Technical Changelog

Here’s the more technical version of the Crosspost to Inkwell WordPress plugin until it gets published on WordPress. Will likely put it up on Github eventually.

Crosspost to Inkwell — Development Changelog

Version 1.0.0 — Submitted 03/10/26

02/27/26 — 1:02 AM — Initial build

• Plugin created with auto-crosspost on publish via transition_post_status hook

• Manual crosspost button in the post editor sidebar (AJAX, no page reload)

• Featured image upload via POST /api/images before entry creation

• Post tags synced and sanitized to Inkwell's alphanumeric+hyphen format

• Per-post overrides: disable crosspost, custom category, custom privacy

• Crosspost status and Inkwell entry URL stored in post meta and displayed in sidebar

• Configurable default privacy (public, friends_only, private)

• Optional featured image and excerpt sending

• Support for custom post types in addition to standard posts

03/01/26 — 12:55 AM — API layer & double-post fix

• Rebuilt API integration against the official Inkwell API docs (inkwell.social/developers)

• Added live API key verification on settings page

• Fixed double-posting bug: WordPress fires transition_post_status multiple times per save; resolved with static $fired[] array + transient lock + _inkwell_crossposted meta guard

• Plugin renamed to "WP Inkwell Crosspost"

03/05/26 — 9:12 AM — Stability

• Rolled back an unstable version of the double-post fix; restored stable build

03/06/26 — 12:39 AM — Submission prep begins

• Mapped full WordPress.org plugin directory submission checklist

03/09/26 — 4:02 PM — readme & validator

• readme.txt written to WordPress.org spec

• Donate link added

• Tested up to updated to 6.9

03/09/26 — 6:15 PM — Naming compliance

• Plugin renamed from "WP Inkwell Crosspost" → "Crosspost to Inkwell" per WP.org Guideline 17

03/09/26 — 7:04 PM — Security audit & PCP compliance

• Full output escaping audit: esc_html(), esc_attr(), esc_url(), esc_textarea() applied throughout

• All $_POST reads wrapped with wp_unslash() + appropriate sanitize function

• sanitize_key() for post type slugs; sanitize_text_field() for all other string inputs

• All forms and AJAX actions protected by nonces via check_ajax_referer()

• register_setting() modernized to array format with sanitize_callback

• in_array() uses strict comparison (true) throughout

• mb_substr() explicitly specifies UTF-8 encoding

• file_get_contents() replaced with WP Filesystem API

03/09/26 — 8:39 PM — i18n, JS & form cleanup

• Full i18n across all ~99 user-facing strings with /* translators: */ comments

• load_plugin_textdomain() removed (auto-loaded since WP 4.6)

• Nested <form> removed — Verify Key button converted to pure AJAX

• All JavaScript moved to properly registered handles via wp_add_inline_script(); no raw <script> blocks

• Version set to 1.0.0; settings stored in wp_options; no custom database tables

03/10/26 — 10:02 PM — Final pre-submission fixes

• All wp_enqueue_script() calls moved to admin_enqueue_scripts hook

• current_time('mysql') replaced with wp_date('Y-m-d H:i:s') (deprecated since WP 5.3)

• wp_register_script() src changed from '' to false for inline-only handles

• Requires at least: 5.8 and Requires PHP: 7.4 added to PHP file header

• License URI unified to gpl-2.0.html across PHP header and readme

• External service disclosure and privacy notice added to readme.txt

• Plugin slug renamed from inkwell-crosspost → crosspost-to-inkwell throughout

• Text domain: crosspost-to-inkwell

• Submitted to WordPress.org plugin directory ✅