=== RealNode Anti-Scalper ===
Contributors: emkaylabs
Tags: anti-bot, fraud prevention, checkout security, bot protection, captcha
Requires at least: 5.8
Tested up to: 7.0
Stable tag: 1.1.1
Requires PHP: 7.4
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Hardware-backed bot protection and fraud prevention for WooCommerce. Stops automated scalper bots at checkout using FIDO2/WebAuthn cryptographic attestation.

== Description ==

RealNode Anti-Scalper protects WooCommerce stores against automated purchasing bots and inventory hoarding. It integrates hardware-level identity verification directly into the checkout flow.

When a customer clicks "Place Order", RealNode requests a cryptographic proof from their device (TouchID, FaceID, or Windows Hello). This proof is generated inside the device's secure enclave and validated server-side before the order is processed.

= Three service tiers =

* **RN Insight** — Passive monitoring. Collects device signals without interrupting checkout.
* **RN Sentinel** — Active protection. Biometric verification is required at checkout for every order.
* **RN Vault** — Event-level control. Enforces per-user purchase quotas for high-demand ticket releases.

= Key properties =

* **No personal data collected** — only anonymous hardware identifiers (IDH) are transmitted
* **No friction for real users** — verification completes in under 1 second using native device biometrics
* **No performance impact** — the SDK loads asynchronously and does not affect page speed
* **No server maintenance** — fully managed SaaS infrastructure
* **Fail-open by design** — if the RealNode service is unreachable, checkout proceeds normally

= Requirements =

* An active RealNode account at [realnode.emkaylabs.tech](https://realnode.emkaylabs.tech)
* WooCommerce 6.0 or later
* Modern browsers with WebAuthn support (Chrome 67+, Firefox 60+, Safari 14+)

== External services ==

This plugin communicates with the RealNode API to provide hardware-backed bot protection. Two endpoints are used:

1. **RealNode SDK (api.emkaylabs.tech):** The plugin loads the RealNode JavaScript SDK on checkout pages to trigger the WebAuthn/FIDO2 verification prompt. Only anonymous hardware hashes (IDH) are transmitted — no personal data.
2. **RealNode Backend API (rn-v3-elite.onrender.com):** The plugin makes a server-to-server call to validate the cryptographic token generated during checkout and enforce purchase quotas. Data sent includes the ticket quantity and the anonymous hardware hash (IDH).

This service is operated by EMKAY LABS.

* Service page and legal information: https://realnode.emkaylabs.tech

== Installation ==

1. Upload the `realnode-antiscalper` folder to `/wp-content/plugins/`
2. Activate the plugin through the **Plugins** menu in WordPress
3. Go to **Settings > RealNode Anti-Scalper**
4. Paste your `pk_live_...` Public API key and your `sk_live_...` Secret key
5. Click **Save Settings** — protection is now active on your checkout

== Frequently Asked Questions ==

= Do I need to touch any code? =

No. The plugin automatically injects the SDK on checkout and cart pages and protects the WooCommerce "Place Order" button without any coding required.

= What happens to customers who don't have a compatible device? =

The plugin is fail-open by design. If a device does not support WebAuthn, verification is skipped and checkout proceeds normally. No legitimate customer is ever blocked.

= Does this slow down my site? =

No. The SDK loads only on cart and checkout pages, asynchronously, with no runtime dependencies. It has no effect on page speed for the rest of the site.

= Is my customers' biometric data sent to RealNode? =

No. Biometric data never leaves the device. WebAuthn generates a cryptographic signature inside the device hardware. RealNode receives only an anonymous hash — never the fingerprint or face scan itself.

= Is the Secret Key (sk_live_) safe in WordPress? =

Yes. The Secret Key is stored as a WordPress option and is only used in server-side PHP calls via `wp_remote_post()`. It is never exposed to the browser or included in any JavaScript output.

= Which WooCommerce checkout types are supported? =

Both the classic shortcode checkout (`[woocommerce_checkout]`) and the modern block-based checkout are supported. The plugin uses multiple CSS selectors to locate the "Place Order" button across different themes.

= What is the difference between Sentinel and Vault? =

Sentinel requires biometric verification at every checkout. Vault adds a purchase quota per user per event — each user can only buy a set number of tickets, enforced by hardware attestation.

== Screenshots ==

1. Settings page — paste your API keys to activate protection.
2. WooCommerce checkout — the "Place Order" button is intercepted seamlessly.
3. Biometric prompt — the user verifies their identity using their device (TouchID, FaceID, Windows Hello).

== Changelog ==

= 1.1.1 =
* Updated external service URLs in readme.txt.
* Updated event_id field description.

= 1.1.0 =
* Added multi-tier support: RN Insight, RN Sentinel, RN Vault.
* Added Secret Key (sk_live_) field for secure backend validation.
* Added device_token field to backend /consume validation payload.
* SDK injection restricted to cart and checkout pages only.
* Added fail-open logic with 5-second timeout on backend API calls.
* Added 30-second modal timeout with automatic fail-open fallback.

= 1.0.0 =
* Initial release.
* SDK injection with async loading.
* WooCommerce "Place Order" button protection.
* Settings page with API key and endpoint configuration.
* Graceful fail-open on unsupported devices.

== Upgrade Notice ==

= 1.1.1 =
Minor update. No settings changes required.

= 1.1.0 =
Adds multi-tier plan support (Insight, Sentinel, Vault) and requires a Secret Key for backend validation. Update your settings page after upgrading.
