Security
- Add looks_like_secret() entropy heuristic: vendor regex (AIza, sk-,
ghp_, gho_, Slack xox, Bearer) + length/char-class fallback +
path/whitespace denylist. Defensible hybrid: zero false-positives
on known token formats, catches custom tokens without tripping on
URLs or slugs.
- Gate generic 'key'-named fields and ?key= URL params with the
entropy heuristic. Closes the n8n queryParameters Google-API-key
bypass without false-positives on benign values.
- Entropy fallback in mask_name_value_pair for custom-header value
patterns (X-App-Token etc.) whose names we cannot enumerate.
- Redact credentials[].name per node (id retained), clear
meta.instanceId so exports no longer correlate to the source n8n
instance.
- Opt-in tag clearing at publish time: wizard step 3 checkbox with
the current tag list inline, only shown when tags exist.
- Wizard step 3 now renders a collapsible Reason / Key / Note table
so publishers can verify exactly what was masked before publishing.
Mobile
- touch-action: none on .breznflow-svg to stop the
browser-vs-plugin gesture tug-of-war.
- Rewrote pointer handling as a Map-based multi-pointer state
machine with { passive: false } listeners: single-finger pan is
now smooth on iOS and Android, pinch-to-zoom anchored at the
finger midpoint, double-tap toggles 100/200 % zoom.
- Minimap ported to pointer events + setPointerCapture — tap and
drag navigation work on touch.
Docs
- Expand Sensitive Data Masking section of both READMEs to describe
the 1.0.4 passes and the opt-in tag removal.
- Version badge 1.0.3 -> 1.0.4.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
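An added example, not BreznFlow's own code, of the hybrid check the Security notes in the commit above describe: vendor regexes first, then the path/whitespace denylist, then a length and character-class fallback, used here to gate a `key`-named query parameter. The `example_*` names, regex lengths, thresholds and sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration, not BreznFlow's source; lengths and thresholds are assumptions.

const EXAMPLE_VENDOR_PATTERNS = [
    '/^AIza[0-9A-Za-z_\-]{30,}$/',     // Google API key
    '/^sk-[0-9A-Za-z_\-]{16,}$/',      // sk- prefixed API key
    '/^gh[po]_[0-9A-Za-z]{20,}$/',     // GitHub ghp_ / gho_
    '/^xox[a-z]-[0-9A-Za-z\-]{10,}$/', // Slack xox*
    '/^Bearer\s+\S{16,}$/',            // Authorization header value
];

function example_looks_like_secret(string $value): bool {
    $value = trim($value);
    // Pass 1: known vendor formats match on prefix and shape alone.
    foreach (EXAMPLE_VENDOR_PATTERNS as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    // Pass 2: denylist. Whitespace, a slash or a scheme means prose, a path or a URL.
    if (preg_match('~\s|/|^[a-z][a-z0-9+.\-]*:~i', $value) === 1) {
        return false;
    }
    // Pass 3: fallback for custom tokens: long, and mixing lower, upper and digit.
    if (strlen($value) < 20) {
        return false;
    }
    $classes = preg_match('/[a-z]/', $value) + preg_match('/[A-Z]/', $value) + preg_match('/\d/', $value);
    return $classes === 3; // lowercase slugs and hex-only strings are not flagged
}

// Gate a generically named field: mask only when the value itself looks secret.
function example_mask_pair(array $pair): array {
    $generic = preg_match('/key/i', $pair['name']) === 1;
    if ($generic && example_looks_like_secret((string) $pair['value'])) {
        $pair['value'] = '***MASKED***';
    }
    return $pair;
}

// Constructed sample query parameters (not real credentials).
$params = [
    ['name' => 'key', 'value' => 'AIza' . str_repeat('x', 35)],      // vendor format: masked
    ['name' => 'key', 'value' => 'q7Zp2LmX9vRt4KsW8bNc'],            // custom token: masked
    ['name' => 'sortKey', 'value' => 'created-at-descending-order'], // slug: kept
];
foreach ($params as $pair) {
    echo json_encode(example_mask_pair($pair)), PHP_EOL;
}
```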
Fix double rendering when "Easy Table of Contents" (or any plugin that
re-runs the_content filters) is active.
- Shortcode re-entry guard via md5 fingerprint of post_id + resolved
render settings — silently skips duplicate passes while preserving
legitimate multi-embed with different attributes
- Wrapper DOM id is now unique per instance (breznflow-wrap-<POST>-<N>),
enabling multiple embeds of the same workflow in one post
- Share-anchor span id="breznflow-<POST>" emitted only on the first
instance per post to keep the DOM valid and existing deep-links working
- View counter increments moved after the dedupe check so re-entrant
scans do not overcount views
- JS renderer tracks mounted containers in a WeakSet — defensive guard
that catches any duplicates server-side dedupe might miss
- readme: add Learn more section with website, FAQ, and demo links
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Remove deprecated load_plugin_textdomain() call (auto-loaded since WP 4.6)
- Prefix all global variables in themes.php with breznflow_ for WPCS compliance
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Initial public release of BreznFlow, an n8n workflow renderer for WordPress.
Fully PHPCS-compliant (WordPress Coding Standards), security-hardened,
and ready for WordPress.org plugin review.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>