=== Mersal OTP ===
Contributors: mersal
Tags: otp, login, passwordless, woocommerce, whatsapp, verification, two-factor
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.8.0
License: GPLv3 or later
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Passwordless WordPress/WooCommerce login, signup & verification via one-time codes (Email, WhatsApp, SMS), styled with the new Mersal design system.

== Description ==

Mersal OTP is a focused, self-contained plugin that combines the proven Mersal
OTP functionality with the new "Design Files" UI direction. It ships:

* A polished, RTL/Arabic-aware **front-end flow** — Sign in → Verify → Success,
  plus Sign up — built from the Mersal design (3 themes: Green, Cyan, Light;
  light/dark; live language toggle).
* A new-design **admin app** (sidebar + topbar + pages) with a real Dashboard,
  OTP Settings, Appearance and Activity Logs.
* A real OTP engine: code generation, transient storage, per-IP rate limiting,
  verification, user login and signup.

= Channels =

* **Email** — works out of the box via `wp_mail()`.
* **WhatsApp / SMS** — pluggable. Connect a gateway with the filters below, or
  enable **Test mode** to demo the flow without a live gateway.
* **Google** — optional "Continue with Google" button (wire your provider via
  the `motp_google_login_url` filter).

== Installation ==

1. Copy the `mersal-otp` folder into `wp-content/plugins/` (or zip it and
   upload via Plugins → Add New → Upload).
2. Activate **Mersal OTP**.
3. Create a page and add the shortcode `[mersal_otp]` (alias: `[motp_login]`).
4. Open **Mersal OTP** in the admin sidebar to configure channels, messages,
   appearance and to view logs.

== Usage ==

Front-end shortcode:

`[mersal_otp]`

Optional attributes:

`[mersal_otp theme="cyan" lang="en"]`  (theme: green|cyan|light, lang: ar|en)

== For developers ==

Wire a real WhatsApp gateway:

`add_filter( 'motp_send_whatsapp', function ( $result, $phone, $message, $code ) {
    // ... call your gateway / the Mersal API here ...
    return array( 'ok' => true, 'message' => 'Sent via WhatsApp' );
}, 10, 4 );`

Same signature for SMS via `motp_send_sms`.
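
A fuller gateway callback for the `motp_send_whatsapp` filter, as an added example (not the plugin's own code). The endpoint URL, the `EXAMPLE_GATEWAY_KEY` constant and the JSON field names are hypothetical, and it assumes the plugin treats `'ok' => false` as a failed send:

```php
<?php
// Added example, not Mersal OTP's code. The endpoint, EXAMPLE_GATEWAY_KEY and
// the JSON field names are hypothetical placeholders for your own gateway.
add_filter( 'motp_send_whatsapp', function ( $result, $phone, $message, $code ) {
    // $code is deliberately unused here and is never written to logs.
    if ( ! defined( 'EXAMPLE_GATEWAY_KEY' ) ) {
        return array( 'ok' => false, 'message' => 'Gateway not configured' );
    }
    // Accept only E.164-style numbers before anything leaves the site.
    if ( ! preg_match( '/^\+?[1-9]\d{7,14}$/', (string) $phone ) ) {
        return array( 'ok' => false, 'message' => 'Invalid phone number' );
    }
    // HTTPS with certificate verification (the wp_remote_post() default) and a short timeout.
    $response = wp_remote_post( 'https://gateway.example/send', array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Bearer ' . EXAMPLE_GATEWAY_KEY,
            'Content-Type'  => 'application/json',
        ),
        'body'    => wp_json_encode( array( 'to' => $phone, 'text' => $message ) ),
    ) );
    if ( is_wp_error( $response ) ) {
        // Log the error code only: no phone number, message body or OTP.
        error_log( 'OTP gateway error: ' . $response->get_error_code() );
        return array( 'ok' => false, 'message' => 'Delivery failed' );
    }
    $status = wp_remote_retrieve_response_code( $response );
    if ( $status < 200 || $status >= 300 ) {
        error_log( 'OTP gateway HTTP status: ' . $status );
        return array( 'ok' => false, 'message' => 'Delivery failed' );
    }
    return array( 'ok' => true, 'message' => 'Sent via WhatsApp' );
}, 10, 4 );
```

Defining the key as a constant in `wp-config.php` keeps the credential out of the callback's source.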

Other hooks:

* `motp_phone_meta_keys` — array of user-meta keys used to find a user by phone.
* `motp_google_login_url` — URL for the "Continue with Google" button.

AJAX actions (front-end, nonce `motp_nonce`): `motp_send_code`, `motp_verify_code`.

== File map ==

* `mersal-otp.php` — bootstrap, constants, activation.
* `includes/class-mersal-otp-settings.php` — option store + defaults + sanitization.
* `includes/class-mersal-otp-core.php` — OTP generate/store/verify/send, user lookup, login/signup, logs/stats.
* `includes/class-mersal-otp-frontend.php` — `[mersal_otp]` shortcode + AJAX + the 4 design screens.
* `includes/class-mersal-otp-admin.php` — admin shell (sidebar/topbar) + Dashboard/OTP/Appearance/Logs.
* `assets/css/admin.css` — admin design system (themes + components), scoped under `.motp-app`.
* `assets/css/frontend.css` — front-end form themes + components, scoped under `.motp-frontend`.
* `assets/js/frontend.js` — front-end flow controller.
* `assets/js/admin.js` — admin shell interactions.

== Relationship to the source material ==

This plugin was assembled from two folders in the Mersal workspace:

* **Design Files/** — the React/CSS prototype that defines the look (themes,
  components, the admin shell, and the login/verify/success flow). Its CSS was
  ported (scoped) and its screens re-implemented as server-rendered markup so no
  build step or CDN React is needed.
* **MersalOTP/** — the original WooCommerce plugin that defines the *functions*.
  Its OTP patterns (random 6-digit code, 10-minute transient, per-IP rate limit,
  user lookup by email/phone, login + redirect) were re-implemented in a clean,
  self-contained engine.
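
The OTP pattern listed above (random 6-digit code, 10-minute transient, per-IP rate limit), sketched as an added example; it is not the plugin's engine. All `example_otp_*` names, the send limit and the attempt limit are assumptions:

```php
<?php
// Added example, not Mersal OTP's code; example_otp_* names and both limits are assumptions.
const EXAMPLE_OTP_TTL   = 600; // 10 minutes, as described above
const EXAMPLE_OTP_SENDS = 5;   // assumed sends allowed per IP per window
const EXAMPLE_OTP_TRIES = 5;   // assumed wrong guesses allowed per code

function example_otp_key( string $kind, string $value ): string {
    // Hash identifiers so raw phones, e-mails or IPs never appear in option names.
    return 'example_otp_' . $kind . '_' . hash( 'sha256', $value );
}

function example_otp_issue( string $identifier, string $ip ) {
    $rl_key = example_otp_key( 'rl', $ip );
    $sends  = (int) get_transient( $rl_key );
    if ( $sends >= EXAMPLE_OTP_SENDS ) {
        return false; // per-IP rate limit hit
    }
    set_transient( $rl_key, $sends + 1, EXAMPLE_OTP_TTL ); // window restarts on each send
    // random_int() uses the OS CSPRNG; rand() and mt_rand() are predictable.
    $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    set_transient( example_otp_key( 'code', $identifier ), array(
        'hash'    => wp_hash( $identifier . '|' . $code ), // keyed hash, never the code
        'tries'   => 0,
        'expires' => time() + EXAMPLE_OTP_TTL,
    ), EXAMPLE_OTP_TTL );
    return $code; // pass to the delivery channel only; do not log it
}

function example_otp_verify( string $identifier, string $submitted ): bool {
    $key   = example_otp_key( 'code', $identifier );
    $entry = get_transient( $key );
    if ( ! is_array( $entry ) || time() >= $entry['expires'] ) {
        return false; // never issued, already used, or expired
    }
    if ( hash_equals( $entry['hash'], wp_hash( $identifier . '|' . $submitted ) ) ) {
        delete_transient( $key ); // single use
        return true;
    }
    if ( ++$entry['tries'] >= EXAMPLE_OTP_TRIES ) {
        delete_transient( $key ); // guess budget spent: force a new code
    } else {
        // Keep the original expiry so wrong guesses cannot extend the code's life.
        set_transient( $key, $entry, max( 1, $entry['expires'] - time() ) );
    }
    return false;
}
```

Transient updates are not atomic, so concurrent requests can slightly exceed the attempt cap; a site that needs a hard limit would move the counter to a store with atomic increments.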

Implemented end-to-end:

* Front-end flow — sign in, sign up, verify (OTP boxes + resend timer), and a
  first-time **welcome** with an account summary. A sign-in attempt with no
  matching account automatically rolls into sign-up; logged-in users see a
  sign-out view.
* **Mersal account connection** — real SSO with mersal.it ("Login by Mersal" →
  token capture → /api/wordpress/user/me validation → gateways + api_key stored).
  WhatsApp OTPs are delivered through your connected gateway (/api/whatsapp/send).
* First-run **onboarding wizard**, **log out** / disconnect in the sidebar.
* Real admin pages (no placeholders): Dashboard, General, Email, Phone, WhatsApp,
  SMS, Google, OTP, Templates, Redirects (per-role), Shortcodes, Users, Activity
  Logs, Security (rate-limit + reCAPTCHA v3), Appearance, Mersal account.

Not (yet) carried over from the original suite: campaigns, abandoned carts,
meta/firebase message logs, the advanced country-code phone field. SMS delivery
needs an SMS gateway (wire `motp_send_sms`); Email + WhatsApp work today.

== Changelog ==

= 1.5.0 =
* Source protection: the distributed build is now obfuscated (comments stripped,
  string literals encoded, local variables scrambled) to protect the plugin's
  intellectual property against copying and tampering. No runtime extension
  required — runs on any standard PHP 7.4+ host.
* Hardened against direct file access and in-dashboard file editing.

= 1.3.0 =
* Notifications are now managed centrally from the Mersal dashboard. Admins create
  announcements at mersal.it (channel = WordPress) and the plugin pulls and shows
  them in the top-bar bell automatically — the local "create notification" form was
  removed in favour of a read-only synced list.

= 1.1.0 =
* Full plugin: Mersal SSO connection + gateway import + real WhatsApp sending,
  onboarding wizard, logout/disconnect, and real internal pages (General, Email,
  Phone, WhatsApp, SMS, Google, Templates, Redirects, Shortcodes, Users, Security).
* Default theme set to Quiet Light; Tajawal font; working dark mode + EN/AR
  toggles in the admin top bar.
* Rendering hardened: CSS/JS inlined and icons converted to inline SVG so the
  design renders even when external assets/fonts are blocked.

= 1.0.0 =
* Initial release: front-end OTP flow, admin app (Dashboard/OTP/Appearance/Logs),
  Email channel built in, WhatsApp/SMS via filters, 3 themes, AR/EN, light/dark.
