= 2.59.07.08 =
* Removes plugin-owned trait/class declaration conflict guards while retaining the WP-CLI environment condition.
* Repairs the gettext template header and removes local development paths from source references.
* Rewrites and aligns the packaged readmes, keeps `readme.txt` below 10 KB, and documents every distributed JavaScript helper.
* Separates the optimized AVIF/WebP file counter completely from Cache Statistics, dashboard-stat snapshots, cache-stat polling, and the generic JavaScript `stats` state.
* Stores only the dedicated AVIF, WebP, and total file counts in the non-autoloaded WordPress option `ultracache_media_file_counts`; no JSON file, sidecar, or other filesystem storage is added.
* Loads the file counter independently during dashboard bootstrap and returns it independently as `mediaFileCounts` from the existing media queue REST response, preventing cache-stat refreshes from resetting it to zero.
* Updates the dedicated counter when UltraCache creates or deletes optimized files and keeps the previous database values during the one-time option rename from `ultracache_media_storage_stats_v2`.
* Removes the Optimized Images card from the Cache Statistics panel and removes media-file values from engine/cache-stat payloads.
* Renames Refresh Storage Stats to Recount Optimized Image Files; the action scans `uploads/ultracache/images` and corrects only the AVIF/WebP file counter.
* Bumps release metadata from 2.59.07.07 to 2.59.07.08.

= 2.59.07.07 =
* Fixes optimized-image counters resetting to `0 AVIF · 0 WebP` after a dashboard refresh by including the persistent media-storage option in the initial passive dashboard payload.
* Merges the current persistent media counters into cached dashboard-stat snapshots before returning them, preventing a stale snapshot from overwriting live totals.
* Synchronizes legacy `imagesOptimized`, `avifImagesOptimized`, and `webpImagesOptimized` aliases with the persistent counters so older cached payload fields cannot take precedence with stale zero values.
* Keeps persistent media totals visible even when general cache-stat polling is disabled; reading these counters is a lightweight option lookup and does not scan the filesystem.
* Bumps release metadata from 2.59.07.06 to 2.59.07.07.

= 2.59.07.06 =
* Moves Stop All Media Background Work / Resume All Media Background Work to the final position in the media queue action list so the emergency control appears after normal processing, maintenance, retry, and cleanup actions.
* Keeps all pause/resume behavior unchanged.
* Bumps release metadata from 2.59.07.05 to 2.59.07.06.

= 2.59.07.05 =
* Adds a persistent Stop All Media Background Work / Resume All Media Background Work control that invalidates outstanding dispatcher tokens, clears media cron watchdogs, cancels deferred dispatch, returns claimed queue rows to pending, and blocks upload, page-generation, cron, immediate-worker, REST, dashboard, and direct AVIF/WebP conversion entry points after the current physical encode finishes.
* Keeps the media queue and existing optimized files intact while generation is stopped; refreshing the dashboard cannot resume processing automatically, and resuming can continue from the preserved pending queue.
* Merges Rebuild Media Queue and Verify / Repair Queue into one Rebuild / Repair Media Queue action. The scan now checks every attachment's required physical derivatives, marks current outputs complete, requeues missing or stale outputs, and shares the conversion lock so queue repair cannot race an active encoder.
* Treats an optimized derivative as current only when it exists and is at least as new as its source file, allowing changed originals or thumbnails to be repaired without deleting valid outputs first.
* Removes the redundant cache warm-up explanatory note and simplifies the media conversion panel description.
* Bumps release metadata from 2.59.07.04 to 2.59.07.05.

= 2.59.07.04 =
* Renames "Queue Missing Media on Demand" to "Queue Missing Media During Page Generation" so the option name matches the actual discovery trigger.
* Rewrites the setting description to state only when discovery occurs: uncached page generation, warm-up, cron warm, and stale regeneration, with conversion handled separately in the background.
* Simplifies the related help text without listing unrelated actions that do not trigger media generation.
* Bumps release metadata from 2.59.07.03 to 2.59.07.04.

= 2.59.07.03 =
* Makes missing-media on-demand processing immediate without converting inside the visitor request: the request queues the attachment and sends one signed, non-blocking same-site REST worker request after WordPress finishes the response and page-cache write.
* Defers the initial dispatch through a PHP shutdown callback so a fast conversion cannot purge the affected page before the originating request finishes storing that page in cache.
* Adds a dedicated database dispatcher lock held across the worker chain, so concurrent frontend visits, uploads, warm-up requests, and cron recovery can produce only one active background media dispatcher.
* Chains one physical image unit at a time through the existing shared conversion lock and timeout-safe processor; successful units dispatch the next worker while pending work remains.
* Keeps WP-Cron as a watchdog and fallback only. Failed loopback dispatch, conversion-lock contention, and conversion failures use bounded fallback/backoff schedules instead of launching workers from every visitor.
* Protects the public worker route with a short-lived HMAC bound to the dispatcher token, site URL, and WordPress authentication salt; stale, expired, or non-owner requests are rejected.
* Resets stale processing rows before watchdog recovery, allowing abandoned conversions to return to the bounded retry flow.
* Updates the Queue Missing Media on Demand description to distinguish immediate background dispatch from conversion inside the visitor request.
* Bumps release metadata from 2.59.07.02 to 2.59.07.03.

= 2.59.07.02 =
* Adds a dedicated database lock for Media Queue Rebuild chunks so refresh, resume, another browser tab, WP-CLI, and automatic queue building cannot scan/update the rebuild cursor concurrently.
* Adds a persistent rebuild generation token. Restart publishes a new generation before waiting for the lock, causing any older in-flight chunk or delayed browser request to stop as stale instead of updating the new run.
* Makes rebuild requests idempotent per generation, so retrying the same initial request does not delete and restart the queue a second time when the first response was lost.
* Persists the rebuild generation in the dashboard job state, silently waits for an active chunk lock during refresh/resume, and rejects saved state belonging to an older rebuild.
* Keeps the corrected 2.59.07.01 rebuild progress bar and its Total units, Finished, and Time left display unchanged.
* Bumps release metadata from 2.59.07.01 to 2.59.07.02.

= 2.59.07.01 =
* Keeps the existing long-job progress bar and simplifies only the Media Queue Rebuild status area to Total units, Finished, and Time left.
* Removes the rebuild-only Overall Progress text and chunk scan/queue log lines that could present stale or misleading information while a new rebuild starts.
* Uses the fixed eligible Media Library attachment total (`libraryTotal`) as the rebuild denominator instead of the mutable queue-row total, preventing on-demand queue additions from producing results such as 28,675 / 28,677.
* Resets a fresh rebuild display to zero/Calculating until the first authoritative chunk response arrives, preserves exact progress across pause/resume, and prevents a non-complete job from showing 0s remaining.
* Bumps release metadata from 2.59.06.100 to 2.59.07.01.

= 2.59.06.100 =
* Bounds media conversion failures with a dedicated `consecutive_failures` queue column. A row becomes `failed` after three consecutive failed or abandoned claims instead of remaining pending forever; any successful physical-image unit resets the counter, and Retry Failed resets it for an explicit new attempt.
* Bumps the media queue schema to version 3 so existing queue rows receive the new failure counter without reusing the historical `attempts` values from successful unit processing, and verifies that the new column exists before saving the schema version.
* Separates `skippedThisRun` from `alreadyOptimizedThisRun`, eliminating the WP-CLI skipped-total double count.
* Returns non-2xx REST responses for media queue lock conflicts and conversion/retry-limit failures: 409 for lock contention, 422 for conversion failures, and 500 for other processing errors.
* Wraps the GD opaque-JPEG source decode and generated-AVIF decode in scoped warning handlers so codec warnings are captured in diagnostics instead of leaking into output.
* Replaces the three remaining focused WPCS `json_encode()` fallbacks with WordPress `wp_json_encode()` calls.
* Bumps release metadata from 2.59.06.99 to 2.59.06.100.

= 2.59.06.99 =
* Replaces transient-only optimized-media storage totals with persistent aggregate counters stored in `ultracache_media_storage_stats_v2`.
* Updates AVIF/WebP file counts and byte totals immediately when UltraCache creates, replaces, or deletes generated derivatives, so dashboard values survive transient expiry, Redis eviction, and process restarts.
* Seeds the persistent counters from the latest legacy storage scan when available and keeps the last known values visible when reconciliation is incomplete instead of reporting an incorrect zero.
* Makes Refresh Storage Stats reconcile the persistent counters against the filesystem; complete scans become authoritative while capped/incomplete scans preserve the last known totals and mark reconciliation as needed.
* Adds dashboard status text distinguishing reconciled persistent counters from last-known counters that still need filesystem reconciliation.
* Removes the new persistent storage statistics option through the existing UltraCache runtime-data uninstall policy while leaving generated media files untouched.
* Bumps release metadata from 2.59.06.98 to 2.59.06.99.

= 2.59.06.98 =
* Clarifies the Media Conversion capability summary so Imagick installation, AVIF encoder verification, and WebP availability are reported as distinct states.
* Updates media runtime diagnostics to label AVIF results as self-test Passed/Failed and WebP results as Available/Unavailable instead of ambiguous Yes/No values.
* Keeps the automatic AVIF safety test and runtime behavior unchanged; this release only corrects capability reporting terminology.
* Bumps release metadata from 2.59.06.97 to 2.59.06.98.

= 2.59.06.97 =
* Removes the complete AVIF encoder self-test status panel from the Media Conversion dashboard, including the explanatory text and Imagick/GD result lines.
* Retains the automatic environment-fingerprinted AVIF safety test exclusively as an internal runtime capability gate for generation and frontend delivery.
* Bumps release metadata from 2.59.06.96 to 2.59.06.97.

= 2.59.06.96 =
* Removes the manual AVIF self-test button and its authenticated REST trigger from the dashboard after completing the encoder regression diagnosis.
* Retains the automatic, environment-fingerprinted opaque-JPEG and transparent-RGBA AVIF safety tests as runtime capability gates for generation and frontend delivery.
* Bumps release metadata from 2.59.06.95 to 2.59.06.96.

= 2.59.06.95 =
* Fixes content-dependent Imagick AVIF corruption by preserving the source image's native channel layout instead of activating an alpha channel on opaque JPEG files.
* Keeps native transparency for PNG/WebP sources without manufacturing alpha for JPEG sources; the GD conversion path now requests alpha preservation only for source formats that can carry it.
* Extends the AVIF self-test with a bundled opaque 300x169 odd-height JPEG regression fixture in addition to the transparent 16x16 RGBA PNG, and requires both tests to pass for each encoder.
* Increments the AVIF self-test algorithm version so previously cached results are invalidated and the expanded test runs automatically after upgrade.
* Does not delete existing generated AVIF files automatically; previously generated AVIF derivatives must be regenerated after installing this release.
* Bumps release metadata from 2.59.06.94 to 2.59.06.95.

= 2.59.06.94 =
* Bundles a deterministic 16x16 RGBA PNG for AVIF encoder validation instead of trusting codec presence or container metadata alone.
* Adds persistent, environment-fingerprinted AVIF self-tests for Imagick and GD that encode the bundled image, fully decode the generated AVIF, and validate known red, green, blue, white, transparent, and semi-transparent pixels.
* Uses the self-test result as runtime capability truth: failed AVIF engines are excluded from generation, existing AVIF files are no longer selected for frontend HTML/CSS rewrites, and `best` media work requires WebP when no AVIF engine passes.
* Adds an authenticated REST diagnostic endpoint and a Media Conversion dashboard button showing separate Imagick and GD pass/fail reasons.
* Makes WebP the recommended default for fresh/default settings and performance profiles while preserving existing saved output selections.
* Stores the AVIF result in `ultracache_avif_encoder_self_test_v1`, invalidates it when the PHP/image-library fingerprint or bundled test asset changes, and removes it through UltraCache data cleanup/uninstall.
* Bumps release metadata from 2.59.06.93 to 2.59.06.94.

= 2.59.06.93 =
* Adds a staged media-optimization ETA that measures the first 10 completed attachments, recalibrates after 100 attachments, and recalibrates again at every 500-attachment checkpoint.
* Keeps the current ETA between checkpoints while reducing the remaining time after every completed attachment, and preserves measured timing data across pause/resume without counting paused time.
* Propagates the exact eligible Media Library attachment total from the queue discovery query, replacing the provisional queue-row denominator and allowing progress and ETA to remain meaningful while the queue is still building.
* Shows the ETA sample size in the dashboard and displays a clear estimation countdown until the initial 10-attachment sample is available.
* Bumps release metadata from 2.59.06.92 to 2.59.06.93.

