Updates

Author: PDowney

.github/copilot-instructions.md

@@ -2,111 +2,82 @@
 applyTo: '**'
 ---
 
-# WordPress Plugin Development Standards
+# EngineScript Site Optimizer — Development Standards
 
-## 🎯 Core Principles
+## Project Context
 
-**Work Environment:** Remote GitHub Codespaces only. Never suggest local Terminal commands.
+- **Plugin:** EngineScript Site Optimizer — WordPress performance optimization plugin
+- **Text Domain:** `enginescript-site-optimizer`
+- **Function/Hook Prefix:** `es_optimizer_`
+- **Version Constant:** `ES_SITE_OPTIMIZER_VERSION`
+- **WordPress:** 6.5+ | **PHP:** 7.4+
+- **Work Environment:** GitHub Codespaces (remote). Never suggest local terminal commands.
 
-**WordPress First:** Use WordPress APIs, hooks, and standards exclusively. Avoid non-WP frameworks.
+## Code Standards
 
-**Security Critical:** Sanitize all input, escape all output, use WordPress security functions.
+### WordPress & PHP
 
-**Thorough Analysis:** Read complete files (minimum 1500 lines) for accurate code review.
+- Follow [WordPress Coding Standards](https://developer.wordpress.org/coding-standards/) for PHP, JS, CSS, HTML, and accessibility
+- Use WordPress APIs and hooks exclusively — no raw PHP/SQL or non-WP frameworks
+- Prefix all functions, classes, hooks, and globals with `es_optimizer_`
+- Use `wp_die()` instead of `die()` or `exit()`
+- Use `WP_Error` for error handling; log errors without exposing sensitive data
+- Use PHPDoc with `@param`, `@return`, `@since` tags on all functions
+- Organize code by feature; use descriptive names; remove unused code
+- Validate all function parameters and handle edge cases gracefully
 
-## 📋 Essential Requirements
+### Modern PHP
 
-### WordPress Compatibility
+- PHP 7.4+ features are required; PHP 8.x features are allowed if they degrade gracefully on 7.4
+- Use typed function signatures wherever possible
+- Before submitting changes, run `phpcs`, `phpmd`, and `phpstan` (config files present in project root)
 
-- **WordPress:** 6.5+ minimum
-- **PHP:** 7.4+ minimum  
-- **WooCommerce:** 5.0+ (when applicable)
-- Follow [WordPress Coding Standards](https://developer.wordpress.org/coding-standards/) for PHP, JS, CSS, HTML, and accessibility
+## Security (Critical)
+
+All code must follow OWASP Top 10 and WordPress security best practices. **Auto-identify and fix security vulnerabilities whenever found — never leave them.**
 
-### Code Quality Standards
+**Input:**
+- Sanitize with `sanitize_text_field()`, `sanitize_email()`, `absint()`, or `wp_kses()` as appropriate
+- Validate nonces with `wp_verify_nonce()` on all form submissions and AJAX handlers
+- Use `$wpdb->prepare()` for every database query
 
-1. **Security First:** Always sanitize input (`sanitize_*()`) and escape output (`esc_*()`)
-2. **WordPress APIs:** Use WP functions instead of raw PHP/SQL
-3. **Hook System:** Proper use of `add_action()` and `add_filter()`
-4. **Internationalization:** Use `__()`, `_e()`, `esc_html__()` for all strings
-5. **Performance:** Avoid N+1 queries, use WP caching, optimize database calls
+**Output:**
+- Escape with context-appropriate functions: `esc_html()`, `esc_attr()`, `esc_url()`, `esc_js()`, `esc_textarea()`
+- Use `wp_nonce_field()` for all admin forms
 
-## 🔒 Security Requirements (Critical)
+**Access Control:**
+- Check `current_user_can('manage_options')` before any settings operation
+- Always include `if ( ! defined( 'ABSPATH' ) ) { return; }` at the top of every PHP file
+- Prevent SQL injection, XSS, CSRF, LFI, and path traversal at all times
 
-**Input Handling:**
-- Use `sanitize_text_field()`, `sanitize_email()`, `wp_kses()` for user input
-- Validate with `is_email()`, `absint()`, `wp_verify_nonce()` for security
-- Use prepared statements for database queries (`$wpdb->prepare()`)
+## Performance
 
