=== 2WayMicropay ===
Contributors: qixitteam, dreardon
Tags: micropayments, paywall, monetization, authors, comments
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 4.0.19.3
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Monetize WordPress content with low-cost purchases, author onboarding, revenue sharing, and optional paid comments.

== Description ==

2WayMicropay connects your WordPress site to the Qixit Products Portal so you can:

- Gate content behind purchase links
- Support author onboarding and author commerce
- Configure author revenue sharing
- Enable paid comments or unpaid comments per post
- Sync product settings from WordPress to Qixit

This plugin is intended for site owners who use Qixit vendor and site API credentials.

== External services ==

This plugin connects to Qixit-hosted services to create/sync products, verify purchases, and render purchase/payment flows.

Service endpoints used by this plugin may include:

- Products API base URL configured in plugin settings (default Qixit endpoints)
- `https://products.qixit.com` for frontend purchase/payment user flows
- `https://products.qixit.com/sdk/qixit.js` for purchase/embed runtime behavior
- Branding manifest endpoint (`/api/branding/config`) when branding assets are loaded

Data sent to Qixit services may include:

- Site API key (`X-API-Key`) configured by the site owner
- App identifier (`X-App-ID`) used for integration attribution (non-secret)
- Product and payout identifiers (GUIDs)
- Callback and delivery URLs for products
- Current user identity references where required for purchase/ownership checks

The service is provided by 2WayMicropay/Qixit:

- Terms: https://qixit.com/terms
- Privacy policy: https://qixit.com/privacy

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/` or install via the Plugins screen.
2. Activate the plugin through the WordPress Plugins menu.
3. Go to `2WayMicropay` settings in wp-admin.
4. Enter your vendor credentials and site API key.
5. Save settings and test API connection.

== Frequently Asked Questions ==

= Do I need to enter a developer key in WordPress settings? =

No. Site owners provide vendor credentials and site API key only.

= Can I allow unpaid comments? =

Yes. In the post settings metabox, select either paid comments or unpaid comments.

= Does this plugin ship privileged developer secrets? =

No. The plugin does not embed a privileged developer API secret.

== Changelog ==

= 4.0.19.3 =

- Fixes admin settings script loading on Qixit settings screens so diagnostic buttons are active.
- Fixes "Test API Connection" UI handling to show real success/error results from WordPress AJAX.
- Adds Site API Key validation preflight to "Resync All Products & Payouts" to prevent false-success runs.
- Improves product resync recovery by recreating stale/unauthorized product GUID mappings after key binding changes.

= 4.0.19.2 =

- WordPress Plugin Check cleanup release:
- Aligns plugin `Text Domain` header and all translation function domains to lowercase `2waymicropay` to satisfy WordPress text-domain format rules.
- Keeps callback financial onboarding behavior unchanged while resolving scanner i18n mismatches.
- Adds PHPCS nonce-review annotation to the hosted-checkout callback branch that cannot use wp-admin nonce transport.

= 4.0.19.1 =

- Compatibility-safe hardening update:
- Preserves prior checkout/callback behavior while adding optional callback-token verification.
- Restores legacy callback compatibility (tokens are enforced when present, not required for old links).
- Improves callback user resolution by preferring Qixit identity mappings (author settings/user meta) before legacy username fallback.
- Adds explicit inline security rationale comments for callback-based financial onboarding and account linking.

= 4.0.19 =

- Security and WordPress.org review hardening (WordPress.org resubmission build):
- Added one-time callback token validation for payment/onboarding/publish callback URLs.
- Added capability gates on account creation/update callbacks and post-status callback updates.
- Sanitized callback logging payloads and cookie JSON parsing paths.
- Moved debug logging to uploads (`wp_upload_dir`) and removed plugin-folder file writes.
- Switched plugin path/url constants to `plugin_dir_path(__FILE__)` and `plugin_dir_url(__FILE__)`.
- Frontend credit text is now opt-in (`qixit_show_frontend_credit`), default off.
- Escaped shortcode return content in high-risk callback/shortcode branches.

= 4.0.18.2 =

- Maintenance release: bumps plugin/package version for WordPress.org verification retest.

= 4.0.18.1 =

= 4.0.18 =

- Maintenance release for test-site deployment with WordPress.org compliance fixes from 4.0.17.

= 4.0.17 =

- WordPress.org readiness updates: replaced inline admin/frontend script/style tags with WordPress enqueue inline APIs.
- Hardened purchased/session cookie parsing by decoding and validating cookie payloads as sanitized post ID arrays.
- Removed manual `load_plugin_textdomain()` call (WordPress.org auto-loads plugin translations).
- Added `dreardon` to contributors metadata for directory attribution consistency.

= 4.0.16 =

- Site API connection status now validates via Site API key context only (no username/password login probe).
- Removed Run-As Alias override from plugin settings and request headers; attribution now follows Site API key context.
- Alias-scoped site-key checks now enforce effective account ownership for joint-account aliases.
- Image-link tooltip copy updated:
  - purchase: "Click to purchase" + second line with "- [price]" (no parentheses)
  - payout: "Click to earn" + second line with "+ [price] vendor credits" for vendor-credit payouts.
- Updated terminology in tooltip/display paths from "promo credits" to "vendor credits".

= 4.0.15 =

- Updated all plugin i18n calls to use text domain `2waymicropay` to satisfy Plugin Check domain validation.

= 4.0.14 =

- Added run-as alias fallback behavior so plugin API calls use Vendor Username when explicit Run-As Alias is blank.
- Improves product/payout attribution consistency for alias-based vendor sessions.

= 4.0.13 =

- WordPress.org readiness hardening:
  - Removed embedded privileged developer secret usage
  - Kept app identifier as non-secret attribution header
  - Removed custom update-manifest hooks for wp.org-safe distribution
  - Updated license metadata to GPL-2.0-or-later
  - Standardized plugin text domain to `2waymicropay`
  - Added additional output escaping in admin/plugin notices
  - Hardened request parsing with `wp_unslash()` in core admin/AJAX/frontend handlers
  - Switched local callback cleanup redirects to `wp_safe_redirect()` where appropriate
  - Tightened migration/query patterns with prepared values and scoped PHPCS justifications
- Added unpaid comments option and mutual exclusivity with paid comments
- Removed revision-charging options from author commerce settings
- Standardized UI branding tokens across paywall/comment/overlay surfaces