= 2.59.06.92 =
* Fixes the dashboard media optimizer regression where the shared `processJobItem()` helper referenced the React component-local `cancelRequestedRef` directly and raised `ReferenceError: cancelRequestedRef is not defined`.
* Passes a cancellation callback explicitly from the dashboard job runner into the media item processor, preserving pause/resume checks between physical-file conversion requests without leaking component-local state into module scope.
* Bumps release metadata from 2.59.06.91 to 2.59.06.92.

= 2.59.06.91 =
* Changes manual, REST, and background media conversion from whole-attachment processing to one physical source-file conversion unit per request.
* Keeps attachment progress resumable by detecting existing AVIF/WebP derivatives and returning the remaining unit count after every request.
* Adds secondary time- and memory-budget checks between physical files for full-attachment CLI and maintenance callers.
* Preserves explicit WP-CLI full-attachment regeneration while keeping web and cron workers on resumable single-file units.
* Replaces transient media processor coordination with the shared token-owned UltraCache lock table so dashboard, cron, REST, and CLI queue workers cannot overlap.
* Atomically claims pending media queue rows and prevents completed queue rows from re-running conversion after a lost or repeated response.
* Removes automatic browser retries for media failures, returns interrupted units to pending for explicit Resume, pauses the job on the first HTTP/server error, and adds a 250 ms delay between successful conversion units.
* Limits web queue processing to one conversion unit with an 8-second requested budget and a 15-second hard cap, while background processing uses delayed success, lock, and failure backoff schedules.
* Reduces stale media-processing recovery from 10 minutes to 2 minutes.
* Adds repository-level Composer, PHPCS, EditorConfig, and WordPress Coding Standards configuration for repeatable plugin linting.
* Refreshes the translation template metadata and adds the new media queue status/error strings.
* Bumps release metadata from 2.59.06.90 to 2.59.06.91.

= 2.59.06.90 =
* Adds local PHPCS tooling under `tools/phpcs` with PHPCS, WordPress Coding Standards, and PHPCompatibilityWP for WordPress.org audit checks.
* Documents the local PHPCS/PHPCBF commands and ignores the generated Composer `vendor/` directory.
* Bumps release metadata from 2.59.06.89 to 2.59.06.90.

= 2.59.06.89 =
* Improves same-URL reload-loop diagnostics by scanning printed plugin/theme scripts for upstream startup `.change()` / `trigger("change")` event triggers when the final redirect/listener script is already covered.
* Adds exclusion-first upstream trigger suggestions for delayed local WooCommerce/orderby scripts that can wake another plugin's redirect listener.
* Falls back to fetching the looped page's script inventory from the stored scan detail when the runtime report does not include scripts.
* Bumps release metadata from 2.59.06.88 to 2.59.06.89.

= 2.59.06.88 =
* Makes interrupted Browser Runtime Scan matching less brittle by ranking local delayed WooCommerce/filter startup scripts from the printed page even when the scan cannot read their JavaScript contents before navigation.
* Prioritizes delayed theme WooCommerce startup scripts, including product/order scripts that are likely to fire synthetic change events before another plugin redirects.
* Keeps interrupted-navigation findings manual and exclusion-first under "Do Not Defer or Delay" candidates.
* Bumps release metadata from 2.59.06.87 to 2.59.06.88.

= 2.59.06.87 =
* Teaches Browser Runtime Scan to detect when the diagnostic popup navigates away before the in-page collector can report, covering reload/redirect loops that happen before console errors are captured.
* Sends same-origin popup script inventory with direct Browser Runtime Scan harvests so REST diagnostics can analyze the actual scripts printed on the interrupted page.
* Adds exclusion-first suggestions for startup navigation/change triggers, including WooCommerce/orderby synthetic change patterns that can activate another plugin's redirect listener after JavaScript delay.
* Bumps release metadata from 2.59.06.86 to 2.59.06.87.

= 2.59.06.86 =
* Adds a deterministic plugin ZIP builder that writes internal archive paths with forward slashes, so WordPress recognizes the single `ultracache/` root folder during manual uploads.
* Verifies release ZIPs reject backslash entries, git artifacts, missing `ultracache/ultracache.php`, and files outside the `ultracache/` root.
* Bumps release metadata from 2.59.06.85 to 2.59.06.86.

= 2.59.06.85 =
* Adds Runtime Scan same-URL reload-loop detection that persists scan navigation evidence across reloads and records the last synthetic startup event before unload.
* Marks reload-loop fixes as exclusion-first so they appear as "Do Not Defer or Delay" candidates instead of Defer Instead fixes.
* Updates dashboard grouping for exclusion-first scan findings so they are counted and shown in the correct Browser Scanner section.
* Bumps release metadata from 2.59.06.84 to 2.59.06.85.

= 2.59.06.84 =
* Renames scan-result exclusion action buttons from the internal "Do Not Defer or Delay" target name to "Add to exclusions".
* Quotes "Do Not Defer or Delay" in append buttons and nearby scan-result status text so users understand it is the visible exclusion list name.
* Bumps release metadata from 2.59.06.83 to 2.59.06.84.

= 2.59.06.83 =
* Removes Advanced Runtime Font CSS Rewrite from the Balanced and Aggressive profile patches so no performance profile enables that advanced font rewrite automatically.
* Improves Runtime Scan and Console Error Handler suggestions for order-sensitive local plugin/theme dependencies by adding the shared owner JavaScript directory when the crashed consumer and matched provider live under the same owner path.
* Bumps release metadata from 2.59.06.82 to 2.59.06.83.

= 2.59.06.82 =
* Corrects the Varnish admin CLI response reader to match Varnish's own protocol: a fixed 13-byte status/length header followed by the declared body length plus the terminating newline.
* Fixes the admin-auth follow-up read so Varnish response bodies cannot leave a newline behind and desynchronize the next CLI response.
* Bumps release metadata from 2.59.06.81 to 2.59.06.82.

= 2.59.06.81 =
* Fixes the manual object-cache backend test so newly typed Redis passwords and clear-password requests are included in the REST probe payload before settings are saved.
* Bumps release metadata from 2.59.06.80 to 2.59.06.81.

= 2.59.06.80 =
* Fixes Varnish admin-secret mode by parsing the Varnish CLI response status line dynamically instead of assuming one fixed header width.
* Updates the Varnish admin auth hash builder to try the exact secret-file byte forms Varnish accepts, covering secrets copied with or without the trailing newline from `/etc/varnish/secret`.
* Bumps release metadata from 2.59.06.79 to 2.59.06.80.

= 2.59.06.79 =
* Makes the Varnish test REST endpoint return its diagnostic payload for normal connection-test failures instead of hiding endpoint details behind a generic HTTP 500 dashboard error.
* Updates the dashboard Varnish test action to merge failed diagnostic payloads and show each endpoint's exact `server: FAIL - reason` line in the error toast and Varnish card.
* Bumps release metadata from 2.59.06.78 to 2.59.06.79.

= 2.59.06.78 =
* Rewords the historical 2.59.06.60 changelog note about removed third-party matcher fragments so automated remote-file scans do not mistake archived domain examples for active plugin behavior.
* Synchronizes the plugin header, runtime version constant, WordPress.org stable tag, and README current-version marker at 2.59.06.78.
* Bumps release metadata from 2.59.06.77 to 2.59.06.78. No runtime behavior, files, or directories were added or removed.

= 2.59.06.77 =
* Rewrites the dashboard info-icon help into plain-language, code-derived explanations that describe what each control changes, why it can improve speed, and what to test before trusting it.
* Adds specific help coverage for cache delivery, media, JavaScript timing, CSS delivery, font optimization, WooCommerce controls, query/cookie safety lists, object cache, Redis, Varnish, external cache flushing, and warm-up/scheduling controls.
* Updates the bespoke JS safeguard, Browser Scanner, Console Error Handler, CSS diagnostics, Delayed JS auto-start, Font-Mix CSS, WooCommerce strategy, Apache Static HTML Delivery, and Object Cache Fallback tooltips to match the same explanation style.
* Regenerates `languages/ultracache.pot` so the new explicit tooltip strings and 2.59.06.77 metadata are reflected in the translation catalog.
* Bumps release metadata from 2.59.06.76 to 2.59.06.77.

= 2.59.06.76 =
* Moves "Bundle Generated Font-Mix CSS" from CSS Delivery into Fonts Optimization so the control lives beside the font pipeline it affects.
* Adds a new opt-in "Async Generated Font-Mix CSS Bundle" control that async-loads only the consolidated `bundle-font-mix-*.css` file while leaving individual `css-font-mix-*` source files untouched.
* Runs Font-Mix CSS consolidation before the async CSS pass when the new async Font-Mix option is enabled so the consolidated bundle can be classified and rewritten.
* Adds richer info-icon help for WooCommerce frontend strategy presets, including Off, Safe, Balanced, Aggressive, and Custom behavior.
* Adds missing info-icon help to the bespoke JS safeguard, Browser Scanner, Console Error Handler, CSS Bundle Exclusions, page URL diagnostic, and Delayed JS auto-start controls.
* Bumps release metadata from 2.59.06.75 to 2.59.06.76.

= 2.59.06.75 =
* Adds expanded info-icon help across dashboard option controls while keeping the short descriptions visible below each title.
* Adds a visible Apache Static HTML Delivery (.htaccess) option that serves conservative queryless anonymous HTML cache aliases before PHP on Apache-compatible hosts.
* Writes stable `index-orig.html`, `index-webp.html`, and `index-avif.html` aliases beside hashed page-cache files, with source markers so purges do not delete unrelated aliases.
* Expands Browser Cache Headers .htaccess coverage for web manifests, AVIFS, WASM, EOT, audio/video files, and revalidation-oriented HTML/JSON/XML handling.
* Keeps Apache Static HTML Delivery separate from Browser Cache Headers and removes its managed rules on deactivation, plugin data cleanup, and uninstall.
* Removes UltraCache-managed Browser Cache Headers and Apache Static HTML .htaccess blocks during uninstall without touching rules outside those markers.
* Bumps release metadata from 2.59.06.74 to 2.59.06.75.

= 2.59.06.74 =
* Adds an opt-in "Bundle Generated Font-Mix CSS" control in CSS Delivery that consolidates UltraCache-generated `optimized-css/css-font-mix-*.css` stylesheet links into one ordered blocking CSS bundle.
* Keeps the generated font-mix bundle classified as layout-risk CSS so Async CSS diagnostics do not treat it as an async candidate.
* Adds WooCommerce-box info-icon help as a UI test, moving the individual WooCommerce option descriptions into native hover/focus titles while leaving the rest of the dashboard copy unchanged.
* Bumps release metadata from 2.59.06.73 to 2.59.06.74.

= 2.59.06.73 =
* Adds a visible WooCommerce cart-fragments behavior dropdown with Off, Delay request, and Suppress empty-cart execution modes.
* Adds an empty-cart cart-fragments suppression mode that prevents `wc-cart-fragments` execution on anonymous cacheable pages without WooCommerce cart/session cookies, while keeping cart, checkout, account, logged-in, and active cart/session-cookie contexts on normal WooCommerce behavior.
* Keeps cart-fragments Delay and Suppress empty-cart execution mutually exclusive during dashboard saves/imports.
* Bumps release metadata from 2.59.06.72 to 2.59.06.73.

= 2.59.06.72 =
* Reworks the WooCommerce dashboard card into "WooCommerce Controls" and moves WooCommerce Safe Mode into that section so WooCommerce cache safety, request timing, and cleanup controls live together.
* Adds a visible WooCommerce frontend strategy dropdown with Off, Safe, Balanced, Aggressive, and Custom presets that write the existing cart-fragments delay and WooCommerce asset-cleanup toggles instead of adding a hidden runtime switch.
* Renames the cart-fragments timing control to "WooCommerce release timer" to mirror the general Delayed JS timing model.
* Bumps release metadata from 2.59.06.71 to 2.59.06.72.

= 2.59.06.71 =
* Renames the "Safe Asset Cleanup" dashboard card to "WooCommerce Asset Timing" so the section matches its WooCommerce-specific controls.
* Adds visible WooCommerce cart-fragments delay controls that can queue `get_refreshed_fragments` AJAX on anonymous cacheable pages and release it with the Delayed JS timing model or a WooCommerce-specific timer, while skipping logged-in, cart, checkout, account, and active cart/session-cookie contexts.
* Adds `assets/js/woocommerce-cart-fragments-delay.js` as the frontend helper for the new WooCommerce cart-fragments delay feature and keeps it protected as an UltraCache-owned helper script.
* Bumps release metadata from 2.59.06.70 to 2.59.06.71.

= 2.59.06.70 =
* Removes hidden runtime JavaScript safeguards for WordPress inline dependency blocks, GTM bootstrap snippets, and third-party dependency-library delay bypasses so Browser Scanner and Console Error Handler can propose visible "Defer Instead of Delay" or "Do Not Defer or Delay" safeguards from actual detected breakage.
* Moves inline analytics delay markers such as `gtag(`, `dataLayer`, and `gtm.start` into the visible Safe Third-Party Delay Patterns defaults instead of matching them through a private inline-script list.
* Removes hidden CSS and asset cleanup safeguards from CSS bundle exclusions, aggressive async CSS admin-asset blocking, frontend authoring asset stripping, and broad icon-font auto-detection; visible lists and scanner output are now authoritative, while UltraCache-owned helper JavaScript remains internally protected.
* Updates Delay icon fonts UI copy to clarify that only entries in the visible font pattern list are delayed.
* Bumps release metadata from 2.59.06.69 to 2.59.06.70. No files or directories were added or deleted.

= 2.59.06.69 =
* Makes the "Defer Instead of Delay" and "Do Not Defer or Delay" JavaScript safeguard lists mutually exclusive: appending to one removes overlapping entries from the other, paired saves send both final lists together, and settings sanitization removes remaining overlaps.
* Bumps release metadata from 2.59.06.68 to 2.59.06.69. No files or directories were added or deleted.

= 2.59.06.68 =
* Renames JavaScript safeguard action labels and scan status text so findings are described as appending to "Defer Instead of Delay" or "Do Not Defer or Delay" instead of the ambiguous "fallback exclusion" wording.
* Bumps release metadata from 2.59.06.67 to 2.59.06.68. No files or directories were added or deleted.

= 2.59.06.67 =
* Forces the Frontend JavaScript Manipulation safeguard editors for "Defer Instead of Delay" and "Do Not Defer or Delay" into a true two-column, one-row layout instead of relying on utility classes that could stack them vertically.
* Bumps release metadata from 2.59.06.66 to 2.59.06.67. No files or directories were added or deleted.

= 2.59.06.66 =
* Changes the Balanced and Aggressive profile default CSS bundle mode from Safe to Aggressive while keeping CSS bundling enabled and user-maintained CSS exclusions preserved.
* Keeps the Aggressive profile on native Defer as the base JavaScript strategy instead of broad Delay all JS, with targeted delay modules still enabled for speed.
* Makes the force-defer list act as "Defer Instead of Delay" across Delay all JS, targeted third-party delay, non-critical/local delay, LCP Boundary Delay, and delayed-placeholder restoration.
* Improves runtime JS diagnostics so missing WordPress/core globals suggest both the provider and the crashing consumer, filters UltraCache helper stack frames, detects duplicate-execution redeclare errors, and recognizes jQuery Migrate shorthand failures.
* Fixes pasted console parsing for jQuery Migrate shorthand failures where Chrome prefixes the TypeError with `jquery.min.js?...` and appends the `JQMIGRATE: Migrate is installed` notice, so the real error still produces a `jquery-migrate.min.js` suggestion.
* Lets Browser Scanner and Console Error Handler escalate persistent findings from "Defer Instead of Delay" to the stronger "Do Not Defer or Delay" fallback instead of hiding already-deferred suggestions.
* Updates the JavaScript safeguard UI to pair "Defer Instead of Delay" with the stronger "Do Not Defer or Delay" fallback and shared save/append controls.
* Bumps release metadata from 2.59.06.65 to 2.59.06.66. No files or directories were added or deleted.

= 2.59.06.64 =
* Fixes ordered delayed-JavaScript replay when another runtime removes, replaces, or independently restores an UltraCache placeholder while the loader is processing its original DOM snapshot.
* Replaces delayed placeholders atomically instead of inserting the executable script while the inert placeholder is still present.
* Skips detached placeholders and suppresses duplicate execution by preserved script ID or exact source URL plus execution mode; records skipped duplicate/detached counts on the document element for diagnostics.
* Makes the force-defer list act as "Defer Instead of Delay" across Delay all JS, targeted third-party delay, non-critical/local delay, LCP Boundary Delay, and delayed-placeholder restoration.
* Improves runtime JS diagnostics so missing WordPress/core globals suggest both the provider and the crashing consumer, filters UltraCache helper stack frames, detects duplicate-execution redeclare errors, and recognizes jQuery Migrate shorthand failures.
* Lets Browser Scanner and Console Error Handler escalate persistent findings from "Defer Instead of Delay" to the stronger "Do Not Defer or Delay" fallback instead of hiding already-deferred suggestions.
* Updates the JavaScript safeguard UI to pair "Defer Instead of Delay" with the stronger "Do Not Defer or Delay" fallback, and changes the Aggressive profile to use native Defer instead of broad Delay all JS.
* Bumps release metadata from 2.59.06.63 to 2.59.06.64. No files or directories were added or deleted.

= 2.59.06.63 =
* Prevents the CSS bundle source scan and final page warm loopbacks from receiving mod_pagespeed/ngx_pagespeed-rewritten HTML by sending the supported `PageSpeed: off` and backward-compatible `ModPagespeed: off` request headers.
* Requests unrewritten origin HTML for those internal operations so PageSpeed wrapper URLs such as `A.*.css.pagespeed.cf.*.css` are not passed to UltraCache cache-write validation when the server honors the supported per-request override.
* Bumps release metadata from 2.59.06.62 to 2.59.06.63. No files or directories were added or deleted.

= 2.59.06.62 =
* Fixes managed `wp-config.php` block replacement and uninstall removal so only the delimited block is removed while the surrounding line breaks are preserved; `<?php` can no longer be joined to the following `define()` statement.
* Strengthens candidate `wp-config.php` validation by requiring a normal full PHP opening tag, preventing malformed `<?phpdefine(...)` content from passing as a short opening tag plus an unknown `phpdefine()` call.
* Applies the same boundary-preserving removal and full-opening-tag validation to WordPress uninstall cleanup.
* Bumps release metadata from 2.59.06.61 to 2.59.06.62. No files or directories were added or deleted.

= 2.59.06.61 =
* Removes the standalone Redis manual-test control and its dedicated REST/action-queue surface so unsaved form values are no longer mixed with the already-bootstrapped object-cache runtime.
* Makes Save Redis Settings perform Redis connection, authentication, and read/write validation before changing wp-config.php, stored settings, or the generated object-cache drop-in; failed validation leaves the previous configuration untouched.
* Reloads after a verified Redis save, performs a one-time payload probe against the actually active backend, and labels the result with the tested backend.
* Replaces duplicate object-cache status rows with a concise runtime status, configured backend, Redis connection, PHP extension availability, backend-specific payload probe, and Redis prefix.
* Bumps release metadata from 2.59.06.60 to 2.59.06.61.

= 2.59.06.60 =
* Removes redundant Google-hosted Maps tile/static-host and reCAPTCHA static-host matcher fragments while retaining the existing Google Maps and reCAPTCHA entry-point patterns.
* Replaces the Google Fonts, dashboard heavy-action, and cron warm-up option-based locks with a shared token-guarded `ultracache_locks` table supporting atomic acquisition, expired-lock takeover, renewal, and owner-only release.
* Replaces the two remaining create-or-update `add_option()` branches with direct non-autoloaded `update_option()` calls, leaving no direct `add_option()` calls in UltraCache.
* Adds the lock table to activation, validated table handling, bounded expired-row cleanup, Delete All cleanup, and WordPress uninstall cleanup.
* Bumps release metadata from 2.59.06.59 to 2.59.06.60.

= 2.59.06.59 =
* Documents the two intentional `var_export( ..., true )` calls used to generate valid PHP string literals for UltraCache-managed `wp-config.php` password constants.
* Adds narrowly scoped PHPCS exceptions for `WordPress.PHP.DevelopmentFunctions.error_log_var_export`; the calls return strings and do not emit debug output.
* Bumps release metadata from 2.59.06.58 to 2.59.06.59. No runtime behavior, files, or directories were added or removed.

= 2.59.06.58 =
* Completes the final reviewer validation across declared URLs, WordPress-native asset enqueueing, remote dependency checks, path resolution, guarded storage, late escaping, prefixes/dynamic names, generated drop-ins, and full uninstall cleanup.
* Synchronizes the plugin header, runtime version constant, WordPress.org stable tag, and README current-version marker at 2.59.06.58.
* Regenerates `languages/ultracache.pot` from the current PHP and JavaScript sources, updates source references/header metadata, adds previously missing translatable strings, and removes obsolete catalog entries.
* Revalidates the AVIF Imagick/GD/WebP fallback policy and Safe CLS responsive-dimension safeguards without changing their runtime behavior.
* No runtime feature behavior, files, or directories were added or removed.

= 2.59.06.57 =
* Removes 221 `function_exists()` declaration wrappers and six `class_exists()` declaration wrappers from UltraCache-owned functions/classes, leaving guards only for the standard `WP_Object_Cache` and `wp_cache_*` drop-in symbols.
* Gives advanced-cache and object-cache internal helpers separate `ultracache_advanced_cache_*` and `ultracache_object_cache_*` names so both drop-ins can load without shared helper declarations or load-order fallbacks.
* Prefixes the remaining plugin-owned object-cache keys for action-job schema/rows, cron-warm schema, runtime JS diagnostic jobs, CSS rewrite-map rows, and payload diagnostics with `ultracache_`.
* Removes the unused case-only REST class alias and the duplicate admin `ultracache-root` element/lookup.
* Bumps release metadata from 2.59.06.56 to 2.59.06.57. No files or directories were added or deleted.

= 2.59.06.56 =
* Preserves every existing image `width` and `height` attribute instead of replacing percentage, `auto`, empty, zero, boolean, or otherwise non-numeric values with intrinsic pixel dimensions.
* Skips Safe CLS processing for an image when either existing dimension attribute is non-numeric, and skips inline `max-width: none` images without injecting plugin CSS or changing responsive styles.
* When exactly one positive numeric dimension exists, calculates only the missing dimension from the resolved intrinsic aspect ratio instead of copying the source image's full opposite dimension.
* Adds both intrinsic dimensions only when both attributes are absent, while leaving `srcset`, `sizes`, inline styles, classes, and responsive theme behavior unchanged.
* Extends the Safe CLS raster-image exclusion to SVGZ as well as SVG and bumps release metadata from 2.59.06.55 to 2.59.06.56. No files or directories were added or deleted.

= 2.59.06.55 =
* Makes AVIF conversion prefer Imagick first and use GD only when a real transparent/semi-transparent AVIF encode-and-decode probe verifies alpha preservation.
* Adds an equivalent real Imagick AVIF alpha probe instead of trusting format advertisement alone, so unusable AVIF codecs are not treated as supported.
* Falls back to WebP as the effective media output when neither Imagick nor GD can produce a verified alpha-safe AVIF file, and keeps WebP available as the per-image fallback when an AVIF file is missing.
* Detects the source image by its real MIME type as well as its extension, handles renamed PNG/JPEG files correctly, and rejects SVG/SVGZ from all raster conversion paths.
* Preserves alpha in the direct GD and Imagick conversion paths and updates media support/reset probe cache keys.
* Bumps release metadata from 2.59.06.54.01 to 2.59.06.55. No files or directories were added or deleted.

= 2.59.06.54.01 =
* Prevents the Delete Everything/deactivation and WordPress uninstall requests from recreating UltraCache-owned database state after cleanup by defining an explicit uninstall-in-progress guard before teardown.
* Skips deactivation-hook work, cache-asset/CSS-rewrite table creation, and object-cache flush-report persistence while the uninstall guard is active.
* Refactors uninstall table removal through a validated UltraCache-only helper, verifies each requested table is absent, and repeats the two affected table drops as the final full-cleanup operation.
* Deletes and re-verifies the final `ultracache_object_cache_last_flush_report`, `ultracache_cache_asset_refs_db_version`, and `ultracache_css_rewrite_map_db_version` options after drop-in/file cleanup.
* Bumps release metadata from 2.59.06.54 to 2.59.06.54.01. No files or directories were added or deleted.

= 2.59.06.54 =
* Removes the uniquely delimited UltraCache managed-constants block from the exact active `wp-config.php` during plugin uninstall, regardless of the selected data-retention policy.
* Resolves only the configuration file loaded by WordPress or authoritatively located by WP-CLI; no WordPress-root or parent-directory path guessing is added.
* Writes only through `WP_Filesystem::put_contents()`, validates the resulting PHP, verifies the update by SHA-256 read-back, and retains the original contents only in memory for immediate verified rollback.
* Leaves every `WP_CACHE`, `WP_REDIS_PASSWORD`, and `ULTRACACHE_VARNISH_PASSWORD` declaration outside the UltraCache managed block unchanged.
* Bumps release metadata from 2.59.06.53 to 2.59.06.54. No files or directories were added or deleted.

