Security: Detect generic key fields (n8n Google API pattern queryParameters.parameters[].name = “key”) and redact them when the value looks secret-shaped. Closes a gap where API keys bypassed the name-based filter.
Security: Defense-in-depth entropy heuristic (looks_like_secret()) with vendor regex for AIza / sk- / ghp_ / Bearer plus a length+char-class fallback — catches custom tokens the name allowlist can’t enumerate.
Security: Redact credential display names and meta.instanceId so workflow exports can no longer be correlated to the originating n8n instance or team.
Security: Optional tag removal at publish time (opt-in checkbox in wizard step 3). Workflow tags are often harmless but occasionally identifying — publisher decides per workflow.
Security: Wizard step 3 now shows a collapsible Reason / Key / Note table listing exactly what was masked, so publishers can verify before clicking Publish.
Mobile: Rewrote the SVG touch handling. Single-finger pan is now smooth; pinch-to-zoom and double-tap-to-zoom work on iOS and Android. touch-action: none on the diagram SVG ends the browser-vs-plugin gesture tug-of-war that caused the “finger loses tracking” stutter.
Mobile: Minimap now responds to touch — tap or drag to navigate.
Note: Starting a touch on the diagram SVG blocks page scroll until the finger lifts. This is intentional so gestures are unambiguous; scroll around the diagram still works.
1.0.3
Fixed double rendering when “Easy Table of Contents” (or any plugin that re-runs the_content filters) is active. The shortcode now silently deduplicates re-entrant invocations via a fingerprint of post id + resolved render settings.
Wrapper id is now unique per instance (breznflow-wrap-<POSTID>-<COUNTER>), enabling multiple embeds of the same workflow with different attributes in one post.
Anchor span id=”breznflow-<POSTID>” is emitted only for the first instance per post to keep the DOM valid and preserve existing share links.
Renderer now guards against mounting twice onto the same container.
1.0.2
Fixed WordPress.org plugin review issues.
Embed page now uses wp_enqueue_style/wp_enqueue_script with wp_head/wp_footer instead of direct HTML tags.
Added nonce verification to wizard step navigation (steps 2 and 3).
Improved input sanitization for $_FILES handling in theme import.
Improved JSON input handling with explicit type validation.
Added wp_strip_all_tags() escaping for inline CSS in wp_add_inline_style() calls.
Added late escaping (sanitize_key, esc_attr) in custom theme CSS output.
Improved phpcs:ignore documentation for public read-only endpoints.
1.0.1
Fixed WordPress Plugin Check warnings for WordPress.org compliance.
Removed deprecated load_plugin_textdomain() call — translations are now loaded automatically by WordPress (since WP 4.6).
Prefixed all global template variables in themes.php with breznflow_ for WPCS naming conventions compliance.
1.0.0
Interactive SVG renderer with zoom, pan, and node detail panel.
3-step import wizard with JSON validation, URL fetch, and sensitive data masking.
86 node type registry with brand colors and icons.
Shortcode [breznflow] with 13 attributes for mode, zoom, theme, and display toggles.
Auto-fit zoom for large workflows (configurable threshold, default: 30 nodes).
Minimap toggle per workflow and via shortcode attribute.
5 built-in themes (Dark, Light, Minimal, Tech, Brezn) plus custom theme import via .breznflow.json files.
Action bar with share, embed, get JSON, and download buttons.
Embed handler for standalone iframe embedding with dual-gate security.
Download handler for sanitized JSON export with dual-gate security.
Two-pass sensitive data masking: URL parameters, header values, and entropy-based condition detection.
View counter and related workflows by shared node types.
AI detection badges for workflows containing AI nodes.
