=== CartMan Connect for WooCommerce ===
Contributors: waveinfotech
Tags: woocommerce, mobile, orders, rest-api, ecommerce
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.6.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Requires Plugins: woocommerce

Secure REST API bridge for the CartMan mobile app. Not affiliated with or endorsed by WooCommerce or Automattic.

== Description ==

CartMan Connect for WooCommerce adds a secure REST API to your WooCommerce store so you can manage orders, payments, sales reports, and customer support from the CartMan app.

**Disclaimer:** This is a third-party plugin. It is not affiliated with, endorsed by, or sponsored by WooCommerce, Automattic, or WordPress.

This plugin does **not** require a third-party SaaS account. All data stays on your WordPress site. Authentication uses a hashed connection key or WordPress Application Passwords.

= Features =

* Secure REST API for WooCommerce order management
* View new orders, update order status (processing, shipped/completed, on hold, cancelled)
* Payment transaction listing
* Basic sales reports (today, 7, 30, 90 days)
* Customer support tickets with email notifications
* Customer support form shortcode for your storefront
* WooCommerce product catalog CRUD for the mobile app
* Hashed connection keys, HTTPS enforcement, rate limiting, and audit logging

= Mobile app =

Pair this plugin with the **CartMan** mobile app (available on Google Play and the App Store). After activating the plugin, open **WooCommerce → CartMan Connect** to copy your store URL and connection key.

= Shortcode =

Add a customer support form to any page:

`[cartman_support_form]`

Customers must enter their order ID and billing email. Submissions are verified, rate limited, and emailed to your store.

= Requirements =

* WordPress 6.2 or later
* WooCommerce 7.0 or later
* Pretty permalinks enabled
* HTTPS recommended for production

== Installation ==

1. Upload the plugin files to `/wp-content/plugins/cartman-connect`, or install through the WordPress Plugins screen.
2. Activate the plugin through the **Plugins** screen.
3. Ensure WooCommerce is installed and active.
4. Go to **WooCommerce → CartMan Connect**.
5. Copy your Store URL and Connection Key into the CartMan app.

== Frequently Asked Questions ==

= Does this plugin work without the mobile app? =

The REST API and customer support shortcode work independently. The mobile app is optional but designed to use this plugin.

= How do I connect the mobile app? =

Install CartMan Connect for WooCommerce, then in the app enter your HTTPS store URL and tap **Log in with your store**. Sign in with your WordPress admin or shop manager account and approve access. You can also use a connection key or application password from **WooCommerce → CartMan Connect** if needed.

= Is the connection key stored securely? =

Yes. Connection keys are stored hashed in the database using PHP's `password_hash()`. The plain key is only shown briefly after generation.

= Does the connection key expire? =

By default, keys never expire. In **WooCommerce → CartMan Connect**, you can choose **Never expire** or **Expire after X days**. When expiry is enabled, the mobile app must use a freshly regenerated key after the expiry date.
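
The hashed storage and optional expiry described in the two answers above, sketched as an added example (not CartMan Connect's own code); the function names, the record layout, and the 32-byte key length are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's implementation. Function names,
// record layout and key length are hypothetical.

/** Create a key. Returns [plain key to show once, record to persist]. */
function example_generate_connection_key(?int $expire_days, int $now): array {
    // 32 bytes from the CSPRNG, hex-encoded to 64 chars (under bcrypt's 72-byte input limit).
    $plain  = bin2hex(random_bytes(32));
    $record = [
        // Only the salted hash is persisted; the plain key is never stored.
        'hash'       => password_hash($plain, PASSWORD_DEFAULT),
        // null models "Never expire"; otherwise "Expire after X days".
        'expires_at' => $expire_days === null ? null : $now + $expire_days * 86400,
    ];
    return [$plain, $record];
}

/** Check a presented key against the stored record: 'ok', 'invalid' or 'expired'. */
function example_verify_connection_key(string $presented, array $record, int $now): string {
    // password_verify() reads the algorithm, cost and salt from the stored hash.
    // Verify first so that 'expired' is only ever reported to a holder of the right key.
    if (!password_verify($presented, $record['hash'])) {
        return 'invalid';
    }
    if ($record['expires_at'] !== null && $now >= $record['expires_at']) {
        return 'expired';
    }
    return 'ok';
}

$now = 1700000000; // constructed timestamp for the demo
[$plain, $record] = example_generate_connection_key(30, $now);

// The stored value is a hash, not the key itself.
var_dump($record['hash'] !== $plain);

// Correct key inside the 30-day window, wrong key, and correct key after expiry.
echo example_verify_connection_key($plain, $record, $now + 86400), "\n";
echo example_verify_connection_key('wrong-key', $record, $now + 86400), "\n";
echo example_verify_connection_key($plain, $record, $now + 31 * 86400), "\n";
```

Because only the hash is kept, a lost key cannot be recovered from the database and has to be regenerated.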

= Why is my API request rejected? =

Common causes: missing HTTPS (in production), expired request timestamp (check server/device clock), invalid connection key, or IP not on the allowlist (if configured).

= How do customers submit support requests? =

Add `[cartman_support_form]` to a WordPress page. Customers enter their order ID, billing email, and message. Verified submissions create a ticket and email your store.

== Screenshots ==

1. CartMan Connect settings page with connection details and security options.
2. Customer support form rendered via shortcode.

== Changelog ==

= 1.6.4 =
* WordPress.org review: load wp-admin includes only when required and call their functions immediately
* Base64 product uploads use image.php helpers only; URL sideloads use media.php via media_sideload_image()

= 1.6.3 =
* Proper WooCommerce refunds from the app via wc_create_refund (line items, restock, totals)
* PATCH status=refunded now creates a real refund record instead of only changing status
* POST /orders/{id}/refund endpoint for explicit refunds from CartMan

= 1.6.2 =
* Block refund status changes from the app (refunds must be processed in WooCommerce admin)
* Harden order list/detail API against plugin conflicts and malformed order data
* Declare WooCommerce HPOS (custom order tables) compatibility
* Add admin URL on order detail responses for mobile deep links

= 1.6.1 =
* Internal identifiers migrated to cartman prefix (API, options, shortcodes)
* OAuth client ID and redirect schemes updated for the CartMan app

= 1.6.0 =
* Rebranded to CartMan Connect for WooCommerce (slug: cartman-connect) for WordPress.org compliance
* Distinctive plugin name; third-party disclaimer; scoped admin notices
* Plugin URI and Author URI are separate

= 1.5.6 =

= 1.5.4 =
* Custom fields: only schema-defined and explicitly allowlisted meta keys are exposed (no more plugin junk like PEWC_, EKIT_, WCBOOST_)
* Empty non-schema meta values are hidden from the mobile app

= 1.5.3 =
* Fixed auth lockout blocking valid OAuth/application password logins after failed attempts
* Successful login now clears IP lockout automatically

= 1.5.2 =
* Fixed OAuth "Invalid OAuth request" for Expo Go and development redirect URIs (exp://)
* Improved OAuth redirect URI validation and clearer error messages
* Discover endpoint now validates redirect_uri before login

= 1.5.1 =
* Fixed OAuth / application password authentication for REST API requests
* Extended connection test with store software health and admin shortcut URLs

= 1.5.0 =
* Added product custom fields / meta support for the mobile app (read, write, schema endpoint)
* Expose all product attributes including descriptive (non-variation) attributes
* Admin settings for extra meta keys and mobile custom field schema

= 1.4.0 =
* Extended product API: categories, tags, shipping dimensions, tax, inventory, sale dates, and variable products with variations
* Added GET /products/tags endpoint for mobile product editor

= 1.3.0 =
* Added store OAuth login for the mobile app (authorization code + PKCE)
* Mobile users can log in on their WordPress site instead of pasting keys manually

= 1.2.0 =
* Added optional connection key expiry (never expire by default, or expire after N days)
* Added security hardening: hashed keys, HTTPS enforcement, rate limiting, auth lockout, audit log, IP allowlist
* Added support tickets and customer support shortcode
* Added order status updates via REST API
* Added sales reports and transaction endpoints

= 1.1.0 =
* Added support system and improved mobile API responses

= 1.0.0 =
* Initial release

== Upgrade Notice ==

= 1.6.4 =
Compliance update for WordPress.org plugin review. Safe to upgrade.

= 1.6.3 =
Enables proper in-app refunds through WooCommerce refund records.

= 1.2.0 =
Regenerate your connection key after upgrading and reconnect the mobile app.