= 2.59.06.53 =
* Replaces every internal short-form plugin identifier with the full ultracache/ULTRACACHE prefix across PHP, JavaScript, generated drop-in templates, persistent keys, hooks, nonces, REST/AJAX integration, HTML identifiers, diagnostics, uninstall cleanup, translations, and documentation.
* Removes the unused action-queue option helper and obsolete action_jobs_rows_v1 cache cleanup.
* Bounds runtime JavaScript scan transient names with a fixed MD5 suffix.
* Corrects Delete All and uninstall cleanup for the active action-queue heavy lock, cron warm transient, and dynamic Google Fonts database locks while removing obsolete option cleanup entries.
* No migration, legacy aliases, fallback keys, files, or directories were added. A clean Delete All Data and reinstall is required for testing this pre-public refactor.

= 2.59.06.52 =
* Encodes all frontend helper configuration passed through `wp_add_inline_script()` with `JSON_HEX_TAG`, `JSON_HEX_AMP`, `JSON_HEX_APOS`, and `JSON_HEX_QUOT` to prevent inline-script context breakout across all five helper-data callers.
* Restricts the WordPress-engine full-page cache output path to canonical files inside `ULTRACACHE_CACHE_DIR` whose basename matches `index-(orig|avif|webp)-<32-character MD5>.html` before raw HTML output.
* Restricts the early `advanced-cache.php` drop-in output path to canonical files inside `ULTRACACHE_CACHE_DIR` using the same UltraCache filename format, allowing only the generated `.html`, `.html.gz`, and `.html.br` payloads.
* Documents the two intentional raw full-page cache output paths with narrow PHPCS exceptions; HTML escaping is not applied because it would corrupt the complete cached WordPress response.
* Bumps release metadata from 2.59.06.51 to 2.59.06.52. No files or directories were added or deleted.

= 2.59.06.51 =
* Removes the remaining native filesystem fallback branches from guarded reads, file metadata, directory listing/deletion, media optimized-file checks, runtime cleanup, diagnostics, font cleanup, profiling, warm-crawl cleanup, and uninstall cleanup. These paths now fail closed when WP_Filesystem is unavailable.
* Replaces `tempnam()` with WordPress `wp_tempnam()` and verifies that the returned temporary path remains inside the requested guarded directory.
* Removes confirmed unused helpers: `ultracache_safe_chmod()`, `ultracache_safe_stream_set_blocking()`, `ultracache_uninstall_home_path()`, `ultracache_json_encode_for_inline_script()`, `ultracache_content_cache_reference_matches()`, `ultracache_request_profile_hook_priority_details()`, `ultracache_font_css_file_diagnostics()`, and the obsolete native recursive-delete helper.
* Keeps all existing storage locations and runtime behavior otherwise unchanged. No files or directories were added or deleted.
* Bumps release metadata from 2.59.06.50 to 2.59.06.51.

= 2.59.06.50 =
* Removes the unused `ultracache_safe_copy()` helper and its native `copy()` fallback.
* Removes the native `file_put_contents()` fallback from `ultracache_safe_file_put_contents()`; generated UltraCache files now write only through `WP_Filesystem::put_contents()`.
* Removes the native `rename()` path from `ultracache_safe_rename()`; generated cache and drop-in temporary files now move into place only through `WP_Filesystem::move()`.
* Replaces the temporary `.htaccess` file and rename workflow with a direct `WP_Filesystem::put_contents()` write. UltraCache retains the original `.htaccess` content only in memory, verifies the new content by SHA-256 read-back, restores or removes the file if verification fails, and removes the obsolete temporary `.htaccess` writable-path allowance.
* Bumps release metadata from 2.59.06.49 to 2.59.06.50. No files or directories were added or deleted.

= 2.59.06.49 =
* Restores the Redis and Varnish password fields as explicit administrator controls. Saving a non-empty Redis password writes `WP_REDIS_PASSWORD`; saving a non-empty Varnish password writes `ULTRACACHE_VARNISH_PASSWORD`. Empty fields preserve existing managed values, and dedicated remove actions delete only UltraCache-managed values.
* Adds a uniquely delimited UltraCache managed-constants block to the active `wp-config.php`. Existing `WP_CACHE`, `WP_REDIS_PASSWORD`, or `ULTRACACHE_VARNISH_PASSWORD` definitions outside that block are never moved, replaced, or removed; externally managed password constants are reported as configured and remain read-only in the dashboard.
* Replaces the previous custom wp-config.php backup, temporary-file, native copy, native file-write, and native rename workflow. The new writer uses `WP_Filesystem::get_contents()` and `WP_Filesystem::put_contents()`, validates the generated PHP, verifies the written content by SHA-256 read-back, and retains the original content only in memory for immediate verified rollback.
* Adds combined settings/wp-config transaction handling. If page-cache, browser-cache, or object-cache synchronization fails after a constants update, UltraCache restores the previous settings and original wp-config.php content; an unverified rollback is surfaced as a dedicated error instead of being hidden by the original save failure.
* Generates constant values with safe PHP literals and validates managed-block parsing for quotes, backslashes, line breaks, duplicate definitions, external definitions, and the active `WP_CACHE` state.
* Password values remain excluded from WordPress options, dashboard responses, REST responses, WP-CLI output, diagnostics, logs, embedded runtime configuration, and generated cache drop-ins. Responses expose only configured/managed/external status flags.
* Updates REST permissions so password writes require both `manage_options` and `activate_plugins` plus the existing REST nonce. The dashboard never displays the stored value; a blank field means keep, while removal requires a separate explicit action.
* Removes the obsolete wp-config backup-registry cleanup entry rather than adding previous-version cleanup. No migration, legacy lookup, backward-compatibility layer, old-file cleanup, or old-option cleanup was added.
* Bumps release metadata from 2.59.06.48 to 2.59.06.49. No files or directories were added or deleted.

= 2.59.06.48 =
* Removes the generated executable runtime-secret PHP sidecar and all related path discovery, rendering, synchronization, protection, diagnostics, object-cache loading, and uninstall code. No replacement secret file is created.
* Redis authentication now uses only the standard `WP_REDIS_PASSWORD` constant from the active `wp-config.php`. Scalar passwords and Redis ACL arrays containing username/password are supported; `WP_REDIS_USERNAME` remains an optional scalar username source.
* Varnish authentication now uses only the uniquely prefixed `ULTRACACHE_VARNISH_PASSWORD` constant from the active `wp-config.php`.
* Derives the early-runtime revalidation/control secret deterministically from the existing WordPress authentication keys and salts, so no additional secret needs to be persisted in the database or filesystem.
* Updates `advanced-cache.php` and `object-cache.php` generation so early Redis authentication and runtime-control validation read constants/salts directly, without requiring a generated secret include.
* Removes Redis and Varnish password inputs from REST update/test schemas and WP-CLI mutation paths. Dashboard fields are read-only status indicators, and client/API/CLI responses expose only configured yes/no flags.
* Forces any transient dashboard password keys to remain blank before option persistence. Runtime consumers hydrate credentials from constants only; diagnostics and logs expose no secret values.
* Updates readme documentation with the required `WP_REDIS_PASSWORD` and `ULTRACACHE_VARNISH_PASSWORD` definitions.
* Bumps release metadata from 2.59.06.47 to 2.59.06.48. No files or directories were added or deleted. No migration, legacy cleanup, backward-compatibility layer, or old-secret-file removal was added.

= 2.59.06.47 =
* Removes the generated executable `runtime-config.php` sidecar and its JSON predecessor. UltraCache no longer writes, loads, protects, reconciles, or cleans a standalone runtime configuration file.
* Embeds the normalized secret-free early page-cache configuration directly into the standard WordPress `advanced-cache.php` drop-in as a JSON-decoded array generated at drop-in build time.
* Adds an SHA-256 embedded-configuration marker to `advanced-cache.php`; drop-in status and diagnostics now verify that the embedded configuration matches the current dashboard settings.
* Removes the dedicated runtime-config bootstrap hook, file synchronization cycle, protection-file generation, warm-up sync call, path helper, diagnostics path card, and uninstall cleanup associated with the deleted sidecar architecture.
* Preserves the current runtime secret file architecture unchanged for the following dedicated secret-constants stage. Redis/Varnish password storage and wp-config.php writing are outside this patch.
* Updates dashboard diagnostics to report `embedded_in_advanced_cache` configuration instead of a runtime-config.php file.
* Bumps release metadata from 2.59.06.46.02 to 2.59.06.47. No files or directories were added or deleted. No migration, legacy lookup, or backward-compatibility fallback was added.

= 2.59.06.46.02 =
* Corrective validation patch for the final path-refactor test. `ultracache_wordpress_admin_include_path()` now rejects any value containing `/` or `\` before basename normalization and allowlist matching, so values such as `../file.php` cannot be reduced to an approved filename.
* includes/core/functions.php: extends `ultracache_loaded_wp_config_path()` for WP-CLI. Normal web requests continue to use PHP's loaded-file list; WP-CLI requests use `WP_CLI\Utils\locate_wp_config()` because WP-CLI evaluates wp-config.php instead of including it. UltraCache adds no ABSPATH/root/parent search fallback.
* The existing wp-config read/write, backup, temporary-file, atomic-replace, capability, and guard behavior remains unchanged. The exact path returned by either authoritative runtime source continues to be the only primary config accepted by UltraCache's companion-path guard.
* Bumps release metadata from 2.59.06.46.01 to 2.59.06.46.02. No files or directories were added or deleted.

= 2.59.06.46.01 =
* Corrective public-path compliance patch after the 2.59.06.46 scan. Functional plugin, theme, uploads, wp-includes, and wp-admin URL matching no longer assumes default directory names such as `/plugins/`, `/themes/`, `/uploads/`, `/wp-includes/`, or `/wp-admin/`.
* includes/core/functions.php: adds `ultracache_wordpress_includes_public_path()` and `ultracache_wordpress_admin_public_path()`, resolving root-relative WordPress core/admin public paths through `includes_url()` and `admin_url()` while preserving file-versus-directory references.
* JavaScript optimization, LCP protection, runtime scanning, cache bypass, diagnostics, and default dependency exclusions now consume dynamic WordPress public-path resolvers. Plugin-specific CDN heuristics retain only owner/slug fragments such as `/woocommerce/assets/`; they no longer assume the configured plugins root name.
* includes/admin/class-admin-trait.php and includes/admin-dashboard.js: expose resolved public paths through the existing `wp_add_inline_script()` configuration and use them for WooCommerce matching and path examples. Dead profile copies of preserved path settings were removed.
* Product-filter, Slider Revolution, Elementor, Divi, WooCommerce, WordPress core JS, generated-assets, uploads, plugin, and theme references now derive from WordPress APIs. No remote request, asset load, storage location, cache key, setting key, migration, or compatibility fallback was added.
* Bumps release metadata from 2.59.06.46 to 2.59.06.46.01. No files or directories were added or deleted.

= 2.59.06.46 =
* Final path-compliance scan: verifies that active PHP code contains no `WP_CONTENT_DIR` or `WP_PLUGIN_DIR` references, no hardcoded plugin/uploads filesystem roots, and no `ABSPATH`-based wp-config.php assumptions. Direct-access guards remain unchanged; the unavoidable WordPress core-root `ABSPATH` and `WPINC` uses remain isolated in their documented canonical resolvers.
* includes/core/functions.php: adds `ultracache_mu_plugins_root_dir()` and `ultracache_mu_plugins_root_url()` as the only access points for WordPress's configurable must-use plugin path/URL constants, because WordPress exposes no public helpers for those roots. Font scanning, path-to-URL conversion, profiler ownership, and readable-root guards now consume the centralized resolvers instead of reading `WPMU_PLUGIN_DIR` / `WPMU_PLUGIN_URL` directly.
* readme.txt and README.md: replaces default-layout examples such as `wp-content/uploads/...` and `/wp-content/plugins/` with wording based on the active WordPress uploads/plugins directories, so the documentation remains correct for custom content, uploads, and plugin locations.
* ultracache.php: replaces the object-cache failure message's literal `wp-content/object-cache.php` reference with the WordPress content-directory location, preserving the same error condition and action.
* This patch does not change any storage location, generated URL, cache key, drop-in location, wp-config.php behavior, runtime-secret behavior, setting, or uninstall policy. No migration, legacy lookup, compatibility fallback, file move, or directory move was added.
* Bumps the plugin version and release metadata from 2.59.06.45 to 2.59.06.46. No files or directories were added or deleted.

