From da6502cf7ff260a63cc86e0359dc45ce4319a463 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:00:53 +1000
Subject: [PATCH 01/15] Plugin Directory: Defer update_source writes by 48hrs
 to gate plugin releases.

Introduces a release cooldown that holds new versions back from the update API
for RELEASE_COOL_DOWN_DELAY (48hrs) after commit / final author confirmation.
The previous version continues to be served during the window, giving scanners
and reviewers time to flag supply-chain attacks before the new version ships
to sites.

Plugin reviewers can bypass the cooldown for urgent security fixes via a new
Force-release control on the Plugin Controls metabox (requires a reason; logged
via Tools::audit_log).

Closed/disabled plugins, rebuild scripts, and other status-change paths
bypass the cooldown so closures take effect immediately. release_time is
re-anchored to the moment the version actually becomes public so the existing
phased_rollout manual-updates-24hr window still measures from public
availability.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/class-customizations.php            |   1 +
 .../admin/metabox/class-controls.php          | 134 ++++++++++
 .../bin/rebuild-update_source-table.php       |   3 +-
 .../jobs/class-api-update-updater.php         | 229 ++++++++++++++++-
 .../plugin-directory/jobs/class-manager.php   |  11 +-
 .../plugin-directory/plugin-directory.php     |  10 +
 .../shortcodes/class-release-confirmation.php |  75 ++++++
 .../tests/Plugin_Update_Cooldown_Test.php     | 234 ++++++++++++++++++
 8 files changed, 679 insertions(+), 18 deletions(-)
 create mode 100644 wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php
index 79ff49ea5a..f965fa9780 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php
@@ -79,6 +79,7 @@ private function __construct() {
 		add_action( 'save_post', array( __NAMESPACE__ . '\Metabox\Release_Confirmation', 'save_post' ) );
 		add_action( 'save_post', array( __NAMESPACE__ . '\Metabox\Author_Notice', 'save_post' ) );
 		add_action( 'save_post', array( __NAMESPACE__ . '\Metabox\Reviewer', 'save_post' ) );
+		add_action( 'save_post', array( __NAMESPACE__ . '\Metabox\Controls', 'save_post' ) );
 	}
 
 	/**
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index 052f6f5a15..5f06d1b058 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -2,7 +2,10 @@
 namespace WordPressdotorg\Plugin_Directory\Admin\Metabox;
 
 use WordPressdotorg\Plugin_Directory\Admin\Status_Transitions;
+use WordPressdotorg\Plugin_Directory\Jobs\API_Update_Updater;
+use WordPressdotorg\Plugin_Directory\Plugin_Directory;
 use WordPressdotorg\Plugin_Directory\Template;
+use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
  * The Plugin Controls / Publish metabox.
@@ -27,6 +30,7 @@ static function display() {
 			<div id="misc-publishing-actions">
 				<?php
 				self::display_meta();
+				self::display_release_cooldown();
 				self::display_post_status();
 				?>
 			</div>
@@ -42,6 +46,136 @@ static function display() {
 		<?php
 	}
 
+	/**
+	 * Display the release cooldown status and (for reviewers) a force-release control.
+	 *
+	 * The cooldown only applies to publishable, version-bumping releases; for any other
+	 * state (closed/disabled plugins, releases past the cooldown window, releases already
+	 * force-released) this section is skipped entirely.
+	 */
+	protected static function display_release_cooldown() {
+		$post = get_post();
+
+		if ( 'publish' !== $post->post_status ) {
+			return;
+		}
+
+		$version = get_post_meta( $post->ID, 'version', true );
+		if ( ! $version ) {
+			return;
+		}
+
+		$release = Plugin_Directory::get_release( $post, $version );
+		if ( ! $release ) {
+			return;
+		}
+
+		$release_time   = API_Update_Updater::compute_release_time( $post, $release );
+		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+		$force_released = ! empty( $release['force_released'] );
+
+		// Already force-released — show audit info to reviewers, nothing to authors.
+		if ( $force_released ) {
+			if ( current_user_can( 'plugin_review', $post ) ) {
+				$user = get_userdata( (int) ( $release['force_released_by'] ?? 0 ) );
+				printf(
+					'<div class="misc-pub-section misc-pub-release-cooldown"><p>%s</p></div>',
+					sprintf(
+						/* translators: 1: version, 2: relative time, 3: user display name */
+						esc_html__( 'Version %1$s was force-released %2$s ago by %3$s, bypassing the release cooldown.', 'wporg-plugins' ),
+						esc_html( $version ),
+						esc_html( human_time_diff( (int) ( $release['force_released_at'] ?? time() ) ) ),
+						esc_html( $user ? ( $user->display_name ? $user->display_name : $user->user_login ) : __( 'unknown', 'wporg-plugins' ) )
+					)
+				);
+			}
+			return;
+		}
+
+		// Cooldown already elapsed — nothing to show.
+		if ( $cooldown_until <= time() ) {
+			return;
+		}
+
+		?>
+		<div class="misc-pub-section misc-pub-release-cooldown">
+			<p>
+			<?php
+			printf(
+				/* translators: 1: version, 2: relative time until cooldown expires, 3: absolute UTC timestamp */
+				esc_html__( 'Version %1$s is in the release cooldown — it will be served to sites in %2$s (at %3$s UTC).', 'wporg-plugins' ),
+				esc_html( $version ),
+				esc_html( human_time_diff( time(), $cooldown_until ) ),
+				esc_html( gmdate( 'Y-m-d H:i', $cooldown_until ) )
+			);
+			?>
+			</p>
+			<?php if ( current_user_can( 'plugin_review', $post ) ) : ?>
+				<p>
+					<label for="force_release_reason"><?php esc_html_e( 'Force-release reason (required):', 'wporg-plugins' ); ?></label>
+					<textarea
+						id="force_release_reason"
+						name="force_release_reason"
+						rows="2"
+						style="width: 100%;"
+						placeholder="<?php esc_attr_e( 'e.g. urgent security fix for CVE-…', 'wporg-plugins' ); ?>"
+					></textarea>
+				</p>
+				<p>
+					<?php wp_nonce_field( 'force_release_' . $post->ID, '_force_release_nonce' ); ?>
+					<button type="submit" name="force_release_version" value="<?php echo esc_attr( $version ); ?>" class="button">
+						<?php
+						printf(
+							/* translators: %s: version */
+							esc_html__( 'Force-release %s now', 'wporg-plugins' ),
+							esc_html( $version )
+						);
+						?>
+					</button>
+				</p>
+			<?php endif; ?>
+		</div>
+		<?php
+	}
+
+	/**
+	 * Save handler for reviewer force-release submissions from the Controls metabox.
+	 *
+	 * @param int $post_id The post being saved.
+	 */
+	public static function save_post( $post_id ) {
+		if ( empty( $_POST['force_release_version'] ) ) {
+			return;
+		}
+
+		$post = get_post( $post_id );
+		if ( ! $post || 'plugin' !== $post->post_type ) {
+			return;
+		}
+
+		if ( ! current_user_can( 'plugin_review', $post ) ) {
+			return;
+		}
+
+		check_admin_referer( 'force_release_' . $post_id, '_force_release_nonce' );
+
+		$version           = get_post_meta( $post->ID, 'version', true );
+		$submitted_version = sanitize_text_field( wp_unslash( $_POST['force_release_version'] ) );
+		if ( $submitted_version !== $version ) {
+			// Submitted version doesn't match current — a newer commit landed since the form was rendered.
+			return;
+		}
+
+		$reason = isset( $_POST['force_release_reason'] )
+			? trim( sanitize_textarea_field( wp_unslash( $_POST['force_release_reason'] ) ) )
+			: '';
+		if ( ! $reason ) {
+			return;
+		}
+
+		API_Update_Updater::force_release( $post->post_name, $reason );
+	}
+
 	/**
 	 * Get button label for setting the plugin status.
 	 *
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php
index 7ac682dcee..bb82efe232 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php
@@ -47,7 +47,8 @@
 foreach ( $slugs as $i => $slug ) {
 	echo ++$i . '/' . count( $slugs ) . "\t" . $slug . "\n";
 
-	Jobs\API_Update_Updater::update_single_plugin( $slug );
+	// Rebuild bypasses the release cooldown — the intent is to reflect current state.
+	Jobs\API_Update_Updater::update_single_plugin( $slug, true );
 
 	clear_memory_caches();
 }
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 21a83ecb2d..776a832fc1 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -3,6 +3,7 @@
 
 use WordPressdotorg\Plugin_Directory\Plugin_Directory;
 use WordPressdotorg\Plugin_Directory\Template;
+use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
  * Handles interfacing with the api.WordPress.org/plugin/update-check/ API.
@@ -67,20 +68,77 @@ public static function cron_trigger() {
 
 	/**
 	 * Updates a single plugins `update_source` data.
+	 *
+	 * @param string $plugin_slug     The plugin slug.
+	 * @param bool   $bypass_cooldown Whether to bypass the release cooldown gate. True when called
+	 *                                from the deferred release cron, the reviewer force-release
+	 *                                action, or from contexts that must publish immediately (status
+	 *                                transitions, rebuild scripts). When true, `release_time` in the
+	 *                                stored meta is anchored to the moment of the write rather than
+	 *                                the original commit time, so the phased-rollout
+	 *                                `manual-updates-24hr` window measures from public availability.
+	 * @return bool
 	 */
-	public static function update_single_plugin( $plugin_slug, $self_loop = false ) {
+	public static function update_single_plugin( $plugin_slug, $bypass_cooldown = false ) {
 		global $wpdb;
 		$post = Plugin_Directory::get_plugin_post( $plugin_slug );
 
 		if ( ! $post || ! in_array( $post->post_status, array( 'publish', 'disabled', 'closed' ) ) ) {
 			$wpdb->delete( $wpdb->prefix . 'update_source', compact( 'plugin_slug' ) );
+			wp_clear_scheduled_hook( "release_to_update_api:{$plugin_slug}" );
 			return true;
 		}
 
 		$version          = get_post_meta( $post->ID, 'version', true );
 		$requires_plugins = get_post_meta( $post->ID, 'requires_plugins', true );
-		$meta             = array(
-			'release_time'    => strtotime( $post->version_date ?: $post->post_modified ),
+		$release          = Plugin_Directory::get_release( $post, $version );
+		$release_time     = self::compute_release_time( $post, $release );
+		$existing_version = (string) $wpdb->get_var(
+			$wpdb->prepare(
+				"SELECT version FROM {$wpdb->prefix}update_source WHERE plugin_slug = %s",
+				$post->post_name
+			)
+		);
+
+		/*
+		 * Defer the write for new versions still inside the cooldown window. While
+		 * deferred, the existing `update_source` row (carrying the previous version)
+		 * continues to be served by the update API.
+		 *
+		 * Bypassed when:
+		 *  - The caller explicitly bypasses (deferred-event fire, reviewer force-release, etc.).
+		 *  - The plugin is closed/disabled — closure must take effect immediately, see
+		 *    get_cooldown_defer_time().
+		 *  - The reviewer has already force-released this version.
+		 *  - This isn't actually a new-version write (same version as already in the table).
+		 */
+		if ( ! $bypass_cooldown ) {
+			$cooldown_until = self::get_cooldown_defer_time(
+				$release_time,
+				! empty( $release['force_released'] ),
+				$post->post_status,
+				$existing_version,
+				(string) $version
+			);
+
+			if ( $cooldown_until ) {
+				self::queue_release_to_update_api( $post->post_name, $cooldown_until );
+				return true;
+			}
+		}
+
+		// When this write is publishing a new version (existing row had a different version, or
+		// no row existed) anchor `release_time` to now — that's the moment the version is
+		// actually available to sites. Keeps phased_rollout()'s `manual-updates-24hr` window
+		// measuring from public availability, even if the commit/confirmation was long ago
+		// because the cooldown deferred the write. Rebuild/status/meta-sync paths reach this
+		// code with existing_version == version and so retain the original release_time.
+		if ( $existing_version !== (string) $version && 'publish' === $post->post_status ) {
+			$release_time = time();
+		}
+
+		$meta = array(
+			'release_time'    => $release_time,
 			'last_version'    => $post->last_version ?? '',
 			'last_stable_tag' => $post->last_stable_tag ?? '',
 		);
@@ -96,15 +154,6 @@ public static function update_single_plugin( $plugin_slug, $self_loop = false )
 			}
 		}
 
