FlexiLay Gateway for WooCommerce

Changelog

1.3.0

  • Security: Added HMAC-SHA256 webhook signature verification for all incoming plan status updates from FlexiLay backend
  • Security: Enforced HTTPS for API base URL in production environments
  • Security: Added rate limiting on onboarding registration and pairing endpoints
  • Security: Stripe URL extraction now validates URL starts with https://connect.stripe.com/
  • Security: Removed deprecated order_set_status endpoint — order status now managed exclusively via verified webhooks
  • Improvement: Added comprehensive security event logging (WP_DEBUG_LOG)
  • Improvement: Enhanced error handling in payment flow — HTTP status codes now properly handled
  • Improvement: Added X-Flexilay-Api-Key header to draft plan creation for proper API authentication
  • Improvement: Added merchant pairing check before checkout — prevents customer confusion if merchant not configured
  • Improvement: Order lifecycle now mirrors Shopify flow: on-hold → processing → completed/cancelled
  • Improvement: Plan status webhooks add order notes for full audit trail
  • Improvement: Added WooCommerce minimum version check at runtime (8.0+)
  • Fix: Refund endpoint now calls correct backend path (/api/plans/{id}/refund)

1.2.6.6

  • Improved legal acceptance save validation in the WooCommerce admin.
  • Shows a clear error when FlexiLay accepts the request but does not persist acceptedDocs server-side.
  • Version bump for admin onboarding diagnostics.

1.2.6.5

  • Fix onboarding completing before legal documents are saved
  • Require Save acceptance before legals count as complete
  • Prevent final legal checkbox from jumping to the completion screen before save

1.2.6.4

  • Clear stale local pairing state when a merchant has been deleted and onboarding is started again.
  • Stop legal document acceptance from being restored from old browser local storage on a fresh install.
  • Normalise onboarding status so Register & Pair, Stripe, and Legals only show complete when the current merchant state supports it.

1.2.6.2

  • Fix onboarding status incorrectly showing as complete
  • Fix stale API key causing false registration state
  • Improve onboarding step validation (Register & Pair)
  • WooCommerce 10.6.2 compatibility update

1.2.6.1

  • Initial onboarding state fix

1.2.6.0

  • Replaced raw admin footer Crisp injection with a proper enqueued admin script.
  • Expanded REST plan ID route patterns to support hyphens, underscores, and mixed-case identifiers.
  • Prevented signed requests from falling back to an empty secret.
  • Added API base URL sanitization and normalization.
  • Removed inline admin app container styling from render output.
  • Updated readme wording to describe native WordPress admin screens.
  • Added an explicit WooCommerce dependency admin notice.
  • Removed duplicate ABSPATH guard in the gateway class.
  • Refreshed readme metadata and changelog for the current release.

1.2.5.0

  • Previous release.

Author: flexilay
Version: 1.3.0
Last Updated: April 9, 2026
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4
