Release v0.7.0 - Security Hardening

Security Fixes:
- Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods)
- Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait)
- Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait)
- Added file size limit (2MB), row limit (1000), and rate limiting to CSV import
- Added JSON decode error handling in StoreApiExtension
- Added license ID validation in frontend.js to prevent selector injection

New Files:
- src/Api/IpDetectionTrait.php - Shared IP detection with proxy support
- src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations

Breaking Changes:
- None

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.0] - 2026-01-28
+
+### Security
+
+- Fixed XSS vulnerability in checkout blocks DOM fallback injection
+- Unified IP detection for rate limiting across all REST API endpoints
+- Added rate limiting to license transfers (5 per hour) and downloads (30 per hour)
+- Added file size (2MB), row count (1000), and rate limiting to CSV import
+- Added JSON decode error handling in Store API extension
+- Added jQuery selector sanitization for license ID validation
+
+### Added
+
+- New `IpDetectionTrait` for shared IP detection logic with proxy support
+- New `RateLimitTrait` for reusable frontend rate limiting
+- New `src/Common/` directory for shared traits
+
+### Changed
+
+- RestApiController now uses IpDetectionTrait instead of inline methods
+- UpdateController now uses IpDetectionTrait for consistent rate limiting behind proxies
+- AccountController now uses RateLimitTrait for transfer rate limiting
+- DownloadController now uses RateLimitTrait for download rate limiting
+- Checkout blocks fallback uses safe DOM construction instead of innerHTML
+
 ## [0.6.1] - 2026-01-27
 
 ### Added