=== Auditto ===
Contributors: aporcebr
Tags: gdpr, ccpa, lgpd, privacy, compliance
Requires at least: 6.2
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 0.3.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Verify what your WordPress site actually does vs. what your privacy policy claims. GDPR / CCPA / LGPD compliance, from inside WordPress.

== Description ==

Auditto is a privacy-compliance verifier that runs inside your WordPress install. It catches what no external scanner can see: which plugin is loading Google Fonts, which theme is pulling jQuery from a CDN, which cron job phones home to a vendor API.

It pairs with the **Auditto** SaaS (https://auditto.pro) — an external scanner that reads your privacy policy and cross-references it against what your site actually does — to give you a complete picture: the OUTSIDE view (what visitors see) plus the INSIDE view (what plugins do).

= What it does =

* **Detects every script and stylesheet** loaded by every installed plugin and theme, on both the frontend and wp-admin. Flags anything served from a third-party host.
* **Logs every outbound HTTP call** WordPress makes from your server (cron jobs, plugin update checks, vendor webhooks, REST callbacks). Aggregates by host so you see who you're talking to.
* **Cross-references against a database of ~50 known privacy-relevant third parties**: Google Fonts, Meta Pixel, Hotjar, Microsoft Clarity, Intercom, jQuery CDN, Cloudflare, MaxMind, and many more. Each hit comes with the legal concern (consent / international transfer / transparency), the affected law (GDPR / UK GDPR / CCPA / LGPD), and a one-line remediation tip.
* **Pulls your latest Auditto SaaS scan** for this domain and shows score + top findings + action plan directly in wp-admin. One-click rescan from the dashboard.
* **Provides the Auditto badge** as a [auditto_badge] shortcode and a copy-paste HTML snippet, ready for your site footer.
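A sketch of how the two observers above can be built on WordPress's own hooks, added here as an illustration and not Auditto's code: the asset scanner walks the resolved script and style queues once a day and flags any source whose host is not the site's own, and the HTTP watcher hooks `http_api_debug` to count outbound server requests per host. The three-entry offender map and the `auditto_demo_*` names are assumptions standing in for the plugin's real database.

```php
<?php
// Illustrative asset scanner + outbound HTTP watcher, not Auditto's own code.
// Assumes an mu-plugin context; the map below is a toy stand-in for the ~50-entry database.
function auditto_demo_known_offenders() {
    return array(
        'fonts.googleapis.com' => 'Google Fonts: consent / international transfer',
        'connect.facebook.net' => 'Meta Pixel: consent',
        'code.jquery.com'      => 'jQuery CDN: transparency / international transfer',
    );
}
// A finding for an off-site asset, or null for first-party and inline ones.
function auditto_demo_classify( $kind, $handle, $src ) {
    $host = strtolower( (string) wp_parse_url( (string) $src, PHP_URL_HOST ) );
    $own  = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    if ( '' === $host || $host === $own ) {
        return null;
    }
    $known = auditto_demo_known_offenders();
    $why   = isset( $known[ $host ] ) ? $known[ $host ] : 'unlisted third party';
    return compact( 'kind', 'handle', 'host', 'why' );
}
// Resolve the dependency tree of everything queued and flag third-party hosts.
function auditto_demo_scan_assets() {
    global $wp_scripts, $wp_styles;
    if ( false !== get_transient( 'auditto_demo_assets' ) ) return; // once per 24 h
    $findings = array();
    foreach ( array( 'script' => $wp_scripts, 'style' => $wp_styles ) as $kind => $deps ) {
        if ( ! $deps instanceof WP_Dependencies ) continue;
        $copy = clone $deps;              // all_deps() fills ->to_do; do it on a copy
        $copy->all_deps( $copy->queue );
        foreach ( $copy->to_do as $handle ) {
            $src = isset( $copy->registered[ $handle ] ) ? $copy->registered[ $handle ]->src : '';
            $hit = auditto_demo_classify( $kind, $handle, $src );
            if ( $hit ) $findings[] = $hit;
        }
    }
    set_transient( 'auditto_demo_assets', $findings, DAY_IN_SECONDS ); // hostnames only
}
add_action( 'wp_print_scripts', 'auditto_demo_scan_assets', 999 );
// Count outbound server requests per host; path, query string and body are never kept.
function auditto_demo_log_outbound( $response, $context, $class, $args, $url ) {
    $host = strtolower( (string) wp_parse_url( (string) $url, PHP_URL_HOST ) );
    if ( '' === $host ) return;
    $log          = (array) get_transient( 'auditto_demo_http' );
    $log[ $host ] = ( isset( $log[ $host ] ) ? $log[ $host ] : 0 ) + 1;
    set_transient( 'auditto_demo_http', $log, DAY_IN_SECONDS );
}
add_action( 'http_api_debug', 'auditto_demo_log_outbound', 10, 5 );
```

Reading the two transients back in wp-admin gives the "who are we talking to" view; nothing in either record identifies a visitor.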

= Privacy by design =

* **No tracker, no cookie, no analytics call** is added to your site by this plugin. It observes; it never injects.
* **No account required**, no registration, no API key — the free Auditto SaaS scan works for any domain.
* **The opt-in tracker feed is OFF by default.** When you choose to turn it on, the plugin sends ONLY anonymised hostnames it observed (no content, no visitor data, no PII) to help us grow the global tracker database. The site_token used for deduplication is a random UUID generated locally; it has no link to any account.

= What we never send =

* Site content, posts, pages, comments
* Logged-in user information, emails, visitor IPs
* URLs with query strings or form data
* Anything from your own domain — only third-party hostnames

== Installation ==

1. Upload the `auditto` folder to `/wp-content/plugins/`, or install via the WordPress Plugins menu.
2. Activate via **Plugins → Installed Plugins → Auditto**.
3. Visit **Auditto → Settings** and check the contact email. The plugin already detected your site's URL automatically.
4. On the **Dashboard**, click **Run my first scan**. Result arrives in ~90 seconds.

That's it. No API keys, no signup.

== Frequently Asked Questions ==

= Do I need an Auditto account to use this plugin? =

No. The free Auditto SaaS scan works for any domain without registration. Paid Auditto plans (weekly auto-scans, active tracker blocking, multi-site dashboard) will require an account when they launch.

= Does the plugin slow down my site? =

No measurable impact. The asset scanner records once per 24 hours per scope, the HTTP watcher writes one transient at the end of each request only if anything new was captured, and everything else only runs on wp-admin pages. The plugin loads no frontend scripts and adds no markup outside its shortcode.

= Where is the data stored? =

* **Locally** (in the `wp_options` and `wp_*_transient` tables on your install): the captured asset list, the HTTP-call log, the cached Auditto report, your settings.
* **At the Auditto SaaS** (only what the SaaS already receives when you request a scan): the scan you requested, your contact email, the report HTML — same as if you'd used the auditto.pro form directly.
* **Globally** (only if you opt in to the tracker feed): anonymised third-party hostnames and which plugin/theme loaded them.

= Will the plugin track my site visitors? =

No. The plugin never executes on the frontend in a way that touches your visitors' identity. The asset scanner samples enqueued handles once a day; the HTTP watcher only observes calls your SERVER makes, never visitor traffic.

= How is this different from a cookie banner plugin? =

Cookie banners ASK for consent. They generally don't enforce it, and they don't tell you whether your plugins are loading trackers BEFORE the banner appears. Auditto verifies the reality: what is your site actually loading, before and after the banner.

= Where can I read your privacy policy? =

https://auditto.pro/en/privacy (English), https://auditto.syswp.com.br/pt/privacidade (Portuguese), https://auditto.pro/es/privacidad (Spanish).

= I want to delete every trace of the plugin. How? =

Plugins → Installed Plugins → Deactivate → Delete. The plugin's uninstall.php nukes every option, transient, and scheduled task it created. If you opted into the tracker feed before deleting, write to dpo@auditto.pro with your site_token and we'll delete the rows.

== Changelog ==

= 0.3.0 =
* **Renamed**: the plugin is now called **Auditto** (was "SysAuditto"). Existing installs are migrated automatically on activation — your settings, API key and site token carry over.
* Cleaned up duplicate "Vendor Vendor Name" labels in the dashboard top-issues list.

= 0.2.0 =
* Auditto API key support — paste a key from auditto.pro/account/api-keys to link this site to your account.
* Active tracker blocking (Pro / Agency plans): removes from the enqueue queue any frontend script or stylesheet whose src matches a known privacy-violating service, BEFORE the browser downloads it.
* Settings page shows your current plan badge.

= 0.1.0 =
* Initial release.
* WordPress dashboard pulls the latest Auditto SaaS scan for your domain and shows score + top findings + action plan.
* One-click "Run my first scan" / "Rescan" buttons.
* Asset scanner: captures every enqueued script and stylesheet, grouped by owning plugin / theme.
* HTTP watcher: logs every distinct outbound host WordPress contacted in the last 24 h.
* Known-offenders database: ~50 hand-curated third-party services with concern, jurisdiction, and remediation tip.
* Opt-in (OFF by default) weekly tracker feed to improve the global database.
* [auditto_badge] shortcode for the Auditto compliance badge.
* Full English UI with POT template for translators.

== Upgrade Notice ==

= 0.3.0 =
Plugin renamed from "SysAuditto" to "Auditto". Settings migrate automatically.

= 0.2.0 =
Adds API-key authentication so you can pair this install with a paid Auditto plan and unlock active tracker blocking on the frontend.

= 0.1.0 =
Initial public release.

== Screenshots ==

1. Dashboard — score, top findings, action plan, badge embed code.
2. Detected assets — every plugin's scripts and styles, with external hosts flagged.
3. Outbound HTTP — distinct hosts your server contacts.
4. Known offenders — vendors detected with remediation tips.
5. Settings — contact email, site token, opt-in tracker feed.
