AI eShop Optimizer

Changelog

6.4 – 2026-06-02

Missing Hot Sellers, variation descriptions on swatches, and clean activation on a fresh database

• Missing Hot Sellers now lets you control what counts as a “gap” so the totals reflect real opportunities. An Include filter chooses which statuses appear — by default drafts to complete and products not in the eshop at all, while Private (one-time/reciprocal offers you deliberately took offline) and Pending are excluded. The headline count, in-store turnover and estimated recoverable figure all follow the filter.
• New exclude-by-pattern field: list name or SKU substrings (e.g. recurring offers, coupons, gift vouchers, catch-all accounting SKUs like “ΔΙΑΦΟΡΑ ΕΙΔΗ”) and any matching product is dropped from the list and the totals — for current and future imports.
• The per-row Dismiss still removes a single SKU permanently; dismissed items now appear in a manage list with a Restore link, so exclusions are no longer one-way. All filtering happens at read-time (no re-detection needed).
• Product swatches now surface each variation’s own description. The per-variation description (e.g. “No100 Fair”) is combined with its attribute into a “description – attribute” caption (e.g. “No100 Fair – Ανοιχτόχρωμο”) shown when you hover an image swatch, under the product title on selection, and — alongside the attribute — in the cart, checkout, order details and emails. The swatch caption is read instantly from the preloaded swatch cache, so it costs nothing at render time; a “Variation name under product title” toggle was added to the Product Swatches settings, and the cart/order label is filterable (aieo_dmm_swatch_cart_desc_label).
• Removed the PHP warnings emitted on first activation against a fresh database — Undefined array key "index_type" / "index_name" / "index_columns" / "column_name" from wp-admin/includes/upgrade.php, followed by Cannot modify header information - headers already sent (the warning output broke the post-activation redirect). WordPress’s dbDelta() parses CREATE TABLE line by line and mis-reads blank lines (as empty indexes) and -- SQL comments (as columns) once PHP 8 surfaces undefined-array-key warnings. A new aieo_dbdelta() wrapper strips blank/comment lines before table creation, so our documented schema SQL stays readable while dbDelta receives one field/index per line. Affected the Customer Surveys and Push customer-intelligence schemas; observed on a fresh MySQL 8.4 install.

6.3 – 2026-06-02

Paid-traffic attribution (Facebook + TikTok + Google), offer-targeting correctness, catalogue-query hardening

• Attribution: full paid-social support. The session attribution now captures the raw click id (fbclid / ttclid / gclid / gbraid / msclkid / …) for Conversions-API & offline-conversion uploads, plus the campaign -> ad set / ad group -> ad hierarchy (Meta ad_id / adset_id / campaign_id, TikTok and Google adgroup_id), so paid campaigns can be analysed down to the ad. TikTok and Google iOS (gbraid / wbraid) clicks are now classified correctly, and Instagram link shares stay “social” (not mis-tagged as paid).
• Product discounts / Free gifts / Free shipping — targeting correctness:
  • Exclusions now work as a cart-level veto: when the cart contains any excluded brand / category / need / product, the discount, gift or free-shipping rule no longer applies (as the UI states).
  • The “Specific products” whitelist is now enforced — an offer that requires one of those products only applies when the cart actually contains one.
  • Per-product discounts now honour the exclusion lists, and cart-conditional discounts (minimum subtotal / specific-products) no longer apply unconditionally.
  • Fixed a double-discount that could apply the percentage twice on cart lines when “apply discount to the main product price” was enabled.
  • Free-gift awards now respect exclusions and the specific-products whitelist.
• Fixed brand-only discounts being mis-attributed across every line in the offer ROI reports.
• Duplicate-promo detection now considers every condition (exclusions, thresholds, scopes, specific-products) so distinct promos are no longer dropped as “duplicates”; gift offers are now de-duplicated on save to prevent accidental gift stacking.
• Performance: product targeting lookups are memoised within a request (fewer repeated taxonomy reads during cart and shipping calculation).
• Hardening: the gift “sample” hiding on shop / search pages no longer issues an expensive postmeta self-join on every archive query (it could pin the database for minutes on large catalogues) — sample products are now excluded via a cached id list.
• Stock Recovery: in-store demand is now shown for both the recency window (which drives the suggested restock quantity) and all-time since the product went out of stock, clearly labelled on the headline totals and each row — so the figures match the suggestion.
• New: Multi-Attribute Variations tool (Catalog Sync → Stock Management) — lists variable products that use more than one attribute for variations (e.g. colour × size). Allowed by default (a master switch lets you turn on a save-guard that blocks them in catalogues where it’s a mistake).

