# Changelog

All notable changes to this project will be documented in this file.

## [1.1.3] - 2026-03-07

### Security

- **Template output escaping**: Added `|esc_url` filter to all unescaped URL outputs across 8 Twig template partials — `header.html.twig`, `header-offcanvas.html.twig`, `header-transparent.html.twig`, `header-centered.html.twig`, `footer.html.twig`, `footer-columns.html.twig`, `search-form.html.twig`, `comment-item.html.twig`. Covers `site.url`, `item.url`, `child.url`, `user.account_url`, `comment.author_url`, and `comment.edit_url`.

### Added

- **Twig escape filters** (`TwigService.php`): Registered `esc_html`, `esc_attr`, and `esc_url` as Twig filters with `['is_safe' => ['html']]` to prevent double-encoding. Complements existing `wpautop` and `wp_kses_post` filters.

## [1.1.2] - 2026-03-01

### Security

- **WidgetRenderer regex hardening**: Combined two separate `preg_replace` calls for h2→h4 heading downgrade into a single regex that only matches `<h2>` elements with the `wp-block-heading` class. The previous approach replaced all `</h2>` tags unconditionally, risking mismatched tags if a widget contained non-block h2 elements.

### Performance

- **O(n) comment tree building** (`ContextBuilder`): Replaced O(n²) recursive scan with a parent-indexed lookup map built in a single pass. Each recursion level now iterates only direct children instead of all comments.
- **Consolidated sidebar queries** (`ContextBuilder`): Merged three separate sidebar detection branches (`is_home`, `is_page`+sidebar, `is_singular` post) into a single boolean check with one `getSidebarData()` call, eliminating up to 2 redundant calls per request.
- **Transient caching for sidebar data** (`ContextBuilder`): `getSidebarRecentPosts()` and `getSidebarTags()` results cached in WordPress transients (1 hour TTL). Invalidation hooks on `save_post` (recent posts) and `create/edit/delete_post_tag` (tags).

### Changed

- **Hex-to-RGB consolidation** (`functions.php`): `wp_bootstrap_hex_to_rgb()` now delegates to `wp_bootstrap_hex_to_rgb_array()` instead of duplicating hex parsing logic. Added `ctype_xdigit()` validation and return type hints to all color utility functions.

## [1.1.1] - 2026-02-28

### Added

- **PHPUnit test suite**: 64 unit tests covering `BlockRenderer`, `WidgetRenderer`, `NavWalker`, and `TemplateController` classes with 107 assertions. Uses PHPUnit 11 and Brain\Monkey for WordPress function mocking.
- **Test infrastructure**: `WP_HTML_Tag_Processor` functional stub using DOMDocument for testing block renderer HTML manipulation outside WordPress. Empty stubs for `WP_Block` and `WP_Widget` type hints.
- **Build pipeline integration**: Tests run automatically before every `npm run build` via `prebuild` hook (`composer exec -- phpunit`).
- **CI test job**: New PHPUnit test step in Gitea CI workflow between lint and build-release. Tests must pass before release packages are built.
- **Release package exclusions**: `tests/`, `phpunit.xml.dist`, and `.phpunit.cache/` excluded from release ZIP packages with verification step.

