=== Insertabot - AI Chatbot Solution ===
Contributors: m1styk
Tags: chatbot, ai, chat, support, customer service
Requires at least: 5.9
Tested up to: 6.9
Stable tag: 1.0.9
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Add a customizable AI chatbot to your WordPress site. Real-time web search, unlimited conversations. Get started free!

== Description ==

**Insertabot** brings the power of AI chat to your WordPress website in just minutes. No coding required!

### What Makes Insertabot Different?

* **Real-Time Web Search** - Unlike ChatGPT, Insertabot searches the web for current information
* **Lightning Fast Setup** - Install plugin, add API key, done! Takes under 5 minutes
* **Fully Customizable** - Match your brand colors, greeting message, and bot personality
* **Mobile Optimized** - Beautiful chat experience on all devices
* **Free to Start** - 20 messages per day, no credit card required

### Key Features

* **AI-Powered Conversations** - Smart, natural responses to visitor questions
* **Real-Time Web Search** - Always up-to-date answers (not outdated training data)
* **Full Customization** - Colors, branding, greeting messages
* **Mobile-Friendly Widget** - Works perfectly on phones and tablets
* **Zero Code Required** - Simple settings page, no technical skills needed
* **Privacy Focused** - Your data is secure and never sold

### Pricing

**Free Plan**
* 20 messages per day
* Real-time web search
* Basic customization
* Mobile-optimized widget

**Pro Plan - $9.99/month**
* Unlimited playground messages
* 500 embedded messages/month
* Priority support
* Advanced analytics

[Get Your Free API Key →](https://insertabot.io/signup)

### Perfect For:

* E-commerce stores (product questions, support)
* Blogs (engaging with readers)
* Service businesses (answering FAQs)
* SaaS products (onboarding help)
* Educational sites (tutoring, Q&A)

### How It Works

1. **Install Plugin** - Download and activate from WordPress.org
2. **Get API Key** - Sign up free at insertabot.io
3. **Paste & Enable** - Enter your API key and toggle on
4. **Done!** - Your AI chatbot is now live on your site

### Why Users Love It

> "Set up in 5 minutes. Visitors are actually using it. Best $10/month I spend." - Sarah, blogger

> "The real-time web search is a game changer. Answers are always current." - Mike, e-commerce owner

> "Free tier is perfect for testing. Upgraded after seeing how well it works." - Jessica, startup founder

### Technical Details

* Footer script loading (won't slow down your site)
* GDPR compliant
* Works with all WordPress themes
* Compatible with page builders (Elementor, Divi, etc.)
* CDN-hosted for blazing fast performance

== External Services ==

This plugin connects to the Insertabot API service to provide AI chatbot functionality.

**Service URL:** https://insertabot.io

**When the chatbot is enabled, the following data is transmitted:**
* User chat messages and questions
* Your website URL (for context)
* API key (for authentication)

**Third-Party Service Information:**
* Service Provider: Insertabot (https://insertabot.io)
* Privacy Policy: https://insertabot.io/privacy
* Terms of Service: https://insertabot.io/terms

The plugin requires an API key from Insertabot to function. You can obtain a free API key by signing up at https://insertabot.io/signup

**Backend Services Used by Insertabot API:**
* Cloudflare Workers AI (for AI processing)
* Tavily API (for real-time web search)

== Privacy ==

**Local Data Storage:**
Insertabot stores minimal data locally in your WordPress database:
* Encrypted API key (option: `insertabot_api_key_encrypted`)
* Plugin settings (enabled/disabled state, API base URL)
* Optional security logs (option: `insertabot_security_logs`) - anonymized with IP addresses masked
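
The masking rule this readme gives for logged IP addresses (last octet zeroed for IPv4, last 80 bits for IPv6) can be implemented as below. This is an added example, not the plugin's own code; the function name, the handling of IPv4-mapped addresses and the `0.0.0.0` fallback are assumptions.

```php
<?php
// Added example, not the plugin's code. example_anonymize_ip() is a
// hypothetical name; the fallback value for bad input is an assumption.

/**
 * Zero the last octet of an IPv4 address or the last 80 bits of an IPv6
 * address, so a log entry keeps only a /24 or /48 network prefix.
 */
function example_anonymize_ip(string $ip): string
{
    // Drop an IPv6 zone id ("fe80::1%eth0") and any surrounding brackets.
    $ip = trim(explode('%', $ip, 2)[0], "[] \t");

    $packed = @inet_pton($ip);
    if ($packed === false) {
        return '0.0.0.0'; // unparseable input is never logged raw
    }

    // An IPv4-mapped address (::ffff:a.b.c.d) holds an IPv4 address in its
    // last 4 bytes. Masking 80 bits would erase it entirely, so unwrap it
    // and apply the IPv4 rule instead.
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && strncmp($packed, $mappedPrefix, 12) === 0) {
        $packed = substr($packed, 12);
    }

    if (strlen($packed) === 4) {
        $packed = substr($packed, 0, 3) . "\x00";                 // keep /24
    } else {
        $packed = substr($packed, 0, 6) . str_repeat("\x00", 10); // keep /48
    }

    return inet_ntop($packed);
}

// Constructed sample addresses (documentation ranges) plus one bad value.
$samples = ['203.0.113.77', '2001:db8:1234:5678:9abc:def0:1234:5678',
            '::ffff:198.51.100.9', 'not-an-ip'];
foreach ($samples as $sample) {
    printf("%-40s -> %s\n", $sample, example_anonymize_ip($sample));
}
```

Masking has to happen before the value is written to the log option, otherwise the full address still reaches the database.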

**Data Transmission:**
When users interact with the chatbot, their messages are sent to the Insertabot API service for processing. The plugin does **not** expose your API key to client browsers (uses short-lived tokens instead).

**GDPR Compliance:**
The plugin implements WordPress personal data exporters and erasers. Site administrators can export or remove personal data associated with a user via Tools → Export Personal Data / Erase Personal Data in WordPress admin.

**Security:**
* API keys are stored using AES-256-CBC encryption
* IP addresses in logs are anonymized (last octet zeroed for IPv4, last 80 bits zeroed for IPv6)
* No personal data is sent to third parties beyond what is necessary for chatbot functionality
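
AES-256-CBC on its own gives confidentiality but no integrity, so a value stored this way is normally paired with a random per-record IV and a MAC that is checked before decryption. The sketch below shows that pattern as an added example; it is not the plugin's own code, and the function names, the IV | MAC | ciphertext layout and the caller-supplied master secret are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names, the stored-blob
// layout (IV | MAC | ciphertext) and the master secret are assumptions.

/** Derive separate encryption and MAC keys from one master secret. */
function example_derive_keys(string $secret): array
{
    return [
        hash_hkdf('sha256', $secret, 32, 'example-apikey-enc'),
        hash_hkdf('sha256', $secret, 32, 'example-apikey-mac'),
    ];
}

function example_encrypt_api_key(string $apiKey, string $secret): string
{
    [$encKey, $macKey] = example_derive_keys($secret);
    $iv = random_bytes(16); // fresh IV for every encryption
    $ct = openssl_encrypt($apiKey, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // CBC provides confidentiality only, so authenticate IV and ciphertext.
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $mac . $ct);
}

function example_decrypt_api_key(string $blob, string $secret): ?string
{
    [$encKey, $macKey] = example_derive_keys($secret);
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 16 + 32 + 16) {
        return null; // malformed or truncated value
    }
    [$iv, $mac, $ct] = [substr($raw, 0, 16), substr($raw, 16, 32), substr($raw, 48)];
    // Check the MAC in constant time before decrypting, so a modified value
    // is rejected without reaching the CBC padding check.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed values for demonstration only.
$secret = random_bytes(32);
$blob   = example_encrypt_api_key('example-api-key-not-real', $secret);
var_dump(example_decrypt_api_key($blob, $secret)); // round trip
$blob[30] = $blob[30] === 'A' ? 'B' : 'A';         // alter one stored character
var_dump(example_decrypt_api_key($blob, $secret)); // altered blob
```

The master secret must live outside the database row that holds the ciphertext; if both are readable through the same database dump, the encryption adds little.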

### Support

Need help? We're here for you:

* **Insertabot Chat** – The fastest way to get help! Visit [insertabot.io](https://insertabot.io) and ask our AI assistant directly in the chat widget. Already signed up? Use the **Playground** tab in your [dashboard](https://insertabot.io/dashboard) for guided, real-time assistance.
* [Documentation](https://insertabot.io/docs)
* [Dashboard](https://insertabot.io/dashboard)
* WordPress.org support forum
* Email: support@insertabot.io

### Get Started Free

No credit card required. 20 messages per day included.

[Sign up now →](https://insertabot.io/signup)

== Installation ==

### Automatic Installation

1. Log in to your WordPress admin panel
2. Go to **Plugins** > **Add New**
3. Search for "Insertabot"
4. Click **Install Now**, then **Activate**
5. Go to **Insertabot** in your admin menu
6. Get your free API key from [insertabot.io](https://insertabot.io/signup)
7. Paste your API key and enable the chatbot
8. Done! The chat widget will appear automatically on your site.

### Manual Installation

1. Download the plugin zip file
2. Log in to your WordPress admin panel
3. Go to **Plugins** > **Add New** > **Upload Plugin**
4. Choose the zip file and click **Install Now**
5. Click **Activate Plugin**
6. Follow steps 5-8 of the automatic installation above

== Frequently Asked Questions ==

= Do I need a credit card to start? =

No! The free plan includes 20 messages per day with no credit card required.

= How do I get an API key? =

Sign up free at [insertabot.io/signup](https://insertabot.io/signup). You'll receive your API key instantly.

= Can I customize the chatbot appearance? =

Yes! Customize colors, greeting message, bot name, and more in your [dashboard](https://insertabot.io/dashboard).

= Does it slow down my website? =

No. The script loads asynchronously and is hosted on a fast CDN. Your site speed won't be affected.

= What if I exceed 20 messages per day? =

The free plan resets daily at midnight. For unlimited messages, upgrade to Pro for $9.99/month.

= Can I use it with page builders? =

Yes! Insertabot works with Elementor, Divi, Beaver Builder, and all other page builders.

= Is it mobile-friendly? =

Absolutely! The chat widget is fully responsive and looks great on all devices.

= What makes the web search special? =

Unlike ChatGPT, which has a knowledge cutoff, Insertabot searches the web in real time for current information. Your visitors get up-to-date answers.

= How do I upgrade to Pro? =

Visit your [dashboard](https://insertabot.io/dashboard) or click the upgrade link in plugin settings.

== Screenshots ==

1. Beautiful chat widget on your website
2. Simple WordPress settings page
3. Customization dashboard
4. Mobile-optimized experience
5. Real-time web search in action

== Changelog ==

= 1.0.9 =
* Security: Removed legacy email-only login path that was returning the API key in the response
* Security: Added AI and Search circuit breakers to the chat handler and web search — circuit state is now exposed via /health
* Security: Replaced hard-coded year list with a dynamic current/previous year check in the search relevance filter
* Security: Removed overly broad SQL-injection heuristic that was triggering false positives
* Security: Adjusted response coherence validation to only reject the literal strings "undefined" or "null"
* Security: Added Content-Security-Policy header to all Worker responses
* Fix: updateWidgetConfig now uses strict !== undefined checks — falsy-but-valid values (e.g. 0, empty string) are no longer silently discarded
* Fix: Removed local any type aliases; Cloudflare Workers bindings (D1Database, KVNamespace, Ai) now use their correct platform types
* Fix: AI model message mapping corrected for multimodal content shapes
* Fix: bge-base-en-v1.5 embedding response cast to its correct output shape

= 1.0.8 =
* Fix: "Upgrade to Pro" button in plugin settings now routes directly to the Insertabot dashboard — upgrade is one click away instead of buried behind the landing page
* Fix: "Upgrade to Pro" on the public pricing page now routes to login instead of signup — existing users no longer hit a dead end
* Fix: Various backend config corrections (DB binding name, AI model ID format, demo customer query, widget.js delivery route)

= 1.0.7 =
* Fix: Stale customer_id cache was causing 401 errors on widget token exchange — ID is now resolved on every API key save, including fresh installs
* Fix: API base URL now resolved through the proper internal method instead of a raw option lookup that could return empty on new installs
* Fix: Static widget.js and widget-dev.js files removed — widget is now served exclusively through the tokenized Worker endpoint, eliminating a delivery conflict

= 1.0.6 =
* Fix: API endpoint corrected project-wide from api.insertabot.io to insertabot.io/api/* — the api subdomain was never live and caused silent failures across the plugin and Worker
* Fix: Settings menu was resetting on every "Save Changes" click when an API key was already stored

= 1.0.5 =
* Fix: upgradeToPro() was silently returning 401 — X-API-Key header was missing from the Stripe checkout fetch request
* Fix: handleWidgetTokenExchange route had been accidentally removed from the Worker, breaking widget authentication on all WordPress installs
* Fix: "Upgrade to Pro" on landing page now correctly directs existing users through login before checkout

= 1.0.4 =
* Fix: New customers were blocked from day one — null or empty allowed_domains was incorrectly refusing all widget embed requests instead of allowing all origins as documented

= 1.0.3 =
* Fix: Widget no longer requires manual script tag in footer — plugin now injects it automatically on all pages
* Fix: Removed `async` attribute from bridge script that was preventing `document.currentScript` from resolving widget configuration

= 1.0.2 =
* Upgraded ephemeral token system: v2 tokens now include customer_id for faster widget authentication (v1 fallback retained for existing installs)
* Security: upgraded rate-limit key hashing from MD5 to SHA-256
* Security: added URL validation in widget bridge to prevent SSRF
* Admin: API key save now automatically resolves and caches customer ID server-side

= 1.0.1 =
* Updated free tier messaging to accurately reflect 20 messages per day limit

= 1.0.0 =
* Initial release
* Free plan: 20 messages/day
* Pro plan: Unlimited playground messages + 500 embedded messages/month
* Real-time web search capability
* Full WordPress integration
* Mobile-optimized widget
* Customizable appearance

== Upgrade Notice ==

= 1.0.9 =
Security and type-safety hardening release. Removes a legacy login path that exposed API keys, adds circuit breakers for AI and search, and tightens response validation. Upgrade recommended for all users.

= 1.0.8 =
Fixes the upgrade flow — the "Upgrade to Pro" button in plugin settings now goes directly to your dashboard. Also corrects several backend config issues. Recommended for all users.

= 1.0.7 =
Fixes a 401 error on widget token exchange that could occur on fresh installs. Upgrade if your widget stopped loading after saving the API key.

= 1.0.6 =
Corrects a critical API endpoint URL used by the plugin. If you installed between 1.0.3 and 1.0.5, upgrade to ensure proper API communication.

= 1.0.5 =
Fixes widget authentication breaking silently and the Pro upgrade flow. Upgrade recommended for all users.

= 1.0.3 =
Fixes automatic widget injection — the chatbot now appears without any manual script tag setup. Upgrade recommended for all users.

= 1.0.0 =
Initial release of Insertabot for WordPress. Get started free today!