6.2 – 2026-06-01

Flat-vitals data sourcing, schedulable predictor, recovery insights

• SKU and barcode (GTIN) indices are now precomputed into the core product vitals table on every build — rolled up per parent in the variation-combine step — and a parent_id index was added. SKU/barcode lookups now read a single flat vitals row instead of joining the legacy Pods table.
• Sales / out-of-stock predictor: the staged (batched) build now also runs on the scheduled path, so the predictor can be put on a schedule (WP-Cron / system cron) without the parent-grain pass stalling — previously only the manual “Run now” used batches.
• Stock Recovery: new headline card totalling the in-store sales of products the eshop currently has out of stock, alongside the predictor’s pessimistic / average / optimistic recovery-value estimates.
• Missing Hot Sellers: new card totalling the in-store sales currently missing online (products, units, turnover).
• Stock Recovery confidence thresholds each get a plain-language hover tooltip explaining the setting and how to tune it.
• Performance: bulk COGS apply now suppresses heavy per-save reindex hooks (search / filtering / feeds / embeddings) for the duration of the run, so large catalogues update in a fraction of the time.
• Fixed: the full bundled translation could be shadowed by an incomplete wp.org language pack (e.g. a 10-string Greek pack), leaving most of the admin UI in English. The plugin now forces its bundled translation to take precedence over an incomplete global language pack.

6.1 – 2026-05-31

• Physical-Demand Recovery: detects products the ERP marks out-of-stock that the physical stores still sell, and can auto-restock them (manager confidence thresholds) — with recovered-sales (units + €) and success/failure tracking.
• Missing Hot Sellers: ranked list of SKUs selling in-store but not live in the eshop (draft imports needing images/description/categories/brand, or absent), with direct edit links.
• Catalog Sync reorganised into a two-column panel (Stock Management / Sync & Feeds).
• Sales/out-of-stock predictor now runs from the UI in batches (no timeout); grain/anchor controls realigned.
• All Insights reports (wpDataTables) re-pointed to the AIEO schema; two new Insights-chat skills for the data above.
• Fixed a harmless “Duplicate column name ‘entry_source’” notice on deactivate/reactivate.

