npm - @blamejs/blamejs-shop - Versions diffs - 0.0.123 → 0.0.124 - Mend

@blamejs/blamejs-shop 0.0.123 → 0.0.124

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.0.x
+- v0.0.124 (2026-05-24) — **Save for later — move cart items into a holding list and back.** Each cart line now has a "Save for later" control that moves the item out of the cart into a per-customer holding list without losing it. Saved items live on a new account page where they can be moved back to the cart or removed. Moving an item back reprices it to the current catalog price and checks stock first, so a saved item that sold out (and isn't backorderable) can't silently re-enter the cart. Login-required, since the list is scoped to one customer. **Added:** *Save-for-later control on cart lines* — Each editable cart line gets a Save-for-later control. `POST /cart/lines/:line_id/save` moves the line out of the cart into the customer's saved list (`moveFromCart`). Login-gated — a signed-out shopper is redirected to sign in. · *`/account/saved` — the holding list* — A new account page lists saved items with a thumbnail, the saved price for reference, and Move-to-cart / Remove controls. Items whose product was archived render as "no longer available" rather than breaking the list. The account dashboard links to it (alongside Wishlist). · *Move back to cart, repriced + stock-checked* — `POST /saved/:save_id/move-to-cart` returns the item to the session cart at the current catalog price (not the stale snapshot) and refuses if the SKU is out of stock and not backorderable. `POST /saved/:save_id/remove` drops a saved row.
 - v0.0.123 (2026-05-24) — **Wishlist — save products to your account, with social-proof counts on the product page.** Signed-in customers can now save products to a wishlist from the product page. A "N shoppers saved this" count surfaces social proof, and saved items live on a new account page where they can be removed or reopened. The save control and count render identically on the edge and container paths; the toggle is idempotent (saving twice is a no-op, toggling again removes) and login-gated, since a wishlist is scoped to one customer. **Added:** *Save to wishlist on the product page* — The PDP renders a "Save to wishlist" control and, once any customer has saved it, a "N shoppers saved this" social-proof count. Both render server-side on the edge and container paths. The count is public; the save action requires sign-in. · *`/account/wishlist` — saved items* — A new account page lists the customer's saved products with a thumbnail, a link back to the product, and a Remove control. Entries whose product was archived render as "no longer available" rather than breaking the list (wishlist rows are orphan-tolerant by design). The account dashboard links to it. · *`POST /wishlist/toggle`* — Login-required endpoint that saves the product if it isn't saved and removes it if it is. Idempotent (`INSERT OR IGNORE`). Redirects back to the product by resolving its canonical slug from the product id, or to a safe same-origin `return_to` (the account page's Remove uses it) — a forged or off-site redirect target is rejected.
 - v0.0.122 (2026-05-24) — **Product reviews on the storefront — verified-buyer submission, operator moderation, and rich-snippet ratings.** The product page now shows customer reviews: an average rating, a per-star distribution, and the published review list, with `AggregateRating` structured data so star ratings can surface in search results. Submission is gated to signed-in customers who have actually purchased the product — the route confirms a completed order for that product before accepting a review, and re-checks on submit. Reviews land in a pending state; operators publish or reject them through new bearer-token admin endpoints. Display and structured data are identical whether the page is served at the edge or from the container. **Added:** *Reviews on the product page* — The PDP renders an average rating, a per-star distribution bar chart, and the published reviews (newest first, verified-buyer badge, date). Products with no reviews show an invite to be the first. Rendered server-side on both the edge and container paths. · *Verified-buyer review submission* — `GET /products/:slug/review` shows the review form to a signed-in customer who has purchased the product; everyone else is redirected to sign in or told only verified buyers can review. `POST /products/:slug/review` re-checks the purchase before accepting the review, so a direct POST can't bypass the gate. Submitted reviews start pending. · *Operator review moderation* — `GET /admin/reviews?status=pending` lists the moderation queue across all products; `GET /admin/reviews/:id` reads one; `POST /admin/reviews/:id/publish` and `POST /admin/reviews/:id/reject` move it. Bearer-token-gated like the rest of the admin API. Pending and rejected reviews never appear on the storefront. · *`AggregateRating` structured data* — The product page emits Schema.org `AggregateRating` (rating value + review count) nested in the existing `Product` JSON-LD when published reviews exist, so eligible products can show star ratings in search results. Omitted entirely at zero reviews to stay valid. The container render path now emits the full `Product` + `AggregateOffer` + `BreadcrumbList` JSON-LD that the edge already did. · *`order.hasPurchasedProduct(customerId, productId)`* — Existence check — true when the customer has an order line for any variant of the product in an order that reached `paid` or later (excludes `pending` and `cancelled`). Backs the review purchase gate. · *`reviews.listByStatus(status, opts)`* — Lists reviews across all products by status, newest first, with the same opaque tuple cursor as `listForProduct`. Backs the admin moderation queue.

package/README.md CHANGED Viewed

@@ -65,6 +65,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/customers.js`** | Customer accounts — passkey-only (WebAuthn). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. Account routes (`/account/login`, `/account/register`, `/account`) ship as designed cards on the storefront. |
 | **`lib/reviews.js`** | Operator-moderated product ratings. Submission requires a signed-in customer **and** a verified purchase — `/products/:slug/review` confirms a completed order for the product (via `order.hasPurchasedProduct`) before accepting, re-checked on POST; reviews land `pending`. Author identity is hash-only (`b.crypto.namespaceHash`); the raw email is never stored. The PDP renders the average, per-star distribution, and published reviews with `AggregateRating` JSON-LD. `/admin/reviews` is the moderation queue (`listByStatus` → publish / reject). |
 | **`lib/wishlist.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. UUID-shape-validated ids, `b.pagination` HMAC cursors. |
+| **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
 | **`lib/subscriptions.js`** | Stripe-backed recurring billing — `subscription_plans` (interval / amount / trial) + `subscriptions` (mirrors Stripe's object byte-for-byte). `subscriptions.create` POSTs to Stripe via the payment dep, then persists the returned object locally. `handleStripeEvent` replays `customer.subscription.*` events into the local row so the shop has an authoritative view without round-tripping. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
 | **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. |
@@ -84,6 +85,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0010_newsletter_signups.sql` — email signups with hash-based dedup
 - `migrations-d1/0011_reviews.sql` — operator-moderated product reviews (hash-only author identity)
 - `migrations-d1/0012_wishlist.sql` — per-customer saved products (unique customer + product + variant)
+- `migrations-d1/0041_save_for_later.sql` — per-customer cart holding list (price snapshot + source line)
 ### Demo seed

package/lib/storefront.js CHANGED Viewed

@@ -967,6 +967,71 @@ function renderWishlist(opts) {
   });
 }
+// Account "Saved for later" page. `opts.items` is a resolved list:
+// { save, product, hero_media } for live products, or { save,
+// product: null } when the variant/product behind a saved row was
+// archived (orphan-tolerant — render "no longer available").
+function renderSaved(opts) {
+  var esc = _b().template.escapeHtml;
+  var items = opts.items || [];
+  var prefix = opts.asset_prefix || "/assets/";
+  var rowsHtml = "";
+  for (var i = 0; i < items.length; i += 1) {
+    var it = items[i];
+    var save = it.save;
+    var moveForm =
+      "<form method=\"post\" action=\"/saved/" + esc(save.id) + "/move-to-cart\">" +
+        "<button type=\"submit\" class=\"btn-secondary btn-secondary--sm\">Move to cart</button></form>";
+    var removeForm =
+      "<form method=\"post\" action=\"/saved/" + esc(save.id) + "/remove\">" +
+        "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Remove</button></form>";
+    if (!it.product) {
+      // Archived/unavailable product — only Remove. Move-to-cart can't
+      // succeed (no current price / stock), so don't offer it.
+      rowsHtml +=
+        "<li class=\"saved-item saved-item--gone\">" +
+          "<span class=\"saved-item__title\">" + esc(save.sku) + " — no longer available</span>" +
+          "<div class=\"saved-item__actions\">" + removeForm + "</div>" +
+        "</li>";
+      continue;
+    }
+    var actions = "<div class=\"saved-item__actions\">" + moveForm + removeForm + "</div>";
+    var slug = esc(it.product.slug);
+    var thumb = it.hero_media
+      ? "<img src=\"" + esc(prefix + it.hero_media.r2_key) + "\" alt=\"" + esc(it.hero_media.alt_text || it.product.title) + "\" loading=\"lazy\">"
+      : "<span class=\"saved-item__mark\" aria-hidden=\"true\">" + esc((it.product.title || "?").trim().charAt(0).toUpperCase() || "?") + "</span>";
+    var priceStr = pricing.format(Number(save.snapshot_price_minor) || 0, "USD");
+    rowsHtml +=
+      "<li class=\"saved-item\">" +
+        "<a class=\"saved-item__media\" href=\"/products/" + slug + "\">" + thumb + "</a>" +
+        "<div class=\"saved-item__body\">" +
+          "<a class=\"saved-item__title\" href=\"/products/" + slug + "\">" + esc(it.product.title) + "</a>" +
+          "<span class=\"saved-item__meta\">Qty " + (Number(save.quantity) || 1) + " &middot; " + esc(priceStr) + " <span class=\"saved-item__snapshot\">(saved price)</span></span>" +
+        "</div>" +
+        actions +
+      "</li>";
+  }
+  var inner = rowsHtml
+    ? "<ul class=\"saved-list\">" + rowsHtml + "</ul>"
+    : "<p class=\"saved-empty\">Nothing saved for later. Use <strong>Save for later</strong> on a cart item to move it here without losing it.</p>";
+  var body =
+    "<section class=\"account-saved\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Saved for later</li>" +
+      "</ol></nav>" +
+      "<h1 class=\"account-saved__title\">Saved for later</h1>" +
+      inner +
+    "</section>";
+  return _wrap({
+    title:      "Saved for later",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
 // Product-level "Save to wishlist" control + social-proof count.
 // Byte-compatible with the edge renderer (`worker/render/product.js`)
 // so both paths emit identical markup. Action-only label — the toggle
@@ -1165,6 +1230,7 @@ var CART_LINE_EDITABLE =
   "  <td class=\"price\">{{unit}}</td>\n" +
   "  <td class=\"price\">{{total}}</td>\n" +
   "  <td class=\"cart-line__remove-cell\">\n" +
+  "    RAW_CART_LINE_SAVE" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/remove\">\n" +
   "      <button type=\"submit\" class=\"cart-line__btn cart-line__btn--remove\" aria-label=\"Remove line\">Remove</button>\n" +
   "    </form>\n" +
@@ -1511,10 +1577,18 @@ function renderCart(opts) {
   if (rendered.length === 0) {
     body = CART_EMPTY_PAGE;
   } else {
+    var canSave = !!opts.can_save;
     var rows = rendered.map(function (l) {
       var thumb = l.image_url
         ? "<span class=\"cart-line__thumb\"><img src=\"" + _escAttr(l.image_url) + "\" alt=\"" + _escAttr(l.image_alt) + "\" loading=\"lazy\"></span>"
         : "<span class=\"cart-line__thumb cart-line__thumb--empty\" aria-hidden=\"true\"></span>";
+      // "Save for later" moves the line into the customer's saved list.
+      // Rendered only when the feature is wired (and account auth is
+      // present); the route itself enforces login, redirecting a guest
+      // to sign in.
+      var saveBtn = canSave
+        ? "<form method=\"post\" action=\"/cart/lines/" + _escAttr(l.id) + "/save\"><button type=\"submit\" class=\"cart-line__btn cart-line__btn--save\">Save for later</button></form>"
+        : "";
       return _render(CART_LINE_EDITABLE, {
         sku:            l.sku,
         qty:            l.qty,
@@ -1523,7 +1597,7 @@ function renderCart(opts) {
         line_id:        l.id,
         product_title:  l.product_title,
         product_url:    l.product_url,
-      }).replace("RAW_CART_LINE_THUMB", thumb);
+      }).replace("RAW_CART_LINE_THUMB", thumb).replace("RAW_CART_LINE_SAVE", saveBtn);
     }).join("");
     body = _render(CART_PAGE, {
       line_rows: "RAW_LINES",
@@ -1887,7 +1961,8 @@ var ACCOUNT_DASH_PAGE =
   "      <p class=\"section-head__lede\">Your orders + account controls. Every order ships from origin with a Stripe-secured receipt.</p>\n" +
   "    </div>\n" +
   "    <div class=\"account-dash__actions\">\n" +
-  "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Saved items</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Wishlist</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/saved\">Saved for later</a>\n" +
   "      <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
   "    </div>\n" +
   "  </header>\n" +
@@ -2216,6 +2291,7 @@ function mount(router, deps) {
       lines:           lines,
       totals:          totals,
       product_lookup:  productLookup,
+      can_save:        !!(deps.saveForLater && deps.customers),
       shop_name:       shopName,
       theme:           theme,
     }));
@@ -2785,6 +2861,133 @@ function mount(router, deps) {
       });
     }
+    // Save for later — move a cart line into a per-customer holding
+    // list and back. Login required (the list is per-customer).
+    if (deps.saveForLater) {
+      function _savedAuth(req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        return auth;
+      }
+      // POST /cart/lines/:line_id/save — move the line out of the cart
+      // into the customer's saved list. Redirects back to /cart.
+      router.post("/cart/lines/:line_id/save", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var sid = _readSidCookie(req);
+        var cart = sid ? await deps.cart.bySession(sid) : null;
+        if (!cart) {
+          res.status(303); res.setHeader && res.setHeader("location", "/cart");
+          return res.end ? res.end() : res.send("");
+        }
+        try {
+          await deps.saveForLater.moveFromCart({
+            customer_id: auth.customer_id,
+            cart_id:     cart.id,
+            line_id:     req.params && req.params.line_id,
+          });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/cart");
+        return res.end ? res.end() : res.send("");
+      });
+      // GET /account/saved — the customer's saved-for-later list.
+      router.get("/account/saved", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var page = await deps.saveForLater.listForCustomer({ customer_id: auth.customer_id, limit: 50 });
+        var items = [];
+        for (var i = 0; i < page.rows.length; i += 1) {
+          var row = page.rows[i];
+          var product = null;
+          if (row.variant_id) {
+            try {
+              var v = await deps.catalog.variants.get(row.variant_id);
+              if (v) product = await deps.catalog.products.get(v.product_id);
+            } catch (_e) { product = null; }
+          }
+          if (!product) { items.push({ save: row, product: null }); continue; }
+          var media = await deps.catalog.media.listForProduct(product.id);
+          items.push({ save: row, product: product, hero_media: media.length ? media[0] : null });
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderSaved({
+          items:        items,
+          shop_name:    shopName,
+          cart_count:   cartCount,
+          asset_prefix: deps.asset_prefix || "/assets/",
+        }));
+      });
+      // POST /saved/:save_id/move-to-cart — move a saved row back into
+      // the session cart (created if absent). Redirects to /cart.
+      router.post("/saved/:save_id/move-to-cart", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var resolved = await _getOrCreateCart(req, res, "USD");
+        try {
+          await deps.saveForLater.moveToCart({
+            customer_id: auth.customer_id,
+            save_id:     req.params && req.params.save_id,
+            cart_id:     resolved.cart.id,
+            // Reprice to the live catalog price so the cart never carries
+            // a stale snapshot; the saved page shows the snapshot for
+            // reference only.
+            use_price:   "current",
+          });
+        } catch (e) {
+          if (e instanceof TypeError) {
+            res.status(400);
+            return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+          }
+          // The cart enforces one line per (cart_id, variant_id). If the
+          // shopper re-added this variant before moving the saved copy,
+          // moveToCart's INSERT collides — but the end state they want
+          // (variant in the cart) already holds. Drop the saved row and
+          // treat it as success instead of surfacing a 500. The lib
+          // leaves the save row intact on collision, so removing it here
+          // is what completes the "move".
+          if (/unique|constraint/i.test((e && e.message) || "")) {
+            try {
+              await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
+            } catch (_e) { /* drop-silent — the move is already effectively done */ }
+            res.status(303); res.setHeader && res.setHeader("location", "/cart");
+            return res.end ? res.end() : res.send("");
+          }
+          throw e;
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/cart");
+        return res.end ? res.end() : res.send("");
+      });
+      // POST /saved/:save_id/remove — drop a saved row.
+      router.post("/saved/:save_id/remove", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        try {
+          await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/saved");
+        return res.end ? res.end() : res.send("");
+      });
+    }
     // Product reviews — submission requires a logged-in customer AND a
     // verified purchase of the product (the gate, not just a badge).
     // Only mounts when both the reviews primitive and an order handle

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.123",
+  "version": "0.0.124",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {