Releases: generoi/gravityforms-altcha

v0.4.0

02 Jun 17:39

Opt-in decision logging

Adds a Debug logging toggle (Forms → Settings → ALTCHA, off by default) that records every protection decision so behaviour can be verified through the logs:

```
[gravityforms-altcha] altcha: fail {"form":43,"reason":"replay"}
[gravityforms-altcha] rate_limit: blocked {"form":12}
[gravityforms-altcha] content_filter: spam {"form":7,"score":3,"signals":["keyword"]}
[gravityforms-altcha] email_validation: blocked {"form":7,"status":"undeliverable","domain":"example.com"}
```

  • Covers ALTCHA (pass/fail + reason), rate limiting, content filtering (score + signals), and email validation.
  • Privacy-safe: IPs only as a salted hash, emails as the domain only — never raw.
  • Routable via the genero/gravityforms_altcha/log action (Sentry, Query Monitor); genero/gravityforms_altcha/logging filter to force on/off.

See #3.
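
An added example, not part of the plugin or its release notes: a Python parser for the log line format shown in the v0.4.0 notes. It tallies decisions per form and layer and checks the "never raw" privacy claim against each line's context. The timestamp prefix, the unrelated line and the truncated line in the sample are constructed.

```python
import json
import re
from collections import Counter

# Line shape taken from the samples in the release notes:
#   [gravityforms-altcha] <layer>: <outcome> <JSON context>
LINE_RE = re.compile(
    r"\[gravityforms-altcha\] (?P<layer>[a-z_]+): (?P<outcome>\w+) (?P<ctx>\{.*\})\s*$"
)
# Values that would contradict the "never raw" privacy claim.
RAW_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FULL_EMAIL_RE = re.compile(r"[^\s\"@]+@[^\s\"@]+")

# The four sample lines from the notes (one given a constructed timestamp
# prefix), plus a constructed unrelated line and a constructed truncated line.
SAMPLE_LOG = """\
[gravityforms-altcha] altcha: fail {"form":43,"reason":"replay"}
[01-Jan-2000 00:00:00 UTC] [gravityforms-altcha] rate_limit: blocked {"form":12}
[gravityforms-altcha] content_filter: spam {"form":7,"score":3,"signals":["keyword"]}
[gravityforms-altcha] email_validation: blocked {"form":7,"status":"undeliverable","domain":"example.com"}
PHP Notice: unrelated line
[gravityforms-altcha] altcha: fail {"form":43,"reason":"rep
"""


def parse_line(line):
    """Return {'layer', 'outcome', 'ctx'} or None for foreign or damaged lines."""
    m = LINE_RE.search(line)  # search() tolerates a logger-added prefix
    if not m:
        return None
    try:
        ctx = json.loads(m.group("ctx"))
    except json.JSONDecodeError:
        return None
    return {"layer": m.group("layer"), "outcome": m.group("outcome"), "ctx": ctx}


def summarize(text):
    """Count decisions per (form, layer, outcome)."""
    records = filter(None, map(parse_line, text.splitlines()))
    return Counter((r["ctx"].get("form"), r["layer"], r["outcome"]) for r in records)


def privacy_violations(text):
    """Return parsed records whose context holds a raw IPv4 or a full e-mail."""
    bad = []
    for r in filter(None, map(parse_line, text.splitlines())):
        blob = json.dumps(r["ctx"])
        if RAW_IPV4_RE.search(blob) or FULL_EMAIL_RE.search(blob):
            bad.append(r)
    return bad
```
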

v0.3.0

02 Jun 16:39

Stronger anti-bot + opt-in spam layers

Builds on the opt-in settings with layered, first-party protection — every layer is opt-in and tuned to never block real users (fuzzy layers mark spam, recoverable, rather than rejecting).

  • Proof-of-work: "Protection strength" preset dropdown (site-wide + per-form), ~20× stronger default; replay protection (each challenge single-use).
  • Rate limiting (default 3/hour/IP, configurable): IP resolved independently of GF and kept only as a salted HMAC in a transient — raw IP never stored.
  • Content heuristics: word-boundary keywords + combined weak signals (link farms, URL in the name field, injected markup, wrong-script text); scans composite name/address fields; ignores zero-width evasion.
  • Email validation (Bouncer, off by default): per-verdict checkboxes (undeliverable/risky/disposable); fails open.
  • Tests: unit + Brain\Monkey mocked suites in CI (PHP 8.2–8.4); real-WP wp-phpunit integration suite for DDEV/wp-env.

See #2.

v0.2.0

02 Jun 13:47

Opt-in ALTCHA with global + per-form settings

ALTCHA is now opt-in (off by default) with admin UI, instead of protecting every Gravity Form automatically.

  • Global "Enable for all forms" toggle — Forms → Settings → ALTCHA.
  • Per-form "Enable ALTCHA for this form" toggle — each form's Settings → ALTCHA tab.

A form is protected when the global toggle is on or that form's own toggle is on. The genero/gravityforms_altcha/should_protect filter still overrides the saved settings.

⚠️ Behavior change

Flips the default from opt-out to opt-in. After upgrading, no form is protected until a toggle is enabled. Sites relying on universal coverage should turn on "Enable for all forms" after updating.

See #1.

v0.1.1 — target ALTCHA widget v3

15 May 16:53
f6bbabe

Fixes a mismatched widget version that broke verification on real form pages.

  • Widget bundled is now `altcha@^3.0` (latest 3.0.9) — produces a payload format compatible with `altcha-org/altcha` v2's verifier.
  • Switched the `` tag to v3 attributes (`challenge=`, `display=invisible`).
  • End-to-end verified against a real Gravity Forms install: positive submission accepted, tampered/empty payload rejected, no visible widget UI.

Anyone running v0.1.0 should upgrade — v0.1.0 won't successfully verify a real submission.

v0.1.0 — first release

15 May 16:02
582022d

First public release.

  • Invisible ALTCHA proof-of-work spam protection for Gravity Forms.
  • No third-party calls, no license keys, no quotas.
  • Default algorithm: PBKDF2/SHA-256, cost 10 000 iterations, 10-minute expiry.
  • MIT-licensed end to end.

Install via composer once `generoi/packagist` indexes the release:

```
composer require generoi/gravityforms-altcha
```