-**Output Security:**
-- Escape all output: `esc_html()`, `esc_attr()`, `esc_url()`, `esc_js()`
-- Use `wp_nonce_field()` and `wp_verify_nonce()` for forms
-- Check permissions with `current_user_can()` before sensitive operations
+- Cache expensive operations with `wp_cache_*()` and transients
+- Avoid N+1 queries; optimize all database calls
+- Enqueue assets via `wp_enqueue_scripts()` / `wp_enqueue_styles()` with correct dependencies and version strings
+- Conditionally load admin assets only on relevant admin pages; conditionally load frontend assets only when needed
 
-**Vulnerability Prevention:**
-- Prevent SQL injection, XSS, CSRF, Local File Inclusion (LFI), and path traversal
-- Follow principle of least privilege
-- Auto-identify and fix security issues when found
+## Internationalization (i18n)
 
-## 📝 Documentation & Versioning
+- Mark all user-facing strings with `__()`, `_e()`, `esc_html__()`, or `esc_attr__()`
+- Always use text domain `enginescript-site-optimizer`
+- Update `languages/enginescript-site-optimizer.pot` whenever translatable strings are added or changed
 
-**Changelog Management:**
-- Always update CHANGELOG.md and readme.txt when making code changes
-- **Sync both changelogs:** CHANGELOG.md and readme.txt changelog section
-- Use "Unreleased" section for ongoing changes
+## Documentation & Versioning
 
-**Version Release Process (only when instructed):**
+**On every code change:**
+- Add an entry to the `Unreleased` section of `CHANGELOG.md`
+- Mirror the same entry in the changelog section of `readme.txt`
+
+**Version releases (only when explicitly instructed):**
 - Follow semantic versioning (MAJOR.MINOR.PATCH)
-- Update version in: plugin header, README.md, readme.txt, CHANGELOG.md, GEMINI.md, and `.pot` language files, constants section, package.json, and composer.json
-- Move "Unreleased" changes to new version section in both changelogs
-- **Never auto-update versions** - wait for explicit instruction
-
-**Code Documentation:**
-- Use PHPDoc with `@param`, `@return`, `@since` tags
-- Write clear function/class descriptions
-- Document security considerations and hooks used
-
-**Internationalization (i18n):**
-- Update `.pot` language files when adding or modifying translatable strings
-- Always use the correct text domain when dealing with translation functions
-- Mark all user-facing strings with `__()`, `_e()`, `esc_html__()`, `esc_attr__()`, etc.
-
-## ⚡ Performance & Quality
-
-**Performance Optimization:**
-- Use WordPress caching (`wp_cache_*()`, transients)
-- Optimize database queries, avoid N+1 problems
-- Proper asset enqueueing with `wp_enqueue_*()` functions
-- Focus on correctness first, then optimize
-
-**Code Architecture:**
-- Group by feature, not by type
-- Use descriptive function/variable names
-- Remove unused code automatically
-- Follow feature-sliced design when applicable
-
-**Error Handling:**
-- Use `WP_Error` for WordPress-specific errors
-- Log errors without exposing sensitive data
-- Handle edge cases gracefully
-- Validate all function parameters
-
-## 🚀 Workflow & Automation
-
-**Task Execution:**
-- Make changes directly to existing files (don't create duplicates)
-- Proceed automatically unless action is destructive
-- Auto-identify and fix bugs when possible
-- Only ask confirmation for data loss/deletion scenarios
-
-**File Management:**
-- Edit files in place (e.g., modify `admin.php` directly)
-- Create new files only when truly necessary
-- Avoid file duplication and unnecessary rewrites
-- Maintain clean project structure
-
-**Communication:**
-- Provide concise, actionable responses
-- Use clear formatting for readability
-- Never create change summaries as separate .md files
-- Focus on specific changes made, not verbose explanations
+- Update version in: plugin file header, `ES_SITE_OPTIMIZER_VERSION` constant, `README.md`, `readme.txt`, `CHANGELOG.md`, `GEMINI.md`, `composer.json`, and `languages/enginescript-site-optimizer.pot`
+- Move all `Unreleased` entries to the new version section in both `CHANGELOG.md` and `readme.txt`
+- **Never auto-bump versions** — wait for an explicit instruction to do so
+
+## Workflow
+
+- Edit files in place — never create duplicate files or unnecessary new files
+- Proceed automatically on non-destructive changes; ask before deleting files or data
+- Auto-fix bugs and security issues when identified
+- Keep responses concise and focused on what changed — no summary `.md` files

