TrustLens – Trust Scores & Fraud Detection for WooCommerce

Өзгөртүүлөр

1.2.3

Security and reliability hardening. Closes several issues surfaced during a pre-release audit.

Fixed

• Card-Testing Defense — VIP bypass too permissive. Previously, any customer with at least one completed order was permanently exempt from card-testing velocity blocks — meaning a fraud actor who completed a single order gained immunity from then on. The threshold now matches the plugin-wide trustlens_min_orders setting (default 3 orders) AND customers in risk or critical segments no longer bypass card-testing defense regardless of order count.
• Chargeback meta not HPOS-compatible. Manual chargeback writes used update_post_meta() / get_post_meta() directly, which silently target the wrong table on stores with WooCommerce High-Performance Order Storage enabled. Switched to WC_Order::update_meta_data() / WC_Order::get_meta() so the chargeback indicator and Record Manual Chargeback form work correctly on HPOS stores.
• IP spoofing via forwarding headers. HTTP_X_FORWARDED_FOR (request gate) and HTTP_CLIENT_IP + HTTP_X_FORWARDED_FOR (payment-method controls) were trusted unconditionally, letting an attacker send X-Forwarded-For: 1.2.3.4 to rotate their apparent IP and defeat per-IP velocity rules. Both code paths now default to REMOTE_ADDR. Sites legitimately behind a trusted reverse proxy (Cloudflare, load balancer, Sucuri) can opt in to X-Forwarded-For via the new trustlens/trust_proxy_headers filter — the last entry in the header is used (the IP the closest trusted hop observed).
• Webhook signing secret exposed in DOM. The “Test” button on the Pro Webhooks settings page rendered the signing secret as a data-secret HTML attribute, making it readable by any browser extension or XSS payload running in the admin panel. The secret is no longer rendered to the page; the AJAX handler now looks up the endpoint server-side from the stored config.
• Webhook async dispatch could pile up duplicates. Automation rule webhooks used as_enqueue_async_action() without dedup, so a rapid burst of identical triggers (e.g. score_updated firing several times during a batch refund) queued multiple deliveries for the same rule+customer. Now dedup’d via wstl_ensure_single_action; retries from inside the dispatch handler still carry a distinct retry counter and bypass dedup so failed deliveries still get their 60s / 120s / 240s attempts.
• Score-update queue race. wstl_queue_score_update() used a read-then-write pattern that could double-schedule the score recalculation under concurrent events for the same customer. Replaced with wstl_ensure_single_action, which uses unschedule-then-schedule semantics and is race-free.
• Chargeback record double-increment under concurrency. The manual chargeback AJAX path ran two separate UPDATE statements (one for total_disputes, one for the outcome counter). Two concurrent calls for the same customer could leave disputes_lost exceeding total_disputes. Now done as a single atomic UPDATE when the outcome is known at record time.
• Shipping anomaly re-entrancy. The trustlens/shipping_anomaly action fired (and address_anomaly_detected was logged) from inside get_signal(), which runs on every score recalculation. That could spawn re-entrant Action Scheduler jobs through automation rules. Both events now fire once from handle_order_completed, so each detection produces exactly one event per order completion.
• Guest-order automation actions silently dropped. Customer-level actions (send email, block customer, tag, etc.) on order-bound rules silently returned when the order was a guest checkout. Now a 'skipped' row is written to the rule log with the reason “Guest order: no customer email hash” — the inspector can finally answer “why didn’t my rule fire?”.
• Lockdown targets transient race. Card-Testing Defense stored every targeted device fingerprint in one shared transient map; concurrent attacks from different devices could clobber each other on write. Switched to one transient per fingerprint so concurrent target writes never conflict. Admin listing and “any-target-active” check use indexed wp_options LIKE queries.
• Automation is_first_order matched 0-order customers. Condition now requires total_orders === 1 (exact), so rules don’t fire against brand-new customer records that exist before any order has been counted.
• Chargeback signal ignored min-orders threshold. A one-time buyer who filed a legitimate dispute could trigger the -30 chargeback penalty before any other signals existed. The chargeback module now honors trustlens_min_orders like the returns, coupons, and shipping modules.