-		$release = Plugin_Directory::get_release( $post, $version );
-		if (
-			$release &&
-			$release['confirmations_required'] &&
-			$release['confirmations']
-		) {
-			$meta['release_time'] = max( $release['confirmations'] );
-		}
-
 		// Add phased rollout strategy data if needed.
 		if ( $release && ! empty( $release['rollout_strategy'] ) ) {
 			$meta['rollout'] = array(
@@ -112,6 +161,10 @@ public static function update_single_plugin( $plugin_slug, $self_loop = false )
 			);
 		}
 
+		// The deferred event (if any) has either fired or been pre-empted by a force-release
+		// or status change. Clear any leftover schedule so the cron table doesn't grow.
+		wp_clear_scheduled_hook( "release_to_update_api:{$post->post_name}" );
+
 		$data = array(
 			'plugin_id'        => $post->ID,
 			'plugin_slug'      => $post->post_name,
@@ -171,6 +224,158 @@ public static function update_single_plugin( $plugin_slug, $self_loop = false )
 		return true;
 	}
 
+	/**
+	 * Determine the release timestamp for a plugin version.
+	 *
+	 * Falls back through the commit timestamp on the plugin post, and is replaced by the
+	 * latest committer-confirmation time when release confirmations are required (the
+	 * version isn't really "released" until the last confirmation lands).
+	 *
+	 * @param \WP_Post   $post    The plugin post.
+	 * @param array|bool $release The release row from Plugin_Directory::get_release(), or false.
+	 * @return int Unix timestamp.
+	 */
+	public static function compute_release_time( $post, $release ) {
+		$release_time = strtotime( $post->version_date ? $post->version_date : $post->post_modified );
+
+		if (
+			$release &&
+			$release['confirmations_required'] &&
+			$release['confirmations']
+		) {
+			$release_time = max( $release['confirmations'] );
+		}
+
+		return $release_time;
+	}
+
+	/**
+	 * Pure-logic helper: decide whether a new-version write should be deferred,
+	 * and return the cooldown expiry timestamp if so.
+	 *
+	 * @param int    $release_time      When the release was committed / final-confirmed.
+	 * @param bool   $force_released    Whether a reviewer has force-released this version.
+	 * @param string $post_status       The plugin's current post_status.
+	 * @param string $existing_version  The version currently sitting in update_source (or '').
+	 * @param string $new_version       The version proposed for this write.
+	 * @param int    $now               Current time, injectable for tests.
+	 * @return int|false                Cooldown expiry timestamp if deferral applies, false otherwise.
+	 */
+	public static function get_cooldown_defer_time( $release_time, $force_released, $post_status, $existing_version, $new_version, $now = null ) {
+		if ( null === $now ) {
+			$now = time();
+		}
+
+		if ( $force_released ) {
+			return false;
+		}
+
+		if ( 'publish' !== $post_status ) {
+			return false;
+		}
+
+		if ( $existing_version === $new_version ) {
+			return false;
+		}
+
+		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+		if ( $cooldown_until <= $now ) {
+			return false;
+		}
+
+		return $cooldown_until;
+	}
+
+	/**
+	 * Schedule a deferred release-to-update-api cron event for a plugin.
+	 *
+	 * If an event is already scheduled at the desired time, this is a no-op. If a
+	 * different time is scheduled (e.g. an earlier commit's cooldown), the event is
+	 * rescheduled to the later time so a follow-up commit fully resets the window.
+	 *
+	 * @param string $plugin_slug    The plugin slug.
+	 * @param int    $cooldown_until Unix timestamp when the deferred event should fire.
+	 */
+	public static function queue_release_to_update_api( $plugin_slug, $cooldown_until ) {
+		$hook = "release_to_update_api:{$plugin_slug}";
+
+		$existing = wp_next_scheduled( $hook, array( $plugin_slug ) );
+		if ( $existing === $cooldown_until ) {
+			return;
+		}
+
+		if ( $existing ) {
+			wp_unschedule_event( $existing, $hook, array( $plugin_slug ) );
+		}
+
+		wp_schedule_single_event( $cooldown_until, $hook, array( $plugin_slug ) );
+	}
+
+	/**
+	 * Cron handler for `release_to_update_api:{slug}`. Fires when the cooldown
+	 * expires; writes the new version to `update_source` immediately.
+	 *
+	 * @param string $plugin_slug The plugin slug.
+	 */
+	public static function cron_trigger_release( $plugin_slug ) {
+		self::update_single_plugin( $plugin_slug, true );
+	}
+
+	/**
+	 * Reviewer force-release: clear the cooldown for a plugin's current version and
+	 * write it to `update_source` immediately. Logs the action with the supplied reason.
+	 *
+	 * Capability checks must be performed by the caller.
+	 *
+	 * @param string   $plugin_slug The plugin slug.
+	 * @param string   $reason      Free-text reason recorded in the audit log.
+	 * @param \WP_User $user        The acting user. Defaults to the current user.
+	 * @return bool True on success.
+	 */
+	public static function force_release( $plugin_slug, $reason, $user = null ) {
+		if ( ! $user ) {
+			$user = wp_get_current_user();
+		}
+
+		$post = Plugin_Directory::get_plugin_post( $plugin_slug );
+		if ( ! $post ) {
+			return false;
+		}
+
+		$version = get_post_meta( $post->ID, 'version', true );
+		$release = Plugin_Directory::get_release( $post, $version );
+
+		if ( ! $release ) {
+			return false;
+		}
+
+		Plugin_Directory::add_release(
+			$post,
+			array(
+				'tag'                   => $release['tag'],
+				'force_released'        => true,
+				'force_released_by'     => $user->ID,
+				'force_released_at'     => time(),
+				'force_released_reason' => $reason,
+			)
+		);
+
+		\WordPressdotorg\Plugin_Directory\Tools::audit_log(
+			sprintf(
+				'Force-released version %s, bypassing the %d-hour release cooldown. Reason: %s',
+				$version,
+				RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS,
+				$reason
+			),
+			$post,
+			$user
+		);
+
+		wp_clear_scheduled_hook( "release_to_update_api:{$plugin_slug}" );
+
+		return self::update_single_plugin( $plugin_slug, true );
+	}
+
 	static function get_plugin_assets( $post ) {
 		$icons = $banners = $banners_rtl = array();
 
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-manager.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-manager.php
index ebc56fc74e..386552165a 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-manager.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-manager.php
@@ -18,11 +18,12 @@ class Manager {
 	 * @var array
 	 */
 	public static $wildcard_cron_tasks = array(
-		'import_plugin'      => array( __NAMESPACE__ . '\Plugin_Import', 'cron_trigger' ),
-		'import_plugin_i18n' => array( __NAMESPACE__ . '\Plugin_i18n_Import', 'cron_trigger' ),
-		'import_zip'         => array( __NAMESPACE__ . '\Plugin_ZIP_Import', 'cron_trigger' ),
-		'scan_plugin'        => array( __NAMESPACE__ . '\Plugin_Scan', 'cron_trigger' ),
-		'create_svn_repo'    => array( __NAMESPACE__ . '\SVN_Repo_Creation', 'cron_trigger' ),
+		'import_plugin'         => array( __NAMESPACE__ . '\Plugin_Import', 'cron_trigger' ),
+		'import_plugin_i18n'    => array( __NAMESPACE__ . '\Plugin_i18n_Import', 'cron_trigger' ),
+		'import_zip'            => array( __NAMESPACE__ . '\Plugin_ZIP_Import', 'cron_trigger' ),
+		'scan_plugin'           => array( __NAMESPACE__ . '\Plugin_Scan', 'cron_trigger' ),
+		'create_svn_repo'       => array( __NAMESPACE__ . '\SVN_Repo_Creation', 'cron_trigger' ),
+		'release_to_update_api' => array( __NAMESPACE__ . '\API_Update_Updater', 'cron_trigger_release' ),
 	);
 
 	/**
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
index 6d7e745265..003f208705 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
@@ -25,6 +25,16 @@
  */
 define( __NAMESPACE__ . '\PLUGIN_DIR', __DIR__ );
 
+/**
+ * Delay between a plugin release being committed (or its final author confirmation)
+ * and the new version being written to the `update_source` table — and so served to
+ * sites by the api.wordpress.org plugin update-check API. The previous version remains
+ * served until the cooldown elapses. Mitigates supply-chain attacks by giving scanners
+ * and humans a window to flag bad releases. Plugin reviewers can bypass the cooldown
+ * via the wp-admin force-release action; see Jobs\API_Update_Updater::update_single_plugin().
+ */
+define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', 48 * HOUR_IN_SECONDS );
+
 // Register an Autoloader for all files
 require __DIR__ . '/class-autoloader.php';
 Autoloader\register_class_path( __NAMESPACE__, __DIR__ );
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
index 977fd2a4f4..cc1574073c 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
@@ -10,6 +10,7 @@
 	Revalidation\get_js_url as get_revalidation_js_url,
 	get_onboarding_account_url as get_2fa_onboarding_url
 };
+use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
  * The [release-confirmation] shortcode handler.
@@ -86,6 +87,19 @@ class_exists( 'Two_Factor_Core' ) &&
 		/* translators: %s: plugins@wordpress.org */
 		echo '<p>' . sprintf( __( 'Release confirmations can be enabled on the Advanced view of plugin pages. If you need to disable release confirmations for a plugin, please contact %s.', 'wporg-plugins' ), 'plugins@wordpress.org' ) . '</p>';
 
+		printf(
+			'<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
+			wp_kses(
+				sprintf(
+					/* translators: 1: cooldown duration in hours, 2: plugins@wordpress.org link */
+					__( 'New releases are served to sites %1$d hours after they\'re committed (or after the final confirmation, if release confirmations are enabled). This gives security scanners and reviewers a window to catch malicious commits before they ship. If you have an urgent security fix that needs to be released sooner, contact %2$s.', 'wporg-plugins' ),
+					(int) ( RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS ),
+					'<a href="mailto:plugins@wordpress.org">plugins@wordpress.org</a>'
+				),
+				array( 'a' => array( 'href' => true ) )
+			)
+		);
+
 		$not_enabled = [];
 		foreach ( $plugins as $plugin ) {
 			printf(
@@ -265,6 +279,8 @@ static function get_approval_text( $plugin, $data ) {
 			);
 		}
 
+		self::render_cooldown_status( $data );
+
 		echo '</div>';
 
 		$text = ob_get_clean();
@@ -280,6 +296,65 @@ static function get_approval_text( $plugin, $data ) {
 		return apply_filters( 'wporg_plugins_release_approval_text', $text, $plugin, $data );
 	}
 
+	/**
+	 * Render a single line describing the cooldown state of a release: pending serve time,
+	 * served-on time, or force-released-by-reviewer time. Skipped when the release isn't yet
+	 * confirmed/processed (the existing confirmation messaging already speaks to that state).
+	 *
+	 * @param array $data The release row from Plugin_Directory::get_releases().
+	 */
+	protected static function render_cooldown_status( $data ) {
+		if ( ! empty( $data['discarded'] ) ) {
+			return;
+		}
+
+		// Skip when the release hasn't moved past the confirmation/processing stage yet.
+		if ( $data['confirmations_required'] && ( ! $data['confirmed'] || ! $data['zips_built'] ) ) {
+			return;
+		}
+
+		$release_time = $data['confirmations']
+			? max( $data['confirmations'] )
+			: (int) $data['date'];
+
+		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+
+		if ( ! empty( $data['force_released'] ) ) {
+			$message = sprintf(
+				/* translators: %s: relative time */
+				__( 'Force-released by a plugin reviewer %s ago.', 'wporg-plugins' ),
+				human_time_diff( (int) ( $data['force_released_at'] ?? $release_time ) )
+			);
+			printf( '<span>%s</span><br>', esc_html( $message ) );
+			return;
+		}
+
+		if ( $cooldown_until > time() ) {
+			$message = sprintf(
+				/* translators: %s: relative time until cooldown expires */
+				__( 'Will be served to sites in %s.', 'wporg-plugins' ),
+				human_time_diff( time(), $cooldown_until )
+			);
+			printf(
+				'<span title="%s">%s</span><br>',
+				esc_attr( gmdate( 'Y-m-d H:i:s', $cooldown_until ) ),
+				esc_html( $message )
+			);
+			return;
+		}
+
+		$message = sprintf(
+			/* translators: %s: relative time */
+			__( 'Serving to sites since %s ago.', 'wporg-plugins' ),
+			human_time_diff( $cooldown_until )
+		);
+		printf(
+			'<span title="%s">%s</span><br>',
+			esc_attr( gmdate( 'Y-m-d H:i:s', $cooldown_until ) ),
+			esc_html( $message )
+		);
+	}
+
 	static function get_actions( $plugin, $data ) {
 		$buttons = [];
 
