v-wordpress-plugin-updater/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Unreleased

• Aligned update-check contract (Option A): Unified the request/response protocol used between the WordPress client plugin and the Update API server.
  • PluginUpdater::fetch_package now sends type=plugin&slug=<slug> instead of plugin=<slug>.
  • ThemeUpdater::fetch_package now sends type=theme&slug=<slug> instead of theme=<slug>.
  • Both updaters now treat HTTP 403 as the auth-failure signal (replacing the previous incorrect 401 check) to match the status code returned by ApiController.
  • Both updaters now handle the direct binary ZIP response on HTTP 200 (no JSON zip_url parsing) and return the authenticated API URL as download_url for AbstractRemoteUpdater.
  • Added tests/ApiControllerTest.php covering request validation, auth failure (403), no-update (204), and successful update (200) for both plugin and theme types.
  • Added tests/UpdaterFetchPackageTest.php with 22 tests locking parameter names, status-code branches, WP_Error handling, and a regression test proving a valid request reaches the install path.
  • Updated v-wp-updater/api/API_SCHEMA.md with the canonical update-check endpoint contract.
• Updated update-api/cron.php to accept the positional worker argument, reject unknown CLI options, and propagate non-zero exit codes when cron work fails via ErrorManager.
• Added integration tests covering worker invocation, argument validation, and CLI error handling, plus lightweight mu-plugin fixtures required for the suite.
• Updated README.md to match current codebase: Replaced all references to obsolete mu-plugin/ directory with v-wp-updater/. Updated project structure documentation to reflect dual-component architecture (Update API Server + WordPress Client Plugin). Removed references to non-existent files (HOSTS, autoload.php) and controllers (AccountsController, InfoController, UsersController). Added documentation for SiteLogsController and cron.php with worker mode. Updated installation and usage sections with accurate paths and separate setup procedures for API server and client plugin.
• Removed legacy key-exchange workflow; clients now use a stored API key.
• Updated installation to use VONTMNT_UPDATE_KEYREGEN instead of VONTMENT_KEY.
• Consolidated VONTMENT_PLUGINS and VONTMENT_THEMES into a single VONTMNT_API_URL constant.
• Split update loops into single-item tasks: Refactored plugin and theme updaters to use asynchronous per-item processing. Daily update checks now schedule individual wp_schedule_single_event() tasks for each plugin/theme instead of processing all items synchronously. Added vontmnt_plugin_update_single() and vontmnt_theme_update_single() callback functions.
• Expanded test coverage to reflect current codebase: Added comprehensive tests for ThemeModel, Encryption, Blacklist, CronWorker, Validation, Response, Csrf, and MessageHelper classes. Test suite expanded from 37 to 105 tests with 241 assertions, providing coverage for all major components including models, helpers, and core classes.
• Stored admin password as a hash and verified with password_verify during login.
• Controllers now return structured Response objects; router and session handling updated accordingly.
• Expanded filename validation to allow digits and underscores in slugs and updated tests.
• Introduced configurable LOG_FILE and centralized logging through ErrorManager.
• Made SessionManager::requireAuth non-terminating, returning a boolean instead.
• Enhanced vontmnt_get_api_key with wp-config backups and validation.
• Streamlined plugin updates using a single streaming wp_remote_get call.
• Removed HTML escaping in HostsModel in favor of parameterized queries.

4.0.0

• Added PHP_CodeSniffer with WordPress Coding Standards for linting.
• Moved validation helpers to App\Helpers\Validation and encryption helpers to App\Helpers\Encryption.
• Added App\Models\Blacklist for IP blacklist management and removed App\Core\Utility.
• Introduced centralized SessionManager and Csrf utilities, refactored controllers and routing to use them, and replaced AuthController with LoginController.
• Switched router to instantiate controllers, dropped unused account/user/info routes, and added /api endpoint.
• Updated LoginController to render views through $this instead of creating a new instance.
• Converted controllers to instance methods using $this->render and removed the feeds controller and route.
• Refined router dispatch to include HTTP method and validate API requests before enforcing authentication.
• Streamlined session validation to check only timeout and user agent, moved IP blacklist enforcement to authentication, and added unit tests for session expiry, user-agent changes, and blacklist handling.
• Refactored router into a singleton and documented root URL redirection to /home.
• Restricted table generation helpers in controllers and SessionManager::isValid to internal use and updated tests accordingly.
• Fixed PHPStan reported issues by initializing variables, adding explicit type annotations, and excluding vendor code from analysis.
• Introduced SQLite persistence using Doctrine DBAL with install and cron scripts, and migrated models and controllers to use the database.
• Replaced JSON-based blacklist with SQLite table that automatically resets entries after three days.
• Moved blacklist table creation to installer script.
• Removed rawurlencode from updater request parameters to prevent double encoding.
• Added WP_Error checks after wp_remote_get calls to log network failures and skip processing.
• Corrected the header in v-sys-theme-updater.php so it loads as a plugin.
• Updated SessionManager::requireAuth to return a boolean and halt routing for blacklisted IPs.
• Logged failed package writes in plugin and theme updaters and skipped installation when writes fail.