fix(dist): exclude maintainer-only files + add drift guard + changelog

The 10up SVN deploy action and `npm run plugin-zip` use opposite rules
for what ships: 10up uses .distignore as an EXCLUDE list, plugin-zip
uses package.json `files` as an INCLUDE list. Three top-level entries
were tracked but listed in neither: CITATION.cff, eslint.config.cjs,
and patterns/ (empty .gitkeep scaffold). They were absent from the
local zip but shipped to SVN trunk in v1.0.3 (changeset 3534041).

Three changes to converge the two paths and prevent the next leak:

1. Add the three offenders to .distignore. The next deploy will remove
   them from trunk via 10up's rsync --delete.

2. New bin/check-distignore.mjs script asserts every tracked top-level
   entry is in either package.json `files` OR matched by .distignore.
   Wired into lefthook pre-push and ci.yml so a missing rule fails at
   PR time, not after SVN deploy. Verified against the v1.0.3 leak set:
   the guard correctly flags all three files when the .distignore fix
   is reverted, clean when in place.

3. Populate readme.txt Changelog with 1.0.4, 1.0.3, 1.0.2 entries.
   The wp.org-visible history starts from the first published version;
   1.0.0 (pre-rename) and 1.0.1 (pended) never reached users.

Version stays at 1.0.3 in this commit. The automated release workflow
bumps to 1.0.4 on next dispatch.

Author: ph33nx

.distignore

@@ -35,6 +35,9 @@
 /README.md
 /CLAUDE.md
 /MAINTAINER.md
+/CITATION.cff
+/eslint.config.cjs
+/patterns
 /todo.md
 /specs
 /vendor

.github/workflows/ci.yml

@@ -22,6 +22,8 @@ jobs:
               run: npm run generate
             - name: Fail if generated code is stale
               run: git diff --exit-code src/Generated blocks/generated
+            - name: Fail if distribution drifts between local zip and SVN deploy
+              run: node bin/check-distignore.mjs
 
     lint:
         name: Lint and Plugin Check

bin/check-distignore.mjs

@@ -0,0 +1,115 @@
+#!/usr/bin/env node
+/**
+ * Distribution drift guard.
+ *
+ * Two release paths produce the published zip and they use opposite rules:
+ *
+ *   - Local: `npm run plugin-zip` (wp-scripts plugin-zip → npm-packlist) ships
+ *     only entries listed in package.json `files`. Include-list semantics.
+ *   - CI: 10up/action-wordpress-plugin-deploy ships every top-level entry
+ *     except those matched by .distignore. Exclude-list semantics.
+ *
+ * Any top-level repo entry that is in neither list ships via 10up but is
+ * absent from the local zip — silent drift that only surfaces after SVN
+ * deploy. v1.0.3 leaked CITATION.cff, eslint.config.cjs, and patterns/
+ * exactly this way.
+ *
+ * This script fails (exit 1) if any tracked top-level entry is neither
+ * a member of the package.json `files` include-list nor matched by a
+ * .distignore rule. Run before push via lefthook.
+ */
+import { execFileSync } from 'node:child_process';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+
+const root = path.resolve(
+	path.dirname( fileURLToPath( import.meta.url ) ),
+	'..'
+);
+
+const tracked = execFileSync( 'git', [ 'ls-files' ], {
+	cwd: root,
+	encoding: 'utf8',
+} )
+	.split( '\n' )
+	.filter( Boolean );
+
+const topLevel = new Set();
+for ( const f of tracked ) {
+	const slash = f.indexOf( '/' );
+	topLevel.add( slash === -1 ? f : f.slice( 0, slash ) );
+}
+
+const pkg = JSON.parse(
+	readFileSync( path.join( root, 'package.json' ), 'utf8' )
+);
+const filesField = new Set(
+	( pkg.files || [] ).map( ( e ) => e.replace( /\/$/, '' ) )
+);
+
+const distignore = readFileSync( path.join( root, '.distignore' ), 'utf8' )
+	.split( '\n' )
+	.map( ( l ) => l.trim() )
+	.filter( ( l ) => l && ! l.startsWith( '#' ) );
+
+const distignoreLeading = new Set(
+	distignore
+		.filter( ( l ) => l.startsWith( '/' ) )
+		.map( ( l ) => l.slice( 1 ) )
+);
+const distignoreGlobs = distignore.filter( ( l ) => l.includes( '*' ) );
+
+function matchedByDistignore( entry ) {
+	if ( distignoreLeading.has( entry ) ) {
+		return true;
+	}
+	for ( const glob of distignoreGlobs ) {
+		const pattern =
+			'^' + glob.replace( /\./g, '\\.' ).replace( /\*/g, '.*' ) + '$';
+		if ( new RegExp( pattern ).test( entry ) ) {
+			return true;
+		}
+	}
+	return false;
+}
+
+const drift = [];
+for ( const entry of topLevel ) {
+	const inFiles = filesField.has( entry ) || filesField.has( entry + '/' );
+	const inIgnore = matchedByDistignore( entry );
+	if ( ! inFiles && ! inIgnore ) {
+		drift.push( entry );
+	}
+}
+
+if ( drift.length ) {
+	console.error( '✗ Distribution drift detected.' );
+	console.error( '' );
+	console.error(
+		'The following top-level entries are tracked in git but are:'
+	);
+	console.error(
+		'  - NOT listed in package.json `files` (so npm-packlist excludes them locally)'
+	);
+	console.error(
+		'  - NOT matched by any .distignore rule (so 10up rsync ships them to SVN)'
+	);
+	console.error( '' );
+	console.error(
+		'This produces a silent drift between `npm run plugin-zip` and the SVN deploy.'
+	);
+	console.error( '' );
+	for ( const entry of drift.sort() ) {
+		console.error( `  - ${ entry }` );
+	}
+	console.error( '' );
+	console.error(
+		'Fix by adding each to .distignore (if dev-only) or to package.json `files` (if shippable).'
+	);
+	process.exit( 1 );
+}
+
+console.log(
+	`✓ no distribution drift (${ topLevel.size } top-level entries audited)`
+);