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
new file mode 100644
index 0000000000..f1cc635d3d
--- /dev/null
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
@@ -0,0 +1,234 @@
+<?php
+/**
+ * Tests for the API_Update_Updater cooldown helpers.
+ *
+ * @package WordPressdotorg\Plugin_Directory\Tests
+ */
+
+use PHPUnit\Framework\TestCase;
+use WordPressdotorg\Plugin_Directory\Jobs\API_Update_Updater;
+use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
+
+/**
+ * Pure-logic coverage of the cooldown helpers; bypasses WP boot.
+ *
+ * @group jobs
+ */
+class Plugin_Update_Cooldown_Test extends TestCase {
+
+	/**
+	 * A version bump while the cooldown window is still open should defer the update_source write.
+	 */
+	public function test_defers_new_version_inside_cooldown_window() {
+		$now            = 1700000000;
+		$release_time   = $now - HOUR_IN_SECONDS;
+		$cooldown_until = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			false,
+			'publish',
+			'1.0',
+			'1.1',
+			$now
+		);
+
+		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $cooldown_until );
+	}
+
+	/**
+	 * Once the cooldown has elapsed the write should go straight through.
+	 */
+	public function test_does_not_defer_when_cooldown_elapsed() {
+		$now          = 1700000000;
+		$release_time = $now - RELEASE_COOL_DOWN_DELAY - HOUR_IN_SECONDS;
+
+		$result = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			false,
+			'publish',
+			'1.0',
+			'1.1',
+			$now
+		);
+
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Status changes or metadata refreshes that leave the version unchanged should not defer.
+	 */
+	public function test_does_not_defer_when_version_unchanged() {
+		$now          = 1700000000;
+		$release_time = $now - HOUR_IN_SECONDS;
+
+		$result = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			false,
+			'publish',
+			'1.0',
+			'1.0',
+			$now
+		);
+
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * A reviewer's force-release flag should let the new version through immediately.
+	 */
+	public function test_does_not_defer_when_force_released() {
+		$now          = 1700000000;
+		$release_time = $now - HOUR_IN_SECONDS;
+
+		$result = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			true,
+			'publish',
+			'1.0',
+			'1.1',
+			$now
+		);
+
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Closure/disabling must take effect immediately and not get held back by the cooldown.
+	 */
+	public function test_does_not_defer_for_closed_or_disabled_plugins() {
+		$now          = 1700000000;
+		$release_time = $now - HOUR_IN_SECONDS;
+
+		$this->assertFalse(
+			API_Update_Updater::get_cooldown_defer_time(
+				$release_time,
+				false,
+				'closed',
+				'1.0',
+				'1.1',
+				$now
+			)
+		);
+
+		$this->assertFalse(
+			API_Update_Updater::get_cooldown_defer_time(
+				$release_time,
+				false,
+				'disabled',
+				'1.0',
+				'1.1',
+				$now
+			)
+		);
+	}
+
+	/**
+	 * Cron-backup paths shouldn't accidentally re-defer ancient commits whose cooldown is long past.
+	 */
+	public function test_does_not_defer_first_release_with_old_release_time() {
+		$now          = 1700000000;
+		$release_time = $now - ( 7 * DAY_IN_SECONDS );
+
+		$result = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			false,
+			'publish',
+			'',
+			'1.0',
+			$now
+		);
+
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * A brand-new plugin's first commit should still be subject to the cooldown.
+	 */
+	public function test_defers_first_release_with_recent_release_time() {
+		$now          = 1700000000;
+		$release_time = $now - 60;
+
+		$result = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			false,
+			'publish',
+			'',
+			'1.0',
+			$now
+		);
+
+		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $result );
+	}
+
+	/**
+	 * Without release confirmations the commit timestamp drives release_time.
+	 */
+	public function test_compute_release_time_uses_version_date_by_default() {
+		$post = (object) array(
+			'version_date'  => '2026-05-15 12:00:00',
+			'post_modified' => '2026-05-10 00:00:00',
+		);
+
+		$this->assertSame(
+			strtotime( '2026-05-15 12:00:00' ),
+			API_Update_Updater::compute_release_time( $post, false )
+		);
+	}
+
+	/**
+	 * If version_date is missing the post's last modified time is the fallback.
+	 */
+	public function test_compute_release_time_falls_back_to_post_modified() {
+		$post = (object) array(
+			'version_date'  => '',
+			'post_modified' => '2026-05-10 00:00:00',
+		);
+
+		$this->assertSame(
+			strtotime( '2026-05-10 00:00:00' ),
+			API_Update_Updater::compute_release_time( $post, false )
+		);
+	}
+
+	/**
+	 * With release confirmation required, release_time is the latest committer confirmation.
+	 */
+	public function test_compute_release_time_uses_latest_confirmation_when_required() {
+		$post = (object) array(
+			'version_date'  => '2026-05-15 12:00:00',
+			'post_modified' => '2026-05-10 00:00:00',
+		);
+
+		$release = array(
+			'confirmations_required' => 2,
+			'confirmations'          => array(
+				'alice' => 1700000100,
+				'bob'   => 1700000500,
+			),
+		);
+
+		$this->assertSame(
+			1700000500,
+			API_Update_Updater::compute_release_time( $post, $release )
+		);
+	}
+
+	/**
+	 * Confirmations on releases that don't require them should be ignored.
+	 */
+	public function test_compute_release_time_ignores_confirmations_when_not_required() {
+		$post = (object) array(
+			'version_date'  => '2026-05-15 12:00:00',
+			'post_modified' => '2026-05-10 00:00:00',
+		);
+
+		$release = array(
+			'confirmations_required' => 0,
+			'confirmations'          => array( 'alice' => 1700000100 ),
+		);
+
+		$this->assertSame(
+			strtotime( '2026-05-15 12:00:00' ),
+			API_Update_Updater::compute_release_time( $post, $release )
+		);
+	}
+}

From 2c7addd94605b04ad5f4f4deddd3669c25c71ab4 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:03:30 +1000
Subject: [PATCH 02/15] Plugin Directory: Apply the release cooldown to
 disabled plugins, not just publish.

Disabled plugins keep available=1 in update_source and continue to serve
updates through the API. The cooldown gate was only checking for publish,
so a new version committed to a disabled plugin would write through
immediately, defeating the purpose for that subset. Closed plugins remain
excluded -- available flips to 0, so there is nothing to gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/metabox/class-controls.php          |  4 ++-
 .../jobs/class-api-update-updater.php         | 12 +++++--
 .../tests/Plugin_Update_Cooldown_Test.php     | 32 ++++++++++++-------
 3 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index 5f06d1b058..ba59ee4aa9 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -56,7 +56,9 @@ static function display() {
 	protected static function display_release_cooldown() {
 		$post = get_post();
 
-		if ( 'publish' !== $post->post_status ) {
+		// Closed plugins don't serve updates (available=0), so the cooldown is irrelevant.
+		// publish + disabled both serve updates and are subject to the cooldown gate.
+		if ( ! in_array( $post->post_status, array( 'publish', 'disabled' ), true ) ) {
 			return;
 		}
 
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 776a832fc1..d3cdd42418 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -133,7 +133,10 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		// measuring from public availability, even if the commit/confirmation was long ago
 		// because the cooldown deferred the write. Rebuild/status/meta-sync paths reach this
 		// code with existing_version == version and so retain the original release_time.
-		if ( $existing_version !== (string) $version && 'publish' === $post->post_status ) {
+		if (
+			$existing_version !== (string) $version &&
+			in_array( $post->post_status, array( 'publish', 'disabled' ), true )
+		) {
 			$release_time = time();
 		}
 
@@ -253,6 +256,11 @@ public static function compute_release_time( $post, $release ) {
 	 * Pure-logic helper: decide whether a new-version write should be deferred,
 	 * and return the cooldown expiry timestamp if so.
 	 *
+	 * Applies to `publish` and `disabled` plugins — both keep `available = 1`
+	 * in `update_source` and so serve new versions through the update API.
+	 * Closed plugins write through immediately (available flips to 0; there's
+	 * nothing to gate).
+	 *
 	 * @param int    $release_time      When the release was committed / final-confirmed.
 	 * @param bool   $force_released    Whether a reviewer has force-released this version.
 	 * @param string $post_status       The plugin's current post_status.
@@ -270,7 +278,7 @@ public static function get_cooldown_defer_time( $release_time, $force_released,
 			return false;
 		}
 
-		if ( 'publish' !== $post_status ) {
+		if ( ! in_array( $post_status, array( 'publish', 'disabled' ), true ) ) {
 			return false;
 		}
 
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
index f1cc635d3d..1699c748f8 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
@@ -92,9 +92,10 @@ public function test_does_not_defer_when_force_released() {
 	}
 
 	/**
-	 * Closure/disabling must take effect immediately and not get held back by the cooldown.
+	 * Closure must take effect immediately and not get held back by the cooldown.
+	 * `closed` plugins set available=0 in update_source — there's nothing to gate.
 	 */
-	public function test_does_not_defer_for_closed_or_disabled_plugins() {
+	public function test_does_not_defer_for_closed_plugins() {
 		$now          = 1700000000;
 		$release_time = $now - HOUR_IN_SECONDS;
 
@@ -108,17 +109,26 @@ public function test_does_not_defer_for_closed_or_disabled_plugins() {
 				$now
 			)
 		);
+	}
 
-		$this->assertFalse(
-			API_Update_Updater::get_cooldown_defer_time(
-				$release_time,
-				false,
-				'disabled',
-				'1.0',
-				'1.1',
-				$now
-			)
+	/**
+	 * Disabled plugins still serve updates (available=1) so the cooldown applies the
+	 * same way as for publish.
+	 */
+	public function test_defers_new_version_for_disabled_plugins() {
+		$now          = 1700000000;
+		$release_time = $now - HOUR_IN_SECONDS;
+
+		$result = API_Update_Updater::get_cooldown_defer_time(
+			$release_time,
+			false,
+			'disabled',
+			'1.0',
+			'1.1',
+			$now
 		);
+
+		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $result );
 	}
 
 	/**

From d73600a2cff4f392e813905c93fb8ddedc0b88fe Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:14:33 +1000
Subject: [PATCH 03/15] Plugin Directory: Simplify the cooldown helper to pure
 cooldown math.

Hoist the force_released early-exit into the caller so the helper signature
shrinks to (release_time, existing_version, new_version) plus an injectable
now. Drop the post_status check from both the helper and the release_time
anchor -- callers are responsible for bypassing when their context calls
for it. Status_Transitions::flush_caches() now passes bypass=true so
closures and disables take effect immediately rather than waiting for an
in-flight cooldown window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/class-status-transitions.php        |   6 +-
 .../admin/metabox/class-controls.php          |  12 +-
 .../jobs/class-api-update-updater.php         |  47 ++------
 .../tests/Plugin_Update_Cooldown_Test.php     | 111 ++----------------
 4 files changed, 27 insertions(+), 149 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
index c80606cdc1..6abfe37dc3 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
@@ -482,8 +482,10 @@ public function clear_reviewer( $post ) {
 	 * Flush the caches for the plugin.
 	 */
 	protected function flush_caches( $post ) {
-		// Update the API endpoints with the new data
-		API_Update_Updater::update_single_plugin( $post->post_name );
+		// Update the API endpoints with the new data. Bypass the release cooldown
+		// so status transitions (closure, disable, reopen) take effect immediately
+		// rather than getting held back inside an in-flight cooldown window.
+		API_Update_Updater::update_single_plugin( $post->post_name, true );
 		Plugins_Info_API::flush_plugin_information_cache( $post->post_name );
 	}
 }
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index ba59ee4aa9..6e062b8fc8 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -49,19 +49,13 @@ static function display() {
 	/**
 	 * Display the release cooldown status and (for reviewers) a force-release control.
 	 *
-	 * The cooldown only applies to publishable, version-bumping releases; for any other
-	 * state (closed/disabled plugins, releases past the cooldown window, releases already
-	 * force-released) this section is skipped entirely.
+	 * Bails when there's no current release to gate, when the cooldown has already
+	 * elapsed, or when the release was already force-released (reviewers see an audit
+	 * line in that case; authors see no UI).
 	 */
 	protected static function display_release_cooldown() {
 		$post = get_post();
 
