Text review and update for minimum WordPress version from 6.6 to 6.8 across all relevant files and documentation, ensuring consistency with the plugin's stated requirements and compatibility testing.

Author: PDowney

.gitattributes

@@ -0,0 +1,2 @@
+# Keep repository text files normalized to LF across platforms.
+* text=auto eol=lf

.github/ISSUE_TEMPLATE/vip-phpcs-failure.md

@@ -1,71 +1,71 @@
----
-title: WordPress VIP Coding Standards Failure - PHP ${{ env.PHP_VERSION }}
-labels: ['vip-standards', 'coding-standards', 'needs-review', 'php-${{ env.PHP_VERSION }}']
-assignees: []
----
-
-## WordPress VIP Coding Standards Failure
-
-**PHP Version:** ${{ env.PHP_VERSION }}
-**Run ID:** ${{ env.RUN_ID }}
-**Workflow:** [View Failed Run](${{ env.WORKFLOW_URL }})
-
-### Issue Description
-
-The WordPress VIP coding standards check has failed during the automated workflow. This scan specifically checks for enterprise-level WordPress development standards required for WordPress VIP platform compatibility.
-
-### VIP Standards Focus Areas
-
-The WordPress VIP Go coding standards check for:
-
-🏢 **Enterprise Platform Requirements:**
-- File system operation restrictions (VIP platform limitations)
-- Performance and caching best practices for high-traffic sites
-- Security vulnerabilities specific to enterprise WordPress environments
-- User experience guidelines for enterprise-level WordPress
-
-🚀 **Performance & Caching:**
-- Uncached function usage patterns
-- Database query optimization
-- Remote data fetching best practices
-- Resource-heavy operation detection
-
-🔒 **VIP-Specific Security:**
-- File operation security in restricted environments
-- Admin bar removal restrictions for VIP support users
-- Cookie and caching constraint validations
-- Restricted function usage for platform stability
-
-### Important Notes
-
-⚠️ **VIP Standards Context:**
-- Many VIP standards are specific to the WordPress VIP hosting platform
-- Not all VIP recommendations may apply to standard WordPress installations
-- Some restrictions are platform-specific (e.g., file system limitations)
-- This scan helps ensure compatibility with enterprise WordPress environments
-
-### Next Steps
-
-1. **Review the workflow logs** to identify specific VIP standard violations
-2. **Evaluate applicability** - determine which issues apply to your hosting environment
-3. **Prioritize fixes** based on your deployment target:
-   - **High Priority:** Security and performance issues
-   - **Medium Priority:** General code quality improvements
-   - **Low Priority:** VIP platform-specific restrictions (if not targeting VIP)
-4. **Update code** to address applicable VIP standard violations
-5. **Re-run the workflow** to verify fixes
-
-### Resources
-
-- [WordPress VIP Code Quality Standards](https://docs.wpvip.com/technical-references/code-quality-and-best-practices/)
-- [VIP Coding Standards GitHub](https://github.com/Automattic/VIP-Coding-Standards)
-- [WordPress VIP Platform Documentation](https://docs.wpvip.com/)
-- [VIP Go File System Documentation](https://docs.wpvip.com/technical-references/vip-go-files-system/)
-
-### Workflow Information
-
-**Failed Workflow Run:** [View Details](${{ env.WORKFLOW_URL }})
-**PHP Version Tested:** ${{ env.PHP_VERSION }}
-**Standards Used:** WordPress-VIP-Go ruleset
-
-This issue was automatically created when the WordPress VIP coding standards check failed. Please review the specific violations in the workflow logs and address them according to your project's deployment requirements.
+---
+title: WordPress VIP Coding Standards Failure - PHP ${{ env.PHP_VERSION }}
+labels: ['vip-standards', 'coding-standards', 'needs-review', 'php-${{ env.PHP_VERSION }}']
+assignees: []
+---
+
+## WordPress VIP Coding Standards Failure
+
+**PHP Version:** ${{ env.PHP_VERSION }}
+**Run ID:** ${{ env.RUN_ID }}
+**Workflow:** [View Failed Run](${{ env.WORKFLOW_URL }})
+
+### Issue Description
+
+The WordPress VIP coding standards check has failed during the automated workflow. This scan specifically checks for enterprise-level WordPress development standards required for WordPress VIP platform compatibility.
+
+### VIP Standards Focus Areas
+
+The WordPress VIP Go coding standards check for:
+
+🏢 **Enterprise Platform Requirements:**
+- File system operation restrictions (VIP platform limitations)
+- Performance and caching best practices for high-traffic sites
+- Security vulnerabilities specific to enterprise WordPress environments
+- User experience guidelines for enterprise-level WordPress
+
+🚀 **Performance & Caching:**
+- Uncached function usage patterns
+- Database query optimization
+- Remote data fetching best practices
+- Resource-heavy operation detection
+
+🔒 **VIP-Specific Security:**
+- File operation security in restricted environments
+- Admin bar removal restrictions for VIP support users
+- Cookie and caching constraint validations
+- Restricted function usage for platform stability
+
+### Important Notes
+
+⚠️ **VIP Standards Context:**
+- Many VIP standards are specific to the WordPress VIP hosting platform
+- Not all VIP recommendations may apply to standard WordPress installations
+- Some restrictions are platform-specific (e.g., file system limitations)
+- This scan helps ensure compatibility with enterprise WordPress environments
+
+### Next Steps
+
+1. **Review the workflow logs** to identify specific VIP standard violations
+2. **Evaluate applicability** - determine which issues apply to your hosting environment
+3. **Prioritize fixes** based on your deployment target:
+   - **High Priority:** Security and performance issues
+   - **Medium Priority:** General code quality improvements
+   - **Low Priority:** VIP platform-specific restrictions (if not targeting VIP)
+4. **Update code** to address applicable VIP standard violations
+5. **Re-run the workflow** to verify fixes
+
+### Resources
+
+- [WordPress VIP Code Quality Standards](https://docs.wpvip.com/technical-references/code-quality-and-best-practices/)
+- [VIP Coding Standards GitHub](https://github.com/Automattic/VIP-Coding-Standards)
+- [WordPress VIP Platform Documentation](https://docs.wpvip.com/)
+- [VIP Go File System Documentation](https://docs.wpvip.com/technical-references/vip-go-files-system/)
+
+### Workflow Information
+
+**Failed Workflow Run:** [View Details](${{ env.WORKFLOW_URL }})
+**PHP Version Tested:** ${{ env.PHP_VERSION }}
+**Standards Used:** WordPress-VIP-Go ruleset
+
+This issue was automatically created when the WordPress VIP coding standards check failed. Please review the specific violations in the workflow logs and address them according to your project's deployment requirements.

