1.3.0-rc1: API freeze, pre-rc1 audit hardening landed Cut after a methodical pre-rc1 audit on the 1.3.x line. The audit read every PHP, YAML, and Markdown file on the branch, checked against Drupal coding standards, common security anti-patterns, and the SA-team-flag risk surface. One security finding (defence in depth on the ESI fragment route), two coding-standards items, two doc refreshes, three test-coverage gaps. All seven landed in the four "rc1 prep" commits since 1.3.0-beta2. The version bump signals API freeze for the 1.3.x track and asks operators to soak the module on production-shape installs ahead of 1.3.0 stable. Per the 1.0.0 trajectory, rc1 -> ~2 weeks soak -> 1.3.0 stable. What landed since 1.3.0-beta2 (commit 02e98fd): - B1 / 70c388e: TrustedCallbackInterface enforcement on ESI fragment callbacks. The fragment route previously gated callable invocation on HMAC token verification only; now also checks that the resolved class declares itself trusted via Drupal core's standard marker interface, mirroring the #lazy_builder policy. Defence in depth: bounds the impact of a hash-salt compromise. No exploitable bug; SA-team-aligned hardening. - S1+S2 / 4516f72: LscachePurgerSettingsForm constructor params now declare types (ConfigFactoryInterface, TypedConfigManager Interface). TagHeaderBuilder::resolvePrefix() removed entirely as it accepted a parameter it never used and just delegated to getPrefix(). - S6+S7 / 480889f: lscache.install status report description updated to link at the 1.3.x docs branch instead of 1.0.x. htaccess-gotchas.md gained version notes for 1.0.0-rc1, 1.0.0, 1.0.1, 1.1.x, 1.2.x, 1.3.x covering the additional .htaccess and LSWS-side directives each release introduces, plus a summary table mapping feature surface to required directives. - S3+S4+S5 / 676931f: three new unit-test classes covering Esi::preRenderEsi's missing-callback path, the fragment controller's TrustedCallbackInterface enforcement (positive and negative cases for both static-method and service-method callable shapes), and the install hook's flatten-defaults helper (six cases covering scalars, mappings, sequences, empty arrays, deep nesting, and mixed shapes). What 1.3.x cumulatively ships: - 1.0.x: cache-tag headers, Purge framework integration, status report .htaccess check, purge_host scheme validation - 1.1.x: per-user private cache mode driven by Drupal cache contexts, admin-route skip, log placeholder substitution - 1.2.x: ESI render element with HMAC-signed fragment URLs and TrustedCallbackInterface enforcement on the resolved callback - 1.3.x: named vary cookies that emit X-LiteSpeed-Vary header for every configured cookie on every cacheable response Stability commitment carried forward from beta2 unchanged: the config schema, response-header contract, render-element shape, fragment-route URL pattern, and TagHeaderBuilder service are all stable from this release. Path to 1.3.0 stable is bug-fix only.