-		// Closed plugins don't serve updates (available=0), so the cooldown is irrelevant.
-		// publish + disabled both serve updates and are subject to the cooldown gate.
-		if ( ! in_array( $post->post_status, array( 'publish', 'disabled' ), true ) ) {
-			return;
-		}
-
 		$version = get_post_meta( $post->ID, 'version', true );
 		if ( ! $version ) {
 			return;
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index d3cdd42418..8e9c5bdffc 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -103,20 +103,13 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		/*
 		 * Defer the write for new versions still inside the cooldown window. While
 		 * deferred, the existing `update_source` row (carrying the previous version)
-		 * continues to be served by the update API.
-		 *
-		 * Bypassed when:
-		 *  - The caller explicitly bypasses (deferred-event fire, reviewer force-release, etc.).
-		 *  - The plugin is closed/disabled — closure must take effect immediately, see
-		 *    get_cooldown_defer_time().
-		 *  - The reviewer has already force-released this version.
-		 *  - This isn't actually a new-version write (same version as already in the table).
+		 * continues to be served by the update API. Callers that need immediate writes
+		 * (status transitions, reviewer force-release, the deferred event firing, meta
+		 * sync, rebuild) pass $bypass_cooldown = true.
 		 */
-		if ( ! $bypass_cooldown ) {
+		if ( ! $bypass_cooldown && empty( $release['force_released'] ) ) {
 			$cooldown_until = self::get_cooldown_defer_time(
 				$release_time,
-				! empty( $release['force_released'] ),
-				$post->post_status,
 				$existing_version,
 				(string) $version
 			);
@@ -133,10 +126,7 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		// measuring from public availability, even if the commit/confirmation was long ago
 		// because the cooldown deferred the write. Rebuild/status/meta-sync paths reach this
 		// code with existing_version == version and so retain the original release_time.
-		if (
-			$existing_version !== (string) $version &&
-			in_array( $post->post_status, array( 'publish', 'disabled' ), true )
-		) {
+		if ( $existing_version !== (string) $version ) {
 			$release_time = time();
 		}
 
@@ -256,32 +246,17 @@ public static function compute_release_time( $post, $release ) {
 	 * Pure-logic helper: decide whether a new-version write should be deferred,
 	 * and return the cooldown expiry timestamp if so.
 	 *
-	 * Applies to `publish` and `disabled` plugins — both keep `available = 1`
-	 * in `update_source` and so serve new versions through the update API.
-	 * Closed plugins write through immediately (available flips to 0; there's
-	 * nothing to gate).
-	 *
-	 * @param int    $release_time      When the release was committed / final-confirmed.
-	 * @param bool   $force_released    Whether a reviewer has force-released this version.
-	 * @param string $post_status       The plugin's current post_status.
-	 * @param string $existing_version  The version currently sitting in update_source (or '').
-	 * @param string $new_version       The version proposed for this write.
-	 * @param int    $now               Current time, injectable for tests.
-	 * @return int|false                Cooldown expiry timestamp if deferral applies, false otherwise.
+	 * @param int    $release_time     When the release was committed / final-confirmed.
+	 * @param string $existing_version The version currently sitting in update_source (or '').
+	 * @param string $new_version      The version proposed for this write.
+	 * @param int    $now              Current time, injectable for tests.
+	 * @return int|false               Cooldown expiry timestamp if deferral applies, false otherwise.
 	 */
-	public static function get_cooldown_defer_time( $release_time, $force_released, $post_status, $existing_version, $new_version, $now = null ) {
+	public static function get_cooldown_defer_time( $release_time, $existing_version, $new_version, $now = null ) {
 		if ( null === $now ) {
 			$now = time();
 		}
 
-		if ( $force_released ) {
-			return false;
-		}
-
-		if ( ! in_array( $post_status, array( 'publish', 'disabled' ), true ) ) {
-			return false;
-		}
-
 		if ( $existing_version === $new_version ) {
 			return false;
 		}
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
index 1699c748f8..54bf481384 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
@@ -22,14 +22,7 @@ class Plugin_Update_Cooldown_Test extends TestCase {
 	public function test_defers_new_version_inside_cooldown_window() {
 		$now            = 1700000000;
 		$release_time   = $now - HOUR_IN_SECONDS;
-		$cooldown_until = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			false,
-			'publish',
-			'1.0',
-			'1.1',
-			$now
-		);
+		$cooldown_until = API_Update_Updater::get_cooldown_defer_time( $release_time, '1.0', '1.1', $now );
 
 		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $cooldown_until );
 	}
@@ -41,16 +34,9 @@ public function test_does_not_defer_when_cooldown_elapsed() {
 		$now          = 1700000000;
 		$release_time = $now - RELEASE_COOL_DOWN_DELAY - HOUR_IN_SECONDS;
 
-		$result = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			false,
-			'publish',
-			'1.0',
-			'1.1',
-			$now
+		$this->assertFalse(
+			API_Update_Updater::get_cooldown_defer_time( $release_time, '1.0', '1.1', $now )
 		);
-
-		$this->assertFalse( $result );
 	}
 
 	/**
@@ -60,77 +46,11 @@ public function test_does_not_defer_when_version_unchanged() {
 		$now          = 1700000000;
 		$release_time = $now - HOUR_IN_SECONDS;
 
-		$result = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			false,
-			'publish',
-			'1.0',
-			'1.0',
-			$now
-		);
-
-		$this->assertFalse( $result );
-	}
-
-	/**
-	 * A reviewer's force-release flag should let the new version through immediately.
-	 */
-	public function test_does_not_defer_when_force_released() {
-		$now          = 1700000000;
-		$release_time = $now - HOUR_IN_SECONDS;
-
-		$result = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			true,
-			'publish',
-			'1.0',
-			'1.1',
-			$now
-		);
-
-		$this->assertFalse( $result );
-	}
-
-	/**
-	 * Closure must take effect immediately and not get held back by the cooldown.
-	 * `closed` plugins set available=0 in update_source — there's nothing to gate.
-	 */
-	public function test_does_not_defer_for_closed_plugins() {
-		$now          = 1700000000;
-		$release_time = $now - HOUR_IN_SECONDS;
-
 		$this->assertFalse(
-			API_Update_Updater::get_cooldown_defer_time(
-				$release_time,
-				false,
-				'closed',
-				'1.0',
-				'1.1',
-				$now
-			)
+			API_Update_Updater::get_cooldown_defer_time( $release_time, '1.0', '1.0', $now )
 		);
 	}
 
-	/**
-	 * Disabled plugins still serve updates (available=1) so the cooldown applies the
-	 * same way as for publish.
-	 */
-	public function test_defers_new_version_for_disabled_plugins() {
-		$now          = 1700000000;
-		$release_time = $now - HOUR_IN_SECONDS;
-
-		$result = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			false,
-			'disabled',
-			'1.0',
-			'1.1',
-			$now
-		);
-
-		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $result );
-	}
-
 	/**
 	 * Cron-backup paths shouldn't accidentally re-defer ancient commits whose cooldown is long past.
 	 */
@@ -138,16 +58,9 @@ public function test_does_not_defer_first_release_with_old_release_time() {
 		$now          = 1700000000;
 		$release_time = $now - ( 7 * DAY_IN_SECONDS );
 
-		$result = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			false,
-			'publish',
-			'',
-			'1.0',
-			$now
+		$this->assertFalse(
+			API_Update_Updater::get_cooldown_defer_time( $release_time, '', '1.0', $now )
 		);
-
-		$this->assertFalse( $result );
 	}
 
 	/**
@@ -157,16 +70,10 @@ public function test_defers_first_release_with_recent_release_time() {
 		$now          = 1700000000;
 		$release_time = $now - 60;
 
-		$result = API_Update_Updater::get_cooldown_defer_time(
-			$release_time,
-			false,
-			'publish',
-			'',
-			'1.0',
-			$now
+		$this->assertSame(
+			$release_time + RELEASE_COOL_DOWN_DELAY,
+			API_Update_Updater::get_cooldown_defer_time( $release_time, '', '1.0', $now )
 		);
-
-		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $result );
 	}
 
 	/**

From 997baa063b388f1f5b616dd8bff71f47bdf1e4f9 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:19:15 +1000
Subject: [PATCH 04/15] Plugin Directory: Disable release cooldown UI when the
 delay constant is 0; tidy.

When RELEASE_COOL_DOWN_DELAY is 0 the feature is off -- skip the deferral,
the release_time anchor, the wp-admin Controls metabox section, the
shortcode info banner, and the per-release status line. Sites running with
the cooldown disabled see no related UI at all.

Simplifications:
- Inline get_cooldown_defer_time() (single caller; pure cooldown math is 4
  lines).
- Drop the metabox force-released audit line; Tools::audit_log writes an
  internal note that the Internal Notes metabox already renders.
- Drop the "Serving to sites since X ago" line in the shortcode -- the
  existing "Released X ago by Y" line above already covers that state.
- Drop the unused $user arg to audit_log() in force_release(); it defaults
  to wp_get_current_user() which is what we set $user to anyway.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/metabox/class-controls.php          | 36 +++-------
 .../jobs/class-api-update-updater.php         | 62 +++++------------
 .../shortcodes/class-release-confirmation.php | 66 +++++++++----------
 .../tests/Plugin_Update_Cooldown_Test.php     | 65 +-----------------
 4 files changed, 59 insertions(+), 170 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index 6e062b8fc8..f0953dc199 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -49,11 +49,15 @@ static function display() {
 	/**
 	 * Display the release cooldown status and (for reviewers) a force-release control.
 	 *
-	 * Bails when there's no current release to gate, when the cooldown has already
-	 * elapsed, or when the release was already force-released (reviewers see an audit
-	 * line in that case; authors see no UI).
+	 * Bails when the cooldown feature is disabled (constant is 0), when there's no
+	 * current release to gate, when the release was force-released (the audit-log
+	 * internal note covers that for reviewers), or when the cooldown has elapsed.
 	 */
 	protected static function display_release_cooldown() {
+		if ( RELEASE_COOL_DOWN_DELAY <= 0 ) {
+			return;
+		}
+
 		$post = get_post();
 
 		$version = get_post_meta( $post->ID, 'version', true );
@@ -62,33 +66,11 @@ protected static function display_release_cooldown() {
 		}
 
 		$release = Plugin_Directory::get_release( $post, $version );
-		if ( ! $release ) {
-			return;
-		}
-
-		$release_time   = API_Update_Updater::compute_release_time( $post, $release );
-		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
-		$force_released = ! empty( $release['force_released'] );
-
-		// Already force-released — show audit info to reviewers, nothing to authors.
-		if ( $force_released ) {
-			if ( current_user_can( 'plugin_review', $post ) ) {
-				$user = get_userdata( (int) ( $release['force_released_by'] ?? 0 ) );
-				printf(
-					'<div class="misc-pub-section misc-pub-release-cooldown"><p>%s</p></div>',
-					sprintf(
-						/* translators: 1: version, 2: relative time, 3: user display name */
-						esc_html__( 'Version %1$s was force-released %2$s ago by %3$s, bypassing the release cooldown.', 'wporg-plugins' ),
-						esc_html( $version ),
-						esc_html( human_time_diff( (int) ( $release['force_released_at'] ?? time() ) ) ),
-						esc_html( $user ? ( $user->display_name ? $user->display_name : $user->user_login ) : __( 'unknown', 'wporg-plugins' ) )
-					)
-				);
-			}
+		if ( ! $release || ! empty( $release['force_released'] ) ) {
 			return;
 		}
 
-		// Cooldown already elapsed — nothing to show.
+		$cooldown_until = API_Update_Updater::compute_release_time( $post, $release ) + RELEASE_COOL_DOWN_DELAY;
 		if ( $cooldown_until <= time() ) {
 			return;
 		}
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 8e9c5bdffc..31f439cc9d 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -106,27 +106,29 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		 * continues to be served by the update API. Callers that need immediate writes
 		 * (status transitions, reviewer force-release, the deferred event firing, meta
 		 * sync, rebuild) pass $bypass_cooldown = true.
+		 *
+		 * Skipped entirely when RELEASE_COOL_DOWN_DELAY is 0 — that's the feature-flag
+		 * off switch, callers see the original commit/confirmation release_time.
 		 */
-		if ( ! $bypass_cooldown && empty( $release['force_released'] ) ) {
-			$cooldown_until = self::get_cooldown_defer_time(
-				$release_time,
-				$existing_version,
-				(string) $version
-			);
-
-			if ( $cooldown_until ) {
+		if (
+			RELEASE_COOL_DOWN_DELAY > 0 &&
+			! $bypass_cooldown &&
+			empty( $release['force_released'] ) &&
+			$existing_version !== (string) $version
+		) {
+			$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+			if ( $cooldown_until > time() ) {
 				self::queue_release_to_update_api( $post->post_name, $cooldown_until );
 				return true;
 			}
 		}
 
-		// When this write is publishing a new version (existing row had a different version, or
-		// no row existed) anchor `release_time` to now — that's the moment the version is
-		// actually available to sites. Keeps phased_rollout()'s `manual-updates-24hr` window
-		// measuring from public availability, even if the commit/confirmation was long ago
-		// because the cooldown deferred the write. Rebuild/status/meta-sync paths reach this
-		// code with existing_version == version and so retain the original release_time.
-		if ( $existing_version !== (string) $version ) {
+		// When the cooldown is enabled and this write is publishing a new version, anchor
+		// `release_time` to now — that's the moment the version is actually available to
+		// sites. Keeps phased_rollout()'s `manual-updates-24hr` window measuring from public
+		// availability, even if the commit/confirmation was long ago because the cooldown
+		// deferred the write. With the cooldown disabled, keep the original semantics.
+		if ( RELEASE_COOL_DOWN_DELAY > 0 && $existing_version !== (string) $version ) {
 			$release_time = time();
 		}
 
@@ -242,33 +244,6 @@ public static function compute_release_time( $post, $release ) {
 		return $release_time;
 	}
 
-	/**
-	 * Pure-logic helper: decide whether a new-version write should be deferred,
-	 * and return the cooldown expiry timestamp if so.
-	 *
-	 * @param int    $release_time     When the release was committed / final-confirmed.
-	 * @param string $existing_version The version currently sitting in update_source (or '').
-	 * @param string $new_version      The version proposed for this write.
-	 * @param int    $now              Current time, injectable for tests.
-	 * @return int|false               Cooldown expiry timestamp if deferral applies, false otherwise.
-	 */
-	public static function get_cooldown_defer_time( $release_time, $existing_version, $new_version, $now = null ) {
-		if ( null === $now ) {
-			$now = time();
-		}
-
-		if ( $existing_version === $new_version ) {
-			return false;
-		}
-
-		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
-		if ( $cooldown_until <= $now ) {
-			return false;
-		}
-
-		return $cooldown_until;
-	}
-
 	/**
 	 * Schedule a deferred release-to-update-api cron event for a plugin.
 	 *
@@ -350,8 +325,7 @@ public static function force_release( $plugin_slug, $reason, $user = null ) {
 				RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS,
 				$reason
 			),
-			$post,
-			$user
+			$post
 		);
 
 		wp_clear_scheduled_hook( "release_to_update_api:{$plugin_slug}" );
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
index cc1574073c..5cb7831e34 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
@@ -87,18 +87,20 @@ class_exists( 'Two_Factor_Core' ) &&
 		/* translators: %s: plugins@wordpress.org */
 		echo '<p>' . sprintf( __( 'Release confirmations can be enabled on the Advanced view of plugin pages. If you need to disable release confirmations for a plugin, please contact %s.', 'wporg-plugins' ), 'plugins@wordpress.org' ) . '</p>';
 
-		printf(
-			'<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
-			wp_kses(
-				sprintf(
-					/* translators: 1: cooldown duration in hours, 2: plugins@wordpress.org link */
-					__( 'New releases are served to sites %1$d hours after they\'re committed (or after the final confirmation, if release confirmations are enabled). This gives security scanners and reviewers a window to catch malicious commits before they ship. If you have an urgent security fix that needs to be released sooner, contact %2$s.', 'wporg-plugins' ),
-					(int) ( RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS ),
-					'<a href="mailto:plugins@wordpress.org">plugins@wordpress.org</a>'
-				),
-				array( 'a' => array( 'href' => true ) )
-			)
-		);
+		if ( RELEASE_COOL_DOWN_DELAY > 0 ) {
+			printf(
+				'<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
+				wp_kses(
+					sprintf(
+						/* translators: 1: cooldown duration in hours, 2: plugins@wordpress.org link */
+						__( 'New releases are served to sites %1$d hours after they\'re committed (or after the final confirmation, if release confirmations are enabled). This gives security scanners and reviewers a window to catch malicious commits before they ship. If you have an urgent security fix that needs to be released sooner, contact %2$s.', 'wporg-plugins' ),
+						(int) ( RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS ),
+						'<a href="mailto:plugins@wordpress.org">plugins@wordpress.org</a>'
+					),
+					array( 'a' => array( 'href' => true ) )
+				)
+			);
+		}
 
 		$not_enabled = [];
 		foreach ( $plugins as $plugin ) {
@@ -297,13 +299,18 @@ static function get_approval_text( $plugin, $data ) {
 	}
 
 	/**
-	 * Render a single line describing the cooldown state of a release: pending serve time,
-	 * served-on time, or force-released-by-reviewer time. Skipped when the release isn't yet
-	 * confirmed/processed (the existing confirmation messaging already speaks to that state).
+	 * Render a single line describing the cooldown state of a release: pending serve time
+	 * or force-released-by-reviewer. Skipped when the cooldown feature is disabled, when
+	 * the release was discarded, when it hasn't moved past confirmation/processing, or
+	 * when the cooldown has already elapsed without force-release.
 	 *
 	 * @param array $data The release row from Plugin_Directory::get_releases().
 	 */
 	protected static function render_cooldown_status( $data ) {
+		if ( RELEASE_COOL_DOWN_DELAY <= 0 ) {
+			return;
+		}
+
 		if ( ! empty( $data['discarded'] ) ) {
 			return;
 		}
@@ -313,40 +320,27 @@ protected static function render_cooldown_status( $data ) {
 			return;
 		}
 
-		$release_time = $data['confirmations']
-			? max( $data['confirmations'] )
-			: (int) $data['date'];
-
-		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
-
 		if ( ! empty( $data['force_released'] ) ) {
 			$message = sprintf(
 				/* translators: %s: relative time */
 				__( 'Force-released by a plugin reviewer %s ago.', 'wporg-plugins' ),
-				human_time_diff( (int) ( $data['force_released_at'] ?? $release_time ) )
+				human_time_diff( (int) ( $data['force_released_at'] ?? $data['date'] ) )
 			);
 			printf( '<span>%s</span><br>', esc_html( $message ) );
 			return;
 		}
 
-		if ( $cooldown_until > time() ) {
-			$message = sprintf(
-				/* translators: %s: relative time until cooldown expires */
-				__( 'Will be served to sites in %s.', 'wporg-plugins' ),
-				human_time_diff( time(), $cooldown_until )
-			);
-			printf(
-				'<span title="%s">%s</span><br>',
-				esc_attr( gmdate( 'Y-m-d H:i:s', $cooldown_until ) ),
-				esc_html( $message )
-			);
+		$release_time   = $data['confirmations'] ? max( $data['confirmations'] ) : (int) $data['date'];
+		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+
+		if ( $cooldown_until <= time() ) {
 			return;
 		}
 
 		$message = sprintf(
-			/* translators: %s: relative time */
-			__( 'Serving to sites since %s ago.', 'wporg-plugins' ),
-			human_time_diff( $cooldown_until )
+			/* translators: %s: relative time until cooldown expires */
+			__( 'Will be served to sites in %s.', 'wporg-plugins' ),
+			human_time_diff( time(), $cooldown_until )
 		);
 		printf(
 			'<span title="%s">%s</span><br>',
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
index 54bf481384..cd81461c34 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
@@ -1,81 +1,20 @@
 <?php
 /**
- * Tests for the API_Update_Updater cooldown helpers.
+ * Tests for the API_Update_Updater::compute_release_time() helper.
  *
  * @package WordPressdotorg\Plugin_Directory\Tests
  */
 
 use PHPUnit\Framework\TestCase;
 use WordPressdotorg\Plugin_Directory\Jobs\API_Update_Updater;
-use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
- * Pure-logic coverage of the cooldown helpers; bypasses WP boot.
+ * Pure-logic coverage of the release_time computation.
  *
  * @group jobs
  */
 class Plugin_Update_Cooldown_Test extends TestCase {
 
-	/**
-	 * A version bump while the cooldown window is still open should defer the update_source write.
-	 */
-	public function test_defers_new_version_inside_cooldown_window() {
-		$now            = 1700000000;
-		$release_time   = $now - HOUR_IN_SECONDS;
-		$cooldown_until = API_Update_Updater::get_cooldown_defer_time( $release_time, '1.0', '1.1', $now );
-
-		$this->assertSame( $release_time + RELEASE_COOL_DOWN_DELAY, $cooldown_until );
-	}
-
-	/**
-	 * Once the cooldown has elapsed the write should go straight through.
-	 */
-	public function test_does_not_defer_when_cooldown_elapsed() {
-		$now          = 1700000000;
-		$release_time = $now - RELEASE_COOL_DOWN_DELAY - HOUR_IN_SECONDS;
-
-		$this->assertFalse(
-			API_Update_Updater::get_cooldown_defer_time( $release_time, '1.0', '1.1', $now )
-		);
-	}
-
-	/**
-	 * Status changes or metadata refreshes that leave the version unchanged should not defer.
-	 */
-	public function test_does_not_defer_when_version_unchanged() {
-		$now          = 1700000000;
-		$release_time = $now - HOUR_IN_SECONDS;
-
-		$this->assertFalse(
-			API_Update_Updater::get_cooldown_defer_time( $release_time, '1.0', '1.0', $now )
-		);
-	}
-
-	/**
-	 * Cron-backup paths shouldn't accidentally re-defer ancient commits whose cooldown is long past.
-	 */
-	public function test_does_not_defer_first_release_with_old_release_time() {
-		$now          = 1700000000;
-		$release_time = $now - ( 7 * DAY_IN_SECONDS );
-
-		$this->assertFalse(
-			API_Update_Updater::get_cooldown_defer_time( $release_time, '', '1.0', $now )
-		);
-	}
-
-	/**
-	 * A brand-new plugin's first commit should still be subject to the cooldown.
-	 */
-	public function test_defers_first_release_with_recent_release_time() {
-		$now          = 1700000000;
-		$release_time = $now - 60;
-
-		$this->assertSame(
-			$release_time + RELEASE_COOL_DOWN_DELAY,
-			API_Update_Updater::get_cooldown_defer_time( $release_time, '', '1.0', $now )
-		);
-	}
-
 	/**
 	 * Without release confirmations the commit timestamp drives release_time.
 	 */

From da553417b7e845f2483f62b2a614d33209e1b209 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:23:42 +1000
Subject: [PATCH 05/15] Plugin Directory: Use truthy checks against
 RELEASE_COOL_DOWN_DELAY.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../plugins/plugin-directory/admin/metabox/class-controls.php | 2 +-
 .../plugin-directory/jobs/class-api-update-updater.php        | 4 ++--
 .../shortcodes/class-release-confirmation.php                 | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index f0953dc199..3be7bf0bda 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -54,7 +54,7 @@ static function display() {
 	 * internal note covers that for reviewers), or when the cooldown has elapsed.
 	 */
 	protected static function display_release_cooldown() {
-		if ( RELEASE_COOL_DOWN_DELAY <= 0 ) {
+		if ( ! RELEASE_COOL_DOWN_DELAY ) {
 			return;
 		}
 
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 31f439cc9d..88ae295f36 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -111,7 +111,7 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		 * off switch, callers see the original commit/confirmation release_time.
 		 */
 		if (
-			RELEASE_COOL_DOWN_DELAY > 0 &&
+			RELEASE_COOL_DOWN_DELAY &&
 			! $bypass_cooldown &&
 			empty( $release['force_released'] ) &&
 			$existing_version !== (string) $version
@@ -128,7 +128,7 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		// sites. Keeps phased_rollout()'s `manual-updates-24hr` window measuring from public
 		// availability, even if the commit/confirmation was long ago because the cooldown
 		// deferred the write. With the cooldown disabled, keep the original semantics.
-		if ( RELEASE_COOL_DOWN_DELAY > 0 && $existing_version !== (string) $version ) {
+		if ( RELEASE_COOL_DOWN_DELAY && $existing_version !== (string) $version ) {
 			$release_time = time();
 		}
 
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
index 5cb7831e34..f103d032f4 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
@@ -87,7 +87,7 @@ class_exists( 'Two_Factor_Core' ) &&
 		/* translators: %s: plugins@wordpress.org */
 		echo '<p>' . sprintf( __( 'Release confirmations can be enabled on the Advanced view of plugin pages. If you need to disable release confirmations for a plugin, please contact %s.', 'wporg-plugins' ), 'plugins@wordpress.org' ) . '</p>';
 
-		if ( RELEASE_COOL_DOWN_DELAY > 0 ) {
+		if ( RELEASE_COOL_DOWN_DELAY ) {
 			printf(
 				'<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
 				wp_kses(
@@ -307,7 +307,7 @@ static function get_approval_text( $plugin, $data ) {
 	 * @param array $data The release row from Plugin_Directory::get_releases().
 	 */
 	protected static function render_cooldown_status( $data ) {
-		if ( RELEASE_COOL_DOWN_DELAY <= 0 ) {
+		if ( ! RELEASE_COOL_DOWN_DELAY ) {
 			return;
 		}
 

From ebace1c10bfd506937e0c86cd78a016a08162761 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:47:06 +1000
Subject: [PATCH 06/15] Plugin Directory: Drop the redundant force-release
 nonce.

