=== PosLimitless Booking ===
Contributors: poslimitless
Tags: booking, reservation, escape-game, gift-card, events
Requires at least: 5.8
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 2.6.6
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Online booking system, client portal, gift cards and events for leisure centers.

== Description ==

PosLimitless Booking integrates PosLimitless booking modules directly into your WordPress site.

**Included modules:**

* **Booking** — Full booking system with calendar, time slot selection and online payment (Stripe, Monetico, Sogecommerce, CAWL)
* **Confirmation** — Summary and payment page with promo codes, gift cards and options
* **Client Portal** — Secure client portal with booking history, gift cards and photos
* **Gift Card** — Online gift card purchase with customization and live preview
* **Events** — Display public center events with registration

**Features:**

* 5 visual styles per module (Classic, Grid, Glassmorphism, Immersive, Dashboard)
* Full customization of colors, fonts and effects
* 6 pre-configured color packs
* Live preview in the WordPress admin
* Dark mode / light mode
* Mobile responsive
* Secure multi-gateway payment

== Installation ==

1. Upload the `poslimitless-booking` folder to `/wp-content/plugins/`
2. Activate the plugin in the Plugins menu
3. Go to PosLimitless > Configuration
4. Enter your Center ID and API Key (available in POS Limitless > API Keys)
5. Insert shortcodes into your pages

== Shortcodes ==

* `[poslimitless_booking]` — Booking module
* `[poslimitless_espace_client]` — Client portal
* `[poslimitless_bon_cadeau]` — Gift cards
* `[poslimitless_verif_bon_cadeau]` — Gift card balance check
* `[poslimitless_roue_chance]` — Lucky wheel
* `[poslimitless_event]` — Events

== Frequently Asked Questions ==

= Where can I find my Center ID and API Key? =

Log in to POS Limitless (poslimitless.web.app), go to Configuration > API Keys. You will find your Center ID there and can generate your API Key.

= How do I customize the appearance? =

Each module has its own appearance page in the PosLimitless menu. You can choose from 5 visual styles and customize all colors.

= Which payment methods are supported? =

Stripe, Monetico, Sogecommerce and CAWL. Configuration is done in POS Limitless.

== Changelog ==

= 2.6.6 =
* Improvement: client portal dashboard — reservations with status `pictureClient` (paid + photo captured on arrival) now show a clean "Payé" badge instead of the raw internal status string, alongside a small camera icon that jumps to the Photos tab on click. On mobile, the tab bar now performs a brief horizontal scroll hint on load when it overflows, so customers discover the off-screen Photos tab without having to swipe blindly.

= 2.6.5 =
* Fix: ad conversion value (Google Ads, Meta, TikTok, GA4) now reports the full reservation total after discounts/coupon, instead of the deposit amount when the customer pays a deposit. Previously deposit-mode bookings under-reported their value to ad platforms, skewing ROAS and smart bidding downward.
* Change: the booking widget no longer manages its own cookie/tracking consent. Since the widget mounts directly in the host page (not an iframe), its tags now inherit the consent signals from the host site's Consent Management Platform (Complianz, CookieYes, etc.). The widget's separate "cookies & trackers" checkbox has been removed to avoid a duplicate, conflicting consent layer. The privacy-policy acceptance checkbox is unchanged.

= 2.6.4 =
* Fix: when the booking widget is mounted via a scoped shortcode (e.g. `[poslimitless_booking group_id="..."]`), cancelling a payment on the provider's hosted page (Stripe / CAWL / Monetico / Sogecommerce) now returns the customer to the exact page they came from, instead of the center's general booking page. The widget now forwards `window.location.href` as `originUrl` on all payment session creation calls; the backend stores it on the session document and prefers it (after host validation against the center's known domains, to prevent open-redirect abuse) over the default booking URL when building the cancel redirect.