.github/copilot-instructions.md

@@ -7,7 +7,7 @@ applyTo: '**'
 ## Project Context
 
 - **Plugin:** EngineScript Site Exporter (WordPress site export/backup plugin)
-- **WordPress:** 6.6+ minimum
+- **WordPress:** 6.8+ minimum
 - **PHP:** 7.4+ minimum (use typed parameters, return types, short arrays `[]`, null coalescing `??=`)
 - **License:** GPL-3.0-or-later
 - **Text Domain:** `enginescript-site-exporter`

.github/workflows/new-pull-request.yml

@@ -23,7 +23,7 @@ jobs:
             Thanks for contributing to EngineScript Site Exporter! 🎉
 
             **Before we review:**
-            - [ ] Have you tested your changes with WordPress 6.6+?
+            - [ ] Have you tested your changes with WordPress 6.8+?
             - [ ] Are your changes compatible with PHP 7.4+?
             - [ ] Have you followed WordPress coding standards?
             - [ ] Did you update the CHANGELOG.md if needed?

.github/workflows/wp-compatibility-test.yml

@@ -3,7 +3,7 @@
 # - WordPress Plugin Check for WordPress.org compatibility
 # - PHPUnit tests across PHP versions (7.4/8.0: PHPUnit 9+polyfills2; 8.1: PHPUnit 9+polyfills4; 8.2: PHPUnit 11+polyfills4; 8.3: PHPUnit 12+polyfills4)
 # - PHP compatibility testing across multiple PHP versions (7.4, 8.0, 8.3, 8.4, 8.5)
-# - WordPress compatibility testing across multiple WP versions (6.6, latest, nightly)
+# - WordPress compatibility testing across multiple WP versions (6.8, latest, nightly)
 # - PHPStan static analysis for WordPress-specific code quality
 # - WordPress security vulnerability scanning using pattern analysis
 # - PHPCS code standards validation for WordPress coding standards
@@ -588,7 +588,7 @@ jobs:
     strategy:
       matrix:
         php-version: ['7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5']
-        wp-version: ['6.6', 'latest', 'nightly']
+        wp-version: ['6.8', 'latest', 'nightly']
       fail-fast: false
 
     services:
@@ -806,7 +806,7 @@ jobs:
                   $this->assertNotEmpty($wp_version, 'WordPress version should be available');
                   
                   // Test that we're running on a supported WordPress version
-                  $min_wp_version = '6.6';
+                  $min_wp_version = '6.8';
                   $this->assertTrue(version_compare($wp_version, $min_wp_version, '>='), 
                       "WordPress version {$wp_version} should be >= {$min_wp_version}");
               }

CHANGELOG.md

@@ -10,6 +10,12 @@
 - **SSRF Hardening**: File download functions now use `realpath()`-resolved paths for all filesystem operations (`readfile()`, `is_readable()`, `is_file()`), preventing TOCTOU and SSRF attack vectors. `sse_validate_file_output_security()` now returns the resolved path for direct use.
 - **CSP Compliance**: Replaced inline `onclick` JavaScript handler with external `js/admin.js` file to comply with Content Security Policy headers and prevent inline script execution risks.
 - **Upload Directory Validation**: Added `wp_upload_dir()` error key check alongside the existing `basedir` empty check, preventing silent failures on misconfigured hosts.
+- **Scheduled Cleanup Hardening**: Scheduled export deletion now deletes only the validated export directory path rather than the raw cron argument.
+- **Symlink Export Hardening**: WordPress file archive creation now skips symbolic links and verifies resolved paths stay within the WordPress root before adding them.
+- **WP-CLI Path Hardening**: Removed PATH lookup for WP-CLI and now only executes WP-CLI from explicit allowed locations.
+- **Download Boundary Hardening**: Final download path validation now uses normalized trailing-slash directory containment checks.
+- **Destructive Action Hardening**: Manual export deletion now uses POST with nonce verification instead of a GET link.
+- **Extension Policy Tightening**: Export download validation now allows only `.zip` files.
 
 ### Bug Fixes
 
@@ -18,16 +24,16 @@
 - **phpcs Suppression**: Removed unnecessary `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` comment on a line already properly escaped with `esc_html()`.
 - **GEMINI.md Accuracy**: Updated WP-CLI Integration section to reflect that WP-CLI is a required dependency (returns `WP_Error` if unavailable), replacing outdated "graceful fallback" language.
 - **WP-CLI Language**: Updated README.md and readme.txt from "when available" to "Requires WP-CLI" to match v2.0.0 behavior.
-- **phpcs WP Version**: Corrected `minimum_supported_wp_version` in phpcs.xml from `6.8` to `6.5` to match the plugin header `Requires at least` value.
 
 ### Architecture
 
+- **EngineScript Archive Format**: Updated exports to match the canonical EngineScript combined site archive: outer ZIP named `<site>_enginescript_site_export_<timestamp>.zip`, root `manifest.txt`, `database/<site>_db_<timestamp>.sql.gz`, and `files/<site>_files_<timestamp>.tar.gz`.
 - **File Splitting**: Split monolithic `enginescript-site-exporter.php` (~1,400 lines) into a 112-line bootstrap file plus 7 focused include files under `includes/`: `helpers.php`, `security.php`, `admin-page.php`, `export.php`, `archive.php`, `cleanup.php`, `download.php`. Each file is guarded by `ABSPATH` check.
 - **Plugin File Constant**: Added `SSE_PLUGIN_FILE` constant defined as `__FILE__` in bootstrap, used by `includes/admin-page.php` for `plugin_dir_url()` calls since `__FILE__` resolves to the include path, not the plugin root.
 - **Filter Name Constant**: Replaced hardcoded `'sse_max_file_size_for_export'` filter name string with `SSE_FILTER_MAX_FILE_SIZE` constant for discoverability.
 - **Shell Output Sanitization**: Added `sanitize_text_field()` to WP-CLI error output in `sse_export_database()` for defense-in-depth.
-- **Explicit Null Return**: Added explicit `return null;` to `sse_process_file_for_zip()` to match PHPDoc return type `true|null`.
-- **RuntimeException Catch**: Changed `sse_add_wordpress_files_to_zip()` to catch `RuntimeException` specifically before generic `Exception` fallback.
+- **Explicit Null Return**: Added explicit `return null;` to `sse_process_file_for_tar()` to match PHPDoc return type `true|null`.
+- **RuntimeException Catch**: Changed `sse_add_wordpress_files_to_tar()` to catch `RuntimeException` specifically before generic `Exception` fallback.
 - **DirectoryIterator**: Replaced `scandir()` with `DirectoryIterator` in `sse_bulk_cleanup_exports_handler()` for more efficient file iteration.
 - **PHPStan Level Increase**: Increased PHPStan analysis level from 5 to 6, added `includes/` directory to scan paths.
 - **Inline CSS Removal**: Extracted 7 inline `style` attributes from admin page and success notice into dedicated `css/admin.css` file with semantic CSS classes (`sse-section-spacing`, `sse-form-table`, `sse-warning-text`, `sse-action-button`).
@@ -42,7 +48,6 @@
 - **Dead Code Removal**: Removed no-op `sse_prepare_execution_environment()` function and its call from the export flow.
 - **Debug Code Removal**: Removed `sse_test_cron_scheduling()` debug function that created/verified/removed a test cron event on every export — no longer needed after v2.0.0 cron fixes.
 - **Cron Logging Reduction**: Reduced cron scheduling functions from 5+ log entries each to 2 (success/failure), keeping `DISABLE_WP_CRON` diagnostic on failure only.
-- **ROADMAP**: Created `ROADMAP.md` documenting prioritized bug fixes, security hardening, and improvement opportunities from second-pass code review.
 
 ### PHP 7.4 Modernization