lefthook.yml

@@ -62,6 +62,13 @@ pre-push:
             run: npm run generate:check
             priority: 1
 
+        # Distribution drift: every tracked top-level entry must be in
+        # package.json `files` (shipped by local zip) or .distignore
+        # (excluded by 10up SVN deploy). Catches the v1.0.3 leak class.
+        distignore-drift-check:
+            run: node bin/check-distignore.mjs
+            priority: 1
+
         # Full format pass (auto-fix). PHP first, then JS/CSS so each tool
         # only touches files it owns.
         php-format:

package.json

@@ -44,6 +44,7 @@
 		"wp-env": "wp-env",
 		"generate": "node bin/generate.mjs",
 		"generate:check": "node bin/generate.mjs && git diff --exit-code src/Generated blocks/generated",
+		"check:distignore": "node bin/check-distignore.mjs",
 		"upgrade": "npx npm-check-updates --target minor --upgrade",
 		"check-outdated": "npx npm-check-updates"
 	},

readme.txt

@@ -130,40 +130,24 @@ Hero block editor sidebars are intentionally minimal in this release. Live previ
 
 == Changelog ==
 
-= 1.0.2 =
-* Block registration no longer calls a WordPress 6.7 only function, keeping the plugin compatible with the stated 6.5 minimum.
+= 1.0.4 =
+* Tidy distribution: drop maintainer-only files (CITATION.cff, eslint.config.cjs, empty patterns scaffold) that were leaking into the published zip.
 
-= 1.0.1 =
-* Display name now leads with the RoxyAPI brand.
-* Form result lookups use an opaque token so visitor input never reaches the transient key.
+= 1.0.3 =
+* Sync to the latest RoxyAPI spec, now 133 endpoints across 10 spiritual domains.
+* Western astrology: detect aspect patterns (Grand Trine, Kite, T-Square, Grand Cross, Yod, Mystic Rectangle, Stellium) via new [roxy_detect_aspect_patterns] shortcode + matching block.
+* Vedic astrology: detect classical Vedic yogas in a birth chart via new [roxy_detect_yogas] shortcode + matching block.
+* Natal chart, transits, and aspect calculations now include Black Moon Lilith alongside the lunar nodes and Chiron for full 14-body planetary coverage.
+* Yoga catalog entries reworded for clearer glossary phrasing in both the list and the per-yoga detail responses.
 
