@blamejs/blamejs-shop 0.3.71 → 0.3.73

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.3.x
 
+- v0.3.73 (2026-06-05) — **Unlock codes are manageable from the Discounts screen, and coupon guessing is rate-capped.** Code-unlocked discount rules shipped with an API-only gap: the Discounts console had no field for the unlock code, so creating a code-gated rule required a raw API call. The create and edit forms now carry an optional Unlock code input — clearing it on edit reverts the rule to purely automatic — and the rule list and detail show which rules are code-gated; the screen's description covers both kinds. The cart's code-apply endpoint joins the tight per-address rate budget that already guards gift-card balance lookups, capping coupon-namespace guessing at the same rate. Also fixed: a failed confirmation-resend in the browser console now lands in the error log with a clean notice instead of an unrecorded failure, and the signed-in cart page resolves the shopper's destination once instead of twice per view. **Fixed:** *Unlock codes editable in the Discounts console* — The create and edit forms gain an optional Unlock code field, threaded through the same validation as the API. On edit, submitting the field blank explicitly clears the code (the rule becomes purely automatic again), while the inline quick-edit leaves it untouched. The rule list and the detail view display each rule's code, escaped, so code-gated rules are visible at a glance, and the screen copy now describes both automatic and code-unlocked rules. · *Coupon-code guessing joins the tight rate budget* — POST /cart/coupon now sits in the per-address, per-path rate budget alongside gift-card balance lookups — both accept guessable secrets and answer uniformly, so both deserve the same throttle. The pinned integration test sprays the endpoint and asserts the cap engages. · *Failed confirmation resends are captured and surfaced* — A mailer fault during a browser-initiated confirmation resend previously escaped both the error log and the screen. It now records to the error log and redirects back to the order with an honest failure notice; the API path captures identically. The signed-in cart view also drops a duplicated destination lookup per render.
+
+- v0.3.72 (2026-06-05) — **Resend an order confirmation from the console, and export a segment's members as CSV.** Two operator actions land in the admin console. The order detail screen gains a Resend-confirmation action: buyer emails are stored only as one-way hashes, so the original address cannot be recovered — the operator types the recipient (from the customer's own request), and a fresh receipt rendered from the stored order is sent, rate-bounded to three per order per hour, with every send audited and the recipient kept out of the audit trail. The action appears only when a mailer is configured. Customer segments gain a members CSV export that streams id, display name, segment join date, and order count — deliberately no email column, since addresses are not stored in readable form; the file says so in a leading comment, cell values are quoted and spreadsheet-formula-neutralized, and the stream is written batch by batch so a large segment never buffers in memory. **Added:** *Resend order confirmation* — POST /admin/orders/:id/resend-confirmation sends a fresh receipt for the stored order to an operator-supplied address, since the buyer's email exists only as a hash and cannot be recovered — the recipient comes from the customer's own "I didn't get it" request. Rate-bounded to three sends per order per hour, audited without recording the recipient, gated on a configured mailer (the panel renders an honest disabled note otherwise), and validated for address shape. · *Segment members CSV export* — GET /admin/segments/:slug/members.csv streams a segment's members — customer id, display name, join date, order count — in keyset-paginated batches with RFC 4180 quoting and spreadsheet-formula-injection neutralization. There is no email column: addresses are stored hashed, and both the screen copy and a leading CSV comment state it. Unknown segments return 404 before any bytes stream; an archived segment yields a well-formed header-only file; each export is audited.
+
 - v0.3.71 (2026-06-05) — **Vendored blamejs framework refreshed from v0.14.19 to v0.14.21.** The storefront runs on a vendored copy of the blamejs framework; this refreshes it across two upstream patch releases. The most operator-relevant upstream changes for this shop: the OAuth client — which Sign in with Google and Apple compose — gains RFC 9396 Rich Authorization Request validation and attestation-based client authentication primitives, and refuses token grants an identity provider broadened beyond what was requested; HEAD requests now conform by carrying no response body; the sealed-field store gains an unseal rate cap; and a framework-wide sweep ensures every accepted option is actually read, surfacing configuration typos that were previously silent. The remaining upstream changes are in framework areas the storefront does not expose (SCIM bulk operations, OID4VCI credential proofs, DMARC forensic-report parsing). The storefront's own behavior is unchanged, verified by the full test suite — including the regression guards that pin the CSRF origin posture, the referrer policy, and the payment-processor TLS agent against vendor drift — and the vendored-tree integrity manifest was re-stamped as part of the refresh. **Changed:** *Updated the vendored framework to blamejs v0.14.21* — The vendored framework moves from v0.14.19 to v0.14.21 (two upstream patch releases of fixes and additive, opt-in changes). Notable for this shop: hardened OAuth client validation behind federated sign-in, HTTP HEAD conformance, a sealed-field unseal rate cap, and boot-time validation of previously-unread options. The integrity manifest over the vendored tree was re-stamped as part of the refresh.
 
