CHANGELOG.md

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.2.2] - 2026-01-28

### Added

- `/update-check` endpoint documentation in server-implementation.md
- `product_not_found` error code to error codes table
- `handleUpdateCheck()` handler example in WordPress plugin implementation
- `findProduct()` method stub for product lookups

### Changed

- Verified client implementation aligns with updated server documentation
- All signature algorithms, key derivation, and JSON canonicalization match server

## [0.2.1] - 2026-01-27

### Added

- `checkForUpdates()` method for checking plugin updates
- `UpdateInfo` DTO for update check responses
- `ProductNotFoundException` for `product_not_found` error handling
- `/update-check` endpoint support aligned with remote OpenAPI spec (v0.4.0)

### Changed

- Updated local `openapi.json` to match remote specification (now v0.4.0)
- Added "Plugin Updates" tag to OpenAPI specification

## [0.2.0] - 2026-01-26

### Added

- SSRF protection with URL validation and private IP range blocking
- `allowInsecureHttp` constructor parameter for development environments
- Input validation in all DTO `fromArray()` methods
- DateTime exception handling in DTOs
- Recursive key sorting in `ResponseSignature` for nested objects

### Changed

- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC
- Exception messages sanitized to prevent information disclosure
- Header normalization treats empty values as null

### Fixed

- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
- Header normalization null risk in `SecureLicenseClient`

### Security

- Comprehensive security audit performed
- SSRF vulnerability mitigated
- Information disclosure in error messages fixed
- Improved cryptographic key derivation

## [0.1.0] - 2026-01-22

### Added

- Object-oriented client library (`LicenseClient`, `LicenseClientInterface`)
- DTO classes for API responses (`LicenseInfo`, `LicenseStatus`, `ActivationResult`)
- `LicenseState` enum for license status values
- Comprehensive exception hierarchy for error handling
- PSR-3 logging support (optional)
- PSR-6 caching support (optional)
- PSR dependencies (`psr/log`, `psr/cache`, `psr/http-client`)
- PHPUnit test suite with 32 tests covering DTOs, exceptions, and client
- `SecureLicenseClient` with response signature verification (HMAC-SHA256)
- `ResponseSignature` class for signing and verifying API responses
- `StringEncoder` for basic string obfuscation in source code
- `IntegrityChecker` for verifying source file integrity
- `SignatureException` and `IntegrityException` for security errors
- Server implementation documentation (`docs/server-implementation.md`)
- Security test suite (34 additional tests)

### Changed

- Updated README with usage examples

## [0.0.1] - 2026-01-22

### Added

- Initial composer project setup
- Package configuration with PSR-4 autoloading
- Symfony HttpClient dependency (^7.0)
- Project documentation (README.md, CHANGELOG.md)
- OpenAPI specification reference in tmp/openapi.json
Initialize composer project for WooCommerce Licensed Product Client - Set up composer.json with package metadata and PSR-4 autoloading - Add symfony/http-client ^7.0 as HTTP client dependency - Create project structure (src/, tests/, tmp/) - Add README.md with project overview - Add CHANGELOG.md to track version history - Add .gitignore for vendor and cache files - Include OpenAPI specification in tmp/openapi.json Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 15:37:20 +01:00			`# Changelog`

			`All notable changes to this project will be documented in this file.`

			`The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),`
			`and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).`

			`## [Unreleased]`

Add update-check endpoint documentation (v0.2.2) - Add /update-check endpoint documentation to server-implementation.md - Add product_not_found error code to error codes table - Add handleUpdateCheck() handler example in WordPress plugin - Add findProduct() method stub for product lookups - Verified client implementation aligns with server documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 11:56:47 +01:00			`## [0.2.2] - 2026-01-28`

			`### Added`

			- `/update-check` endpoint documentation in server-implementation.md
			- `product_not_found` error code to error codes table
			- `handleUpdateCheck()` handler example in WordPress plugin implementation
			- `findProduct()` method stub for product lookups

			`### Changed`

			`- Verified client implementation aligns with updated server documentation`
			`- All signature algorithms, key derivation, and JSON canonicalization match server`

Add update-check endpoint support (v0.2.1) Implement /update-check endpoint aligned with remote OpenAPI spec: - Add checkForUpdates() method to LicenseClientInterface - Add UpdateInfo DTO for update check responses - Add ProductNotFoundException for product_not_found error - Update local openapi.json to v0.4.0 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-27 20:52:12 +01:00			`## [0.2.1] - 2026-01-27`

			`### Added`

			- `checkForUpdates()` method for checking plugin updates
			- `UpdateInfo` DTO for update check responses
			- `ProductNotFoundException` for `product_not_found` error handling
			- `/update-check` endpoint support aligned with remote OpenAPI spec (v0.4.0)

			`### Changed`

			- Updated local `openapi.json` to match remote specification (now v0.4.0)
			`- Added "Plugin Updates" tag to OpenAPI specification`

