=== WPMC Plugin Seatbelt ===
Contributors: wpmissioncontrol
Tags: plugins, security, updates, monitoring, admin
Requires at least: 6.0
Tested up to: 6.6
Requires PHP: 7.4
Stable tag: 1.0.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

WPMC Plugin Seatbelt monitors trust signals for installed WordPress plugins and warns administrators when a plugin changes in a way that may deserve review before updating.

== Description ==

WPMC Plugin Seatbelt is a lightweight trust change monitor for installed WordPress plugins. It is not a malware scanner and does not claim that a plugin is safe or unsafe.

Created by WPMissionControl: https://wpmissioncontrol.com/

The plugin records a baseline for installed plugins, checks public WordPress.org metadata where available, and highlights changes that may deserve an administrator's attention.

WPMC private repository plugins distributed from WPMissionControl infrastructure are recognized as a known plugin source when their update metadata points to the WPMC repository.

For verified WPMC repository status, configure signed release metadata in the repository server and define the matching public key for Seatbelt with `WPMC_PLUGIN_SEATBELT_WPMC_REPO_PUBLIC_KEY`.

It can detect signals such as:

* New baseline needed
* Unknown source
* Previously found WordPress.org plugin no longer found
* Author changes
* Contributor changes
* Plugins that appear abandoned based on last updated date
* Plugins with available updates and existing trust warnings

Before plugin updates, WPMC Plugin Seatbelt can show an admin notice when plugins waiting for update have warning or critical trust signals.

== Installation ==

1. Upload the `wpmc-plugin-seatbelt` folder to `/wp-content/plugins/`.
2. Activate WPMC Plugin Seatbelt from the Plugins screen.
3. Go to Tools > WPMC Plugin Seatbelt.
4. Review the first baseline scan or run a manual scan.

== Frequently Asked Questions ==

= Is this a malware scanner? =

No. WPMC Plugin Seatbelt monitors trust signals and metadata changes. It does not scan code for malware.

= Are premium or custom plugins marked as dangerous? =

No. Plugins that are not clearly hosted on WordPress.org are shown as unknown source. That means they should be reviewed in context, not that they are dangerous.

= Why does the plugin contact WordPress.org? =

It retrieves public plugin metadata such as version, author, contributors, and last updated date.

= How often does it scan? =

The plugin schedules a daily WP-Cron scan. Administrators can also run a manual scan from Tools > WPMC Plugin Seatbelt.

= Can I disable email alerts? =

Yes. Email alerts can be enabled or disabled on the WPMC Plugin Seatbelt admin page.

== Screenshots ==

1. WPMC Plugin Seatbelt admin page with plugin trust status summary.
2. Plugin table showing status, severity, source, update state, and details.
3. Update warning notice before plugin updates.

== Privacy ==

WPMC Plugin Seatbelt contacts WordPress.org to retrieve public plugin metadata. It does not send personal data to third-party services.

The plugin stores scan snapshots, settings, scan events, and notification hashes in WordPress options on the local site.

== Changelog ==

= 1.0.4 =

* Improve WPMC repository manifest diagnostics.

= 1.0.0 =

* Initial release.