-= 1.0.0 =
-* Initial release. 131 endpoints across 10 spiritual domains under one API key.
-* 17 hero shortcodes:
-  - Western astrology: Horoscope (daily, weekly, monthly), Natal chart, Synastry, Compatibility, Moon phase.
-  - Vedic astrology: Kundli, Panchang, Mangal Dosha, KP chart, Gun Milan (Ashtakoota matrimonial).
-  - Tarot: Tarot card (daily, three card, Celtic Cross), Tarot yes or no.
-  - Numerology: Numerology chart, Life path.
-  - Plus Biorhythm, Angel number, Crystals by zodiac.
-* Form mode on every hero. Drop the shortcode with no attributes and visitors fill in the form themselves; submission is server side, the API key never reaches the browser.
-* Two-chart heroes (Synastry, Gun Milan, Compatibility) are form-only because static mode would require ten plus inline attributes; the form has Person 1 / Person 2 fieldsets with city autocomplete.
-* 117 auto generated shortcodes for the long tail. Generated from the live OpenAPI spec via npm run generate.
-* Hero shortcode attribute names aligned with the documented examples so a copy-paste from the admin onboarding page works first try.
-* Horoscope block ships three real variations (daily, weekly, monthly) wired to the matching SaaS endpoints; the period attribute now actually dispatches.
-* Auto detecting form mode on every hero shortcode. Drop the shortcode with no attributes and visitors submit their own sign, name, birth date, or question.
-* GDPR Article 9 consent gate on every visitor form. Submission requires an explicit opt in checkbox; the plugin registers privacy policy content via wp_add_privacy_policy_content for the WordPress Privacy Policy Guide.
-* City autocomplete for natal chart and synastry forms. ARIA 1.2 combobox proxied through /wp-json/roxyapi/v1/geocode so the API key never reaches the browser.
-* Top level RoxyAPI menu in the admin sidebar with a tabbed settings page (Connect, Branding, Display, Privacy, Advanced) and a 3 step onboarding flow for first time users.
-* Branding controls: accent color, opt in source line under each reading.
-* Display controls: default response language, optional disclaimer line.
-* Advanced controls: cache preset (fresh, balanced, quota saver) on top of per endpoint TTLs.
-* Dashboard widget showing connection status and the most used shortcodes with copy to clipboard.
-* Settings API key field with wp config constant override and an inline Test Connection button.
-* Encryption at rest via AES 256 CTR. Returns false on missing keys instead of falling back to a hardcoded secret.
-* Server side caching with per endpoint TTL via WordPress transients (Redis and Memcached compatible automatically).
-* Rate limiting per IP to protect the site owner API quota, applied to form submissions, the Test Connection button, and the geocoder proxy.
-* Block Bindings API source roxyapi/daily-text. Bind a paragraph to it with a sign argument to render the daily overview inline.
-* X-SDK-Client and User-Agent headers matching the TypeScript and Python SDK pattern so RoxyAPI can identify plugin traffic.
+= 1.0.2 =
+* Initial public release on the WordPress Plugin Directory.
+* 131 endpoints across 10 spiritual domains under one RoxyAPI key. 17 hero shortcodes with matching Gutenberg blocks (Western astrology, Vedic astrology, tarot, numerology, biorhythm, angel numbers, crystals) plus 117 auto-generated long-tail shortcodes for the full spec.
+* Compatible with the declared WordPress 6.5 minimum: block registration no longer calls a WordPress 6.7 only function.
+* Form mode on every hero shortcode: drop with no attributes and visitors fill the form themselves. Server-side submission, API key never reaches the browser, GDPR Article 9 consent gate, per-IP rate limit.
+* Two-chart heroes (Synastry, Gun Milan, Compatibility) ship form-only with Person 1 / Person 2 fieldsets and ARIA 1.2 combobox city autocomplete via a key-protected /wp-json/roxyapi/v1/geocode proxy.
+* Tabbed admin settings (Connect, Branding, Display, Privacy, Advanced) with accent color, response-language picker, disclaimer line, cache preset (fresh / balanced / quota saver), and inline Test Connection button. API key supports a ROXYAPI_KEY wp-config constant override.
+* Encryption at rest via AES 256 CTR. Server-side caching with per-endpoint TTL via WordPress transients (Redis / Memcached compatible). Block Bindings API source roxyapi/daily-text for inline horoscope binding.
 
 == Upgrade Notice ==