## [1.1.0] - 2026-02-28

### Added

- **Block Renderer** (`inc/Block/BlockRenderer.php`): New class that injects Bootstrap 5 classes into WordPress core block HTML output on the frontend via per-block `render_block_{$name}` filters. Handles 8 block types:
  - `core/table` — `.table` on `<table>`, `.table-striped` when stripes style is active
  - `core/button` — `.btn` + `.btn-{variant}` or `.btn-outline-{variant}` mapped from WP preset color slugs
  - `core/buttons` — `.d-flex .flex-wrap .gap-2` on button group wrapper
  - `core/image` — `.img-fluid` on `<img>` for responsive images
  - `core/search` — `.input-group` on inner wrapper, `.form-control` on input, `.btn .btn-primary` on button
  - `core/quote` — `.blockquote` on `<blockquote>`, `.blockquote-footer` on `<cite>`
  - `core/pullquote` — Same blockquote treatment inside `<figure>`
  - `core/list` — `.list-group` + `.list-group-item` when `is-style-list-group` block style is selected
- **Widget Renderer** (`inc/Block/WidgetRenderer.php`): New class that transforms sidebar widgets into Bootstrap 5 card components via `dynamic_sidebar_params` and `widget_block_content` filters. Wraps each widget in a `.card > .card-body` structure with `.card-title` headings. Downgrades block widget `<h2>` headings to `<h4>` for proper sidebar visual hierarchy.
- **Widget SCSS** (`src/scss/_widgets.scss`): New stylesheet for sidebar widget Bootstrap styling — list-group-style list items with border separators, flush-to-card-edge list positioning, Bootstrap form-control styling for select dropdowns, search form input-group layout, tag cloud with pill badges, and secondary-color post dates.
- **List Group block style**: New "List Group" style registered for `core/list` blocks — applies Bootstrap `.list-group` and `.list-group-item` classes when selected in the editor.
- **Single post sidebar template** (`views/pages/single-sidebar.html.twig`): New two-column layout for blog posts with `col-lg-8` content area and `col-lg-4` sidebar. Includes all single post features (meta, thumbnail, tags, post navigation, comments, more posts). "More posts" section uses `row-cols-md-2` to fit the narrower column.
- **Extensibility**: `wp_bootstrap_block_renderer_blocks` filter allows child themes to add/remove block handler mappings.

### Changed

- **Post template default** (`inc/Template/TemplateController.php`): Blog posts now render with the sidebar layout by default (`single-sidebar.html.twig`). Posts assigned the "Full Width" template use `single.html.twig` instead. Template selection uses `get_page_template_slug()` with a `match` expression.
- **Sidebar data for posts** (`inc/Template/ContextBuilder.php`): Posts always receive sidebar data (recent posts, tags, widgets) regardless of template selection, ensuring the sidebar partial always has data available.
- **Widget SCSS import** (`src/scss/style.scss`): Added `_widgets` partial import between Bootstrap Icons and custom styles.

## [1.0.12] - 2026-02-28

### Fixed

- **Admin bar offcanvas padding on desktop** (`functions.php`): Scoped the admin bar offcanvas padding fix to mobile viewports only (`max-width: 991.98px`) so the extra padding does not appear on wide screens where the offcanvas renders inline as a regular navbar.

## [1.0.11] - 2026-02-28

### Changed

- **Offcanvas mobile navigation**: Default header now uses `header-offcanvas.html.twig` instead of `header.html.twig`. Mobile navigation slides in as an offcanvas panel from the right instead of collapsing downward.
- **User avatar in offcanvas header**: When logged in, the offcanvas header displays the user's Gravatar and display name linking to the WooCommerce My Account page (or WP admin profile as fallback). Falls back to the site name when logged out.
- **Dark mode toggle repositioned**: Moved from the offcanvas body to the offcanvas footer on mobile. Desktop toggle remains in the navbar.

### Added

- **User context data** (`inc/Template/ContextBuilder.php`): New `getUserData()` method exposing `user.logged_in`, `user.display_name`, `user.avatar`, and `user.account_url` to all Twig templates.

### Fixed

- **Admin bar overlapping offcanvas** (`functions.php`): Inline CSS via `wp_add_inline_style()` adds `padding-top` matching the admin bar height to `.offcanvas` when the admin bar is visible, preventing content overlap.

## [1.0.10] - 2026-02-25

### Fixed

- **Title double-encoding in Twig templates** (`inc/Template/ContextBuilder.php`): WordPress's `get_the_title()` pre-encodes `&` as `&#038;`. When passed to Twig with autoescape enabled, the `&` in `&#038;` was escaped again to `&amp;#038;`, rendering as literal `&#038;` in the browser (e.g. "Bewerbungen &#038; Nachrichten" instead of "Bewerbungen & Nachrichten"). Fixed by wrapping all 6 `get_the_title()` calls with `wp_specialchars_decode()` to decode WordPress entities before Twig. Twig autoescape then properly re-encodes `&` → `&amp;`. This is XSS-safe because Twig still escapes all output.

