=== Shed Turnstile ===
Contributors: teamstaccato
Tags: turnstile, cloudflare, bot-protection, spam, captcha
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.1
Stable tag: 1.0.6
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Centralized Cloudflare Turnstile management with a shared API for other plugins.

== Description ==

Shed Turnstile provides centralized management of the Cloudflare Turnstile Site Key and Secret Key, and offers a shared API for compatible plugins such as Shed Form.

**Features:**

* Centralized Site Key / Secret Key management
* API functions callable from other plugins
* Turnstile widget rendering helper
* Server-side token verification

= API Functions =

* `shedturn_is_configured()` — Check if keys are configured
* `shedturn_render_widget( $args )` — Return widget HTML
* `shedturn_verify_token( $token, $ip )` — Verify a Turnstile token
* `shedturn_enqueue_script()` — Enqueue Cloudflare JS
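
The 1.0.5 changelog entries (sanitized `$ip`, no `HTTP_CLIENT_IP` trust, `is_array()` guard on the decoded response) describe hardening around server-side token verification. The PHP below is an added example of those three checks, not the plugin's own code: every `example_*` function is hypothetical, the inputs are constructed, and `secret`, `response`, `remoteip` and `success` are field names of Cloudflare's siteverify API.

```php
<?php
// Added example. All example_* names are hypothetical, not the plugin's code.

// Accept only a syntactically valid IPv4/IPv6 address; anything else becomes ''.
function example_sanitize_ip( $ip ): string {
    if ( ! is_string( $ip ) ) {
        return '';
    }
    $ip = trim( $ip );
    return filter_var( $ip, FILTER_VALIDATE_IP ) !== false ? $ip : '';
}

// Use only REMOTE_ADDR (the TCP peer). Client-supplied headers such as
// HTTP_CLIENT_IP are ignored because any client can set them to any value.
function example_client_ip( array $server ): string {
    return example_sanitize_ip( $server['REMOTE_ADDR'] ?? '' );
}

// Build the POST body for siteverify. remoteip is optional, so an invalid
// address is dropped instead of being forwarded to the third-party service.
function example_siteverify_body( string $secret, string $token, $ip ): array {
    $body = [ 'secret' => $secret, 'response' => $token ];
    $ip   = example_sanitize_ip( $ip );
    if ( $ip !== '' ) {
        $body['remoteip'] = $ip;
    }
    return $body;
}

// Fail closed: only a decoded array whose success field is boolean true passes.
function example_is_verified( string $raw_response ): bool {
    $data = json_decode( $raw_response, true );
    return is_array( $data ) && ( $data['success'] ?? false ) === true;
}

// Constructed inputs: a forged header next to the real peer address.
$server = [ 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => '198.51.100.99' ];
var_dump( example_client_ip( $server ) );

// Caller-supplied $ip carrying injected header text is rejected, not forwarded.
var_dump( example_siteverify_body( 'SECRET_PLACEHOLDER', 'TOKEN_PLACEHOLDER', "1.2.3.4\r\nX: y" ) );

// Constructed response bodies: valid JSON object, JSON null, JSON string, HTML error page.
foreach ( [ '{"success":true,"error-codes":[]}', 'null', '"success"', '<html>502</html>' ] as $raw ) {
    var_dump( example_is_verified( $raw ) );
}
```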

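= Japanese Description =

Shed Turnstile centrally manages the Cloudflare Turnstile Site Key / Secret Key and provides a common API to compatible plugins such as Shed Form.

**Main features:**

* Centralized management of the Site Key / Secret Key
* API functions that can be called from other plugins
* Rendering helper for the Turnstile widget
* Server-side verification of tokens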

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/`, or install directly through the WordPress plugin screen.
2. Activate the plugin through the 'Plugins' menu.
3. Go to **Settings → Shed Turnstile** and enter your Cloudflare Turnstile Site Key and Secret Key.
4. Compatible plugins (e.g. Shed Form) will automatically detect and use the configured keys.

== Frequently Asked Questions ==

= Where do I get a Turnstile Site Key and Secret Key? =

Log in to your Cloudflare dashboard, navigate to Turnstile, and create a new site. The Site Key and Secret Key will be provided.

= Does this plugin work standalone? =

This plugin manages Turnstile keys and provides an API. To use Turnstile on your forms, you need a compatible form plugin such as Shed Form.

= Is Cloudflare Turnstile free? =

Yes. Cloudflare Turnstile is a free CAPTCHA alternative service.

== Screenshots ==

1. Settings page — enter your Cloudflare Turnstile Site Key and Secret Key.

== Third-Party Services ==

This plugin connects to Cloudflare's servers for Turnstile verification.

* Service: [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/)
* Privacy Policy: [https://www.cloudflare.com/privacypolicy/](https://www.cloudflare.com/privacypolicy/)
* Terms of Service: [https://www.cloudflare.com/website-terms/](https://www.cloudflare.com/website-terms/)
* Data sent: Turnstile token, site key, user IP address
* When: Each time a form with Turnstile enabled is submitted

== Upgrade Notice ==

= 1.0.6 =
Apply wp_unslash() to nonce field before verification for WordPress Coding Standards compliance.

= 1.0.5 =
Security hardening: sanitize externally-supplied IP address in verify_token(). Remove HTTP_CLIENT_IP trust.

= 1.0.4 =
Added i18n support and GPL-2.0 LICENSE file for WordPress.org compliance.

= 1.0.3 =
All prefixes renamed. If upgrading from 1.0.2 or earlier, existing Turnstile keys will be automatically migrated.

== Changelog ==

= 1.0.6 =
* Fixed: Apply wp_unslash() to nonce field in admin settings save handler
* Added: languages/shed-turnstile.pot for translation support

= 1.0.5 =
* Fixed: Sanitize externally-supplied $ip parameter in shedturn_verify_token()
* Fixed: Remove HTTP_CLIENT_IP trust in shedturn_get_client_ip() (spoofable header)
* Fixed: Add is_array() guard on json_decode result
* Added: Screenshots section to readme.txt

= 1.0.4 =
* Added: GPL-2.0 LICENSE file
* Added: Domain Path header
* Fixed: i18n — all user-facing strings wrapped with __()
* Fixed: uninstall.php now removes legacy wsf_turnstile_* options

= 1.0.3 =
* Changed: All function, class, constant, hook, and option prefixes renamed from wst_/WST_ to shedturn_/SHEDTURN_/Shedturn_.

= 1.0.2 =
* Changed: Plugin slug