= 2.6.3 =
* Fix: the real root cause of the "extra players" warning breaking French words mid-character. Direct API inspection on the live site revealed the stored message HTML contained ` ` (non-breaking space) entities between every word — Quill, the rich-text editor used in the admin Service form, inserts NBSP whenever the user selects text or applies formatting. From the browser's wrapping perspective, an NBSP-joined sentence is a single unbreakable word, so `overflow-wrap: break-word` kicks in and slices it at arbitrary character positions to make it fit the column. No amount of Shadow DOM, `!important`, or `word-break: normal` could have fixed it — the issue was in the text data, not the styling. The warning's `sanitizeWarningHtml` now decodes ` ` and the U+00A0 character back into regular spaces before injection, so the browser can wrap at word boundaries the way the rest of the CSS already expected.

= 2.6.2 =
* Fix: the "extra players" warning, even rendered inside a Shadow DOM (since v2.6.1), was still breaking French words mid-character at narrow column widths (e.g. the 320 px summary column in the V5 confirm view). DevTools inspection on the live site (enigma78.fr) confirmed the shadow root and the `word-break: normal !important` rule were both applied — so the cause was not theme CSS, but `text-align: justify` combined with the browser's default justification algorithm picking break opportunities mid-word when stretching short lines. Switched the shadow-DOM scoped CSS to `text-align: left !important` and `text-justify: inter-word !important` so justification can only happen between whitespace tokens, never inside a word.

= 2.6.1 =
* Fix: the "extra players" warning now renders its message inside a Shadow DOM so the host WordPress theme can no longer reach the content with CSS selectors. Earlier attempts (v2.5.4 through v2.6.0) tried scoped class selectors, scoped `<style>` blocks, inline `!important` styles, and finally `element.style.setProperty(name, value, 'important')` via `useEffect` — but on at least one theme (Enigma78), even inline `!important` was being overwritten, probably by a MutationObserver re-applying global rules. With Shadow DOM the warning lives in an isolated scope: external selectors don't match, only inherited properties can leak in (and we override those with a scoped `<style>` block inside the shadow root). The warning's icon and outer border still render in the light DOM, so the existing flex layout is untouched.

= 2.6.0 =
* Fix: the "extra players" warning text is now immune to host WordPress themes that ship `#main p { word-break: break-all !important }` or similar high-specificity rules. Earlier attempts (v2.5.4 through v2.5.9) used scoped `<style>` blocks with class-based selectors, which a theme rule built on an ID selector can still beat in CSS specificity. The component now applies the `word-break`, `overflow-wrap`, `white-space`, and `hyphens` overrides via `element.style.setProperty(name, value, 'important')` in a `useEffect`, posting them as inline `!important` declarations on both the warning's text container and every descendant injected by the rich-text editor. Inline `!important` is the highest CSS priority — even ID-based theme rules with `!important` cannot override it.

= 2.5.9 =
* Fix: re-introduce the scoped `<style>` block with `!important` overrides on the "extra players" warning so its text no longer breaks French words mid-character on themes that apply `word-break: break-all !important` or `hyphens: auto !important` to their global content. The earlier v2.5.5/v2.5.6 attempts at this block were correct in principle but were dropped in v2.5.7 because they coincided with a layout regression caused by an unrelated missing `min-width: 0` further up the tree (fixed in v2.5.8). Now that the column sizing is robust, the scoped overrides can do their job without side effects. Also restores `text-align: justify` on the warning text so the right edge looks clean inside narrow summary columns.

= 2.5.8 =
* Fix: the cart-recap column in the V4/V5 confirm pages no longer expands past its grid track when a reservation has an "extra players" warning AND/OR a long service-option label. The root cause was a flex item (`<div style={{ flex: 1 }}>` wrapping the per-resa block in `CartRecap`) which defaulted to `min-width: auto`, preventing it from shrinking below its intrinsic min-content. Since v2.5.7 the warning text uses `word-break: normal`, its intrinsic min-content became "the longest word" rather than "1 char", which together with the missing `min-width: 0` pushed the column wider than the 320 px / 400 px grid track and made content overflow into the viewport margin. Added `min-width: 0` to that flex item, and rewrapped the service-option `<label>` so its text content lives inside a `flex: 1; min-width: 0` span, allowing long option names to wrap inside the column instead of overflowing.

