=== WebKernelAI Security ===
Contributors: aamirsahil
Tags: security, file-integrity, seo, headers, csp
Requires at least: 6.2
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Connects your WordPress site to WebKernelAI as a secure data collector and policy executor.

== Description ==
WebKernelAI Security connects your WordPress site to the WebKernelAI platform.

The plugin can:

* expose secure token-authenticated REST endpoints for WebKernelAI dashboard actions
* enforce signed requests with HMAC + timestamp + nonce replay protection
* restrict API access to trusted WebKernelAI hosts
* apply rate limiting for authentication attempts and security reporting endpoints
* provide file hash inventory for integrity checks (hashes only, no file contents)
* sync SEO metadata (title, description, canonical, OG fields)
* apply security header and CSP configuration
* support advanced CSP controls including manual policy editing for advanced users
* apply robots.txt and llms.txt controls
* apply random-page and taxonomy archive controls
* enable granular per-endpoint feature controls for safer operations
* support production lock profile and advanced security policy rollback history

All analysis and recommendations run in the WebKernelAI cloud.

== Installation ==
1. Upload the plugin folder to `/wp-content/plugins/` or install via the WordPress plugin screen.
2. Activate the plugin.
3. Go to **Settings -> WebKernelAI Security**.
4. Generate a site token and copy Site URL, API endpoint, and token into your WebKernelAI dashboard.

== Frequently Asked Questions ==
= Does this plugin send file contents to WebKernelAI? =
No. The plugin sends file metadata and hashes (for supported scan modes), not raw file contents.

= Can I disable headers or CSP? =
Yes. Header and CSP controls are configured from the WebKernelAI dashboard.

= Can I customize CSP manually? =
Yes. Advanced users can manually edit CSP policy directives from the dashboard integration and choose enforcement mode.

= Does the plugin protect against replayed API requests? =
Yes. Signed requests include freshness validation and nonce replay defense when advanced security mode is enabled.
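
The three checks named in this answer (HMAC signature, timestamp freshness, nonce replay defense) are sketched below as an added example that is not the plugin's own code. The canonical string layout, the 300-second window, the in-memory nonce store, the request fields and all function names are assumptions, because this readme does not document the wire format.

```php
<?php
// Added illustration, not plugin code. Field layout, the 300 s window, the
// in-memory nonce store and all names below are assumptions.
const EXAMPLE_MAX_SKEW = 300; // seconds a timestamp may differ from server time

function example_sign(string $secret, array $r): string
{
    // Bind every field that must not change; hashing the body keeps the
    // newline-delimited canonical string unambiguous.
    $canonical = implode("\n", [strtoupper($r['method']), $r['path'], $r['ts'], $r['nonce'], hash('sha256', $r['body'])]);
    return hash_hmac('sha256', $canonical, $secret);
}

function example_verify(string $secret, array $r, array &$seenNonces, int $now): string
{
    // 1. Freshness: reject timestamps outside the window before anything else.
    if (!ctype_digit($r['ts']) || abs($now - (int) $r['ts']) > EXAMPLE_MAX_SKEW) {
        return 'stale';
    }
    // 2. Integrity: recompute the HMAC and compare in constant time.
    if (!hash_equals(example_sign($secret, $r), $r['sig'])) {
        return 'bad_signature';
    }
    // 3. Replay: each nonce is accepted once. Expired entries are pruned so
    //    the store stays bounded.
    foreach ($seenNonces as $nonce => $expires) {
        if ($expires < $now) {
            unset($seenNonces[$nonce]);
        }
    }
    if (isset($seenNonces[$r['nonce']])) {
        return 'replay';
    }
    // Stored only after the signature verified, so unsigned traffic cannot fill the store.
    $seenNonces[$r['nonce']] = $now + 2 * EXAMPLE_MAX_SKEW;
    return 'ok';
}

// Constructed sample request: secret, path, nonce and body are made up.
$secret = 'constructed-shared-secret';
$now = 1700000000;
$req = ['method' => 'POST', 'path' => '/example/scan', 'ts' => (string) $now, 'nonce' => bin2hex(random_bytes(16)), 'body' => '{"mode":"quick"}'];
$req['sig'] = example_sign($secret, $req);
$seen = [];
echo example_verify($secret, $req, $seen, $now + 5), "\n";   // first delivery
echo example_verify($secret, $req, $seen, $now + 10), "\n";  // identical copy sent again
echo example_verify($secret, array_merge($req, ['body' => '{"mode":"full"}']), $seen, $now + 10), "\n"; // body changed after signing
echo example_verify($secret, $req, $seen, $now + 900), "\n"; // delivered outside the window
```

A nonce is kept for twice the window because a timestamp up to 300 seconds ahead of server time stays acceptable for up to 600 seconds. On a real site the nonce store has to be shared across PHP workers rather than held in a local array.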

= Can I roll back security policy changes? =
Yes. Advanced security policy versioning keeps history and supports rollback to a previous known-good configuration.

== External services ==
This plugin connects to WebKernelAI cloud services.

It sends data to:

* `https://webkernelai.com`
* your configured WebKernelAI dashboard/backend endpoint

What data is sent:

* site connection data (site URL, API endpoint, token-authenticated requests)
* file integrity data (path, SHA-256 hash, file size, modification time)
* SEO sync payloads (IDs and configured metadata fields)
* security/text control payloads (selected options and policy text)

When data is sent:

* when an administrator connects the site from the WebKernelAI dashboard
* when dashboard actions request scans, sync, or configuration apply operations

Service links:

* Terms of Service: https://webkernelai.com/terms
* Privacy Policy: https://webkernelai.com/privacy

== Changelog ==
= 1.0.2 =
* Added advanced security mode with signed request validation (HMAC, nonce replay protection, and timestamp freshness checks).
* Added trusted-origin host validation for plugin API access.
* Added rate limiting controls for authentication and selected security endpoints.
* Added production lock profile support and advanced security policy versioning with rollback history.
* Added advanced CSP management support including optional manual policy editing.
* Improved dashboard-facing error messaging and security configuration controls.

= 1.0.1 =
* WordPress.org compliance: unique `webkernelai_security_*` option keys, `WebKernelAI_Security_*` class names, `X-WebKernelAI-Security-Token` auth header, automated migration from legacy option names.

= 1.0.0 =
* Initial release.