=== Site Add-on Watchdog ===
Contributors: aaronhsieh
Tags: security, plugins, monitoring, notifications
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.1
Stable tag: 1.7.5.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Monitor installed plugins for security notices, outdated releases, and WPScan disclosures without leaking your site's plugin inventory.

== Description ==

Site Add-on Watchdog keeps an eye on your site's plugins and warns you when:

* Your installed version is two or more minor releases behind the directory build.
* The official changelog mentions security or vulnerability fixes.
* (Optional) WPScan lists open CVEs for the plugin when you provide your own API key.

The plugin runs on a schedule you control—choose daily, weekly, a twenty-minute testing cadence, or rely on manual scans—and stores results locally. Nothing leaves your site unless you explicitly configure outgoing notifications.

=== Privacy first ===

* No plugin inventory or telemetry is ever sent off-site by default.
* Optional webhooks are opt-in and only post the detected risks.
* WPScan lookups only run when you add your personal API token.

=== Admin tools ===

* Dashboard page with the current risk list and manual scan button.
* Ignore list to suppress noisy plugins.
* Notification settings for email, Discord, Slack, Microsoft Teams, or a generic webhook.

=== Notifications ===

* Email: send to one or more recipients (comma separated).
* Discord: post to a channel via webhook.
* Slack: connect via an incoming webhook to post alerts into any workspace channel.
* Microsoft Teams: send adaptive card style notices through an incoming webhook connector.
* Generic webhook: post JSON payload to any endpoint you control, with optional HMAC signatures. Failed deliveries are logged and highlighted on the Watchdog admin screen so you can reconfigure or resend manually.

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/` or install via the admin dashboard.
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Open the top-level **Watchdog** menu in the WordPress sidebar to review the risk table and adjust notifications (older versions or custom admin menu placements may still show under Tools → Watchdog).
4. (Optional) Add your WPScan API key in the settings to fetch vulnerability intelligence.

== FAQ ==

= Does this plugin share my list of installed plugins? =

No. All scanning happens locally. Data only leaves your site if you enable a webhook or Discord notification yourself.

= How do I get a WPScan API key? =

Register for a free account at [wpscan.com](https://wpscan.com/) and copy the API token from your profile. Paste the token into the Watchdog settings page to enable vulnerability lookups.

= How do I configure Slack or Microsoft Teams notifications? =

Slack requires an Incoming Webhook URL that you can generate from your workspace's App Directory. Microsoft Teams uses an Incoming Webhook connector that supplies its own URL. Paste either URL into the Watchdog notification settings, choose which events to send, and Watchdog will post alerts directly into the selected channel.

= Can I trigger scans manually? =

Yes. Use the "Run manual scan" button on the Watchdog admin page.

= How do I resend a failed notification payload? =

Open the Watchdog admin page and check the **Delivery health** section. If a notification fails, the payload is captured there with buttons to re-queue or download it.

= Where can I find the test suite? =

Tests and the `phpunit.xml.dist` configuration are available in the public repository but are excluded from the published plugin package. Clone the repo from GitHub to run the test suite locally with PHPUnit.

== Troubleshooting ==

=== Scheduled scans are not running ===

Watchdog relies on WP-Cron to trigger scheduled scans and notifications. If you have set `DISABLE_WP_CRON` to `true` or your site receives very little traffic (so WP-Cron rarely runs), configure a system cron job to call either `wp-cron.php` or the plugin's REST endpoint. The admin **Delivery health** panel lists the REST URL you can target; a typical example looks like this:

`curl -X POST https://example.com/wp-json/site-add-on-watchdog/v1/cron`

Testing-mode notifications also rely on this trigger, so be sure your cron job is running when validating delivery.

== CLI Usage ==

Watchdog bundles a WP-CLI command so you can run scans outside of the WordPress admin. All examples below assume the command is executed from a shell where `wp` (WP-CLI) is available.

`wp watchdog scan [--notify=<bool>]`

* `--notify` (optional): Accepts `true` or `false` (defaults to `true`). When set to `false`, Watchdog will skip any configured email or webhook notifications and only record the scan locally.

Examples:

* Run a scan and send notifications (default): `wp watchdog scan`
* Run a scan silently (skip notifications): `wp watchdog scan --notify=false`

Recommended workflow: on CI/CD platforms, add a job step that boots your WordPress/WP-CLI container, runs pending database migrations if needed, and then calls `wp watchdog scan --notify=false` to verify the plugin state without spamming production channels. Promote to production by rerunning the same command with notifications enabled when you are ready to alert your team.

