Added per-site token binding — every vault operation is authenticated by a site-specific secret stored locally, HMAC-verified on the broker
Added broker-to-site callback verification on first registration — proves site ownership before binding (DNS-pinned, SSRF-protected on the broker)
Expanded credential scanner from 5 to 20 patterns across wp_options, wp_postmeta, and wp_usermeta — now detects OpenAI, Anthropic, Google AI, OpenRouter, xAI, Replicate, HuggingFace, Stripe, GitHub, AWS, DigitalOcean, Slack, and SendGrid credential shapes
Hardened input validation across admin AJAX handlers
Normalized site URL handling to match broker canonical form (lowercase scheme/host, default ports stripped)
Expanded preset AI provider documentation with provider terms and privacy policy links
Clarified that the plugin does not connect to AI provider APIs directly — it protects keys for other plugins that do
1.0.0
Initial release
Support for AI API keys (OpenAI, Anthropic, Google AI, OpenRouter) and any custom API
AES-256 encrypted off-site vault
Automatic key injection via WordPress http_request_args filter
Secure placeholder keys for cross-plugin compatibility
One-click key rotation
Built-in database scanner to verify protection
Admin UI with domain presets and custom domain support
Rate-limited vault access (60 requests/minute per site)
