=== Publishing Connector for Flowra ===
Contributors: sudhanrichardson
Tags: publishing, content, seo, api
Requires at least: 6.0
Tested up to: 7.0
Stable tag: 1.0.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

== Description ==

Publishing Connector for Flowra is a lightweight infrastructure plugin that securely connects a WordPress site with the Flowra content operations platform.

This plugin allows Flowra to interact with WordPress as a trusted publishing client while respecting WordPress permissions, themes, and existing SEO plugins.

The plugin has no user interface and no settings screen. It exists purely as a secure bridge between Flowra and WordPress.

== Features ==

- Secure authentication using WordPress Application Passwords
- OAuth-ready architecture for future connection methods
- Read posts and pages from WordPress
- Publish, update, and schedule posts
- Assign categories and tags
- Sync SEO metadata from popular SEO plugins:
  - Rank Math
  - Yoast SEO
  - All in One SEO
  - SEOPress
- No conflicts with existing SEO plugins
- No background jobs or cron tasks
- No tracking or data collection

== Installation ==

1. Upload the `publishing-connector-for-flowra` folder to the `/wp-content/plugins/` directory
2. Activate the plugin through the WordPress Plugins screen
3. Generate a WordPress Application Password for an admin or editor user
4. Connect your site from the Flowra app using the site URL, username, and application password

== Usage ==

Once activated, the plugin exposes secure REST API endpoints used by Flowra.

All content creation, publishing, and scheduling actions are performed from the Flowra platform.

There are no WordPress admin pages or settings for this plugin.

== Security ==

- All API requests require authentication
- Only users with publishing permissions can access endpoints
- No data is exposed publicly
- No credentials are stored by the plugin

== Changelog ==

= 1.0.4 =
- Added defensive class guards to prevent fatal errors if the legacy, manually-installed "flowra-connector" plugin is active on the same site
- If the legacy flowra-connector plugin is detected, an admin notice now offers a one-click, user-initiated link to deactivate it (nothing is deactivated automatically)
- Status endpoint now reports the correct plugin slug

= 1.0.3 =
- Security fix: the /publish permission check used a non-existent "publish_post" per-post capability, which could incorrectly deny (or in some setups mis-evaluate) publish/schedule requests; it now correctly checks the type-wide publish_posts capability
- Security fix: the /content permission check for status=any now also requires edit_others_posts in addition to read_private_posts, since "any" can include other users' draft/pending/future posts, not just private ones

= 1.0.2 =
- Security: tightened REST API permission checks on the /publish and /content endpoints so capability requirements match the action actually being performed (publishing/scheduling vs. editing, and private vs. other non-public statuses)
- Fix: content read endpoint now sets up post data correctly before running the_content filters, avoiding conflicts with themes/plugins that rely on it
- Hardening: SEO metadata fields are now sanitized before being saved

= 1.0.0 =
- Initial public release
- Secure Flowra ↔ WordPress connector
- Publishing, scheduling, and SEO metadata sync
- OAuth-ready architecture

== Upgrade Notice ==

= 1.0.4 =
Hardening release: prevents fatal errors if the legacy flowra-connector plugin is also active, and adds an opt-in admin notice to deactivate it manually.

= 1.0.3 =
Security fix: corrected an invalid capability check on the /publish endpoint and tightened /content permission checks for status=any. Update recommended for all sites.

= 1.0.2 =
Security fix: REST API permission checks now correctly require publishing capability for publish/schedule actions and private-content capability for private posts. Update recommended for all sites.

= 1.0.0 =
Initial stable release.
