
fix(faustwp): include IV in token envelope HMAC (GHSA-q6pm-r77q-qcv3)#2386

Merged
josephfusco merged 3 commits into canary from security/ghsa-q6pm-r77q-qcv3 on Jun 3, 2026

Conversation

@josephfusco
Member

Summary

Authenticates the full encoded token envelope by including the initialization vector in the HMAC input on both encrypt() and decrypt(). The on-the-wire layout (IV || HMAC || ciphertext) is unchanged; only the bytes fed into hash_hmac() change.

Tracked in GHSA-q6pm-r77q-qcv3.

Changes

  • plugins/faustwp/includes/auth/functions.php — HMAC input changes from $cipher_text to $iv . $cipher_text in encrypt() and decrypt().
  • plugins/faustwp/tests/integration/AuthFunctionsTests.php — new coverage: round-trip across several plaintext sizes, rejection of modified ciphertext, rejection of modified IV, rejection of modified HMAC, rejection of truncated input.
  • .changeset/iv-hmac-token-envelope.md — patch-level changeset for @faustwp/wordpress-plugin.

Compatibility

Tokens issued under the prior envelope rule will not decrypt on the patched version. Authorization codes (1 min) and access tokens (5 min) age out within their normal windows; refresh-token holders (2 weeks) are prompted to re-authenticate once.

Test plan

  • unit_test_plugin green on the new AuthFunctionsTests.
  • Existing auth integration tests still pass.
  • After merge, the regenerated Version Packages PR contains only this changeset, bumping @faustwp/wordpress-plugin to 1.8.8.

@josephfusco josephfusco requested a review from a team as a code owner June 3, 2026 16:10
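The envelope rule described in the PR, worked through as an added Go example that is not the plugin's own code (faustwp's functions.php is PHP and is not reproduced here). The PR only states the layout IV || HMAC || ciphertext and the change of the HMAC input from ciphertext to iv || ciphertext; the cipher, padding and MAC used below (AES-256-CBC, PKCS#7, HMAC-SHA256), the separate encryption and MAC keys, and the fixed keys, IV and token body are assumptions constructed for the demonstration. It goes one step beyond the description by showing what an unauthenticated IV costs in CBC mode: the IV is XORed into the first plaintext block on decryption, so rewriting the IV rewrites chosen bytes of the first block while the ciphertext and the tag stay untouched. Seal and Open take an authIV flag so the prior rule and the patched rule can be run side by side; Open also rejects truncated or misaligned envelopes before any cryptography runs, matching the new test coverage listed above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Wire layout from the PR: IV || HMAC || ciphertext. The cipher and MAC are
// assumptions for this example: AES-256-CBC, PKCS#7 padding, HMAC-SHA256.
const ivLen, macLen = aes.BlockSize, sha256.Size

func mustBlock(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// tag is the HMAC under either rule: the prior rule covered only the
// ciphertext; the patched rule (authIV) covers iv || ciphertext.
func tag(macKey, iv, ct []byte, authIV bool) []byte {
	m := hmac.New(sha256.New, macKey)
	if authIV {
		m.Write(iv)
	}
	m.Write(ct)
	return m.Sum(nil)
}

// Seal encrypts plaintext and returns IV || HMAC || ciphertext.
func Seal(encKey, macKey, iv, plaintext []byte, authIV bool) []byte {
	ct := pkcs7Pad(plaintext)
	cipher.NewCBCEncrypter(mustBlock(encKey), iv).CryptBlocks(ct, ct)
	env := append(append([]byte(nil), iv...), tag(macKey, iv, ct, authIV)...)
	return append(env, ct...)
}

// Open rejects malformed or truncated envelopes, verifies the HMAC in
// constant time under the chosen rule, and only then decrypts.
func Open(encKey, macKey, env []byte, authIV bool) ([]byte, error) {
	if len(env) < ivLen+macLen+aes.BlockSize || (len(env)-ivLen-macLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	iv, mac, ct := env[:ivLen], env[ivLen:ivLen+macLen], env[ivLen+macLen:]
	if !hmac.Equal(mac, tag(macKey, iv, ct, authIV)) {
		return nil, errors.New("HMAC mismatch")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustBlock(encKey), iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// TamperIV rewrites only the IV so the first plaintext block decrypts to
// want instead of have: in CBC, P1 = D(C1) XOR IV, so IV' = IV XOR have XOR want.
// The ciphertext and the HMAC bytes are left untouched.
func TamperIV(env, have, want []byte) []byte {
	out := append([]byte(nil), env...)
	for i := range have {
		out[i] ^= have[i] ^ want[i]
	}
	return out
}

// Demo runs the IV forgery against both rules and reports whether the prior
// rule accepted it (and what it decrypted to) and whether the patched rule
// rejected it. Keys, IV and token body are constructed for this example; real
// code draws the IV from crypto/rand.
func Demo() (oldAccepted bool, oldPlaintext string, newRejected bool) {
	encKey := []byte("0123456789abcdef0123456789abcdef")
	macKey := []byte("fedcba9876543210fedcba9876543210")
	iv := []byte("constructed-iv!!")
	token := []byte(`{"sub":"user","uid":42}`)
	have, want := []byte(`{"sub":"user","u`), []byte(`{"sub":"root","u`)

	if pt, err := Open(encKey, macKey, TamperIV(Seal(encKey, macKey, iv, token, false), have, want), false); err == nil {
		oldAccepted, oldPlaintext = true, string(pt)
	}
	_, err := Open(encKey, macKey, TamperIV(Seal(encKey, macKey, iv, token, true), have, want), true)
	newRejected = err != nil
	return
}
```

Under the prior rule the forged envelope passes the HMAC check and decrypts to `{"sub":"root","uid":42}`; under the patched rule the same forgery fails the HMAC check before decryption. The same property is why "rejection of modified IV" belongs in the test suite alongside modified-ciphertext and modified-HMAC cases: all three are edits to the envelope that a full-envelope MAC must catch.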
@changeset-bot

changeset-bot Bot commented Jun 3, 2026

🦋 Changeset detected

Latest commit: 012678c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
@faustwp/wordpress-plugin (Type: Patch)


@josephfusco josephfusco merged commit cda00de into canary Jun 3, 2026
14 checks passed
@josephfusco josephfusco deleted the security/ghsa-q6pm-r77q-qcv3 branch June 3, 2026 16:11
@github-actions
Contributor

github-actions Bot commented Jun 3, 2026

📦 Next.js Bundle Analysis for @faustwp/getting-started-example

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌

