npm - @blamejs/blamejs-shop - Versions diffs - 0.1.6 → 0.1.7 - Mend

@blamejs/blamejs-shop 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.1.x
+- v0.1.7 (2026-05-25) — **Admin console — persistent navigation and a products screen.** The admin is now a cohesive, navigable web console rather than a set of disconnected pages. A persistent nav (Home, Dashboard, Products, Integrations, Setup) runs across every signed-in page, and Products is the first full management screen: browse the catalog, create a product, and archive or restore one — all from the browser. The JSON API is unchanged: an endpoint serves the HTML console to a signed-in browser and JSON to a bearer-token client, so tooling keeps working exactly as before. **Added:** *Console navigation* — Every signed-in admin page shares a top nav with the current section highlighted, so the dashboard, products, integrations, and setup wizard are one console. The shell is the same brand-matched layout as the dashboard. · *Products management screen* — `/admin/products` renders the catalog as a table (title, slug, status) with Archive / Restore actions and a New-product form, when opened in a signed-in browser. The same path returns the existing JSON list to a bearer-token client; create, archive, and restore content-negotiate the same way (browser form → redirect; bad input re-renders with a notice, never a 500). The product create / archive / restore JSON API is unchanged.
 - v0.1.6 (2026-05-25) — **Claim past guest orders when a shopper signs in.** A shopper who checked out as a guest and later signs in with a provider-verified email now finds those past orders attached to their account. Checkout records a hash of the buyer's email on the order; on Google sign-in, orders placed under that same email — and not yet owned by anyone — are claimed into the account. Linking happens only on an email the identity provider verified, never on an unverified one, so it can't be used to steal another shopper's order history. **Added:** *Guest-order reconciliation on sign-in* — Orders now carry a `customer_email_hash` (migration 0206), written at checkout from the buyer's email with the same key the customers table uses. On a verified Google sign-in, `order.linkGuestOrdersByEmailHash` claims every ownerless order under that email into the account — so prior guest purchases appear in /account and satisfy customer-scoped checks (e.g. verified-buyer reviews). Only ownerless orders are touched (an order already attached to a customer is never reassigned), and only a provider-verified email triggers a link.
 - v0.1.5 (2026-05-25) — **Tell operators how to turn each integration on.** Every third-party integration (Stripe card checkout, Apple/Google Pay, Sign in with Google) is off by default and only activates when you supply its credentials. This release documents exactly what to set for each — in the README, in a new .env.example, and in the admin console itself. A signed-in operator opens /admin/integrations to see, at a glance, which integrations are live and the precise environment variables (or one-time action) needed to enable the rest. Nothing is enabled without your keys. **Added:** *Admin integrations status page* — `/admin/integrations` lists each integration with a live Enabled / Not configured status and the exact variables or action to turn it on — Stripe keys, the payment-method-domain registration for wallets, the Google OAuth client + redirect URI. Read-only; secrets are never rendered. Linked from the admin landing. · *Operator setup docs* — A README "Optional integrations" section and a top-level `.env.example` enumerate every environment variable, what capability it unlocks, and the external setup (e.g. the Google OAuth redirect URI, the Stripe webhook path). Both note that Apple sign-in + PayPal are planned and that Shop Pay / "Sign in with Shop" isn't available to a self-hosted store.

package/lib/admin.js CHANGED Viewed

@@ -235,6 +235,24 @@ function mount(router, deps) {
     return _wrap(h, { expectedToken: expectedToken });
   };
+  // Content-negotiate one endpoint between the JSON API and the HTML
+  // console: a bearer token routes to `apiHandler` (the JSON contract,
+  // unchanged for tooling); a browser admin-cookie session routes to
+  // `htmlHandler` (the rendered console page). Unauthenticated GETs show
+  // the sign-in form; other methods bounce to /admin.
+  function _pageOrApi(isGet, apiHandler, htmlHandler) {
+    return async function (req, res) {
+      if (_authOk(_readBearer(req), expectedToken)) return apiHandler(req, res);
+      // Mirror _htmlAuthed: a missing vault makes the cookie check throw;
+      // treat that as "not authed" rather than 500-ing the route.
+      var cookieOk = false;
+      try { cookieOk = _adminCookieValid(req); } catch (_e) { cookieOk = false; }
+      if (cookieOk) return htmlHandler(req, res);
+      if (isGet) return _sendHtml(res, 200, renderAdminLogin({ shop_name: deps.shop_name }));
+      return _redirect(res, "/admin");
+    };
+  }
   function _json(res, status, obj) {
     res.status(status);
     if (res.setHeader) res.setHeader("content-type", "application/json; charset=utf-8");
@@ -244,11 +262,31 @@ function mount(router, deps) {
   // ---- products -------------------------------------------------------
-  router.post("/admin/products", W("product.create", async function (req, res) {
-    var p = await catalog.products.create(req.body || {});
-    _json(res, 201, p);
-    return p;
-  }));
+  router.post("/admin/products", _pageOrApi(false,
+    W("product.create", async function (req, res) {
+      var p = await catalog.products.create(req.body || {});
+      _json(res, 201, p);
+      return p;
+    }),
+    async function (req, res) {
+      // Browser form submit — create, then redirect (PRG). Bad input
+      // re-renders the products page with a notice, never a 500.
+      try {
+        await catalog.products.create(req.body || {});
+      } catch (e) {
+        if (e instanceof TypeError || e.code === "CATALOG_DUPLICATE" || /slug|exists|duplicate/i.test(e.message || "")) {
+          var page = await catalog.products.list({ limit: 100 });
+          return _sendHtml(res, 400, renderAdminProducts({
+            shop_name: deps.shop_name, products: page.rows || [],
+            notice: (e && e.message) || "Couldn't create that product.",
+          }));
+        }
+        throw e;
+      }
+      _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".product.create", outcome: "success", metadata: {} });
+      _redirect(res, "/admin/products?created=1");
+    },
+  ));
   router.get("/admin/products/search", R(async function (req, res) {
     var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -269,15 +307,23 @@ function mount(router, deps) {
     _json(res, 200, page);
   }));
-  router.get("/admin/products", R(async function (req, res) {
-    var url = req.url ? new URL(req.url, "http://localhost") : null;
-    var status = url && url.searchParams.get("status");
-    var cursor = url && url.searchParams.get("cursor");
-    var limitS = url && url.searchParams.get("limit");
-    var limit  = limitS == null ? 50 : parseInt(limitS, 10);
-    var page = await catalog.products.list({ status: status || undefined, cursor: cursor || undefined, limit: limit });
-    _json(res, 200, page);
-  }));
+  router.get("/admin/products", _pageOrApi(true,
+    R(async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var status = url && url.searchParams.get("status");
+      var cursor = url && url.searchParams.get("cursor");
+      var limitS = url && url.searchParams.get("limit");
+      var limit  = limitS == null ? 50 : parseInt(limitS, 10);
+      var page = await catalog.products.list({ status: status || undefined, cursor: cursor || undefined, limit: limit });
+      _json(res, 200, page);
+    }),
+    async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var created = !!(url && url.searchParams.get("created"));
+      var page = await catalog.products.list({ limit: 100 });
+      _sendHtml(res, 200, renderAdminProducts({ shop_name: deps.shop_name, products: page.rows || [], created: created }));
+    },
+  ));
   router.get("/admin/products/:id", R(async function (req, res) {
     var p = await catalog.products.get(req.params.id);
@@ -292,19 +338,26 @@ function mount(router, deps) {
     return p;
   }));
-  router.post("/admin/products/:id/archive", W("product.archive", async function (req, res) {
-    var p = await catalog.products.archive(req.params.id);
-    if (!p) return _problem(res, 404, "product-not-found");
-    _json(res, 200, p);
-    return p;
-  }));
-  router.post("/admin/products/:id/restore", W("product.restore", async function (req, res) {
-    var p = await catalog.products.restore(req.params.id);
-    if (!p) return _problem(res, 404, "product-not-found");
-    _json(res, 200, p);
-    return p;
-  }));
+  function _productStateAction(verb, op, audit) {
+    return _pageOrApi(false,
+      W(audit, async function (req, res) {
+        var p = await op(req.params.id);
+        if (!p) return _problem(res, 404, "product-not-found");
+        _json(res, 200, p);
+        return p;
+      }),
+      async function (req, res) {
+        // A bad/missing id is a no-op (fall through to the list); a real
+        // failure must NOT be reported as success — let it surface.
