npm - @blamejs/blamejs-shop - Versions diffs - 0.1.5 → 0.1.7 - Mend

@blamejs/blamejs-shop 0.1.5 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.1.x
+- v0.1.7 (2026-05-25) — **Admin console — persistent navigation and a products screen.** The admin is now a cohesive, navigable web console rather than a set of disconnected pages. A persistent nav (Home, Dashboard, Products, Integrations, Setup) runs across every signed-in page, and Products is the first full management screen: browse the catalog, create a product, and archive or restore one — all from the browser. The JSON API is unchanged: an endpoint serves the HTML console to a signed-in browser and JSON to a bearer-token client, so tooling keeps working exactly as before. **Added:** *Console navigation* — Every signed-in admin page shares a top nav with the current section highlighted, so the dashboard, products, integrations, and setup wizard are one console. The shell is the same brand-matched layout as the dashboard. · *Products management screen* — `/admin/products` renders the catalog as a table (title, slug, status) with Archive / Restore actions and a New-product form, when opened in a signed-in browser. The same path returns the existing JSON list to a bearer-token client; create, archive, and restore content-negotiate the same way (browser form → redirect; bad input re-renders with a notice, never a 500). The product create / archive / restore JSON API is unchanged.
+- v0.1.6 (2026-05-25) — **Claim past guest orders when a shopper signs in.** A shopper who checked out as a guest and later signs in with a provider-verified email now finds those past orders attached to their account. Checkout records a hash of the buyer's email on the order; on Google sign-in, orders placed under that same email — and not yet owned by anyone — are claimed into the account. Linking happens only on an email the identity provider verified, never on an unverified one, so it can't be used to steal another shopper's order history. **Added:** *Guest-order reconciliation on sign-in* — Orders now carry a `customer_email_hash` (migration 0206), written at checkout from the buyer's email with the same key the customers table uses. On a verified Google sign-in, `order.linkGuestOrdersByEmailHash` claims every ownerless order under that email into the account — so prior guest purchases appear in /account and satisfy customer-scoped checks (e.g. verified-buyer reviews). Only ownerless orders are touched (an order already attached to a customer is never reassigned), and only a provider-verified email triggers a link.
 - v0.1.5 (2026-05-25) — **Tell operators how to turn each integration on.** Every third-party integration (Stripe card checkout, Apple/Google Pay, Sign in with Google) is off by default and only activates when you supply its credentials. This release documents exactly what to set for each — in the README, in a new .env.example, and in the admin console itself. A signed-in operator opens /admin/integrations to see, at a glance, which integrations are live and the precise environment variables (or one-time action) needed to enable the rest. Nothing is enabled without your keys. **Added:** *Admin integrations status page* — `/admin/integrations` lists each integration with a live Enabled / Not configured status and the exact variables or action to turn it on — Stripe keys, the payment-method-domain registration for wallets, the Google OAuth client + redirect URI. Read-only; secrets are never rendered. Linked from the admin landing. · *Operator setup docs* — A README "Optional integrations" section and a top-level `.env.example` enumerate every environment variable, what capability it unlocks, and the external setup (e.g. the Google OAuth redirect URI, the Stripe webhook path). Both note that Apple sign-in + PayPal are planned and that Shop Pay / "Sign in with Shop" isn't available to a self-hosted store.
 - v0.1.4 (2026-05-25) — **Sign in with Google.** Customers can sign in with Google alongside passkeys. The account login page gains a Continue with Google button; the OIDC authorization-code flow (PKCE, state, nonce, ID-token verification) runs through the framework's OAuth adapter, and the verified identity becomes a shop session. Accounts are keyed on the provider's stable subject, and an existing account is only ever linked on an email the provider has verified — an unverified email that collides with an existing account is refused rather than linked. A cart built before signing in is adopted into the account, so checkout attaches the order to the customer. **Added:** *Google sign-in* — Mounts `/account/login/google` + `/account/auth/google/callback` when the operator sets `GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`, and `SHOP_ORIGIN`. The in-flight state (CSRF state + nonce + PKCE verifier) rides a sealed, /account-scoped, SameSite=Lax cookie; the callback verifies the state before exchanging the code. A forged or stale callback is dropped to the login page. On success the guest session cart is adopted into the account (`cart.setCustomer`), matching the passkey path. · *Federated identity model + safe account linking* — `customers.signInWithOIDC` resolves a verified sign-in to a customer: an existing `(provider, subject)` link, else — only on a provider-verified email — an existing account with that email, else a new account. It never links to an existing account on an unverified email (account-takeover defense). New `customer_oauth_identities` table (migration 0205) + `customers.byOAuthIdentity`.

package/README.md CHANGED Viewed

@@ -93,6 +93,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0026_customer_addresses.sql` — per-customer address book (default shipping/billing flags)
 - `migrations-d1/0023_returns.sql` — return authorizations + lines (RMA lifecycle FSM)
 - `migrations-d1/0205_customer_oauth_identities.sql` — federated sign-in identities (provider + subject, verified-email gating)
+- `migrations-d1/0206_orders_email_hash.sql` — queryable buyer-email hash on orders (guest-order reconciliation key)
 - `migrations-d1/0043_collections.sql` — manual + smart product collections (members + rules + sort strategy)
 - `migrations-d1/0050_recently_viewed.sql` — per-customer / per-session product browse history (dedup + per-subject cap)

package/lib/admin.js CHANGED Viewed

@@ -235,6 +235,24 @@ function mount(router, deps) {
     return _wrap(h, { expectedToken: expectedToken });
   };
+  // Content-negotiate one endpoint between the JSON API and the HTML
+  // console: a bearer token routes to `apiHandler` (the JSON contract,
+  // unchanged for tooling); a browser admin-cookie session routes to
+  // `htmlHandler` (the rendered console page). Unauthenticated GETs show
+  // the sign-in form; other methods bounce to /admin.
+  function _pageOrApi(isGet, apiHandler, htmlHandler) {
+    return async function (req, res) {
+      if (_authOk(_readBearer(req), expectedToken)) return apiHandler(req, res);
+      // Mirror _htmlAuthed: a missing vault makes the cookie check throw;
+      // treat that as "not authed" rather than 500-ing the route.
+      var cookieOk = false;
+      try { cookieOk = _adminCookieValid(req); } catch (_e) { cookieOk = false; }
+      if (cookieOk) return htmlHandler(req, res);
+      if (isGet) return _sendHtml(res, 200, renderAdminLogin({ shop_name: deps.shop_name }));
+      return _redirect(res, "/admin");
+    };
+  }
   function _json(res, status, obj) {
     res.status(status);
     if (res.setHeader) res.setHeader("content-type", "application/json; charset=utf-8");
@@ -244,11 +262,31 @@ function mount(router, deps) {
   // ---- products -------------------------------------------------------
-  router.post("/admin/products", W("product.create", async function (req, res) {
-    var p = await catalog.products.create(req.body || {});
-    _json(res, 201, p);
-    return p;
-  }));
+  router.post("/admin/products", _pageOrApi(false,
+    W("product.create", async function (req, res) {
+      var p = await catalog.products.create(req.body || {});
+      _json(res, 201, p);
+      return p;
+    }),
+    async function (req, res) {
+      // Browser form submit — create, then redirect (PRG). Bad input
+      // re-renders the products page with a notice, never a 500.
+      try {
+        await catalog.products.create(req.body || {});
+      } catch (e) {
+        if (e instanceof TypeError || e.code === "CATALOG_DUPLICATE" || /slug|exists|duplicate/i.test(e.message || "")) {
+          var page = await catalog.products.list({ limit: 100 });
+          return _sendHtml(res, 400, renderAdminProducts({
+            shop_name: deps.shop_name, products: page.rows || [],
+            notice: (e && e.message) || "Couldn't create that product.",
+          }));
+        }
+        throw e;
+      }
+      _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".product.create", outcome: "success", metadata: {} });
+      _redirect(res, "/admin/products?created=1");
+    },
+  ));
   router.get("/admin/products/search", R(async function (req, res) {
     var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -269,15 +307,23 @@ function mount(router, deps) {
