# WordPress Plugin Directory – Compliance Checklist

This checklist confirms the RedPay (redtech-redpay-gateway) plugin aligns with [WordPress Plugin Directory Guidelines](https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/) and [Common Issues](https://developer.wordpress.org/plugins/wordpress-org/common-issues/).

---

## 1. Naming & structure

| Item | Status | Notes |
|------|--------|------|
| Main plugin file name = slug | ✅ | `redtech-redpay-gateway.php` |
| Text domain consistent | ✅ | `redtech-redpay-gateway` in all PHP files |
| Unique prefix (4+ chars) | ✅ | `redpay_`, `redtech_`, `REDPAY_` for options/hooks/constants |
| Option/setting names prefixed | ✅ | `redpay_payment_gateway_*`, `woocommerce_redpay_payment_gateway_*` |
| Gateway ID prefixed | ✅ | `redpay_payment_gateway` |
| No `wp_`/`__` as prefix | ✅ | Only WordPress i18n functions use `__()` |

---

## 2. Security – sanitization

| Item | Status | Notes |
|------|--------|------|
| All `$_GET` sanitized | ✅ | `admin_page`: `sanitize_key( wp_unslash( $_GET['tab'] ) )` |
| All `$_POST` sanitized | ✅ | `handle_js_log`: nonce, message, data with `sanitize_text_field( wp_unslash() )` |
| | ✅ | `verify_payment_ajax`: reference, order_id, skip_remote_verify with `sanitize_text_field`/`absint` + `wp_unslash` |
| | ✅ | `ajax_get_order_data`: order_id `absint( wp_unslash() )`, nonce `sanitize_text_field( wp_unslash() )` |
| Webhook payload | ✅ | Raw payload size-limited; decoded data passed through `sanitize_webhook_data()` (event whitelist, `sanitize_text_field` on reference) |
| API response messages | ✅ | Verify/refund API `message` sanitized with `sanitize_text_field()` before use/send |
| Custom SDK URLs (settings) | ✅ | `esc_url_raw( trim() )` in `enqueue_scripts()` before use in `wp_enqueue_script` |
| Refund reason | ✅ | `sanitize_text_field( $reason )` in `make_refund_request()` |
| `register_setting` sanitize_callback | ✅ | `redpay_payment_gateway_options` uses `sanitize_settings()` (debug_mode, log_level with `sanitize_key`) |

---

## 3. Security – escaping (escape late)

| Item | Status | Notes |
|------|--------|------|
| Variables in HTML | ✅ | `esc_html()` for PHP_VERSION, version strings, log table cells, transaction ID |
| URLs in attributes | ✅ | `esc_url()` for all href/action (admin_url, home_url, external links) |
| Attributes | ✅ | `esc_attr()` for class names, alt text |
| HTML content (post-like) | ✅ | `wp_kses_post( wpautop( $this->description ) )` in payment_fields |
| Translations on output | ✅ | `esc_html_e()`, `esc_html__()`, or `echo esc_html( __() )` – no raw `_e()`/`__()` when echoing |
| Inline JS (removed) | ✅ | No raw `<script>`; data via `wp_add_inline_script` with `wp_json_encode()` |

---

## 4. Security – nonces & capabilities

| Item | Status | Notes |
|------|--------|------|
| AJAX `handle_js_log` | ✅ | `sanitize_text_field( wp_unslash( $_POST['nonce'] ) )` then `wp_verify_nonce( $nonce, 'redpay_payment_gateway_nonce' )` |
| AJAX `verify_payment_ajax` | ✅ | Same pattern when not skip_remote_verify; otherwise no nonce (intended) |
| AJAX `ajax_get_order_data` | ✅ | `sanitize_text_field( wp_unslash( $_POST['nonce'] ) )` then `wp_verify_nonce( $nonce, 'redpay_pop_' . $order_id )` |
| AJAX admin (test_connection, clear_logs) | ✅ | `sanitize_text_field( wp_unslash( $_POST['nonce'] ) )` then `wp_verify_nonce( $nonce, 'redpay_payment_gateway_admin' )` |
| Settings form | ✅ | `settings_fields()` (nonce) + `options.php` handles capability |
| Admin menu | ✅ | `manage_woocommerce` for submenu |
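
The nonce, sanitization and escaping pattern that sections 2 to 4 describe, written out as one front-end AJAX handler. This is an added example, not the plugin's own code: the handler name `redpay_example_order_status`, the `redpayExample` JS variable and the response fields are hypothetical, while the nonce action `'redpay_pop_' . $order_id` and the `redtech-redpay-gateway-script` handle are taken from the checklist.

```php
<?php
// Added example (hypothetical handler, not the plugin's code) showing the
// sanitize -> verify nonce -> load data -> JSON response pattern from the checklist.

add_action( 'wp_ajax_redpay_example_order_status', 'redpay_example_order_status' );
add_action( 'wp_ajax_nopriv_redpay_example_order_status', 'redpay_example_order_status' );

function redpay_example_order_status() {
    // Section 2: every $_POST value is unslashed and sanitized before use.
    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    $nonce    = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    // Section 4: the nonce action embeds the order ID, so a token minted for one
    // order cannot be replayed against another.
    if ( ! $order_id || ! wp_verify_nonce( $nonce, 'redpay_pop_' . $order_id ) ) {
        wp_send_json_error( array( 'message' => __( 'Invalid request.', 'redtech-redpay-gateway' ) ), 403 );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => __( 'Order not found.', 'redtech-redpay-gateway' ) ), 404 );
    }

    // Values are JSON-encoded here; HTML escaping happens in the JS that renders them
    // (escape late), so nothing is double-escaped.
    wp_send_json_success( array(
        'order_id' => $order->get_id(),
        'status'   => sanitize_key( $order->get_status() ),
        'total'    => (float) $order->get_total(),
    ) );
}

// Section 5: the nonce and AJAX URL reach the browser through wp_add_inline_script
// with wp_json_encode(), never through a raw <script> tag in PHP output.
function redpay_example_localize_nonce( $order_id ) {
    $order_id = absint( $order_id );
    $data     = array(
        'ajaxUrl' => esc_url_raw( admin_url( 'admin-ajax.php' ) ),
        'orderId' => $order_id,
        'nonce'   => wp_create_nonce( 'redpay_pop_' . $order_id ),
    );
    wp_add_inline_script(
        'redtech-redpay-gateway-script',
        'var redpayExample = ' . wp_json_encode( $data ) . ';',
        'before'
    );
}
```

Call `redpay_example_localize_nonce()` from the same hook that enqueues the checkout script, after `wp_enqueue_script()`, so the handle exists when the inline data is attached.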

---

## 5. Scripts & styles

| Item | Status | Notes |
|------|--------|------|
| No raw `<script>` in PHP | ✅ | Checkout data via `wp_add_inline_script( 'redtech-redpay-gateway-script', ... )` |
| JS enqueued | ✅ | `wp_enqueue_script` for redpay-sdk, frontend.js, admin.js, blocks |
| CSS enqueued | ✅ | `wp_enqueue_style` for frontend.css, admin.css |
| SDK source | ✅ | Bundled `assets/js/omni-payment-gateway-sdk.js`; optional custom URL sanitized with `esc_url_raw()` |
| WordPress HTTP API | ✅ | `wp_remote_get`, `wp_remote_request` for RedPay API |

---

## 6. Direct access & files

| Item | Status | Notes |
|------|--------|------|
| ABSPATH check in all PHP | ✅ | `redtech-redpay-gateway.php`, both gateway classes, Blocks class |
| No HEREDOC/NOWDOC for output | ✅ | Not used |
| No short PHP tags | ✅ | Full `<?php` only |

---

## 7. Readme & external services

| Item | Status | Notes |
|------|--------|------|
| Plugin name consistent | ✅ | RedPay in header and readme |
| Tested up to | ✅ | 6.9 |
| Donate link valid | ✅ | https://redpay.africa/ |
| Plugin URI valid | ✅ | https://redpay.africa/ in main file |
| External services section | ✅ | What RedPay is, what data is sent and when, terms + privacy links |
| Installation path | ✅ | `/wp-content/plugins/redtech-redpay-gateway` |
| Tags ≤ 5 | ✅ | payment, gateway, woocommerce, e-commerce, redpay |

---

## 8. Other guidelines

| Item | Status | Notes |
|------|--------|------|
| GPL compatible | ✅ | License: GPL v2 or later |
| No executable code from 3rd party | ✅ | SDK bundled; optional URL is admin-configured and sanitized |
| No tracking without consent | ✅ | No tracking; payment flow is user-initiated |
| Service documented | ✅ | RedPay documented as external service in readme |

---

## Before each upload

1. Zip the **folder** `redtech-redpay-gateway` (so the zip contains one folder with the same name).
2. Test on a clean WordPress + WooCommerce install with `WP_DEBUG` and `WP_DEBUG_LOG` enabled.
3. Run [Plugin Check](https://wordpress.org/plugins/plugin-check/) and fix any reported issues.
4. Reply to the review email briefly, confirming you've addressed the points above.

Last verified: 2026-02-28 (full audit vs guidelines + common issues)