 - v0.3.70 (2026-06-05) — **An Analytics screen in the admin console: funnel, search terms, and product views.** The admin console gains a read-only Analytics screen at /admin/analytics showing the pre-purchase signal the sales report cannot see: the browse-to-buy funnel (product views to cart adds to checkout starts to completed orders) with a conversion rate, top search terms, most-viewed products, top SKUs ranked by units sold, and a revenue-by-day sparkline. It complements rather than duplicates the existing Reports screen — revenue totals stay there, and the two screens link to each other. The same path answers a bearer-token request with JSON, and three JSON endpoints expose the funnel, search terms, and viewed products individually for tooling. Every aggregate is window-bounded (one year maximum, thirty-day default) and limit-bounded; the screen adds no write path anywhere. **Added:** *Read-only analytics dashboard* — The analytics primitive's aggregates are now wired into the console: a date-windowed view with the conversion funnel, top search terms, most-viewed products, units-ranked top SKUs, recent revenue trend, and cross-links with the Reports screen. The HTML view degrades a malformed date window to the default with a notice; the JSON surfaces reject it with a 400. Limits clamp to the primitive's own bounds, a refund-heavy window renders a signed negative total instead of failing, and every operator- or customer-derived string on the screen is escaped. The screen appears in the navigation only when the primitive is wired.

package/README.md

@@ -97,7 +97,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/giftcards.js`** | Prepaid bearer gift cards. `issue({ amount_minor, currency })` generates a 16-char code (32-glyph alphabet, no ambiguous letters) via `b.crypto.generateBytes`, stores only its `namespaceHash` digest + a 4-char hint, and returns the plaintext code once. `balance(code)` / `lookup(code)` resolve a code to its live balance (constant-time hash compare); `redeem({ code, order_id, amount_minor })` decrements the balance with an atomic `balance >= amount` SQL guard so concurrent spends can't overdraw. Redeemed at checkout as a credit against the order grand total: the amount due drops by the applied balance (never below zero), the order still records the full total it owed, and the debit is recorded once per order — a card that fully covers the order is marked paid with no Stripe charge. Customers check a balance at `GET /gift-cards`; the page is not a code-existence oracle (unknown / malformed / expired all return the same generic not-found). |
 | **`lib/gift-card-ledger.js`** | Append-only credit / debit / expire history per gift card, with a denormalized `balance_after_minor` snapshot for O(1) balance reads. `credit` / `debit` / `expire` write one row each; `history(id)` paginates a card's transactions; `transactionsForOrder(id)` lists a card's movements for one order. The audit trail behind the admin gift-card ledger console; overdraft is refused at the primitive layer. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |
 

package/lib/admin.js

@@ -524,6 +524,7 @@ function mount(router, deps) {
   var catalog       = deps.catalog;
   var order         = deps.order;
   var payment       = deps.payment       || null;   // refund endpoints disabled when absent
+  var mailer        = deps.mailer        || null;   // transactional email factory (lib/email.js) — resend-confirmation disabled when absent
   var _checkout     = deps.checkout      || null;   // reserved — future webhook handler wiring
   var r2            = deps.r2_bridge     || null;   // media-upload endpoint disabled when absent
   var assetPrefix   = typeof deps.asset_prefix === "string" ? deps.asset_prefix : "/assets/";
@@ -1781,6 +1782,14 @@ function mount(router, deps) {
         // wired (its route is mounted only then).
         can_receipt:      !!printReceipts,
         can_packing_slip: !!packingSlips,
+        // Resend the order-confirmation email. The route mounts only when a
+        // transactional mailer is wired; absent one the panel renders a
+        // disabled note (mailer-gated, like the document links). The buyer's
+        // plaintext address is never stored (the order keeps only the email
+        // hash), so the form takes an operator-supplied recipient.
+        can_resend_confirmation: !!mailer,
+        resent:      url && url.searchParams.get("resent"),
+        resend_error: url && url.searchParams.get("resend_err"),
         // Per-shipment carrier-label record form + split-shipment planner —
         // each renders only when its primitive is wired (routes mount only
         // then). Label carrier/package/broker enums drive the form selects.
@@ -2744,6 +2753,163 @@ function mount(router, deps) {
     },
   ));
 