== Development ==

The development repository is available on GitHub: https://github.com/happyloa/Site-Add-on-Watchdog. Clone it locally to review the source or run the test suite.

== Changelog ==

= 1.7.5.1 =
* Add proper PHPDoc type hints to the Risk model for better IDE support.
* Fix mixed-language string in admin template for consistent internationalization.
* Add CHANGELOG.md for easier version history tracking on GitHub.
* Add translation template file (languages/site-add-on-watchdog.pot) for translators.
* Sync Version constant with plugin metadata.

= 1.7.5 =
* Remove the custom View details plugin row link to avoid duplicating WordPress output.
* Bump plugin metadata, Version constant, and stable tag to 1.7.5.

= 1.7.4 =
* Fix admin risk table rendering by loading the correct Risk model in the template.
* Bump plugin metadata and Version constant to 1.7.4.

= 1.7.3 =
* Normalize risk vulnerability payloads to avoid fatal errors on new installs.
* Bump plugin metadata and Version constant to 1.7.3.

= 1.7.2 =
* Remove outdated roadmap reference in the readme.
* Clarify FAQ guidance for resending failed notifications.
* Add the GitHub repository link to the readme.

= 1.7.1 =
* Add Settings and View details links in the plugin row.
* Open the author link in a new tab from the plugins list.
* Bump plugin metadata, Version constant, and stable tag to 1.7.1.

= 1.7.0 =
* Sanitize admin request parameters for sorting, notices, and downloads.
* Bump plugin metadata, Version constant, and stable tag to 1.7.0.

= 1.6.3 =
* Bump plugin metadata, Version constant, and stable tag to 1.6.3.

= 1.6.2 =
* Bump plugin metadata, Version constant, and stable tag to 1.6.2.

= 1.6.1 =
* Add missing translator comments for placeholder strings to satisfy plugin check.
* Bump plugin metadata, Version constant, and stable tag to 1.6.1.

= 1.6.0 =
* Bump plugin metadata, Version constant, and stable tag to 1.6.0.
* Align enqueued asset cache-busting with the 1.6.0 release.
* Verify version references across the codebase for consistency.

= 1.5.3 =
* Address plugin check notices by tightening request handling and translator comments.
* Bump plugin metadata to version 1.5.3.

= 1.5.2 =
* Addressed plugin check findings by hardening sanitization, hook usage, and output handling.
* Refined admin notice and history messaging for better WordPress compliance.

= 1.5.1 =
* Addressed plugin check findings by improving nonce validation, sanitization, and escaping.
* Replaced discouraged filesystem and tag-stripping calls for compliance.

= 1.5.0 =
* Rename the main plugin file and asset handles to match the plugin slug and unique prefix.
* Prefix options, transients, hooks, and cron events with `siteadwa_` while migrating existing saved data.
* Move admin inline styles into the enqueued stylesheet and prevent direct template access.

= 1.4.0 =
* Improve the scan history card layout so risk pills stay aligned with their titles.
* Send Discord notifications as plain text only to avoid duplicated content blocks.
* Bump plugin metadata to version 1.4.0.

= 1.3.1 =
* Fix notification queue dispatch callbacks to avoid activation/runtime fatals.
* Provide safer defaults for settings persistence when WordPress APIs are unavailable in CLI/CI.
* Harden translation calls in the history template for non-WordPress contexts.

= 1.3.0 =
* Bump release metadata, stable tag, and asset cache busting to 1.3.0.

= 1.2.0 =
* Update plugin metadata, documentation, and enqueued asset versions to align with the 1.2.0 release.

= 1.0.0 =
* Promote Watchdog to its first stable release and align plugin metadata, assets, and readme references with version 1.0.0.
* Refresh the changelog to highlight the matured monitoring, notification, and history features now considered production ready.

= 0.5.0 =
* Store every scan in a downloadable history with timestamps and JSON/CSV exports.
* Add an admin dashboard history panel showing the latest results with retention controls.
* Allow administrators to configure how many historical scans are retained (defaults to 30).

= 0.4.0 =
* Add a twenty-minute testing frequency to the scan scheduler for staging and QA environments.

= 0.3.0 =
* Add schedule frequency options for daily, weekly, or manual-only scans.
* Improve webhook delivery with signature headers and better error handling.
* Refresh the admin results table with sortable columns and clearer status badges.

= 0.2.0 =
* Prefill email notification recipients with site administrators.
* Refresh email layout with HTML formatting including version details.

= 0.1.0 =
* Initial release.