Hardening: shortcode output from indyzen_wellness_sync_shortcode_html is passed through wp_kses_post() before display (WordPress.org escaping guidance for filtered HTML)
Hardening: Zenoti API requests use wp_safe_remote_get / wp_safe_remote_post instead of wp_remote_*
languages/index.php now includes the standard ABSPATH guard
1.2.1
Version bump: readme stable tag and front-end asset version aligned with WordPress.org packaging after shortcode prefix review
1.2.0
Align distribution identity: plugin name Indyzen Wellness Sync for Zenoti, text domain and admin slug indyzen-wellness-sync, main file indyzen-wellness-sync.php, release zip folder indyzen-wellness-sync
Breaking change for developers: all extension hooks and internal identifiers now use the indyzen_wellness_sync_* prefix (replacing zenoti_pulse_*). Update any add-on (including Pro) accordingly
One-time migration copies saved settings and active caches from legacy option/transient keys where present; legacy draft-booking transients are cleared
Consolidated public changelog to three releases for clarity
1.1.0
Queue API as default availability strategy; Service ID throughout (replaces legacy booking-ID flow); optional service_id shortcode attribute
Availability Strategy selector: Queue API, Standard Booking (draft booking + slots), or Manual therapist/appointment gap calculation
Guest ID field and 30-minute draft booking transient cache for Standard Booking
Extension hooks for strategies, API normalization, slot pipeline, and shortcode rendering
Queue API request body and error handling aligned with Zenoti (including soft handling of some 400 responses)
WordPress 6.9 tested; GPLv2 or later license alignment; languages/ directory and .distignore packaging hygiene
External Pro add-on documented (LemonSqueezy); External Services section in readme; in-plugin license field and related cron removed from free plugin
Uninstall removes plugin options and main availability cache