     _json(res, 200, page);
   }));
-  router.get("/admin/products", R(async function (req, res) {
-    var url = req.url ? new URL(req.url, "http://localhost") : null;
-    var status = url && url.searchParams.get("status");
-    var cursor = url && url.searchParams.get("cursor");
-    var limitS = url && url.searchParams.get("limit");
-    var limit  = limitS == null ? 50 : parseInt(limitS, 10);
-    var page = await catalog.products.list({ status: status || undefined, cursor: cursor || undefined, limit: limit });
-    _json(res, 200, page);
-  }));
+  router.get("/admin/products", _pageOrApi(true,
+    R(async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var status = url && url.searchParams.get("status");
+      var cursor = url && url.searchParams.get("cursor");
+      var limitS = url && url.searchParams.get("limit");
+      var limit  = limitS == null ? 50 : parseInt(limitS, 10);
+      var page = await catalog.products.list({ status: status || undefined, cursor: cursor || undefined, limit: limit });
+      _json(res, 200, page);
+    }),
+    async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var created = !!(url && url.searchParams.get("created"));
+      var page = await catalog.products.list({ limit: 100 });
+      _sendHtml(res, 200, renderAdminProducts({ shop_name: deps.shop_name, products: page.rows || [], created: created }));
+    },
+  ));
   router.get("/admin/products/:id", R(async function (req, res) {
     var p = await catalog.products.get(req.params.id);
@@ -292,19 +338,26 @@ function mount(router, deps) {
     return p;
   }));
-  router.post("/admin/products/:id/archive", W("product.archive", async function (req, res) {
-    var p = await catalog.products.archive(req.params.id);
-    if (!p) return _problem(res, 404, "product-not-found");
-    _json(res, 200, p);
-    return p;
-  }));
-  router.post("/admin/products/:id/restore", W("product.restore", async function (req, res) {
-    var p = await catalog.products.restore(req.params.id);
-    if (!p) return _problem(res, 404, "product-not-found");
-    _json(res, 200, p);
-    return p;
-  }));
+  function _productStateAction(verb, op, audit) {
+    return _pageOrApi(false,
+      W(audit, async function (req, res) {
+        var p = await op(req.params.id);
+        if (!p) return _problem(res, 404, "product-not-found");
+        _json(res, 200, p);
+        return p;
+      }),
+      async function (req, res) {
+        // A bad/missing id is a no-op (fall through to the list); a real
+        // failure must NOT be reported as success — let it surface.
+        try { await op(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + "." + audit, outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/products");
+      },
+    );
+  }
+  router.post("/admin/products/:id/archive", _productStateAction("archive", function (id) { return catalog.products.archive(id); }, "product.archive"));
+  router.post("/admin/products/:id/restore", _productStateAction("restore", function (id) { return catalog.products.restore(id); }, "product.restore"));
   // ---- variants -------------------------------------------------------
@@ -1189,6 +1242,11 @@ var DASHBOARD_LAYOUT =
   "    .banner--ok { background:#e9f5ec; border:1px solid #bfe1c9; color:#1f6b3a; }\n" +
   "    .banner--err { background:#fff1eb; border:1px solid #f6c5af; color:var(--accent-d); }\n" +
   "    .actions-row { display:flex; gap:.75rem; flex-wrap:wrap; align-items:center; margin-top:1.5rem; }\n" +
+  "    .admin-nav { background:var(--paper); border-bottom:1px solid var(--hair); }\n" +