+        try { await op(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + "." + audit, outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/products");
+      },
+    );
+  }
+  router.post("/admin/products/:id/archive", _productStateAction("archive", function (id) { return catalog.products.archive(id); }, "product.archive"));
+  router.post("/admin/products/:id/restore", _productStateAction("restore", function (id) { return catalog.products.restore(id); }, "product.restore"));
   // ---- variants -------------------------------------------------------
@@ -1189,6 +1242,11 @@ var DASHBOARD_LAYOUT =
   "    .banner--ok { background:#e9f5ec; border:1px solid #bfe1c9; color:#1f6b3a; }\n" +
   "    .banner--err { background:#fff1eb; border:1px solid #f6c5af; color:var(--accent-d); }\n" +
   "    .actions-row { display:flex; gap:.75rem; flex-wrap:wrap; align-items:center; margin-top:1.5rem; }\n" +
+  "    .admin-nav { background:var(--paper); border-bottom:1px solid var(--hair); }\n" +
+  "    .admin-nav__inner { max-width:80rem; margin:0 auto; padding:0 1.5rem; display:flex; gap:.1rem; flex-wrap:wrap; }\n" +
+  "    .admin-nav a { display:inline-block; padding:.85rem .9rem; color:var(--ink-2); text-decoration:none; font-size:.84rem; font-weight:600; border-bottom:2px solid transparent; }\n" +
+  "    .admin-nav a:hover { color:var(--ink); }\n" +
+  "    .admin-nav a.active { color:var(--accent); border-bottom-color:var(--accent); }\n" +
   "  </style>\n" +
   "</head>\n" +
   "<body>\n" +
@@ -1198,6 +1256,7 @@ var DASHBOARD_LAYOUT =
   "      <span style=\"font-size:.8rem; color:var(--mute);\">{{window_label}}</span>\n" +
   "    </div>\n" +
   "  </header>\n" +
+  "  {{nav}}\n" +
   "  <main>{{body}}</main>\n" +
   "</body>\n" +
   "</html>\n";
@@ -1326,12 +1385,12 @@ function renderDashboard(opts) {
   var body = statsBlock + otherCurrencies + spark + twoCol;
-  var html = _renderTemplate(DASHBOARD_LAYOUT, {
-    shop_name:    opts.shop_name || "blamejs.shop",
-    window_label: "Window: last 30 days (operator-tunable via ?since=&until=)",
-    body:         "RAW_BODY",
-  }).replace("RAW_BODY", body);
-  return html;
+  return _renderAdminShell(
+    opts.shop_name,
+    "Window: last 30 days (operator-tunable via ?since=&until=)",
+    body,
+    "dashboard",
+  );
 }
 function _statCard(label, value, accent) {
@@ -1341,12 +1400,32 @@ function _statCard(label, value, accent) {
 // ---- admin web pages (login / landing / setup wizard) -------------------
-function _renderAdminShell(shopName, subtitle, bodyHtml) {
+// Console nav — one entry per HTML console screen. `active` highlights
+// the current page; `null`/`false` (unauthenticated pages like the
+// sign-in form) renders no nav at all.
+var ADMIN_NAV_ITEMS = [
+  { key: "home",         href: "/admin",              label: "Home" },
+  { key: "dashboard",    href: "/admin/dashboard",    label: "Dashboard" },
+  { key: "products",     href: "/admin/products",     label: "Products" },
+  { key: "integrations", href: "/admin/integrations", label: "Integrations" },
+  { key: "setup",        href: "/admin/setup",        label: "Setup" },
+];
+function _adminNav(active) {
+  if (active === null || active === undefined || active === false) return "";
+  var links = ADMIN_NAV_ITEMS.map(function (it) {
+    return "<a href=\"" + it.href + "\"" + (it.key === active ? " class=\"active\"" : "") + ">" +
+      _htmlEscape(it.label) + "</a>";
+  }).join("");
+  return "<nav class=\"admin-nav\"><div class=\"admin-nav__inner\">" + links + "</div></nav>";
+}
+function _renderAdminShell(shopName, subtitle, bodyHtml, active) {
   return _renderTemplate(DASHBOARD_LAYOUT, {
     shop_name:    shopName || "blamejs.shop",
     window_label: subtitle || "",
+    nav:          "RAW_NAV",
     body:         "RAW_BODY",
-  }).replace("RAW_BODY", bodyHtml);
+  }).replace("RAW_NAV", _adminNav(active)).replace("RAW_BODY", bodyHtml);
 }
 function renderAdminLogin(opts) {
@@ -1365,7 +1444,7 @@ function renderAdminLogin(opts) {
         "<button type=\"submit\" class=\"btn\">Sign in</button>" +
       "</form>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "Sign in", body);
+  return _renderAdminShell(opts.shop_name, "Sign in", body, null);
 }
 function renderAdminLanding(opts) {
@@ -1383,7 +1462,7 @@ function renderAdminLanding(opts) {
       "</div>" +
       "<div class=\"actions-row\"><form method=\"post\" action=\"/admin/logout\"><button type=\"submit\" class=\"btn btn--ghost\">Sign out</button></form></div>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "", body);
+  return _renderAdminShell(opts.shop_name, "", body, "home");
 }
 function _setupField(label, name, value, type, hint, extra) {
@@ -1412,7 +1491,7 @@ function renderAdminSetup(opts) {
           "<a class=\"btn btn--ghost\" href=\"/admin\">Back</a></div>" +
       "</form>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "Setup", body);
+  return _renderAdminShell(opts.shop_name, "Setup", body, "setup");
 }
 // Each integration is off until the operator supplies its credentials.
@@ -1464,7 +1543,41 @@ function renderAdminIntegrations(opts) {
       "<p class=\"meta\" style=\"margin-top:1.25rem;\">Sign in with Apple and PayPal are planned. “Sign in with Shop” / Shop Pay isn't available to a self-hosted store. See the README “Optional integrations” section for full setup steps.</p>" +
       "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin\">Back</a></div>" +
     "</section>";
-  return _renderAdminShell(opts.shop_name, "Integrations", body);
+  return _renderAdminShell(opts.shop_name, "Integrations", body, "integrations");
+}
+function renderAdminProducts(opts) {
+  opts = opts || {};
+  var products = opts.products || [];
+  var created = opts.created ? "<div class=\"banner banner--ok\">Product created.</div>" : "";
+  var notice  = opts.notice  ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var rows = products.map(function (p) {
+    var cls = p.status === "active" ? "paid" : (p.status === "archived" ? "refunded" : "pending");
+    var action = p.status === "archived"
+      ? "<form method=\"post\" action=\"/admin/products/" + _htmlEscape(p.id) + "/restore\"><button class=\"btn btn--ghost\" type=\"submit\">Restore</button></form>"
+      : "<form method=\"post\" action=\"/admin/products/" + _htmlEscape(p.id) + "/archive\"><button class=\"btn btn--ghost\" type=\"submit\">Archive</button></form>";
+    return "<tr><td><strong>" + _htmlEscape(p.title) + "</strong></td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(p.slug) + "</code></td>" +
+      "<td><span class=\"status-pill " + cls + "\">" + _htmlEscape(p.status) + "</span></td>" +
+      "<td>" + action + "</td></tr>";
+  }).join("");
+  var table = products.length
+    ? "<div class=\"panel\"><table><thead><tr><th>Title</th><th>Slug</th><th>Status</th><th>Action</th></tr></thead><tbody>" + rows + "</tbody></table></div>"
+    : "<p class=\"empty\">No products yet — create your first one below.</p>";
+  var body =
+    "<section><h2>Products</h2>" + created + notice + table +
+      "<div class=\"panel\" style=\"margin-top:1.5rem; max-width:34rem;\">" +
+        "<h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">New product</h3>" +
+        "<form method=\"post\" action=\"/admin/products\">" +
+          _setupField("Title", "title", "", "text", "", " maxlength=\"200\" required") +
+          _setupField("Slug", "slug", "", "text", "Lowercase, hyphenated — the storefront URL.", " maxlength=\"200\" required") +
+          "<label class=\"form-field\"><span>Status</span><select name=\"status\"><option value=\"draft\">Draft</option><option value=\"active\">Active</option></select></label>" +
+          _setupField("Description", "description", "", "text", "", " maxlength=\"2000\"") +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Create product</button></div>" +
+        "</form>" +
+      "</div>" +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Products", body, "products");
 }
 module.exports = {
@@ -1475,4 +1588,5 @@ module.exports = {
   renderAdminLanding:      renderAdminLanding,
   renderAdminSetup:        renderAdminSetup,
   renderAdminIntegrations: renderAdminIntegrations,
+  renderAdminProducts:     renderAdminProducts,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {