ArchivioMD

1.17.4

• Fixed version mismatch: plugin header Version and MDSM_VERSION constant were stuck at 1.16.0 across the 1.17.x release series. Both now correctly read 1.17.4 and match the readme Stable tag.

1.17.3

• Added /.well-known/archiviomd-dns-spec.json — a machine-readable, self-contained specification for the amd1 TXT record format, the TLSA profile, the canonical message format, and the end-to-end verification flow.
• archiviomd-dns.json now includes a spec_url field pointing to the spec endpoint.

1.17.2

• Added TLSA cert-expiry staleness warning (≤ 30 days warns, expired errors).
• Added ARCHIVIOMD_DANE_TTL constant; TTL now configurable and used consistently across rotation threshold, admin UI, and Cache-Control headers.
• Added ETag / If-None-Match / 304 conditional response support to the discovery endpoint.
• Fixed discovery endpoint returning HTTP 404 when DANE disabled — now returns HTTP 200 with {“enabled”:false} so verifiers can distinguish module-off from a wrong URL.
• Fixed DoH network timeout surfacing as a false “DNSSEC not validated” admin notice.

1.17.1

• Added TLSA / DANE-EE support (RFC 6698) for the ECDSA P-256 certificate. Selector=1 (SubjectPublicKeyInfo) so the record survives certificate renewal without a key change.
• Added copy-to-clipboard buttons for all DNS TXT record values in the admin UI.
• Fixed Cache-Control bug in the discovery endpoint that overwrote the intended public, max-age=3600 header.
• Added –enable and –disable flags to wp archiviomd dane-check.

1.17.0

• Added DANE / DNS Key Corroboration. Publishes Ed25519, SLH-DSA, ECDSA P-256, and RSA public keys as DNSSEC-protected DNS TXT records in the custom amd1 format. DoH-based health checks, weekly passive cron, key rotation workflow, machine-readable discovery endpoint at /.well-known/archiviomd-dns.json, JSON-LD integration, and WP-CLI wp archiviomd dane-check.

1.16.0

• Added RSA Compatibility Signing (Extended Format). RSA-PSS/SHA-256 (recommended) and PKCS#1 v1.5/SHA-256. Minimum key size 2048 bits enforced. Public key published at /.well-known/rsa-pubkey.pem.
• Added CMS / PKCS#7 Detached Signatures (Extended Format). DER blob importable directly into Adobe Acrobat and enterprise DMS platforms as .p7s. Reuses existing ECDSA or RSA key.
• Added JSON-LD / W3C Data Integrity Proofs (Extended Format). Cryptosuites eddsa-rdfc-2022 and ecdsa-rdfc-2019. DID document at /.well-known/did.json.
• All three new methods are opt-in, disabled by default, and sign the same canonical message as all other methods.

1.15.0

• Added ECDSA P-256 document signing (Enterprise / Compliance Mode). Nonce generation delegated entirely to OpenSSL. Certificate validated on every signing operation. Private keys stored outside DOCUMENT_ROOT, chmod 0600. Leaf certificate published at /.well-known/ecdsa-cert.pem.

1.14.0

• Added SLH-DSA (SPHINCS+) post-quantum document signing — NIST FIPS 205, pure PHP, no extensions or Composer dependencies. Four parameter sets: SHA2-128s (default), SHA2-128f, SHA2-192s, SHA2-256s. Hybrid mode with Ed25519 via shared DSSE envelope.

1.13.1

• Fixed SSRF in the URL decoder (ajax_decode_url()): hostname now resolved via dns_get_record() with full private/loopback range rejection and cURL IP pinning to prevent TOCTOU.
• Fixed rate limiter bypass via X-Forwarded-For: now uses rightmost IP with private-range validation, falls back to REMOTE_ADDR.
• Fixed evidence receipts signed over arbitrary POST data: handler now fetches the authoritative server-written log row by ID.
• Fixed key rotation warning that could not be dismissed (wrong option key names in delete calls).
• Fixed three canary option keys missing from the site-specific obfuscation map (fell through to a site-agnostic fallback, defeating the scheme).
• Fixed ReDoS in extract_main_content(): input capped at 2 MB; DOMDocument used as primary extractor; regex fallback uses bounded quantifiers.
• Removed sslverify => false from all outbound fetches.
• Added persistent admin notice when ARCHIVIOMD_HMAC_KEY is not defined in wp-config.php.

1.13.0

• Added Ch.13 (Sentence-count parity) and Ch.14 (Word-count parity) structural fingerprinting channels — CDN-proof, survive Unicode normalisation.
• Added Cache-Control: no-transform header on all fingerprinted responses.
• Renamed REST endpoints from archiviomd/v1/canary-check to content/v1/verify to reduce plugin fingerprinting via API enumeration.
• Added .htaccess to plugin root blocking direct HTTP access to .php, .txt, .json, and other source files.
• Added key-derived pair selection for Ch.5/6/8/9: active dictionary subset is site-specific, making adversarial reversal equivalent to key brute-force.
• Added wp_options key obfuscation for all Canary Token settings.

1.12.0

• Added Cache Compatibility Layer. Detects and repairs Unicode fingerprint stripping by WP Super Cache, W3 Total Cache, LiteSpeed Cache, WP Rocket, and other HTML-minifying caching plugins — no caching plugin configuration required.

1.11.0

• Added Canary Token channels Ch.8–Ch.12: Spelling Variants (60+ British/American pairs), Hyphenation Choices (30+ compound pairs), Number/Date Style, Punctuation Style II, Citation/Title Style.

1.10.0

• Added REST API fingerprinting (closes WP REST API scraping path).
• Added rate limiting on public verification endpoint (60 req/min; HTTP 429).
• Added Key Health Monitor with persistent admin notice on HMAC key change.
• Added Discovery Log (wp_archivio_canary_log) with CSV export.
• Added Signed Evidence Package — .sig.json receipt with SHA-256 + optional Ed25519 signature for each decode event.
• Added Re-fingerprint All Posts bulk action (single atomic SQL upsert).
• Added Canary Coverage meta box on the post edit screen.
• Added Ch.7 (Punctuation Choice: Oxford comma, em-dash/parentheses).
• Added URL Decoder and DMCA Notice Generator tabs.

1.9.0

• Added Ch.5 (Contraction Encoding) and Ch.6 (Synonym Substitution) to the Canary Token semantic layer. Both opt-in, disabled by default.

1.8.0

• Added Canary Token steganographic content fingerprinting (opt-in, disabled by default). 112-bit HMAC-authenticated payload across four Unicode channels with majority-vote redundancy.

For versions prior to 1.8.0, see the full changelog on the plugin’s development repository.