+  // ---- resend order confirmation --------------------------------------
+  //
+  // Re-send the order-receipt email a customer asks for ("I never got my
+  // confirmation"). The original receipt is sent by the payment provider
+  // at confirm time (Stripe `receipt_email`) using the plaintext address
+  // the buyer typed — that address is NEVER persisted: the order row keeps
+  // only `customer_email_hash`, and the customers table keeps only
+  // `email_hash`. A one-way hash can't be reversed into a deliverable
+  // address, so this action can't recover the original recipient. It
+  // therefore takes the recipient the OPERATOR supplies (they have it from
+  // the support request) and sends a fresh receipt rendered from the stored
+  // order totals. The email-hashing stance is unchanged — we never
+  // reconstruct an address from a hash.
+  //
+  // Mounted only when a transactional mailer is wired (`deps.mailer`,
+  // lib/email.js). Absent one the detail panel shows a disabled note.
+  //
+  // Rate-bound per order via the audit chain itself — no new column. Before
+  // sending, we count this order's prior `order.receipt.resend` audit rows
+  // inside the trailing hour; past the cap the send is refused. The audit
+  // chain is append-only + tamper-evident, so the counter can't be quietly
+  // reset.
+  if (mailer && typeof mailer.orderReceipt === "function") {
+    var RESEND_WINDOW_MS  = b.constants.TIME.hours(1);
+    var RESEND_MAX_PER_HR = 3;
+    // Per-order sliding window of recent resend timestamps, scoped to this
+    // admin mount. A plain in-memory map keyed by order id — the rate bound
+    // is a soft abuse guard (stop an operator hammering "resend" at a
+    // customer's inbox), not a security control, so an in-process window is
+    // the right weight: no audit-chain read on the hot path, deterministic
+    // under burst, and a process restart simply clears the soft window
+    // (every resend is still durably recorded in the audit chain for
+    // forensics). Stale order entries are pruned lazily on each check so the
+    // map can't grow unbounded.
+    var _resendWindow = Object.create(null);
+
+    function _recentResendCount(orderId, nowTs) {
+      var cutoff = nowTs - RESEND_WINDOW_MS;
+      var arr = _resendWindow[orderId];
+      if (!arr) return 0;
+      var kept = [];
+      for (var i = 0; i < arr.length; i += 1) {
+        if (arr[i] > cutoff) kept.push(arr[i]);
+      }
+      if (kept.length) _resendWindow[orderId] = kept;
+      else delete _resendWindow[orderId];
+      return kept.length;
+    }
+
+    function _recordResendTimestamp(orderId, nowTs) {
+      var arr = _resendWindow[orderId] || (_resendWindow[orderId] = []);
+      arr.push(nowTs);
+    }
+
+    // Resolve the display name for the receipt greeting. A linked customer
+    // record carries a display_name; a guest order has none. The plaintext
+    // email is operator-supplied (never stored), so only the name is read
+    // from the order's customer link.
+    async function _receiptName(o) {
+      if (!o.customer_id || !customers) return "there";
+      try {
+        var c = await customers.get(o.customer_id);
+        return (c && c.display_name) || "there";
+      } catch (_e) { return "there"; }
+    }
+
+    // Send the receipt for an order to an operator-supplied address. Throws
+    // a TypeError on a bad address / rate-limit refusal so both the JSON and
+    // browser paths can map it to a clean 4xx / err redirect; any genuine
+    // mailer fault propagates.
+    async function _resendReceipt(o, toRaw) {
+      var to = typeof toRaw === "string" ? toRaw.trim() : "";
+      if (!to || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(to) || to.length > 254) {
+        var e = new TypeError("admin.order.resend: a valid recipient email is required");
+        e.code = "RESEND_BAD_EMAIL";
+        throw e;
+      }
+      var nowTs = Date.now();
+      var recent = _recentResendCount(o.id, nowTs);
+      if (recent >= RESEND_MAX_PER_HR) {
+        var rl = new TypeError("admin.order.resend: resend limit reached for this order — try again later");
+        rl.code = "RESEND_RATE_LIMITED";
+        throw rl;
+      }
+      // Reserve the slot BEFORE awaiting the mailer: concurrent resend
+      // POSTs for the same order would otherwise all read the same
+      // pre-send count and pass the limit together while the first send
+      // is still in flight. A mailer failure releases the reservation so
+      // a failed send doesn't consume the operator's budget.
+      _recordResendTimestamp(o.id, nowTs);
+      try {
+        var name = await _receiptName(o);
+        await mailer.orderReceipt({ order: o, customer: { email: to, name: name } });
+      } catch (sendErr) {
+        var arr = _resendWindow[o.id];
+        if (arr) {
+          var idx = arr.indexOf(nowTs);
+          if (idx !== -1) arr.splice(idx, 1);
+          if (!arr.length) delete _resendWindow[o.id];
+        }
+        throw sendErr;
+      }
+      return { to: to };
+    }
+
+    // The send is audited via the hot-path `safeEmit` (drop-silent, like
+    // every other admin mutation) — the recipient is operator-supplied PII
+    // and is deliberately kept OUT of the metadata; the row records only
+    // that a resend happened for this order id.
+    router.post("/admin/orders/:id/resend-confirmation", _pageOrApi(false,
+      W("order.receipt.resend", async function (req, res) {
+        var o = await order.get(req.params.id);
+        if (!o) return _problem(res, 404, "order-not-found");
+        var body = req.body || {};
+        try { await _resendReceipt(o, body.email || body.to); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var code = e.code === "RESEND_RATE_LIMITED" ? 429 : 400;
+            return _problem(res, code, e.code === "RESEND_RATE_LIMITED" ? "resend-rate-limited" : "bad-request", e.message);
+          }
+          throw e;
+        }
+        _json(res, 200, { id: o.id, resent: true });
+        return { id: o.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        var enc = encodeURIComponent(id);
+        var o;
+        try { o = await order.get(id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; o = null; }
+        if (!o) return _sendHtml(res, 404, renderAdminOrders({
+          shop_name: deps.shop_name, nav_available: navAvailable, orders: [], notice: "Order not found.",
+        }));
+        var body = req.body || {};
+        try { await _resendReceipt(o, body.email || body.to); }
+        catch (e) {
+          // Validation / rate-limit faults are TypeErrors → a contextual
+          // banner. A mailer fault (the send itself failing) is NOT a
+          // TypeError: route it through _safeNotice so it lands in the
+          // operator error log (the htmlHandler isn't wrapped by _wrap, so
+          // a re-throw here would bypass the capture the JSON path gets via
+          // the wrapper's catch), then redirect to a generic send-failed
+          // banner rather than 500-ing the page.
+          if (e instanceof TypeError) {
+            var reason = e.code === "RESEND_RATE_LIMITED" ? "rate" : "email";
+            return _redirect(res, "/admin/orders/" + enc + "?resend_err=" + reason);
+          }
+          _safeNotice(e, "order.receipt.resend");
+          return _redirect(res, "/admin/orders/" + enc + "?resend_err=send");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.receipt.resend", outcome: "success", metadata: { id: id } });
+        _redirect(res, "/admin/orders/" + enc + "?resent=1");
+      },
+    ));
+  }
+
   // ---- customers (read-only) ------------------------------------------
 
   // Operator-facing customer roster, newest first. READ-ONLY — no create /
@@ -9748,6 +9914,62 @@ function mount(router, deps) {
         _redirect(res, "/admin/segments?unarchived=1");
       },
     ));
+
+    // Members CSV export — stream a segment's members for a marketing
+    // handoff. The primitive yields a leading comment row + header, then
+    // one chunk per membership batch (keyset-paginated, bounded memory);
+    // the route writes each batch to the socket as it's produced, never
+    // buffering the whole body — the download-route discipline. The CSV
+    // carries NO email column (addresses are stored only as a one-way
+    // hash and are never reconstructed). Audited as an export event.
+    // Same response on the bearer + browser surfaces (a link, not a fetch).
+    async function _streamSegmentMembers(res, slug) {
+      var iter = customerSegments.membersCsvForSegment(slug);
+      res.status(200);
+      if (res.setHeader) {
+        res.setHeader("content-type", "text/csv; charset=utf-8");
+        var fname = ("segment-" + slug + "-members.csv").replace(/[^A-Za-z0-9._-]/g, "");
+        res.setHeader("content-disposition", "attachment; filename=\"" + fname + "\"");
+        res.setHeader("x-content-type-options", "nosniff");
+      }
+      // Write the header chunk first, then one chunk per batch. A response
+      // without an incremental write() (a JSON test stub) buffers instead.
+      if (typeof res.write === "function" && typeof res.end === "function") {
+        for await (var chunk of iter) { if (chunk) res.write(chunk); }
+        res.end();
+      } else {
+        var body = "";
+        for await (var c2 of iter) body += c2;
+        if (res.end) res.end(body); else res.send(body);
+      }
+    }
+
+    // Audit the export as a data-egress event before streaming. Hot-path
+    // `safeEmit` (drop-silent) like every other admin mutation — a recording
+    // hiccup must never block the operator's legitimate download.
+    function _auditExport(slug) {
+      b.audit.safeEmit({
+        action:   AUDIT_NAMESPACE + ".customer_segment.export",
+        outcome:  "success",
+        metadata: { slug: slug },
+      });
+    }
+
+    router.get("/admin/segments/:slug/members.csv", _pageOrApi(true,
+      R(async function (req, res) {
+        var seg = await _segmentBySlug(req.params.slug);
+        if (!seg) return _problem(res, 404, "customer-segment-not-found");
+        _auditExport(seg.slug);
+        return _streamSegmentMembers(res, seg.slug);
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var seg = await _segmentBySlug(req.params.slug);
+        if (!seg) return _sendHtml(res, 404, await _renderSegments({ url: url, notice: "Segment not found." }));
+        _auditExport(seg.slug);
+        return _streamSegmentMembers(res, seg.slug);
+      },
+    ));
   }
 
   // ---- quantity discounts ---------------------------------------------
@@ -10556,6 +10778,13 @@ function mount(router, deps) {
     if (body.priority != null && body.priority !== "") {
       input.priority = _strictMinorInt(body.priority, "autoDiscount", "priority");
     }
+    // Optional shopper-typed unlock code. A non-empty value makes the rule
+    // code-gated (dormant until presented at /cart/coupon); the lib
+    // validates the code shape and rejects a clash with another active
+    // rule's code. Blank leaves it a pure automatic.
+    if (typeof body.unlock_code === "string" && body.unlock_code.trim() !== "") {
+      input.unlock_code = body.unlock_code.trim();
+    }
     return input;
   }
 
@@ -10623,6 +10852,14 @@ function mount(router, deps) {
     if (body.active_present === "1") patch.active = (body.active === "on" || body.active === "1");
     if (body.trigger_kind != null && body.trigger_kind !== "") patch.trigger = _discountTrigger(body);
     if (body.value_kind   != null && body.value_kind   !== "") patch.value   = _discountValue(body);
+    // The edit form always renders the unlock-code field with a hidden
+    // `unlock_code_present` marker, so a blank submission is an explicit
+    // CLEAR (the lib maps "" → null, reverting the rule to a pure
+    // automatic) rather than an omission. The lib validates the shape and
+    // rejects a code already claimed by another active rule.
+    if (body.unlock_code_present === "1") {
+      patch.unlock_code = typeof body.unlock_code === "string" ? body.unlock_code.trim() : "";
+    }
     return patch;
   }
 
@@ -11948,6 +12185,14 @@ function renderAdminOrder(opts) {
   var shipOk = opts.ship_done ? "<div class=\"banner banner--ok\">Shipment updated.</div>" : "";
   var labelOk = opts.label_done ? "<div class=\"banner banner--ok\">Shipping label updated.</div>" : "";
   var splitOk = opts.split_done ? "<div class=\"banner banner--ok\">Split shipment updated.</div>" : "";
+  var resentOk = opts.resent ? "<div class=\"banner banner--ok\">Confirmation email resent.</div>" : "";
+  var resendErr = opts.resend_error === "rate"
+    ? "<div class=\"banner banner--err\">Resend limit reached for this order. Try again later.</div>"
+    : (opts.resend_error === "email"
+        ? "<div class=\"banner banner--err\">Enter a valid recipient email address to resend.</div>"
+        : (opts.resend_error === "send"
+            ? "<div class=\"banner banner--err\">The confirmation email couldn't be sent. The failure was logged — try again, or check the error log.</div>"
+            : ""));
   var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
 
   var lineRows = (o.lines || []).map(function (l) {
@@ -12019,6 +12264,28 @@ function renderAdminOrder(opts) {
       "</div>"
     : "";
 