The form only renders for users with the plugin_review capability, the
save_post handler re-checks the same capability, and the whole thing
posts inside wp-admins post.php form which is already nonced by core.
The extra _force_release_nonce was just noise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../plugins/plugin-directory/admin/metabox/class-controls.php  | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index 3be7bf0bda..57f582175b 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -100,7 +100,6 @@ protected static function display_release_cooldown() {
 					></textarea>
 				</p>
 				<p>
-					<?php wp_nonce_field( 'force_release_' . $post->ID, '_force_release_nonce' ); ?>
 					<button type="submit" name="force_release_version" value="<?php echo esc_attr( $version ); ?>" class="button">
 						<?php
 						printf(
@@ -135,8 +134,6 @@ public static function save_post( $post_id ) {
 			return;
 		}
 
-		check_admin_referer( 'force_release_' . $post_id, '_force_release_nonce' );
-
 		$version           = get_post_meta( $post->ID, 'version', true );
 		$submitted_version = sanitize_text_field( wp_unslash( $_POST['force_release_version'] ) );
 		if ( $submitted_version !== $version ) {

From 2c37527ba13f4b85340682f696ff3fa6df4b67f9 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:47:58 +1000
Subject: [PATCH 07/15] Plugin Directory: Import Tools class instead of
 fully-qualifying it inline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../plugins/plugin-directory/jobs/class-api-update-updater.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 88ae295f36..3592440e11 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -3,6 +3,7 @@
 
 use WordPressdotorg\Plugin_Directory\Plugin_Directory;
 use WordPressdotorg\Plugin_Directory\Template;
+use WordPressdotorg\Plugin_Directory\Tools;
 use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
@@ -318,7 +319,7 @@ public static function force_release( $plugin_slug, $reason, $user = null ) {
 			)
 		);
 
-		\WordPressdotorg\Plugin_Directory\Tools::audit_log(
+		Tools::audit_log(
 			sprintf(
 				'Force-released version %s, bypassing the %d-hour release cooldown. Reason: %s',
 				$version,

From 802cb25a898303eadd7d97334372b8c2dc3d7c61 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 18:55:37 +1000
Subject: [PATCH 08/15] Plugin Directory: Replace force_released flags with a
 per-release release_delay.

Stores the cooldown delay on the release at creation time via add_release()s
defaults, captured from the RELEASE_COOL_DOWN_DELAY constant. The cooldown
gate and release_time anchor both read release_delay (?? 0) instead of the
global constant -- pre-feature releases coalesce to 0 and write through
unchanged, future constant changes do not retroactively affect in-flight
releases.

Force-release just sets release_delay = 0 on the release, replacing the
four force_released, force_released_by, force_released_at, and
force_released_reason fields. The reviewer, time, and reason are already
captured by Tools::audit_log() so storing them twice was redundant.

Drops the author-facing Force-released by a plugin reviewer X ago message
along with that meta -- authors just see the cooldown countdown disappear.

Verifies core post.php nonce explicitly in save_post to satisfy phpcs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/metabox/class-controls.php          | 24 +++++++------
 .../class-plugin-directory.php                |  4 +++
 .../jobs/class-api-update-updater.php         | 34 ++++++++-----------
 .../shortcodes/class-release-confirmation.php | 23 ++++---------
 4 files changed, 39 insertions(+), 46 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
index 57f582175b..3d85569f28 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -5,7 +5,6 @@
 use WordPressdotorg\Plugin_Directory\Jobs\API_Update_Updater;
 use WordPressdotorg\Plugin_Directory\Plugin_Directory;
 use WordPressdotorg\Plugin_Directory\Template;
-use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
  * The Plugin Controls / Publish metabox.
@@ -49,15 +48,11 @@ static function display() {
 	/**
 	 * Display the release cooldown status and (for reviewers) a force-release control.
 	 *
-	 * Bails when the cooldown feature is disabled (constant is 0), when there's no
-	 * current release to gate, when the release was force-released (the audit-log
-	 * internal note covers that for reviewers), or when the cooldown has elapsed.
+	 * Bails when there's no current release to gate, when the release has no cooldown
+	 * delay (feature off at release-creation, or already force-released), or when the
+	 * cooldown window has elapsed.
 	 */
 	protected static function display_release_cooldown() {
-		if ( ! RELEASE_COOL_DOWN_DELAY ) {
-			return;
-		}
-
 		$post = get_post();
 
 		$version = get_post_meta( $post->ID, 'version', true );
@@ -66,11 +61,16 @@ protected static function display_release_cooldown() {
 		}
 
 		$release = Plugin_Directory::get_release( $post, $version );
-		if ( ! $release || ! empty( $release['force_released'] ) ) {
+		if ( ! $release ) {
 			return;
 		}
 
-		$cooldown_until = API_Update_Updater::compute_release_time( $post, $release ) + RELEASE_COOL_DOWN_DELAY;
+		$release_delay = (int) ( $release['release_delay'] ?? 0 );
+		if ( ! $release_delay ) {
+			return;
+		}
+
+		$cooldown_until = API_Update_Updater::compute_release_time( $post, $release ) + $release_delay;
 		if ( $cooldown_until <= time() ) {
 			return;
 		}
@@ -134,6 +134,10 @@ public static function save_post( $post_id ) {
 			return;
 		}
 
+		// Re-verify the post.php form nonce that core already checked, to satisfy phpcs
+		// and to make the security boundary explicit.
+		check_admin_referer( 'update-post_' . $post_id );
+
 		$version           = get_post_meta( $post->ID, 'version', true );
 		$submitted_version = sanitize_text_field( wp_unslash( $_POST['force_release_version'] ) );
 		if ( $submitted_version !== $version ) {
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
index f0699662ec..e73f6a5096 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
@@ -1729,6 +1729,10 @@ public static function add_release( $plugin, $data ) {
 			'confirmations_required'   => (int) $plugin->release_confirmation,
 			'committer'                => [],
 			'revision'                 => [],
+			// Captures the release cooldown active at creation time so future constant
+			// changes don't retroactively affect in-flight releases. Reviewers force-release
+			// by overriding this to 0 — see API_Update_Updater::force_release().
+			'release_delay'            => (int) RELEASE_COOL_DOWN_DELAY,
 		];
 
 		// Fill the $release with the newish data. This could/should use wp_parse_args()?
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 3592440e11..fc7785ca22 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -4,7 +4,6 @@
 use WordPressdotorg\Plugin_Directory\Plugin_Directory;
 use WordPressdotorg\Plugin_Directory\Template;
 use WordPressdotorg\Plugin_Directory\Tools;
-use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
  * Handles interfacing with the api.WordPress.org/plugin/update-check/ API.
@@ -101,35 +100,33 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 			)
 		);
 
+		$release_delay = (int) ( $release['release_delay'] ?? 0 );
+
 		/*
 		 * Defer the write for new versions still inside the cooldown window. While
 		 * deferred, the existing `update_source` row (carrying the previous version)
 		 * continues to be served by the update API. Callers that need immediate writes
 		 * (status transitions, reviewer force-release, the deferred event firing, meta
-		 * sync, rebuild) pass $bypass_cooldown = true.
-		 *
-		 * Skipped entirely when RELEASE_COOL_DOWN_DELAY is 0 — that's the feature-flag
-		 * off switch, callers see the original commit/confirmation release_time.
+		 * sync, rebuild) pass $bypass_cooldown = true; reviewers force-release by
+		 * setting `release_delay = 0` on the release meta.
 		 */
 		if (
-			RELEASE_COOL_DOWN_DELAY &&
+			$release_delay &&
 			! $bypass_cooldown &&
-			empty( $release['force_released'] ) &&
 			$existing_version !== (string) $version
 		) {
-			$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+			$cooldown_until = $release_time + $release_delay;
 			if ( $cooldown_until > time() ) {
 				self::queue_release_to_update_api( $post->post_name, $cooldown_until );
 				return true;
 			}
 		}
 
-		// When the cooldown is enabled and this write is publishing a new version, anchor
-		// `release_time` to now — that's the moment the version is actually available to
-		// sites. Keeps phased_rollout()'s `manual-updates-24hr` window measuring from public
-		// availability, even if the commit/confirmation was long ago because the cooldown
-		// deferred the write. With the cooldown disabled, keep the original semantics.
-		if ( RELEASE_COOL_DOWN_DELAY && $existing_version !== (string) $version ) {
+		// When publishing a new version under an active cooldown, anchor `release_time`
+		// to now — that's the moment the version is actually available to sites. Keeps
+		// phased_rollout()'s `manual-updates-24hr` window measuring from public availability,
+		// even if the commit/confirmation was long ago because the cooldown deferred the write.
+		if ( $release_delay && $existing_version !== (string) $version ) {
 			$release_time = time();
 		}
 
@@ -311,11 +308,8 @@ public static function force_release( $plugin_slug, $reason, $user = null ) {
 		Plugin_Directory::add_release(
 			$post,
 			array(
-				'tag'                   => $release['tag'],
-				'force_released'        => true,
-				'force_released_by'     => $user->ID,
-				'force_released_at'     => time(),
-				'force_released_reason' => $reason,
+				'tag'           => $release['tag'],
+				'release_delay' => 0,
 			)
 		);
 
@@ -323,7 +317,7 @@ public static function force_release( $plugin_slug, $reason, $user = null ) {
 			sprintf(
 				'Force-released version %s, bypassing the %d-hour release cooldown. Reason: %s',
 				$version,
-				RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS,
+				(int) ( $release['release_delay'] ?? 0 ) / HOUR_IN_SECONDS,
 				$reason
 			),
 			$post
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
index f103d032f4..955d9fe347 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
@@ -299,15 +299,16 @@ static function get_approval_text( $plugin, $data ) {
 	}
 
 	/**
-	 * Render a single line describing the cooldown state of a release: pending serve time
-	 * or force-released-by-reviewer. Skipped when the cooldown feature is disabled, when
-	 * the release was discarded, when it hasn't moved past confirmation/processing, or
-	 * when the cooldown has already elapsed without force-release.
+	 * Render a single line describing the cooldown state of a release: pending serve time.
+	 * Skipped for releases without a cooldown delay (feature off at release creation, or
+	 * force-released), discarded releases, releases that haven't moved past
+	 * confirmation/processing, or where the cooldown window has elapsed.
 	 *
 	 * @param array $data The release row from Plugin_Directory::get_releases().
 	 */
 	protected static function render_cooldown_status( $data ) {
-		if ( ! RELEASE_COOL_DOWN_DELAY ) {
+		$release_delay = (int) ( $data['release_delay'] ?? 0 );
+		if ( ! $release_delay ) {
 			return;
 		}
 
@@ -320,18 +321,8 @@ protected static function render_cooldown_status( $data ) {
 			return;
 		}
 
-		if ( ! empty( $data['force_released'] ) ) {
-			$message = sprintf(
-				/* translators: %s: relative time */
-				__( 'Force-released by a plugin reviewer %s ago.', 'wporg-plugins' ),
-				human_time_diff( (int) ( $data['force_released_at'] ?? $data['date'] ) )
-			);
-			printf( '<span>%s</span><br>', esc_html( $message ) );
-			return;
-		}
-
 		$release_time   = $data['confirmations'] ? max( $data['confirmations'] ) : (int) $data['date'];
-		$cooldown_until = $release_time + RELEASE_COOL_DOWN_DELAY;
+		$cooldown_until = $release_time + $release_delay;
 
 		if ( $cooldown_until <= time() ) {
 			return;

From 69542f858d0b504a72bcf47d703c5b1ba8cd384c Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 19:12:16 +1000
Subject: [PATCH 09/15] Plugin Directory: Simplify the cooldown cron and drop
 bypass_cooldown.

The cron schedule helper collapses to wp_clear_scheduled_hook +
wp_schedule_single_event -- the per-plugin hook name makes args unnecessary
for dedupe and the always-clear approach is shorter than the next-scheduled
dance. The cron handler recovers the slug from current_filter() so no args
need flow through.

bypass_cooldown is no longer load-bearing once release_delay is per-release:

  - cron_trigger_release: fires at cooldown_until, gate check
    (cooldown_until > time()) is false by definition.
  - force_release: sets release_delay = 0 before update_single_plugin,
    which short-circuits the gate.
  - rebuild script: cooldown gate correctly preserves in-flight cooldowns
    instead of stomping them.
  - status_transitions: status changes that do not bump version match
    existing_version == new_version and write through naturally. Status
    changes that coincide with a deferred new version write through at
    cooldown_until (worst-case 48h delay) -- the OLD safe version
    continues to be served in the meantime, which is the right call.

