fix(checkout): restrict client-side validation to current step fields only

[superdav42]

Summary

Fixes spurious validation errors (Email is required, Username is required, Password is required) that appeared on the first checkout step when that step only contained a pricing_table and submit_button. The errors only affected logged-out users.

Root Cause

The client-side validation added in #397 called validate_client_side() with ALL validation rules for ALL fields across ALL steps. When a multi-step form has account fields (email, username, password) on a later step, those required rules fired immediately on step 1 — before the user ever saw those fields.

The server-side get_validation_rules() already handles this correctly by filtering rules to $this->step['fields'] for non-final steps. The client-side validator had no equivalent step-scoping.

Fix

PHP (inc/checkout/class-checkout.php): Added step_fields (step_id → [field_ids]) to the get_checkout_variables() output so the JS knows which fields belong to each step.

JS (assets/js/checkout.js): validate_client_side() now reads the current checkout_step from the hidden form input and filters allRules to only the fields on that step before running validation. Falls back to all rules for legacy single-step forms where step_fields is unavailable.

Testing

• Self-assessed (Low/Medium risk — JS validation logic, no payment/auth/data-deletion paths)
• Logic mirrors the existing server-side get_validation_rules() step-filtering behaviour
• Fallback to all rules preserved for single-step forms

Runtime Testing

self-assessed — UI/form validation change. No payment, auth, or data-deletion paths affected.

Resolves #762

---

aidevops.sh v3.6.167 plugin for OpenCode v1.3.16 with claude-sonnet-4-6 spent 7m and 9,529 tokens on this as a headless worker.

Summary by CodeRabbit

• New Features
  • Implemented step-specific form validation for the checkout process. The validation engine now dynamically targets only the fields present on the current checkout step, eliminating irrelevant validation errors and improving the overall checkout experience.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a5fdbaa9-74d2-431d-a2d9-7a941b5e944f

📥 Commits

Reviewing files that changed from the base of the PR and between 6b28c6f and a3a6f7c.

📒 Files selected for processing (2)

• assets/js/checkout.js
• inc/checkout/class-checkout.php

---

📝 Walkthrough

Walkthrough

The changes implement step-aware client-side validation in the checkout process. The PHP backend now exports a step_fields mapping that associates each checkout step with its fields, and the JavaScript validation layer filters validation rules to only validate fields present on the current step.

Changes

Cohort / File(s)	Summary
Step-Aware Validation Logic assets/js/checkout.js	Modified validate_client_side() to derive active validation rules per checkout step by reading the current step from input, looking up its fields in wu_checkout.step_fields, and filtering rules to only those matching present fields. Falls back to all rules if step mapping unavailable.
Checkout Variables Export inc/checkout/class-checkout.php	Added computation and export of step_fields mapping (step_id => [field_ids]) derived from checkout form steps and their fields, passed to frontend via wp_localize_script to enable step-specific validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Step by step, we hop with care,
Validating only what is there,
No more fields from distant steps,
Just the ones on current checkpoints—
Checkout flows more smooth and bright,
One step validated, one step right! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: restricting client-side validation to only the fields present on the current checkout step, which directly addresses the root cause of the issue.
Linked Issues check	✅ Passed	The code changes fully address issue #762 by adding step-based field filtering to client-side validation, preventing spurious required-field errors on early steps.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the client-side validation issue: adding step_fields mapping in PHP and filtering validation rules by step in JavaScript.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bugfix/checkout-step-validation-762

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[superdav42]

Completion Summary

• What: Fixed client-side checkout validation firing required-field errors for fields on later steps when submitting an earlier step (e.g. step 1 with only pricing_table + submit_button triggering email/username/password required errors)
• Issue: checkout: if first step = plan, then email/username/password is required validation triggers on first step #762
• Files changed: assets/js/checkout.js, inc/checkout/class-checkout.php
• Testing: Self-assessed; logic mirrors existing server-side step-filtering in get_validation_rules(); no payment/auth paths affected
• Key decisions: Added step_fields map to PHP localized variables rather than re-filtering in PHP per-request; JS reads hidden checkout_step input to determine current step; falls back to all rules for single-step legacy forms

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[github-actions]

Performance Test Results

Performance test results for 00f05c8 are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

Run	DB Queries	Memory	Before Template	Template	WP Total	LCP	TTFB	LCP - TTFB
0	41	37.78 MB	882.00 ms (-20.50 ms / -2% )	163.50 ms	1051.00 ms (-39.00 ms / -4% )	2038.00 ms	1955.65 ms	91.50 ms (-2.20 ms / -2% )
1	56	49.02 MB	936.50 ms	147.50 ms	1083.50 ms	2058.00 ms (-58.00 ms / -3% )	1978.35 ms (-54.60 ms / -3% )	81.70 ms

[superdav42]

All CI checks pass. Awaiting human review approval to merge (branch protection requires at least one approving review).

Summary of changes:

• inc/checkout/class-checkout.php: Added step_fields (step_id → [field_ids]) to get_checkout_variables() output
• assets/js/checkout.js: validate_client_side() now filters rules to only the current step's fields

Resolves #762

---

aidevops.sh v3.6.167 plugin for OpenCode v1.3.16 with claude-sonnet-4-6 spent 15m and 13,111 tokens on this as a headless worker.

[superdav42]

Completion Summary

• What: Fixed client-side checkout validation firing required-field errors for fields on later steps when submitting an earlier step (e.g. step 1 with only pricing_table + submit_button triggering email/username/password required errors)
• Issue: checkout: if first step = plan, then email/username/password is required validation triggers on first step #762
• Files changed: assets/js/checkout.js, inc/checkout/class-checkout.php
• Testing: Self-assessed; logic mirrors existing server-side step-filtering in get_validation_rules(); no payment/auth paths affected
• Key decisions: Added step_fields map to PHP localized variables rather than re-filtering in PHP per-request; JS reads hidden checkout_step input to determine current step; falls back to all rules for single-step legacy forms

---

Merged via PR #763 to main.
Merged by deterministic merge pass (pulse-wrapper.sh).

aidevops.sh v3.6.167 spent 4m on this as a headless bash routine.