.github/workflows/continuous-integration.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: '16'
+          node-version: '20'
           # Use conditional caching based on package-lock.json existence
           cache: ${{ steps.check-lockfile.outputs.lockfile_exists == 'true' && 'npm' || '' }}
           cache-dependency-path: |
@@ -76,7 +76,7 @@ jobs:
         
       - name: Lint PHP
         run: |
-          if [ -f composer.json ] && ([ -f .phpcs.xml ] || [ -f phpcs.xml.dist ]); then
+          if [ -f composer.json ] && ([ -f .phpcs.xml ] || [ -f phpcs.xml.dist ] || [ -f phpcs.xml ]); then
             if grep -q "\"lint:php\"" composer.json; then
               composer run lint:php
             else
@@ -115,7 +115,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: '16'
+          node-version: '20'
           # Use conditional caching based on package-lock.json existence
           cache: ${{ steps.check-lockfile-build.outputs.lockfile_exists == 'true' && 'npm' || '' }}
           cache-dependency-path: |

.github/workflows/release.yml

@@ -53,13 +53,15 @@ jobs:
           cp README.md enginescript-site-optimizer/
           cp CHANGELOG.md enginescript-site-optimizer/
           cp LICENSE enginescript-site-optimizer/ || echo "No LICENSE file found"
+          cp readme.txt enginescript-site-optimizer/ || echo "No readme.txt found"
+          [ -d languages ] && cp -r languages enginescript-site-optimizer/ || echo "No languages directory found"
           zip -r enginescript-site-optimizer-${{ steps.get_version.outputs.version }}.zip enginescript-site-optimizer
 
       - name: Get changelog entry
         if: steps.check_release.outputs.exists == 'false'
         id: get_changelog
         run: |
-          CHANGELOG_ENTRY=$(awk -v ver="## ${{ steps.get_version.outputs.version }}" 'BEGIN{flag=0} $0~ver{flag=1; print; next} /^## [0-9]+\.[0-9]+\.[0-9]+/{flag=0} flag{print}' CHANGELOG.md | tail -n +2)
+          CHANGELOG_ENTRY=$(awk -v ver="\\[${{ steps.get_version.outputs.version }}\\]" 'BEGIN{flag=0} $0 ~ "^## " ver{flag=1; next} /^## \[/{flag=0} flag{print}' CHANGELOG.md)
           echo "changelog<<EOF" >> $GITHUB_OUTPUT
           echo "$CHANGELOG_ENTRY" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT

CHANGELOG.md

@@ -3,6 +3,38 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Fixed
+
+- **Critical**: Fixed License URI in plugin header and readme.txt pointing to GPL 2.0 instead of GPL 3.0
+- **Critical**: Fixed release workflow producing incomplete zip files missing `languages/` directory and `readme.txt`
+- **Bug**: Fixed changelog parser in release workflow that could not match `## [VERSION]` heading format in CHANGELOG.md, resulting in empty release bodies
+- **Bug**: Consolidated duplicate `msgid` entries in POT translation file and corrected license header
+- **Bug**: Fixed CI lint step that never ran because it checked for `.phpcs.xml` or `phpcs.xml.dist` but the actual file is `phpcs.xml`
+- **Bug**: Fixed README.md license text incorrectly stating GPL-2.0+ instead of GPL-3.0-or-later
+
+### Added
+
+- Added `uninstall.php` to properly clean up plugin options from the database when the plugin is deleted
+- Added section headers ("Performance Optimizations", "Header Cleanup", "Additional Features") to the settings page for better UX
+- Added `phpcompatibility/phpcompatibility-wp` to `composer.json` `require-dev` (required by `phpcs.xml` ruleset)
+- Added `scripts` section to `composer.json` with `lint:php` and `analyze` commands for CI integration
+
+### Changed
+
+- **Modernization**: Added PHP 7.4+ type declarations (parameter types and return types) to all functions
+- **Modernization**: Replaced `isset()` ternaries with null coalescing operator (`??`) in render helpers
+- **Code Quality**: Standardized all option-checking to use `empty()` with early-return pattern
+- **Code Quality**: Consolidated duplicate domain validation, rejection notice, and output functions into shared helpers (`es_optimizer_validate_domain_list()`, `es_optimizer_show_rejection_notice()`, `es_optimizer_get_validated_domains()`)
+- **Code Quality**: Removed unnecessary static caching in `es_optimizer_add_preconnect()` and `es_optimizer_add_dns_prefetch()` (hooks only fire once per page load; `es_optimizer_get_options()` already caches)
+- **Code Quality**: Replaced deprecated HTML `valign="top"` attribute with standard `<tr>` (WordPress `form-table` CSS already handles alignment)
+- **CI**: Updated Node.js from EOL version 16 to LTS version 20 in continuous integration workflow
+- **Docs**: Corrected `GEMINI.md` and `readme.txt` feature lists to only include actually implemented features (removed references to XML-RPC, REST API restriction, auto-embeds, and Gutenberg CSS)
+- **Docs**: Updated POT translation file with correct line references and added new translatable section header strings
+- **Security**: Removed `phpcs:ignore` suppression on preconnect output by using explicit `if/else` branches for the crossorigin attribute
+- **Security**: Replaced fragile substring crossorigin detection (`fonts.g`, `gstatic`) with exact hostname matching against `fonts.googleapis.com` and `fonts.gstatic.com`
+
 ## [2.0.0] - 2026-02-28
 
 ### Changed

GEMINI.md

@@ -84,14 +84,14 @@ add_action( 'plugins_loaded', 'es_optimizer_init' );
 
 #### Performance Optimization Features
 
-- **XML-RPC Disabling:** Remove XML-RPC functionality for security and performance
-- **JSON REST API Control:** Disable REST API for non-logged users
 - **jQuery Migrate Removal:** Remove unnecessary jQuery Migrate script
-- **Header Meta Cleanup:** Remove unnecessary WordPress meta tags from head
-- **Auto-Embeds Disabling:** Disable WordPress auto-embed functionality
+- **Header Meta Cleanup:** Remove unnecessary WordPress meta tags from head (version, RSD, WLW, shortlinks, recent comments style)
 - **Emoji Support Removal:** Remove emoji scripts and styles
-- **Gutenberg CSS Removal:** Remove unused Gutenberg block styles
+- **Classic Theme Styles Removal:** Remove classic theme styles added in WordPress 6.1+
 - **DNS Prefetch Management:** User-configurable DNS prefetch for external domains
+- **Preconnect Management:** User-configurable preconnect for critical external domains
+- **Jetpack Ads Disabling:** Remove Jetpack advertisements and promotions
+- **Post via Email Disabling:** Disable WordPress post via email functionality
 
 #### Settings Management
 

README.md

@@ -153,7 +153,7 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 
 ## License
 
-This project is licensed under the GPL-2.0+ License - see the [LICENSE](LICENSE) file for details.
+This project is licensed under the GPL-3.0-or-later License - see the [LICENSE](LICENSE) file for details.
 
 ## Changelog
 

composer.json

@@ -20,11 +20,16 @@
     "dealerdirect/phpcodesniffer-composer-installer": "^1.0.0",
     "php-stubs/wordpress-stubs": "^6.8",
     "szepeviktor/phpstan-wordpress": "^1.3",
-    "phpstan/phpstan": "^1.0"
+    "phpstan/phpstan": "^1.0",
+    "phpcompatibility/phpcompatibility-wp": "^2.1"
   },
   "config": {
     "allow-plugins": {
       "dealerdirect/phpcodesniffer-composer-installer": true
     }
+  },
+  "scripts": {
+    "lint:php": "phpcs",
+    "analyze": "phpstan analyse"
   }
 }