=== COOKR – Cookie Consent & Script Blocking ===
Contributors: riptight
Tags: gdpr, consent, cookies, privacy, compliance
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.9.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Runtime-first consent infrastructure for WordPress. Self-hosted. No external consent cloud.

== Description ==

Most consent plugins operate at the UI layer.

COOKR operates at the runtime layer.

Scripts are intercepted server-side before the browser receives them. Third-party services requiring consent are neutralized before execution and restored only after consent has been granted.

No external consent cloud. No proxy layer. No visitor data leaving your site.

COOKR CORE includes:

* Consent banner & preferences UI
* Server-side script interception via PHP output buffer
* Auto-Blocker for third-party scripts and iframes
* Runtime Inspector
* CSP-aware restoration with nonce propagation
* Google Consent Mode v2 support
* Full JavaScript API (`window.cookrConsent`)
* Self-hosted operation — no external services required

COOKR is designed for developers, agencies, and privacy-conscious site operators who want operational visibility into what actually executes at runtime.

= Runtime-first =

Traditional consent tools often rely on JavaScript execution order and client-side conditions. Scripts may already execute before consent logic initializes.

COOKR intercepts scripts in the PHP output buffer using `WP_HTML_Tag_Processor` before delivery to the browser.

There is no race condition.

= Auto-Blocker =

Enable in Settings. Off by default.

When enabled, COOKR rewrites matching `<script>` and `<iframe>` tags server-side — setting `type="text/plain"` and preserving original attributes in `data-cookr-*` attributes for restoration after consent.

Test after enabling when using WP Rocket, LiteSpeed Cache, NitroPack, or Cloudflare Rocket Loader.

= Runtime Inspector =

The Runtime Inspector exposes third-party runtime activity directly in the browser — blocked scripts, restored services, iframe activity, detected domains.

Enable in Settings. Append `?cookr_debug=1` to any frontend URL while logged in as administrator.

= CSP-aware =

COOKR supports strict Content Security Policies without requiring `unsafe-inline`.

Restored scripts preserve CSP integrity via nonce-aware restoration. Define `COOKR_CSP_NONCE` with a per-request nonce value to enable.

= Developer JS API =

`cookrConsent.has('analytics')`
`cookrConsent.require('marketing', callback)`
`cookrConsent.whenConsented('analytics').then(fn)`
`cookrConsent.on('consent' | 'change' | 'decline' | 'reset', handler)`
`cookrConsent.off(event, handler)`
`cookrConsent.getConsent()`
`cookrConsent.getExpiry()`
`cookrConsent.categories()`
`cookrConsent.reset()`

= Consent Categories =

* **Necessary** — Always active.
* **Analytics** — GA, GTM, Matomo, Hotjar, Clarity, etc.
* **Marketing** — Meta Pixel, Google Ads, TikTok, LinkedIn, etc.
* **External Media** — YouTube, Vimeo, Google Maps, etc.

= CORE vs RADR =

This plugin repository contains COOKR CORE.

RADR is an optional intelligence layer currently rolling out gradually outside the WordPress.org release. RADR adds service detection, classification, signature updates, and automatic blocking recommendations on top of CORE.

CORE provides complete runtime enforcement infrastructure without RADR.

== Installation ==

1. Upload the plugin files to `/wp-content/plugins/cookr`, or install through the WordPress plugins screen.
2. Activate through the Plugins screen in WordPress.
3. Open the COOKR settings page.
4. Configure your banner text and legal URLs.
5. Enable the Auto-Blocker and test on your site.
6. Add third-party domains under blocked domains.

== Frequently Asked Questions ==

= Does COOKR require an external cloud service? =

No. COOKR runs entirely on your WordPress installation.

= Does visitor consent data leave the server? =

No. Consent data is stored locally on your site.

= Is the Auto-Blocker enabled by default? =

No. Enable and test it after installation, particularly when using caching or JavaScript optimization plugins.

= Which services can be blocked? =

Any third-party script or iframe matching configured domains. Examples: Google Tag Manager, Meta Pixel, YouTube embeds, TikTok Analytics.

= Does COOKR support Google Consent Mode v2? =

Yes. Enable in settings when using GTM or GA4.

= How do I inspect runtime activity? =

Enable the Runtime Inspector in settings and append `?cookr_debug=1` to any frontend URL while logged in as administrator.

= Does COOKR store personal data? =

The consent log stores a hashed IP (not the raw IP address), consent choices, and a timestamp. Raw IP addresses are never written to the database.

= Is COOKR compatible with strict CSP? =

Yes. Define `COOKR_CSP_NONCE` with a per-request nonce to enable CSP-aware script restoration compatible with `strict-dynamic` policies.

= What WordPress version is required? =

WordPress 6.2 or higher. COOKR uses `WP_HTML_Tag_Processor` for safe, attribute-aware script rewriting, introduced in WP 6.2.

== Screenshots ==

1. COOKR admin interface with live banner preview
2. Consent banner — default view
3. Consent preferences panel with granular category toggles
4. Runtime Inspector debug panel

Note: Screenshot image files are hosted separately as WordPress.org plugin assets and are not included in the plugin zip.

== Changelog ==

= 1.9.2 =
* Initial public CORE release
* 3×3 visual position picker replaces dropdown
* Accent colour now applies to banner icon and buttons in preview
* Auto-Blocker wording updated — recommended framing, test-after-enable guidance
* Runtime Inspector enabled by default
* Preserve data on uninstall enabled by default
* Consent log default retention reduced to 100 entries
* COOKR CRAZE built-in CSS preset
* RADR intelligence layer separated into standalone build

= 1.8.2 =
* Added: Runtime Inspector — detects unknown third-party script and iframe domains at runtime
* Added: Persistent findings stored per domain (first seen, last seen, page count)
* Added: Runtime Inspector toggle with configurable auto-disable duration

= 1.2.0 =
* Added: Google Consent Mode v2
* Added: debug inspector
* Added: browser chrome preview in admin dashboard

= 1.1.0 =
* Plugin renamed from GDPR Cookie Consent to COOKR
* Added: WP_HTML_Tag_Processor for safe, attribute-aware script rewriting
* Added: CSP nonce propagation

= 1.0.0 =
* Initial release

== Upgrade Notice ==

= 1.9.2 =
Initial public release of COOKR CORE.
