@blamejs/blamejs-shop 0.0.121 → 0.0.123

package/lib/storefront.js

@@ -676,8 +676,10 @@ var PRODUCT_PAGE =
   "          </table>\n" +
   "        </div>\n" +
   "      </div>\n" +
+  "      RAW_WISHLIST_PLACEHOLDER\n" +
   "    </div>\n" +
   "  </div>\n" +
+  "  RAW_REVIEWS_PLACEHOLDER\n" +
   "</section>\n";
 
 // PDP gallery markup — composed once per render call from the
@@ -720,6 +722,280 @@ function _buildPdpGallery(product, media, assetPrefix) {
   return heroImg + "<ul class=\"pdp__thumbs\" aria-hidden=\"true\">" + thumbs.join("") + "</ul>";
 }
 
+// Accessible star glyph row — the precise figure rides in a visually-
+// hidden label so a screen reader announces "4.3 out of 5 stars" while
+// sighted users see the rounded glyph fill. Mirrors the edge renderer
+// (`worker/render/product.js`) so both paths emit identical markup.
+function _reviewStars(value, label) {
+  var esc = _b().template.escapeHtml;
+  var filled = Math.round(value);
+  if (filled < 0) filled = 0;
+  if (filled > 5) filled = 5;
+  var glyphs = "";
+  for (var i = 1; i <= 5; i += 1) {
+    glyphs += "<span class=\"star" + (i <= filled ? " star--on" : "") + "\">" +
+      (i <= filled ? "★" : "☆") + "</span>";
+  }
+  return "<span class=\"stars\" aria-hidden=\"true\">" + glyphs + "</span>" +
+         "<span class=\"sr-only\">" + esc(label) + "</span>";
+}
+
+function _reviewDate(ts) {
+  var n = Number(ts);
+  if (!Number.isFinite(n) || n <= 0) return "";
+  return new Date(n).toISOString().slice(0, 10);
+}
+
+// Builds the PDP reviews block from the published aggregate + list.
+// Renders the "no reviews yet" empty state when the product has none;
+// `ctaHtml` is the operator/customer call-to-action (a "Write a review"
+// link, or "Sign in to review", resolved by the route). Mirrors the
+// edge renderer byte-for-byte so the two render paths stay in sync.
+function _buildReviews(summary, reviews, ctaHtml) {
+  var esc = _b().template.escapeHtml;
+  summary = summary || { count: 0, avg_rating: 0, distribution: { 1: 0, 2: 0, 3: 0, 4: 0, 5: 0 } };
+  reviews = reviews || [];
+  var count = Number(summary.count) || 0;
+
+  var head;
+  if (count > 0) {
+    var avg = Number(summary.avg_rating) || 0;
+    var avgStr = avg.toFixed(1);
+    var dist = summary.distribution || {};
+    var bars = "";
+    for (var s = 5; s >= 1; s -= 1) {
+      var n   = Number(dist[s]) || 0;
+      var pct = count > 0 ? Math.round((n / count) * 100) : 0;
+      bars +=
+        "<li class=\"rating-bar\">" +
+          "<span class=\"rating-bar__label\">" + s + " star</span>" +
+          "<span class=\"rating-bar__track\"><span class=\"rating-bar__fill\" style=\"width:" + pct + "%\"></span></span>" +
+          "<span class=\"rating-bar__count\">" + n + "</span>" +
+        "</li>";
+    }
+    head =
+      "<div class=\"reviews__summary\">" +
+        "<div class=\"reviews__average\">" +
+          "<span class=\"reviews__average-num\">" + esc(avgStr) + "</span>" +
+          _reviewStars(avg, avgStr + " out of 5 stars") +
+          "<span class=\"reviews__count\">" + count + (count === 1 ? " review" : " reviews") + "</span>" +
+        "</div>" +
+        "<ul class=\"reviews__distribution\">" + bars + "</ul>" +
+      "</div>";
+  } else {
+    head = "<p class=\"reviews__empty\">No reviews yet. Be the first to review this product.</p>";
+  }
+
+  var list = "";
+  for (var i = 0; i < reviews.length; i += 1) {
+    var r = reviews[i];
+    var rating = Number(r.rating) || 0;
+    var verified = Number(r.verified_purchase) === 1
+      ? "<span class=\"review__verified\">Verified buyer</span>"
+      : "";
+    var date = _reviewDate(r.created_at);
+    var bodyHtml = r.body
+      ? "<p class=\"review__body\">" + esc(String(r.body)) + "</p>"
+      : "";
+    list +=
+      "<li class=\"review\">" +
+        "<div class=\"review__head\">" +
+          _reviewStars(rating, rating + " out of 5 stars") +
+          "<h3 class=\"review__title\">" + esc(String(r.title || "")) + "</h3>" +
+        "</div>" +
+        "<div class=\"review__meta\">" + verified +
+          (date ? "<time class=\"review__date\" datetime=\"" + esc(date) + "\">" + esc(date) + "</time>" : "") +
+        "</div>" +
+        bodyHtml +
+      "</li>";
+  }
+  var listHtml = list ? "<ul class=\"reviews__list\">" + list + "</ul>" : "";
+
+  return "<section class=\"reviews\" aria-labelledby=\"reviews-title\">" +
+           "<h2 id=\"reviews-title\" class=\"reviews__heading\">Customer reviews</h2>" +
+           head +
+           listHtml +
+           (ctaHtml || "") +
+         "</section>";
+}
+
+var REVIEW_FORM_PAGE =
+  "<section class=\"review-form-page\">\n" +
+  "  <nav class=\"breadcrumb\" aria-label=\"Breadcrumb\">\n" +
+  "    <ol>\n" +
+  "      <li><a href=\"/\">Shop</a></li>\n" +
+  "      <li><a href=\"/products/{{slug}}\">{{title}}</a></li>\n" +
+  "      <li aria-current=\"page\">Write a review</li>\n" +
+  "    </ol>\n" +
+  "  </nav>\n" +
+  "  <h1 class=\"review-form-page__title\">Review {{title}}</h1>\n" +
+  "  RAW_NOTICE_PLACEHOLDER\n" +
+  "  <form class=\"review-form\" method=\"post\" action=\"/products/{{slug}}/review\">\n" +
+  "    <fieldset class=\"review-form__rating\">\n" +
+  "      <legend>Your rating</legend>\n" +
+  "      RAW_STARS_PLACEHOLDER\n" +
+  "    </fieldset>\n" +
+  "    <label class=\"form-field\">\n" +
+  "      <span class=\"form-field__label\">Title</span>\n" +
+  "      <input type=\"text\" name=\"title\" maxlength=\"120\" required autocomplete=\"off\">\n" +
+  "    </label>\n" +
+  "    <label class=\"form-field\">\n" +
+  "      <span class=\"form-field__label\">Your review</span>\n" +
+  "      <textarea name=\"body\" maxlength=\"4000\" rows=\"6\"></textarea>\n" +
+  "    </label>\n" +
+  "    <button type=\"submit\" class=\"btn-primary\">Submit review</button>\n" +
+  "  </form>\n" +
+  "</section>\n";
+
+// Auth-gated review form. `opts.product` carries { title, slug };
+// `opts.notice` is an optional error string rendered above the form
+// (e.g. a validation rejection bounced back from POST).
+function renderReviewForm(opts) {
+  var esc = _b().template.escapeHtml;
+  var slug = opts.product.slug;
+  var stars = "";
+  for (var rv = 5; rv >= 1; rv -= 1) {
+    stars +=
+      "<label class=\"star-radio\">" +
+        "<input type=\"radio\" name=\"rating\" value=\"" + rv + "\" required>" +
+        "<span>" + rv + (rv === 1 ? " star" : " stars") + "</span>" +
+      "</label>";
+  }
+  var notice = opts.notice
+    ? "<p class=\"form-notice form-notice--error\" role=\"alert\">" + esc(String(opts.notice)) + "</p>"
+    : "";
+  var body = _render(REVIEW_FORM_PAGE, {
+    title: opts.product.title,
+    slug:  slug,
+  })
+    .replace("RAW_NOTICE_PLACEHOLDER", notice)
+    .replace("RAW_STARS_PLACEHOLDER", stars);
+  return _wrap({
+    title:      "Review " + opts.product.title,
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// Generic single-message page for the review flow (purchase-gate
+// refusal, submission thank-you). `cta` is an optional { href, label }.
