=== SOCHQ AI Log Agent ===
Contributors: cyberneticsplus
Tags: logging, webhook, telemetry, monitoring
Requires at least: 5.8
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight agent that batches WordPress request telemetry and ships it over HTTPS to your webhook (typically SOCHQ) for AI analysis and policy-driven blocking through your WAF.

== Description ==

**SOCHQ AI Log Agent** collects lightweight PHP/WordPress request telemetry (method, path, status, timing, and optional client traits) and periodically ships it as compact JSON batches to *your* HTTPS Webhook (typically a SOCHQ ingestion endpoint). Collection is non-blocking and scheduled (default: every 15 minutes) to keep overhead minimal.

This plugin by itself is a **telemetry forwarder**. The AI analysis and any blocking decisions happen in the **SOCHQ** platform after the batch is received.

### What the plugin does (on your WordPress site)
- **Collects request telemetry** for each PHP request: HTTP method, URI/path, status code, execution time, and optional fields (user-agent, referrer, client IP).
- **Buffers and batches** events locally, then **sends via HTTPS** to your configured Webhook at fixed intervals (default: 15 minutes using WP-Cron).
- **Fails safely**: undelivered batches are retried on the next run; sending pauses if the Webhook URL is cleared.
- **Minimal footprint**: only low-sensitivity fields are enabled by default; optional fields are configurable to fit your privacy policy.

> If you disable WP-Cron, set a server cron to call `wp-cron.php` so batching runs on schedule.
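The following is an added example, not code from the SOCHQ plugin itself: a minimal agent that follows the behaviour described above (record one event per request at shutdown, buffer it, ship a JSON batch every 15 minutes over HTTPS only, keep the batch when delivery fails, pause when the URL is cleared). The hook names, the `sochq_example_*` option keys, the settings array layout and the assumption that this is the plugin's main file are all mine, not the plugin's.

```php
<?php
/**
 * Added example, not the SOCHQ plugin's own code. Hook names, option keys
 * and the settings layout are assumptions; the file is assumed to be the
 * plugin's main file so the activation hooks fire.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful when loaded by WordPress
}

// 1. A 15-minute WP-Cron interval (core only ships hourly/twicedaily/daily).
add_filter( 'cron_schedules', function ( array $schedules ): array {
    $schedules['sochq_example_15m'] = [
        'interval' => 15 * MINUTE_IN_SECONDS,
        'display'  => 'Every 15 minutes (SOCHQ agent example)',
    ];
    return $schedules;
} );

// 2. Schedule the flush job on activation and remove it on deactivation.
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( 'sochq_example_flush' ) ) {
        wp_schedule_event( time(), 'sochq_example_15m', 'sochq_example_flush' );
    }
} );
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( 'sochq_example_flush' );
} );

// 3. Record one event per request after the response has been sent, so the
//    visitor never waits on the collector.
add_action( 'shutdown', function () {
    if ( wp_doing_cron() ) {
        return; // do not record the agent's own cron runs
    }
    $opts  = get_option( 'sochq_example_settings', [] );
    $start = (float) ( $_SERVER['REQUEST_TIME_FLOAT'] ?? microtime( true ) );
    $event = [
        'ts'     => gmdate( 'c' ),
        'method' => (string) ( $_SERVER['REQUEST_METHOD'] ?? '' ),
        'path'   => (string) wp_parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH ),
        'status' => (int) http_response_code(),
        'ms'     => (int) round( ( microtime( true ) - $start ) * 1000 ),
        'site'   => hash( 'sha256', home_url() ), // non-PII site identifier
    ];
    // Optional fields stay out of the event unless the operator turned them on.
    if ( ! empty( $opts['send_user_agent'] ) ) {
        $event['ua'] = substr( (string) ( $_SERVER['HTTP_USER_AGENT'] ?? '' ), 0, 512 );
    }
    if ( ! empty( $opts['send_referrer'] ) ) {
        $event['ref'] = (string) ( $_SERVER['HTTP_REFERER'] ?? '' );
    }
    if ( ! empty( $opts['send_client_ip'] ) ) {
        $event['ip'] = (string) ( $_SERVER['REMOTE_ADDR'] ?? '' );
    }

    $buffer   = (array) get_option( 'sochq_example_buffer', [] );
    $buffer[] = $event;
    // Cap the buffer so a flood cannot grow the option without bound; never autoload it.
    update_option( 'sochq_example_buffer', array_slice( $buffer, -5000 ), false );
} );

// 4. Ship the batch: HTTPS only, and the events survive a failed delivery.
add_action( 'sochq_example_flush', function () {
    $opts = get_option( 'sochq_example_settings', [] );
    $url  = trim( (string) ( $opts['webhook_url'] ?? '' ) );

    // Empty URL means forwarding is paused; anything that is not a public https:// URL is refused.
    if ( $url === '' || wp_parse_url( $url, PHP_URL_SCHEME ) !== 'https' || ! wp_http_validate_url( $url ) ) {
        return;
    }

    $batch = (array) get_option( 'sochq_example_buffer', [] );
    if ( ! $batch ) {
        return;
    }
    // Claim the batch before sending so events recorded during the send are not lost.
    update_option( 'sochq_example_buffer', [], false );

    $response = wp_remote_post( $url, [
        'timeout'   => 10,
        'sslverify' => true, // certificate verification stays on
        'headers'   => [ 'Content-Type' => 'application/json' ],
        'body'      => wp_json_encode( [ 'site' => hash( 'sha256', home_url() ), 'events' => array_values( $batch ) ] ),
    ] );

    if ( is_wp_error( $response ) || wp_remote_retrieve_response_code( $response ) >= 300 ) {
        // Put the unsent events back in front of anything recorded meanwhile; next run retries.
        $later = (array) get_option( 'sochq_example_buffer', [] );
        update_option( 'sochq_example_buffer', array_slice( array_merge( $batch, $later ), -5000 ), false );
    }
} );
```

Two practical notes. Writing the buffer through `update_option` on every request is simple but can lose events under concurrent requests (two processes read the same option, both write, one append vanishes); a production agent would append to a per-process file or a dedicated table and let the flush job read that instead. If WP-Cron is disabled with `define( 'DISABLE_WP_CRON', true )`, a system cron entry such as `*/15 * * * * curl -fsS 'https://example.com/wp-cron.php?doing_wp_cron' >/dev/null` (with `example.com` replaced by your site) keeps the flush job running on schedule, which is what steps 4 of the installation and the WP-Cron notes on this page refer to.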

### How SOCHQ analyzes your telemetry (in the platform)
Once a batch lands in SOCHQ, your data flows through an **AI-driven pipeline**:

1. **Ingestion & Normalization**  
   Validate, deduplicate, and normalize fields (method, path, status, timings, UA, referrer, IP).

2. **Feature Extraction**  
   Time-window features (RPS, burstiness), path semantics (login/admin patterns, traversal markers), client traits (headless/bot indicators), and reputation (IP/ASN/geo anomalies).

3. **Detection (AI agents + rules)**  
   - **Anomaly detection** for spikes, rare paths, unusual method/status combos  
   - **Behavioral signatures** for brute-force/credential stuffing, directory enumeration, path traversal/LFI, CVE probing, noisy scraping  
   - **Correlation** across endpoints/sites/tenants (if enabled) to reveal coordinated campaigns

4. **Scoring & Triage**  
   Each IP/client/session receives a **risk score** with **explainable evidence** (top paths, error ratios, timings, matched signatures) so you can audit the “why”.

5. **Response & Blocking (optional integrations)**  
   SOCHQ can enforce policy via your controls:  
   - **WAF/CDN** (e.g., Cloudflare IP lists/rules)  
   - **Reverse proxy / NGINX** (managed deny lists)  
   - **App-level webhooks** back to your stack  
   Choose **monitor-only**, **challenge/rate-limit**, or **block**.

> **Note:** This plugin **does not** block on its own. Enforcement happens in your **WAF/proxy/firewall** via SOCHQ orchestration.
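To make the "risk score with explainable evidence" idea concrete, here is an added example that is not SOCHQ platform code: a small rule-only scorer that reads one telemetry batch in the event shape this page describes and returns a per-client score with the evidence behind it. The thresholds, weights, endpoint list and the constructed sample batch are my assumptions for illustration; the real platform's models and signatures are not shown on this page.

```php
<?php
/**
 * Added example, not SOCHQ platform code. Thresholds and weights are
 * assumptions; the batch at the bottom is constructed sample data.
 * Runs stand-alone with the PHP CLI: php score_batch_example.php
 */

declare(strict_types=1);

/**
 * Score every client seen in a batch over a window of $window_seconds.
 * Returns [ client => [score, requests, error_ratio, evidence[]] ], highest score first.
 */
function sochq_example_score_batch(array $events, int $window_seconds = 900): array
{
    // Group by client IP when the optional field is present; otherwise a single bucket.
    $by_client = [];
    foreach ($events as $e) {
        $by_client[$e['ip'] ?? 'unknown'][] = $e;
    }

    $results = [];
    foreach ($by_client as $client => $list) {
        $n = count($list);
        $errors = $login_posts = $traversal = 0;
        $paths = [];
        foreach ($list as $e) {
            $paths[$e['path']] = true;
            if ($e['status'] >= 400) {
                $errors++;
            }
            // Behavioural signature: repeated POSTs to authentication endpoints.
            if ($e['method'] === 'POST' && in_array($e['path'], ['/wp-login.php', '/xmlrpc.php'], true)) {
                $login_posts++;
            }
            // Traversal marker: a literal or percent-encoded ".." segment in the path.
            if (strpos(rawurldecode($e['path']), '..') !== false) {
                $traversal++;
            }
        }
        $rps         = $n / max(1, $window_seconds);   // average rate over the window
        $error_ratio = $errors / $n;                   // $n >= 1 here
        $distinct    = count($paths);

        // Each rule adds weight and one human-readable evidence line; the
        // evidence is what lets an analyst audit the "why" behind the score.
        $score    = 0;
        $evidence = [];
        if ($login_posts >= 20) {
            $score += 40;
            $evidence[] = sprintf('brute-force: %d POSTs to login endpoints in %ds', $login_posts, $window_seconds);
        }
        if ($distinct >= 20 && $error_ratio >= 0.5) {
            $score += 30;
            $evidence[] = sprintf('enumeration: %d distinct paths, %.0f%% error responses', $distinct, 100 * $error_ratio);
        }
        if ($traversal > 0) {
            $score += 50;
            $evidence[] = sprintf('traversal marker in %d request(s)', $traversal);
        }
        if ($rps >= 0.05) { // 45+ requests per 15-minute window
            $score += 10;
            $evidence[] = sprintf('rate: %.3f req/s averaged over the window', $rps);
        }
        $results[$client] = [
            'score'       => min(100, $score),
            'requests'    => $n,
            'error_ratio' => round($error_ratio, 2),
            'evidence'    => $evidence,
        ];
    }
    uasort($results, fn($a, $b) => $b['score'] <=> $a['score']);
    return $results;
}

// Constructed batch: a password-guessing client, an enumerating scanner, and a normal visitor.
$batch = [];
for ($i = 0; $i < 60; $i++) {
    $batch[] = ['method' => 'POST', 'path' => '/wp-login.php', 'status' => 200, 'ip' => '198.51.100.7'];
}
for ($i = 0; $i < 30; $i++) {
    $batch[] = ['method' => 'GET', 'path' => "/backup-$i.zip", 'status' => 404, 'ip' => '203.0.113.9'];
}
$batch[] = ['method' => 'GET', 'path' => '/wp-content/%2e%2e/%2e%2e/etc/passwd', 'status' => 403, 'ip' => '203.0.113.9'];
foreach (['/', '/about/', '/contact/'] as $p) {
    $batch[] = ['method' => 'GET', 'path' => $p, 'status' => 200, 'ip' => '192.0.2.44'];
}

// Expected with this sample: 203.0.113.9 scores 80 (enumeration + traversal),
// 198.51.100.7 scores 50 (brute-force + rate), 192.0.2.44 scores 0 with no evidence.
echo json_encode(sochq_example_score_batch($batch), JSON_PRETTY_PRINT), PHP_EOL;
```

The scorer deliberately stays rule-only so that every point in the score maps to one evidence line; an anomaly model would add to the same evidence list rather than replace it. Note that when the plugin's optional client-IP field is disabled, all events fall into one bucket and per-client scoring degrades to per-site scoring, which is the trade-off the Privacy section asks you to weigh.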

### What gets sent?
By default the agent aims to send **low-sensitivity** telemetry:
- Timestamp, HTTP method, request URI/path, response status code
- Execution time and memory hints (if available)
- A site identifier (non-PII, e.g., hashed home URL)
- **Optional (toggleable):** user-agent, referrer, client IP

Review configuration and your privacy obligations before enabling optional fields.

### Security & performance
- Outbound delivery is **HTTPS-only**.
- **Batched** delivery reduces overhead and network chatter.
- Collection is **non-blocking** and runs off the request path.

== Installation ==

1. Upload and activate the plugin.  
2. Go to **Settings → SOCHQ AI Log Agent** and enter your **HTTPS Webhook URL** (SOCHQ ingestion endpoint recommended).  
3. (Optional) Toggle extra fields (user-agent, referrer, client IP) as needed for your use case.  
4. Ensure **WP-Cron** is active; if disabled, set a system cron to call `wp-cron.php` so batches ship on schedule.

== Privacy ==

This plugin forwards request telemetry **from your site to your chosen HTTPS Webhook**. It does not store data in the WordPress database beyond transient buffers needed for batching.

**Default data categories**  
- Required: method, path, status, timing, timestamp, non-PII site identifier  
- Optional (you control): user-agent, referrer, client IP

**Controls**  
- Disable optional fields in the plugin settings to reduce data sensitivity.  
- Clear the Webhook URL to pause all outbound forwarding.  
- If WP-Cron is disabled, ensure a server cron triggers `wp-cron.php` so scheduled sends occur.

**Downstream processing in SOCHQ**  
- Data transmitted to SOCHQ is processed under your SOCHQ account configuration and retention settings.  
- SOCHQ uses the data to generate AI-assisted detections and to orchestrate enforcement via your connected WAF/proxy.  
- For DPA/agreements and retention specifics, refer to your SOCHQ plan settings and documentation.

**GDPR/PII guidance**  
- Avoid enabling client IP or other optional fields if you do not need them for security operations.  
- If enabled, ensure you have an appropriate legal basis and disclosures in your site’s privacy policy.

== Frequently Asked Questions ==

= Does this plugin block attacks by itself? =
No. It only forwards telemetry. **Blocking** happens via your connected **WAF/proxy/firewall** orchestrated by SOCHQ (e.g., Cloudflare IP lists/rules).

= What data is sent to SOCHQ? =
By default: method, path, status, timing, timestamp, and a non-PII site identifier. Optional fields (user-agent, referrer, client IP) can be enabled/disabled in settings.

= Will this affect site performance? =
Impact is minimal. Collection is non-blocking and events are **batched** for scheduled delivery (defaults to every 15 minutes).

= What if I have WP-Cron disabled? =
Set a system cron to call `wp-cron.php` at a regular interval so the batch job can run.

= Can I use a non-SOCHQ webhook? =
Yes. Any HTTPS endpoint that accepts JSON is supported. SOCHQ provides additional AI detections, correlated insights, and automated enforcement.

= How does SOCHQ decide to flag or block traffic? =
SOCHQ combines anomaly models, signature rules (e.g., brute force, enumeration, traversal/LFI), reputation, and correlation. Each finding includes a **risk score** and evidence. Enforcement policy (monitor/challenge/block) is your choice.

= How do I stop sending data? =
Clear the Webhook URL in the settings. The plugin will stop forwarding batches.

= Where do I see detections and blocks? =
Inside your SOCHQ dashboard (detections, scores, evidence) and in your connected control plane (e.g., Cloudflare IP lists/rules activity).

== Screenshots ==
1. Settings screen with Webhook URL and optional fields
2. Example JSON batch (redacted)

== Changelog ==
= 1.0.0 =
* Initial release of SOCHQ AI Log Agent
* Telemetry batching via HTTPS webhook
* Optional fields (user-agent, referrer, client IP)
* Documentation: Description, Privacy, FAQ