## [1.0.9] - 2026-02-19

### Performance

- **Color variation CSS transient caching** (`functions.php`): `wp_bootstrap_variation_colors()` now caches the generated inline CSS in a 24-hour WordPress transient keyed by `wp_bootstrap_variation_css_` + an MD5 of the active stylesheet slug. Previously the palette iteration and CSS string building ran on every frontend page load. The transient is immediately invalidated on `switch_theme` and `save_post_wp_global_styles`, so changes made via the Design Editor are reflected instantly.
- **Twig template recompilation gated behind `WP_DEBUG`** (`inc/Twig/TwigService.php`): `auto_reload` in the Twig `Environment` constructor was hardcoded to `true`, causing Twig to stat every compiled template file on every request to check for source changes. Changed to `WP_DEBUG` so template recompilation only occurs during development. In production (`WP_DEBUG = false`) compiled Twig templates are served from cache without filesystem mtime checks.

## [1.0.8] - 2026-02-19

### Security

- **Archive XSS hardening**: `ContextBuilder::getArchiveData()` now wraps `get_the_archive_title()` and `get_the_archive_description()` with `wp_kses_post()`. Term descriptions are user-editable by Editors and above; without sanitization an injected `<script>` tag would execute via the `|raw` filter in `archive.html.twig`
- **Comment author XSS hardening**: `ContextBuilder::buildCommentTree()` now applies `esc_html()` to `comment_author` and `esc_url()` to `comment_author_url` at the data source, preventing injection via user-supplied comment fields
- **Dark mode localStorage whitelist**: `getPreferredTheme()` in `dark-mode.js` now validates the stored theme value against `['dark', 'light']` before use, preventing attribute injection from a tampered localStorage value written by a third-party script
- **Twig escaping functions marked safe**: `esc_html()`, `esc_attr()`, and `esc_url()` registered in `TwigService` are now declared with `['is_safe' => ['html']]`, preventing double-encoding if Twig autoescape is ever enabled

### Changed

- `views/partials/comment-item.html.twig`: Comment author URL now output via `{{ comment.author_url|raw }}` (escaped in PHP) instead of calling `esc_url()` from the template, keeping escaping logic in one place

## [1.0.7] - 2026-02-18

### Added

- `do_shortcode()` registered as a Twig function in `TwigService`, allowing shortcodes to be rendered directly from Twig templates via `{{ do_shortcode('[shortcode]') }}`

## [1.0.6] - 2026-02-14

### Fixed

- Sidebar widgets not rendered on pages using the "Page with Sidebar" template — `ContextBuilder::build()` only populated `sidebar` context for `is_home()`, so `page-sidebar.html.twig` received no widget data

## [1.0.5] - 2026-02-11

### Added

- 11 new translation files: de_CH_informal, de_DE, de_DE_informal, en_GB, es_ES, fr_CH, it_CH, it_IT, nl_NL, pl_PL, pt_PT (total: 13 locales + en_US base)
- Compiled .mo files for all 13 translations

### Changed

- Standardized all .po file names to use `wp-bootstrap-` prefix (WordPress convention: `{text-domain}-{locale}.po`)

## [1.0.4] - 2026-02-11

### Added

- `wp_bootstrap_should_render_template` filter in `TemplateController::render()` — allows plugins and child themes to prevent the theme from rendering a specific request, enabling clean separation of concerns when plugins handle their own page rendering

## [1.0.3] - 2026-02-11

### Fixed

- Double `<h1>` headings on pages where plugins provide their own titles — `page.html.twig` now wraps `<h1>` in `{% if post.title is not empty %}` guard so plugins can suppress it by passing empty `post.title`

## [1.0.2] - 2026-02-10

### Fixed

- Missing HTML `<title>` tag on all pages — theme never declared `add_theme_support('title-tag')`, so WordPress's `_wp_render_title_tag()` hook was inactive during `wp_head()` output in Twig templates

## [1.0.1] - 2026-02-09

### Added

- Bootstrap Icons web font integration — all 2,000+ icons available via `<i class="bi bi-*"></i>` CSS classes
- `copy:icons` build step to copy icon font files (`.woff`, `.woff2`) from `node_modules` to `assets/fonts/`
- Bootstrap Icons SCSS imported in both frontend and editor stylesheets for icon support in templates and block editor

## [1.0.0] - 2026-02-08

### Added

- Sidebar widget area (`primary-sidebar`) registered via `register_sidebar()` — manageable in Appearance > Widgets
- Widget area rendering in Twig sidebar with fallback to built-in content (recent posts, search, tags) when no widgets assigned
- Widget area description strings added to all translation files (en_US, de_CH, fr_FR)

### Changed

- Updated README.md with accurate feature counts (15 style variations, 41 patterns, 3 translations)
- Added documentation for style variation bridge, widget areas, RTL support, and accessibility features

## [0.3.3] - 2026-02-08

### Fixed

- Style variation colors not applied to Bootstrap frontend — bridge function checked wrong palette origin (`custom` instead of `theme`)
- Variation detection now compares `theme` origin against base theme.json defaults instead of looking for slugs in `custom` origin

## [0.3.2] - 2026-02-08

### Fixed

- Dark mode body colors overridden by WordPress global styles (`styles.color` in `theme.json` generated conflicting `body` CSS)
- Dark mode styling for plugin-generated form elements (`select`, `input`, `textarea`) that lack Bootstrap classes
- Footer columns template used hardcoded `bg-dark text-light` instead of semantic `bg-body-tertiary`
- Style variation bridge function ran with default palette when no variation was active, causing unnecessary CSS overrides

### Changed

- Removed `styles.color` from `theme.json` to prevent WordPress from generating body background/text CSS that conflicts with Bootstrap dark mode
- Added `!important` override in `_custom.scss` for `html[data-bs-theme="dark"] body` to ensure Bootstrap dark mode takes precedence
- Added broad dark mode rules for native form elements in `_custom.scss`

## [0.3.1] - 2026-02-08

### Added

- 4 new light style variations: Rose, Sand, Lavender, Mint
- 4 new dark style variations: Slate, Mocha, Nebula, Obsidian
- Total of 15 color palettes available in the Design Editor (7 light, 7 dark, plus default)

## [0.3.0] - 2026-02-08

### Added

- Skip-to-content link for keyboard navigation accessibility
- ARIA labels on all navigation landmarks (`<nav>`, `<aside>`)
- `aria-current="page"` on active dropdown menu items across all header variants
- Lazy loading (`loading="lazy"`) on all below-fold images (post thumbnails, cards, avatars)
- Screen reader announcement for dark mode toggle via `aria-live` status region
- Font preload hints for Inter and Lora variable fonts
- RTL language support: conditional RTL stylesheet, logical CSS properties for blockquote and list styles
- French (fr_FR) translation with all ~216 strings translated
- CSS classes for post thumbnails, card thumbnails, sidebar headings, and hero overlays (replacing inline styles)

### Fixed

- XSS vulnerability in search results template (`search_query` now escaped with `|e('html')`)
- Comment author URLs now explicitly escaped with `esc_url()` in Twig templates

### Changed

- Block style `blockquote-accent` uses `border-inline-start` instead of `border-left` for RTL compatibility
- Block style `list-unstyled` uses `padding-inline-start` instead of `padding-left` for RTL compatibility
- Inline styles in Twig templates replaced with CSS classes for maintainability
- Updated translation files (`.pot` and `de_CH.po`) with new accessibility strings
- Build pipeline includes RTL SCSS compilation step

## [0.2.0] - 2026-02-08

### Added

- Full Design Editor compatibility: Bootstrap JS in block editor, full Bootstrap SCSS in editor stylesheet
- 3 custom block categories: Bootstrap Layout, Bootstrap Components, Bootstrap Navigation
- 3 custom pattern categories: Layout, Components, Navigation
- 4 layout patterns: container, 2-column, 3-column, full-width section
- 2 component patterns: card group, accordion
- 3 full-page patterns: about, services, contact
- 4 custom page templates (FSE + Twig): landing (no header/footer), full-width, hero, sidebar
- 2 header variations (FSE + Twig): centered, transparent
- 2 footer variations (FSE + Twig): minimal, multi-column
- 2 navigation patterns: dark navbar, offcanvas mobile navigation
- Offcanvas navigation Twig partial with Bootstrap offcanvas component
- Editor SCSS overrides for alignment and spacing consistency
- Shadow presets (sm, md, lg), aspect ratio presets, and custom layout values in `theme.json`
- Header/footer variant support via `get_theme_mod()` in `ContextBuilder`
- Twig block inheritance in `base.html.twig` for header/footer variant overrides
- Custom page template routing via `get_page_template_slug()` in `TemplateController`
- Transparent header and offcanvas dark mode SCSS styles

