--no-check-lock: Skip lock file validation (regenerated during install)
--no-check-all: Only validate schema, not warnings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change version constraint from @dev to * for path repository
- Remove --strict from composer validate (path repos can't have proper versions)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes CI/CD failing to clone submodule via HTTPS.
Relative path uses same protocol/auth as parent repo.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace non-existent actions/gitea-release-action with direct
Gitea API calls using curl for release creation and asset upload.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Convert wc-licensed-product-client from Composer VCS to git submodule
- Add Gitea Actions workflow for automated releases on version tags
- Update composer.json to use path repository for submodule
- Workflow includes: submodule checkout, PHP setup, translation compilation,
version verification, package creation, checksum generation, release upload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created wc-licensed-product-0.7.1.zip (886 KB)
- SHA256: 6ffd0bdf47395436bbc28a029eff4c6d065f2b5b64c687b96ae36a74c3ee34ef
- Updated CLAUDE.md with release info
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
## Fixed
- CRITICAL: Fixed API Verification Secret not displayed in PHP fallback template
- Response signing now includes /update-check endpoint
## Changed
- Updated magdev/wc-licensed-product-client to v0.2.2
- Updated symfony/http-client to v7.4.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Regenerated .pot template with 388 strings
- All German (de_CH) translations up to date
- Compiled .mo file for production
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security Fixes:
- Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods)
- Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait)
- Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait)
- Added file size limit (2MB), row limit (1000), and rate limiting to CSV import
- Added JSON decode error handling in StoreApiExtension
- Added license ID validation in frontend.js to prevent selector injection
New Files:
- src/Api/IpDetectionTrait.php - Shared IP detection with proxy support
- src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations
Breaking Changes:
- None
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix admin license test popup showing empty product field
- Display product name in bold in test license modal
- Split auto-update settings into notification and auto-install options
- Add filter functionality to customer account licenses page
- Update translations (402 strings)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Regenerated .pot template with current strings
- All 402 strings translated in German (de_CH)
- Compiled .mo binary file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document WordPress auto-update system implementation
- Add /update-check endpoint to REST API table
- Add Update/ directory to project structure
- Add Email/ directory to project structure
- Update temporary roadmap to v0.7.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add UpdateController REST API endpoint for serving update info to licensed plugins
- Add PluginUpdateChecker singleton for client-side update checking
- Hook into WordPress native plugin update system (pre_set_site_transient_update_plugins, plugins_api)
- Add Auto-Updates settings subtab with enable/disable and check frequency options
- Add authentication headers for secure download requests
- Support configurable cache TTL for update checks (default 12 hours)
- Document /update-check endpoint in OpenAPI specification
- Update German translations
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Simplified JavaScript to avoid conflicts with WooCommerce's native show/hide logic
- Removed conflicting CSS rule for .hide_if_licensed
- License Settings tab uses CSS class toggle for proper display
- Variations tab properly shows for licensed-variable via woocommerce_product_data_tabs filter
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Product Versions meta box now always added to product pages, visibility controlled via CSS/JavaScript
- Added Installer::registerProductTypes() to create product type terms in the product_type taxonomy
- Product type terms are now ensured to exist on woocommerce_init hook for existing installations
- Fixed License Settings tab and Product Versions visibility toggling when changing product types
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix OrderLicenseController to use isLicensedProduct() for consistent product type detection
- Fixed expected licenses calculation for variable product orders
- Fixed manual license generation from admin order page for variable products
- Remove debug logging from all source files (PHP and JavaScript)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed stock indicator appearing in cart for licensed variable products
- Override get_children() with direct SQL query to bypass WooCommerce type check
- Override get_variation_attributes() for proper taxonomy attribute loading
- Override get_variation_prices() to prevent null array errors
- Override get_available_variations() with empty availability_html
- Added is_type() override to pass variable type checks
- Added multiple stock-related filters for comprehensive coverage
- Improved isLicensedProductOrVariation() with DB-level parent type check
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed is_purchasable() method in LicensedVariableProduct to delegate to
parent WC_Product_Variable instead of checking for price (variable products
don't have direct prices, only their variations do)
- Fixed getProductClass() filter to accept all 4 WooCommerce parameters
and use product_id for reliable variation parent detection
- Fallback to global $post when product_id not available for backwards compat
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Re-load product via wc_get_product() to ensure correct class instance
- Removed overly strict type check that prevented variations from displaying
- Now mirrors WooCommerce's standard woocommerce_variable_add_to_cart()
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added null checks for get_variation_attributes(), get_available_variations(), get_default_attributes()
- Show informative message when product has no variations configured
- Changed product type check from instanceof to is_type() for better compatibility
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated POT template with 388 strings
- All German (de_CH) strings translated
- Recompiled .mo file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Max Activations (was "Default Max Activations")
- License Validity (Days) (was "Default License Validity (Days)")
- Bind to Major Version (was "Default Bind to Major Version")
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CRITICAL: Key derivation now uses native hash_hkdf() for RFC 5869
compliance. Previous custom implementation was incompatible with
the magdev/wc-licensed-product-client library.
Changes:
- ResponseSigner::deriveCustomerSecret() now uses hash_hkdf()
- Added missing domain validation to /activate endpoint
- Customer secrets will change after upgrade (breaking change)
The signature algorithm now matches the client's ResponseSignature::deriveKey():
- IKM: server_secret
- Length: 32 bytes
- Info: license_key
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