= 2.59.06.45 =
* includes/core/functions.php: adds `ultracache_loaded_wp_config_path()` to resolve the exact `wp-config.php` file already loaded by the current WordPress request through PHP's authoritative `get_included_files()` list. The plugin no longer assumes that wp-config.php is under the WordPress core root or one directory above it. No root/parent fallback search is retained.
* includes/core/functions.php: adds `ultracache_is_loaded_wp_config_companion_path()` and updates readable, writable, and destructive path guards so wp-config access is limited to the actually loaded config file and UltraCache's existing temporary/backup filename patterns in that exact directory. The write, backup, temporary-file, and atomic-replace behavior itself is intentionally unchanged for the separate reviewer finding.
* ultracache.php: changes `get_wp_config_path()` to consume the loaded-config resolver while preserving the existing readability check, error handling, WP_CACHE parser, and enable/disable workflow.
* Removes the final wp-config root/parent path assumptions from the active runtime. Existing WordPress core-root helpers remain only for genuine core paths and includes.
* This patch changes wp-config.php path discovery only. It does not alter wp-config.php contents, backup retention, temporary files, atomic writes, runtime secrets, cache storage, drop-ins, settings, or uninstall policy. No migration, legacy lookup, compatibility fallback, file move, or directory move was added.
* Bumps the plugin version and release metadata from 2.59.06.44 to 2.59.06.45. No files or directories were added or deleted.

= 2.59.06.44 =
* includes/core/functions.php: adds `ultracache_wordpress_admin_include_path()` and `ultracache_require_wordpress_admin_include()` as the single approved resolver/loader for the WordPress core admin files used by UltraCache (`file.php`, `image.php`, `plugin.php`, and `upgrade.php`). The unavoidable WordPress core-root `ABSPATH` dependency is isolated in `ultracache_wordpress_core_root_dir()`; callers no longer concatenate `ABSPATH . 'wp-admin/includes/...'` themselves.
* UltraCache table installers, image-editor diagnostics, plugin inventory/deactivation, home-path discovery, and WP_Filesystem initialization now load their required WordPress core APIs through the centralized helper. Existing functions, timing, database schemas, and failure returns remain unchanged.
* includes/core/functions.php and ultracache.php: replaces remaining non-guard WordPress-root uses for cron-command generation, runtime path identity, and existing wp-config.php candidate construction with `ultracache_wordpress_core_root_dir()`. This changes path discovery only; wp-config.php read/write behavior is intentionally unchanged for its later dedicated reviewer-compliance design.
* uninstall.php: adds uninstall-local WordPress core/admin include resolvers and removes repeated direct `ABSPATH . 'wp-admin/includes/file.php'` construction. The single unavoidable uninstall `ABSPATH` read is isolated and documented.
* Direct-access guards and generated runtime-file guards using `defined('ABSPATH')` remain unchanged because they are access-control checks, not file/directory location logic. `WPINC` remains isolated in the existing canonical wp-includes resolver.
* This patch does not change storage locations, drop-ins, runtime secrets, wp-config.php behavior, cache behavior, settings, or uninstall policy. No migration, legacy lookup, compatibility fallback, file move, or directory move was added.
* Bumps the plugin version and release metadata from 2.59.06.43 to 2.59.06.44. No files or directories were added or deleted.

= 2.59.06.43 =
* includes/core/functions.php: changes `ultracache_runtime_config_storage_dir()` from direct `WP_CONTENT_DIR` concatenation to the existing `ultracache_wordpress_content_dir()` resolver backed by `WP_Filesystem_Base::wp_content_dir()`. `runtime-config.php` and `runtime-config.json` remain at the same WordPress content-directory `cache/ultracache/` location; this patch changes path discovery only.
* includes/core/functions.php: removes the remaining direct `WP_CONTENT_DIR` candidate from runtime-secret path discovery and uses the centralized WordPress content-directory resolver instead. Runtime-secret location, file format, protection, and read/write behavior remain unchanged for their later dedicated reviewer-remediation stage.
* readme.txt and README.md: describe required cache drop-ins as residing in the WordPress content directory without presenting the internal `WP_CONTENT_DIR` constant as the integration path.
* Removes all active PHP references to `WP_CONTENT_DIR` while retaining required WordPress-core `ABSPATH`/`WPINC` use, wp-config.php discovery, and the current runtime configuration architecture for their separate roadmap stages.
* This patch does not move files, create migration logic, add fallback paths, alter settings, modify wp-config.php, or change cache/runtime behavior.
* Bumps the plugin version and release metadata from 2.59.06.42 to 2.59.06.43. No files or directories were added or deleted.

= 2.59.06.42 =
* uninstall.php: replaces direct `WP_CONTENT_DIR` use for `advanced-cache.php` and `object-cache.php` with `ultracache_uninstall_wordpress_content_dir()`, which resolves the active WordPress content directory through `WP_Filesystem_Base::wp_content_dir()` before constructing the required drop-in paths.
* uninstall.php: centralizes the current runtime-config cleanup path through `ultracache_uninstall_runtime_config_storage_dir()` instead of directly concatenating `WP_CONTENT_DIR . '/cache/ultracache/'`. The runtime-config files remain in their existing location until the later dedicated runtime-configuration storage stage.
* uninstall.php: routes generated CSS/font/deferred-JS cleanup through the existing WordPress uploads resolver, so uninstall uses the same `uploads/ultracache/...` roots as runtime writers and does not carry legacy cache-directory lookup or migration logic.
* uninstall.php: removes redundant `ABSPATH` and `WP_CONTENT_DIR` candidates from runtime-secret path identity and uses the WordPress home/content resolvers instead. WordPress core include paths that officially require `ABSPATH` remain unchanged.
* This patch changes uninstall path resolution only. Runtime storage, wp-config.php modification behavior, runtime-secret architecture, cache operation, generated-asset generation, and plugin settings are unchanged. No migration, legacy path lookup, compatibility fallback, file move, or directory move was added.
* Bumps the plugin version and release metadata from 2.59.06.41 to 2.59.06.42. No files or directories were added or deleted.

= 2.59.06.41 =
* includes/core/functions.php: replaces UltraCache's direct `WP_CONTENT_DIR` cache-drop-in resolver with `ultracache_wordpress_content_dir()`, which obtains the active WordPress content-directory path from `WP_Filesystem_Base::wp_content_dir()`. `advanced-cache.php` and `object-cache.php` remain in the WordPress-required content-directory root.
* includes/core/functions.php: adds dedicated WordPress Filesystem helpers for cache-drop-in existence, reads, atomic replacement, deletion, backup copying, size, and modification time. Drop-in operations no longer use UltraCache's generic filesystem wrappers or native PHP fallback operations.
* includes/engine/class-engine-dropin-lifecycle-trait.php: routes advanced-cache.php status, comparison, installation, replacement, and removal through the dedicated WP_Filesystem drop-in API. The generated drop-in contents and runtime behavior are unchanged.
* includes/class-object-cache-manager.php: routes object-cache.php status, ownership verification, installation, replacement, and removal through the same dedicated WP_Filesystem drop-in API. Object-cache backend selection and runtime configuration are unchanged.
* includes/settings/class-settings-trait.php: resolves drop-in conflicts through the canonical Filesystem API path, reads metadata through WP_Filesystem, and performs optional backup/copy/delete operations through the same filesystem transport. Removes the direct `WP_CONTENT_DIR` availability checks from active drop-in management.
* includes/diagnostics/class-diagnostics-trait.php and includes/cli/class-wp-cli-settings-stats-trait.php: use the canonical drop-in existence helper instead of native filesystem checks.
* This patch changes only cache-drop-in path resolution and lifecycle I/O. Page-cache/object-cache data storage, generated assets, runtime-config.php, runtime secrets, wp-config.php handling, and uninstall cleanup remain assigned to their separate roadmap stages. No migration, legacy path lookup, or compatibility fallback was added.
* Bumps the plugin version and release metadata from 2.59.06.40 to 2.59.06.41. No files or directories were added or deleted.

= 2.59.06.40 =
* includes/core/functions.php: changes the canonical page-cache root from `wp-content/cache/ultracache/` to the WordPress-resolved `uploads/ultracache/cache/` path and changes disk object-cache storage from `wp-content/cache/ultracache-objects/` to `uploads/ultracache/object-cache/`.
* templates/advanced-cache.php.tpl and includes/engine/class-engine-dropin-lifecycle-trait.php: replace hardcoded `WP_CONTENT_DIR` cache paths with build-time injected, WordPress-resolved cache and runtime-config paths. The advanced-cache drop-in location itself remains unchanged under the WordPress content directory.
* Page-cache HTML, compressed variants, locks, temporary media files, drop-in backups, diagnostics profiles, and the legacy file analytics buffer now resolve below `uploads/ultracache/cache/`. Existing files are not moved or read from legacy paths.
* ultracache.php: keeps `runtime-config.php` and its protection files at their current dedicated path until the later runtime-configuration storage stage, so executable runtime configuration is not moved into uploads.
* uninstall.php: updates clean-install cleanup roots to the new uploads page-cache and disk-object-cache directories, with no migration or legacy cache cleanup logic.
* readme.txt and README.md: document the new WordPress uploads-based cache and object-cache layout.
* Bumps the plugin version and release metadata from 2.59.06.39 to 2.59.06.40. No files or directories were added or deleted.

= 2.59.06.39 =
* includes/diagnostics/class-diagnostics-trait.php: replaces stale font-pipeline, CSS-bundle storage, and CSS-bundle summary readers that still looked under the internal page-cache directory with `ultracache_generated_asset_dir()` calls. Diagnostics now inspect the same WordPress uploads locations used by the writers for css-bundles, font-css, optimized-css, google-fonts, and the CSS bundle manifest.
* includes/cli/class-wp-cli-settings-stats-trait.php: changes the WP-CLI CSS bundle self-test from `wp-content/cache/ultracache/css-bundles/manifest.json` to the canonical `uploads/ultracache/css-bundles/manifest.json` path resolved through `ultracache_generated_asset_dir()`.
* ultracache.php, uninstall.php: adds the `deferred-inline-js` bucket to Delete All and uninstall generated-runtime cleanup so every ephemeral browser-loaded generated asset directory is covered. Persistent optimized AVIF/WebP files under `uploads/ultracache/images` remain intentionally excluded.
* Confirms that all active generated-asset writers already use the centralized WordPress uploads helpers introduced before this patch: CSS bundles, optimized CSS, font CSS, localized Google Fonts, deferred inline JavaScript, and optimized images remain under `uploads/ultracache/...`. This patch removes the remaining stale cache-root readers; it does not move files and adds no legacy lookup, migration, or fallback path.
* Page-cache, disk-object-cache, logs/analytics, drop-ins, wp-config.php, and runtime-secret storage remain unchanged for their dedicated roadmap stages.
* Bumps the plugin version and release metadata from 2.59.06.38 to 2.59.06.39. No files or directories were added or deleted.

= 2.59.06.38 =
* includes/core/functions.php: adds `ultracache_plugin_dir()` and `ultracache_plugin_url()` as the single WordPress-native resolver pair for UltraCache-owned files and URLs. Both are derived from `ULTRACACHE_FILE` through `plugin_dir_path()` / `plugin_dir_url()` and sanitize all optional relative paths.
* ultracache.php, includes/class-media-converter.php, includes/class-object-cache-manager.php, includes/admin/class-admin-trait.php, includes/diagnostics/class-diagnostics-trait.php, includes/engine/class-engine-dropin-lifecycle-trait.php, includes/engine/class-engine-frontend-assets-trait.php: replaces runtime concatenation of `ULTRACACHE_PATH`, `ULTRACACHE_URL`, and direct `plugins_url()` calls with the centralized plugin path/URL helpers. The initial bootstrap include remains based on the main-file constants because the helper file must load first.
* includes/core/functions.php: adds `ultracache_uploads_storage_dir()` and `ultracache_uploads_storage_url()` as the single filesystem/URL joiners for WordPress uploads. They consume the existing `ultracache_uploads_base_info()` result and preserve custom uploads directories, custom uploads URLs, multisite paths, and URL-encoded relative segments.
* includes/core/functions.php: routes generated CSS/JS/font assets, optimized image paths, uploads public-path markers, and their URLs through the centralized uploads helpers without changing their current `uploads/ultracache/...` locations.
* includes/engine/class-engine-media-image-trait.php, includes/media/class-media-html-rewrite-trait.php, includes/media/class-media-path-url-trait.php, includes/media/class-media-queue-trait.php: replaces seven direct `wp_get_upload_dir()` reads with `ultracache_uploads_base_info()` so media resolution, HTML rewriting, on-demand queue discovery, and attachment lookup share the same normalized uploads identity.
* This patch only centralizes path resolution. Page-cache, disk-object-cache, logs, analytics, drop-in, wp-config.php, and runtime-secret storage locations remain unchanged for their dedicated roadmap stages. No migration, legacy lookup, compatibility fallback, file move, or directory move is added.
* Bumps the plugin version and release metadata from 2.59.06.37 to 2.59.06.38. No files or directories were added or deleted.

= 2.59.06.37 =
* includes/core/functions.php: adds centralized WordPress-aware resolvers for the standard plugins root, WordPress core root, and wp-includes directory. The plugins root is now derived from the main plugin file through plugin_dir_path(), while the unavoidable core-root ABSPATH/WPINC use is isolated and documented in one place.
* includes/core/functions.php: replaces every active WP_PLUGIN_DIR use in installed-plugin resolution, font scanning, public URL/path mapping, readable-root allowlists, and callback profiling with the centralized plugins-root resolver. Callback profiling now classifies uploads through wp_upload_dir() data instead of a generic WP_CONTENT_DIR path.
* includes/core/functions.php, includes/diagnostics/class-diagnostics-trait.php: changes diagnostic path classification/redaction from direct WP_CONTENT_DIR/ABSPATH comparisons to known plugin, theme, uploads, WordPress-core, and document-root resolvers. No absolute server paths are exposed.
* includes/core/functions.php, includes/class-object-cache-manager.php, includes/engine/class-engine-analytics-trait.php: replaces filesystem-path-based Redis, APCu, and analytics namespace seeds with one installation-stable identity based on database identity, table prefix, and multisite network constants.
* templates/object-cache.php.tpl, templates/advanced-cache.php.tpl, includes/engine/class-engine-dropin-lifecycle-trait.php: injects the same non-filesystem namespace seed into generated drop-ins so dashboard/runtime diagnostics and drop-in cache operations use identical Redis/APCu/analytics prefixes.
* Namespace keys intentionally change in this clean-install pre-public build. No legacy-prefix lookup, cache-key migration, or backward-compatibility fallback is added.
* Existing page-cache, disk-object-cache, generated-asset, drop-in, wp-config.php, and runtime-secret storage locations remain unchanged for their later dedicated roadmap stages.
* Bumps the plugin version and release metadata from 2.59.06.36 to 2.59.06.37. No files or directories were added or deleted.

= 2.59.06.36 =
* includes/admin-dashboard.js, PERFORMANCE_PROFILES: removes the three dead Safe, Balanced, and Aggressive copies of `delayFunctionalThirdPartyJsPatterns`. Profile application already preserves this user-editable setting through `PERFORMANCE_PROFILE_PRESERVED_SETTING_KEYS`, so these copied values were never applied.
* Keeps the canonical PHP default matching-fragment list unchanged for installation defaults, reset/default restoration, and the dashboard Populate action. The listed third-party domains are detection patterns for scripts already present on the site; UltraCache does not request or load files from those providers.
* Bumps the plugin version and release metadata from 2.59.06.35 to 2.59.06.36. No files or directories were added or deleted, and runtime behavior is unchanged.

= 2.59.06.35 =
* includes/engine/class-engine-js-optimization-trait.php, build_deferred_external_inline_script_tag(): replaces the manually compiled `<script src="..." defer>` markup for generated deferred inline-JS assets with `wp_get_script_tag()`, while preserving the generated asset URL, defer state, original attributes, and UltraCache metadata.
* includes/engine/class-engine-js-optimization-trait.php, restore_delayed_script_record_tag(): replaces manual opening/closing script reconstruction with `wp_get_script_tag()` for external scripts and `wp_get_inline_script_tag()` for inline scripts, while preserving the restored source, body, nonce, integrity, crossorigin, referrer policy, ID, and other valid original attributes.
* includes/engine/class-engine-js-optimization-trait.php, build_delayed_script_tag(): replaces manually concatenated delayed external-script placeholder markup with `wp_get_script_tag()` and passes unescaped attribute values to WordPress so core performs final attribute serialization and escaping.
* includes/engine/class-engine-js-optimization-trait.php, build_delayed_inline_script_tag(): replaces manually concatenated delayed inline-script placeholder markup with `wp_get_inline_script_tag()` and lets WordPress serialize both the placeholder attributes and inline body.
* includes/engine/class-engine-js-optimization-trait.php, apply_delayed_script_replacements_with_processor(): removes the unreachable `'<script>'` default value from the required record opening tag, eliminating the reviewer-detected raw script literal without adding a fallback path.
* includes/engine/class-engine-js-optimization-trait.php, collect_js_inline_dependency_defer_recommendations(): stops rebuilding a temporary `<script>` opening tag only to inspect its ID and reads the ID from the complete regex-matched tag instead.
* Removes the related NonEnqueuedScript PHPCS suppressions because the affected final-HTML transformations now use the WordPress 5.7+ script-tag APIs. Existing plugin-owned admin and frontend files continue to load through `wp_register_script()`, `wp_enqueue_script()`, and `wp_add_inline_script()`.
* Bumps the plugin version and release metadata from 2.59.06.34 to 2.59.06.35. No files or directories were added or deleted.

= 2.59.06.34 =
* Corrects the PayPal Terms and Privacy URLs in readme.txt and README.md to the working US Legal Hub URLs.
* Bumps the plugin version and release metadata from 2.59.06.33 to 2.59.06.34.

= 2.59.06.33 =
* ultracache.php lines 6 and 21: bumps the plugin header and ULTRACACHE_VERSION constant from 2.59.06.32 to 2.59.06.33.
* ultracache.php lines 1015-1023: replaces duplicated ABSPATH-based runtime-secret token/path construction with the shared ultracache_get_runtime_secret_site_token() and ultracache_get_runtime_secret_path() helpers.
* ultracache.php lines 3915-3918: resolves the browser-cache .htaccess from get_home_path() through ultracache_get_wordpress_home_path(), so WordPress subdirectory installations update the public home root instead of ABSPATH.
* includes/core/functions.php lines 608-704: adds shared WordPress-home, effective document-root, stable runtime-secret token, and canonical outside-document-root runtime-secret path helpers.
* includes/core/functions.php lines 706-775: resolves installed plugin roots from get_plugins() real main-file entries, then uses plugin_dir_path() and plugin_dir_url() instead of concatenating a slug directly onto WP_PLUGIN_DIR/plugins_url().
* includes/core/functions.php lines 2596-2599 and 2906-2909: replaces dirname(dirname(__DIR__)) own-plugin root discovery with the existing ULTRACACHE_PATH constant.
* includes/core/functions.php lines 2993-2997: validates readable root server configuration files against the WordPress home path instead of ABSPATH.
* includes/core/functions.php lines 3013-3018: makes the runtime-secret filesystem guard consume the shared canonical runtime-secret path helper.
* includes/core/functions.php lines 3175-3179: validates browser-cache .htaccess writes against the WordPress home path instead of ABSPATH.
* includes/class-object-cache-manager.php lines 252-258: makes object-cache Redis secret loading use the same shared runtime-secret token/path helpers as the main plugin.
* includes/settings/class-settings-trait.php lines 1204-1209: detects installed W3 Total Cache-related plugins through the WordPress get_plugins() inventory helper instead of file_exists(WP_PLUGIN_DIR . slug).
* includes/rest/class-rest-profiler-trait.php lines 3623-3627, 3647-3656, and 3962-3973: removes direct WP_PLUGIN_DIR + slug fallbacks from runtime JS discovery and resolves plugin roots only through the installed-plugin main-file helper.
* includes/diagnostics/class-diagnostics-trait.php lines 1332, 1360, 1392, 1409, and 1418: reports secret-file document-root placement against the effective server document root instead of ABSPATH string-prefix checks.
* includes/diagnostics/class-diagnostics-trait.php lines 2273-2275 and 2300: reports the shared effective server document root in server diagnostics.
* uninstall.php lines 33-83 and 451-457: computes uninstall-time runtime-secret cleanup from get_home_path()/DOCUMENT_ROOT using the same canonical outside-document-root location rules.
* readme.txt line 8 and README.md line 3: updates release metadata to 2.59.06.33.
* No files or directories were added or deleted. WordPress core include paths, wp-config.php discovery, WP_CONTENT_DIR drop-ins/cache storage, and ABSPATH . WPINC core asset mapping remain intentionally unchanged.

= 2.59.06.32 =
* Removes the generic diagnostic database query wrappers that passed prepared SQL through an opaque `$query` parameter.
* Executes the analytics table and MySQL variable diagnostics through direct, scoped `$wpdb` calls with placeholders where values or identifiers are dynamic.
* Keeps database error suppression and unavailable-value behavior unchanged; no cache, analytics collection, or frontend runtime behavior changes.

= 2.59.06.31 =
* Corrects the first two Console Error Suggestion actions so they append to the unsaved JS Delay / Defer Exclusions draft instead of Defer those scripts.
* Renames those actions to Add This Script Exclusions and Add Full Dependency Chain to Exclusions.
* Keeps the two delay actions appending to the unsaved Safe Third-Party Delay Patterns draft; per-finding button hiding remains unchanged.

= 2.59.06.30 =
* Replaces the two per-result JS scanner append buttons with four choices: defer this script, defer the full discovered owner chain, delay this script, or delay the full discovered owner chain.
* Appends the selected pattern only to the corresponding unsaved textarea draft; the other three buttons disappear only for that finding, while other findings remain unchanged.
* Removes the provider-contact disclaimer text from Safe Third-Party Delay Patterns and Known Functional Third-Party Delay Patterns.

= 2.59.06.29 =
* Removes same-request manual CSS bundle tag generation when a page bundle is built too late for WordPress enqueue.
* Applies page CSS bundle replacement only when the WordPress-enqueued bundle markup is present in the rendered HTML.
* Preserves the original stylesheet links unchanged when the enqueued bundle markup is missing; the generated bundle is used on a later request through normal enqueue.

= 2.59.06.25 =
* Renames per-result scanner Append buttons to Append to exclusions.
* Adds per-result Append to Safe Third-Party Delay Patterns buttons for Browser Runtime Error scans and Console Error Suggestions.
* Uses 5px button margins and appends to the existing delaySafeThirdPartyJsPatterns setting without changing scanner logic.

= 2.59.06.24 =
* Hardens DB diagnostics so optional database probes suppress visible WordPress database errors and return Unavailable when unsupported.
* Removes the unsafe SELECT @@query_cache_size fallback for MySQL 8 compatibility.
* Keeps the change limited to DB diagnostics; no cache/runtime behavior changes.

= 2.59.06.23 =
* Renames the UI setting from Delay icon font-face blocks to Delay icon fonts.
* Merges Auto-detect likely icon fonts into Delay icon fonts so the single visible switch enables both the delayed icon-font feature and its broad icon-font detection.
* Keeps the existing internal settings synchronized for profiles and saves: enabling Delay icon fonts also enables delayIconFontsAutoDetectEnabled; disabling it turns both off.

= 2.59.06.22 =
* Removes the Populate Defaults and Download CSS JSON buttons from CSS Bundle Exclusions & Diagnostics.
* Keeps Run CSS Diagnostics, Clear CSS Result, and Save Exclusions available; no runtime behavior changes.

= 2.59.06.21 =
* Replaces the separate Gzip and Brotli cache compression switches with a single HTML Compression dropdown while keeping the same internal settings.
* Runs server-compression detection only when an admin selects UltraCache gzip or Brotli compression, and keeps compression off when server-side gzip or Brotli is already active.

= 2.59.06.20 =
* Updates changelog.txt with the reviewer-hardening changes from the 2.59.06.15 through 2.59.06.20 cycle.
* Keeps readme.txt and README.md free of changelog sections; changelog history remains in changelog.txt only.
* No runtime behavior changes.

= 2.59.06.19 =
* Fixes fresh-install drop-in conflict detection so current UltraCache advanced-cache.php and object-cache.php markers are recognized as UltraCache-managed.
* Limits guarded drop-in owner reads to the exact WordPress drop-in paths instead of broad wp-content access.
* Adds the current object-cache drop-in marker used by the owner detector; no legacy marker compatibility was added.

= 2.59.06.18 =
* Adds reviewer-facing comments for unavoidable final rendered HTML rewrites where wp_enqueue_style() or wp_enqueue_script() cannot apply after resources have already been printed.
* Clarifies that late admin print hooks only dequeue conflicting third-party admin assets and do not print scripts.
* No runtime behavior changes.

= 2.59.06.17 =
* Replaces hardcoded generated upload URL/path checks with helpers based on WordPress upload directory data and UltraCache generated-asset helpers.
* Replaces broad wp-content readable-root logic with explicit plugin, mu-plugin, theme, uploads, cache, and core include roots.
* Replaces direct ABSPATH-relative URL-to-file mapping with the central local URL resolver.

= 2.59.06.16 =
* Adds Async external CSS for stylesheet links whose host is different from the current site host.
* Places the Async external CSS switch in CSS Delivery above Aggressive Async CSS and adds a visible exclusion field in CSS Bundle Exclusions & Diagnostics.
* Ensures async external CSS wins over CSS bundling so external stylesheets are not bundled when converted to async CSS.

