMAC-signed POST request with installation ID and requested scope. Returns a one-time authentication token.
* **Settings (Bot/Widget)**: After initial authentication, the iframe communicates directly between the browser and TimeSaverBot. The WordPress plugin does not relay this traffic.

= Data stored locally =

Installation ID, HMAC secret, tenant ID, connector channel ID, process ID, wizard state. All stored in the `wp_options` table under the `tsvbot_wp_settings` key.

= Data stored remotely =

Chatbot configuration, conversations, leads, and usage metrics are stored on the TimeSaverBot platform. See the [TimeSaverBot Privacy Policy](https://app.timesaverbot.com/privacy) for retention and deletion policies.

= No additional third parties =

This plugin does not transmit data to any service other than `app.timesaverbot.com`.

== Screenshots ==

1. Setup wizard — Stage 0 introduction page.
2. Dashboard with settings status, plan usage, and monthly metrics.
3. Bot Settings configuration via embedded iframe.

== Changelog ==

= 1.1.1 =
* Fix: point plugin API calls to api.timesaverbot.com (previously targeted app.timesaverbot.com, causing provisioning requests to fail with 405)
* Updated Help page diagnostics to reference the correct API host

= 1.1.0 =
* Automatic frontend widget injection — chat widget appears on all frontend pages after wizard completion
* Widget absent on wp-admin pages and when wizard is incomplete
* Added TSVBOT_WIDGET_URL constant (overridable in wp-config.php)

= 1.0.0 =
* WordPress.org documentation and compliance: full readme.txt, privacy disclosure, security docs, Quick Start, troubleshooting guide
* Help page expanded with detailed Quick Start and troubleshooting for 4 key failure scenarios

= 0.3.0 =
* Wizard Stages 1-3 UI with iframe embeds, navigation controls, and completion flow
* Dashboard page with settings status, plan and usage, last 30 days metrics
* Silent login links for Chat, Leads, and Knowledge Base with redirect notice page
* Iframe pages for Bot Settings and Widget Settings with embedded Nuxt UI
* Audit logging for provisioning and authentication events
* HMAC-SHA256 request signing with replay protection (timestamp + nonce)
* Operation token and silent login exchange (short-lived, one-time tokens)
* Call TimeSaverBot provisioning API on wizard Stage 0 to Stage 1 transition
* Store tenant ID, connector ID, process ID, and installation secret in WP options
* Add TSVBOT_API_URL constant (overridable in wp-config.php)

= 0.2.0 =
* Generate and persist stable installation ID (UUID v4) across deactivation/reactivation
* Normalize site URL to canonical host for stable identity binding

= 0.1.0 =
* Initial plugin skeleton with activation/deactivation hooks
* Setup wizard with Stage 0 intro page
* Admin menu with 8 navigation items (Dashboard, Chat, Leads, Bot Settings, Widget Settings, Knowledge Base, Packages, Help)
* Settings storage and version-based migration runner

== Upgrade Notice ==

= 1.1.1 =
Bug fix: corrects the API host used for provisioning. Recommended for all users — earlier versions could fail to complete the setup wizard.

= 1.1.0 =
Chat widget now appears automatically on your site after completing the setup wizard. No manual script embedding required.

= 1.0.0 =
Documentation and compliance update. No functional changes — safe to upgrade.