+  "    .admin-nav__inner { max-width:80rem; margin:0 auto; padding:0 1.5rem; display:flex; gap:.1rem; flex-wrap:wrap; }\n" +
+  "    .admin-nav a { display:inline-block; padding:.85rem .9rem; color:var(--ink-2); text-decoration:none; font-size:.84rem; font-weight:600; border-bottom:2px solid transparent; }\n" +
+  "    .admin-nav a:hover { color:var(--ink); }\n" +
+  "    .admin-nav a.active { color:var(--accent); border-bottom-color:var(--accent); }\n" +
   "  </style>\n" +
   "</head>\n" +
   "<body>\n" +
@@ -1198,6 +1256,7 @@ var DASHBOARD_LAYOUT =
   "      <span style=\"font-size:.8rem; color:var(--mute);\">{{window_label}}</span>\n" +
   "    </div>\n" +
   "  </header>\n" +
+  "  {{nav}}\n" +
   "  <main>{{body}}</main>\n" +
   "</body>\n" +
   "</html>\n";
@@ -1326,12 +1385,12 @@ function renderDashboard(opts) {
   var body = statsBlock + otherCurrencies + spark + twoCol;
-  var html = _renderTemplate(DASHBOARD_LAYOUT, {
-    shop_name:    opts.shop_name || "blamejs.shop",
-    window_label: "Window: last 30 days (operator-tunable via ?since=&until=)",
-    body:         "RAW_BODY",
-  }).replace("RAW_BODY", body);
-  return html;
+  return _renderAdminShell(
+    opts.shop_name,
+    "Window: last 30 days (operator-tunable via ?since=&until=)",
+    body,
+    "dashboard",
+  );
 }
 function _statCard(label, value, accent) {
@@ -1341,12 +1400,32 @@ function _statCard(label, value, accent) {
 // ---- admin web pages (login / landing / setup wizard) -------------------
-function _renderAdminShell(shopName, subtitle, bodyHtml) {
+// Console nav — one entry per HTML console screen. `active` highlights
+// the current page; `null`/`false` (unauthenticated pages like the
+// sign-in form) renders no nav at all.
+var ADMIN_NAV_ITEMS = [
+  { key: "home",         href: "/admin",              label: "Home" },
+  { key: "dashboard",    href: "/admin/dashboard",    label: "Dashboard" },
+  { key: "products",     href: "/admin/products",     label: "Products" },
+  { key: "integrations", href: "/admin/integrations", label: "Integrations" },
+  { key: "setup",        href: "/admin/setup",        label: "Setup" },
+];
+function _adminNav(active) {
+  if (active === null || active === undefined || active === false) return "";
+  var links = ADMIN_NAV_ITEMS.map(function (it) {
+    return "<a href=\"" + it.href + "\"" + (it.key === active ? " class=\"active\"" : "") + ">" +
+      _htmlEscape(it.label) + "</a>";
+  }).join("");
+  return "<nav class=\"admin-nav\"><div class=\"admin-nav__inner\">" + links + "</div></nav>";
+}
+function _renderAdminShell(shopName, subtitle, bodyHtml, active) {
   return _renderTemplate(DASHBOARD_LAYOUT, {
     shop_name:    shopName || "blamejs.shop",
     window_label: subtitle || "",
+    nav:          "RAW_NAV",
     body:         "RAW_BODY",
-  }).replace("RAW_BODY", bodyHtml);
+  }).replace("RAW_NAV", _adminNav(active)).replace("RAW_BODY", bodyHtml);
 }
 function renderAdminLogin(opts) {
@@ -1365,7 +1444,7 @@ function renderAdminLogin(opts) {
         "<button type=\"submit\" class=\"btn\">Sign in</button>" +
       "</form>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "Sign in", body);
+  return _renderAdminShell(opts.shop_name, "Sign in", body, null);
 }
 function renderAdminLanding(opts) {
@@ -1383,7 +1462,7 @@ function renderAdminLanding(opts) {
       "</div>" +
       "<div class=\"actions-row\"><form method=\"post\" action=\"/admin/logout\"><button type=\"submit\" class=\"btn btn--ghost\">Sign out</button></form></div>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "", body);
+  return _renderAdminShell(opts.shop_name, "", body, "home");
