Aetos SEO

Changelog

Every release. Every fix. No marketing language.

v3.3.0 · security · architectural

License Server v2 (Ed25519, server-only signing)

  • Server holds the Ed25519 private key — plugin holds public key only
  • Cache stores full signed responses; cache forgery requires the private key
  • Legacy v3 (n8n) protocol kept as fallback during migration window
  • Closes the v3.x pepper-on-disk concern entirely

v3.2.0 · brand

Customer-facing rebrand → Aetos SEO

  • Plugin name + brand display = Aetos SEO
  • Publisher remains Nsr Elmtagr Digital Marketing
  • Internal slugs / option keys / namespaces unchanged — full backward compat
  • No security or schema changes

v3.1.5 · reliability · ux

Cache-preservation on lock timeout + filterable XLSX neutralizer

  • Nonce-lock timeout no longer overwrites the durable signed cache
  • Preserves the 14-day grace runway
  • CSV/XLSX neutralizer now filterable for trusted-data export pipelines

v3.1.4 · security · code quality

Fail-closed nonce-lock + dead code removal

  • Lock acquisition timeout now fails CLOSED (routes through grace_or_fail)
  • Deleted dead Reports/Formats/XlsxWriter.php

v3.1.3 · security

License fail-open + KB containment + true-atomic nonce lock

  • Unknown signed remote statuses now hard-fail INVALID (was GRACE)
  • KB-root containment applied in full mode (was: focused mode only)
  • Grounding-brief prompt-injection sanitized on both call paths
  • Nonce-tracker lock replaced with TRUE atomic primitive (wp_cache_add / add_option)
  • XLSX formula neutralizer moved onto the active export path

v3.1.2 · security

Multi-nonce ring buffer + atomic nonce-tracker writes

  • Ring buffer of last 8 consumed nonces (closes alternating-nonce replay)
  • Atomic read-modify-write on the nonce store
  • Added SECURITY.md and CHANGELOG.md

v3.1.1 · security

License replay-attack closure + broker URL allowlist

  • Today freshness window (±36h) added to license-response verification
  • Per-build nonce-replay tracker
  • broker_url() restricted to vendor host allowlist

v3.1.0 · security · reliability

Strict remote signature default + 18 closed audit findings

  • Strict remote-signature verification default-on
  • IPv6 SSRF resolver (gethostbynamel → dns_get_record A+AAAA)
  • Atomic audit-run lock (wp_cache_add / add_option)
  • CSV/XLSX formula-injection neutralizer
  • KB prompt-injection guard for AI-augmented audits
  • KB-roots containment, ENGINE=InnoDB pin, schema downgrade guard
  • Daily chat-history prune cron
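
The license-response checks listed under v3.3.0 and v3.1.1 through v3.1.3 (public-key-only Ed25519 verification, ±36h freshness, 8-nonce ring buffer, unknown status hard-fails INVALID), sketched in PHP as an added example. This is not the plugin's code: the payload layout, the field names (`status`, `nonce`, `issued_at`), the status set and the function name are assumptions.

```php
<?php
// Added illustration, not Aetos SEO source. Payload layout, field names,
// the status set and all function names here are assumptions.
const FRESHNESS_SECONDS = 36 * 3600;                        // ±36h window
const NONCE_RING_SIZE   = 8;                                // last 8 consumed nonces
const KNOWN_STATUSES    = ['active', 'expired', 'revoked']; // hypothetical set

function verify_license_response(string $payload, string $sig, string $publicKey,
                                 array &$nonceRing, int $now): string
{
    // 1. Signature first; the length check avoids a SodiumException on bad input.
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return 'INVALID';
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !is_string($data['status'] ?? null)
        || !is_string($data['nonce'] ?? null) || !is_int($data['issued_at'] ?? null)) {
        return 'INVALID';
    }
    // 2. Freshness: a validly signed but old (or future-dated) response is rejected.
    if (abs($now - $data['issued_at']) > FRESHNESS_SECONDS) {
        return 'INVALID';
    }
    // 3. Replay: check every remembered nonce, so alternating two captures fails.
    if (in_array($data['nonce'], $nonceRing, true)) {
        return 'INVALID';
    }
    // 4. Fail closed: a signed status this build does not recognise is INVALID.
    if (!in_array($data['status'], KNOWN_STATUSES, true)) {
        return 'INVALID';
    }
    $nonceRing[] = $data['nonce'];                            // consume the nonce
    $nonceRing   = array_slice($nonceRing, -NONCE_RING_SIZE); // keep the newest 8
    return strtoupper($data['status']);
}

// Constructed demo: a throwaway key pair stands in for the license server.
$kp   = sodium_crypto_sign_keypair();
$sk   = sodium_crypto_sign_secretkey($kp);  // server side only
$pk   = sodium_crypto_sign_publickey($kp);  // the only key the plugin would hold
$now  = 1700000000;                         // fixed clock for a repeatable run
$ring = [];
foreach ([['active', 'n1', 0], ['active', 'n2', 0], ['active', 'n1', 0],
          ['active', 'n3', -40 * 3600], ['trial', 'n4', 0]] as [$st, $nonce, $skew]) {
    $p = json_encode(['status' => $st, 'nonce' => $nonce, 'issued_at' => $now + $skew]);
    $s = sodium_crypto_sign_detached($p, $sk);
    echo "$st/$nonce: ", verify_license_response($p, $s, $pk, $ring, $now), "\n";
}
```

The ring here is an in-memory array; a persistent nonce store needs the atomic read-modify-write that the v3.1.2 entry mentions.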