Precision Live Rates for WooCommerce

Changelog

0.2.39

• WP.org reviewer round 3. OnboardingWizard::renderField() refactored to take typed bool $required and ?int $maxLength parameters instead of an opaque $extraAttrs HTML-fragment string. Every dynamic value is now individually esc_attr()-escaped at the echo site, eliminating the WordPress.Security.EscapeOutput.OutputNotEscaped warning without resorting to a phpcs:ignore. Fixed two more 404 URLs in the External services + Privacy sections: ShipEngine terms now points to https://www.shipengine.com/terms-of-service/ and the privacy policy to https://auctane.com/privacy-policy/ (ShipEngine’s parent company).

0.2.38

• Hotfix for the admin-page styling regression introduced in 0.2.37: the CSS enqueue’s strpos($hookSuffix, ...) check was matching against the text domain string instead of the admin menu slug, so the precision-live-rates-admin stylesheet never enqueued on a fresh install. Pinned the check to AdminScreen::PAGE_SLUG so it stays in sync with the menu slug regardless of what the text domain is renamed to.

0.2.37

• Text domain now matches the WP.org-assigned plugin slug. Renamed from precision-live-rates to precision-live-rates-for-woocommerce across every __(), _e(), esc_html__(), etc. call (251 sites), the plugin header, the Plugin::TEXT_DOMAIN constant, the privacy exporter/eraser slug, the WC Blocks integration name, the phpcs.xml configured text domain, and the language file names. Existing translations on translate.wordpress.org will now resolve correctly once the plugin is published. The admin menu slug (?page=precision-live-rates), CSS class prefixes, option/transient keys, and hook prefixes are unchanged.

0.2.36

• WP.org reviewer remediation round 2. dvdoug/boxpacker upgraded from 3.12.1 to 4.1.1 (InfalliblePacker → Packer::throwOnUnpackableItem(false), getKeepFlat() → getAllowedRotation()). Minimum PHP bumped 8.1 → 8.2 to match the new boxpacker requirement. Vendor dev artifacts (*.feature, *.py, *.ps1, vendor/dvdoug/boxpacker/docs/, vendor/dvdoug/boxpacker/features/) now stripped from the submission zip via the build script’s extension + path excludes. BoxCatalogScreen::carriersField() now runs each POSTed allowed_carriers entry through sanitize_key() before the value reaches update_option(). Fixed two USPS URLs in the External services section that returned 404.

0.2.35

• WP.org reviewer remediation. Removed all premium-tier license / auto-update infrastructure references from shipped code (no License tab, no registerLicensing() method, no premium-tier mentions in the readme) so the plugin is fully GPL-compliant per Guideline 5. Renamed the PHP namespace from the generic Acme\PrecisionRates to a project-specific PrecisionLiveRates per the prefix-uniqueness guideline. Tightened nonce handling in the SettingsPage and BoxCatalogScreen guard methods — $_POST['_wpnonce'] now flows through sanitize_text_field() before wp_verify_nonce(). Removed the comparative-marketing paragraph from the description per directory-content rules. Added a Requires Plugins: woocommerce header. Replaced broken GitHub URLs in the plugin header. Expanded the External services section with explicit data-flow, ToS, and privacy-policy links for ShipEngine, UPS, and USPS.

0.2.34

• WP.org Plugin Check round 3 — final cleanup pass. Plugin slug renamed from wc-precision-rates to precision-live-rates to clear the trademarked_term reviewer warning (wc is reserved for WooCommerce trademark protection). Bulk rename touches text domain, hook prefixes (precision_live_rates_*), constants (PRECISION_LIVE_RATES_FILE / _DIR), CSS asset handles, form-field prefixes (plr_*), and the plugin entry filename (precision-live-rates.php). The three remaining AuditLog SQL warnings (WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber, UnfinishedPrepare, and the $wpdb->insert() DirectQuery warning) are now suppressed with the correct phpcs rule names — the previous phpcs:disable bands had WordPress.DB.PreparedSQL.NotPrepared listed, which is a different sniff than the PreparedSQLPlaceholders.* family that Plugin Check actually flags. Result: zero Plugin Check errors, zero warnings.

0.2.33

• Plugin Check round 2 — moved the auto-update-bridge code out of the WP.org-bundled tree so the forbidden pre_set_site_transient_update_plugins token no longer appears in any shipped file. Excluded WP-ORG-SUBMISSION.md and any root *.md from the submission build. Removed the redundant load_plugin_textdomain() call (WP 4.6+’s just-in-time loader handles this). Migrated the AuditLog INSERT to $wpdb->insert() to clear UnescapedDBParameter warnings.

0.2.32

• WP.org Plugin Check remediation pass. ABSPATH guards added to every PHP file under src/; 20 throw-site interpolated values wrapped in esc_html() or annotated as chained-Exception; Tested up to: bumped 6.6 → 6.9; readme tags trimmed 12 → 5; short description trimmed to 121 chars; .gitkeep files excluded from the build script; composer.json now ships alongside vendor/; $_SERVER[‘REMOTE_ADDR’] now flows through wp_unslash + sanitize_text_field; AuditLog SQL strings inlined into $wpdb->prepare() to clear false-positive UnescapedDBParameter warnings; TransientStorage prefix-DELETE warnings annotated.

0.2.31

• Internal infrastructure work. No user-facing changes.

0.2.30

• Customer-facing polish (BACKLOG E5). Three cart/checkout enhancements: (1) delivery-date badges — small “Arrives Wed, May 6” labels appended to each shipping option, with relative phrasing for today/tomorrow; (2) carrier logos — small inline-SVG marks (UPS, USPS, FedEx, DHL, Stamps.com) prepended to each rate label using carrier-brand colours but generic text marks (no trademark issues); (3) free-shipping threshold — flips the cheapest rate to FREE once the cart subtotal exceeds the configured value. New Settings → Customer-facing polish section with three toggles (delivery dates ON, carrier logos ON, threshold cents 0 = disabled). New WooCommerce\CustomerPolish class with 14-test coverage.

0.2.29

• Audit log (BACKLOG E8). New Audit\AuditLog class + custom DB table records every state-changing admin action: settings saves, box CRUD, service-filter changes, cache clears, ShipEngine connection tests. New “Audit log” tab on the AdminScreen renders the most recent 100 entries with filter-by-event-type + paginated history; CSV export available. 30-day retention via daily cron (precision_live_rates_audit_prune); the cron event + retention window are filterable. Schema bootstraps idempotently via dbDelta() on admin_init so first-time installs see the table appear without an explicit activation hook. 10-test AuditLogTest + new InMemoryWpdb test double covering insert / SELECT / count / pagination / prune / CSV / event-slug stability.

0.2.28

• International ZIP / postal-code coverage (BACKLOG E4). New Support\AddressInference free function class extracted from the ShipEngine mapper: stateFromPostalCode($postal, $country) dispatches by ISO country code to US (50 states + DC + PR), Canada (10 provinces + 3 territories via the leading postal-code letter), or GB / UK (ENG / SCT / WLS / NIR via the postcode area prefix). Other countries pass through with empty state — ShipEngine doesn’t strictly require it for non-US/CA shipments. ShipEngineRateMapper::buildAddress() now uses the new helper for any country with no user-supplied state, so a Toronto M5V address with state blank produces state_province: ON in the ShipEngine payload, an Edinburgh EH1 address produces SCT, etc. 49-test parametric AddressInferenceTest covers ~20 Canadian postal-code prefixes, 16 UK postcode areas, and the dispatch-by-country surface.

0.2.27

• WordPress.org submission prep. Plugin header URIs and Author updated from placeholders to the real values; readme.txt Contributors set to sulemanshahjahan; Description string in the plugin header updated to reflect the actual ShipEngine/UPS/USPS/FedEx/DHL surface; Tested up to bumped to 6.6. Static pre-flight scan against plugin-check expectations: zero hits for eval/exec/system/shell_exec/passthru/proc_open, zero sslverify=>false, zero unserialize of HTTP bodies, zero translation calls without text domain, all __()/_e()/etc. calls use the static precision-live-rates text domain. New composer ci script bundles lint + stan + test + probe-mo for one-command pre-submission verification.

0.2.26

• readme.txt polish for WP.org review (BACKLOG E7 partial). 4-paragraph description with concrete selling points; removed stale “no aggregators” non-goal that contradicted the ShipEngine integration; expanded FAQ to 8 questions covering ShipEngine signup, UPS rate negotiation, UPS/USPS direct, service hiding, combine_parcels, cache invalidation, international shipping, bug reports; new Screenshots block referencing 6 PNGs in /assets/ (placeholder until live captures land); README.md rewritten for the developer/contributor audience with an architecture skim and the prod-vendor classmap dance documented prominently. Trimmed in-readme changelog to the most recent five releases — full history stays in CHANGELOG.md.

0.2.25

• Privacy notice + GDPR consent (BACKLOG E6). New Admin\PrivacyNotice class wires three things: (1) a suggested privacy-policy boilerplate auto-registered into WP Settings → Privacy → Policy guide editor, naming ShipEngine explicitly and enumerating exactly what is and isn’t transmitted; (2) WordPress personal-data exporter + eraser hooks that report the plugin as compliant (the cache is keyed on parcel dimensions, not customer identity, so there’s nothing to export or erase); (3) a merchant-controlled toggle (Settings → Privacy) that, when enabled, renders a small “Shipping rates calculated using ShipEngine — Privacy policy” line under the cart and checkout shipping options. Default off; EU/UK merchants should turn it on. New PRIVACY.md documents the full data flow, retention windows, and compliance posture against GDPR / CCPA / Quebec Law 25.

0.2.24

• i18n bundle (BACKLOG E3). Plugin is now fully translatable: load_plugin_textdomain wired on plugins_loaded, .pot regenerated against the live source (192 strings), and Spanish (es_ES) and French (fr_FR) translations bundled. Set the WordPress site language to Español (España) or Français (France) to see the AdminScreen tabs, onboarding wizard, settings, and Rate Test screen render in the chosen locale. New CONTRIBUTING.md documents the translation contribution flow.

0.2.23

• Onboarding wizard fix: Step 2 (origin address) now redirects forward to the test-rate step on a successful save instead of re-rendering the same screen with a “saved” notice. The “Save & continue” button label now matches what the button actually does.

0.2.22

• First-activation onboarding wizard (BACKLOG E2). Replaces the cold settings-tab landing with a 4-step flow that takes a merchant from “just clicked Activate” to “first rate quoted” in under three minutes: welcome → ShipEngine API key (with inline Test connection) → origin address → run a test quote → finish. Skip-out link on every step; “Re-run onboarding” button under the Overview tab.

0.2.21

• Test suite restoration (BACKLOG E1). 315 tests → 389 tests, all green; phpstan level 8 and phpcs both clean. Two genuine bugs fixed along the way: usStateFromZip() mislabelled MA ZIPs (010xx-027xx) as Puerto Rico and didn’t recognise RI (028xx-029xx); and the cache-clear admin-post handler was crashing because the $tabUrl closure variable wasn’t imported.

For the full per-release history including 0.1.0 through 0.2.20, see CHANGELOG.md in the repo.