= 2.5.7 =
* Fix: revert the layout regression introduced in v2.5.5/v2.5.6 where the summary column could grow past its 380 px grid track on some themes (the warning component became a flex sibling that resisted shrinking). The warning now uses its original block layout (`div` instead of `span`, no `<style>` injection, no `min-width: 0` on the outer container) and only keeps the message-sanitization step from v2.5.6: `<p>` and `<div>` tags coming from the rich-text editor are converted to plain `<br>` line breaks, and `class=` attributes are stripped from inline tags, so the host theme can no longer style our paragraphs into `white-space: nowrap` or `display: inline-block`.

= 2.5.6 =
* Fix: the "extra players" warning message no longer overflows the summary column or breaks French words mid-character on host WordPress themes that apply aggressive global rules to `<p>` and `<div>` tags. Previous v2.5.3–v2.5.5 attempts relied on scoped CSS overrides which could be defeated by theme rules with higher specificity (e.g. `#content p { ... }`). v2.5.6 takes a different approach: the warning now sanitizes the message HTML before injection — `<p>` and `<div>` block tags are converted to simple `<br>` line breaks, and class attributes on inline tags (`<strong>`, `<em>`, `<a>`, etc.) are stripped — so the entire warning content is rendered inside our own `<span>` whose layout properties are inline-styled (highest CSS priority).

= 2.5.5 =
* Fix: the "extra players" warning no longer widens its parent summary column past the viewport on host WordPress themes. The previous v2.5.4 attempt scoped the CSS overrides correctly but did not give the warning container its own `min-width: 0`, so the flex item's intrinsic size grew with the longest unbreakable word, which in turn forced the right summary column wider than the page. The container is now explicitly shrinkable (`min-width: 0`, `flex: 1 1 0%`), and the scoped style block now also pins `white-space: normal` and resets `<p>` margins so that themes injecting custom paragraph styles cannot disrupt the warning layout.

= 2.5.4 =
* Fix: the "extra players" warning message no longer breaks French words mid-character on narrow summary columns when the host WordPress theme imposes `word-break: break-all` globally. The previous v2.5.3 fix only set the property via inline React style, which the theme's `!important` rules could override. v2.5.4 now injects a scoped `<style>` block with `!important` overrides on `word-break`, `overflow-wrap`, and `hyphens` (incl. vendor prefixes) and justifies the warning text for a cleaner look in tight containers.

= 2.5.3 =
* Fix: the "extra players" warning message no longer breaks French words mid-character (e.g. "expérienc-e", "dégrad-ée") in narrow summary columns. Some WordPress themes apply `hyphens: auto` globally, and the warning component previously relied on the non-standard `word-break: break-word` which let the browser insert automatic hyphenation. The component now forces `hyphens: manual` and uses `overflow-wrap: anywhere`, so lines only wrap at spaces (or at very long unbreakable strings).

= 2.5.2 =
* Fix: variable-priced services now display the correct total when the customer uses the "extra players" option to exceed the maxPeople defined in the pricing grid. Previously the widget looked up `mapPriceByNb[nbPeople]` directly, and when no entry existed for that exact count (e.g. mapping defined for 2→6 players but client picks 7 or 8), the unit price fell back to 0 €, so the total and deposit both showed 0,00 €. The widget now falls back to the highest defined key in the mapping, so 7 players on a 2→6 grid is billed as 7 × price(6).