6.0 – 2026-05-29

Block-checkout COD gating suite, BoxNow Partner API, payment-method reactivity

• NEW: Cash-on-Delivery can be disabled per destination country. A multiselect in the COD card (Free Shipping tab) hides COD for the chosen billing countries, driven by the checkout country switcher — flip to Cyprus and COD disappears live; Greece keeps it. Works on both classic and block (Store API) checkout via a runtime delegate plus a canMakePayment block callback that updates reactively on every country/shipping change, no reload
• NEW: COD can be disabled per shipping method / courier (e.g. tick “Box Now” to forbid COD whenever Box Now is selected). Table-rate rate IDs are normalised (the _rule_{id} suffix stripped) before matching so every carrier resolves correctly
• NEW: per-courier COD fee override with a {cod_fee} placeholder in the gateway description that resolves to the courier-specific amount. Decimal entry accepts both . and ,
• Performance: the entire gating layer only registers its filters / block JS when a country, courier, or fee override is actually configured — stores on plain default COD pay no runtime cost
• NEW: Payment Gating (cheque-on-pickup) now works on block checkout and lives under the COD card on the Free Shipping tab (its standalone tab is removed). Runtime delegate added so the Store API path honours it
• NEW: BoxNow Partner API driver — full integration (manual v7.2). OAuth2 client_credentials auth, create voucher, label PDF, cancel, and locker listing; the order-edit Print action now appears for BoxNow vouchers. Verified create → label → cancel on production. Credentials live in courier_boxnow settings; build_voucher_payload() now passes order_id so the driver can read the customer’s chosen locker
• NEW: Skroutz / Shopflix feeds emit color + additional_image for the “Μόδα” (fashion) category, sourced from core product vitals. Skroutz wraps colour in CDATA and emits <color/> when empty so the field is present on every product
• Fixed: checkout landing message now spans the content width (carries the theme alignwide class) so it lines up with the checkout/cart rows below
• Fixed: chat model selection now saves newly released models (e.g. Claude Opus 4.8) — the Save handler validates against the model registry instead of a hardcoded whitelist that silently reverted the choice
• Fixed: array_map() fatal on the chat-model save path, plus four more (array) sanitize_text_field($_POST[...]) array-swallowing anti-patterns (embedding manager, ratings, TRS zone admin, DMM social login)
• Removed: the deprecated legacy shipment-tracking module (AIEO Fulfillment tracking supersedes it; orphaned option cleaned up)

5.10 – 2026-05-28

Shopflix voucher endpoint fix + admin list-table per-page caps

• Fixed: Shopflix voucher PDFs were coming back with the wrong layout/rotation. The print endpoint expects /shipments/{trackingNumber}/print, not /shipments/{orderId}/print — Shopflix support confirmed 2026-05-28. We now capture trackingNumber from the create response (with a /orders/{id} fallback for already-existing shipments) and call print correctly. Vouchers now respect the merchant-portal-selected label format
• NEW: admin list-table per-page caps. Tools tab → “Admin list-table per-page caps” card sets a hard ceiling on Screen Options for the All Orders + All Products lists (defaults 200/200). Operators below the cap keep their personal value untouched; only those above (e.g. shop managers running at 500–600) get clamped on the next render. Settings are administrator-only — shop managers see the card but it’s overlaid with a frosted “Administrator only” lock. Cap=0 disables enforcement for that screen

5.9 – 2026-05-28

AS async runner restored, admin-bar menu, Shopflix error decoder, re-ship of ACS driver

• Critical fix: ensures the ACS Courier driver fixes actually ship. The 5.8 wp.org package was built from a snapshot that predated the ACS driver rewrite, so sites updating from 5.8 didn’t get the 10 fixes documented in the 5.8 changelog. 5.9 re-bundles them properly. If you’re on 5.8 and your ACS vouchers were still mis-printing (Weight: 5,00, COD: 602,00), update to 5.9
• NEW: Action Scheduler async runner re-enabled. Pending actions now drain continuously instead of waiting for the 5-minute system-cron window. AS’s own background AJAX runner is allowed to fire on every page load; regular page rendering stays unaffected (concurrent_batches=0 on web). One prod site went from 150 overdue actions to 81 in under a minute after the fix
• NEW: admin-bar menu. The “AI Optimizer” icon appears in the WordPress admin toolbar with dropdown shortcuts to Data Prep, e-shop Manager, and AI Chat. Saves the operator a sidebar-scroll on every screen
• Fixed: Shopflix accept errors are now human-readable. The Shopflix API returns errors under error.message + error.code, but our parser was reading error.errorMessage and falling back to “HTTP 400”. Now surfaces the actual message (“Cannot Accept Order (10303)” etc.) so operators know whether to retry, contact Shopflix support, or skip the order

5.8 – 2026-05-24 to 2026-05-26

Three-day stretch — COD surcharge fix, Skroutz webhook repair, ACS Courier driver rewrite, AS dedup hardening, fulfillment polish

