# Changelog

## Phase 5 Device Authorization Server — 2026-05-11

### Added

- Added `vectra_sync_sessions` migration for account/device authorization session state.
- Added `sync_start.php` for unauthenticated, rate-limited sync session creation.
- Added `sync_poll.php` for device-code authenticated polling and deterministic single-use license issuance.
- Added `sync_approve.php` for WordPress server-to-server approval/denial using HMAC-SHA256 over `timestamp + "." + raw_json_body`.
- Added `lib/vectra_sync_session.php` with:
  - CSPRNG `deviceCode` generation.
  - 40-bit human `userCode` generation using the approved 32-character alphabet.
  - HMAC-hashed device codes, user codes, approval nonces, IPs, machine fingerprints, and license fingerprints.
  - Active pending user-code collision retry with transactional `FOR UPDATE` checks.
  - Timestamp freshness, key ID lookup, issuer/audience/scope validation, nonce replay prevention, and constant-time signature comparison.
  - Failed approval attempt limits and denial after threshold.
  - Pending → approved → completed state transitions.
  - Poll interval enforcement and completed-session non-regeneration behavior.
  - Opportunistic expiry/retention cleanup and immediate removal of full machine fingerprint JSON on terminal states.
- Added fixture test coverage in `tests/test_phase5_device_authorization_fixtures.py`.
- Added deployment documentation in `docs_phase5_device_authorization_deploy.md` and `README_DEPLOY.md`.
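As an added illustration of the checks listed above (not code from the project; `sync_approve.php` and `lib/vectra_sync_session.php` are PHP, and this is a stand-alone Python sketch in the style of the fixture tests), the block below shows the order of operations a verifier for the server-to-server approval message follows: timestamp freshness, key ID lookup, HMAC-SHA256 over `timestamp + "." + raw_json_body`, constant-time signature comparison, and only then JSON parsing, issuer/audience/scope validation and nonce replay rejection. It also shows 40-bit `userCode` generation from a 32-character alphabet. The alphabet, the 300-second skew window, the issuer/audience/scope values, the in-memory nonce set (the project persists session state in `vectra_sync_sessions`) and the sample secret are all constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the page only says "the approved 32-character alphabet"; this
# Crockford-style set (digits plus letters without I, L, O, U) is a placeholder.
USER_CODE_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
USER_CODE_LENGTH = 8                 # 8 symbols * log2(32) bits = 40 bits
MAX_CLOCK_SKEW_SECONDS = 300         # assumed freshness window
EXPECTED_ISSUER = "wordpress-approver"   # assumed value
EXPECTED_AUDIENCE = "vectra-sync"        # assumed value
ALLOWED_SCOPES = {"device:approve", "device:deny"}  # assumed values


def generate_user_code() -> str:
    """40-bit human-typeable code: 8 symbols drawn from a 32-symbol alphabet via a CSPRNG."""
    return "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))


def generate_device_code() -> str:
    """Opaque, CSPRNG-generated device code (256 bits of entropy)."""
    return secrets.token_urlsafe(32)


def hash_for_storage(pepper: bytes, value: str) -> str:
    """Store HMAC digests of codes/nonces instead of plaintext so a DB read cannot replay them."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_approval(key: bytes, timestamp: str, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes of timestamp + "." + raw JSON body."""
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class ApprovalVerifier:
    """Receiver side of the approval/denial message; keyring maps key ID -> shared secret."""

    def __init__(self, keyring: dict, now=time.time):
        self.keyring = keyring
        self.now = now                 # injectable clock so tests are deterministic
        self.seen_nonces: set = set()  # assumption: the project keeps this in the DB

    def verify(self, key_id: str, timestamp: str, signature: str, raw_body: bytes):
        # 1. Timestamp freshness, checked on the transmitted string before any crypto.
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "bad_timestamp"
        if abs(self.now() - ts) > MAX_CLOCK_SKEW_SECONDS:
            return False, "stale_timestamp"

        # 2. Key ID lookup; unknown IDs fail closed.
        key = self.keyring.get(key_id)
        if key is None:
            return False, "unknown_key_id"

        # 3. Recompute the MAC over the raw bytes and compare in constant time.
        expected = sign_approval(key, timestamp, raw_body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad_signature"

        # 4. Only authenticated bytes are parsed; then validate claims.
        try:
            body = json.loads(raw_body)
        except ValueError:
            return False, "bad_json"
        if body.get("iss") != EXPECTED_ISSUER:
            return False, "bad_issuer"
        if body.get("aud") != EXPECTED_AUDIENCE:
            return False, "bad_audience"
        if body.get("scope") not in ALLOWED_SCOPES:
            return False, "bad_scope"

        # 5. Nonce replay prevention: each approval nonce is accepted once.
        nonce = body.get("nonce")
        if not isinstance(nonce, str) or not nonce:
            return False, "missing_nonce"
        if nonce in self.seen_nonces:
            return False, "replayed_nonce"
        self.seen_nonces.add(nonce)
        return True, body


if __name__ == "__main__":
    # Constructed demo: one valid message, then the same message replayed.
    key = b"constructed-shared-secret"
    verifier = ApprovalVerifier({"k1": key}, now=lambda: 1700000000)
    body = json.dumps({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "scope": "device:approve", "nonce": "n-001",
                       "deviceCode": generate_device_code()}).encode()
    sig = sign_approval(key, "1700000000", body)
    print(verifier.verify("k1", "1700000000", sig, body))   # (True, {...})
    print(verifier.verify("k1", "1700000000", sig, body))   # (False, 'replayed_nonce')
    print(generate_user_code())
```

Signing the transmitted timestamp string rather than a re-serialized integer matters: any canonicalization on the receiver (leading zeros, whitespace) would break the MAC, so the verifier keeps the bytes exactly as received and checks freshness on a parsed copy.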

### Changed

- Extended `config/vectra_bootstrap.php` to read Phase 5 sync/approval configuration from environment variables.
- Extended `config/vectra_env.php` sample config with Phase 5 sync session settings.
- Updated `htaccess` with friendly routes for the Phase 5 endpoints.

### Preserved

- Phase 4 `license_refresh.php` remains unchanged.
- Manual `wpClaimToken` refresh fallback remains available.
- Free baseline assertion and Standard/Deluxe entitlement derivation reuse the accepted Phase 4 logic.
- Legacy activation endpoints are not wired to Phase 5 and remain non-mutating for tokenless legacy activation.
- No OAuth/OIDC, username/password login, read-path flip, `live_enabled`, historical backfill, subscription logic, or public add-on catalog was implemented.