Release version 0.2.0 Security improvements and server implementation alignment. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 16:36:29 +01:00			`## [0.2.0] - 2026-01-26`

			`### Added`

			`- SSRF protection with URL validation and private IP range blocking`
			- `allowInsecureHttp` constructor parameter for development environments
			- Input validation in all DTO `fromArray()` methods
			`- DateTime exception handling in DTOs`
			- Recursive key sorting in `ResponseSignature` for nested objects

			`### Changed`

			- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC
			`- Exception messages sanitized to prevent information disclosure`
			`- Header normalization treats empty values as null`

			`### Fixed`

			- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
			- Header normalization null risk in `SecureLicenseClient`

			`### Security`

			`- Comprehensive security audit performed`
			`- SSRF vulnerability mitigated`
			`- Information disclosure in error messages fixed`
			`- Improved cryptographic key derivation`

Release version 0.1.0 First minor release with complete license client functionality: - Object-oriented client library with PSR support - Secure client with HMAC-SHA256 signature verification - Comprehensive test suite (66 tests) - Full documentation including server implementation guide Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 16:24:57 +01:00			`## [0.1.0] - 2026-01-22`
Add object-oriented license client library (v0.0.2) - Add LicenseClient with PSR-3 logging and PSR-6 caching support - Add DTO classes: LicenseInfo, LicenseStatus, ActivationResult - Add LicenseState enum for license status values - Add comprehensive exception hierarchy for error handling - Add PSR dependencies (psr/log, psr/cache, psr/http-client) - Update README with usage examples - Update CHANGELOG for v0.0.2 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 15:51:05 +01:00
			`### Added`

			- Object-oriented client library (`LicenseClient`, `LicenseClientInterface`)
			- DTO classes for API responses (`LicenseInfo`, `LicenseStatus`, `ActivationResult`)
			- `LicenseState` enum for license status values
			`- Comprehensive exception hierarchy for error handling`
			`- PSR-3 logging support (optional)`
			`- PSR-6 caching support (optional)`
			- PSR dependencies (`psr/log`, `psr/cache`, `psr/http-client`)
Add PHPUnit test suite - Add PHPUnit 11.0 as dev dependency - Add phpunit.xml configuration - Add DTO tests (LicenseInfo, LicenseStatus, ActivationResult) - Add Exception tests (factory method, all exception types) - Add LicenseClient tests with mocked HTTP responses - Update README with testing instructions - Update CHANGELOG 32 tests, 93 assertions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 16:05:28 +01:00			`- PHPUnit test suite with 32 tests covering DTOs, exceptions, and client`
Add security layer with response signature verification Security classes: - ResponseSignature: HMAC-SHA256 signing and verification - StringEncoder: XOR-based string obfuscation for source code - IntegrityChecker: Source file hash verification - SignatureException, IntegrityException for error handling SecureLicenseClient: - Verifies server response signatures - Prevents response tampering and replay attacks - Per-license derived signing keys - Optional code integrity checking Documentation: - docs/server-implementation.md with complete WordPress/WooCommerce integration guide for signing responses Tests: - 34 new security tests (66 total, all passing) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 16:16:59 +01:00			- `SecureLicenseClient` with response signature verification (HMAC-SHA256)
			- `ResponseSignature` class for signing and verifying API responses
			- `StringEncoder` for basic string obfuscation in source code
			- `IntegrityChecker` for verifying source file integrity
			- `SignatureException` and `IntegrityException` for security errors
			- Server implementation documentation (`docs/server-implementation.md`)
			`- Security test suite (34 additional tests)`
Add object-oriented license client library (v0.0.2) - Add LicenseClient with PSR-3 logging and PSR-6 caching support - Add DTO classes: LicenseInfo, LicenseStatus, ActivationResult - Add LicenseState enum for license status values - Add comprehensive exception hierarchy for error handling - Add PSR dependencies (psr/log, psr/cache, psr/http-client) - Update README with usage examples - Update CHANGELOG for v0.0.2 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 15:51:05 +01:00
			`### Changed`

			`- Updated README with usage examples`

Initialize composer project for WooCommerce Licensed Product Client - Set up composer.json with package metadata and PSR-4 autoloading - Add symfony/http-client ^7.0 as HTTP client dependency - Create project structure (src/, tests/, tmp/) - Add README.md with project overview - Add CHANGELOG.md to track version history - Add .gitignore for vendor and cache files - Include OpenAPI specification in tmp/openapi.json Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-22 15:37:20 +01:00			`## [0.0.1] - 2026-01-22`

			`### Added`

			`- Initial composer project setup`
			`- Package configuration with PSR-4 autoloading`
			`- Symfony HttpClient dependency (^7.0)`
			`- Project documentation (README.md, CHANGELOG.md)`
			`- OpenAPI specification reference in tmp/openapi.json`