SalamBaba Orders - Delivery Module
=================================

Files:
  - orders/delivery/delivery.php
      Public driver-facing form (no login) for confirming delivery or failed delivery,
      with HMAC-secured link:
        https://salambaba.co/orders/delivery/delivery.php?code=TRACKING_CODE&token=TOKEN

  - orders/delivery/upload.php
      Internal helper endpoint for logged-in head_carrier / admin to upload delivery proofs.

  - orders/delivery/delivery.css
      Stylesheet for delivery.php page.

  - orders/delivery/readme.txt
      This file.

How to integrate driver link
----------------------------

In any PHP page where you already have $o (row from `orders` table), and you have:

    $order_uid     = $o['order_uid'];
    $tracking_code = $o['tracking_code'];

Add (AFTER config.php is loaded so DELIVERY_LINK_SECRET is defined):

    $token = hash_hmac('sha256', $order_uid, DELIVERY_LINK_SECRET);
    $link  = 'https://salambaba.co/orders/delivery/delivery.php?code='
           . rawurlencode($tracking_code)
           . '&token='
           . rawurlencode($token);

You can then show $link as:
  - a button/link in head-carrier panel
  - or send via SMS / WhatsApp to the driver.

Database requirements
---------------------

Table `order_delivery_proofs` must exist with at least these columns:

    id              INT AUTO_INCREMENT PRIMARY KEY
    order_id        INT NOT NULL
    item_id         INT NULL
    serial_number   VARCHAR(100) NULL
    customer_name   VARCHAR(255) NULL
    customer_phone  VARCHAR(20) NULL
    address_snapshot TEXT NULL
    note            TEXT NULL
    photo1          VARCHAR(255) NULL
    photo2          VARCHAR(255) NULL
    photo3          VARCHAR(255) NULL
    video1          VARCHAR(255) NULL
    created_by      VARCHAR(100) NULL
    created_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP

Config requirement
------------------

In orders/includes/config.php you must have:

    define('DELIVERY_LINK_SECRET', 'SLMB_DRIVE_'.md5('your-super-secret-key-2025'));

(You already added this in your config. DO NOT change it later,
otherwise old links will become invalid.)

Security notes
--------------

- delivery.php does NOT require login. Access is protected only by the HMAC token.
- upload.php REQUIRES login and only accepts roles: admin, head_carrier, logistic.
- For delivered (تحویل موفق) status, at least one file (photo or media) is required.