• Dispute Report didn’t validate the hash format. $_GET['hash'] is now checked against wstl_is_email_hash() before being passed to the lookup, matching the rest of the codebase.
• Webhook log table escaping. Endpoint URL inside <code> was escaped with esc_url() (an attribute-context function) instead of esc_html(). Switched to the correct function for text content.
• Automation retention cron not cleared on deactivation. The trustlens/automation/retention_cleanup event survived Deactivate, leaving an orphan WP-Cron entry. Now cleared alongside the other scheduled events.
• Duplicate score-save logic. process_score_calculation() and TrustLens_Score_Calculator::recalculate_score() each contained their own copy of the save-and-fire(score_updated / segment_changed) flow. The Action Scheduler callback now delegates to the calculator method so the two paths can’t drift.
• Redundant order re-fetches. class-module-orders and class-module-shipping-anomalies registered woocommerce_order_status_completed with 1 arg and immediately called wc_get_order() on the order ID. Hooks now register with 2 args and use the WC_Order instance WooCommerce passes — with a defensive fallback for third-party callers firing the hook with one argument.
• Card-testing defense bypass via client fingerprint rotation. Bots that rotated their JavaScript-side fingerprint per request avoided the per-fingerprint velocity threshold (each rotated hash had count 1, never tripping the limit). Declines are now also recorded under the server-fallback fingerprint (IP + User-Agent + Accept-Language) — which stays stable across client-hash rotation — so the velocity detector accumulates and targets even rotating attackers. Lockdown checks test both hashes on every request, so an attacker who got the server hash targeted on attempt 3 stays blocked even if they rotate the client hash on attempt 4.
• Panic Freeze duration ceiling. The duration the panic-freeze AJAX accepted from the admin form was clamped to 3600s (1 hour). An admin mis-entering the value could accidentally block checkout for an hour. The server-side ceiling is now 30 minutes by default, filterable via trustlens/card_testing/panic_max_duration for sites that genuinely need longer.
• Cron reconciliation on every page load. ensure_notification_schedules() was hooked to init and ran on every frontend request, writing to wp_options on stores with notifications disabled. The reconciliation now self-throttles to once per hour, with explicit invalidation on notification-setting changes so toggles still take effect immediately.
• Automation customer_age_days / days_since_last_order timezone drift. Conditions mixed local-time (current_time('timestamp')) with UTC-stored MySQL timestamps, producing up to ±14 hours of drift on non-UTC sites — enough to push a daily-granularity condition off by a full day. Both sides now anchor to UTC.
• Webhook endpoints option marked autoload=no. The endpoint config (which contains plaintext HMAC signing secrets) was autoloaded on every request. It’s now loaded only when a webhook actually needs to fire.
• Card-Testing Defense not actually enabled by default. The readme advertised “ships enabled with sensible thresholds” but the activation flow never set the trustlens_module_card_testing_enabled option, so the module sat dormant until merchants found the toggle in Settings. New installs now enable card-testing defense and the VIP customer bypass automatically, matching the documented promise. Existing sites keep whatever value they already have — no surprise behavior changes.
• Welcome email never sent on default-off installs. The 24-hour-post-activation welcome summary was gated behind the master trustlens_enable_notifications switch, which ships disabled. The handler silently returned and the carefully-built welcome email was dropped on every fresh install. The welcome email is now gated only by its own trustlens_notify_welcome_summary opt-out (which already defaults to on), so the onboarding email actually fires.
• Plugin row “Dashboard” / “Settings” shortcuts. The Plugins screen now surfaces direct links to the TrustLens dashboard and Settings page in the plugin row, matching standard WordPress plugin UX.
• Dashboard onboarding card now signals active protection. When a fresh install lands on the empty dashboard, a small pill next to the onboarding steps confirms that the detection modules are already scoring incoming orders, so merchants know protection is live and not deferred until they finish setup.

Changed (potentially breaking for existing webhook receivers)

• Webhook signature scheme v2. Outgoing webhook signatures now cover timestamp + '.' + body instead of body alone, and a new X-TrustLens-Timestamp header carries the Unix epoch. This lets receivers reject replayed deliveries by checking the timestamp falls within a short window (recommended: ±5 minutes). Verification on the receiver side: compute 'sha256=' + hmac_sha256(timestamp + '.' + body, secret) and constant-time-compare against X-TrustLens-Signature. If you have an existing webhook receiver, update its verification code before upgrading.

Internal

• Centralized client-IP retrieval in wstl_get_client_ip() so future fraud modules don’t have to re-solve the spoofable-header problem.
• Centralized webhook signature computation in TrustLens_Webhooks::compute_signature() so the three send sites (settings test, classic webhooks, automation webhooks) can’t drift apart.
• Defensive: replaced ActionScheduler_Store::STATUS_PENDING constant reference with the literal 'pending' in wstl_queue_score_update() so the function survives unusual AS bootstrap orderings.

1.2.2

Automation Rules — reliability rewrite + major capability expansion. Plus Card-Testing Defense admin UX consolidation.

Automation

• Added triggers: Chargeback Filed · Dispute Recorded · Linked Accounts Detected · Card Testing Attack · Shipping Anomaly.
• Added condition fields: Total Order Value · Total Disputes · Linked Accounts · Coupon Then Refund · Cancelled Orders · Customer Type · Is Blocked · Customer Age · Days Since Last Order · Payment Method · Shipping Country · Billing Country · Country Mismatch · Coupon Total.
• Added actions: Allowlist Customer · Cancel Order.
• Added: Save-time validator blocks rules that can never fire — unsatisfiable conditions, schema-bound violations, trigger-state contradictions, invalid operators for the field type, incomplete actions — each with a specific inline reason.
• Added: Inspector shows SKIP status on evaluations that didn’t execute, with the reason (“Cooldown active” / “Condition not met: trust_score > 50”). Directly answers “why didn’t my rule fire?”.
• Changed: Webhooks now dispatch async with automatic retry (60s/120s/240s backoff) and are HMAC-SHA256 signed by default.
• Changed: Rule editor no longer full-page-reloads on save or delete; errors appear inline inside the modal.
• Fixed: Concurrent rule saves were last-write-wins — now serialized via advisory lock.
• Fixed: A failed action locked the rule out for an hour via cooldown — now clears on error so the next event retries.
• Fixed: Rules with an unknown condition field silently matched everything (catastrophic for block_customer rules). Now rejected.
• Fixed: Timezone drift between log timestamps and inspector counters when MySQL server TZ ≠ site TZ.
• Fixed: Operators <, <=, <> couldn’t save at all.
• Fixed: “Send Email” action ignored the recipient field; now honors it as a per-rule override (falls back to site notification email when blank).
• Fixed: “Refund Processed” trigger silently dropped order context — order-only actions/conditions never fired on refunds.

Admin UX — Card-Testing Defense + Dashboard

• Changed: Card-Testing Defense page consolidated from four tabs into a single live view — panic controls, live state, and targeted fingerprints visible without clicking.
• Added: Dashboard alert band for active Panic Freeze, targeted lockdowns, and card-network programs over chargeback threshold.
• Added: Module-status pill row on the dashboard (on/off + one stat for each subsystem).
• Added: Persistent plugin-wide admin header with unified nav, live status pill, notifications bell, and ⌘K command palette.
• Fixed: Unchecking “Enable Card-Testing Defense” or “VIP bypass” didn’t save (Settings API checkbox quirk).
• Fixed: Slack webhook delivery failures are now logged instead of swallowed.
• Fixed: Uninstall clears card-testing options and cron hooks; deactivation unschedules card-testing crons.
• Fixed: Card-testing attacks with an identifiable customer email now fire trustlens/checkout_blocked (once per newly-targeted fingerprint) so Notifications / Automation / Webhooks can react.

Safe additive upgrade — new composite index added idempotently, no data migration.

1.5.0

Card-Testing Defense — Pro tier

• Added (Pro): Auto-escalation from targeted blocking to global panic freeze when an attack spreads across multiple device fingerprints. Default threshold: 3 distinct devices in a 10-minute window.
• Added (Pro): Geographic-diversity safeguard. Before auto-escalating, checks whether the decline burst is naturally distributed across ≥10 countries with no single country holding >50% — if so, treats as a legitimate flash-sale or viral-moment burst and holds off.
• Added (Pro): Fingerprint and IP CIDR allowlists. Devices or IP ranges on the allowlist bypass the card-testing defense entirely — for QA, integration partners, or known-good traffic. Both IPv4 and IPv6 CIDR ranges supported.
• Added (Pro): Advanced fingerprint signal — enumerates 12 common fonts via baseline-width comparison and adds the detected-fonts list to the fingerprint hash. Harder for botnets to spoof consistently across nodes than canvas + screen alone. Opt-in via script tag data attribute (only injected when Pro is licensed AND card-testing is enabled).
• Added (Pro): Per-fingerprint threshold overrides. Tighter or looser thresholds for specific known devices.
• Added (Pro): Attack History tab — 24h decline count, decline-code breakdown, top-10 attacking fingerprints, hourly timeline chart (Chart.js). CSV export of all velocity events in the window.
• Added (Pro): Slack and email alert dispatcher — subscribes to attack_detected, auto_escalated, and panic_button_activated events. Configure a Slack webhook and/or email address to receive attack notifications.
• Added (Pro): Documented stable contract on the trustlens/panic_button_activated action — Pro integrators can rely on the signature and timing.
• Free tier behavior unchanged.