+function _reviewMessagePage(opts, heading, message, cta) {
+  var esc = _b().template.escapeHtml;
+  var ctaHtml = cta
+    ? "<a class=\"btn-primary\" href=\"" + esc(cta.href) + "\">" + esc(cta.label) + "</a>"
+    : "";
+  var body =
+    "<section class=\"review-message\">" +
+      "<h1 class=\"review-message__title\">" + esc(heading) + "</h1>" +
+      "<p class=\"review-message__lede\">" + esc(message) + "</p>" +
+      ctaHtml +
+    "</section>";
+  return _wrap({
+    title:      heading,
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// Remove control for a wishlist entry — a form POST back through the
+// toggle route with `return_to` so the customer lands back on the
+// account page (not the product PDP the default toggle returns to).
+function _wishlistRemoveForm(productId, esc) {
+  return "<form class=\"wishlist-item__remove\" method=\"post\" action=\"/wishlist/toggle\">" +
+           "<input type=\"hidden\" name=\"product_id\" value=\"" + esc(productId) + "\">" +
+           "<input type=\"hidden\" name=\"return_to\" value=\"/account/wishlist\">" +
+           "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Remove</button>" +
+         "</form>";
+}
+
+// Account "Saved items" page. `opts.items` is a resolved list:
+// { product, hero_media } for live products, or { product: null,
+// product_id } for entries whose product was archived/deleted (the
+// wishlist row is orphan-tolerant by design — render "unavailable",
+// never crash the listing).
+function renderWishlist(opts) {
+  var esc = _b().template.escapeHtml;
+  var items = opts.items || [];
+  var prefix = opts.asset_prefix || "/assets/";
+  var rowsHtml = "";
+  for (var i = 0; i < items.length; i += 1) {
+    var it = items[i];
+    if (!it.product) {
+      rowsHtml +=
+        "<li class=\"wishlist-item wishlist-item--gone\">" +
+          "<span class=\"wishlist-item__title\">This item is no longer available.</span>" +
+          _wishlistRemoveForm(it.product_id, esc) +
+        "</li>";
+      continue;
+    }
+    var slug = esc(it.product.slug);
+    var thumb = it.hero_media
+      ? "<img src=\"" + esc(prefix + it.hero_media.r2_key) + "\" alt=\"" + esc(it.hero_media.alt_text || it.product.title) + "\" loading=\"lazy\">"
+      : "<span class=\"wishlist-item__mark\" aria-hidden=\"true\">" + esc((it.product.title || "?").trim().charAt(0).toUpperCase() || "?") + "</span>";
+    rowsHtml +=
+      "<li class=\"wishlist-item\">" +
+        "<a class=\"wishlist-item__media\" href=\"/products/" + slug + "\">" + thumb + "</a>" +
+        "<div class=\"wishlist-item__body\">" +
+          "<a class=\"wishlist-item__title\" href=\"/products/" + slug + "\">" + esc(it.product.title) + "</a>" +
+          "<a class=\"wishlist-item__view card-link\" href=\"/products/" + slug + "\">View product →</a>" +
+        "</div>" +
+        _wishlistRemoveForm(it.product.id, esc) +
+      "</li>";
+  }
+  var inner = rowsHtml
+    ? "<ul class=\"wishlist-list\">" + rowsHtml + "</ul>"
+    : "<p class=\"wishlist-empty\">You haven't saved anything yet. Browse the shop and tap <strong>Save to wishlist</strong> on products you want to keep an eye on.</p>";
+  var body =
+    "<section class=\"account-wishlist\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Saved items</li>" +
+      "</ol></nav>" +
+      "<h1 class=\"account-wishlist__title\">Saved items</h1>" +
+      inner +
+    "</section>";
+  return _wrap({
+    title:      "Saved items",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// Product-level "Save to wishlist" control + social-proof count.
+// Byte-compatible with the edge renderer (`worker/render/product.js`)
+// so both paths emit identical markup. Action-only label — the toggle
+// route resolves add/remove server-side against the sealed session.
+function _buildWishlist(productId, count) {
+  var esc = _b().template.escapeHtml;
+  var n = Number(count) || 0;
+  var countHtml = n > 0
+    ? "<span class=\"wishlist__count\">" + n + (n === 1 ? " shopper saved this" : " shoppers saved this") + "</span>"
+    : "";
+  return "<div class=\"wishlist\">" +
+           "<form class=\"wishlist__form\" method=\"post\" action=\"/wishlist/toggle\">" +
+             "<input type=\"hidden\" name=\"product_id\" value=\"" + esc(productId) + "\">" +
+             "<button type=\"submit\" class=\"btn-secondary wishlist__btn\">" +
+               "<span class=\"wishlist__heart\" aria-hidden=\"true\">♡</span> Save to wishlist" +
+             "</button>" +
+           "</form>" +
+           countHtml +
+         "</div>";
+}
+
+// Schema.org JSON-LD block. JSON.stringify covers the standard escapes;
+// the `</` → `<\/` rewrite neutralises any literal `</script>` in a
+// value. Mirrors the edge renderer's `jsonLdScript`.
+function _jsonLdScript(data) {
+  var serialised = JSON.stringify(data).replace(/<\/(?=script>)/gi, "<\\/");
+  return "<script type=\"application/ld+json\">" + serialised + "</script>";
+}
+
 function renderProduct(opts) {
   if (!opts || !opts.product) throw new TypeError("storefront.renderProduct: opts.product required");
   var variants = opts.variants || [];
@@ -741,6 +1017,11 @@ function renderProduct(opts) {
       product:        { title: opts.product.title, description: description },
       variants:       rendered,
       has_variants:   rendered.length > 0,
+      // Pre-rendered reviews block (internally HTML-escaped) for the
+      // theme's `{{{ reviews_html }}}` raw slot. The bundled themes
+      // include the slot; a custom theme opts in by adding it.
+      reviews_html:   _buildReviews(opts.review_summary, opts.reviews, opts.review_cta),
+      wishlist_html:  _buildWishlist(opts.product.id, opts.wishlist_count),
       asset_css_main: opts.theme.assetUrl("css/main.css"),
     });
   }
@@ -749,18 +1030,75 @@ function renderProduct(opts) {
   }).join("");
   if (!rows) rows = "<tr><td colspan=\"4\" class=\"empty\">No variants available.</td></tr>";
   var galleryHtml = _buildPdpGallery(opts.product, opts.media || [], opts.asset_prefix || "/assets/");
+  var reviewsHtml = _buildReviews(opts.review_summary, opts.reviews, opts.review_cta);
+  var wishlistHtml = _buildWishlist(opts.product.id, opts.wishlist_count);
   var body = _render(PRODUCT_PAGE, {
     title:        opts.product.title,
     description:  description,
     variant_rows: "RAW_ROWS_PLACEHOLDER",
   })
     .replace("RAW_GALLERY_PLACEHOLDER", galleryHtml)
-    .replace("RAW_ROWS_PLACEHOLDER", rows);
+    .replace("RAW_ROWS_PLACEHOLDER", rows)
+    .replace("RAW_WISHLIST_PLACEHOLDER", wishlistHtml)
+    .replace("RAW_REVIEWS_PLACEHOLDER", reviewsHtml);
   // Product-specific OpenGraph + Twitter Card values so shares
   // unfurl as "Operator Tee — blamejs.shop" with the SVG hero, not
   // the default shop-level description + brand logo.
   var heroMedia = (opts.media && opts.media[0]) || null;
   var ogImage   = heroMedia ? ((opts.asset_prefix || "/assets/") + heroMedia.r2_key) : "/assets/brand/logo.png";
+
+  // Product + AggregateOffer JSON-LD, with AggregateRating folded in
+  // when published reviews exist. Kept byte-compatible with the edge
+  // renderer so the structured data is identical whichever substrate
+  // serves the PDP. AggregateRating is omitted (not null) at zero
+  // reviews — Google rejects `reviewCount: 0`.
+  var priceList = variants
+    .map(function (v) { return prices[v.id] ? prices[v.id].amount_minor : null; })
+    .filter(function (n) { return Number.isInteger(n); });
+  var jsonLd = null;
+  if (priceList.length > 0) {
+    var lowMinor = Math.min.apply(null, priceList);
+    var hiMinor  = Math.max.apply(null, priceList);
+    var currency = (prices[variants[0].id] && prices[variants[0].id].currency) || "USD";
+    var divisor  = currency === "JPY" || currency === "KRW" ? 1 : 100;
+    var aggregateRating;
+    if (opts.review_summary && Number(opts.review_summary.count) > 0) {
+      aggregateRating = {
+        "@type":       "AggregateRating",
+        "ratingValue": (Number(opts.review_summary.avg_rating) || 0).toFixed(1),
+        "reviewCount": Number(opts.review_summary.count),
+        "bestRating":  5,
+        "worstRating": 1,
+      };
+    }
+    jsonLd = _jsonLdScript({
+      "@context":        "https://schema.org",
+      "@type":           "Product",
+      "name":            opts.product.title,
+      "description":     description || ("Browse " + opts.product.title + " on " + shopName + "."),
+      "image":           heroMedia ? [ogImage] : undefined,
+      "sku":             variants[0] && variants[0].sku,
+      "aggregateRating": aggregateRating,
+      "offers":          {
+        "@type":         "AggregateOffer",
+        "priceCurrency": currency,
+        "lowPrice":      (lowMinor / divisor).toFixed(divisor === 1 ? 0 : 2),
+        "highPrice":     (hiMinor  / divisor).toFixed(divisor === 1 ? 0 : 2),
+        "offerCount":    variants.length,
+        "availability":  "https://schema.org/InStock",
+      },
+    });
+  }
+  var breadcrumbJsonLd = _jsonLdScript({
+    "@context":        "https://schema.org",
+    "@type":           "BreadcrumbList",
+    "itemListElement": [
+      { "@type": "ListItem", "position": 1, "name": "Shop", "item": "/" },
+      { "@type": "ListItem", "position": 2, "name": opts.product.title, "item": "/products/" + opts.product.slug },
+    ],
+  });
+  jsonLd = (jsonLd || "") + breadcrumbJsonLd;
+
   return _wrap({
     title:          opts.product.title,
     shop_name:      shopName,
@@ -770,7 +1108,7 @@ function renderProduct(opts) {
     og_title:       opts.product.title + " — " + shopName,
     og_description: description || ("Browse " + opts.product.title + " on " + shopName + "."),
     og_image:       ogImage,
-    body:           body,
+    body:           body + jsonLd,
   });
 }
 
@@ -1548,7 +1886,10 @@ var ACCOUNT_DASH_PAGE =
   "      <h1 class=\"section-head__title\">Hi, {{display_name}}</h1>\n" +
   "      <p class=\"section-head__lede\">Your orders + account controls. Every order ships from origin with a Stripe-secured receipt.</p>\n" +
   "    </div>\n" +
-  "    <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
+  "    <div class=\"account-dash__actions\">\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Saved items</a>\n" +
+  "      <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
+  "    </div>\n" +
   "  </header>\n" +
   "  <dl class=\"account-dash__stats\">\n" +
   "    <div><dt>Orders</dt><dd>{{order_count}}</dd></div>\n" +
@@ -1797,14 +2138,42 @@ function mount(router, deps) {
         cartCount = lines.length;
       }
     }
+    // Published reviews aggregate + list. A failed read (e.g. the
+    // reviews table not yet migrated) degrades to the empty state
+    // rather than 500-ing the whole PDP — reviews are supplementary
+    // to the buy path. Mirrors the edge renderer's missing-table
+    // resilience.
+    var reviewSummary, reviewRows, reviewCta;
+    if (deps.reviews) {
+      try {
+        reviewSummary = await deps.reviews.summaryForProduct(product.id);
+        reviewRows    = (await deps.reviews.listForProduct(product.id, { limit: 10 })).rows;
+      } catch (_e) { reviewSummary = undefined; reviewRows = []; }
+      // The form route enforces auth + the verified-purchase gate, so
+      // the CTA links there unconditionally; logged-out shoppers get
+      // redirected to login, non-purchasers get a clear "not eligible".
+      reviewCta = "<a class=\"btn-secondary reviews__cta\" href=\"/products/" +
+        _b().template.escapeHtml(product.slug) + "/review\">Write a review</a>";
+    }
+    // Wishlist social-proof count — degrades to 0 on a read failure
+    // (e.g. table not yet migrated) rather than 500-ing the PDP.
+    var wishlistCount = 0;
+    if (deps.wishlist) {
+      try { wishlistCount = await deps.wishlist.countForProduct(product.id); }
+      catch (_e) { wishlistCount = 0; }
+    }
     var html = renderProduct({
-      product:    product,
-      variants:   variants,
-      prices:     prices,
-      media:      media,
-      shop_name:  shopName,
-      cart_count: cartCount,
-      theme:      theme,
+      product:        product,
+      variants:       variants,
+      prices:         prices,
+      media:          media,
+      review_summary: reviewSummary,
+      reviews:        reviewRows,
+      review_cta:     reviewCta,
+      wishlist_count: wishlistCount,
+      shop_name:      shopName,
+      cart_count:     cartCount,
+      theme:          theme,
     });
     _send(res, 200, html);
   });
@@ -2339,6 +2708,165 @@ function mount(router, deps) {
       res.status(303); res.setHeader && res.setHeader("location", "/");
       return res.end ? res.end() : res.send("");
     });
+
+    // Wishlist — saved products scoped to the logged-in customer.
+    // Mounts when the wishlist primitive is wired.
+    if (deps.wishlist) {
+      // POST /wishlist/toggle — add the product if not saved, remove it
+      // if already saved. Login required (the wishlist is per-customer).
+      // Redirects to `return_to` when it's a safe same-origin path
+      // (the account page's Remove uses it), otherwise back to the
+      // product PDP (the canonical slug is resolved from product_id, so
+      // a forged slug can't drive an open redirect).
+      router.post("/wishlist/toggle", async function (req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          return res.end ? res.end() : res.send("");
+        }
+        var productId = (req.body || {}).product_id;
+        try {
+          var already = await deps.wishlist.isWishlisted({ customer_id: auth.customer_id, product_id: productId });
+          if (already) await deps.wishlist.remove({ customer_id: auth.customer_id, product_id: productId });
+          else         await deps.wishlist.add({ customer_id: auth.customer_id, product_id: productId });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        var rt = (req.body || {}).return_to;
+        var dest;
+        if (typeof rt === "string" && /^\/[^/]/.test(rt)) {
+          dest = rt;
+        } else {
+          var product = null;
+          try { product = await deps.catalog.products.get(productId); } catch (_e) { product = null; }
+          dest = product ? ("/products/" + encodeURIComponent(product.slug)) : "/account/wishlist";
+        }
+        res.status(303); res.setHeader && res.setHeader("location", dest);
+        return res.end ? res.end() : res.send("");
+      });
+
+      // GET /account/wishlist — the customer's saved items. Each entry
+      // resolves its product + hero image; an entry whose product was
+      // archived renders as "unavailable" (the row is orphan-tolerant).
+      router.get("/account/wishlist", async function (req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          return res.end ? res.end() : res.send("");
+        }
+        var page = await deps.wishlist.listForCustomer(auth.customer_id, { limit: 50 });
+        var items = [];
+        for (var i = 0; i < page.rows.length; i += 1) {
+          var entry = page.rows[i];
+          var product = null;
+          try { product = await deps.catalog.products.get(entry.product_id); } catch (_e) { product = null; }
+          if (!product) { items.push({ product: null, product_id: entry.product_id }); continue; }
+          var media = await deps.catalog.media.listForProduct(product.id);
+          items.push({ product: product, hero_media: media.length ? media[0] : null });
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderWishlist({
+          items:        items,
+          shop_name:    shopName,
+          cart_count:   cartCount,
+          asset_prefix: deps.asset_prefix || "/assets/",
+        }));
+      });
+    }
+
+    // Product reviews — submission requires a logged-in customer AND a
+    // verified purchase of the product (the gate, not just a badge).
+    // Only mounts when both the reviews primitive and an order handle
+    // (for the purchase check) are wired.
+    if (deps.reviews && deps.order) {
+      async function _reviewGateContext(req, res) {
+        var slug = req.params && req.params.slug;
+        var product = slug ? await deps.catalog.products.bySlug(slug) : null;
+        if (!product) { _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme })); return null; }
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        var cartCount = await _cartCountForReq(req);
+        var purchased = await deps.order.hasPurchasedProduct(auth.customer_id, product.id);
+        return { product: product, auth: auth, cartCount: cartCount, purchased: purchased };
+      }
+
+      function _reviewIneligible(res, ctx, code) {
+        return _send(res, code, _reviewMessagePage(
+          { shop_name: shopName, cart_count: ctx.cartCount },
+          "Only verified buyers can review",
+          "We can only accept a review for a product you've purchased. Make sure you're signed in with the account you ordered with.",
+          { href: "/products/" + ctx.product.slug, label: "Back to product" },
+        ));
+      }
+
+      router.get("/products/:slug/review", async function (req, res) {
+        var ctx = await _reviewGateContext(req, res);
+        if (!ctx) return;
+        if (!ctx.purchased) return _reviewIneligible(res, ctx, 200);
+        _send(res, 200, renderReviewForm({
+          product:    { title: ctx.product.title, slug: ctx.product.slug },
+          shop_name:  shopName,
+          cart_count: ctx.cartCount,
+        }));
+      });
+
+      router.post("/products/:slug/review", async function (req, res) {
+        var ctx = await _reviewGateContext(req, res);
+        if (!ctx) return;
+        // Re-check the gate on write — a client can POST directly
+        // without ever fetching the form.
+        if (!ctx.purchased) return _reviewIneligible(res, ctx, 403);
+        var body = req.body || {};
+        try {
+          await deps.reviews.submit({
+            product_id:        ctx.product.id,
+            customer_id:       ctx.auth.customer_id,
+            rating:            parseInt(body.rating, 10),
+            title:             body.title,
+            body:              body.body,
+            verified_purchase: 1,
+          });
+        } catch (e) {
+          // Shape rejections bounce back to the form with the reason;
+          // anything else is a real 500.
+          if (e instanceof TypeError) {
+            return _send(res, 400, renderReviewForm({
+              product:    { title: ctx.product.title, slug: ctx.product.slug },
+              notice:     (e && e.message) || "Please check your review and try again.",
+              shop_name:  shopName,
+              cart_count: ctx.cartCount,
+            }));
+          }
+          throw e;
+        }
+        _send(res, 200, _reviewMessagePage(
+          { shop_name: shopName, cart_count: ctx.cartCount },
+          "Thanks for your review",
+          "Your review has been submitted and is pending moderation. It will appear on the product page once an operator approves it.",
+          { href: "/products/" + ctx.product.slug, label: "Back to product" },
+        ));
+      });
+    }
   }
 
   // POST /cart/lines — add a line. Reads variant_id + qty from the

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.21",
-      "tag": "v0.12.21",
+      "version": "0.12.29",
+      "tag": "v0.12.29",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",