 }
 function _setupField(label, name, value, type, hint, extra) {
@@ -1412,7 +1491,7 @@ function renderAdminSetup(opts) {
           "<a class=\"btn btn--ghost\" href=\"/admin\">Back</a></div>" +
       "</form>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "Setup", body);
+  return _renderAdminShell(opts.shop_name, "Setup", body, "setup");
 }
 // Each integration is off until the operator supplies its credentials.
@@ -1464,7 +1543,41 @@ function renderAdminIntegrations(opts) {
       "<p class=\"meta\" style=\"margin-top:1.25rem;\">Sign in with Apple and PayPal are planned. “Sign in with Shop” / Shop Pay isn't available to a self-hosted store. See the README “Optional integrations” section for full setup steps.</p>" +
       "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin\">Back</a></div>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "Integrations", body);
+  return _renderAdminShell(opts.shop_name, "Integrations", body, "integrations");
+}
+function renderAdminProducts(opts) {
+  opts = opts || {};
+  var products = opts.products || [];
+  var created = opts.created ? "<div class=\"banner banner--ok\">Product created.</div>" : "";
+  var notice  = opts.notice  ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var rows = products.map(function (p) {
+    var cls = p.status === "active" ? "paid" : (p.status === "archived" ? "refunded" : "pending");
+    var action = p.status === "archived"
+      ? "<form method=\"post\" action=\"/admin/products/" + _htmlEscape(p.id) + "/restore\"><button class=\"btn btn--ghost\" type=\"submit\">Restore</button></form>"
+      : "<form method=\"post\" action=\"/admin/products/" + _htmlEscape(p.id) + "/archive\"><button class=\"btn btn--ghost\" type=\"submit\">Archive</button></form>";
+    return "<tr><td><strong>" + _htmlEscape(p.title) + "</strong></td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(p.slug) + "</code></td>" +
+      "<td><span class=\"status-pill " + cls + "\">" + _htmlEscape(p.status) + "</span></td>" +
+      "<td>" + action + "</td></tr>";
+  }).join("");
+  var table = products.length
+    ? "<div class=\"panel\"><table><thead><tr><th>Title</th><th>Slug</th><th>Status</th><th>Action</th></tr></thead><tbody>" + rows + "</tbody></table></div>"
+    : "<p class=\"empty\">No products yet — create your first one below.</p>";
+  var body =
+    "<section><h2>Products</h2>" + created + notice + table +
+      "<div class=\"panel\" style=\"margin-top:1.5rem; max-width:34rem;\">" +
+        "<h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">New product</h3>" +
+        "<form method=\"post\" action=\"/admin/products\">" +
+          _setupField("Title", "title", "", "text", "", " maxlength=\"200\" required") +
+          _setupField("Slug", "slug", "", "text", "Lowercase, hyphenated — the storefront URL.", " maxlength=\"200\" required") +
+          "<label class=\"form-field\"><span>Status</span><select name=\"status\"><option value=\"draft\">Draft</option><option value=\"active\">Active</option></select></label>" +
+          _setupField("Description", "description", "", "text", "", " maxlength=\"2000\"") +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Create product</button></div>" +
+        "</form>" +
+      "</div>" +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Products", body, "products");
 }
 module.exports = {
@@ -1475,4 +1588,5 @@ module.exports = {
   renderAdminLanding:      renderAdminLanding,
   renderAdminSetup:        renderAdminSetup,
   renderAdminIntegrations: renderAdminIntegrations,
+  renderAdminProducts:     renderAdminProducts,
 };

package/lib/checkout.js CHANGED Viewed

@@ -96,6 +96,10 @@ function create(deps) {
   var payment       = deps.payment;
   var order         = deps.order;
   var subscriptions = deps.subscriptions || null;
+  // Optional — when wired, the buyer email is hashed (via the same
+  // customers.hashEmail keying the customers table) and stored on the
+  // order so a later verified-email sign-in can claim the guest order.
+  var customers     = deps.customers || null;
   // Compose a quote from a cart + ship-to + (optional) selected
   // shipping service. Pure read — no DB writes.
@@ -219,6 +223,9 @@ function create(deps) {
         grand_total_minor: quote.totals.grand_total_minor,
         payment_intent_id: pi.id,
         ship_to:           input.ship_to,
+        // Hash of the buyer email (same key as the customers table) so a
+        // later verified-email sign-in can claim this guest order.
+        customer_email_hash: customers ? customers.hashEmail(email) : null,
         lines:             quote.lines.map(function (l) {
           return {
             variant_id:        l.variant_id,

package/lib/order.js CHANGED Viewed

@@ -174,13 +174,14 @@ function create(opts) {
       await query(
         "INSERT INTO orders (id, cart_id, customer_id, session_id, status, currency, " +
         "subtotal_minor, discount_minor, tax_minor, shipping_minor, grand_total_minor, " +
-        "payment_intent_id, ship_to_json, created_at, updated_at) " +
-        "VALUES (?1, ?2, ?3, ?4, 'pending', ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?13)",
+        "payment_intent_id, ship_to_json, customer_email_hash, created_at, updated_at) " +
+        "VALUES (?1, ?2, ?3, ?4, 'pending', ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?14)",
         [
           id, input.cart_id, input.customer_id || null, input.session_id,
           input.currency, input.subtotal_minor, input.discount_minor,
           input.tax_minor, input.shipping_minor, input.grand_total_minor,
-          input.payment_intent_id || null, JSON.stringify(input.ship_to), ts,
+          input.payment_intent_id || null, JSON.stringify(input.ship_to),
+          input.customer_email_hash || null, ts,
         ],
       );
       for (var i = 0; i < input.lines.length; i += 1) {
@@ -369,6 +370,26 @@ function create(opts) {
       return await this.get(orderId);
     },
+    // Claim guest orders into a customer account by matching the
+    // recorded buyer-email hash. The CALLER must only pass a hash for an
+    // email the identity provider VERIFIED — this method does not (and
+    // cannot) re-verify; linking an unverified email would be account
+    // takeover. Only touches orders with no owner yet (customer_id IS
+    // NULL), so it never re-assigns another customer's order. Returns
+    // the count linked.
+    linkGuestOrdersByEmailHash: async function (customerId, emailHash) {
+      _uuid(customerId, "customer id");
+      if (typeof emailHash !== "string" || !emailHash.length) {
+        throw new TypeError("order.linkGuestOrdersByEmailHash: emailHash must be a non-empty string");
+      }
+      var r = await query(
+        "UPDATE orders SET customer_id = ?1, updated_at = ?2 " +
+        "WHERE customer_id IS NULL AND customer_email_hash = ?3",
+        [customerId, _now(), emailHash],
+      );
+      return Number(r.rowCount || 0);
+    },
     // Has this customer purchased this product? True iff an order
     // line for any variant of the product sits in an order owned by
     // the customer whose status is a real purchase — anything except

package/lib/storefront.js CHANGED Viewed

@@ -3294,6 +3294,15 @@ function mount(router, deps) {
             if (anonCart) await deps.cart.setCustomer(anonCart.id, rv.customer.id);
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
+        // Claim prior guest orders placed under this email — ONLY because
+        // the provider verified it (claims.email_verified). Links orders
+        // with no owner yet whose recorded email hash matches; best-effort.
+        if (claims.email_verified === true && claims.email && deps.order &&
+            typeof deps.order.linkGuestOrdersByEmailHash === "function") {
+          try {
+            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+          } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
+        }
         _setAuthCookie(res, { customer_id: rv.customer.id, exp: Date.now() + _b().constants.TIME.days(14) });
         res.status(303); res.setHeader && res.setHeader("location", "/account");
         return res.end ? res.end() : res.send("");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {