DEV-7187: Validate exemption cert covers destination state #22

Open
ammesonb wants to merge 1 commit into master from bammeson/DEV-7187/exemption-state-check

@ammesonb

Summary

  • Single-state exemption certificates were being applied to all orders regardless of shipping destination, causing $0 tax on orders that should be taxed
  • Before sending a certificate ID in the Lookup call, we now call GetExemptCertificates to retrieve the cert's exempt states and verify the destination state is covered
  • Results are cached for 1 hour to avoid an extra SOAP round-trip on every page load
  • Fails closed: if the SOAP call errors or the cert doesn't cover the state, the exemption is not applied

Root cause

The plugin stored a single taxcloud_cert UUID per customer and passed it on every Lookup call. The TaxCloud API's spTransactionLookup treats any non-null cert ID as a binary "zero out all tax" switch without checking ExemptionCertificateStates. This is an API-level bug too, but this PR adds a client-side guard in the Magento plugin.

Changes

  • Model/Api.php: Added getValidatedCertificateID() and extractExemptStatesFromResponse(). Updated lookupTaxes() call site to validate before sending.
  • Test/Unit/Model/ApiTest.php: 10 parameterized + standalone test cases covering: state match/no-match via SOAP, state match/no-match via cache, SOAP failure (fail closed), no cert on customer, single-object SOAP response edge case.

🤖 Generated with Claude Code

…ore applying

Single-state exemption certificates were being applied to all orders regardless
of shipping destination, because the cert ID was passed to TaxCloud's Lookup
unconditionally. Now we call GetExemptCertificates to check the cert's exempt
states against the destination state, with 1-hour caching. Fails closed (no
exemption) if the SOAP call errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
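
The guard this PR describes, as an added PHP example that is not the plugin's code: the cert ID is returned only when the destination state is among the cert's exempt states, with a 1-hour cache and fail-closed error handling. The function names, the `$fetch` callable standing in for the GetExemptCertificates SOAP call, the array cache, and the `ExemptStates`/`ExemptState`/`StateAbbr` response layout are assumptions.

```php
<?php
declare(strict_types=1);

const CERT_CACHE_TTL = 3600; // 1 hour, the cache lifetime stated in the PR summary

// Assumed response layout: ExemptStates -> ExemptState -> StateAbbr.
// PHP's SoapClient returns a bare object instead of a list when there is only
// one element, so the node is normalised to an array first.
function exemptStatesFromResponse(object $response): array
{
    $node = $response->ExemptStates->ExemptState ?? [];
    $states = [];
    foreach (is_array($node) ? $node : [$node] as $item) {
        if (is_object($item) && is_string($item->StateAbbr ?? null)) {
            $states[] = strtoupper(trim($item->StateAbbr));
        }
    }
    return $states;
}

// Returns $certId only when the cert covers $destState, otherwise null (no exemption).
// $fetch is a hypothetical callable wrapping the SOAP call; $cache stands in for the real cache.
function validatedCertId(?string $certId, string $destState, callable $fetch, array &$cache, ?int $now = null): ?string
{
    if ($certId === null || $certId === '') {
        return null; // customer has no certificate
    }
    $now ??= time();
    $entry = $cache[$certId] ?? null;
    if ($entry === null || $entry['expires'] <= $now) {
        try {
            $states = exemptStatesFromResponse($fetch($certId));
        } catch (\Throwable $e) {
            return null; // fail closed: a failed lookup grants nothing and is not cached
        }
        $entry = $cache[$certId] = ['states' => $states, 'expires' => $now + CERT_CACHE_TTL];
    }
    return in_array(strtoupper(trim($destState)), $entry['states'], true) ? $certId : null;
}

// Constructed sample data: a single-state (WA) cert in the single-object form.
$cache = [];
$waOnly = (object)['ExemptStates' => (object)['ExemptState' => (object)['StateAbbr' => 'WA']]];
$ok = fn(string $id): object => $waOnly;
$fault = function (string $id): object { throw new \RuntimeException('SOAP fault'); };

var_dump(validatedCertId('cert-a', 'WA', $ok, $cache));    // destination covered
var_dump(validatedCertId('cert-a', 'OR', $fault, $cache)); // not covered, answered from cache
var_dump(validatedCertId('cert-b', 'WA', $fault, $cache)); // lookup fails
```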