Also reorders force_release() to call audit_log BEFORE the add_release that
zeroes release_delay, so the log line captures the original delay rather
than relying on a stale in-memory copy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/class-status-transitions.php        |  6 +-
 .../bin/rebuild-update_source-table.php       |  3 +-
 .../jobs/class-api-update-updater.php         | 74 +++++++------------
 3 files changed, 29 insertions(+), 54 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
index 6abfe37dc3..12c6c46c2b 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
@@ -482,10 +482,8 @@ public function clear_reviewer( $post ) {
 	 * Flush the caches for the plugin.
 	 */
 	protected function flush_caches( $post ) {
-		// Update the API endpoints with the new data. Bypass the release cooldown
-		// so status transitions (closure, disable, reopen) take effect immediately
-		// rather than getting held back inside an in-flight cooldown window.
-		API_Update_Updater::update_single_plugin( $post->post_name, true );
+		// Update the API endpoints with the new data.
+		API_Update_Updater::update_single_plugin( $post->post_name );
 		Plugins_Info_API::flush_plugin_information_cache( $post->post_name );
 	}
 }
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php
index bb82efe232..7ac682dcee 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/bin/rebuild-update_source-table.php
@@ -47,8 +47,7 @@
 foreach ( $slugs as $i => $slug ) {
 	echo ++$i . '/' . count( $slugs ) . "\t" . $slug . "\n";
 
-	// Rebuild bypasses the release cooldown — the intent is to reflect current state.
-	Jobs\API_Update_Updater::update_single_plugin( $slug, true );
+	Jobs\API_Update_Updater::update_single_plugin( $slug );
 
 	clear_memory_caches();
 }
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index fc7785ca22..8c154264a1 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -69,17 +69,10 @@ public static function cron_trigger() {
 	/**
 	 * Updates a single plugins `update_source` data.
 	 *
-	 * @param string $plugin_slug     The plugin slug.
-	 * @param bool   $bypass_cooldown Whether to bypass the release cooldown gate. True when called
-	 *                                from the deferred release cron, the reviewer force-release
-	 *                                action, or from contexts that must publish immediately (status
-	 *                                transitions, rebuild scripts). When true, `release_time` in the
-	 *                                stored meta is anchored to the moment of the write rather than
-	 *                                the original commit time, so the phased-rollout
-	 *                                `manual-updates-24hr` window measures from public availability.
+	 * @param string $plugin_slug The plugin slug.
 	 * @return bool
 	 */
-	public static function update_single_plugin( $plugin_slug, $bypass_cooldown = false ) {
+	public static function update_single_plugin( $plugin_slug ) {
 		global $wpdb;
 		$post = Plugin_Directory::get_plugin_post( $plugin_slug );
 
@@ -105,16 +98,14 @@ public static function update_single_plugin( $plugin_slug, $bypass_cooldown = fa
 		/*
 		 * Defer the write for new versions still inside the cooldown window. While
 		 * deferred, the existing `update_source` row (carrying the previous version)
-		 * continues to be served by the update API. Callers that need immediate writes
-		 * (status transitions, reviewer force-release, the deferred event firing, meta
-		 * sync, rebuild) pass $bypass_cooldown = true; reviewers force-release by
-		 * setting `release_delay = 0` on the release meta.
+		 * continues to be served by the update API. Reviewers force-release by setting
+		 * `release_delay = 0` on the release meta.
+		 *
+		 * The deferred cron fires at exactly $cooldown_until, so by definition this
+		 * gate is false when called from cron_trigger_release() and no explicit bypass
+		 * is needed.
 		 */
-		if (
-			$release_delay &&
-			! $bypass_cooldown &&
-			$existing_version !== (string) $version
-		) {
+		if ( $release_delay && $existing_version !== (string) $version ) {
 			$cooldown_until = $release_time + $release_delay;
 			if ( $cooldown_until > time() ) {
 				self::queue_release_to_update_api( $post->post_name, $cooldown_until );
@@ -243,11 +234,8 @@ public static function compute_release_time( $post, $release ) {
 	}
 
 	/**
-	 * Schedule a deferred release-to-update-api cron event for a plugin.
-	 *
-	 * If an event is already scheduled at the desired time, this is a no-op. If a
-	 * different time is scheduled (e.g. an earlier commit's cooldown), the event is
-	 * rescheduled to the later time so a follow-up commit fully resets the window.
+	 * Schedule a deferred release-to-update-api cron event for a plugin, replacing
+	 * any earlier event so a follow-up commit fully resets the cooldown window.
 	 *
 	 * @param string $plugin_slug    The plugin slug.
 	 * @param int    $cooldown_until Unix timestamp when the deferred event should fire.
@@ -255,26 +243,18 @@ public static function compute_release_time( $post, $release ) {
 	public static function queue_release_to_update_api( $plugin_slug, $cooldown_until ) {
 		$hook = "release_to_update_api:{$plugin_slug}";
 
-		$existing = wp_next_scheduled( $hook, array( $plugin_slug ) );
-		if ( $existing === $cooldown_until ) {
-			return;
-		}
-
-		if ( $existing ) {
-			wp_unschedule_event( $existing, $hook, array( $plugin_slug ) );
-		}
-
-		wp_schedule_single_event( $cooldown_until, $hook, array( $plugin_slug ) );
+		wp_clear_scheduled_hook( $hook );
+		wp_schedule_single_event( $cooldown_until, $hook );
 	}
 
 	/**
 	 * Cron handler for `release_to_update_api:{slug}`. Fires when the cooldown
-	 * expires; writes the new version to `update_source` immediately.
-	 *
-	 * @param string $plugin_slug The plugin slug.
+	 * expires; writes the new version to `update_source` immediately. The slug
+	 * is recovered from the dynamic hook name so no args need flow through cron.
 	 */
-	public static function cron_trigger_release( $plugin_slug ) {
-		self::update_single_plugin( $plugin_slug, true );
+	public static function cron_trigger_release() {
+		list( , $plugin_slug ) = explode( ':', current_filter(), 2 );
+		self::update_single_plugin( $plugin_slug );
 	}
 
 	/**
@@ -305,14 +285,6 @@ public static function force_release( $plugin_slug, $reason, $user = null ) {
 			return false;
 		}
 
-		Plugin_Directory::add_release(
-			$post,
-			array(
-				'tag'           => $release['tag'],
-				'release_delay' => 0,
-			)
-		);
-
 		Tools::audit_log(
 			sprintf(
 				'Force-released version %s, bypassing the %d-hour release cooldown. Reason: %s',
@@ -323,9 +295,15 @@ public static function force_release( $plugin_slug, $reason, $user = null ) {
 			$post
 		);
 
-		wp_clear_scheduled_hook( "release_to_update_api:{$plugin_slug}" );
+		Plugin_Directory::add_release(
+			$post,
+			array(
+				'tag'           => $release['tag'],
+				'release_delay' => 0,
+			)
+		);
 
-		return self::update_single_plugin( $plugin_slug, true );
+		return self::update_single_plugin( $plugin_slug );
 	}
 
 	static function get_plugin_assets( $post ) {

From 945847a3d50425171330d3b98b76ba0455893354 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 19:14:23 +1000
Subject: [PATCH 10/15] Plugin Directory: Inline the release_to_update_api hook
 name.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../plugin-directory/jobs/class-api-update-updater.php      | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
index 8c154264a1..f24821258a 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/jobs/class-api-update-updater.php
@@ -241,10 +241,8 @@ public static function compute_release_time( $post, $release ) {
 	 * @param int    $cooldown_until Unix timestamp when the deferred event should fire.
 	 */
 	public static function queue_release_to_update_api( $plugin_slug, $cooldown_until ) {
-		$hook = "release_to_update_api:{$plugin_slug}";
-
-		wp_clear_scheduled_hook( $hook );
-		wp_schedule_single_event( $cooldown_until, $hook );
+		wp_clear_scheduled_hook( "release_to_update_api:{$plugin_slug}" );
+		wp_schedule_single_event( $cooldown_until, "release_to_update_api:{$plugin_slug}" );
 	}
 
 	/**

From f03d2fc6e353c05dc1aea9cfb485753c98253637 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Fri, 15 May 2026 19:19:53 +1000
Subject: [PATCH 11/15] Plugin Directory: Surface the cooldown notice on plugin
 pages, remove the tests.

Replaces the static info banner on the release-confirmation shortcode page
with a targeted notice that only appears for committers when one of their
plugins has a release currently inside the cooldown window. Matches the
existing frontend_unconfirmed_releases_notice() pattern (same metabox
plumbing via template-tags.php and plugin-single.php).

Notice copy names the version, the relative time until it ships, the
cooldown duration, and the plugins@wordpress.org contact for security
expedites.

Drops the Plugin_Update_Cooldown_Test.php file -- only covered
compute_release_time() which is straightforward inline logic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../shortcodes/class-release-confirmation.php | 73 +++++++++++----
 .../tests/Plugin_Update_Cooldown_Test.php     | 90 -------------------
 .../wporg-plugins-2024/inc/template-tags.php  |  7 ++
 .../template-parts/plugin-single.php          |  1 +
 4 files changed, 65 insertions(+), 106 deletions(-)
 delete mode 100644 wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
index 955d9fe347..862b1630b0 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
@@ -10,7 +10,6 @@
 	Revalidation\get_js_url as get_revalidation_js_url,
 	get_onboarding_account_url as get_2fa_onboarding_url
 };
-use const WordPressdotorg\Plugin_Directory\RELEASE_COOL_DOWN_DELAY;
 
 /**
  * The [release-confirmation] shortcode handler.
@@ -87,21 +86,6 @@ class_exists( 'Two_Factor_Core' ) &&
 		/* translators: %s: plugins@wordpress.org */
 		echo '<p>' . sprintf( __( 'Release confirmations can be enabled on the Advanced view of plugin pages. If you need to disable release confirmations for a plugin, please contact %s.', 'wporg-plugins' ), 'plugins@wordpress.org' ) . '</p>';
 
-		if ( RELEASE_COOL_DOWN_DELAY ) {
-			printf(
-				'<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
-				wp_kses(
-					sprintf(
-						/* translators: 1: cooldown duration in hours, 2: plugins@wordpress.org link */
-						__( 'New releases are served to sites %1$d hours after they\'re committed (or after the final confirmation, if release confirmations are enabled). This gives security scanners and reviewers a window to catch malicious commits before they ship. If you have an urgent security fix that needs to be released sooner, contact %2$s.', 'wporg-plugins' ),
-						(int) ( RELEASE_COOL_DOWN_DELAY / HOUR_IN_SECONDS ),
-						'<a href="mailto:plugins@wordpress.org">plugins@wordpress.org</a>'
-					),
-					array( 'a' => array( 'href' => true ) )
-				)
-			);
-		}
-
 		$not_enabled = [];
 		foreach ( $plugins as $plugin ) {
 			printf(
@@ -482,6 +466,63 @@ static function template_redirect() {
 		add_filter( 'wporg_noindex_request', '__return_true' );
 	}
 
+	/**
+	 * Surfaces an in-cooldown notice to committers on the plugin's public page.
+	 *
+	 * Bails when the viewer isn't a committer, when there's no current release in
+	 * an active cooldown window, or when the release was force-released
+	 * (release_delay = 0 ⇒ no cooldown).
+	 *
+	 * @param WP_Post $post The currently displayed post.
+	 */
+	public static function frontend_cooldown_notice( $post = null ) {
+		$post = get_post( $post );
+
+		if ( ! $post || ! current_user_can( 'plugin_admin_edit', $post ) ) {
+			return;
+		}
+
+		$version = get_post_meta( $post->ID, 'version', true );
+		if ( ! $version ) {
+			return;
+		}
+
+		$release = Plugin_Directory::get_release( $post, $version );
+		if ( ! $release ) {
+			return;
+		}
+
+		$release_delay = (int) ( $release['release_delay'] ?? 0 );
+		if ( ! $release_delay ) {
+			return;
+		}
+
+		$release_time   = $release['confirmations'] ? max( $release['confirmations'] ) : (int) $release['date'];
+		$cooldown_until = $release_time + $release_delay;
+
+		if ( $cooldown_until <= time() ) {
+			return;
+		}
+
+		printf(
+			'<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
+			wp_kses(
+				sprintf(
+					/* translators: 1: plugin version, 2: relative time until cooldown expires, 3: delay duration in hours, 4: plugins@wordpress.org link */
+					__( 'Version %1$s will be released to sites in about %2$s. WordPress.org currently delays plugin updates by %3$d hours so moderators and security scanners can review changes before they reach users. If this update fixes a security issue that needs to ship sooner, contact %4$s.', 'wporg-plugins' ),
+					'<code>' . esc_html( $version ) . '</code>',
+					esc_html( human_time_diff( time(), $cooldown_until ) ),
+					(int) ( $release_delay / HOUR_IN_SECONDS ),
+					'<a href="mailto:plugins@wordpress.org">plugins@wordpress.org</a>'
+				),
+				array(
+					'code' => array(),
+					'a'    => array( 'href' => true ),
+				)
+			)
+		);
+	}
+
 	/**
 	 * Displays the notice on the plugin front-end.
 	 *
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
deleted file mode 100644
index cd81461c34..0000000000
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/tests/Plugin_Update_Cooldown_Test.php
+++ /dev/null
@@ -1,90 +0,0 @@
-<?php
-/**
- * Tests for the API_Update_Updater::compute_release_time() helper.
- *
- * @package WordPressdotorg\Plugin_Directory\Tests
- */
-
-use PHPUnit\Framework\TestCase;
-use WordPressdotorg\Plugin_Directory\Jobs\API_Update_Updater;
-
-/**
- * Pure-logic coverage of the release_time computation.
- *
- * @group jobs
- */
-class Plugin_Update_Cooldown_Test extends TestCase {
-
-	/**
-	 * Without release confirmations the commit timestamp drives release_time.
-	 */
-	public function test_compute_release_time_uses_version_date_by_default() {
-		$post = (object) array(
-			'version_date'  => '2026-05-15 12:00:00',
-			'post_modified' => '2026-05-10 00:00:00',
-		);
-
-		$this->assertSame(
-			strtotime( '2026-05-15 12:00:00' ),
-			API_Update_Updater::compute_release_time( $post, false )
-		);
-	}
-
-	/**
-	 * If version_date is missing the post's last modified time is the fallback.
-	 */
-	public function test_compute_release_time_falls_back_to_post_modified() {
-		$post = (object) array(
-			'version_date'  => '',
-			'post_modified' => '2026-05-10 00:00:00',
-		);
-
-		$this->assertSame(
-			strtotime( '2026-05-10 00:00:00' ),
-			API_Update_Updater::compute_release_time( $post, false )
-		);
-	}
-
-	/**
-	 * With release confirmation required, release_time is the latest committer confirmation.
-	 */
-	public function test_compute_release_time_uses_latest_confirmation_when_required() {
-		$post = (object) array(
-			'version_date'  => '2026-05-15 12:00:00',
-			'post_modified' => '2026-05-10 00:00:00',
-		);
-
-		$release = array(
-			'confirmations_required' => 2,
-			'confirmations'          => array(
-				'alice' => 1700000100,
-				'bob'   => 1700000500,
-			),
-		);
-
-		$this->assertSame(
-			1700000500,
-			API_Update_Updater::compute_release_time( $post, $release )
-		);
-	}
-
-	/**
-	 * Confirmations on releases that don't require them should be ignored.
-	 */
-	public function test_compute_release_time_ignores_confirmations_when_not_required() {
-		$post = (object) array(
-			'version_date'  => '2026-05-15 12:00:00',
-			'post_modified' => '2026-05-10 00:00:00',
-		);
-
-		$release = array(
-			'confirmations_required' => 0,
-			'confirmations'          => array( 'alice' => 1700000100 ),
-		);
-
-		$this->assertSame(
-			strtotime( '2026-05-15 12:00:00' ),
-			API_Update_Updater::compute_release_time( $post, $release )
-		);
-	}
-}
diff --git a/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/inc/template-tags.php b/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/inc/template-tags.php
index 10dd3ec7d7..3357c335d3 100644
--- a/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/inc/template-tags.php
+++ b/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/inc/template-tags.php
@@ -262,6 +262,13 @@ function the_unconfirmed_releases_notice() {
 	return Release_Confirmation::frontend_unconfirmed_releases_notice();
 }
 
+/**
+ * Render the in-cooldown release notice for committers on a plugin's public page.
+ */
+function the_release_cooldown_notice() {
+	return Release_Confirmation::frontend_cooldown_notice();
+}
+
 function the_no_self_management_notice() {
 	$post = get_post();
 
diff --git a/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/template-parts/plugin-single.php b/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/template-parts/plugin-single.php
index b28bcffb99..cdf32fc5e7 100644
--- a/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/template-parts/plugin-single.php
+++ b/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/template-parts/plugin-single.php
@@ -27,6 +27,7 @@
 		<?php the_author_notice(); ?>
 		<?php the_active_plugin_notice(); ?>
 		<?php the_unconfirmed_releases_notice(); ?>
+		<?php the_release_cooldown_notice(); ?>
 
 		<div class="entry-heading-container">
 			<div>

From 4ee1d35ae3cade1c6f68c14a4ac0beb25e9ec586 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Thu, 21 May 2026 16:55:28 +1000
Subject: [PATCH 12/15] Plugin Directory: Reduce the release cooldown to 24
 hours.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../wp-content/plugins/plugin-directory/plugin-directory.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
index 003f208705..4c77a9d7e9 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
@@ -33,7 +33,7 @@
  * and humans a window to flag bad releases. Plugin reviewers can bypass the cooldown
  * via the wp-admin force-release action; see Jobs\API_Update_Updater::update_single_plugin().
  */
-define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', 48 * HOUR_IN_SECONDS );
+define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', 24 * HOUR_IN_SECONDS );
 
 // Register an Autoloader for all files
 require __DIR__ . '/class-autoloader.php';

From e2d43ce3ba2b0205e84f453a30bca743bebf51b4 Mon Sep 17 00:00:00 2001
From: Dion Hulse <contact@dd32.id.au>
Date: Mon, 25 May 2026 13:45:45 +1000
Subject: [PATCH 13/15] Plugin Directory: Cooldown: Defer to a shared
 WPORG_PLUGIN_THEME_RELEASE_DELAY constant.

Lets the plugin and theme directory cooldowns be tuned (or disabled) in lockstep
from a single override point. Falls back to the hard-coded 24h limit when the
shared constant isn't set. Mirrors the matching change on the theme side in #651.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../plugins/plugin-directory/plugin-directory.php           | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
index 4c77a9d7e9..29ffe7395e 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
@@ -32,8 +32,12 @@
  * served until the cooldown elapses. Mitigates supply-chain attacks by giving scanners
  * and humans a window to flag bad releases. Plugin reviewers can bypass the cooldown
  * via the wp-admin force-release action; see Jobs\API_Update_Updater::update_single_plugin().
+ *
+ * Defers to the shared WPORG_PLUGIN_THEME_RELEASE_DELAY constant when it's defined
+ * so the plugin and theme directories can be tuned (or disabled) in lockstep from a
+ * single override point.
  */
-define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', 24 * HOUR_IN_SECONDS );
+define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', defined( 'WPORG_PLUGIN_THEME_RELEASE_DELAY' ) ? WPORG_PLUGIN_THEME_RELEASE_DELAY : 24 * HOUR_IN_SECONDS );
 
 // Register an Autoloader for all files
 require __DIR__ . '/class-autoloader.php';

From 471e2ea082dcf188108612b5efbab99e6f862ca6 Mon Sep 17 00:00:00 2001
From: Dion Hulse <dion@wordpress.org>
Date: Wed, 3 Jun 2026 03:48:49 +0000
Subject: [PATCH 14/15] Plugin Directory: Cooldown: Make the release delay
 filterable.

Introduce get_release_cooldown_delay( $plugin_slug ) which returns the
RELEASE_COOL_DOWN_DELAY default passed through the new
`wporg_plugins_release_cooldown_delay` filter, with the plugin slug
passed along when known. The filter can shorten, extend, or remove
(return 0) the delay per-plugin. Captured onto the release in
add_release() exactly as before.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .../class-plugin-directory.php                |  4 +--
 .../plugin-directory/plugin-directory.php     | 27 +++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
index e73f6a5096..2661bc989f 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
@@ -1729,10 +1729,10 @@ public static function add_release( $plugin, $data ) {
 			'confirmations_required'   => (int) $plugin->release_confirmation,
 			'committer'                => [],
 			'revision'                 => [],
-			// Captures the release cooldown active at creation time so future constant
+			// Captures the release cooldown active at creation time so future filter/constant
 			// changes don't retroactively affect in-flight releases. Reviewers force-release
 			// by overriding this to 0 — see API_Update_Updater::force_release().
-			'release_delay'            => (int) RELEASE_COOL_DOWN_DELAY,
+			'release_delay'            => get_release_cooldown_delay( $plugin->post_name ),
 		];
 
 		// Fill the $release with the newish data. This could/should use wp_parse_args()?
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
index 29ffe7395e..c68574ebcd 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
@@ -39,6 +39,33 @@
  */
 define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', defined( 'WPORG_PLUGIN_THEME_RELEASE_DELAY' ) ? WPORG_PLUGIN_THEME_RELEASE_DELAY : 24 * HOUR_IN_SECONDS );
 
+/**
+ * Returns the release cooldown delay, in seconds, for a plugin.
+ *
+ * The RELEASE_COOL_DOWN_DELAY constant provides the default, which is then passed through
+ * the `wporg_plugins_release_cooldown_delay` filter so the delay can be shortened,
+ * extended, or removed (return 0 to disable the cooldown) on a per-plugin basis. The
+ * plugin slug is passed to the filter when it is known.
+ *
+ * This is captured onto each release at creation time (see Plugin_Directory::add_release()),
+ * so changing the filter does not retroactively alter the cooldown of in-flight releases.
+ *
+ * @param string $plugin_slug The slug of the plugin being released, if known.
+ * @return int Delay in seconds. 0 disables the cooldown (the version is served immediately).
+ */
+function get_release_cooldown_delay( $plugin_slug = '' ) {
+	/**
+	 * Filters the release cooldown delay for a plugin.
+	 *
+	 * Return 0 to disable the cooldown (the version is served as soon as it's imported), or
+	 * a larger/smaller number of seconds to lengthen or shorten the delay for this plugin.
+	 *
+	 * @param int    $delay       The default delay in seconds (the RELEASE_COOL_DOWN_DELAY constant).
+	 * @param string $plugin_slug The slug of the plugin being released, or '' when not known.
+	 */
+	return (int) apply_filters( 'wporg_plugins_release_cooldown_delay', RELEASE_COOL_DOWN_DELAY, $plugin_slug );
+}
+
 // Register an Autoloader for all files
 require __DIR__ . '/class-autoloader.php';
 Autoloader\register_class_path( __NAMESPACE__, __DIR__ );

From 3d92d058cadeed580267109cde4468e845e15dbb Mon Sep 17 00:00:00 2001
From: Dion Hulse <dion@wordpress.org>
Date: Wed, 3 Jun 2026 05:17:08 +0000
Subject: [PATCH 15/15] Plugin Directory: Cooldown: Default the delay to 0 and
 allow config override.

Default RELEASE_COOL_DOWN_DELAY to 0 (cooldown disabled) for now, to be
raised once the workflow is ready, and wrap the define() in an
if ( ! defined() ) guard so it can be pre-defined from global config.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .../plugins/plugin-directory/plugin-directory.php         | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
index c68574ebcd..45b61e3a2b 100644
--- a/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
+++ b/wordpress.org/public_html/wp-content/plugins/plugin-directory/plugin-directory.php
@@ -36,8 +36,14 @@
  * Defers to the shared WPORG_PLUGIN_THEME_RELEASE_DELAY constant when it's defined
  * so the plugin and theme directories can be tuned (or disabled) in lockstep from a
  * single override point.
+ *
+ * Defaults to 0 (cooldown disabled, releases served immediately) for now; this will be
+ * raised once the surrounding workflow is ready. Can be pre-defined in global config to
+ * override the default.
  */
-define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', defined( 'WPORG_PLUGIN_THEME_RELEASE_DELAY' ) ? WPORG_PLUGIN_THEME_RELEASE_DELAY : 24 * HOUR_IN_SECONDS );
+if ( ! defined( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY' ) ) {
+	define( __NAMESPACE__ . '\RELEASE_COOL_DOWN_DELAY', defined( 'WPORG_PLUGIN_THEME_RELEASE_DELAY' ) ? WPORG_PLUGIN_THEME_RELEASE_DELAY : 0 );
+}
 
 /**
  * Returns the release cooldown delay, in seconds, for a plugin.