0.4.0: opt-in decision logging #3

Merged: oxyc merged 1 commit into main from feat/logging, Jun 2, 2026

@oxyc oxyc commented Jun 2, 2026

Summary

Adds an opt-in Debug logging toggle so each protection decision can be verified through the logs — requested for confirming behaviour on staging/production.

When on, every decision writes one greppable line to the PHP error log:

[gravityforms-altcha] altcha: fail {"form":43,"reason":"replay"}
[gravityforms-altcha] rate_limit: blocked {"form":12}
[gravityforms-altcha] content_filter: spam {"form":7,"score":3,"signals":["keyword"]}
[gravityforms-altcha] email_validation: blocked {"form":7,"status":"undeliverable","disposable":false,"reason":"rejected_email","domain":"example.com"}
  • Events: altcha (pass/fail + reason missing/invalid/replay), rate_limit (pass/blocked), content_filter (pass/spam + score + signals), email_validation (allowed/blocked + status/disposable/reason/domain).
  • Off by default. Toggle under Forms → Settings → ALTCHA, or force via the genero/gravityforms_altcha/logging filter.
  • Routable: every record fires a genero/gravityforms_altcha/log action (Sentry, Query Monitor, …); a default listener writes the error-log line and can be removed.
  • Privacy-safe: IPs only as a salted hash, emails as the domain only — never raw (consistent with the GDPR posture).

SpamFilter::contentReport() now exposes the score + signal names (used by both the spam decision and the logs).

Tests

  • New unit (Logger::format, contentReport signals, emailDomain) + mocked (Logger::record fires/suppresses the action) tests. 56 unit+mocked tests green on PHP 8.2–8.4. Verified end-to-end on DDEV.

Bumps to 0.4.0.

🤖 Generated with Claude Code

Adds a "Debug logging" toggle that records each protection decision so behaviour
can be verified through the logs:

- altcha: pass | fail (reason: missing/invalid/replay)
- rate_limit: pass | blocked
- content_filter: pass | spam (with score + which signals fired)
- email_validation: allowed | blocked (status, disposable, reason, domain)

Off by default. Every decision fires a `genero/gravityforms_altcha/log` action
(routable to Sentry/Query Monitor/etc.); a default listener writes a greppable
line to the PHP error log. Privacy-safe: IPs only as a salted hash, emails as
the domain only — never raw. SpamFilter::contentReport now exposes the score and
signal names for the logs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oxyc oxyc merged commit a2e262e into main Jun 2, 2026
5 checks passed
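
A log audit for the line format shown in the PR description, as an added example (not code from this pull request or the plugin): it parses each `[gravityforms-altcha]` line, tallies decisions per form, and flags context values that look like a raw IP or e-mail address, which the description says should never appear. The timestamp prefix, the `looks_raw` heuristic and all function names are assumptions of this example.

```python
import ipaddress
import json
import re
from collections import Counter

# Events and outcomes as listed in the PR description.
OUTCOMES = {"altcha": {"pass", "fail"}, "rate_limit": {"pass", "blocked"},
            "content_filter": {"pass", "spam"}, "email_validation": {"allowed", "blocked"}}
# search(), not match(): the PHP error log normally prepends a timestamp.
LINE = re.compile(r"\[gravityforms-altcha\] (\w+): (\w+) (\{.*\})\s*$")
# Constructed sample: the timestamp prefix and the last two lines are made up.
SAMPLE = [
    '[02-Jun-2026 10:00:00 UTC] [gravityforms-altcha] altcha: fail {"form":43,"reason":"replay"}',
    '[gravityforms-altcha] rate_limit: blocked {"form":12}',
    '[gravityforms-altcha] email_validation: blocked {"form":7,"domain":"a@example.com"}',
    'PHP Warning:  unrelated line',
]


def parse_line(line):
    """Return (event, outcome, context), or None for foreign/malformed lines."""
    m = LINE.search(line)
    if not m or m.group(2) not in OUTCOMES.get(m.group(1), ()):
        return None
    try:
        context = json.loads(m.group(3))
    except json.JSONDecodeError:
        return None
    return (m.group(1), m.group(2), context) if isinstance(context, dict) else None


def looks_raw(value):
    """True if a logged value is a raw IP address or contains an e-mail '@'."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "@" in value
    return True


def audit(lines):
    """Tally decisions per (form, event, outcome); list fields that look raw."""
    tally, leaks = Counter(), []
    for event, outcome, ctx in filter(None, map(parse_line, lines)):
        tally[(ctx.get("form"), event, outcome)] += 1
        leaks += [(event, key) for key, val in ctx.items() if looks_raw(val)]
    return tally, leaks
```

Calling `audit(open(path))` on an error log returns the per-form tally plus a list of `(event, field)` pairs to investigate; an empty list is what the privacy claim predicts.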