= 2.59.06.15 =
* Adds a diagnostic-only fallback output buffer for valid store-profile requests when the WordPress template enhancement output-buffer callback does not run.
* Saves a skipped diagnostic profile with output-buffer-callback-not-run when neither the normal callback nor the fallback can produce a profile.
* Improves diagnostic profile headers and dashboard messaging for missing STORE profile JSON cases.

= 2.59.06.14 =
* Plugin Check: write the CSS rewrite-map atomic upsert with inline `$wpdb->prepare()` inside `$wpdb->query()` so the prepared-SQL sniff can verify it directly.

= 2.59.06.13 =
- Defers the automatic Local Google Fonts rebuild triggered by the toggle so settings save can finish first and the rebuild starts as a background dashboard queue job without blocking the UI flow.

= 2.59.06.11 =
- Cleans UltraCache-owned runtime options and transient prefixes during uninstall/Delete all data, including ultracache_* and ultracache_* transient rows.
- Removes generated runtime CSS/font directories under uploads/ultracache during full cleanup: css-bundles, font-css, google-fonts, and optimized-css.
- Keeps persistent optimized image derivatives under uploads/ultracache/images by design.
- Keeps the Media Optimization Image Output Format dropdown from 2.59.06.09 and the exact-file warm verification from 2.59.06.10.

= 2.59.06.07 =
- Matches CSS bundle sources using canonical URL variants so source URLs with ?ver= can match css_rewrite_map rows stored without query args.
- Allows optimized-css/font-css generated links to be recognized as aliases of their original manifest sources during page CSS bundle replacement.
- Keeps the change limited to CSS bundle source matching; no generated path, profile, JS, or font-build behavior changes.

= 2.59.06.04 =
- Builds page CSS bundle markup from the existing manifest when the WordPress-enqueued bundle tag is absent from the final cache rewrite buffer.
- Fixes warm-up results where a CSS bundle was built but the cached HTML still had no css-bundles reference.
- Keeps the fix limited to page CSS bundle insertion/replacement; no CSS profile, generated path, or JS/font behavior changes.

= 2.59.06.02 =
- Writes runtime generated font-css/optimized-css assets to uploads/ultracache so generated URLs match generated files.
- Prunes runtime font CSS map entries whose generated target CSS file is missing before printing frontend config.
- Saves the cleaned runtime font CSS map after stale targets are removed so frontend JS does not request missing CSS files.

= 2.59.06.01 =
- Removes the hidden Google Fonts manual-rebuild backoff bypass added in 2.59.06.
- Changes the Google Fonts write-failure retry guard to a visible short 10-15 second window.
- Persists Google Fonts failure details so diagnostics can show the actual failure reason instead of only failed counts.

= 2.59.06 =
- Restores uploads/ultracache generated-asset write/delete permissions in the guarded filesystem layer.
- Fixes Google Fonts/local font CSS generation paths that were blocked after generated assets moved under uploads/ultracache.
- Changes Speed Diagnostics loopback requests from profile-bypass to internal revalidate/force-refresh so timing breakdowns can be saved.
- Adds Google Fonts rebuild failure details to the diagnostics status when a stylesheet still cannot be generated.

= 2.59.04 =
- Replaces remaining page-cache storage writable checks with the WordPress-native UltraCache filesystem wrapper.
- Removes root-only review helper markdown files from the production package while keeping required source/build notes in readme.txt.
- Updates CSS rewrite map SQL table identifiers to use WordPress database identifier placeholders and updates tested metadata.

= 2.58.90.04 =
- Moves the Delayed JS loader from raw wp_head inline output to assets/js/delayed-js-loader.js.
- Enqueues the loader through wp_enqueue_scripts with WordPress-native script APIs.
- Passes the unified delayed-JS auto-start configuration through wp_add_inline_script() before the helper.

= 2.58.90.03.04 =
- Fixes Runtime/Console Scanner explicit `_ is not defined` handling so underscore can be suggested from actual page inventory.
- Deduplicates scanner suggestions that point to the same script by preferring exact path fragments over duplicate WordPress handles.
- Keeps provider/source suggestions in the same pass for both Browser Runtime Scanner and Extract Console Error Suggestions.

= 2.58.90.03.01 =
- Fixed Runtime/Console JS suggestion resolver for explicit missing globals such as "jQuery is not defined".
- Uses error source + active plugin/theme source-file evidence + final page script inventory to suggest the matching provider script only.
- Does not infer unrelated WordPress core dependencies; already protected failing sources remain marked separately from missing provider additions.

= 2.58.90.03 =
- Moved the Runtime JS Scan collector into assets/js/runtime-js-scan-collector.js.
- Enqueues the collector only for verified runtime scan requests through wp_enqueue_scripts.
- Passes scan configuration with wp_add_inline_script() before the helper and removes the old raw inline/wp_head/output-buffer scanner paths.

= 2.58.90.02.02 =
- Replaced the MailerLite helper loading path with a clean wp_enqueue_scripts implementation.
- Removed the MailerLite HTML rewrite insertion path and wp_print_scripts() usage.
- Keeps admin_url('admin-ajax.php') configuration through wp_add_inline_script() before the helper.

= 2.58.90.02.01 =
- Broadened MailerLite lazy nonce helper detection to include official plugin assets and MailerLite Universal markers.
- Preserves WordPress script API loading and admin_url('admin-ajax.php') endpoint handling.
- No changes to other frontend JavaScript helper migrations.

= 2.58.90.02 =
- Moved the MailerLite lazy nonce frontend helper into assets/js/mailerlite-lazy-nonce.js.
- Loads the helper through WordPress script registration/printing APIs with dynamic Ajax endpoint data.
- Kept the existing lazy nonce runtime behavior and admin_url('admin-ajax.php') endpoint handling.

= 2.58.90.01 =
- Added staged frontend JavaScript helper enqueue infrastructure and migration inventory.
- Added assets/js documentation placeholders for upcoming WordPress-registered helper files.
- No frontend helper runtime behavior changed in this stage.

= 2.58.83 =
- Evidence-based JS error scanner: source/stack/code-search findings are appendable, review-only scanner output removed, and hardcoded resolver flow disabled.

* Synced performance profiles with the unified delayed JS auto-start model.
* Renamed Safe Defer JS to Defer JS and Frontend JS & Request Chains to Frontend Javascript manipulation.
* Safe profile keeps all Frontend Javascript manipulation switches off.
* Balanced enables only the selected delayed JS features: safe third-party, non-critical/local, known functional third-party, and all third-party delay.
* Aggressive adds Delay all JS with a 0.05s unified fallback.
* Moved Delayed JS auto-start triggers into one dropdown and set all event triggers off by default.

2.58.76 - JS diagnostic queue DB compliance fix
- Replaced interpolated JS diagnostic queue table SQL with prepared identifier placeholders.
- Added targeted object-cache reads and invalidation for JS diagnostic queue job/status lookups.
- Kept JS diagnostic UI/runtime behavior unchanged.

2.58.75 - JS diagnostics spacing and label polish
- Adds 12px gaps to JS diagnostics action button rows.
- Adds 10px top spacing to Runtime Scan context, runtime action buttons, console action buttons, and runtime status message.
- Sets Page URL to scan and Console errors to analyze labels to 12px and #6f7b8f.

2.58.74 - Fixed JS diagnostics Browser Scanner / Console Error Handler two-column layout and title style consistency.
2.58.73 - Fixed JS diagnostics layout regression where Clear Console Input referenced a missing React handler.
2.58.72 - Reordered JS Delay/Defer diagnostics UI into exclusions, browser scanner, console handler, and shared queue status sections with improved runtime progress visibility.
2.58.71 - Removed borders from Advanced Settings mini action/diagnostic boxes and populate-warning notices for a cleaner UI.
2.58.70 - Fixed Advanced Settings & Exclusions layout so the five sections render as separate accordion card boxes instead of one shared wrapper.
2.58.69 - Advanced Settings accordion split and JS diagnostic result UI polish
- Adds a DB-backed JS diagnostic queue for browser runtime and pasted-console diagnostics.
- Adds queue start, pause, resume, cancel, progress, latest status, and stored result buckets.
- Stores Confirmed Error Fixes, Suggestions, Review Only, Already Listed, and Ignored buckets without auto-appending exclusions.

2.58.66 - Theme scan stage
- Adds a diagnostics-only Theme Scan Stage for unresolved runtime JS errors.
- Scans the active child theme first, then the parent theme, using guarded UltraCache file reads.
- Emits review-only exact theme JS candidates; Safe Defer toggle behavior is unchanged.

2.58.65 - Runtime error group resolver
- Added a Runtime Error Group Resolver for Safe Defer/Delay diagnostics.
- Maps failing console/stack source URLs to known plugin groups where confirmed, including WooCommerce Products Filter.
- Keeps MailerLite validation-messages.js as an exact confirmed source fix instead of a generic messages/global suggestion.
- Unknown plugin/theme source owners are review-only and are not appendable confirmed fixes.

2.58.64 - HTML adjacency resolver
- Added a final-HTML external-script plus immediate-inline dependency resolver for runtime/console JS diagnostics.
- Missing globals such as MailerLite messages now resolve to the adjacent provider script instead of a raw/global token.
- No auto-append, no generic dependency fallback, and no font-display changes.

2.58.63 - Safe Defer diagnostic fixes
- Runtime/console diagnostics no longer append broad generic dependency fixes such as jquery, jquery-core, wp-i18n, wp-hooks, wp-api-fetch, react, react-dom, or wp-element.
- Runtime diagnostics now keep WordPress/React foundation errors as exact resolved review-only candidates unless a specific plugin/script group is detected.
- Added specific confirmed resolver entries for WOOF/WooCommerce Products Filter and direct MailerLite validation-messages.js errors.
- Removed the browser-side console parser fallback from Extract Console Error Suggestions.
- Replaced the remaining aggressive-profile broad JS exclusion seed with the curated tested dependency path list.

2.58.62 - Safe Defer defaults cleanup
- Safe Defer JS now appends only curated WordPress foundation script paths.
- Removed broad generic dependency defaults from Append Tested Dependency Defaults.
- Removed the legacy Safe Defer init-script scan from the Safe Defer toggle and profile apply flow.

2.58.61 - Final font-display store-stage rewrite
- Runs linked stylesheet font-display normalization at the absolute cache-store finalizer and inside the write path, after CSS/JS/LCP transformations.
- Handles root-relative local stylesheet URLs before resolving source paths, so Elementor/theme/plugin font CSS can be rewritten to patched UltraCache CSS copies.
- Does not add new frontend debug markers.

2.58.60 - Final linked font-display normalization pass
- Restored a final source-level linked stylesheet font-display normalization pass after async CSS transforms so late/restored local font CSS links are rewritten to UltraCache patched copies.
- Keeps runtime CSSOM font-display patch as fallback only; primary fix is cached CSS href replacement.

= 2.58.60 =
* UI: align uc-field-label styling with switch title typography across Advanced Settings fields.

2.58.58 - Dropdown title style alignment
- Dropdown setting titles now use the same visual title styling as switch labels.

2.58.57 - JS strategy cleanup and APCu flush lock
- Removed Defer all eligible JS from the full-site strategy dropdown; full-site strategy is now Off or Delay all eligible JS.
- Renamed LCP Boundary Defer to LCP Boundary Delay in the dashboard UI.
- Replaced Delayed local JS auto-start mode/seconds fields with one dropdown: interaction only, 0.1, 0.5, and 1-9 seconds.
- Removed the Disabled auto-start option; use the full-site delay switch instead.
- Forced Also flush APCu ON when APCu is selected as the object cache backend, with updated UI text.

2.58.56 - Native defer inline externalization
- Defer all eligible JS now externalizes safe inline scripts into generated deferred cache files so inline companions keep DOM order with native deferred external scripts.
- Delay all eligible JS remains the separate delayed-loader strategy.

2.58.55 - JS full-site strategy dropdown and separated defer/delay all behavior
2.58.54 - Visible delayed local JS auto-start controls
- Added Advanced Settings & Exclusions controls for delayed local JS auto-start: interaction only, custom seconds, or disabled.
- Replaced the hardcoded 12s local delayed JS auto-start with saved visible settings.
- Kept uncapped parallel delayed JS loading, ordered execution, jQuery ready barrier, and Elementor lazy background helper.

2.58.53 - Uncapped parallel delayed JS load without preload
- Removed the hardcoded parallel group cap from the delayed JS loader.
- External delayed scripts now load in uncapped contiguous parallel groups when the delayed batch starts.
- Kept ordered DOM execution, jQuery ready barrier, Elementor lazy background helper, and no delayed-JS preload links.

2.58.52 - Parallel delayed JS load without preload
- Removed delayed JS preload-window link injection from 2.58.51.
- Added windowed parallel script insertion with ordered execution for delayed JS batches.
- Moved local delayed auto-start later so initial load is more interaction-first.

