29 changes: 2 additions & 27 deletions packages/axle-wordpress/axle-scan.js
Expand Up @@ -7,10 +7,8 @@
* via admin-ajax.php and stored in the axle_last_scan option so PHP can
* render the summary on the next page load.
*
* No external network call for scanning. Optional anonymous ping to
* /api/track fires after a successful scan if the user hasn't set
* AXLE_NO_TELEMETRY, so the source counter on axle's dashboard reflects
* real WP-plugin usage.
* No external network call at all — scanning and result storage happen
* entirely within your own WordPress (axe-core in the iframe + admin-ajax.php).
*/
(function () {
'use strict';
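Review bot: The removed header text names an `AXLE_NO_TELEMETRY` opt-out, but nothing in this change touches code or documentation for that constant. If it is defined, read or documented anywhere else in the package, remove it in the same release so no dead opt-out switch is left behind. Separately, "No external network call at all" in this file header holds for this script only; the readme in this same change still describes the opt-in daily cron contacting the hosted scanner, so wording such as "This script makes no external network call" would be more precise.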
Expand Down Expand Up @@ -58,7 +56,6 @@
scanned_at: Date.now(),
});

pingTelemetry();
setStatus('Scan complete — reloading…');
window.location.reload();
} catch (err) {
Expand Down Expand Up @@ -154,28 +151,6 @@
}
}

function pingTelemetry() {
// Fire-and-forget. No PII, no URL, no scan contents.
try {
const body = JSON.stringify({
source: 'axle-wordpress',
event: 'scan_complete',
});
if (navigator.sendBeacon) {
navigator.sendBeacon(cfg.telemetryUrl, new Blob([body], { type: 'application/json' }));
} else {
fetch(cfg.telemetryUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: body,
keepalive: true,
}).catch(function () {});
}
} catch (e) {
/* no-op */
}
}

function setStatus(msg) {
statusEl.textContent = msg;
statusEl.style.display = msg ? '' : 'none';
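Review bot: With `pingTelemetry()` gone, `cfg.telemetryUrl` has no reader left in this file, and axle.php in this change drops the `'telemetryUrl'` key, so the two sides agree. Before merging, search the package for `telemetryUrl`, `/api/track` and `sendBeacon` to confirm no other script or shipped copy of this file still carries the beacon. Since the release claim is zero outbound requests during Scan now, a note in the PR description that this was checked in the browser network panel would back it up.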
5 changes: 2 additions & 3 deletions packages/axle-wordpress/axle.php
Expand Up @@ -3,7 +3,7 @@
* Plugin Name: AsafAmos Accessibility Scanner
* Plugin URI: https://github.com/asafamos/axle/tree/main/packages/axle-wordpress
* Description: Scan this WordPress site for WCAG 2.1 / 2.2 AA accessibility violations. axe-core 4.11 runs in your admin browser via a hidden iframe — nothing transmitted by default. Built for EAA 2025 / ADA / תקנה 35.
* Version: 1.2.0
* Version: 1.2.1
* Requires at least: 5.8
* Requires PHP: 7.4
* Author: AsafAmos
Expand All @@ -24,7 +24,7 @@

if (!defined('ABSPATH')) { exit; }

define('AXLE_VERSION', '1.2.0');
define('AXLE_VERSION', '1.2.1');
define('AXLE_API_BASE', 'https://axle-iota.vercel.app');
define('AXLE_OPTION_SETTINGS', 'axle_settings');
define('AXLE_OPTION_LAST_SCAN', 'axle_last_scan');
Expand Down Expand Up @@ -251,7 +251,6 @@ function axle_sanitize_violations($violations) {
'ajaxUrl' => admin_url('admin-ajax.php'),
'nonce' => wp_create_nonce('axle_save_scan'),
'targetUrl' => $target,
'telemetryUrl' => AXLE_API_BASE . '/api/track',
]);
});

22 changes: 9 additions & 13 deletions packages/axle-wordpress/readme.txt
Expand Up @@ -4,7 +4,7 @@ Tags: accessibility, a11y, wcag, axe-core, scanner
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.2.0
Stable tag: 1.2.1
License: MIT
License URI: https://opensource.org/licenses/MIT

Expand Down Expand Up @@ -59,22 +59,15 @@ This is the full and accurate transmission story for every feature. The default
* **Does not transmit anything to any external service.**
* Scan results are written to your WordPress `wp_options` table under the key `axle_last_scan` so the admin dashboard can render the summary.

**2. Anonymous usage ping (after a successful Scan now)**

* If your browser allows `navigator.sendBeacon` / `fetch`, after a scan completes a single anonymous ping is sent to `https://axle-iota.vercel.app/api/track` with body `{ "source": "axle-wordpress", "event": "scan_complete" }`.
* No URL, no domain, no scan contents, no admin user info is included.
* Used to track rough plugin adoption on our analytics dashboard.
* Blocked automatically if the browser disables third-party requests, or if you block the host.

**3. Auto scan = Daily (opt in only — Off by default)**
**2. Auto scan = Daily (opt in only — Off by default)**

* Only relevant if you explicitly enable this in Tools → AsafAmos Accessibility Scanner → Settings.
* WP-Cron runs without a browser, so the daily cron cannot use the in-browser iframe scanner. Instead it uses the hosted scanner at `POST https://axle-iota.vercel.app/api/scan` with body `{ "url": "<your configured target URL>", "source": "axle-wordpress" }` (and `Authorization: Bearer <key>` if you've entered an axle API key).
* **Requires your target URL to be publicly reachable** — the hosted scanner cannot reach LocalWP, staging behind basic auth, or VPN-only environments.
* No visitor data, form data, or admin content is sent. Only the configured target URL.
* Disabled by default. Setting can be turned off again at any time.

**Service provider for #2 and #3:** axle (https://axle-iota.vercel.app)
**Service provider for #2 (the opt-in daily cron only):** axle (https://axle-iota.vercel.app)
**Terms of use:** https://axle-iota.vercel.app/terms
**Privacy policy:** https://axle-iota.vercel.app/privacy

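Review bot: The daily-cron bullet still documents a request body of `{ "url": "<your configured target URL>", "source": "axle-wordpress" }`, so the hosted service continues to receive a plugin identifier together with the site URL. With the readme now stating that nothing is tracked, that bullet should say what the `source` field is used for and whether it is logged, or the field should be dropped from the request. Also, "Service provider for #2" depends on list numbering, which this change has just shifted; naming the feature ("Auto scan = Daily") instead would survive the next renumbering.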
Expand All @@ -88,7 +81,7 @@ No. The bundled axe-core engine is loaded only inside your WordPress admin pages

= What data leaves my site by default? =

By default, **nothing**. The Scan now button runs entirely client-side in your admin browser via a hidden iframe. Optional features (anonymous usage ping; opt-in daily cron) are described in detail in the &ldquo;Optional features&rdquo; section.
By default, **nothing**. The Scan now button runs entirely client-side in your admin browser via a hidden iframe — no analytics, no tracking, no calls to any external server. The only optional feature that contacts a server is the opt-in daily cron (Off by default), described in the &ldquo;Optional features&rdquo; section.

= Do I need an account? =

Expand All @@ -100,7 +93,7 @@ No. Automated scanning catches roughly 57% of WCAG issues. For full compliance,

= What about GDPR / privacy? =

The plugin does not track your visitors. The default scan flow makes no outbound HTTP requests to any external service. Optional features (anonymous usage ping; opt-in daily cron) are documented under &ldquo;Optional features&rdquo; with the exact request body.
The plugin does not track you or your visitors and includes no analytics. The default scan flow makes no outbound HTTP requests to any external service. The only optional feature that contacts a server is the opt-in daily cron (Off by default), documented under &ldquo;Optional features&rdquo; with the exact request body.

= I'm on LocalWP / staging behind basic auth / a VPN-only host. Will this still work? =

Expand All @@ -118,14 +111,17 @@ The author's WordPress.org username is `asafamos1`. The plugin is part of the `a

== Changelog ==

= 1.2.1 =
* Removed the anonymous usage ping entirely per WordPress.org Plugin Review Team feedback — no tracking, no phoning home. The plugin now makes zero outbound requests by default. The only optional network feature is the opt-in daily cron (Off by default), which contacts the hosted scanner as a service you explicitly enable.

= 1.2.0 =
* Renamed plugin display name and slug from &ldquo;Axle Accessibility Scanner&rdquo; / `axle-accessibility-scanner` to &ldquo;AsafAmos Accessibility Scanner&rdquo; / `asafamos-accessibility-scanner` per WordPress.org Plugin Review Team feedback (avoid the &ldquo;Axle&rdquo; trademark concern).
* Rewrote readme to remove inconsistencies between the original 1.0.0 (hosted-scan) and current 1.1.0+ (in-admin-iframe) architectures. The default scan flow now described accurately as fully client-side; optional hosted features moved to a clearly-labelled section.
* Updated `Contributors` to the plugin owner's WordPress.org username `asafamos1`.

= 1.1.0 =
* Scans now run **client-side in the admin browser** using bundled axe-core 4.11. Works for LocalWP, staging behind basic auth / VPN, and any other private environment the previous hosted scanner could not reach.
* No external network calls during a normal Scan now — only an optional anonymous telemetry ping after a successful scan.
* No external network calls during a normal Scan now.
* Auto scan cron still uses the hosted scanner (it has no browser available). Disabled by default; opt in via Settings.

= 1.0.0 =
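Review bot: The 1.1.0 changelog entry is edited retroactively here: "only an optional anonymous telemetry ping after a successful scan" is dropped from a release that, per the removed code and the removed readme section, did ship that ping. A changelog is the historical record users and reviewers rely on to know what an installed version does, so leave the 1.1.0 line as it was; the new 1.2.1 entry already documents the removal.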