• Fixed: COD payment method was hidden at checkout when the cart used a non-whitelisted shipping slug. AIEO now force-restores the configured COD gateway, pre-empting WC’s “Enable for shipping methods” whitelist and any third-party filter (Box Now, COD-Plus). Runtime + admin both updated
• Fixed: COD fee now overwrites a same-label legacy fee instead of skipping via idempotency. Operator-set €X is authoritative
• Marketplace Order Importer — Skroutz webhook integration repaired end-to-end: parser accepts both wrapped {event_type, order:{…}} and flat {event_type, id, code, …} payload shapes; falls back to order.code when Skroutz omits the numeric id; uses Skroutz’s current line-item field names (product_name / unit_price / total_price); Mapper survives orphaned product references via try/catch + free-form line-item fallback
• NEW: REGISTERED state added to the MOI Accept/Reject button allowlist so Shopflix orders in their initial state actually show the action buttons
• ACS Courier driver — ten fixes audited against the official ACS Rest API docs: response envelope preserved (so ACSExecution_HasError + per-row Error_Message reach the UI); response traversal corrected to ACSOutputResponce.ACSValueOutput; address split into street + number; Greek phone landline/cell split with +30 stripping; Charge_Type defaults to 2, auto-switches to 4 when COD; Acs_Delivery_Products auto-appends COD when cod_amount > 0; print uses the correct ACS_Print_Voucher alias and decodes the base64 PDF; cancel uses the correct ACS_Delete_Voucher alias; Weight + Cod_Ammount now sent as JSON numbers (was being parsed by ACS with Greek locale, multiplying decimals by 10 on the printed label)
• NEW: Recompute queue — atomic dedup at the AS schedule layer. New pre_as_schedule_* filters with MySQL GET_LOCK short-circuit as_schedule_* calls when a pending/in-progress action exists. Closes the dedup-bypass that let parallel recurring chains accumulate (one prod site had 225 pending ticks for a single hook before the fix)
• Fixed: Session Tracker trackAddToCart now guards $button.* access and falls back to page context when callers fire added_to_cart without the 4th $button arg. Fixes the spinner-stuck symptom on the swatches bulk-add path
• NEW: Fulfillment vouchers — postal_code column stored at voucher creation. Migration is idempotent and runs on plugin upgrade
• Fixed: Stock import now strips the UTF-8 BOM, transcodes Windows-1253 / ISO-8859-7 → UTF-8, and synthesises a header row when the first line is data. Greek-locale Excel exports import without manual conversion
• NEW: Price export — Stock column + Vitals fast-path. Reading from the vitals cache turns a 90-minute export on a 25k-SKU catalogue into about 2 minutes; Live path unchanged
• Marketplace feeds — field parity with the wpwoof reference + universal ?cf-no-cache=1 cache-bust on every emitted URL. Fixes the long-standing g:price bug that was emitting the sale price instead of the regular price
• NEW: Geniki monthly invoice CSV reconciliation card on Fulfillment → Reports. Matches invoice rows to voucher rows; surfaces orphans either direction. Pattern is carrier-agnostic; Geniki is the first integrated
• Bulk fulfillment actions are now memory-protected. Lifts the practical limit from ~40 orders to 200–500+ depending on the carrier API
• Critical fix: WC 10.9 compat migration was looping forever. Replaced the broken “_product_image_gallery missing” gate with explicit _aieo_variation_migrated markers (one prod site ran the loop 153,219 times across 2.5 days). New operator UI in DMM → Variations gallery exposes the migration state
• Fixed: Variation image storage now uses a two-hop join via _product_image_gallery (WC 10.9 canonical) → _thumbnail_id → parent featured. Fixes the “variation image renders as the 40×40 swatch chip” regression
• Fixed: Star ratings mobile non-FSE alignment + caption wrap. Defeats Botiga’s universal button { min-width: ... } rule that pushed empty stars onto a second row

5.7 – 2026-05-24

Day-after follow-up to 5.6 — runtime-only brand blocks, engagement-gated Web Push, plus three small admin polish items