= 2.5.1 =
* Fix: paid traffic attribution. Visitors arriving with only a click-ID (`gclid`, `fbclid`, `ttclid`) and no `utm_source` were previously bucketed as "Direct" in the Acquisition report, even though they clearly came from a paid ad. The tracking loader now mirrors GA4's default behavior: when no explicit UTM is present but a `gclid` / `fbclid` / `ttclid` is, the source is inferred (`google/cpc`, `facebook/paid`, `tiktok/paid`). This restores accurate attribution for advertisers who have not configured a Google Ads tracking template or are running Performance Max (which never propagates UTM params).
* Added: `ttclid` and `fbclid` are now persisted in localStorage like `gclid`, enabling future server-side Conversion API (Meta CAPI / TikTok Events API) deduplication.

= 2.5.0 =
* Fix: Google Ads / Meta / TikTok purchase conversion events are now correctly fired on the booking widget after returning from the payment provider. Previously the widget always mounted at "booking" step on return, never rendering the success page — so no `purchase` event was pushed to the dataLayer and no conversion was sent. The widget now detects success URL params (`session_id` for Stripe, `ref` for CAWL/Monetico/Sogecommerce) and switches to the success step on mount.
* Fix: gift card purchases now fire the same set of conversion events (dataLayer purchase + conversion, Google Ads gtag conversion, GA4 purchase, Meta Pixel Purchase, TikTok CompletePayment) that the booking flow already had. Previously the gift card success state showed a "Bon cadeau acheté !" message but did not push any tracking. Conversion data (amount, currency, transaction ID, client info for Enhanced Conversions) is stored before redirecting to the payment provider and replayed on return.
* New: gift card success page now redirects to a configurable "thank you" page (`sitewebmercibon` field on the center, falls back to `sitewebmerci` if empty), aligned with the existing booking flow. The redirect waits for Meta / TikTok / Google Ads pixel network requests to actually fire (PerformanceObserver, 5s safety timeout) before navigating away, so pixel/server deduplication is preserved.

= 2.4.9 =
* Fix: tracking loader is now served as an external static JS file (`assets/tracking-loader.js`) instead of inline. Pixel IDs are passed via `data-*` attributes on the `<script src>` tag. This bypasses Consent Management Platforms (Complianz, CookieYes, Cookiebot, Borlabs Cookie, etc.) that scan inline script content for tracker references and rewrite them to `type="text/plain"` — even when the documented bypass attributes are set. External scripts served from the plugin's own domain are not matched against the CMPs' third-party tracker URL lists.
* Added: WP Rocket "Delay JavaScript Execution" exclusion filter (`rocket_delay_js_exclusions`) for the tracking loader, so the pixel fires immediately on page load instead of waiting for first user interaction. Cloudflare Rocket Loader is also disabled for this script via `data-cfasync="false"`.

= 2.4.8 =
* Fix: tracking script is now emitted directly via `echo` in `wp_head` instead of through `wp_add_inline_script`, and wrapped in the official Complianz `<!--cmplz-native-->` HTML markers. The previous v2.4.7 attempt to inject CMP bypass attributes via the `script_loader_tag` filter did not work because that filter is only applied to scripts with a `src` attribute, never to inline scripts. As a result, Complianz (and other CMPs) kept neutralizing the tracking script with `type="text/plain"` even after upgrading.

= 2.4.7 =
* Fix: tracking script is now flagged with bypass attributes for the main WordPress Consent Management Platforms (Complianz, CookieYes, Cookiebot, Borlabs Cookie, CookieFirst). Without these, CMPs would auto-detect references to Meta/TikTok/GTM in the inline script and rewrite its `type` to `text/plain`, neutralizing it before execution — even after the visitor accepted cookies, since the script was wrongly classified under "marketing". Site owners who want consent-gated tracking can still classify the script manually in their CMP settings.