1.4.0

Card-Testing Defense (Free) — blocks stolen-card attack traffic before it reaches the payment gateway

• Added (Free): Real-time card-testing detection. Watches per-device decline rates in 60-second and 10-minute rolling windows. A device that crosses the decline threshold is blocked from checkout for 90 seconds. No merchant configuration required — sensible defaults ship enabled.
• Added (Free): Panic Freeze button on the new TrustLens → Card-Testing Defense admin page. One click blocks ALL checkouts for 15 minutes (configurable 5m/30m/1h). Use during active attacks your thresholds haven’t caught.
• Added (Free): VIP Customer Bypass (enabled by default). Customers with at least one successful past order are never blocked by card-testing velocity — attacks can’t disrupt legitimate repeat buyers.
• Added (Free): Negative trust-score signal for customers linked to device fingerprints involved in past attacks — keeps bad actors scored correctly even after the 90-second targeted block expires.
• Added (Free): during_attack_window event logged on orders completed while an attack is active — audit trail of which successful orders slipped through.
• Added (Free): Dashboard widget shows current defense state (IDLE / TARGETED / PANIC) and 24-hour decline count at a glance.
• Added (Free): Daily retention cron keeps the velocity-events table trimmed to the configured window (default 48h, configurable 24–168h).
• Note on velocity systems: This feature’s “velocity” is keyed on device fingerprint and measures gateway declines — unrelated to the existing Payment-Method Controls velocity (email-keyed, completed-order-count-based) and Shipping Anomalies velocity (email-keyed, distinct-address-count-based). Three independent systems, three different threats, three different responses.
• Coming in 1.5 (Pro): Auto-escalation to global freeze, geographic-diversity flash-sale safeguard, fingerprint allowlists, attack-history analytics, Slack / email alerts.

1.3.0

Request-gate infrastructure — card-testing defense foundation

• Added (Free): Internal TrustLens_Request_Gate primitive intercepts Classic checkout and Blocks / Store API checkout through a single rule-registration surface. Fraud modules register rules; the gate dispatches them pre-gateway.
• Added (Free): Browser fingerprint collection on checkout and cart pages — pseudonymous SHA-256 hash of canvas + screen + timezone + language + platform + WebGL signals. Raw signals never leave the browser. Server-side fallback hash when JS is disabled. Schema migration adds 5 new columns to wp_trustlens_fingerprints (fp_source, decline_count_24h, taint_flag, taint_reason, tainted_at).
• Improved (Free): Email blocklist (customers marked blocked in the admin) now takes effect on Blocks checkout in addition to Classic — existing behavior of the Checkout_Blocker class, now dispatched through the gate instead of its own hooks.
• Dev note: This is an infrastructure release. The card-testing detection engine (velocity windows, lockdown state machine, panic button, admin UI) ships in 1.4.0 and builds on this foundation.
• Dev note: PHPUnit test suite scaffolding added (composer.json, phpunit.xml.dist, tests/). Not shipped in distribution zips.

1.2.1

Chargeback Ratio Monitor — new feature

• Added (Free): Dashboard Chargeback Ratio speedometer — blended calendar-month ratio with a Healthy / Approaching threshold / Action needed status so you can see store health at a glance.
• Added (Free): Chargeback tracking moved from Pro to Free — automatic dispute ingestion from Stripe and WooPayments, per-customer dispute counters, and chargeback impact on trust scores now ship in every build.
• Added (Free): Manual chargeback entry form on the order edit page for gateways that don’t push dispute webhooks to WooCommerce (PayPal, Square, offline).
• Added (Free): Automatic card brand capture on Stripe and WooPayments paid orders. Historical Sync also captures card brand, so one sync run populates both trust profiles and chargeback-ratio data.
• Added (Pro): Dedicated TrustLens → Chargeback Monitor page — per-brand ratio breakdown (Visa VDMP/VFMP, Mastercard ECP, Amex, Discover) with threshold progress bars, 12-month trend chart, recent disputes activity feed, top-disputed customers with one-click Evidence Report, store-wide dispute outcomes summary, and inline alert-threshold control.
• Added (Pro): Daily email alert when any card brand reaches a configurable percent (default 70%) of its network threshold. Deduplicated per brand per calendar month — one email per brand, no spam.
• Added (Pro): Trailing-30-day ratio window alongside the Free calendar-month view, plus a customizable warn-threshold percent (50–100%).
• Added (Pro): Auto-block after N lost disputes is now actually enforced. The setting has existed since 1.2.0 but had no runtime effect until this release.

Fixes & improvements

• Fixed: Bulk customer actions (block, unblock, allowlist, remove-allowlist, recalculate, delete) failed with a fatal error due to a broken dispatch call to a non-existent TrustLens_Bulk_Operations::instance()->execute() method. The AJAX handler now dispatches directly to the correct static methods with a whitelisted action set.
• Improved: Chargeback Monitor ratio and trend queries are now transient-cached (15 min / 1 hour TTL) with automatic invalidation on new disputes or brand-backfill runs, so the dashboard doesn’t re-query order meta on every page load.

1.2.0

• Added: Shipping Address Anomalies detection module — detects address hopping, billing/shipping country mismatches, and address change velocity.
• Added: Address diversity ratio scoring — penalizes customers who ship to many different addresses relative to order count.
• Added: Billing/shipping country mismatch detection — flags cross-border shipping patterns.
• Added: Address change velocity signal — detects rapid address changes within a configurable time window.
• Added: Pro address diversity trend analysis — detects sudden behavioral shifts in shipping address patterns.
• Added: Pro enhanced country mismatch severity — deeper pattern analysis for reshipping fraud detection.
• Added: Historical backfill for country codes on existing address fingerprints.
• Added: Configurable velocity window setting (7-90 days, default 30) in Settings > Modules.
• Added: Customer Detail Analyst Grid — redesigned customer profile with trust score gauge, signal impact bars, return rate trend chart, activity feed, linked accounts, and collapsible admin notes.
• Added: Weekly return rate trend data with 1-hour transient cache for the customer profile chart.
• Fixed: ActionScheduler runaway loop on the email-hash backfill — scheduling is now idempotent and race-free via replace-semantics, backfill batches are try/catch isolated, and failing orders are tagged with a sentinel so one bad row can’t block the backfill forever. Removed the admin_init scheduler that caused unbounded fan-out on sites with heartbeat traffic.
• Fixed: Shipping anomalies country-code backfill silent-skip loop — unresolvable rows now get a sentinel value so they drop out of the NULL result set, and the batch runner terminates cleanly on all failure modes.
• Fixed: Historical sync no longer hangs in “running” state when a single malformed order throws — transitions to a terminal “failed” state so the user can retry from the UI.
• Fixed: Hash column migration was skipped on sites whose stored DB version already matched the current version.
• Fixed: Reset data now succeeds on free installs that don’t have Pro-only tables.
• Fixed: Customer lookup now accepts legacy 32-char MD5 hashes alongside the current SHA-256 format for backward compatibility.
• Fixed: Customer detail page first_order_date null guard prevents a PHP notice on customers whose first order date isn’t set.

1.1.8

• Fixed: Prevented excessive ActionScheduler task accumulation — order meta saves no longer trigger unnecessary WooCommerce analytics reimports.
• Added: Daily cleanup of completed ActionScheduler actions older than 7 days to keep the database lean.
• Updated: Freemius SDK.

1.1.7

• Added: Pro one-click Dispute Evidence Report — generate a professional, print-ready behavioral risk report for payment processor dispute responses.
• Added: “Dispute Report” button on the customer profile page and order metabox for instant report generation.
• Added: Report includes trust score, risk signals, order history, return analysis vs store average, linked accounts, and full event timeline.
• Added: Extensible action hooks trustlens/customer_profile_actions and trustlens/order_metabox_actions for Pro feature buttons.

1.1.6

• Added: Color-coded trust segment badge column on the WooCommerce orders list — see customer risk at a glance while processing orders.
• Added: Segment filter dropdown on the orders list — filter orders by Critical, Risk, Caution, Normal, Trusted, or VIP segment.
• Added: Sortable trust column — click the column header to sort orders by segment severity (Critical first).
• Added: Trust badge links directly to the TrustLens customer profile for one-click access to full behavioral history.
• Added: Automatic _trustlens_email_hash order meta storage with background backfill for existing orders via Action Scheduler.
• Improved: Unscored customers display a “New” badge; safe segments (Normal, Trusted, VIP) use muted styling to draw attention to risky orders.

