@blamejs/blamejs-shop 0.1.4 → 0.1.6

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.1.x
 
+- v0.1.6 (2026-05-25) — **Claim past guest orders when a shopper signs in.** A shopper who checked out as a guest and later signs in with a provider-verified email now finds those past orders attached to their account. Checkout records a hash of the buyer's email on the order; on Google sign-in, orders placed under that same email — and not yet owned by anyone — are claimed into the account. Linking happens only on an email the identity provider verified, never on an unverified one, so it can't be used to steal another shopper's order history. **Added:** *Guest-order reconciliation on sign-in* — Orders now carry a `customer_email_hash` (migration 0206), written at checkout from the buyer's email with the same key the customers table uses. On a verified Google sign-in, `order.linkGuestOrdersByEmailHash` claims every ownerless order under that email into the account — so prior guest purchases appear in /account and satisfy customer-scoped checks (e.g. verified-buyer reviews). Only ownerless orders are touched (an order already attached to a customer is never reassigned), and only a provider-verified email triggers a link.
+
+- v0.1.5 (2026-05-25) — **Tell operators how to turn each integration on.** Every third-party integration (Stripe card checkout, Apple/Google Pay, Sign in with Google) is off by default and only activates when you supply its credentials. This release documents exactly what to set for each — in the README, in a new .env.example, and in the admin console itself. A signed-in operator opens /admin/integrations to see, at a glance, which integrations are live and the precise environment variables (or one-time action) needed to enable the rest. Nothing is enabled without your keys. **Added:** *Admin integrations status page* — `/admin/integrations` lists each integration with a live Enabled / Not configured status and the exact variables or action to turn it on — Stripe keys, the payment-method-domain registration for wallets, the Google OAuth client + redirect URI. Read-only; secrets are never rendered. Linked from the admin landing. · *Operator setup docs* — A README "Optional integrations" section and a top-level `.env.example` enumerate every environment variable, what capability it unlocks, and the external setup (e.g. the Google OAuth redirect URI, the Stripe webhook path). Both note that Apple sign-in + PayPal are planned and that Shop Pay / "Sign in with Shop" isn't available to a self-hosted store.
+
 - v0.1.4 (2026-05-25) — **Sign in with Google.** Customers can sign in with Google alongside passkeys. The account login page gains a Continue with Google button; the OIDC authorization-code flow (PKCE, state, nonce, ID-token verification) runs through the framework's OAuth adapter, and the verified identity becomes a shop session. Accounts are keyed on the provider's stable subject, and an existing account is only ever linked on an email the provider has verified — an unverified email that collides with an existing account is refused rather than linked. A cart built before signing in is adopted into the account, so checkout attaches the order to the customer. **Added:** *Google sign-in* — Mounts `/account/login/google` + `/account/auth/google/callback` when the operator sets `GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`, and `SHOP_ORIGIN`. The in-flight state (CSRF state + nonce + PKCE verifier) rides a sealed, /account-scoped, SameSite=Lax cookie; the callback verifies the state before exchanging the code. A forged or stale callback is dropped to the login page. On success the guest session cart is adopted into the account (`cart.setCustomer`), matching the passkey path. · *Federated identity model + safe account linking* — `customers.signInWithOIDC` resolves a verified sign-in to a customer: an existing `(provider, subject)` link, else — only on a provider-verified email — an existing account with that email, else a new account. It never links to an existing account on an unverified email (account-takeover defense). New `customer_oauth_identities` table (migration 0205) + `customers.byOAuthIdentity`.
 
 - v0.1.2 (2026-05-25) — **Apple Pay and Google Pay express checkout.** The pay page now offers one-tap wallet checkout. Stripe's Express Checkout Element renders Apple Pay and Google Pay buttons above the card form on eligible devices, confirming the same PaymentIntent as the card path — so the webhook and order flow are unchanged. To turn the wallets on, the operator registers the shop's web domain with Stripe once via the admin API; Stripe performs Apple merchant validation and hosts the domain-association file, so no Apple Developer account is needed. **Added:** *Wallet buttons on the pay page* — The Stripe Express Checkout Element mounts above the card form and auto-renders Apple Pay / Google Pay (and Link) when the device and the shop's registered domain make them available. It stays hidden until Stripe reports an available wallet, and confirms the existing per-order PaymentIntent — the payment-completion path (webhook → order FSM) is identical to the card flow. · *Payment-method domain registration* — `POST /admin/payment-method-domains` (with `{ "domain_name": "shop.example.com" }`) registers a domain with Stripe to enable the wallets; `GET /admin/payment-method-domains` lists registered domains and their per-method status. The payment adapter gains `registerPaymentMethodDomain` + `listPaymentMethodDomains`. Apex, www, and each subdomain register separately; a live-mode registration also covers sandbox.

