# Yatoon Security Notes

## Credential handling

Yatoon stores third-party credentials in WordPress options because Square, Vagaro, Stripe, Twilio, and Google Calendar require server-side API access. Admin settings mask saved secrets in the user interface and leave saved values unchanged when credential fields are submitted blank.

Sensitive fields include:

- Square access token
- Vagaro API key
- Stripe secret key
- Stripe webhook secret
- Twilio auth token
- Google client secret
- Google refresh token

## Staff access

Staff Portal access is designed for day-to-day technician workflow. Staff PINs are hashed before storage. Owner/admin-only actions should remain limited to trusted users.

Yatoon registers these capabilities for future role delegation:

- `yatoon_manage_settings`
- `yatoon_manage_bookings`
- `yatoon_manage_services`
- `yatoon_manage_staff`
- `yatoon_view_reports`

Administrators receive these capabilities on activation.

## Site hardening recommendations

- Use HTTPS on every booking page.
- Use SMTP for outgoing WordPress email.
- Restrict WordPress administrator accounts to owners or trusted managers.
- Exclude booking, customer portal, staff portal, and manage-booking pages from full-page cache.
- Keep WordPress, PHP, themes, and plugins updated.
- Test Square, Vagaro, Stripe, Twilio, and Google credentials in sandbox/test mode before going live.

