=== Maintenance & Construction Mode ===
Requires at least: 6.5
Requires PHP: 8.0
Stable tag: 2.0.0
License: GPLv2 or later

Secure maintenance, prelaunch, private staging, and limited-operation profiles.

== Operating profiles ==

* Short maintenance returns HTTP 503 with a configurable Retry-After header. robots.txt remains accessible and the response does not combine noindex with a temporary 503.
* Prelaunch serves one meaningful homepage with HTTP 200 and returns a real 404/noindex response for other public URLs rather than duplicating one placeholder everywhere.
* Private staging blocks the front end, REST API, feeds, oEmbed REST routes, and XML-RPC unless the request has authorized preview access. robots.txt disallows crawling.
* Limited operation preserves normal public pages and status codes while showing a banner and optionally disabling WooCommerce purchasing, Contact Form 7 delivery, and new comments.

== Access and administration ==

The plugin supports schedules, selectable backing pages, role/IP allowlists, trusted proxies, excluded webhook paths, a shared password, opaque expiring browser sessions, one-time invite links, and an emergency bypass key. Login throttling combines client IP, email, and site-wide limits.

Managed backing pages are drafts and are excluded from the WordPress sitemap. Session retention is configurable; daily cleanup and WordPress privacy export/erase callbacks are included. The diagnostics panel documents expected response codes, and a bounded activity log records security-relevant events without raw client IP addresses.

== Changelog ==

= 2.0.0 =
* Added four purpose-built operating profiles.
* Corrected construction/prelaunch HTTP behavior to prevent soft-404 duplication.
* Added full private-mode protection for REST, feeds, oEmbed, and XML-RPC.
* Kept robots.txt reachable during short maintenance and stopped sending noindex with 503.
* Replaced published auto-pages with managed draft pages excluded from sitemaps.
* Added retention, cron cleanup, privacy policy text, exporter, and eraser support.
* Replaced email-bearing cookies with opaque random session tokens.
* Added proxy-aware combined IP/email/global throttling.
* Added wp_body_open and filtered body classes to the lock template.
* Added scheduling, invite links, allowlists, webhook exclusions, cache/CDN headers, emergency bypass, diagnostics, activity logging, and limited-operation controls.
