fix: enqueue assets via real $src (#10)

[nolderoos]

Closes #10. wp.org review round 1, item 2/7.

Frontend/chat CSS and JS now register with real plugins_url() $src URLs and stream through wp_register_* / wp_enqueue_* / wp_print_*. Per-request data (accent colour CSS vars) still routes through wp_add_inline_style. JSON-LD in faq.php and ot-chat-config in chat.php now emit via wp_print_inline_script_tag(). Font path becomes relative to the served CSS file.

Test plan

• /trust-center/ cold load: Inter font loads, no console errors, frontend.css + frontend.js request once with ?ver=1.0.1.
• /trust-center/ view-source with FAQs: <script type="application/ld+json"> present near the FAQ section.
• /trust-center/ask/: <script id="ot-chat-config" type="application/json"> present; chat UI hydrates; first question round-trips.
• DevTools Network: defer attribute set on frontend.js / chat.js.

Summary by CodeRabbit

• Bug Fixes

  • Fixed the self-hosted font file path so fonts load reliably.

• Refactor

  • Replaced inline embedding of CSS/JS with standard registration/enqueueing for improved caching and performance.
  • Chat configuration and FAQ JSON-LD now use standard script output methods.

• Documentation

  • Updated translation metadata and source references.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR standardizes asset loading by replacing manual file reads and inline script/style synthesis with WordPress asset registration/enqueueing (wp_register_style/script, wp_enqueue_style/script, wp_add_inline_style, wp_print_inline_script_tag) and updates the CSS font URL to a relative bundled path.

Changes

Asset Enqueueing Standardization

Layer / File(s)	Summary
Stylesheet registration and font path resolution assets/css/frontend.css, templates/trust-center.php, templates/chat.php	Font reference in frontend.css updated to relative path ../fonts/Inter-Variable.woff2. Frontend stylesheet registered with a real URL and enqueued in trust-center.php, with dynamic :root accent variables inlined via wp_add_inline_style. chat.php registers/enqueues both frontend and chat styles and inlines only computed CSS variables, replacing prior conditional file-loading and full-CSS inlining.
JavaScript registration and inline script output templates/trust-center.php, templates/chat.php, templates/partials/faq.php	Frontend and chat scripts registered via wp_register_script with plugin URL, versioning, and defer, then enqueued and printed. Chat client config is emitted as an application/json inline script using wp_print_inline_script_tag. FAQ JSON-LD is emitted via wp_print_inline_script_tag instead of a raw <script type="application/ld+json"> block.
Gettext template source references languages/opentrust.pot	Updated POT-Creation-Date and adjusted source-location line references for multiple existing msgids to match edited template line numbers; no msgid text changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

bug

Poem

🐰 Scripts and styles now queue and flow,
With WordPress functions steal the show,
No more hand-printing, no more inline,
Assets enqueued work just fine,
The font path blooms—a relative delight!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: enqueue assets via real $src (#10)' accurately summarizes the main change: switching asset inclusion to WordPress enqueue functions with proper source URLs instead of inlining file contents.
Linked Issues check	✅ Passed	The PR successfully implements all coding requirements from issue #10: registers frontend/chat CSS/JS with real plugins_url sources, uses wp_print_styles/wp_print_scripts explicitly in templates, uses wp_add_inline_style for CSS variables, updates frontend.css to use CSS custom properties for font URL, and replaces raw script tags with wp_print_inline_script_tag().
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing proper asset enqueuing per issue #10: CSS/JS registration and enqueueing, inline style/script APIs, CSS custom property refactoring, and WordPress template API usage. Language file updates reflect only location changes due to code reorganization.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/wp-enqueue-assets

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nolderoos]

Claude Code review

Reviewed against wporg-review/02-enqueue-scripts/analysis.md. This PR implements the recommended Option C (hybrid) and matches the prescription almost line-for-line.

Verdict: APPROVE

What I checked

• templates/trust-center.php ~L94-97: wp_register_style('opentrust-frontend', plugins_url('assets/css/frontend.css', OPENTRUST_PLUGIN_FILE), [], OPENTRUST_VERSION) + wp_enqueue_style + wp_add_inline_style (accent vars only) + wp_print_styles. Real $src, no more false. Good.
• templates/trust-center.php ~L229-235: wp_register_script('opentrust-frontend', plugins_url('assets/js/frontend.js', OPENTRUST_PLUGIN_FILE), [], OPENTRUST_VERSION, ['in_footer' => true, 'strategy' => 'defer']). file_get_contents() payload dropped. Good.
• templates/chat.php ~L84-89: registers both opentrust-frontend and opentrust-chat styles with real plugins_url() $srcs; opentrust-chat correctly declares ['opentrust-frontend'] as a dependency. Accent vars routed through wp_add_inline_style. Good.
• templates/chat.php ~L347-358: ot-chat-config JSON now emitted via wp_print_inline_script_tag(..., ['id' => 'ot-chat-config', 'type' => 'application/json']) — matches the analysis prescription, no rewrite needed in chat.js since the DOM shape is identical. opentrust-chat script registered with real $src, in_footer + defer. Good.
• templates/partials/faq.php L67-72: raw <script type="application/ld+json"> swapped for wp_print_inline_script_tag(..., ['type' => 'application/ld+json']) and the phpcs:ignore is gone. Good.
• assets/css/frontend.css L11: @@OT_FONT_URL@@ placeholder replaced with url('../fonts/Inter-Variable.woff2'). Resolves correctly because the CSS is now served from assets/css/ so ../fonts/ lands at assets/fonts/Inter-Variable.woff2 (verified file exists at that path). Good — this also removes the per-request str_replace() and a minor escaping concern.
• Constants: OPENTRUST_PLUGIN_FILE is defined in opentrust.php L24, so plugins_url($path, OPENTRUST_PLUGIN_FILE) works correctly.
• Hook timing: enqueues fire during template_redirect (after init), and the template uses explicit wp_print_styles(['opentrust-...']) / wp_print_scripts(['opentrust-...']) rather than wp_head() / wp_footer() — preserves the theme-isolation guarantee called out in the analysis Risk section.
• Handles all opentrust- prefixed; admin enqueue path in class-opentrust-admin.php is untouched and was already canonical.

Plugin Check rules that should now pass

• WordPress.WP.EnqueuedResources — no whole-file payloads piped through wp_add_inline_* anymore; only per-request accent CSS vars remain inline (idiomatic).
• WordPress.Security.EscapeOutput.OutputNotEscaped (the :242, :99, :105 flags from the reviewer's email) — the (string) file_get_contents(...) echo paths are gone.
• The faq.php:69 flag — wp_print_inline_script_tag() is an asset-API primitive, no manual <script> tag printed by the partial.

Minor notes (non-blocking)

• The analysis suggested bumping OPENTRUST_VERSION to 1.1.0. It's still 1.0.1 in opentrust.php L21. Not required for this PR to clear the reviewer's flag, but worth bumping before tagging the release that goes back to wp.org — otherwise visitors on stale browser caches will be served the old fallback request semantics (no real consequence here since the previous codepath never emitted <link> / <script src=...> tags, so there's no cache to bust). Same point for the Version: header and POT Project-Id-Version if you tag a new build.
• The Cloudflare Turnstile registration at chat.php ~L92 still carries the phpcs:ignore PluginCheck.CodeAnalysis.Offloading... comment, which is correct (third-party CAPTCHA must load from the vendor CDN per Cloudflare's TOS); leaving it as a deliberate, scoped suppression with rationale is the right call.

— Claude (automated review on behalf of @nolderoos)