+  // Resend confirmation panel. The buyer's plaintext address is never
+  // stored (the order keeps only the email hash), so the operator types
+  // the recipient — typically the address from the customer's "I didn't
+  // get my confirmation" request. Rendered only when a mailer is wired;
+  // absent one it's a disabled note (mailer-gated, like the print links).
+  var resendPanel;
+  if (opts.can_resend_confirmation) {
+    resendPanel =
+      "<div class=\"panel mt\"><h3 class=\"subhead\">Resend confirmation</h3>" +
+        "<p class=\"meta\">The original receipt was sent to the address the customer entered at checkout. That address isn't stored (only a one-way hash is), so enter where to send a fresh copy.</p>" +
+        "<form method=\"post\" action=\"/admin/orders/" + _htmlEscape(o.id) + "/resend-confirmation\">" +
+          _setupField("Recipient email", "email", "", "email", "Where to send the order receipt.", " maxlength=\"254\" required") +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Resend confirmation</button></div>" +
+        "</form>" +
+      "</div>";
+  } else {
+    resendPanel =
+      "<div class=\"panel mt\"><h3 class=\"subhead\">Resend confirmation</h3>" +
+        "<p class=\"empty\">Email isn't configured for this store, so confirmations can't be resent. Wire a transactional mailer to enable this.</p>" +
+      "</div>";
+  }
+
   // Shipment + tracking panel. Renders only when the tracking primitive is
   // wired (`can_track`). For each existing shipment: the carrier, status,
   // tracking number (linked to the carrier's public URL when known), and
@@ -12113,7 +12380,7 @@ function renderAdminOrder(opts) {
         "<span class=\"status-pill " + _htmlEscape(o.status) + "\">" + _htmlEscape(o.status) + "</span></h2>" +
       "<p class=\"meta\">Placed " + _htmlEscape(_fmtDate(o.created_at)) + " · last updated " + _htmlEscape(_fmtDate(o.updated_at)) +
         (o.payment_intent_id ? " · payment <code class=\"order-id\">" + _htmlEscape(o.payment_intent_id) + "</code>" : "") + "</p>" +
-      moved + shipOk + labelOk + splitOk + notice +
+      moved + shipOk + labelOk + splitOk + resentOk + resendErr + notice +
       "<div class=\"two-col\">" +
         "<div class=\"panel\"><h3 class=\"subhead\">Items</h3>" + linesTable + "</div>" +
         "<div class=\"panel\"><h3 class=\"subhead\">Ship to</h3>" +
@@ -12125,6 +12392,7 @@ function renderAdminOrder(opts) {
         "<div class=\"order-actions\">" + actions + "</div>" +
       "</div>" +
       documentsPanel +
+      resendPanel +
       splitPanel +
       trackingPanel +
     "</section>";
@@ -14836,6 +15104,8 @@ function renderAdminDiscount(opts) {
           _setupField("· BOGO buy qty", "value_buy_qty", v.kind === "bogo" && v.buy_qty != null ? String(v.buy_qty) : "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
           _setupField("· BOGO get qty", "value_get_qty", v.kind === "bogo" && v.get_qty != null ? String(v.get_qty) : "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
           _setupField("Priority", "priority", String(r.priority), "number", "Higher wins ties.", " min=\"0\"") +
+          "<input type=\"hidden\" name=\"unlock_code_present\" value=\"1\">" +
+          _setupField("Unlock code (optional)", "unlock_code", r.unlock_code || "", "text", "Code that gates this rule — shoppers type it at the cart to unlock it. Clear the field to make the rule a pure automatic again. Letters, digits, . _ - only.", " maxlength=\"64\"") +
           "<label class=\"kv\"><input type=\"checkbox\" name=\"active\"" + (r.active ? " checked" : "") + "> Active</label>" +
           "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Save changes</button></div>" +
         "</form>" +
@@ -14846,6 +15116,7 @@ function renderAdminDiscount(opts) {
       "<div><dt>Rule</dt><dd><strong>" + _htmlEscape(r.title) + "</strong><br><code class=\"order-id\">" + _htmlEscape(r.slug) + "</code></dd></div>" +
       "<div><dt>Trigger</dt><dd>" + _htmlEscape(_fmtTrigger(r.trigger)) + "</dd></div>" +
       "<div><dt>Value</dt><dd>" + _htmlEscape(_fmtValue(r.value)) + "</dd></div>" +
+      "<div><dt>Unlock code</dt><dd>" + (r.unlock_code ? "<code class=\"order-id\">" + _htmlEscape(r.unlock_code) + "</code> <span class=\"meta\">(shopper types this at the cart)</span>" : "<span class=\"meta\">none — pure automatic</span>") + "</dd></div>" +
       "<div><dt>Priority</dt><dd>" + _htmlEscape(String(r.priority)) + "</dd></div>" +
       "<div><dt>Status</dt><dd><span class=\"status-pill " + (isArchived ? "cancelled" : (r.active ? "paid" : "pending")) + "\">" + (isArchived ? "archived" : (r.active ? "active" : "paused")) + "</span></dd></div>" +
     "</dl></div>" +
@@ -14880,8 +15151,15 @@ function renderAdminDiscounts(opts) {
       "<a class=\"btn btn--ghost\" href=\"/admin/discounts/" + _htmlEscape(encodeURIComponent(r.slug)) + "\">Edit terms</a> " +
       "<form method=\"post\" action=\"/admin/discounts/" + _htmlEscape(encodeURIComponent(r.slug)) + "/archive\" class=\"form-inline\">" +
         "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form>";
+    // A code-gated rule is dormant until a shopper types its unlock code at
+    // the cart; surface the code so an operator can see at a glance which
+    // rules are gated vs pure-automatic. The code is operator-authored free
+    // text → escaped at the sink.
+    var gate = r.unlock_code
+      ? "<br><span class=\"meta\">code: <code class=\"order-id\">" + _htmlEscape(r.unlock_code) + "</code></span>"
+      : "";
     return "<tr>" +
-      "<td><strong>" + _htmlEscape(r.title) + "</strong><br><code class=\"order-id\">" + _htmlEscape(r.slug) + "</code></td>" +
+      "<td><strong>" + _htmlEscape(r.title) + "</strong><br><code class=\"order-id\">" + _htmlEscape(r.slug) + "</code>" + gate + "</td>" +
       "<td>" + _htmlEscape(_fmtTrigger(r.trigger)) + "</td>" +
       "<td>" + _htmlEscape(_fmtValue(r.value)) + "</td>" +
       "<td class=\"num\">" + _htmlEscape(String(r.priority)) + "</td>" +
@@ -14927,6 +15205,7 @@ function renderAdminDiscounts(opts) {
         _setupField("· BOGO buy qty", "value_buy_qty", "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
         _setupField("· BOGO get qty", "value_get_qty", "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
         _setupField("Priority", "priority", "", "number", "Higher wins ties. Default 0.", " min=\"0\"") +
+        _setupField("Unlock code (optional)", "unlock_code", "", "text", "Leave blank for a pure automatic. Set a code to gate the rule — it stays dormant until a shopper types this code at the cart. Letters, digits, . _ - only.", " maxlength=\"64\"") +
         "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add rule</button></div>" +
       "</form>" +
     "</div>";
@@ -14974,7 +15253,7 @@ function renderAdminDiscounts(opts) {
   }
 
   var body = "<section><h2>Discounts</h2>" + created + updated + archived + notice +
-    "<p class=\"meta\">Automatic cart-level discounts — applied without a coupon code.</p>" +
+    "<p class=\"meta\">Cart-level discount rules. By default a rule applies automatically when the cart matches its trigger; set an unlock code on a rule to keep it dormant until a shopper types that code at the cart.</p>" +
     ruleTable + createForm + policySection + "</section>";
   return _renderAdminShell(opts.shop_name, "Discounts", body, "discounts", opts.nav_available);
 }
@@ -15047,6 +15326,7 @@ function renderAdminSegments(opts) {
             "<button class=\"btn btn--ghost\" type=\"submit\">Unarchive</button></form>"
         : "<form method=\"post\" action=\"/admin/segments/" + _htmlEscape(enc) + "/recompute\" class=\"form-inline\">" +
             "<button class=\"btn btn--ghost\" type=\"submit\">Recompute</button></form> " +
+          "<a class=\"btn btn--ghost\" href=\"/admin/segments/" + _htmlEscape(enc) + "/members.csv\">Export CSV</a> " +
           "<form method=\"post\" action=\"/admin/segments/" + _htmlEscape(enc) + "/archive\" class=\"form-inline\">" +
             "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form>");
     return "<tr>" +
@@ -15134,6 +15414,15 @@ function renderAdminSegment(opts) {
       "<button class=\"btn\" type=\"submit\">Recompute membership</button>" +
     "</form>";
 
+  // Members CSV export — for a marketing handoff. Active segments only
+  // (an archived segment's membership cache is cleared by contract). The
+  // export carries no email addresses (stored as a one-way hash); the
+  // note states this so the operator knows why.
+  var exportLink = isArchived ? "" :
+    "<a class=\"btn btn--ghost\" href=\"/admin/segments/" + _htmlEscape(enc) + "/members.csv\">Export members (CSV)</a>";
+  var exportNote = isArchived ? "" :
+    "<p class=\"meta\">The members CSV lists customer id, display name, join date, and order count — no email addresses (they're stored only as a one-way hash and aren't reconstructed). Recompute first if the membership looks stale.</p>";
+
   var editForm = isArchived
     ? "<p class=\"empty\">This segment is archived. Unarchive it to edit or recompute.</p>" +
         "<form method=\"post\" action=\"/admin/segments/" + _htmlEscape(enc) + "/unarchive\" class=\"form-inline\">" +
@@ -15158,7 +15447,8 @@ function renderAdminSegment(opts) {
 
   var body = "<section><h2>" + _htmlEscape(s.title) + "</h2>" + updated + recomputed + notice +
     head + statCards +
-    "<div class=\"actions-row mt\">" + recomputeForm + archiveForm + "</div>" +
+    "<div class=\"actions-row mt\">" + recomputeForm + exportLink + archiveForm + "</div>" +
+    exportNote +
     editForm +
     "<div class=\"actions-row mt\"><a class=\"btn btn--ghost\" href=\"/admin/segments\">Back to segments</a></div>" +
   "</section>";

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.3.71",
+  "version": "0.3.73",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",

package/lib/customer-segments.js

@@ -113,6 +113,21 @@ var C = b.constants;
 
 var DEFAULT_LIMIT = 100;
 var MAX_LIMIT     = 1000;
+var EXPORT_BATCH_SIZE = 500;
+
+// CSV column shape for a segment-members export. NO email column —
+// customer email is stored only as a one-way hash, so a marketing
+// export reconstructs no addresses; the operator gets a stable
+// customer id, the display name, the join date (when the customer
+// landed in the segment), and the lifetime order count. The screen
+// copy + the leading comment row state this so the operator knows why
+// the address is absent.
+var MEMBER_EXPORT_COLUMNS = Object.freeze([
+  "customer_id",
+  "display_name",
+  "joined_segment_at",
+  "order_count",
+]);
 var SLUG_RE       = /^[a-z0-9](?:[a-z0-9_-]{0,62}[a-z0-9])?$/;
 var MAX_TITLE_LEN = 200;
 var MAX_DESC_LEN  = 1000;
@@ -314,6 +329,42 @@ function _limit(n, label) {
 
 function _now() { return Date.now(); }
 
+// ---- CSV helpers (members export) ---------------------------------------
+//
+// Same RFC-4180 quoting + spreadsheet-formula-injection neutralization
+// the order-export primitive uses: every cell is quoted, embedded `"`
+// doubled, and any cell beginning with `=` / `+` / `-` / `@` is prefixed
+// with `'` so a spreadsheet treats it as text (a customer-controlled
+// display_name is the injection vector). Signed numerics pass through.
+
+function _coerceCell(value) {
+  if (value == null) return "";
+  if (typeof value === "string") return value;
+  if (typeof value === "number" || typeof value === "boolean") return String(value);
+  return JSON.stringify(value);
+}
+
+var _NUMERIC_SIGN_RE = /^[+-](?:\d+(?:\.\d+)?|\.\d+)$/;
+
+function _neutralizeInjection(s) {
+  if (s.length === 0) return s;
+  var first = s.charAt(0);
+  if (first !== "=" && first !== "+" && first !== "-" && first !== "@") return s;
+  if ((first === "+" || first === "-") && _NUMERIC_SIGN_RE.test(s)) return s;
+  return "'" + s;
+}
+
+function _csvCell(value) {
+  var s = _neutralizeInjection(_coerceCell(value));
+  return '"' + s.replace(/"/g, '""') + '"';
+}
+
+function _csvRow(cells) {
+  var parts = [];
+  for (var i = 0; i < cells.length; i += 1) parts.push(_csvCell(cells[i]));
+  return parts.join(",") + "\r\n";
+}
+
 // ---- factory ------------------------------------------------------------
 
 function create(opts) {
@@ -615,6 +666,100 @@ function create(opts) {
       return { customer_ids: ids, next_cursor: nextCursor };
     },
 
+    MEMBER_EXPORT_COLUMNS: MEMBER_EXPORT_COLUMNS.slice(),
+
+    // Streaming CSV of a segment's members for a marketing handoff.
+    // Async-iterable: yields a leading comment row + the header on the
+    // first iteration, then one chunk per membership batch. Keyset-
+    // paginated on customer_id ASC (the membership PK order) so the
+    // process holds at most one batch in memory regardless of segment
+    // size — mirrors the order-export streaming discipline.
+    //
+    // Columns: customer_id, display_name, joined_segment_at (the
+    // recompute timestamp that placed the customer in the segment),
+    // order_count (lifetime non-cancelled orders). There is NO email
+    // column — the address is stored only as a one-way hash and is never
+    // reconstructed; the leading comment row states this so the operator
+    // understands the omission.
+    //
+    // An unknown / archived slug yields an iterator whose first `next()`
+    // throws a TypeError, so the HTTP layer can map it to a clean 404
+    // without a partial stream.
+    membersCsvForSegment: function (slug, csvOpts) {
+      _slug(slug);
+      csvOpts = csvOpts || {};
+      var batch = EXPORT_BATCH_SIZE;
+      var cursorVal = null;
+      var done = false;
+      var preludeEmitted = false;
+      var seg = null;
+
+      async function _resolveSegment() {
+        if (seg) return seg;
+        var row = await _readSegment(slug);
+        if (!row) {
+          throw new TypeError("customer-segments.membersCsvForSegment: unknown slug " + JSON.stringify(slug));
+        }
+        seg = row;
+        return seg;
+      }
+
+      return {
+        [Symbol.asyncIterator]: function () { return this; },
+        next: async function () {
+          if (done) return { value: undefined, done: true };
+          var s = await _resolveSegment();
+          if (!preludeEmitted) {
+            preludeEmitted = true;
+            // Leading comment row — RFC-4180-quoted so spreadsheets keep it
+            // intact; states why no email column exists. Then the header.
+            var prelude =
+              _csvRow(["# Segment members export — email addresses are omitted (stored as a one-way hash, never reconstructed)."]) +
+              _csvRow(MEMBER_EXPORT_COLUMNS);
+            // An archived segment has an empty cache by contract — the
+            // header still emits so the consumer gets a well-formed
+            // (empty) file rather than a 404 mid-stream.
+            return { value: prelude, done: false };
+          }
+          var sql, params;
+          if (cursorVal != null) {
+            sql = "SELECT csm.customer_id AS customer_id, csm.evaluated_at AS joined_segment_at, " +
+                  "  c.display_name AS display_name, " +
+                  "  (SELECT COUNT(*) FROM orders o WHERE o.customer_id = csm.customer_id AND o.status != 'cancelled') AS order_count " +
+                  "FROM customer_segment_membership csm " +
+                  "LEFT JOIN customers c ON c.id = csm.customer_id " +
+                  "WHERE csm.segment_id = ?1 AND csm.customer_id > ?2 " +
+                  "ORDER BY csm.customer_id ASC LIMIT ?3";
+            params = [s.id, cursorVal, batch];
+          } else {
+            sql = "SELECT csm.customer_id AS customer_id, csm.evaluated_at AS joined_segment_at, " +
+                  "  c.display_name AS display_name, " +
+                  "  (SELECT COUNT(*) FROM orders o WHERE o.customer_id = csm.customer_id AND o.status != 'cancelled') AS order_count " +
+                  "FROM customer_segment_membership csm " +
+                  "LEFT JOIN customers c ON c.id = csm.customer_id " +
+                  "WHERE csm.segment_id = ?1 " +
+                  "ORDER BY csm.customer_id ASC LIMIT ?2";
+            params = [s.id, batch];
+          }
+          var rows = (await query(sql, params)).rows;
+          if (rows.length === 0) { done = true; return { value: undefined, done: true }; }
+          var out = "";
+          for (var i = 0; i < rows.length; i += 1) {
+            var r = rows[i];
+            out += _csvRow([
+              r.customer_id,
+              r.display_name == null ? "" : r.display_name,
+              r.joined_segment_at == null ? "" : r.joined_segment_at,
+              r.order_count == null ? 0 : r.order_count,
+            ]);
+          }
+          cursorVal = rows[rows.length - 1].customer_id;
+          if (rows.length < batch) done = true;
+          return { value: out, done: false };
+        },
+      };
+    },
+
     recompute: async function (recomputeOpts) {
       recomputeOpts = recomputeOpts || {};
       var slugFilter = null;
@@ -811,4 +956,9 @@ module.exports = {
   ALLOWED_ORDER_STATUSES: ALLOWED_ORDER_STATUSES,
   DEFAULT_LIMIT:          DEFAULT_LIMIT,
   MAX_LIMIT:              MAX_LIMIT,
+  MEMBER_EXPORT_COLUMNS:  MEMBER_EXPORT_COLUMNS,
+  // Exposed for the test suite to assert CSV cell semantics without a
+  // full DB round-trip.
+  _csvCell:               _csvCell,
+  _neutralizeInjection:   _neutralizeInjection,
 };