Web Push — engagement-gated banner (Chrome quiet-UI mitigation)
* NEW: the opt-in banner no longer mounts on a flat setTimeout(SHOW_DELAY_MS). It now waits for AIEO Session Tracker to dispatch an aieo:engagement CustomEvent on document at one of these milestones: pageviews-2, pageviews-3, scroll-25, scroll-50, scroll-75, add-to-cart, time-30s. The “Show delay (ms)” admin setting becomes a minimum-wait floor (banner never appears before that even if scroll fires at 2s)
* NEW: hard-cap fallback at 90s — visitors who never hit a milestone but also don’t bounce still see the banner eventually
* Graceful degradation: when AIEO Session Tracker is absent (operator disabled it OR runtime-only install without the admin asset), falls back to the original flat-timeout behavior so no install regresses
* Why this matters: Chrome’s quieter notification permission UI auto-denies prompts on domains with low acceptance rates. Asking bounce visitors on first-page-load poisons the reputation — every silent auto-denial counts as a “Block” signal. By only prompting engaged visitors, the acceptance rate per prompt climbs and Chrome’s quiet UI fires less aggressively over time
* Engagement signal source: AIEO_SESSION_TRACKER.pageViewsInSession (new public property, sessionStorage-backed, incremented eagerly even for bounce visitors so counts are accurate). New aieo:engagement CustomEvent is also dispatched from inside trackAddToCart and trackScrollDepth so other consumers can hook in too — no new tracker, just extends what’s already there

Brand blocks now runtime-resolvable — admin plugin no longer required for storefront pages that render aieo/brand-*
* NEW: AIEO_Runtime_Brand_Blocks delegate in the runtime plugin registers the six brand-related server-rendered blocks (aieo/brand-azindex, brand-slider, brand-rails, brand-related, brand-archive-hero, brand-story) at init priority 29 so they’re available even when the admin plugin isn’t in the request’s plugin whitelist. block.json + render.php files stay in the admin plugin’s directory (single source of truth); AIEO_Core_Brand_Vitals autoloads via the mu-plugins autoloader regardless of admin being active
* AIEO_Blocks_Loader::register_blocks() now consults WP_Block_Type_Registry::is_registered() before each register_block_type() call — when both plugins are active the runtime registration at init@29 wins, and admin’s loop at init@30 silently skips already-registered blocks (no more _doing_it_wrong notices from duplicate registration)
* Shared style handle aieo-article-cards (needed by brand-related) is also registered by the runtime delegate so brand-related renders correctly in runtime-only mode
* Use case: pages with brand sliders / brand A-Z directory / related-brands rails on category, blog, and landing pages no longer require the full admin plugin on every request — same render output, ~40 ms saved per page on cold-cache fetches

Fix — Session Tracker JS 404 + MIME-type refusal on every front-end page
* Fixed: aieo-session-tracker.js returned HTTP 404 with text/html body because the class was moved to the runtime plugin (Phase 1.5) but the JS asset was left behind in the admin plugin. plugin_dir_url(__FILE__) . '../assets/js/aieo-session-tracker.js' from the runtime class resolved to runtime/assets/js/aieo-session-tracker.js — which didn’t exist. Browsers logged “Refused to execute script from … because its MIME type (‘text/html’) is not executable” on every page load. The asset now ships alongside both plugin copies of the class so the runtime-first autoloader path finds its own asset

