Update OpenAPI specification for v0.3.2

- Updated OpenAPI version from 0.0.7 to 0.3.2
- Added documentation for response signing headers (X-License-Signature, X-License-Timestamp)
- Enhanced API description with security information about signature verification
- Added header component definitions to OpenAPI spec
- All endpoint 200 responses now reference optional signature headers

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.2] - 2026-01-22
+
+### Changed
+
+- Updated OpenAPI specification to version 0.3.2
+- Added documentation for response signing headers (X-License-Signature, X-License-Timestamp)
+- Enhanced API description with response signing security information
+
+### Technical Details
+
+- OpenAPI spec now documents optional response signature headers
+- Added header component definitions for X-License-Signature and X-License-Timestamp
+- All endpoint 200 responses now reference signature headers
+- Improved API documentation describing SecureLicenseClient usage
+
 ## [0.3.1] - 2026-01-22
 
 ### Changed
@@ -410,7 +425,8 @@ define('WC_LICENSE_SERVER_SECRET', 'your-secure-random-string-min-32-chars');
 - WordPress REST API integration
 - Custom WooCommerce product type extending WC_Product
 
-[Unreleased]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.3.1...HEAD
+[Unreleased]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.3.2...HEAD
+[0.3.2]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.3.1...v0.3.2
 [0.3.1]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.3.0...v0.3.1
 [0.3.0]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.2.2...v0.3.0
 [0.2.2]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.2.1...v0.2.2

CLAUDE.md

@@ -846,3 +846,26 @@ Reorganized the settings page with WooCommerce-style sub-tab navigation for bett
 - Created release package: `releases/wc-licensed-product-0.3.1.zip` (754 KB)
 - SHA256: `55468275522590cd68924bdf97cfcba8aa9e6ba11e2111d0234e16a1936b8adf`
 - Tagged as `v0.3.1` and pushed to `main` branch
+
+### 2026-01-22 - Version 0.3.2 - OpenAPI Update
+
+**Overview:**
+
+Updated OpenAPI specification to document response signing feature added in v0.2.0.
+
+**Implemented:**
+
+- Updated OpenAPI version from 0.0.7 to 0.3.2
+- Added documentation for X-License-Signature and X-License-Timestamp headers
+- Enhanced API description with response signing security information
+- Added header component definitions in OpenAPI spec
+
+**Modified files:**
+
+- `openapi.json` - Updated version and added signature header documentation
+
+**Technical notes:**
+
+- All endpoint 200 responses now reference optional signature headers
+- Header definitions added to components section
+- API description explains SecureLicenseClient usage for signature verification

openapi.json

@@ -2,8 +2,8 @@
   "openapi": "3.1.0",
   "info": {
     "title": "WooCommerce Licensed Product API",
-    "description": "REST API for validating and managing software licenses bound to domains. This API allows external applications to validate license keys, check license status, and activate licenses on specific domains.",
-    "version": "0.0.7",
+    "description": "REST API for validating and managing software licenses bound to domains. This API allows external applications to validate license keys, check license status, and activate licenses on specific domains.\n\n## Response Signing (Optional)\n\nWhen the server is configured with `WC_LICENSE_SERVER_SECRET`, all API responses include cryptographic signatures for tamper protection:\n\n- `X-License-Signature`: HMAC-SHA256 signature of the response\n- `X-License-Timestamp`: Unix timestamp when the response was generated\n\nSignature verification prevents man-in-the-middle attacks and ensures response integrity. Use the `magdev/wc-licensed-product-client` library's `SecureLicenseClient` class to automatically verify signatures.",
+    "version": "0.3.2",
     "contact": {
       "name": "Marco Graetsch",
       "url": "https://src.bundespruefstelle.ch/magdev",
@@ -55,6 +55,14 @@
         "responses": {
           "200": {
             "description": "License is valid for the specified domain",
+            "headers": {
+              "X-License-Signature": {
+                "$ref": "#/components/headers/X-License-Signature"
+              },
+              "X-License-Timestamp": {
+                "$ref": "#/components/headers/X-License-Timestamp"
+              }
+            },
             "content": {
               "application/json": {
                 "schema": {
@@ -156,6 +164,14 @@
         "responses": {
           "200": {
             "description": "License status retrieved successfully",
+            "headers": {
+              "X-License-Signature": {
+                "$ref": "#/components/headers/X-License-Signature"
+              },
+              "X-License-Timestamp": {
+                "$ref": "#/components/headers/X-License-Timestamp"
+              }
+            },
             "content": {
               "application/json": {
                 "schema": {
@@ -221,6 +237,14 @@
         "responses": {
           "200": {
             "description": "License activated successfully or already activated",
+            "headers": {
+              "X-License-Signature": {
+                "$ref": "#/components/headers/X-License-Signature"
+              },
+              "X-License-Timestamp": {
+                "$ref": "#/components/headers/X-License-Timestamp"
+              }
+            },
             "content": {
               "application/json": {
                 "schema": {
@@ -519,6 +543,26 @@
           }
         }
       }
+    },
+    "headers": {
+      "X-License-Signature": {
+        "description": "HMAC-SHA256 signature of the response body for tamper protection. Only present when server is configured with WC_LICENSE_SERVER_SECRET. Signature format: hex-encoded HMAC-SHA256 of (timestamp + ':' + canonical_json_body) using a per-license derived key.",
+        "schema": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "example": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
+        },
+        "required": false
+      },
+      "X-License-Timestamp": {
+        "description": "Unix timestamp when the response was generated. Used together with X-License-Signature to prevent replay attacks. Only present when server is configured with WC_LICENSE_SERVER_SECRET.",
+        "schema": {
+          "type": "string",
+          "pattern": "^[0-9]+$",
+          "example": "1737550000"
+        },
+        "required": false
+      }
     }
   },
   "tags": [

wc-licensed-product.php

@@ -3,7 +3,7 @@
  * Plugin Name: WooCommerce Licensed Product
  * Plugin URI: https://src.bundespruefstelle.ch/magdev/wc-licensed-product
  * Description: WooCommerce plugin to sell software products using license keys with domain-based validation.
- * Version: 0.3.1
+ * Version: 0.3.2
  * Author: Marco Graetsch
  * Author URI: https://src.bundespruefstelle.ch/magdev
  * License: GPL-2.0-or-later
@@ -28,7 +28,7 @@ if (!defined('ABSPATH')) {
 }
 
 // Plugin constants
-define('WC_LICENSED_PRODUCT_VERSION', '0.3.1');
+define('WC_LICENSED_PRODUCT_VERSION', '0.3.2');
 define('WC_LICENSED_PRODUCT_PLUGIN_FILE', __FILE__);
 define('WC_LICENSED_PRODUCT_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('WC_LICENSED_PRODUCT_PLUGIN_URL', plugin_dir_url(__FILE__));