= 2.4.6 =
* Fix: tracking pixels (Google, Meta, TikTok) are now injected sitewide on every front-end page instead of only on pages where the booking shortcode was detected in the raw post content. Previous behavior used `has_shortcode($post->post_content)`, which silently failed when the booking widget was embedded via a page builder (Elementor, Bricks, Divi, Gutenberg blocks, custom theme template…). Result: zero browser-side pixel events on most modern WP setups. Tracking now loads as long as a center ID is configured in the plugin settings.

= 2.4.5 =
* Changed: tracking pixels (Google, Meta, TikTok) now load immediately on page render instead of waiting for an internal cookie consent flag. RGPD compliance is delegated to the host site's own cookie banner plugin (CookieYes, Complianz, Real Cookie Banner, Tarteaucitron, etc.), which can block third-party scripts as needed. Resolves missing browser-side TikTok/Meta pixel events on sites whose consent banner did not set the previously required `cookie_consent=granted` localStorage key.
* Fix: PHP version constant resynced with plugin header (was lagging at 2.4.2 while header was 2.4.4), ensuring the tracking-config transient cache is properly invalidated on upgrade.

= 2.4.4 =
* Fix: scheduled exceptional closures now keep the service visible on the booking widget with all slots inside the closure period blocked, instead of removing the service entirely for the day.

= 2.4.3 =
* New: service lifecycle (open/close dates). A service can now have an "available from" date (appears on the booking widget at that date) and an "available until" date (no new bookings after that date). Scheduled and archived services are automatically hidden from the public widget. Events and services with no available slots are also hidden.

= 2.4.2 =
* Improved: smart wait for pixel network requests before redirecting to "thank you" page (sitewebmerci). Uses PerformanceObserver to detect when Meta, TikTok, and Google Ads pixel HTTP requests have actually been sent — redirects immediately when all configured pixels have fired (or after 5s safety timeout). Replaces the previous fixed 3s delay.
* New: visual loader on the success page during the wait, with per-pixel status indicators (✓ Meta, ✓ TikTok, ✓ Google Ads).

= 2.4.1 =
* Fix: tracking pixel cache TTL reduced from 1h to 5 min, and cache key now includes plugin version. After updating Meta/TikTok pixel IDs in the PosLimitless dashboard, changes propagate within 5 minutes (instead of 1 hour). Plugin upgrades automatically invalidate the cache.

= 2.4.0 =
* Fix: 1.2s delay before redirect to "thank you page" (sitewebmerci) so browser pixels (Meta fbq, TikTok ttq, GA gtag) have time to fire. Previously the redirect was aborting the pixel requests, causing Purchase events to be missing on the Browser side (server-side was unaffected).

= 2.3.9 =
* New: full TikTok Pixel + Events API integration (ViewContent, InitiateCheckout, CompletePayment) with browser-server deduplication via event_id
* New: enriched Meta Pixel events (Purchase eventID for Conversions API dedup)
* New: capture of TikTok ttclid URL param + _ttp cookie for server-side attribution
* Improved: ViewContent enriched with center.id and center.name for better audience matching

= 2.3.7 =
* Improved: "phone only" status now resolved server-side (honors per-day and per-period overrides on opening rules, lunch breaks and closures)

= 2.3.6 =
* New: dedicated "Service title" color in appearance settings (independent from text color)

= 2.3.5 =
* New: customizable colored border around service images (appearance settings)
* Improved: per-badge color & emoji support (syncs with Poslimitless admin where each badge can have its own emoji and color)

= 2.3.4 =
* Fix: service info modal no longer clipped when embedded in pages with transformed ancestors (React Portal to document.body)
* New: dedicated "Info badges" color in appearance settings (independent from accent color)

= 2.3.3 =
* Full i18n support: English source strings, French translation shipped (languages/poslimitless-booking-fr_FR.mo)
* Plugin icon and banner published on wordpress.org

= 2.3.2 =
* New "transparent background" option per module (let the WordPress theme drive the page background)

= 2.3.1 =
* Renamed generic JavaScript globals to use unique poslbo prefix (WordPress.org review compliance)

= 2.2.0 =
* Added Events module
* 5 visual styles for all modules (Classic, Grid, Glassmorphism, Immersive, Dashboard)
* Live gift card preview with customization
* Secure API Key field (wpApiKey)
* Admin interface improvements

= 2.0.0 =
* Initial public release
* Booking, Confirmation, Client Portal, Gift Card modules

== External services ==

This plugin relies on the following third-party and external services:

= PosLimitless API =

This plugin connects to the PosLimitless API to manage bookings, payments, gift cards, client accounts and events. All booking data (customer name, email, phone, reservation details, payment information) is sent to this service when a visitor makes a reservation, purchases a gift card or accesses the client portal.

* Service provider: PosLimitless SAS
* Service URL: https://limitless-backend-624311789490.europe-west1.run.app
* Terms of service: https://poslimitless.com/cgv
* Privacy policy: https://poslimitless.com/confidentialite

= Google Tag Manager / Google Analytics / Google Ads =

When a center has configured Google tracking tags in PosLimitless, this plugin **only** loads Google scripts after the visitor has explicitly opted in via the cookie consent checkbox displayed on the confirmation page. No Google scripts are loaded and no data is sent to Google until the visitor grants consent. Once consent is granted, the plugin sends page views and purchase conversion events (transaction ID, amount, currency) to Google for analytics and advertising purposes. Google Consent Mode V2 is used with all storage types denied by default.

* Data sent: page views, purchase events (transaction ID, amount, currency), Google click ID (gclid)
* When sent: only after explicit visitor opt-in via the cookie consent checkbox
* Service provider: Google LLC
* Terms of service: https://policies.google.com/terms
* Privacy policy: https://policies.google.com/privacy

= Meta Pixel (Facebook) =

When a center has configured a Meta Pixel ID in PosLimitless, this plugin **only** loads the Meta Pixel script after the visitor has explicitly opted in via the cookie consent checkbox displayed on the confirmation page. No Meta scripts are loaded and no data is sent to Meta until the visitor grants consent. Once consent is granted, it sends page views and purchase conversion events (amount, currency) to Meta for advertising purposes.

* Data sent: page views, purchase events (amount, currency)
* When sent: only after explicit visitor opt-in via the cookie consent checkbox
* Service provider: Meta Platforms, Inc.
* Terms of service: https://www.facebook.com/terms.php
* Privacy policy: https://www.facebook.com/privacy/policy/

= TikTok Pixel =

When a center has configured a TikTok Pixel ID in PosLimitless, this plugin **only** loads the TikTok Pixel script after the visitor has explicitly opted in via the cookie consent checkbox displayed on the confirmation page. No TikTok scripts are loaded and no data is sent to TikTok until the visitor grants consent. Once consent is granted, it sends page views and payment completion events (amount, currency) to TikTok for advertising purposes.

* Data sent: page views, payment completion events (amount, currency)
* When sent: only after explicit visitor opt-in via the cookie consent checkbox
* Service provider: TikTok Inc. / ByteDance Ltd.
* Terms of service: https://www.tiktok.com/legal/terms-of-service
* Privacy policy: https://www.tiktok.com/legal/privacy-policy

= Stripe =

When a center uses Stripe as a payment gateway, payment is processed via the Stripe hosted checkout. The customer is redirected to Stripe to complete payment. No card data is handled by this plugin.

* Service provider: Stripe, Inc.
* Terms of service: https://stripe.com/legal
* Privacy policy: https://stripe.com/privacy

== Source code ==

The frontend module (`assets/booking.js`) is built from a React/TypeScript application using Vite. The source code is included in the `src/` directory of this plugin. Build tools used: Node.js, Vite, TypeScript, React.

== Screenshots ==

1. Booking page (Glassmorphism view)
2. Confirmation page with summary
3. Client portal with history
4. Gift card purchase with live preview
5. Color configuration in admin
6. Visual style selection