WordPress NLWeb plugin: apply review feedback

[Copilot]

Addresses a batch of correctness, security, and polish issues flagged in the initial plugin review.

Bug Fixes

• class-nlweb-settings.php: Default models corrected (gpt-4.1-mini → gpt-4o-mini)
• class-nlweb-llm.php: Added openai provider case to build_request/parse_response — previously only openrouter was handled, so selecting "OpenAI" in settings silently failed; added error_log on all failure paths
• class-nlweb-query-rewriter.php: fanout_search deduplication used non-existent id field; switched to url, with fallback for both associative arrays and numeric tuples [url, schema_json, name, site]; converted file from tabs to spaces to match the rest of the plugin

Security

• nlweb-mcp-renderer.js: Removed allow-same-origin from sandbox. allow-scripts + allow-same-origin together allow the iframe to remove its own sandbox attribute, fully bypassing isolation. Updated setupMessageListener to use event.source for validation since sandboxed null-origin iframes can't be validated by origin string.

// Before — effectively no sandbox
this.iframe.setAttribute('sandbox', 'allow-scripts allow-forms allow-same-origin');

// After
this.iframe.setAttribute('sandbox', 'allow-scripts allow-forms');

Polish

• class-nlweb-handler.php: Fixed step comment label (4 → 5 for "Optionally summarize")
• nlweb-frontend.css: .page .wp-block-post-title { display:none } was hiding titles site-wide; scoped to .nlweb-fullpage-layout
• class-nlweb-retriever.php: Yoast extraction catch block now logs errors instead of swallowing them silently
• class-nlweb-ranker.php: Comment wording fix
• class-nlweb-frontend.php: Hardcoded sci-fi movie empty state replaced with generic defaults; added empty_title and empty_message shortcode attributes for customization

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.