Hatch v0.1.1 — Headless WordPress, made easy
Post-launch polish — five hollow / mislabeled toggles fixed, repo cleaned, README rewritten to match shipped reality.
Security toggles — code now matches every label
- Kill XML-RPC —
/xmlrpc.phpnow hard-returns 403 (previously responded 200 with a method-list message; only method dispatch was blocked). - Hide usernames —
?author=Nnow returns 404 (was a 301 redirect to home)./wp/v2/usersis removed from the REST surface unconditionally — no longer dependent on the REST-lock toggle. - Hide WP from Google —
robots.txtnow emitsUser-agent: *\nDisallow: /when the toggle is on. Previously only the meta robots noindex was emitted; therobots.txtbody was unchanged.
Performance toggles — wiring fixes
- Real-user telemetry — fixed an option-key mismatch (UI was writing to
hatch_telemetry, the frontend was readinghatch_perf['telemetry']). The beacon now actually fires when the toggle is on. - CDN asset prefix — removed (was saved but never consumed). Will return in v0.2 wired into
astro.config.mjsbuild.assetsPrefixat build time.
Editor
- Gutenberg URL preview — the editor tooltip now mirrors the actual saved slug. Previously the preview reflected the title-derived
generated_slugeven when the user had manually edited the slug to something else.
Layout
- Page + post container alignment — pages now share the same
--hatch-max-widthcontainer as posts and the homepage. Header, footer, and article all align vertically on every route.
Repo + documentation
- README rewritten with explanatory voice and v0.1.1 reality (no "8 Gutenberg blocks" claim — Hatch uses core Gutenberg).
- Removed all internal handoff / audit / architecture markdown files from the repo root.
- Removed legacy
docs/folder (replaced by inline FAQ + README sections). blocks-src/excluded from the release zip (~40 KB smaller)..DS_Storeadded to.gitignore.
Verified
- Zero static-scan issues across the codebase (10 checks).
- Zero runtime QA issues across 30 cells (5 themes × 5 page types) after the toggle fixes.
- Per-toggle end-to-end audit: 0 hollow, 0 broken across all 6 admin tabs.