- Fix sync_users search: pass criteria in URL query string instead of
as data parameter (GET requests ignore body data), which caused every
user search to fail and fall through to create
- Improve validate_api_response to check Zoho-specific error codes
before generic HTTP errors, and include field-level detail in messages
- Add Last_Name fallback to display_name/username when meta is empty
- Sanitize Phone to digits-only, require 10+ digits, omit if invalid
- Bump HVAC_PLUGIN_VERSION to 2.2.11 to bust browser cache
Result: 65/65 trainers now sync successfully (was 0/65).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Zoho CRM sync appeared connected but silently failed to write data due to
unvalidated API responses. Sync methods now validate Zoho responses before
updating hashes, ensuring failed records re-sync on next run. Also fixes
staging detection to use wp_parse_url hostname parsing instead of fragile
strpos matching, adds admin UI for resetting sync hashes, and bumps
HVAC_PLUGIN_VERSION to 2.2.11 to bust browser cache for updated JS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add generate_sync_hash(), should_sync(), and should_sync_user() helper methods
- Modify all 5 sync methods to check hashes before syncing
- Add 'skipped' count to track unchanged records
- Update scheduled sync to aggregate and log skipped counts
This fixes the issue where 59 items were synced every scheduled run even
when no WordPress records had changed.
- Load HVAC_Zoho_Scheduled_Sync on ALL requests (not just admin)
so WP-Cron can find custom schedules and action hooks
- Add add_option hook for first-time setting creation
- Explicitly call schedule_sync() in save_settings() to ensure
scheduling works even when option value hasn't changed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix Client ID regex to allow lowercase letters
- Update HVAC_Zoho_CRM_Auth to use encrypted storage for all operations
- Update class-zoho-admin.php to use HVAC_Secure_Storage for credential retrieval
- Update OAuth callback to use secure storage for token storage
- Update Status.md with blocking production issue (400 Bad Request)
Note: Issue persists on production - needs further investigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. OAuth CSRF Protection:
- Added state parameter to OAuth authorization URL
- Generate and store state in transient (10 min expiry)
- Validate state on callback with timing-safe comparison
2. Debug Log Sanitization:
- Added sanitize_log_message() to mask credentials in logs
- Patterns mask client_id, client_secret, access_token, refresh_token
- Error handlers only expose file paths in WP_DEBUG mode
3. Move Inline JS to External File:
- Moved ~100 lines of inline JS to assets/js/zoho-admin.js
- Added redirectUri and oauthUrl to wp_localize_script
- Better CSP compliance and caching
4. Updated .gitignore to track includes/admin/ and includes/zoho/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace WooCommerce sync with Event Tickets (Tickets Commerce) support
- Add sync_attendees() for Contacts + Campaign Members
- Add sync_rsvps() for Leads + Campaign Members
- Fix user roles filter (hvac_trainer/hvac_master_trainer)
- Fix event query to include past events
- Update admin UI with new sync buttons
- Correct meta keys for Tickets Commerce (_tec_tickets_commerce_*)
- Correct meta keys for RSVPs (_tribe_rsvp_*)
Dry-run tested on staging:
- Events: 20 records
- Trainers: 53 records
- Attendees: 79 records
- RSVPs: 4 records
- Orders: 52 records
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
