=== SecPaid for WooCommerce ===
Contributors: secpaid, spacepitch
Tags: woocommerce, payment gateway, secpaid, payments, checkout
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 7.4
WC requires at least: 6.0
WC tested up to: 9.4
Stable tag: 3.0.2
Requires Plugins: woocommerce
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Accept payments in WooCommerce through SecPaid's secure hosted checkout, with reliable server-to-server webhooks and full block checkout support.

== Description ==

SecPaid for WooCommerce lets your store accept payments via the SecPaid payment platform. At checkout the customer is redirected to SecPaid's secure hosted page, completes the payment (card, PayPal, Apple Pay, Google Pay, bank transfer and more), and is returned to your store. Order status is confirmed authoritatively by a server-to-server webhook, so payments are recorded even if the customer closes their browser.

= Features =

* Hosted, PCI-compliant checkout — no card data ever touches your server.
* Authoritative server-to-server webhook confirmation with idempotent processing.
* Browser callback redirect for a smooth "thank you" page experience.
* Sandbox and Production environments with a single toggle.
* Optional webhook shared secret for extra protection.
* WooCommerce Cart & Checkout **Blocks** support.
* High-Performance Order Storage (HPOS) compatible.
* Redacted, opt-in debug logging via WooCommerce → Status → Logs.

== Installation ==

1. Upload the `secpaid-woocommerce` folder to `/wp-content/plugins/`, or install the ZIP via Plugins → Add New → Upload Plugin.
2. Activate **SecPaid for WooCommerce** through the Plugins screen.
3. Go to WooCommerce → Settings → Payments → SecPaid.
4. Enter your API key, choose Sandbox or Production, and enable the method.
5. Copy the displayed Callback URL and Webhook URL into your SecPaid dashboard.

See the full setup guide at https://docs.secpaid.com (Integrations → WooCommerce).

== Frequently Asked Questions ==

= Do I need a SecPaid account? =

Yes. Sign up at https://secpaid.com and copy your API key from Settings → API Keys.

= Where do I configure the callback and webhook URLs? =

The exact URLs for your store are shown on the gateway settings screen. Add them in your SecPaid dashboard under Settings → Callback URLs and the payment endpoint.

= Can I test before going live? =

Yes — use the Sandbox environment, which targets app.dev.secpaid.com.

== Changelog ==

= 3.0.2 =
* Added **Allow customer cancellation** setting (SecPaid `cancellable` on createLink; default on per API docs).
* Callback on `status=cancel`: marks order cancelled, shows notice, redirects to checkout (no longer falls through to thank-you page).
* Webhook on `status=cancel`: marks order cancelled with idempotent handling and logging.
* Improved webhook parsing for flat `data[status]` form keys.

= 3.0.1 =
* Fixed callback redirect: use path-style `/wc-api/secpaid-callback/` URLs so SecPaid can append `?pay_id=…&status=…` without breaking the query string.
* Hardened callback parameter parsing for HTML-encoded `&amp;` and nested query strings (same class of issue as JTL plugin v3.0.0).
* README: troubleshooting for callback redirect, API key, and block checkout nonce issues.

= 3.0.0 =
* Complete rewrite with a clean, class-based architecture (gateway, API client, order service, callback & webhook handlers, logger).
* Fixed Blocks integration: now registers under the correct `secpaid_payment` id (previously registered as `other_payment`, which broke block checkout).
* Fixed case-sensitive status handling — callback/webhook statuses are now normalized.
* Authoritative, idempotent webhook processing using `payment_complete()`.
* Enabled TLS verification on all API calls (previously disabled).
* Optional webhook shared secret.
* Removed the unsafe auto-order-creation handler that could create duplicate orders.
* Replaced scattered `error_log()` calls with opt-in, redacted WooCommerce logging.
* HPOS and Cart/Checkout Blocks compatibility declared.
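
The callback parsing hardening from 3.0.1 and the status normalization from 3.0.0, shown as an added example that is not the plugin's own code. The function name, the `pay_id` character set, the reading of "nested query strings" as a second `?` in the URL, and the sample inputs are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The function name, the pay_id
// character set and the sample inputs are assumptions / constructed values.

/**
 * Extract pay_id and status from a raw callback query string.
 * Returns null when a parameter is missing or malformed.
 */
function example_parse_callback_query(string $raw): ?array
{
    // Undo HTML encoding of the separator; two passes cover "&amp;amp;".
    for ($i = 0; $i < 2; $i++) {
        $raw = str_ireplace(['&amp;', '&#038;', '&#38;'], '&', $raw);
    }
    // Assumed meaning of "nested": parameters appended with a second "?"
    // to a URL that already carried a query string.
    $raw = str_replace('?', '&', ltrim($raw, '?'));

    parse_str($raw, $params);
    $pay_id = $params['pay_id'] ?? null;
    $status = $params['status'] ?? null;

    // Reject array injection (pay_id[]=x) and unexpected characters.
    if (!is_string($pay_id) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $pay_id)) {
        return null;
    }
    if (!is_string($status)) {
        return null;
    }
    // Normalize case so "Cancel" and "CANCEL" take the same code path.
    $status = strtolower(trim($status));
    if (!preg_match('/\A[a-z_]{1,32}\z/', $status)) {
        return null;
    }
    return ['pay_id' => $pay_id, 'status' => $status];
}

// Constructed query strings, as they might arrive in QUERY_STRING.
$samples = [
    'pay_id=abc123&status=cancel',
    'pay_id=abc123&amp;status=CANCEL',
    'wc-api=secpaid-callback?pay_id=abc123&amp;status=Cancel',
    'pay_id[]=abc123&status=cancel',
    'pay_id=abc123&status=<script>',
];
foreach ($samples as $q) {
    $r = example_parse_callback_query($q);
    echo $q, ' => ', $r === null ? 'rejected' : json_encode($r), PHP_EOL;
}
```

The first three samples all parse to the same `pay_id` and a lowercase `cancel` status; the last two are rejected. Values parsed from the browser callback remain customer-controlled input, and payment confirmation still comes from the server-to-server webhook as stated in the Description.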

== Upgrade Notice ==

= 3.0.2 =
Adds configurable payment cancellation (`cancellable`) and reliable cancel handling on callback and webhook.

= 3.0.1 =
Update callback and webhook URLs in your SecPaid dashboard to the path-style `/wc-api/…/` format shown on the gateway settings screen.

= 3.0.0 =
Major rewrite. Review your gateway settings after upgrading and re-confirm the callback/webhook URLs in your SecPaid dashboard.
