Added — unblock/form/client_ip filter for overriding the client IP used in form rate limiting (proxy support).
Added — Security regression tests for PostQuery type filtering and Processor timestamp validation.
Improved — AI chat shows a notice with a link to Settings → Connectors when no AI provider is configured, instead of letting the user send a message and get an error.
Improved — AI image generation errors are now reported to the model so it can explain the failure to the user.
Improved — Form rate limiting uses REMOTE_ADDR only; proxy setups use the new unblock/form/client_ip filter.
Improved — MCP sessions now store user_id and enforce ownership on register/deregister.
Improved — MCP command IDs use cryptographically secure UUIDs (wp_generate_uuid4) instead of uniqid.
Improved — File write permissions use FS_CHMOD_FILE (default 0644) instead of hardcoded 0755.
Improved — License update check uses POST instead of GET to keep license keys out of URLs and server logs.
Fixed — PostQuery with post_type => 'any' exposing non-viewable (private) post types to unauthorized users.
Fixed — Empty timestamp token bypassing anti-spam validation with a silent return instead of an error.
Fixed — Audit skills (accessibility, SEO) now keep tools available so models use the function calling API instead of hallucinating raw tool call tags in chat output.
Fixed — Clicking an anchor with a #fragment href in the editor scrolling to the target section instead of being suppressed.
Fixed — HTML inspector edits occasionally not syncing to the block when typing soon after a previous edit was applied.
Fixed — Non-width @media queries (prefers-reduced-motion, prefers-color-scheme, hover) breaking the device switch by displaying incorrect icons and being auto-selected as default. Moved to the at-rules dropdown instead.