=== Shark Booking by Carson ===
Contributors: carsonleung
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
Text Domain: shark-booking-by-carson
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Tags: booking, appointments, stripe, scheduling, calendar

Appointments, Stripe payments, and booking operations for WordPress.

== Description ==

Shark Booking by Carson is an installable plugin for businesses that need a streamlined appointment booking flow on any WordPress site.

Features:

* Admin booking list and calendar views (day, week, month) with filters.
* Service management with duration, buffers, pricing, currency, and active status.
* Resource management with service assignments and weekly schedule editing.
* Availability management with weekly rules and date-specific overrides.
* Frontend booking flow via shortcode; step labels and messages are built in (Flow Configuration provides the shortcode only).
* Email sender details (Email Configuration) for booking notifications; subjects and bodies use built-in templates.
* Stripe Checkout flow for bookings.
* Stripe webhook processing with idempotency safeguards.
* Quote and pricing engine.
* Manual admin actions for bookings (edit, delete, resend customer notification).
* Built-in FAQ screen and Contact entry point in the admin menu.
* Security hardening for public booking APIs (same-origin checks, rate limits, and nonce-aware permission callbacks for logged-in sessions).

Use `[booking_appointment_flow]` for the appointment booking flow.

== Installation ==

1. Upload the `shark-booking-by-carson` folder to `/wp-content/plugins/` (main file: `shark-booking-by-carson.php`).
2. Activate the plugin in the WordPress admin.
3. Go to `Bookings > Settings` and configure timezone, currency, and Stripe keys.
4. Create services under `Bookings > Services`.
5. Create resources under `Bookings > Resources`.
6. Add availability rules under `Bookings > Availability`.
7. Add `[booking_appointment_flow]` to a page and publish it.
8. Configure the Stripe webhook endpoint to:
   `/wp-json/sharkbooking/v1/stripe/webhook`

== Frequently Asked Questions ==

= How do I set up the plugin for the first time? =

Configure timezone and currency in Settings, then create Services, Resources, and Availability rules.

= How do I create a booking page? =

Create or edit a WordPress page and add the shortcode `[booking_appointment_flow]`, then publish the page.

= What can I manage in the admin area? =

You can manage bookings, services, resources, availability, email sender details (Email Configuration), Stripe keys, and other site preferences. `Bookings > Flow Configuration` is for copying the appointment shortcode only.

= Can I customize labels and messages on the booking steps? =

No. Customer-facing wording uses built-in defaults. Flow Configuration only provides the shortcode.

= Does it support customer packages or add-on bundles? =

No. There is no package balance or bundled add-on catalog; use Services and Resources for what customers book.

= How do I configure booking notification emails? =

Use Email Configuration to set the From name and From address. Message subjects and bodies are fixed built-in templates.

= Can I edit email subjects or bodies in the admin? =

No. Only the sender name and address are configurable; template wording is defined by the plugin.

= Does it support multiple staff members or rooms? =

Yes. Each resource can be assigned to specific services and can have its own weekly and date-specific availability.

= How does Stripe confirmation work? =

Bookings are finalized after Stripe webhook confirmation at `/wp-json/sharkbooking/v1/stripe/webhook`.
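
An added example, not taken from the plugin's source, of the checks a webhook callback needs before it finalizes a booking: the `Stripe-Signature` header verified over the raw request body, then deduplication on the event id. All `example_*` function, option, and action names are hypothetical, and treating `checkout.session.completed` as the finalizing event is an assumption.

```php
<?php
// Added example, not the plugin's code; all example_* names are hypothetical.
// Stripe-Signature is "t=<unix ts>,v1=<hex hmac>[,v1=...]"; Stripe signs
// "<t>.<raw body>" with HMAC-SHA256 keyed by the endpoint's signing secret.
function example_verify_stripe_signature( string $raw, string $header, string $secret, int $tolerance = 300 ): bool {
	$timestamp  = null;
	$signatures = array();
	foreach ( explode( ',', $header ) as $part ) {
		[ $key, $value ] = array_pad( explode( '=', trim( $part ), 2 ), 2, '' );
		if ( 't' === $key && ctype_digit( $value ) ) {
			$timestamp = (int) $value;
		} elseif ( 'v1' === $key ) {
			$signatures[] = $value;
		}
	}
	if ( null === $timestamp || abs( time() - $timestamp ) > $tolerance ) {
		return false; // Missing or stale timestamp: refuse replayed deliveries.
	}
	$expected = hash_hmac( 'sha256', $timestamp . '.' . $raw, $secret );
	foreach ( $signatures as $candidate ) {
		if ( hash_equals( $expected, $candidate ) ) { // Constant-time comparison.
			return true;
		}
	}
	return false;
}

// REST callback for a webhook route: verify, deduplicate, then finalize.
function example_handle_stripe_webhook( WP_REST_Request $request ) {
	$raw    = $request->get_body(); // Check the raw bytes, never re-encoded JSON.
	$secret = (string) get_option( 'example_stripe_webhook_secret', '' ); // Assumed storage.
	$header = (string) $request->get_header( 'stripe-signature' );
	if ( '' === $secret || ! example_verify_stripe_signature( $raw, $header, $secret ) ) {
		return new WP_Error( 'example_bad_signature', 'Invalid signature.', array( 'status' => 400 ) );
	}
	$event = json_decode( $raw, true );
	if ( ! is_array( $event ) || ! is_string( $event['id'] ?? null ) ) {
		return new WP_Error( 'example_bad_payload', 'Malformed event.', array( 'status' => 400 ) );
	}
	// add_option() returns false when the row already exists, so a redelivered event is skipped.
	if ( ! add_option( 'example_evt_' . hash( 'sha256', $event['id'] ), time(), '', false ) ) {
		return new WP_REST_Response( array( 'duplicate' => true ), 200 );
	}
	if ( 'checkout.session.completed' === ( $event['type'] ?? '' ) ) {
		do_action( 'example_booking_paid', $event['data']['object'] ?? array() );
	}
	return new WP_REST_Response( array( 'received' => true ), 200 );
}
```

`add_option()` checks for the row before inserting, so two simultaneous deliveries of the same event can both pass; a dedicated table with a unique key on the event id closes that gap.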

= Can admins manually create or edit bookings? =

Yes. Admins can create, edit, update status, send notifications, and delete bookings from Booking List and Calendar.

= Does this plugin connect to external services? =

Yes, in three feature-specific cases:

* Stripe payment and webhook APIs are used for checkout/payment processing when Stripe keys are configured.
* Freemius is bundled for voluntary opt-in telemetry, billing, updates, and account pages initiated from wp-admin (`Bookings > Subscription`).
* If an admin submits the in-plugin Contact form (`Bookings > FAQ`), the entered name, email, and message are sent to Shark Booking by Carson support via email.

= What if email delivery fails? =

The plugin uses WordPress `wp_mail()`. Delivery depends on your hosting mail setup or SMTP/mail plugin.

== External services ==

= Stripe =

This plugin uses Stripe Checkout and webhook APIs to process booking payments.

Data sent: checkout/payment fields such as transaction amount, selected items, customer email, and callback metadata needed to reconcile booking records.

When sent: when a customer starts checkout and when Stripe calls the webhook endpoint after payment events.

Terms of Service: https://stripe.com/legal/ssa
Privacy Policy: https://stripe.com/privacy

= Freemius =

This plugin uses Freemius for voluntary site registration, subscriptions, billing, and telemetry when admins interact with SDK-driven account pages.

Data sent: standard Freemius installation and account telemetry as described by Freemius when opted in.

When sent: when admins open Subscription / account pricing pages or enroll in telemetry through the SDK.

Terms of Service: https://freemius.com/terms/
Privacy Policy: https://freemius.com/privacy/

== Changelog ==

= 1.0.0 =

* Admin: Flow Configuration no longer edits step labels or messages; the screen only explains built-in copy and provides the `[booking_appointment_flow]` shortcode. Removed the `save_flow_wording` admin action.
* Admin: FAQ and Subscription copy updated.

= 0.2.30 =

* Admin: Email Configuration no longer exposes template subject/body or enable controls; saving only updates From name and address. Stored defaults from the plugin still drive notification content.
* Admin: FAQ and Subscription copy updated to match built-in email templates.
* Email: Diagnostic message when a template is disabled no longer references the Email Configuration screen.

= 0.2.29 =

* Admin: Flow Configuration and Email Configuration now save editable frontend copy and email templates using existing sanitization helpers; template fields (enable, recipient, subject, body) appear on Email Configuration.
* Admin: FAQ copy aligned with flow/email customization and clarified that package balances and add-on catalogs are not included.
* Removed unused legacy `public/views/booking-form.php` view (booking uses `appointment-flow.php`).

= 0.2.28 =

* Security: Admin GET readers verify the screen nonce in the same code path as `wp_verify_nonce()` (per-key gate) so Plugin Directory tooling and reviewers can validate intent alongside sanitization.
* Security: Admin POST actions sanitize fields directly from `$_POST` (no bulk `wp_unslash( $_POST )`); service price uses numeric validation; resource weekly hours read from POST only after the admin action nonce passes.
* Security: Admin notices and contact modal require a valid screen nonce before reading `booksh_notice` / `booksh_contact`.
* Security: REST booking POST permission callback uses an explicit nonce result variable for logged-in sessions (same-origin and `wp_rest` behavior unchanged).
* Add `uninstall.php` and `includes/class-uninstaller.php` for standard directory uninstall handling when “delete data on uninstall” is enabled (shared with Freemius `after_uninstall` cleanup).
* Admin: PHPCS `NonceVerification` / `ValidatedSanitizedInput` fixes (scoped `phpcs:disable` where verification is delegated; `price_major` unslashed before sanitization).

= 0.2.27 =

* Admin: Plugin Check/WPCS compatibility for Shark Booking GET handling (`admin/class-admin-pages.php`): explicit nonce/sanitized-input sniff directives, `sanitize_text_field` notice parsing, refined `admin_screen_compute_query_trust()` helper.

= 0.2.26 =

* Admin: Shark Booking screens now pair plugin GET state with a reusable screen nonce; filter forms include the hidden field automatically and redirects/significant links refresh the token.
* Harden POST admin actions around explicit sanitized field maps before handing data to repositories and services.
* Public shortcode/views: removed `FILTER_UNSAFE_RAW`-based GET reads for booking-return flags (shortcode sanitizes booking reference lookup first).
* Documented REST `permission_callback` rules for authenticated vs anonymous booking POST helpers.

= 0.2.25 =

* Admin: removed the Available Email Codes reference block from Email Configuration (templates still accept `{{placeholder}}` values in subjects and bodies).

= 0.2.24 =

* Admin: Subscription page shows a Free vs Pro comparison (cards and feature table) instead of the Freemius info blurb.

= 0.2.23 =

* Free-tier build: appointment booking, Stripe, and emails only — removed packages, add-on upsells, related REST routes, legacy DB tables/columns (with migration on upgrade), and updated admin/marketing copy accordingly.

= 0.2.22 =

* Added booking calendar day/week/month views with richer filtering.
* Added admin booking quick actions, including manual customer notification sending.
* Improved Stripe webhook handling with deduplication.
* Hardened public REST booking endpoints with same-origin checks, throttling, and nonce-aware permission callbacks for logged-in sessions.
* Improved booking and payment summaries across frontend flow steps.

= 0.1.0 =

* Initial release with services, resources, availability rules, bookings, Stripe checkout, webhook confirmation, and email notifications.