### Changed

- Enhanced `editor-style.scss` to import full Bootstrap for WYSIWYG editor fidelity
- Enhanced `theme.json` with custom templates and template parts registration
- Enhanced `functions.php` with block editor assets, block categories, and pattern categories
- Enhanced `ContextBuilder` with header/footer variant methods
- Enhanced `TemplateController` with custom page template slug routing
- Updated translation files (`.pot` and `de_CH.po`) with all new translatable strings

## [0.1.1] - 2026-02-08

### Added

- Twig-based frontend rendering via `template_redirect` hook, bypassing FSE block markup on the frontend while preserving Site Editor functionality
- `TemplateController` class: resolves and renders Twig templates for all page types (home, single, page, archive, search, 404)
- `ContextBuilder` class: gathers WordPress data (posts, menus, pagination, comments, sidebar, archive info) into structured arrays for Twig
- `NavWalker` class: converts flat `wp_get_nav_menu_items()` into nested tree for Bootstrap dropdown menus
- 20 Twig templates with proper Bootstrap 5 HTML: base layout, 5 page templates, 9 partials (header, footer, pagination, sidebar, comments, search form, dark mode toggle, meta, post navigation), 3 components (post card, post grid card, post loop)
- Bootstrap 5 navbar with responsive collapse, brand, dropdown support, and dark mode toggle
- Bootstrap 5 card components for post listings
- Bootstrap 5 pagination component
- Bootstrap 5 comment section with threaded replies and Bootstrap-styled form fields
- Bootstrap 5 sidebar with recent posts, search, and tag cloud (badges)
- Previous/next post navigation and "More posts" grid on single posts
- WordPress functions in Twig: `wp_head`, `wp_footer`, `wp_body_open`, `language_attributes`, `body_class`, `home_url`, `get_bloginfo`, `get_search_query`, `wp_kses_post`, `number_format_i18n`, `_n`
- Twig globals: `site_name`, `site_description`, `site_url`, `theme_uri`, `charset`, `current_year`
- Twig filters: `wpautop`, `wp_kses_post`
- `primary` and `footer` navigation menu locations
- Comment form fields filter for Bootstrap classes (`form-control`, `form-label`, `form-check`, `btn`)
- Fallback menu from published pages when no menu is assigned
- Sidebar layout detection for "Blog with Sidebar" template
- README.md with project documentation

### Changed

- Enhanced `TwigService` with WordPress output-buffering functions, globals, and filters

## [0.1.0] - 2026-02-08

### Added

- Dark mode toggle with Bootstrap 5.3 `data-bs-theme` attribute, localStorage persistence, and `prefers-color-scheme` support
- 16 new block patterns: hero (cover, split, centered), features (3-col, icon list, 2-col offset), CTA (banner, newsletter), testimonials (2-col, centered), pricing (3-col), contact info, FAQ, about section, sidebar, dark mode toggle
- 17 custom block styles: cards (2), alerts (4), table variants (3), quote accent, image effects (2), button sizes (2), list styles (2), separator wide
- 4 style variations (color schemes): Ocean, Forest, Sunset, Midnight
- Sidebar template part with recent posts, search, and tag cloud
- "Blog with Sidebar" custom page template
- Inter (sans-serif) and Lora (serif) variable web fonts
- "Display" font size for hero headings
- 7 new pattern categories: hero, CTA, features, testimonials, pricing, contact, text
- Dark mode overrides for alert and card block styles in SCSS

### Changed

- Header pattern now includes dark mode toggle button
- Build pipeline adds theme JS copy step (`copy:theme-js`)

## [0.0.1] - 2026-02-08

### Added

- Initial theme scaffolding
- Bootstrap 5 CSS and JS integration (served locally via npm)
- SASS build pipeline with Dart Sass, PostCSS, Autoprefixer, cssnano
- Twig 3.0 template engine integration via Composer
- FSE templates: index, home, single, page, archive, search, 404
- Template parts: header, footer
- Block patterns: header, footer, query loop, comments, post navigation, more posts, 404, search, blog heading, written by
- `theme.json` with Bootstrap 5-aligned design tokens (colors, typography, spacing)
- WordPress i18n support with `en_US` (base) and `de_CH` translations
- Gitea CI/CD workflow for automated release packages
- Editor styles for block editor compatibility