package/README.md

@@ -93,6 +93,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0026_customer_addresses.sql` — per-customer address book (default shipping/billing flags)
 - `migrations-d1/0023_returns.sql` — return authorizations + lines (RMA lifecycle FSM)
 - `migrations-d1/0205_customer_oauth_identities.sql` — federated sign-in identities (provider + subject, verified-email gating)
+- `migrations-d1/0206_orders_email_hash.sql` — queryable buyer-email hash on orders (guest-order reconciliation key)
 - `migrations-d1/0043_collections.sql` — manual + smart product collections (members + rules + sort strategy)
 - `migrations-d1/0050_recently_viewed.sql` — per-customer / per-session product browse history (dedup + per-subject cap)
 
@@ -146,6 +147,32 @@ curl -X POST https://your-shop.example.com/admin/products \
 
 See [`docs/deploy-cloudflare.md`](docs/deploy-cloudflare.md) for the full deploy recipe.
 
+## Optional integrations — what to set to enable each
+
+Every third-party integration is **off by default** and lights up only when you
+supply its credentials. Nothing here phones home or is enabled without your
+keys; the storefront runs fully (browse, cart, accounts) with none of them. Set
+the values as deployment secrets (`wrangler secret put …`) or environment
+variables. A signed-in operator can see the live on/off status of each at
+**`/admin/integrations`**. See [`.env.example`](.env.example) for the full list.
+
+| Integration | What it enables | Set this | Notes |
+|-------------|-----------------|----------|-------|
+| **Admin console** | The bearer-token JSON API + the `/admin` browser console (sign-in, setup wizard, dashboard). | `ADMIN_API_KEY` (≥ 16 chars — use 32 random bytes) | Sign in at `/admin` by pasting the key. Without it the admin surface doesn't mount. |
+| **Card checkout (Stripe)** | Checkout + the Payment Element on the pay page; refunds; subscription billing. | `STRIPE_API_KEY` (`sk_…`), `STRIPE_WEBHOOK_SECRET` (`whsec_…`), `STRIPE_PUBLISHABLE_KEY` (`pk_…`) | Point your Stripe webhook at `/api/webhooks/stripe`. Without these the shop stays browsable but checkout doesn't mount. |
+| **Apple Pay & Google Pay** | One-tap wallet buttons (Express Checkout Element) on the pay page. | Stripe (above) **+** register each web domain: `POST /admin/payment-method-domains {"domain_name":"shop.example.com"}` | Stripe performs Apple merchant validation and hosts the association file — **no Apple Developer account needed**. Apex, `www`, and each subdomain register separately; a live-mode registration also covers sandbox. |
+| **Sign in with Google** | A *Continue with Google* button on `/account/login` (OIDC). | `GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`, `SHOP_ORIGIN` (e.g. `https://shop.example.com`) | Create a Google Cloud **OAuth 2.0 Web** client; add `<SHOP_ORIGIN>/account/auth/google/callback` as an Authorized redirect URI; consent-screen scopes `openid email profile`. The button appears only when all three are set. |
+
+**Planned / not available:**
+
+- **Sign in with Apple** — the flow is wired in the framework, but it needs an
+  Apple Developer Program membership ($99/yr) and an ES256 client-secret minted
+  from your `.p8` key. Config-optional; shipping behind those credentials.
+- **PayPal** — a separate adapter (Orders v2 + its own webhook); planned.
+- **Shop Pay / "Sign in with Shop"** — **not available** to a self-hosted,
+  non-Shopify store: the credentials only issue from a Shopify Admin and payment
+  flows through Shopify Payments. There is no path to enable it here.
+
 ## Vendoring blamejs
 
 `blamejs.shop` vendors blamejs as a shallow git clone of the release tag

package/lib/admin.js

@@ -1037,6 +1037,19 @@ function mount(router, deps) {
     _redirect(res, "/admin");
   });
 
