# Changelog

## 1.0.1

### Added
- Early serving support (plugin-based; no WordPress drop-ins) with UI status and improved safety.
- Health tab (cache directory permissions, cache size, last purge, and hit/miss counters).
- Automation: Preload/Warm cache (WP-Cron) with sitemap and URL list support.
- Automation: Garbage Collection (WP-Cron) + max cache size enforcement (trim oldest cache files).
- Rules: strip marketing query strings (utm_*, gclid, fbclid, etc.) and allowlist query parameters.
- Optional separate cache variant for mobile user agents.
- Debug log (optional) with viewer and Clear log tool.

### Changed
- Purge keeps runtime config/stats/logs intact and re-creates essential directories.

### Improved
- Admin UX: prominent one-click global purge and WP Admin Bar shortcut.
- Privacy-safe analytics: top cached paths (path-only; no query strings) and daily cache size trend sampling (admin-only).
- Performance: cache size calculations are transient-cached to reduce disk scanning overhead.
- Compatibility: recursive cache directory creation (wp_mkdir_p) to avoid missing cache/config on fresh installs.
- Security: do not cache requests carrying Authorization headers.
- Security: Preload/Warm-cache accepts only local (same-host) URLs and uses hardened HTTP options (reject unsafe URLs; no redirects).
- Cache correctness: explicitly bypass cache for wp-login.php, wp-json, xmlrpc.php, and wp-cron.php.

### Fixed
- Settings key mismatches for allowlist query parameters and sitemap URL.
- Admin UI: improved status reporting consistency and safer fallbacks.
- Fatal error in Tools view due to missing utility method aliases (debug log tail/clear).
- Removed deprecated add_option() parameter usage.
- Added error accounting for failed cache writes.

All notable changes to this project will be documented in this file.

## [1.0.0] - 2025-12-17

### Added
- Initial release.

### Security
- Cache safety: do not cache responses that set cookies or send Cache-Control directives such as no-cache/no-store/private (and Pragma: no-cache).
- Cache integrity: cached HTML is signed and verified (HMAC); unsigned or failed verification is treated as a cache miss.
- Filesystem hardening: cache read/write/purge is constrained to the dedicated cache directory under wp-content/cache/brenwp-cache.

### Compatibility
- WordPress.org language pack compatibility (no manual textdomain loading).

### Developer
- Request cacheability checks cover common non-cacheable contexts (admin/AJAX/REST/feed/search/preview, etc.).
- Settings sanitization covers all plugin options (cookie/UA exclusions, bypass param, and optional 404 caching).
- WPCS-style cleanup for safer output handling and consistent braces/indentation.