- Add JSON encoding error handling in ResponseSignature to prevent silent failures
- Sanitize exception messages to prevent information disclosure
- Fix header normalization to treat empty values as null
- Add SSRF protection with URL validation and private IP blocking
- Replace custom key derivation with RFC 5869-compliant hash_hkdf()
- Add input validation in DTO fromArray() methods
- Add DateTime exception handling in DTOs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
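
The SSRF protection named in the first commit, as an added example that is not the project's own code: an outbound URL validator that rejects non-http(s) schemes, embedded credentials, and any host whose literal or resolved address falls in a private, loopback, link-local or otherwise non-routable range. Class and method names are hypothetical; the blocked ranges come from PHP's `FILTER_FLAG_NO_PRIV_RANGE` / `FILTER_FLAG_NO_RES_RANGE` plus two IPv4 ranges those flags do not cover.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): validate a URL before a server-side
// HTTP client is allowed to fetch it. All names here are hypothetical.
final class OutboundUrlValidator
{
    /** IPv4 ranges that filter_var()'s NO_PRIV_RANGE / NO_RES_RANGE do not cover. */
    private const EXTRA_BLOCKED_V4 = [
        ['100.64.0.0', 10],   // carrier-grade NAT (RFC 6598)
        ['224.0.0.0', 4],     // multicast
    ];

    /** Returns the URL unchanged if it is safe to fetch; throws otherwise. */
    public static function assertSafe(string $url): string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            throw new InvalidArgumentException('Malformed URL');
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            throw new InvalidArgumentException('Only http(s) URLs are allowed');
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            throw new InvalidArgumentException('Credentials in URL are not allowed');
        }
        $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
        foreach (self::resolve($host) as $ip) {
            if (self::isBlockedIp($ip)) {
                throw new InvalidArgumentException("Host resolves to blocked address {$ip}");
            }
        }
        return $url;
    }

    /** Literal IPs are returned as-is; names are resolved to both A and AAAA records. */
    private static function resolve(string $host): array
    {
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            return [$host];
        }
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'];
        }
        if ($ips === []) {
            throw new InvalidArgumentException('Host does not resolve');
        }
        return $ips;
    }

    /** True for private, loopback, link-local, reserved, CGNAT and multicast addresses. */
    public static function isBlockedIp(string $ip): bool
    {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE : 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return true;
        }
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            $addr = ip2long($ip);
            foreach (self::EXTRA_BLOCKED_V4 as [$net, $bits]) {
                $mask = -1 << (32 - $bits);
                if (($addr & $mask) === (ip2long($net) & $mask)) {
                    return true;
                }
            }
        }
        return false;
    }
}

// Constructed sample inputs: literal addresses need no DNS lookup.
foreach (['127.0.0.1', '10.1.2.3', '100.64.1.1', 'fe80::1', '::ffff:192.168.0.1', '93.184.216.34'] as $ip) {
    printf("%-20s blocked=%s\n", $ip, OutboundUrlValidator::isBlockedIp($ip) ? 'yes' : 'no');
}
```

Two caveats a validator like this does not solve on its own: the HTTP client may resolve the name a second time (DNS rebinding), so pin the address you validated (for cURL, `CURLOPT_RESOLVE`) rather than trusting a single lookup; and a 3xx redirect to an internal address bypasses the check entirely unless redirects are disabled or each hop is re-validated.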
- Update OpenAPI spec to v0.3.2 with signature header documentation
- Add X-License-Signature and X-License-Timestamp header definitions
- Clean up unused imports in security classes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security classes:
- ResponseSignature: HMAC-SHA256 signing and verification
- StringEncoder: XOR-based string obfuscation for source code
- IntegrityChecker: Source file hash verification
- SignatureException, IntegrityException for error handling

SecureLicenseClient:
- Verifies server response signatures
- Prevents response tampering and replay attacks
- Per-license derived signing keys
- Optional code integrity checking

Documentation:
- docs/server-implementation.md with complete WordPress/WooCommerce integration guide for signing responses

Tests:
- 34 new security tests (66 total, all passing)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
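
The signing scheme these commits describe (HMAC-SHA256 response signatures, per-license keys derived with RFC 5869 `hash_hkdf()`, the `X-License-Signature` / `X-License-Timestamp` headers, JSON encoding errors raised instead of swallowed, and empty header values treated as null), as an added example that is not the project's ResponseSignature or SecureLicenseClient code. The class name, the HKDF info string, the 300-second skew window and the sample license key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not the project's code): derive a per-license
// signing key with HKDF, sign timestamp + raw JSON body with HMAC-SHA256, and
// verify on the client with a bounded timestamp window so a captured response
// cannot simply be replayed later.
final class LicenseResponseSignature
{
    public const HEADER_SIGNATURE = 'X-License-Signature';
    public const HEADER_TIMESTAMP = 'X-License-Timestamp';
    private const MAX_SKEW_SECONDS = 300;   // assumed acceptance window

    /** Per-license key: the info string binds the output to one license and one purpose. */
    public static function deriveKey(string $masterSecret, string $licenseKey): string
    {
        // hash_hkdf(algo, ikm, length, info, salt); 32 bytes suits HMAC-SHA256
        return hash_hkdf('sha256', $masterSecret, 32, 'license-response-signing|' . $licenseKey, 'v1');
    }

    /** Server side: returns [body, headers]. JSON_THROW_ON_ERROR turns a failed encode into an exception. */
    public static function signResponse(string $key, array $payload, int $now): array
    {
        $body = json_encode($payload, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
        $mac  = hash_hmac('sha256', self::message($now, $body), $key);
        return [$body, [
            self::HEADER_TIMESTAMP => (string) $now,
            self::HEADER_SIGNATURE => $mac,
        ]];
    }

    /** Client side: verify the raw body bytes before decoding them, never a re-encoded copy. */
    public static function verifyResponse(string $key, string $body, array $headers, int $now): bool
    {
        $ts  = self::header($headers, self::HEADER_TIMESTAMP);
        $sig = self::header($headers, self::HEADER_SIGNATURE);
        if ($ts === null || $sig === null || !ctype_digit($ts)) {
            return false;
        }
        if (abs($now - (int) $ts) > self::MAX_SKEW_SECONDS) {
            return false;                      // stale or future-dated: reject
        }
        $expected = hash_hmac('sha256', self::message((int) $ts, $body), $key);
        return hash_equals($expected, $sig);   // constant-time comparison
    }

    /** The timestamp is inside the signed message, so it cannot be altered independently. */
    private static function message(int $timestamp, string $body): string
    {
        return $timestamp . "\n" . $body;
    }

    /** Case-insensitive lookup; an empty header value is normalized to null (absent). */
    private static function header(array $headers, string $name): ?string
    {
        foreach ($headers as $k => $v) {
            if (strcasecmp($k, $name) === 0) {
                $v = trim((string) $v);
                return $v === '' ? null : $v;
            }
        }
        return null;
    }
}

// Constructed sample run with placeholder secret and license key.
$key = LicenseResponseSignature::deriveKey('MASTER-SECRET-PLACEHOLDER', 'LIC-0000-PLACEHOLDER');
[$body, $headers] = LicenseResponseSignature::signResponse(
    $key, ['license' => 'LIC-0000-PLACEHOLDER', 'status' => 'active'], time()
);
$genuine  = LicenseResponseSignature::verifyResponse($key, $body, $headers, time());
$tampered = LicenseResponseSignature::verifyResponse($key, str_replace('active', 'expired', $body), $headers, time());
$replayed = LicenseResponseSignature::verifyResponse($key, $body, $headers, time() + 3600);
$blankSig = LicenseResponseSignature::verifyResponse($key, $body, [LicenseResponseSignature::HEADER_TIMESTAMP => $headers[LicenseResponseSignature::HEADER_TIMESTAMP], LicenseResponseSignature::HEADER_SIGNATURE => ''], time());
printf("genuine=%d tampered=%d replayed=%d blank-signature=%d\n", $genuine, $tampered, $replayed, $blankSig);
```

Two design points worth keeping in mind: the client must verify the exact bytes it received, since decoding and re-encoding the JSON can change whitespace, escaping or key order and invalidate a correct signature; and a timestamp window only bounds replay, it does not eliminate it, so a response that must be single-use also needs a per-request nonce echoed back inside the signed body.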