# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.2.2] - 2026-01-28

### Added

- `/update-check` endpoint documentation in server-implementation.md
- `product_not_found` error code to error codes table
- `handleUpdateCheck()` handler example in WordPress plugin implementation
- `findProduct()` method stub for product lookups

### Changed

- Verified client implementation aligns with updated server documentation
- All signature algorithms, key derivation, and JSON canonicalization match server

## [0.2.1] - 2026-01-27

### Added

- `checkForUpdates()` method for checking plugin updates
- `UpdateInfo` DTO for update check responses
- `ProductNotFoundException` for `product_not_found` error handling
- `/update-check` endpoint support aligned with remote OpenAPI spec (v0.4.0)

### Changed

- Updated local `openapi.json` to match remote specification (now v0.4.0)
- Added "Plugin Updates" tag to OpenAPI specification

## [0.2.0] - 2026-01-26

### Added

- SSRF protection with URL validation and private IP range blocking
- `allowInsecureHttp` constructor parameter for development environments
- Input validation in all DTO `fromArray()` methods
- DateTime exception handling in DTOs
- Recursive key sorting in `ResponseSignature` for nested objects

### Changed

- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC
- Exception messages sanitized to prevent information disclosure
- Header normalization treats empty values as null

### Fixed

- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
- Header normalization null risk in `SecureLicenseClient`

### Security

- Comprehensive security audit performed
- SSRF vulnerability mitigated
- Information disclosure in error messages fixed
- Improved cryptographic key derivation

## [0.1.0] - 2026-01-22

### Added

- Object-oriented client library (`LicenseClient`, `LicenseClientInterface`)
- DTO classes for API responses (`LicenseInfo`, `LicenseStatus`, `ActivationResult`)
- `LicenseState` enum for license status values
- Comprehensive exception hierarchy for error handling
- PSR-3 logging support (optional)
- PSR-6 caching support (optional)
- PSR dependencies (`psr/log`, `psr/cache`, `psr/http-client`)
- PHPUnit test suite with 32 tests covering DTOs, exceptions, and client
- `SecureLicenseClient` with response signature verification (HMAC-SHA256)
- `ResponseSignature` class for signing and verifying API responses
- `StringEncoder` for basic string obfuscation in source code
- `IntegrityChecker` for verifying source file integrity
- `SignatureException` and `IntegrityException` for security errors
- Server implementation documentation (`docs/server-implementation.md`)
- Security test suite (34 additional tests)

### Changed

- Updated README with usage examples

## [0.0.1] - 2026-01-22

### Added

- Initial composer project setup
- Package configuration with PSR-4 autoloading
- Symfony HttpClient dependency (^7.0)
- Project documentation (README.md, CHANGELOG.md)
- OpenAPI specification reference in tmp/openapi.json