const { useState: useStateSec, useEffect: useEffectSec } = React; const SECURITY_SECTIONS = [ { id: "model", label: "Security model", icon: "security", summary: "Plugin-native surface, tool coverage, and operational boundaries." }, { id: "credentials-routing", label: "Credentials and routing", icon: "vpn_key", summary: "Sodium-encrypted keys, BYOK, and managed routing." }, { id: "diagnostics", label: "Diagnostics coverage", icon: "troubleshoot", summary: "Vulnerability scans plus performance, crawl, email, query, and cache diagnostics." }, { id: "hardening", label: "Hardening history", icon: "history", summary: "Security-relevant release changes already documented in the changelog." }, { id: "support", label: "Support and reporting", icon: "mail", summary: "Where technical and general questions should go." } ]; const MODEL_CARDS = [ { title: "Native WordPress surface", icon: "dashboard", items: [ "PressArk is a native WordPress plugin whose primary interface lives inside wp-admin.", "The tool itself runs in the WordPress admin, while license management remains separate from the day-to-day operator surface." ] }, { title: "Security-aware tooling", icon: "admin_panel_settings", items: [ "The documented tool surface includes vulnerability scans plus broader diagnostics for performance, crawl, email, query, and cache behavior.", "Security work is part of the same operator workflow as content, SEO, store ops, and site maintenance." ] }, { title: "Operational use cases", icon: "build_circle", items: [ "PressArk positioning already includes security reviews and security-patch style maintenance as part of broader site operations.", "The product is meant to help teams inspect, explain, and act on operational issues from natural language inside the admin." ] } ]; const ROUTING_MODES = [ { title: "BYOK mode", tone: "light", items: [ "BYOK means Bring Your Own Key.", "Requests go directly to your selected AI provider instead of routing through PressArk servers.", "Supported providers include OpenRouter, OpenAI, Anthropic, DeepSeek, and Google Gemini." ] }, { title: "Managed mode", tone: "dark", items: [ "Managed requests use PressArk-managed routing for credits.", "This is the path that connects to the product's plan and credit accounting model.", "The operator workflow stays the same even though the request path differs from BYOK." ] } ]; const CREDENTIAL_ITEMS = [ "API keys are encrypted at rest using Sodium authenticated encryption.", "Freemius licensing is still required for plugin access even when a site runs in BYOK mode.", "BYOK removes PressArk credit budget constraints, but provider limits and rate limits still apply." ]; const DIAGNOSTIC_GROUPS = [ { title: "Security and diagnostics", items: [ "Vulnerability scans are part of the documented tool surface.", "Diagnostics coverage includes performance, crawl, email, query, and cache behavior." ] }, { title: "Operational checks", items: [ "Troubleshooting guidance already covers missing chat UI, API key validity, credit state, automation failures, and multisite activation limits.", "Retention, encryption, and WordPress privacy tooling are treated as part of the operational support story." ] }, { title: "Maintenance workflows", items: [ "Security work is grouped with broader site operations rather than isolated as a separate external service.", "The product messaging includes natural-language security reviews and patch-oriented maintenance as part of multi-site management." ] } ]; const HARDENING_MILESTONES = [ { version: "v4.1.1", date: "February 2026", title: "Security hardening in core request and key handling paths", items: [ "Security hardening moved request handling toward wp_safe_remote_* patterns to address SSRF exposure.", "Key storage completed the OpenSSL to Sodium encryption migration.", "This release also landed alongside broader WooCommerce HPOS and Elementor stability work." ] }, { version: "v4.0.0", date: "December 2025", title: "Initial public release established the BYOK security boundary", items: [ "The initial public release already included BYOK support as a core product capability.", "That release set the baseline for direct-provider routing and credit-based managed usage." ] } ]; const SUPPORT_LANES = [ { title: "Technical and security questions", email: "support@pressark.com", body: "Use this lane for plugin behavior, provider routing issues, failed actions, diagnostics questions, or other environment-specific problems." }, { title: "General, privacy, and commercial questions", email: "hello@pressark.com", body: "Use this lane for licensing, billing, privacy context, and broader product or partnership conversations." } ]; const useViewportWidth = () => { const [width, setWidth] = useStateSec(window.innerWidth); useEffectSec(() => { const handleResize = () => setWidth(window.innerWidth); window.addEventListener("resize", handleResize); return () => window.removeEventListener("resize", handleResize); }, []); return width; }; const SurfaceCard = ({ children, style }) => (
{children}
); const SoftCard = ({ children, style }) => (
{children}
); const BulletList = ({ items, light }) => ( ); const SectionShell = ({ id, kicker, title, body, children, pad }) => (
{kicker}

{title}

{body}

{children} ); const Hero = ({ isTablet, isMobile }) => (
Sodium-encrypted keys BYOK direct routing Vulnerability scans
Security overview

The security story gathered into one place.

This page covers the security-relevant facts that matter in production: key protection, BYOK routing, diagnostics coverage, and the hardening work already shipped in recent releases.

Review key and routing model See hardening history
{[ "API keys encrypted at rest with Sodium authenticated encryption", "BYOK requests go directly to the selected provider", "Security and diagnostics tools cover scans plus site health checks" ].map((item) => ( {item} ))}
Security baseline documented product facts
{[ { value: "1", label: "encryption path" }, { value: "2", label: "routing modes" }, { value: "5", label: "diagnostic lanes" } ].map((stat) => (
{stat.value}
{stat.label}
))}
); const SecurityBand = ({ isMobile }) => (
Security map

Three ideas that define the current page.

{[ { title: "Key handling is concrete", body: "The product documentation names the encryption approach for stored API keys instead of hiding behind generic security language." }, { title: "Routing depends on billing mode", body: "BYOK and managed credits change where requests travel, so the security boundary has to describe both paths clearly." }, { title: "Security is part of operations", body: "Scans, diagnostics, patch-oriented workflows, and troubleshooting all sit inside the broader WordPress operator surface." } ].map((card) => (

{card.title}

{card.body}

 ))}
); const SecurityRail = ({ isTablet }) => (
On this page
{SECURITY_SECTIONS.map((section) => ( {section.label} {section.summary} ))}
Security note

Security sits inside the same operator workflow as the rest of the product.

); const ModelSection = ({ isMobile, pad }) => (
{MODEL_CARDS.map((card) => (

{card.title}

 ))}
); const CredentialSection = ({ isTablet, isMobile, pad }) => (
Credential baseline

API keys are encrypted at rest using Sodium authenticated encryption.

{ROUTING_MODES.map((mode) => (
{mode.title}
))}
Routing mode changes where requests travel, not whether teams still need to review the provider, environment, and operational boundaries around the work they run inside WordPress.
); const DiagnosticsSection = ({ isMobile, pad }) => (
{DIAGNOSTIC_GROUPS.map((group) => (

{group.title}

 ))}
); const HardeningSection = ({ isMobile, pad }) => (
{HARDENING_MILESTONES.map((milestone) => (
{milestone.version} {milestone.date}

{milestone.title}

 ))}
); const SupportSection = ({ isTablet, pad }) => (
Support summary
{SUPPORT_LANES.map((lane) => (

{lane.title}

{lane.email}

{lane.body}

 ))}
); const SecurityCta = ({ isTablet, isMobile }) => (
Next references

Security is the operations layer. Privacy and docs explain the adjacent boundaries.

Use this page for encryption, routing, diagnostics, and hardening context. Use privacy for data handling and docs for installation, configuration, and troubleshooting detail.

Privacy page Docs page
{[ { label: "Encryption", value: "Sodium authenticated encryption" }, { label: "Direct routing", value: "BYOK requests go to the selected provider" }, { label: "Diagnostics", value: "Security, performance, crawl, email, query, cache" } ].map((row) => (
{row.label}
{row.value}
 ))}
); const SecurityApp = () => { const width = useViewportWidth(); const isTablet = width < 1040; const isMobile = width < 720; const pad = isMobile ? 20 : 28; return ( <>