Editant

1.0.0

• New: Settings page now exposes configurable defaults for new review links (expiry, reviewer identification), email sender (name, address), and per-IP rate limits (read, write). Each field includes an inline tooltip. Empty email fields fall back to the WordPress default.
• New: “Editant Pro features” preview on the Settings page lists the access controls, signed approvals, retention policies, and integrations coming in Editant Pro.
• Changed: Tested up to WordPress 7.0.
• Changed: Editor sidebar icon refreshed to use the Editant brand silhouette, disambiguating it from WordPress 7.0’s new Notes feature.
• Internal: improved validation feedback on the Settings page; the “Application tokens” section is hidden when no extension subscribes.

0.10.0

• New: Eight extension hooks for Editant Pro and other Editant extensions. editant/comment/render_chrome decorates comment HTML. editant/decision/recorded lets subscribers observe approve / changes-requested events. editant/link/validate_settings extends link-settings validation. editant/reviewer/kinds registers new reviewer kinds. editant/admin/token_issuance_panel plugs UI into the Settings page. editant/event/dispatch is an audit-log event bus. editant/publish/gate_check lets extensions veto publishes. editant/activator/setup_blog runs alongside Free Core’s per-blog setup.
• New: Settings admin page (Editant -> Settings) as a slot host for application-token UI. Capability: manage_options.
• Internal: legacy editant_link_settings_validate filter replaced with editant/link/validate_settings (errors-array contract). No user-facing change.
• Internal: service-method signatures gained an int $actorUserId parameter where the actor identity wasn’t already passed in (LinkService::revoke, LinkService::updateSettings, LinkService::updateExpiry, CommentService::setStatus, CommentService::setThreadStatus). Internal API; no behaviour change for end users.

0.9.3

• Security: admin REST endpoints now require the relevant Editant capability (editant_view_links for reads, editant_manage_links for writes) in addition to the existing per-post edit_post check. Closes a gap where users granted edit_post by a third-party plugin or custom role could reach Editant link data without holding the Editant capabilities. Shipped to WordPress.org directly via SVN in response to plugin review feedback on the 0.9.2 submission.

0.9.2

• Security: explicit boundary sanitisation added across the reviewer-facing public endpoints (identity capture, comments, decisions).
• Removed the “Powered by Editant” attribution from the reviewer preview page.
• Source code for the bundled JavaScript and CSS now ships with the plugin under assets/src/, alongside the build configuration (composer.json, package.json, webpack.config.js).
• Documentation: added a Development section to the readme covering source layout and rebuild steps. Clarified the preview-page customisation filter hooks available to theme developers.

0.9.1

• Editor sidebar now appears on Pages and any public custom post type, not just Posts (migrated from @wordpress/edit-post to @wordpress/editor).
• Admin menu promoted from a submenu under Posts to a top-level menu item.
• Menu icon is now theme-aware: the SVG silhouette recolours per WordPress admin colour scheme.
• Permanently deleting a post now also removes its associated Editant links, reviewers, comments, and decisions.
• User-facing labels in the admin dashboard made post-type-neutral (“item”, “title”, “content” rather than “post”).
• Documentation: clarified that Editant requires the block editor and that the Classic Editor plugin is not supported.
• Documentation: added FAQ entry covering the rewrite-rules refresh required when reviewer links return 404 immediately after install.
• Internal: repository interface layer introduced across the four data-path repositories; multisite-aware activator dispatcher.

0.9.0

Initial pre-release.

Reviewer experience

• Tokenised preview links with configurable expiry, revocation, and regeneration.
• Login-free access; optional name or name + email identity capture.
• Threaded comments and approve / request changes decisions.

Authoring experience

• Block editor sidebar with live thread updates (auto-refresh and manual refresh).
• Reply to reviewer comments from inside the editor.

Admin dashboard

• Admin list view with link counts, reviewer activity, and decision summaries.
• Per-item detail view showing all links, threads, and decisions on one screen.

Notifications

• Email notifications via wp_mail for new comments, replies, and decisions.

Internationalisation and accessibility

• Full RTL support across reviewer page, sidebar, and dashboard.
• All user-facing strings translatable; .pot file shipped.

Privacy and security

• Tokens generated with random_bytes(32); stored as SHA-256 hashes only.
• Per-site hash salt for IP, email, and user agent fingerprints.
• Rate limiting on all public endpoints.
• GDPR personal data exporter and eraser registered with WordPress core privacy tools.
• X-Robots-Tag: noindex, nofollow, noarchive and Cache-Control: no-store on every preview response.

Quality

• PHPUnit suite covering domain values, services, repositories, and privacy classes.
• Playwright end-to-end test for the reviewer happy path.