=== Blurt Publisher ===
Contributors: khrom
Tags: blurt, blockchain, publishing, woocommerce, social-media
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.6.7
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Publish WordPress posts and WooCommerce products to Blurt with local Direct RPC signing.

== Description ==

Blurt Publisher connects WordPress with the Blurt blockchain.

The recommended publishing mode is Direct RPC. In this mode WordPress prepares the Blurt transaction, signs it locally with the private posting key saved in the plugin settings, and broadcasts the signed transaction directly to public Blurt RPC nodes. No external plugin endpoint is needed.

The plugin can publish:

* WordPress posts.
* WooCommerce products.
* Full post content or excerpt/teaser-only content.
* Products using a Blurt Market-style template.
* Separate post and product schedules.
* Separate post and product Blurt accounts and posting keys.
* Optional fallback through a secured legacy endpoint for hosting environments where Direct RPC is unavailable.

== Important security notes ==

Use only your Blurt private posting key in this plugin. Do not enter your owner key or active key.

Direct RPC mode is recommended because the private posting key stays inside WordPress and is not sent to a plugin endpoint.

Private posting keys and endpoint fallback credentials are stored encrypted at rest when OpenSSL AES-256-GCM is available. The encryption key is derived from `BLURT_PUBLISHER_ENCRYPTION_KEY` when this constant is defined, otherwise from WordPress auth salts. If you change your WordPress salts or custom encryption key, you may need to re-enter saved private keys.
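The sketch below is an added example of the encryption at rest described above, not code from the plugin. It shows why a changed salt or custom key makes stored secrets unreadable. The HKDF-SHA256 derivation, the `v1:` storage layout and the `bp_demo_*` function names are assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. Key derivation (HKDF-SHA256),
// the info label and the "v1:" storage layout are assumptions.

function bp_demo_key(string $secret_material): string {
    // Stretch arbitrary-length secret material into a 32-byte AES-256 key.
    return hash_hkdf('sha256', $secret_material, 32, 'blurt-publisher-demo');
}

function bp_demo_encrypt(string $plaintext, string $key): string {
    $iv  = random_bytes(12);   // 96-bit nonce, fresh for every encryption
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('AES-256-GCM encryption failed');
    }
    return 'v1:' . base64_encode($iv . $tag . $ct);
}

function bp_demo_decrypt(string $stored, string $key): ?string {
    if (strncmp($stored, 'v1:', 3) !== 0) return null;
    $raw = base64_decode(substr($stored, 3), true);
    if ($raw === false || strlen($raw) < 28) return null;   // 12-byte IV + 16-byte tag
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;   // false means the GCM tag did not verify
}

// Constructed inputs: custom constant first, then WordPress auth salts,
// then a fixed string so the sketch also runs outside WordPress.
$material = defined('BLURT_PUBLISHER_ENCRYPTION_KEY')
    ? constant('BLURT_PUBLISHER_ENCRYPTION_KEY')
    : (function_exists('wp_salt') ? wp_salt('auth') : 'constructed-salt-A');
$stored = bp_demo_encrypt('constructed-posting-key', bp_demo_key($material));
var_dump(bp_demo_decrypt($stored, bp_demo_key($material)));
// Simulate rotated salts: the derived key differs and the tag check fails.
var_dump(bp_demo_decrypt($stored, bp_demo_key('constructed-salt-B')));
```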

Legacy endpoint fallback still sends the private posting key to the configured endpoint for a single publication request. It should be used only when Direct RPC is not available on a particular hosting provider.

Protect your WordPress admin account, database, backups and hosting panel. Anyone with access to the database and encryption material may be able to recover stored secrets.

== External Services ==

This plugin connects to external services to publish content to Blurt.

= 1. Public Blurt RPC nodes =

The plugin connects to configured Blurt RPC nodes, by default:

* https://rpc.beblurt.com
* https://rpc.blurt.world
* https://blurt-rpc.saboin.com

The plugin sends signed Blurt blockchain transactions to these nodes. In Direct RPC mode the private posting key is not sent to these nodes; only signed transactions are broadcast.

= 2. Optional legacy endpoint fallback =

If legacy endpoint mode is enabled, the plugin sends post/product data and the private posting key to the configured endpoint URL. The request is protected with HTTPS, endpoint token, timestamp, nonce and HMAC signature.
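As an added example (not the plugin's or the endpoint's own code), this is one way a receiving endpoint can check the token, timestamp, nonce and HMAC signature named above and reject replayed or altered requests. The field names, the canonical string layout, the 300-second window and the `bp_demo_*` functions are assumptions.

```php
<?php
// Added illustration; not the plugin's or endpoint's code. Field names, the
// canonical string and the 300-second window are assumptions.

function bp_demo_sign(string $secret, string $token, int $ts, string $nonce, string $body): string {
    // Bind token, timestamp, nonce and a hash of the body into one MAC input.
    $canonical = implode("\n", [$token, (string) $ts, $nonce, hash('sha256', $body)]);
    return hash_hmac('sha256', $canonical, $secret);
}

function bp_demo_verify(array $req, array $secrets, array &$seen, int $now, int $window = 300): string {
    $secret = $secrets[$req['token']] ?? null;
    if ($secret === null) return 'unknown token';
    if (abs($now - $req['ts']) > $window) return 'stale timestamp';
    $expected = bp_demo_sign($secret, $req['token'], $req['ts'], $req['nonce'], $req['body']);
    // Constant-time comparison avoids leaking how many characters matched.
    if (!hash_equals($expected, $req['sig'])) return 'bad signature';
    // Record the nonce only after the MAC passes, so unauthenticated
    // requests cannot fill the replay cache.
    $k = $req['token'] . ':' . $req['nonce'];
    if (isset($seen[$k])) return 'replayed nonce';
    $seen[$k] = $req['ts'];   // a real store would expire entries older than $window
    return 'ok';
}

// Constructed sample request and credentials.
$secrets = ['tok_demo' => 'hmac_secret_demo'];
$seen = [];
$now = 1700000000;
$req = ['token' => 'tok_demo', 'ts' => $now, 'nonce' => bin2hex(random_bytes(16)),
        'body' => '{"title":"Hello"}'];
$req['sig'] = bp_demo_sign($secrets['tok_demo'], $req['token'], $req['ts'], $req['nonce'], $req['body']);

$tampered = $req; $tampered['body'] = '{"title":"Changed"}';
$stale = $req; $stale['ts'] = $now - 3600;
foreach (['first' => $req, 'replay' => $req, 'tampered' => $tampered, 'stale' => $stale] as $name => $r) {
    echo $name, ': ', bp_demo_verify($r, $secrets, $seen, $now), "\n";
}
```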

= 3. Optional endpoint key registration =

When the user clicks the endpoint key generation button, the plugin generates a unique endpoint token and HMAC secret, broadcasts a signed Blurt `custom_json` proof containing only hashes of those secrets, and sends the actual token/HMAC secret to the configured endpoint registration route over HTTPS.

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/` or install the ZIP file in WordPress admin.
2. Activate Blurt Publisher.
3. Open Blurt Publisher → Welcome.
4. Open Blurt Publisher → Settings.
5. Enter your Blurt author account without `@`.
6. Save your private posting key. Use the private posting key only.
7. Keep Publishing Mode set to Direct RPC unless you explicitly need fallback endpoint mode.
8. Configure tags, community, reward and schedule.
9. Use Publish Next Post for a controlled test.
10. If WooCommerce products should be published, configure Blurt Publisher → Product Settings.

== Frequently Asked Questions ==

= Do I need an endpoint? =

No. Direct RPC mode does not need an endpoint. The endpoint is only an optional fallback for hosting environments where Direct RPC cannot be used.

= Does Direct RPC send my private posting key outside WordPress? =

No. Direct RPC mode signs transactions locally inside WordPress and broadcasts only signed transactions.

= Are private keys encrypted in WordPress? =

Yes, private posting keys and endpoint fallback credentials are encrypted at rest when OpenSSL AES-256-GCM is available. If OpenSSL AES-256-GCM is unavailable, the plugin will show an admin warning and will not save new private keys securely.

= Can I use a custom encryption key? =

Yes. Define `BLURT_PUBLISHER_ENCRYPTION_KEY` in `wp-config.php` before saving keys if you want a custom encryption secret independent of WordPress salts.

= Does legacy endpoint fallback send my private posting key? =

Yes. Legacy fallback exists for compatibility. The request is protected with HMAC, nonce and timestamp, but the endpoint still receives the private posting key for that one publication request.

= Can products use a different Blurt account? =

Yes. Products have their own author and private posting key settings.

= Can I publish only excerpts? =

Yes. Posts and products can publish full content or excerpt/teaser-only content.

= What key should I use? =

Use the private posting key only. Never use the owner key or active key in this plugin.

== Changelog ==

= 1.6.7 =
* Fixed queue lookup after Plugin Check query changes. Manual Publish Next now scans the visible queue correctly and automatic publishing no longer stops after the first flagged batch.

= 1.6.6 =
* Fixed Plugin Check findings from the 2026-06-06 report.
* Renamed the public plugin name to Blurt Publisher to avoid restricted WordPress.org terms.
* Removed manual textdomain loading for WordPress.org compatibility.
* Reworked log writing to use WP_Filesystem helpers.
* Reworked flag-management screens to avoid metadata-filter list queries and escape generated output.
* Removed unexpected Markdown documentation from the plugin root and reduced readme tags to five.

= 1.6.4 =
* Added multilingual Welcome page content based on WordPress locale: EN, PL, ES, IT and FR.
* Improved Welcome page layout and default top-level plugin page.

= 1.6.3 =
* Made the Welcome screen the default top-level plugin page.
* Added a professional tabbed Welcome page with Blurt logo, account registration links, publishing guidance, frontends and security notes.

= 1.6.2 =
* Removed shared default endpoint token and HMAC secret.
* Added individual endpoint key generation.
* Added Blurt custom_json proof for generated fallback credentials.
* Added endpoint registration support.
* Added WordPress.org-style readme.txt.
* Added setting sanitization callbacks.
* Moved logs to wp-content/uploads/blurt-publisher-logs.
* Added nonce/capability checks to the error console.

== Upgrade Notice ==

= 1.6.7 =
Fixed queue lookup after Plugin Check query changes. Manual Publish Next now scans the visible queue correctly and automatic publishing no longer stops after the first flagged batch.

= 1.6.6 =
This version migrates legacy plaintext key options to encrypted secret options when OpenSSL AES-256-GCM is available. Re-save private keys if WordPress reports that encryption is unavailable or if salts/encryption keys have changed.
