Programmatic API

Repository, Version, Catalog, Secrets, Budget, Log, IO, and Corpus public methods.

OpenTrust exposes its functionality through public static methods on OpenTrust_* classes rather than global functions. The signatures listed here are stable across the v1.x line.

The programmatic API does not enforce permission or rate-limit checks. Callers are responsible for both. Treat every method below as you would direct database access.

Repository

Read-side data layer. The renderer and the chat corpus both go through this. Use it instead of raw WP_Query when you want OpenTrust's normalisation, locale handling, and "last updated" timestamps for free.

$repo = OpenTrust_Repository::instance();

Method	Returns	Purpose
`fetch_policies()`	`array[]`	Published policies, normalized, in the canonical sort order.
`fetch_policy_posts()`	`WP_Post[]`	Same selection, raw posts (when you need access to revisions or `post_content`).
`fetch_certifications()`	`array[]`	Published certifications.
`fetch_subprocessors()`	`array[]`	Published subprocessors.
`fetch_data_practices()`	`array[]`	Published data practices.
`fetch_faqs()`	`array[]`	Published FAQs in `menu_order`.
`section_last_updated(string $section)`	`int`	UNIX timestamp of the most recent modification to any post of that type.
`resolve_policy_attachment(int $policy_id)`	`array	null`

Each fetch_* method returns an array of associative arrays. The shape mirrors the postmeta keys for that CPT, minus the _ot_ prefix, plus standard id, title, slug, permalink, updated_at.

$policies = OpenTrust_Repository::instance()->fetch_policies();
foreach ( $policies as $policy ) {
    printf(
        "%s - v%d (last reviewed %s)\n",
        $policy['title'],
        $policy['version'],
        $policy['review_date'] ?? 'never'
    );
}

Version control

Used internally by the policy save handler. Useful directly when you want to programmatically bump a policy version without going through the editor.

Method	Purpose
`OpenTrust_Version::bump_version(int $policy_id, ?string $summary = null)`	Increments `_ot_version`, archives the prior content as a revision, optionally records a `_ot_version_summary`.
`OpenTrust_Version::ensure_initial_version(int $policy_id)`	Sets `_ot_version` to `1` if the policy has none. Idempotent. Useful for migrating imported policies.

OpenTrust_Version::bump_version( $policy_id, 'Updated retention period from 24 to 36 months.' );

bump_version() runs synchronously and writes through wpdb directly for the version meta to avoid hitting the auto-summarizer cron more than once.

Catalogs

Read access to the bundled catalogs. The catalog filters (see Hooks) modify the data returned by these methods.

Method	Returns
`OpenTrust_Catalog::subprocessors()`	Filtered subprocessor catalog.
`OpenTrust_Catalog::data_practices()`	Filtered data-practice catalog.
`OpenTrust_Catalog::certifications()`	Filtered certification catalog.
`OpenTrust_Catalog::faqs()`	Filtered FAQ seed catalog.
`OpenTrust_Catalog::for_js(string $post_type)`	Catalog formatted for the Add-New screen typeahead, keyed by `name` for fast lookup.
`OpenTrust_Catalog::seed_default_faqs()`	Idempotent. Inserts every FAQ from `OpenTrust_Catalog::faqs()` if no `ot_faq` posts exist and the `opentrust_faqs_seeded` flag is unset.

$entries = OpenTrust_Catalog::subprocessors();
$matches = array_filter( $entries, fn( $e ) => str_contains( strtolower( $e['name'] ), 'aws' ) );

Secrets

libsodium-encrypted secret storage. Use this when you want to store an additional secret alongside OpenTrust's keys (e.g. a webhook signing secret) under the same AUTH_KEY-derived encryption.

Method	Purpose
`OpenTrust_Chat_Secrets::set(string $provider, string $plaintext_key)`	Encrypt and store. Returns true on success.
`OpenTrust_Chat_Secrets::get(string $provider)`	Decrypt and return. Returns null if no key, false if decryption failed (typically `AUTH_KEY` rotated).
`OpenTrust_Chat_Secrets::forget(string $provider)`	Remove the ciphertext.
`OpenTrust_Chat_Secrets::fingerprint(string $provider)`	Return the masked fingerprint shown in the settings UI (e.g. `sk-…f3e2`).
`OpenTrust_Chat_Secrets::encrypt(string $plaintext)`	Low-level: return ciphertext with `ot_enc_v1:` prefix.
`OpenTrust_Chat_Secrets::decrypt(string $ciphertext)`	Low-level: return plaintext or false.

OpenTrust_Chat_Secrets::set( 'webhook', $signing_secret );

// Later:
$key = OpenTrust_Chat_Secrets::get( 'webhook' );
if ( false === $key ) {
    // AUTH_KEY rotated. Re-prompt for the secret.
}

Budgets and rate limits

Reserve-commit-release token accounting plus sliding-window rate limits.

Method	Purpose
`OpenTrust_Chat_Budget::check_and_reserve(int $tokens)`	Atomically check daily and monthly caps, reserve `$tokens`. Returns reservation handle or WP_Error.
`OpenTrust_Chat_Budget::commit($reservation, int $actual_tokens)`	Lock in the actual usage, release the reserved-minus-actual delta.
`OpenTrust_Chat_Budget::release($reservation)`	Release the full reservation (used on errors).
`OpenTrust_Chat_Budget::hash_ip(?string $ip = null)`	16-char hash, salted from `opentrust_site_salt`.
`OpenTrust_Chat_Budget::hash_session(?string $token = null)`	Same, for session tokens.
`OpenTrust_Chat_Budget::visitor_ip()`	Best-effort visitor IP (respects standard proxy headers).

The check-and-reserve pattern is what prevents two concurrent requests from each thinking they can spend the last 1000 tokens.

Chat log

Programmatic access to wp_opentrust_chat_log.

Method	Purpose
`OpenTrust_Chat_Log::record(array $row)`	Insert a row. Used internally; safe to call directly for custom telemetry rows that match the schema.
`OpenTrust_Chat_Log::query(array $args)`	Paginated query. Args mirror `WP_Query` (`number`, `offset`, `orderby`, `order`, plus filters on `provider`, `model`, `refused`).
`OpenTrust_Chat_Log::clear_all()`	Truncate the table.
`OpenTrust_Chat_Log::purge_old()`	Remove rows older than `RETENTION_DAYS` (90). Called from the daily cron.
`OpenTrust_Chat_Log::total_count()`	Total row count.
`OpenTrust_Chat_Log::distinct_models()`	List of distinct `model` values, for filter UIs.
`OpenTrust_Chat_Log::table_name()`	Fully prefixed table name.

Import / Export

Programmatic access to the IO archive format.

Method	Purpose
`OpenTrust_IO::build_settings_manifest()`	Build the settings half of an export manifest.
`OpenTrust_IO::build_content_manifest()`	Build the content half. Includes every post of every CPT.
`OpenTrust_IO::write_zip(array $manifest, string $dest_path)`	Materialise an archive at `$dest_path`.
`OpenTrust_IO::read_zip(string $src_path)`	Open and parse a manifest from disk.
`OpenTrust_IO::validate_manifest(array $manifest)`	Hard-check schema and version compatibility. Returns true or WP_Error.
`OpenTrust_IO::preview_import(array $manifest)`	Diff the incoming manifest against current state. Returns the conflict list shown on the import-preview screen.
`OpenTrust_IO::apply_settings_import(array $manifest, string $strategy = 'skip')`	Apply the settings half.
`OpenTrust_IO::apply_content_import(array $manifest, string $strategy = 'skip')`	Apply the content half. Detaches the chat-summarizer hook for the duration.

$strategy is one of OpenTrust_IO::STRATEGY_SKIP, STRATEGY_OVERWRITE, STRATEGY_CREATE_NEW.

Corpus

Build, cache, and invalidate the AI chat's corpus.

Method	Purpose
`OpenTrust_Chat_Corpus::get_or_build(string $locale)`	Return cached corpus for that locale, or build and cache if missing.
`OpenTrust_Chat_Corpus::invalidate()`	Bump the cache version, dropping every locale's transient.
`OpenTrust_Chat_Corpus::format_index_for_prompt(array $corpus)`	Return the slim TOC index used in the model's system prompt.

If you ship a custom chat surface that calls the REST endpoint, you do not need to touch the corpus directly. It's invalidated automatically on every CPT save. Direct access is useful for diagnostic tooling.

Core utilities

Colour math and other utilities that don't fit elsewhere.

Method	Purpose
`OpenTrust::instance()`	The plugin singleton.
`OpenTrust::defaults()`	Return the default settings array.
`OpenTrust::get_settings()`	Return current merged settings.
`OpenTrust::accent_safe_lightness(string $hex)`	Find the largest HSL lightness ≤ the user's pick where the colour clears 4.5:1 vs white.
`OpenTrust::hex_to_hsl(string $hex)`	Convert hex to `[h, s, l]` array.
`OpenTrust::hex_to_rgb(string $hex)`	Convert hex to `[r, g, b]` array.
`OpenTrust::hsl_to_rgb(int $h, int $s, int $l)`	Convert HSL to RGB.
`OpenTrust::relative_luminance(int $r, int $g, int $b)`	Per WCAG.
`OpenTrust::contrast_vs_white(string $hex)`	Contrast ratio against white.
`OpenTrust::invalidate_cache()`	Bump `opentrust_cache_version`. Forces every transient cache key to miss.

Cache invalidation hook (internal but useful)

OpenTrust_CPT::register_invalidator(array $cpts, callable $cb) lets you wire a callback to all four cache-busting events for a list of CPTs (save, delete, trash/untrash, transition_post_status) in a single call. This is how OpenTrust keeps its render cache and chat corpus aligned with content changes.

OpenTrust_CPT::register_invalidator(
    [ 'ot_policy', 'ot_certification' ],
    function ( $post_id, $event ) {
        // Your custom invalidation here.
    }
);

The callback receives $post_id and an $event string identifying which lifecycle event fired. Useful for syncing OpenTrust content into your own search index or analytics pipeline.

On this page