2.58.52 - Delayed JS preload window
- Added a bounded preload-ahead window for delayed local/all scripts to reduce one-by-one network waterfalls.
- Kept strict DOM-order execution and the jQuery ready barrier so dependency order remains protected.
- Kept the 2.58.50 Elementor lazy-background class helper and avoided the 2.58.49 faster-execute/preload regression.

2.58.50 - Elementor lazy background compatibility rollback
- Reverted the 2.58.49 faster-local-queue and Elementor background preload/reveal performance experiment.
- Kept the 2.58.48 jQuery ready barrier and JS diagnostics UI cleanup.
- Added a lightweight Elementor lazy-background class helper that reveals nearby containers without running Elementor JS earlier or preloading all backgrounds.

2.58.48 - Delayed JS ready barrier and diagnostics UI cleanup
- Added a delayed-JS jQuery ready barrier so local/all delayed batches hold jQuery ready callbacks until the delayed batch has finished in DOM order.
- Cleaned the JS Delay / Defer Exclusions controls: confusing append/scan/debug buttons were replaced with explicit Analyze, Runtime Scan, Append Confirmed Error Fixes, and Append Suggestions actions.
- Added visible explanations under each JS diagnostic/action button and removed the broad /wp-includes/js/ path from tested dependency defaults.

2.58.47 - Precise JS exclusion matching for Delay all JS
- Generic visible JS exclusions such as woocommerce no longer blind-match unrelated handles like googlesitekit-events-provider-woocommerce.
- WooCommerce exclusions are now path/exact-handle aware, so real WooCommerce assets remain protectable without blocking Site Kit providers.
- Auto init-scan output now rejects broad root tokens such as woocommerce, frontend, main, plugin, script, data, and params.

2.58.46 - Delay wins over native defer
- When Defer all JS is active, script_loader_tag no longer emits native defer for the remaining scripts.
- Force-defer rules are suppressed during the absolute delay-all final pass so delayed Site Kit dependencies cannot run after native-deferred dependents.
- The final ordered delayed queue remains the authoritative pass for all eligible external and inline scripts unless matched by visible JS exclusions.

2.58.45 - Absolute Delay All JS rule
- Defer all JS now converts every delayable external and inline script into the ordered delayed layer unless matched by unified JS exclusions.
- Existing delayed scripts are normalized into the same all-js delayed queue so local and third-party pieces do not split execution order.
- Unified exclusions remain authoritative for whole WordPress script groups.

2.58.42 - JS exclusion and script group regression fix
- Treat the unified JS Delay / Defer Exclusions list as the authoritative exclusion source across defer, delay, non-critical delay, and LCP boundary paths.
- Normalize WordPress script group handles so one base-handle exclusion protects related js-before, js, js-after, js-extra, and translations companions.
- Avoid splitting WordPress script groups at script_loader_tag time when inline companions are registered.

2.58.40 - Targeted final validation fixes
- CLI warm_frontpage_html_css now warms HTML-only with success when CSS Bundling is disabled instead of failing on missing bundle injection.
- APCu object-cache CLI flush message now clarifies PHP-process scope and PHP-FPM/web APCu limitations.
- Varnish purge coordination now records/warns when Varnish is enabled but Flush All Include Varnish is OFF, avoiding misleading full-purge feedback.

2.58.39 - Final WordPress.org package
- Final submission package metadata refresh.
- Verified no remote asset enqueue, no wp_localize_script usage, no global ob_start usage, and no unexpected direct wp_remote_* calls beyond guarded infrastructure wrappers.
- Removed one frontend console warning from a MailerLite nonce fallback failure path.
- No runtime feature behavior changes.

2.58.38 - Escaping / returned HTML audit
- Added a shared inline-script JSON encoder that applies JSON_HEX_* flags for script-safe JSON literals.
- Updated runtime font map, speculation rules, runtime JS scan collector, and SR7/LCP selector inline scripts to use script-safe JSON output.
- Escaped the fallback LCP image preload href before injecting the generated link tag.

2.58.37 - Final regex review pass
- Switched font/local stylesheet scanners to WP_HTML_Tag_Processor.
- Removed legacy async CSS link rewrite regex fallbacks and moved noscript fallback insertion to the HTML API path.
- Kept CSS text parsing regexes such as @font-face, url(), and @import unchanged.

2.58.36 - Admin enqueue modernization
- Updated the UltraCache admin dashboard script enqueue to use the WordPress 6.3+ args array with in_footer => true.
- Kept admin script execution behavior unchanged and did not add a script loading strategy.

2.58.35 - CSS bundle scanner HTML API
- Switched CSS bundle stylesheet discovery to WP_HTML_Tag_Processor for head/link scanning.
- Kept the existing stylesheet eligibility rules and bundle build behavior unchanged.
- Removed the remaining CSS bundle link-scan regex path from the warm verification counter.

2.58.34 - Final submission metadata cleanup
- Refreshed plugin/readme/README/POT version metadata for the final review package.
- Normalized the GPLv2 license URI between the plugin header and readme.

2.58.33 - HTTP wrapper URL normalization revert
- Reverted esc_url_raw() normalization in the general UltraCache safe HTTP wrapper after it correlated with bypassing frontend optimization output.
- Kept WordPress safe HTTP transport, reject_unsafe_urls, bounded timeout/redirection, and the infrastructure wrapper PHPCS rationale.
- No HTML, CSS, JavaScript, media, settings, or REST parser behavior changes.

2.58.30 - Final technical dead-code cleanup
- Removed unused private helpers left behind by recent HTML API, font, CSS, JS, LCP, and media refactors.
- Cleaned the recent changelog entries for the 2.58.24-2.58.29 cleanup sequence.
- No runtime feature behavior changes intended.

2.58.29 - Font/Icon scan suspicious candidate cleanup
- Filter suspicious encoded/random-looking font-family candidates from Font/Icon scan results.
- Keep real icon/font family names such as Font Awesome, eicons, feather, swiper-icons, and theme icon fonts.

2.58.28 - Safe Defer / scan HTML API cleanup
- Switched Safe Defer front-page script scanner to WP_HTML_Tag_Processor.
- Switched runtime JS inventory scan to WP_HTML_Tag_Processor.
- Switched front-page font scan style/link discovery to WP_HTML_Tag_Processor.
- Removed legacy regex attribute extraction helpers from those scanner paths.

2.58.27 - Image/dimension HTML API cleanup
- Use WP_HTML_Tag_Processor by default for Safe CLS image dimension injection.
- Remove the regex fallback from Safe CLS image width/height injection.
- Remove the regex fallback from lazy-load/async image attribute mutation.

2.58.26 - Admin settings FIFO cleanup
- Removed stale pending settings/debounce refs from the old save model.
- Kept scoped settings save/apply behavior and the current UI FIFO flow.

2.58.25 - Delayed font noscript fallback cleanup
- Prevent Safe Async CSS processing from re-wrapping existing noscript fallback links.
- Keep delayed icon-font noscript fallbacks clean without nested noscript tags.

2.58.24 - Leftover CSS HTML API cleanup
- Converted leftover CSS stylesheet consolidation from offset/substr HTML rebuilding to WP_HTML_Tag_Processor attribute mutation.
- Kept source stylesheet consolidation scoped to the existing leftover CSS bundle path with no regex replacement fallback.

2.58.23 - Google Fonts live output cleanup
- Run Google Fonts HTML API cleanup through the WordPress template enhancement output buffer for bypass/uncached responses.
- Keep wp_resource_hints source filtering and avoid regex fallbacks.

2.58.22 - Google Fonts resource hints source filter
- Added wp_resource_hints filtering for Google Fonts dns-prefetch/preconnect hints when Local Google Fonts Optimization is enabled.
- Kept HTML API cleanup for manually injected Google Fonts hint links.

2.58.21 - Font stylesheet link HTML API cleanup
- Removed regex fallback mutation for Google Fonts stylesheet link href rewrites.
- Neutralized remote Google Fonts resource hints with WP_HTML_Tag_Processor attribute mutation instead of regex tag removal.
- Removed regex fallback mutation for self-hosted font CSS link and font-display normalized stylesheet link rewrites.

2.58.20 - LCP/preload/image HTML API cleanup
- Removed the regex fallback from the LCP image candidate optimization path.
- Existing LCP preload link normalization now uses WP_HTML_Tag_Processor only.
- UltraCache-managed ambiguous/duplicate LCP preloads are neutralized with HTML API attribute mutation instead of regex removal.

2.58.19 - Media filtered-content HTML API cleanup
- Removed the regex fallback from WordPress content/block image URL rewrite callbacks.
- Filtered content image URL rewriting now uses WP_HTML_Tag_Processor directly under the WordPress 6.9+ baseline.
- Left full-page media URL token discovery and CSS url() parsing unchanged for later focused cleanup.

2.58.18 - Script delay HTML API cleanup
- Switched the full HTML script delay/wrap application path to WP_HTML_Tag_Processor.
- Removed the offset/substr assembly path for applying already-decided delayed script replacements.
- Left script selection logic and unrelated optimization paths unchanged.

2.58.17 - JS script loading attribute HTML API cleanup
- Switched the Defer All JS script loading attribute mutation path to WP_HTML_Tag_Processor.
- Removed the regex fallback from protected script loading attribute normalization.
- Left full script tag replacement/delay wrapping paths unchanged for later focused cleanup.

2.58.16 - HTML attribute helper cleanup
- Removed regex fallback mutation from the shared HTML tag attribute helpers.
- Shared attribute add/remove operations now use the WordPress HTML API path and leave the tag unchanged if the processor cannot safely update it.

2.58.14 - Move CSS bundle cached-HTML stylesheet replacement to the WordPress HTML API without regex fallback.
2.58.13 - Hide recovered noisy REST output details from the admin UI while keeping resilient JSON recovery.
2.58.12 - Add resilient REST response parser for noisy admin REST responses

2.58.11 - Remove REST output buffer guard
- Removed the UltraCache REST bootstrap output buffer and the matching rest_pre_serve_request discard filter to avoid unclosed ob_start review risk.

2.58.10 - Profile toggle enforcement
- Fixed profile application so Pre-render on Save and Stale While Revalidate are no longer stripped from profile saves.
- Added Enable Debug to the profile-managed off state so All Off turns debug headers off.
- Kept Pre-render on Save and Stale While Revalidate enabled for Safe, Balanced, and Aggressive profiles.

2.58.09 - Safe loopback request for JS inventory scan
- Routed the runtime JS inventory scan through the shared UltraCache safe loopback request helper.
- Kept JS inventory scan requests on the same trusted same-site URL policy, SSL fallback reporting, and debug logging used by other internal scans.

2.58.08 - Admin runtime config inline script
- Replaced the admin dashboard ultracacheData runtime config use of wp_localize_script with wp_add_inline_script and wp_json_encode before the module script.
- Kept wp_set_script_translations dedicated to dashboard translation loading.

2.58.07 - REST output guard for dashboard batch jobs
- Protected UltraCache REST JSON responses from third-party PHP notices or warnings printed before the JSON payload.
- Made dashboard REST parsing fail with a clear invalid JSON or empty response error instead of returning null to warm-up and media queue jobs.
- Kept batch response normalization strict so invalid REST payloads no longer surface as unrelated processed-property crashes.
- Raised plugin metadata to PHP 8.1+ while keeping WordPress 6.9+ as the target.

2.58.06 - Settings save FIFO and scoped response apply
- Scoped dashboard settings responses to the keys saved by each switch, dropdown, or form so unrelated UI state is not rolled back by later saves.
- Routed profile follow-up saves for object-cache autodetect and Safe Defer JS scans through the same patch-scoped settings save path.
- Removed changelog content from the readme files so changelog entries live only in changelog.txt.

2.58.05 - WordPress.org escaping and external services documentation cleanup
- Routed WordPress content/block media rewrites through a context-aware callback with escaped rewritten attributes.
- Updated External services documentation for Google Fonts, third-party optimization patterns, Varnish/reverse proxy endpoints, and PayPal links.

2.58.04 - Translator comment cleanup for Plugin Check i18n placeholders
- Added missing translator comments for placeholder-based i18n strings reported by Plugin Check.
- Refreshed the POT template header for 2.58.04.

2.58.03 - Full i18n pass and localization template refresh
- Expanded PHP and admin dashboard JavaScript i18n coverage for user-facing text.
- Kept commands, paths, keys, statuses, handles, and executable snippets untranslated.
- Refreshed the POT template.

2.58.02 - Repository localization cleanup
- Replaced direct unsafe loopback SSL bypass requests with the UltraCache safe loopback helper.
- Added admin JavaScript i18n setup and generated the UltraCache POT template.
- Added a first PHP i18n pass for REST/admin-facing messages.

2.58.01 - Initial public release
- Initial public release build.