+  // Integrations status — what's live + what to set to enable the rest.
+  // `deps.integrations` is the live on/off map computed at the entry
+  // point from the environment (admin.js never reads process.env).
+  router.get("/admin/integrations", async function (req, res) {
+    if (!_htmlAuthed(req, expectedToken)) {
+      return _sendHtml(res, 200, renderAdminLogin({ shop_name: deps.shop_name }));
+    }
+    _sendHtml(res, 200, renderAdminIntegrations({
+      shop_name: deps.shop_name,
+      status:    deps.integrations || {},
+    }));
+  });
+
   if (config) {
     router.get("/admin/setup", async function (req, res) {
       if (!_htmlAuthed(req, expectedToken)) return _redirect(res, "/admin");
@@ -1365,6 +1378,7 @@ function renderAdminLanding(opts) {
       "<h2>Admin</h2>" +
       "<div class=\"nav-cards\">" +
         "<a class=\"nav-card\" href=\"/admin/setup\"><h3>Setup wizard</h3><p>Shop identity, currency, and contact details.</p></a>" +
+        "<a class=\"nav-card\" href=\"/admin/integrations\"><h3>Integrations</h3><p>Payments, wallets, and sign-in — what's live and what to set.</p></a>" +
         "<a class=\"nav-card\" href=\"/admin/dashboard\"><h3>Dashboard</h3><p>Sales, revenue, and recent orders at a glance.</p></a>" +
       "</div>" +
       "<div class=\"actions-row\"><form method=\"post\" action=\"/admin/logout\"><button type=\"submit\" class=\"btn btn--ghost\">Sign out</button></form></div>" +
@@ -1401,11 +1415,64 @@ function renderAdminSetup(opts) {
   return _renderAdminShell(opts.shop_name, "Setup", body);
 }
 
+// Each integration is off until the operator supplies its credentials.
+// `opts.status` carries the live booleans (computed at the entry point
+// from the environment); this page shows what's on and exactly what to
+// set to turn the rest on. Read-only — secrets are never rendered.
+var INTEGRATIONS_CATALOG = [
+  { key: "stripe",           name: "Card checkout (Stripe)",  enables: "Checkout, the Payment Element, refunds, and subscription billing.",
+    set: "STRIPE_API_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PUBLISHABLE_KEY (point the Stripe webhook at /api/webhooks/stripe)." },
+  { key: "express_checkout", name: "Apple Pay & Google Pay",  enables: "One-tap wallet buttons on the pay page.",
+    set: "Configure Stripe (above), then register each domain: POST /admin/payment-method-domains {\"domain_name\":\"shop.example.com\"}. No Apple Developer account needed." },
+  { key: "google_signin",    name: "Sign in with Google",     enables: "A “Continue with Google” button on the account login page.",
+    set: "GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, SHOP_ORIGIN. Add <SHOP_ORIGIN>/account/auth/google/callback as a Google OAuth redirect URI." },
+];
+
+function renderAdminIntegrations(opts) {
+  opts = opts || {};
+  var status = opts.status || {};
+  var rows = INTEGRATIONS_CATALOG.map(function (it) {
+    // Three states: "enabled" (live), "action" (credentials present but a
+    // one-time operator action — e.g. registering a domain with Stripe —
+    // is still required before it's actually live), "off" (not configured).
+    var st = status[it.key] || "off";
+    var pill, detail;
+    if (st === "enabled") {
+      pill = "<span class=\"status-pill paid\">Enabled</span>";
+      detail = "<span class=\"meta\">Live.</span>";
+    } else if (st === "action") {
+      pill = "<span class=\"status-pill pending\">Action needed</span>";
+      detail = "<span class=\"meta\">" + _htmlEscape(it.set) + "</span>";
+    } else {
+      pill = "<span class=\"status-pill cancelled\">Not configured</span>";
+      detail = "<span class=\"meta\">" + _htmlEscape(it.set) + "</span>";
+    }
+    return "<tr>" +
+        "<td><strong>" + _htmlEscape(it.name) + "</strong><br><span class=\"meta\">" + _htmlEscape(it.enables) + "</span></td>" +
+        "<td>" + pill + "</td>" +
+        "<td>" + detail + "</td>" +
+      "</tr>";
+  }).join("");
+  var body =
+    "<section>" +
+      "<h2>Integrations</h2>" +
+      "<p class=\"meta\">Every integration is off until you supply its credentials — set them as deployment secrets, then redeploy. Nothing is enabled without your keys.</p>" +
+      "<div class=\"panel\"><table>" +
+        "<thead><tr><th>Integration</th><th>Status</th><th>To enable</th></tr></thead>" +
+        "<tbody>" + rows + "</tbody>" +
+      "</table></div>" +
+      "<p class=\"meta\" style=\"margin-top:1.25rem;\">Sign in with Apple and PayPal are planned. “Sign in with Shop” / Shop Pay isn't available to a self-hosted store. See the README “Optional integrations” section for full setup steps.</p>" +
+      "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin\">Back</a></div>" +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Integrations", body);
+}
+
 module.exports = {
   mount:           mount,
   AUDIT_NAMESPACE: AUDIT_NAMESPACE,
   renderDashboard: renderDashboard,
-  renderAdminLogin:   renderAdminLogin,
-  renderAdminLanding: renderAdminLanding,
-  renderAdminSetup:   renderAdminSetup,
+  renderAdminLogin:        renderAdminLogin,
+  renderAdminLanding:      renderAdminLanding,
+  renderAdminSetup:        renderAdminSetup,
+  renderAdminIntegrations: renderAdminIntegrations,
 };

