=== SAMPAY Payment Gateway for WooCommerce ===
Contributors: sampay
Tags: woocommerce, payments, mobile money, zambia, sampay
Requires at least: 6.0
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Redirect WooCommerce customers to the SAMPAY hosted secure checkout page.

== Description ==

This plugin adds SAMPAY as a WooCommerce payment gateway. It creates hosted checkout payment requests, redirects customers to the SAMPAY secure checkout page, stores transaction references on WooCommerce orders, and verifies status updates with the SAMPAY status API before updating WooCommerce orders.

The plugin sends `payment_method: mobile_money_zm`. Customers enter their 10 digit mobile money number on the SAMPAY checkout page, where SAMPAY detects Airtel, MTN, or Zamtel.

== Installation ==

1. Upload the plugin folder to `wp-content/plugins/sampay-payment-gateway`.
2. Activate the plugin in WordPress.
3. Go to WooCommerce > Settings > Payments > SAMPAY.
4. Enter your SAMPAY public API key and merchant secret key.
5. Copy the displayed webhook URL into your SAMPAY merchant dashboard if required.
6. Enable the gateway.

== Configuration ==

SAMPAY requires ZMW checkout currency, a merchant API key, and a merchant secret key. Payment initiation sends a signed JSON `POST` request to `/payments/initiate/checkout` with:

* `payment_method: mobile_money_zm`
* `callback_url: https://example.com/wp-json/sampay/v1/webhook`
* `success_url` set to the WooCommerce order received URL
* `failure_url` set to the WooCommerce order cancellation/payment retry URL

The plugin never sends a `provider` field. Protected API requests include `X-API-Key`, `X-Timestamp`, and `X-Signature`, where the signature is `hash_hmac( 'sha256', $timestamp . $payload, $secret_key )`. Status checks use an empty payload string for `GET /payments/{reference}`.

Return URL statuses are treated as reported statuses only. Webhook signatures are verified with `X-Webhook-Signature`, then the plugin calls `GET /payments/{reference}` and applies the verified status returned by SAMPAY.

== Changelog ==

= 1.1.1 =
* Updated hosted checkout initiation to `/payments/initiate/checkout`.
* Restored signed API requests and webhook signature verification for the current SamPay API.

= 1.1.0 =
* Reworked the gateway for SamPay hosted secure checkout.
* Uses the hosted checkout endpoint at `/payments/initiate/checkout`.
* Removed direct provider selection from checkout.
* Added signed API requests and webhook signature verification.
* Added status API verification before WooCommerce order status updates.

= 1.0.0 =
* Initial release.