Critical fix — Web Push: opt-in pipeline broken by deferred JS + Service-Worker 404 + silent localStorage throws
* Fixed: AIEO_DMM_Web_Push now registers rocket_delay_js_exclusions on activation so WP Rocket’s “Delay JavaScript execution” feature stops treating aieo-push-optin, aieoPush, aieo-push-sw and aieo-magic-link-modal as deferred-until-interaction scripts. Without this, the opt-in banner JS only ran after a mouse-move / scroll / click that lands inside the page — bots, remote-desktop sessions, and visitors who follow a deep link straight to a product page never triggered it, so the subscribe POST never fired. Now Just Works on every install with no operator config
* Fixed: aieo-push-optin.js silently died on Edge’s Tracking Prevention (and Safari ITP) when localStorage.getItem() threw — the unguarded call killed the entire IIFE before the banner could even render. Now wrapped in try/catch; blocked storage is treated as “no cooldown set” so the banner still appears
* NEW: silent re-subscribe path — when Notification.permission === 'granted' from a prior visit but no wp_aieo_push_subscriptions row exists (e.g. the earlier SW-404 bug killed the original POST), the JS now silently registers the SW, calls pushManager.subscribe() and POSTs the result on page load. No banner re-prompt, no operator action — historical “granted but never recorded” users heal themselves on next visit
* Improved: postSubscription() now checks response.ok and throws on non-2xx so the outer try/catch records the failure instead of fire-and-forget. CFG.debug-gated console output for the operator who wants to dig in
* See docs/WEB_PUSH_INSTALL.md §4 for the Nginx location = /aieo-push-sw.js block — the third leg of this trio (404 SW URL was the upstream root cause on the FF prod incident 2026-05-23)

Data Prep Schedule — product_attributes stage added so brand blocks self-populate without the manual rebuild
* NEW: hourly data-prep cron now runs a product_attributes stage between category_hierarchy and product_vitals. This stage calls the AIEO_InsertCoreProductAttributes stored procedure with the operator’s configured brand / vendor / size / color attribute taxonomies — resolving parent brand_id from wp_term_relationships. The existing propagate_brand stage then copies parent → variations as before
* Why it matters: brand blocks (aieo/brand-azindex, brand-slider, brand-rails, brand-related, brand-archive-hero, brand-story) used to render empty on sites where the operator hadn’t ticked “Please recreate the product core attributes and principal categories” in the Operational Efficiency Settings UI. That checkbox is now correctly scoped as a manual intervention only — the hourly schedule covers the day-to-day case
* Defensive: the new stage uses information_schema.ROUTINES to verify the SP exists before CALLing it — older installs without the SP get a clean no-op instead of breaking the whole tick

Google Reviews — single-location auto-fallback + clearer empty states
* NEW: when the aieo/google-reviews block (or [aieo_google_reviews] shortcode) is in “Single location” mode but no slug is set AND the page can’t auto-resolve a location from context, the block now falls back to the operator’s only configured location if exactly one exists. Most SMB stores have a single physical shop — they no longer need to pick a slug for every block instance, the block just works
* Improved: the empty-state message now shows the actual number of locations configured and steers the operator to the right next step. “No Google Reviews locations configured yet — add one under…” (when 0 exist) vs “You have N locations configured — pick one via the block’s sidebar, or switch to All-locations / Cards grid mode” (when 2+ exist). Replaces the old cryptic “Set a location slug, or place this block on a page bound to a location row”
* The admin Settings tab now carries a full “How to display the reviews on the storefront” help card explaining the FSE block, the three shortcodes, all 11 attributes, and a do_shortcode() PHP-template snippet — so operators on classic themes / page builders find the docs without leaving the admin

Google Reviews — shortcodes for non-FSE themes + runtime-only exposure
* NEW: [aieo_google_reviews] shortcode — wraps the same render path the aieo/google-reviews block uses, so classic themes / widget areas / page-builder pages can drop in Google Reviews without needing FSE block-template editing. Single-location mode when a location attribute is supplied ([aieo_google_reviews location="downtown"]), all-locations mixed-feed otherwise ([aieo_google_reviews]). All block attributes are exposed in snake_case: min_rating, max_count, layout (grid/list/carousel), presentation (static/slider/rotator), autoplay_sec, show_overall, show_rate_us, show_maps_button, heading, mode (single/all_mixed/cards_grid)
* NEW: [aieo_google_locations_grid] shortcode — convenience alias forced to mode="cards_grid" for the per-location cards layout. Accepts the same attributes
* Single source of truth: both shortcodes call AIEO_Google_Reviews_Block::render() directly, so the cache, the markup, and the CSS handle are identical to the block output — operators can mix-and-match blocks (FSE) and shortcodes (classic) on the same site without divergent rendering
* NEW: AIEO_Runtime_Google_Reviews delegate exposes the block + shortcodes to runtime-only contexts — admin’s AIEO_DMM_Google_Reviews module is no longer required on the frontend. block class files stay in admin’s includes/dmm/google-reviews/ (single source of truth); the mu-plugins autoloader resolves them on demand. The block class is now idempotent (AIEO_Google_Reviews_Block::register() guarded by a $registered flag) and admin’s call is gated behind ! defined( 'AIEO_RUNTIME_OWNS_AJAX' ) so runtime is exclusive when both plugins are active. Same aieo/store-info block also exposed