package/lib/security-middleware.js

@@ -90,6 +90,14 @@ var HEALTH_PATH = "/_/health";
 //                                request-supplied address — without the tight
 //                                budget it is a victim-addressed mail cannon on
 //                                the loose global bucket alone.
+//   /cart/coupon              -> apply + remove a typed discount code. POST /cart/coupon
+//                                validates the code against the discount engine; on a
+//                                miss it returns a UNIFORM error (no existence oracle),
+//                                which makes the loose global bucket alone a code-guessing
+//                                engine — a sprayer can grind the coupon namespace for a
+//                                live code. The tight per-(IP+path) budget caps the
+//                                guess rate (same guessable-secret rationale as the
+//                                /gift-cards/balance lookup). Container-only.
 var TIGHT_PREFIXES = [
   "/account/login",
   "/account/register",
@@ -102,6 +110,7 @@ var TIGHT_PREFIXES = [
   "/survey/",
   "/orders/",
   "/stock-alert/",
+  "/cart/coupon",
 ];
 
 // Edge-served state-changing POST endpoints. These forms are rendered at

package/lib/storefront.js

@@ -11306,7 +11306,12 @@ function mount(router, deps) {
       // address with no usable postal falls through to null here.
       var coAuth = _currentCustomerEnv(req);
       if (!coAuth) return null;
-      var dest = await _estimateDestination(req);
+      // Reuse a destination the caller already resolved (the cart GET
+      // resolves it once and threads it into both this and
+      // _estimateCartTotals) so a signed-in cart render doesn't run the
+      // address lookup twice. Falls back to resolving it here for callers
+      // that don't pass one (the PDP).
+      var dest = opts.dest || await _estimateDestination(req);
       if (!dest || !dest.from_saved || !dest.ship_to || !dest.ship_to.postal) return null;
       // Operator-configured origin — the primitive won't guess one. Resolved
       // at boot into `deps.delivery_estimate_origin` (a plain slug string) from
@@ -11395,9 +11400,13 @@ function mount(router, deps) {
       destination:       null,
     };
     if (!deps.checkout || typeof deps.checkout.quote !== "function") return result;
+    // `opts.ship_to` (a shopper-confirmed address from the checkout POST) wins;
+    // else reuse a destination the caller already resolved (`opts.dest`, so a
+    // signed-in cart render doesn't run the address lookup twice — once here
+    // and once in _resolveDeliveryEstimate); else resolve it now.
     var dest = opts.ship_to
       ? { ship_to: opts.ship_to, from_saved: false }
-      : await _estimateDestination(req);
+      : (opts.dest || await _estimateDestination(req));
     result.destination = dest;
     try {
       // quote() without a selected_shipping_id returns the tax row + ALL
@@ -12288,12 +12297,17 @@ function mount(router, deps) {
       catch (_e) { appliedCodes = []; }
     }
     var appliedCodeStrings = appliedCodes.map(function (r) { return r.code; });
+    // Resolve the estimate destination ONCE for the render: both the totals
+    // estimate and the "Get it by <date>" delivery estimate need it, and the
+    // lookup (a saved-address read for a signed-in customer) is otherwise run
+    // twice per cart GET. Thread the single result into both.
+    var estimateDest = await _estimateDestination(req);
     // Real total before pay: compose the same tax + shipping primitives the
     // charge runs through (estimated against the shopper's saved/default
     // destination until they confirm an address at checkout). Falls back to
     // a subtotal-only breakdown — with tax/shipping labelled "calculated at
     // checkout" — when checkout isn't wired or no zone matches.
-    var totalsDetail = await _estimateCartTotals(req, c, lines, { codes: appliedCodeStrings });
+    var totalsDetail = await _estimateCartTotals(req, c, lines, { codes: appliedCodeStrings, dest: estimateDest });
     var totals = totalsDetail.totals;
     // Truthful per-line stock state (out / low / ok) so the cart never
     // implies a sold-out line is buyable.
@@ -12340,7 +12354,7 @@ function mount(router, deps) {
     // cart estimate is the destination window, not a per-parcel weight quote);
     // the primitive falls back to its weight-agnostic transit rows. Drop-
     // silent → null, and the summary renders no estimate.
-    var cartEstimate = await _resolveDeliveryEstimate(req, {});
+    var cartEstimate = await _resolveDeliveryEstimate(req, { dest: estimateDest });
     _send(res, 200, renderCart(Object.assign({
       lines:           lines,
       totals:          totals,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.3.71",
+  "version": "0.3.73",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {