=== XC SEO — Google Search Console ===
Contributors: xaniacode
Tags: seo, search-console, google, rank-tracker, oauth
Requires at least: 6.0
Tested up to: 6.8
Requires PHP: 8.0
Stable tag: 1.0.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Requires Plugins: xc-seo-engine
Compatible With: XC SEO Engine 1.0.0+
Gutenberg Optimized: No
Compatible Browsers: Firefox, Safari, Opera, Chrome, Edge
High Resolution: Yes

Free addon for XC SEO Engine. Connects to Google Search Console via OAuth 2.0 with PKCE; pulls top queries and feeds positions into the rank tracker.

== Description ==

This is a free addon bundled with the XC SEO Engine product. It connects your WordPress site to Google Search Console via OAuth 2.0 with PKCE (Proof Key for Code Exchange), then pulls real search-query performance data into the XC SEO Engine admin and feeds keyword positions into the rank tracker.

= What it does =

* **Top queries dashboard** — last 28 days of search performance with clicks, impressions, CTR, and average position
* **Daily background sync** — refreshes data automatically once per day
* **Rank tracker integration** — implements `xcseo_rank_provider` at priority 20 so XC SEO can record real Google positions for tracked keywords
* **OAuth 2.0 with PKCE** — modern authorization flow with code verifier + S256 challenge, no implicit grant
* **Encrypted refresh tokens** — stored at rest with AES-256-CBC + HMAC-SHA256, same envelope as the XC SEO license manager
* **State nonce verification** — bound to the current admin user with 10-minute expiry to prevent CSRF
* **Standalone fallback** — if XC SEO Engine is briefly disabled, the settings page registers as a top-level under Settings instead of disappearing

= Setup =

You'll need a Google Cloud OAuth 2.0 client. The addon walks you through:

1. Go to [Google Cloud Console](https://console.cloud.google.com), create a project, enable the Search Console API
2. Create an OAuth 2.0 client of type "Web application"
3. Add the redirect URI shown in the addon settings page (something like `https://yoursite.com/wp-admin/admin-post.php?action=xcsc_callback`)
4. Paste the Client ID and Client Secret into the addon
5. Click **Connect to Google** and authorize

For production sites, prefer defining `XCSC_CLIENT_ID` and `XCSC_CLIENT_SECRET` in `wp-config.php` instead of storing them in the database.

= Pricing =

This addon is free and bundled with XC SEO Engine. Google Search Console itself is free.

== Installation ==

1. Make sure XC SEO Engine is installed and active
2. Upload `xc-seo-search-console` folder to `/wp-content/plugins/`
3. Activate "XC SEO — Google Search Console" in WP Admin → Plugins
4. Go to XC SEO → Search Console to configure

== Frequently Asked Questions ==

= Why does this need a Google Cloud project? =

Google's Search Console API requires OAuth 2.0 — you authenticate as the property owner. Each WordPress install needs its own Client ID + Secret pair to get a refresh token tied to that owner. There's no API-key alternative.

= Is the refresh token safe in my database? =

The refresh token is encrypted at rest with AES-256-CBC + HMAC-SHA256 authentication, using a key derived from your WordPress salts. The HMAC prevents tampering; if the salts rotate, decryption fails gracefully and asks you to reconnect.

For higher assurance, define `XCSC_ENC_KEY` in `wp-config.php` with a stable secret independent of WordPress salts.

= Are domain properties supported? =

Not in this version — only URL-prefix properties (e.g. `https://example.com/`). Domain properties cover all subdomains and HTTP/HTTPS variants but require a different API call shape.

= How recent is the data? =

Google Search Console has roughly a 48-hour reporting lag. Data shown is for `[today − 30 days]` to `[today − 2 days]`.

= Will this consume API quota? =

Yes — each rank lookup is one API call. Search Console API allows 1200 calls per minute and 30,000 per day per project, which is more than enough unless you're tracking thousands of keywords.

== Changelog ==

See CHANGELOG.md for the full version history.