Data Prep Schedule
* NEW: product_attributes stage runs hourly between category_hierarchy and product_vitals — calls AIEO_InsertCoreProductAttributes automatically so parent brand_id populates without ticking the manual “Recreate product core attributes” checkbox
* NEW: per-stage Notes column in the Last-run table — shows useful metrics per stage (e.g. “4921 / 13513 with brand · 194 distinct brands”)

Admin polish
* Fixed: Database Performance Optimization card no longer hardcodes “MariaDB 11.4+ detected!” / “MySQL 8.0+ detected!” — now interpolates the actual detected version from aieo_check_mariadb_version() (e.g. “MariaDB 11.8.7 detected!”). Falls back to the prior threshold strings if version_number is somehow missing
* Fixed: Google Reviews → Locations admin no longer uses Femme-Fatale-specific placeholder text (piraeus slug, Femme Fatale Πειραιάς display name). All four placeholders are now generic + translatable (e.g. main-store, downtown, branch-2, Customer-facing label for this location, etc.) so the form isn’t shipping client-branded examples

5.6 – 2026-05-23

Same-day follow-up to 5.5 — Fulfillment UX polish + two production hotfixes + CSV round-trip cleanup

Production hotfixes
* Hotfix: Undefined constant "AIEO_VERSION" fatal in AIEO_Wishlist::enqueue_assets() on category pages when AIEO Runtime loads before the main plugin’s constant definition. Defensive defined() fallback chain in the runtime: AIEO_VERSION → AIEO_RUNTIME_VERSION → '0.0.0'. Same pattern for AIEO_FILE. Surfaced on prod femme-fatale.gr /me-ammonia/ as a site-wide HTTP 500 immediately after the 5.5 upgrade
* Performance: new AIEO_Perf::strip_aioseo_product_schema_on_archives() short-circuits AIOSEO Pro’s Product / WooCommerceProduct / Offer / AggregateOffer schema graphs on archive and taxonomy pages. AIOSEO was iterating every product in the loop and calling $product->get_available_variations(), which on Iconic Variation Swatches triggers a $wpdb->get_results() per variation — ~900 queries per render on a 15-variable-product category. Single-product pages are unaffected (full JSON-LD still emitted where Google rich results actually matter). Prod render time on /me-ammonia/: 9.4s → 3.2s

Fulfillment — order-edit meta box
* Fixed: Add Voucher carrier dropdown was showing every registered carrier including disabled ones. Now filters to operator-enabled carriers + custom carriers only (matches the rest of the admin)
* Fixed: pressing Enter in the tracking-number input was submitting the order’s outer form, navigating to the “Downloaded products” panel. The AIEO meta-box inputs now suppress Enter and trigger the explicit Save button instead
* Improved: ACS (and any carrier already mapped via get_carrier_for_order()) is pre-selected when the modal opens, instead of defaulting to the alphabetical-first carrier
* Improved: button labels now reflect what will actually happen — “Save tracking” / “Generate voucher” by mode, with a paired “Save + mark completed” / “Generate voucher + mark completed” for the common single-click flow
* Fixed: custom carriers with create_mode = 'manual' (no API integration) no longer error with “driver does not support create_voucher”. The manual flow now persists the tracking number directly and fires the customer email, bypassing the driver call

Fulfillment — Carriers without API admin
* NEW: inline Edit button next to Remove on every row — label and tracking-URL template editable in place; Save / Cancel pair posts to the same upsert AJAX endpoint
* Fixed: tracking_url_template field was being silently ignored by the courier-driver base when an operator overrode the per-carrier default. AIEO_Courier_Driver_Base::tracking_url() now consults the operator-saved template first
* NEW: filter aieo_custom_carriers — themes / plugins can register carriers from functions.php, same pattern as WooCommerce Shipment Tracking’s wc_shipment_tracking_get_providers

Fulfillment — Settings
* NEW: “Backfill customer shipping paid” card — one-shot retrospective pass that fills _aieo_customer_shipping_paid on historical orders so the Shipment Cost reports’ income column is populated for past periods (not only orders placed after the cost-tracking went live)

Shipment Cost reports
* NEW: sortable column headers on the results table — click to sort by orders / income / our cost / free-shipping subsidy. In-memory client-side sort (the result set is already paginated server-side)

Role-based pricing — CSV round-trip
* Fixed: import now strips a leading UTF-8 BOM from the uploaded file before parsing (Excel-on-Windows exports leave one). Previously caused “must include sku column” errors when the actual header was \xEF\xBB\xBFsku
* Fixed: import auto-detects the separator (, vs ; vs \t) by counting candidates in the first line. Greek-locale Excel exports use ;; the previous hardcoded , parser produced unparseable single-column rows
* Improved: import error messages now state the detected separator and the header row that was parsed, so operators can see exactly why their file was rejected
* Fixed: export no longer prepends a UTF-8 BOM. Cross-environment round-trips (export from one site, import into another) used to fail until the import learned to strip BOMs; now the file is BOM-clean from the start, keeping cat / awk / diff output untouched as well

Critical fix — Social Login settings silently wiped on every Save
* Fixed: AIEO_DMM_Social_Login::ajax_save_settings() used the sanitize_text_field( $array ) anti-pattern as the guard for both providers and intents POST arrays. sanitize_text_field() on an array returns '' (empty string), so is_array('') was always false — every Save click silently wrote empty providers + every-intent-off, regardless of what the operator had ticked in the UI. Symptom: “I’ve enabled Google + Facebook for login / checkout but the buttons never render anywhere.” The guard is now is_array($_POST['providers']) directly; per-field sanitization (sanitize_text_field, sanitize_key) still runs on each value. Operators with previously-wiped settings need to re-enter their config once
* Same anti-pattern was caught in 3 other modules in 5.2 (see memory wp_sanitize_text_field_array_antipattern); this one slipped through because the SSO admin tab is less frequently tested

Marketplace Order Importer — webhook setup guide + Rooster-derived tokens
* NEW: per-vendor “Setup help” card on the AIEO MOI → Vendors tab. Surfaces the webhook URL prominently with a one-click Copy button and per-provider step-by-step instructions for where to paste it into the marketplace’s merchant panel. For Skroutz: deep-links to the exact merchants.skroutz.gr settings page, names the field operators need to find (“Webhook URL / Webhook παραγγελιών”), and reminds them to deactivate the legacy skroutz-marketplace-xml-for-woocommerce plugin once the new URL is saved. Poll-only providers (Shopflix, eMag) get the card skipped — nothing for the operator to do
* NEW: webhook tokens on freshly-created vendors are now derived from the operator’s Rooster API key via substr(hash('sha256', $rooster_key . '|moi-webhook|' . $vendor_slug), 0, 20). Each install gets a unique, stable, self-identifying webhook URL — and the URL is regenerable from the Rooster key alone, so losing the vendor row no longer means re-pasting random tokens into every marketplace panel. Hash, not substring, so the token never exposes any portion of the Rooster key. Falls back to a random token on standalone (non-Rooster) installs
* NEW: per-vendor “Use Rooster-derived token” button on the setup card lets operators migrate existing random tokens to the …