1.1.5

• Added: Shared TrustLens mail sender with recipient validation, structured error capture, and rolling email delivery logs.
• Added: Keyed HMAC-SHA256 hashing for customer identifiers and linked-account fingerprints.
• Changed: Refreshed the WordPress.org plugin title, description, FAQs, and search-focused copy for clearer positioning around customer risk, abuse detection, disputes, and chargebacks.
• Changed: Split the admin controller into focused pages, settings, notices, and AJAX service classes for cleaner maintenance.
• Fixed: Welcome summary is now marked sent only after successful delivery and can retry after transient mail failures.
• Fixed: Test notification now uses the same delivery path as real emails and surfaces detailed mailer errors when available.
• Fixed: Scheduled reports now honor weekly/monthly recipient settings, support comma-separated recipient lists, run at the configured due time, and include a working manual “Send Now” path.
• Fixed: Stored scheduled reports now track real per-recipient delivery results, retry failed sends, and avoid false-positive “sent” logs.
• Fixed: Privacy export and erasure now include signals, linked-account fingerprints, category stats, and automation logs.
• Fixed: Automation actions now write canonical action IDs and analytics/ROI reporting now read the correct action names.
• Fixed: Customer blocking now logs customer_blocked events consistently so reports and event-based metrics stay accurate.
• Fixed: Customer state changes now use consistent canonical events and webhook wiring for blocked, unblocked, and allowlisted flows.
• Improved: Notification and report cron hooks are now reconciled during runtime, cleared when disabled, and cleaned up correctly on uninstall.
• Improved: Reset and customer delete flows now clear all related operational data, logs, and derived records consistently.
• Removed: TrustLens-specific auto-update notice and one-click auto-update toggle so plugin updates are managed only through standard WordPress controls.
• Removed: Remaining active md5() usage from plugin code, replacing it with SHA-256 for internal dedupe keys.

1.1.4

• Added: Dashboard chart cards now show polished empty-state UI for Trust Score Trends, Refund Activity, Activity by Hour, and Protection Trend when data is unavailable.
• Fixed: Historical Sync completion summary now reports the actual profiled customer count from the TrustLens customer table.
• Fixed: Dashboard health attention messaging now aligns with actual risk-customer counts.
• Improved: Historical Sync backfill now reconstructs historical events with original timestamps and keeps rebuilds idempotent.
• Docs: Deployment guide now documents only Freemius ZIP based WordPress.org deploy flow.

1.1.3

• Added: Historical Sync now backfills coupon behavior metrics (total_coupons_used, first_order_coupons, coupon_then_refund) from older WooCommerce orders.
• Added: Historical Sync now rebuilds category aggregates and linked-account fingerprints from historical orders for more accurate scoring inputs.
• Added: Historical Sync now reconstructs historical timeline events (orders, refunds, coupon events) using original order/refund timestamps.
• Improved: Sync backfill paths are re-sync safe and remove previously generated synthetic sync events before rebuilding.

1.1.2

• Fixed: Historical Sync now safely handles WooCommerce refund objects and no longer fails with OrderRefund::get_billing_email() errors.
• Fixed: Empty dashboard sync flow now always shows the correct progress UI when sync starts.
• Improved: Sync batch AJAX failures now recover UI state instead of leaving controls hidden.
• Added: Reliable activation redirect to TrustLens dashboard after plugin activation.

1.1.1

• Fixed: Historical Sync now surfaces precise server error messages instead of generic AJAX failures.
• Fixed: Optimized sync startup order counting to avoid loading all order IDs in memory.
• Fixed: Corrected sync customer totals to count only newly inserted customers across batches.
• Improved: Refactored duplicated batch-processing logic into a shared internal helper for consistency.
• Improved: Removed unused sync polling code path and dead AJAX endpoint, and hardened Action Scheduler fallbacks.
• Fixed: Ensured WordPress pointer assets are enqueued on TrustLens admin pages to prevent Freemius pointer JS errors.

1.1.0

• Added: New dedicated Payment Controls settings tab.
• Added: Pro Payment Method Risk Controls to hide selected gateways for risky segments at checkout.
• Added: Pro Velocity Protection for temporary gateway restrictions during high order-attempt spikes.
• Added: Pro Linked Account Protection using linked-account fingerprints (address, phone, IP, device) for real-time gateway restriction decisions.
• Improved: Restriction event logging now includes trigger reasons and linked-account risk context for auditability.

1.0.6

• Added: Redesigned Pro upsell experience with polished value panels, comparison rows, and improved CTAs across Automation, Notifications, Webhooks, Reports, and Chargebacks.
• Improved: Unified upsell rendering via a shared component for more consistent styling and messaging.
• Improved: Dashboard empty state now always shows the Historical Sync action (with clearer guidance when no eligible historical orders exist).
• Fixed: Removed obsolete locked-notification upsell styles and redundant upsell markup paths.

1.0.5

• UI Improvements.

1.0.4

• Added: Automation is now a dedicated menu (TrustLens → Automation) with its own page and dashboard-style layout.
• Added: Chargebacks (Pro) settings tab: enable/disable module and “Auto-block after N lost disputes” with proper save.
• Added: Test notification: 15-second timeout and clear message when mail/SMTP is not configured.
• Changed: Automation removed from Settings tab; old Automation tab URL redirects to the new Automation page.
• Changed: Modal styling (card look, accent bar, overlay blur, improved header/body/footer and close button).
• Changed: Global “Enable Notifications” now applies to all notifications (Standard and Pro).
• Changed: Pro notifications list refactored to a single source of truth (no duplicate markup).
• Fixed: API tab no longer shows the stored key hash when a key exists; placeholder and copy instructions shown instead.
• Fixed: API documentation: endpoints table matches implementation (lookup, update customer, events, recalculate, stats/segments); example response corrected.
• Fixed: At that time, REST API routes for customer events and recalculate used the then-current 32-character email hash format.
• Fixed: Data tab: starting Historical Sync from Settings → Data now shows progress bar and updates correctly.
• Fixed: Test notification no longer spins indefinitely when server mail is not configured.
• Other: Redundancy cleanups on Automation, Data, and Notifications pages; Chart.js not loaded on Automation page.

1.0.3

• Bug fixes

1.0.2

• Dashboard and customer pages UI refinements (spacing, sizing, alignment, and visual polish).
• Improved color system with reusable segment variables and a primary plugin color token.
• Split admin styles into page-specific files for better maintainability and scoped loading.
• Test data generation now seeds higher trust scores in the 80-95 range.

1.0.1

• Release packaging and deployment workflow updates (no functional changes).

1.0.0

Core Engine

• Trust score calculation engine with weighted signal aggregation (0-100 scale)
• 6-tier customer segmentation: VIP, Trusted, Normal, Caution, Risk, Critical
• Account age loyalty bonus (up to +15 points for 1+ year accounts)
• Configurable minimum order threshold before segment classification
• Allowlist system with automatic score override to 100

Detection Modules

• Return abuse detection — refund rate, refund value, and return frequency analysis
• Order pattern analysis — completion rates, cancellation tracking, order velocity
• Coupon abuse detection — first-order discount exploitation and coupon-then-refund patterns
• Category-aware scoring — per-category return rate tracking with weighted penalties
• Linked accounts detection — multi-account identification via address, phone, IP, payment, and device fingerprinting

Dashboard & Analytics

• 9-section command center dashboard with store health score
• 6 interactive Chart.js charts: trust trends, segment distribution, refund activity, hourly activity, category return rates, monthly protection trend
• KPI cards: total customers, average trust score, new high-risk, events (24h), total orders, return rate
• ROI scorecard with money protected, money at risk, protection rate, and actions taken
• Top returners table and high-risk customer attention list

Customer Management

• Searchable customer list with segment, score, and return rate columns
• Customer detail page with full behavioral history and signal breakdown
• Manual block and unblock with checkout enforcement
• Allowlist management for VIP protection
• CSV export for full customer list
• JSON export for individual customer profiles

Integrations

• WooCommerce order edit screen integration showing trust score
• REST API with 8 endpoints and API key authentication
• GDPR data export and erasure via WordPress privacy tools
• WooCommerce High-Performance Order Storage (HPOS) compatibility
• Action Scheduler for asynchronous score processing

Notifications

• Blocked checkout email alert
• Welcome summary (24 hours after activation)
• Weekly protection summary report

Historical Sync

• Background import of existing WooCommerce orders
• Progress tracking with start/stop/resume controls
• Batch processing without site performance impact