package/lib/checkout.js

@@ -96,6 +96,10 @@ function create(deps) {
   var payment       = deps.payment;
   var order         = deps.order;
   var subscriptions = deps.subscriptions || null;
+  // Optional — when wired, the buyer email is hashed (via the same
+  // customers.hashEmail keying the customers table) and stored on the
+  // order so a later verified-email sign-in can claim the guest order.
+  var customers     = deps.customers || null;
 
   // Compose a quote from a cart + ship-to + (optional) selected
   // shipping service. Pure read — no DB writes.
@@ -219,6 +223,9 @@ function create(deps) {
         grand_total_minor: quote.totals.grand_total_minor,
         payment_intent_id: pi.id,
         ship_to:           input.ship_to,
+        // Hash of the buyer email (same key as the customers table) so a
+        // later verified-email sign-in can claim this guest order.
+        customer_email_hash: customers ? customers.hashEmail(email) : null,
         lines:             quote.lines.map(function (l) {
           return {
             variant_id:        l.variant_id,

package/lib/order.js

@@ -174,13 +174,14 @@ function create(opts) {
       await query(
         "INSERT INTO orders (id, cart_id, customer_id, session_id, status, currency, " +
         "subtotal_minor, discount_minor, tax_minor, shipping_minor, grand_total_minor, " +
-        "payment_intent_id, ship_to_json, created_at, updated_at) " +
-        "VALUES (?1, ?2, ?3, ?4, 'pending', ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?13)",
+        "payment_intent_id, ship_to_json, customer_email_hash, created_at, updated_at) " +
+        "VALUES (?1, ?2, ?3, ?4, 'pending', ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?14)",
         [
           id, input.cart_id, input.customer_id || null, input.session_id,
           input.currency, input.subtotal_minor, input.discount_minor,
           input.tax_minor, input.shipping_minor, input.grand_total_minor,
-          input.payment_intent_id || null, JSON.stringify(input.ship_to), ts,
+          input.payment_intent_id || null, JSON.stringify(input.ship_to),
+          input.customer_email_hash || null, ts,
         ],
       );
       for (var i = 0; i < input.lines.length; i += 1) {
@@ -369,6 +370,26 @@ function create(opts) {
       return await this.get(orderId);
     },
 
+    // Claim guest orders into a customer account by matching the
+    // recorded buyer-email hash. The CALLER must only pass a hash for an
+    // email the identity provider VERIFIED — this method does not (and
+    // cannot) re-verify; linking an unverified email would be account
+    // takeover. Only touches orders with no owner yet (customer_id IS
+    // NULL), so it never re-assigns another customer's order. Returns
+    // the count linked.
+    linkGuestOrdersByEmailHash: async function (customerId, emailHash) {
+      _uuid(customerId, "customer id");
+      if (typeof emailHash !== "string" || !emailHash.length) {
+        throw new TypeError("order.linkGuestOrdersByEmailHash: emailHash must be a non-empty string");
+      }
+      var r = await query(
+        "UPDATE orders SET customer_id = ?1, updated_at = ?2 " +
+        "WHERE customer_id IS NULL AND customer_email_hash = ?3",
+        [customerId, _now(), emailHash],
+      );
+      return Number(r.rowCount || 0);
+    },
+
     // Has this customer purchased this product? True iff an order
     // line for any variant of the product sits in an order owned by
     // the customer whose status is a real purchase — anything except

package/lib/storefront.js

@@ -3294,6 +3294,15 @@ function mount(router, deps) {
             if (anonCart) await deps.cart.setCustomer(anonCart.id, rv.customer.id);
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
+        // Claim prior guest orders placed under this email — ONLY because
+        // the provider verified it (claims.email_verified). Links orders
+        // with no owner yet whose recorded email hash matches; best-effort.
+        if (claims.email_verified === true && claims.email && deps.order &&
+            typeof deps.order.linkGuestOrdersByEmailHash === "function") {
+          try {
+            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+          } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
+        }
         _setAuthCookie(res, { customer_id: rv.customer.id, exp: Date.now() + _b().constants.TIME.days(14) });
         res.status(303); res.setHeader && res.setHeader("location", "/account");
         return res.end ? res.end() : res.send("");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {