@blamejs/blamejs-shop 0.3.72 → 0.3.74

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.3.x
 
+- v0.3.74 (2026-06-05) — **The payment form matches the shop's dark theme.** The Stripe Payment Element and the express wallet buttons on the pay page previously rendered in Stripe's default light style — a white card floating on the shop's near-black page. The elements now use Stripe's night appearance recolored with the shop's own design tokens: violet accent on focus and selected tabs, the shop's charcoal input surfaces, soft ink text, and matching corner radii. The Apple Pay, Google Pay, and PayPal express buttons switch to their white and outline variants, which keep each brand's contrast rules legible on the dark card. No payment behavior changes; this is purely the appearance configuration on the existing elements. **Changed:** *Dark-themed payment elements* — The pay page's Stripe elements adopt the night appearance with the shop's design tokens — violet primary, charcoal surfaces, soft ink, ten-pixel radii, violet focus rings — and the express wallet buttons render in their white and outline variants sized to the page's controls. Inside Stripe's cross-origin frame the typeface falls back to the system stack; everything else mirrors the storefront's stylesheet tokens.
+
+- v0.3.73 (2026-06-05) — **Unlock codes are manageable from the Discounts screen, and coupon guessing is rate-capped.** Code-unlocked discount rules shipped with an API-only gap: the Discounts console had no field for the unlock code, so creating a code-gated rule required a raw API call. The create and edit forms now carry an optional Unlock code input — clearing it on edit reverts the rule to purely automatic — and the rule list and detail show which rules are code-gated; the screen's description covers both kinds. The cart's code-apply endpoint joins the tight per-address rate budget that already guards gift-card balance lookups, capping coupon-namespace guessing at the same rate. Also fixed: a failed confirmation-resend in the browser console now lands in the error log with a clean notice instead of an unrecorded failure, and the signed-in cart page resolves the shopper's destination once instead of twice per view. **Fixed:** *Unlock codes editable in the Discounts console* — The create and edit forms gain an optional Unlock code field, threaded through the same validation as the API. On edit, submitting the field blank explicitly clears the code (the rule becomes purely automatic again), while the inline quick-edit leaves it untouched. The rule list and the detail view display each rule's code, escaped, so code-gated rules are visible at a glance, and the screen copy now describes both automatic and code-unlocked rules. · *Coupon-code guessing joins the tight rate budget* — POST /cart/coupon now sits in the per-address, per-path rate budget alongside gift-card balance lookups — both accept guessable secrets and answer uniformly, so both deserve the same throttle. The pinned integration test sprays the endpoint and asserts the cap engages. · *Failed confirmation resends are captured and surfaced* — A mailer fault during a browser-initiated confirmation resend previously escaped both the error log and the screen. It now records to the error log and redirects back to the order with an honest failure notice; the API path captures identically. The signed-in cart view also drops a duplicated destination lookup per render.
+
 - v0.3.72 (2026-06-05) — **Resend an order confirmation from the console, and export a segment's members as CSV.** Two operator actions land in the admin console. The order detail screen gains a Resend-confirmation action: buyer emails are stored only as one-way hashes, so the original address cannot be recovered — the operator types the recipient (from the customer's own request), and a fresh receipt rendered from the stored order is sent, rate-bounded to three per order per hour, with every send audited and the recipient kept out of the audit trail. The action appears only when a mailer is configured. Customer segments gain a members CSV export that streams id, display name, segment join date, and order count — deliberately no email column, since addresses are not stored in readable form; the file says so in a leading comment, cell values are quoted and spreadsheet-formula-neutralized, and the stream is written batch by batch so a large segment never buffers in memory. **Added:** *Resend order confirmation* — POST /admin/orders/:id/resend-confirmation sends a fresh receipt for the stored order to an operator-supplied address, since the buyer's email exists only as a hash and cannot be recovered — the recipient comes from the customer's own "I didn't get it" request. Rate-bounded to three sends per order per hour, audited without recording the recipient, gated on a configured mailer (the panel renders an honest disabled note otherwise), and validated for address shape. · *Segment members CSV export* — GET /admin/segments/:slug/members.csv streams a segment's members — customer id, display name, join date, order count — in keyset-paginated batches with RFC 4180 quoting and spreadsheet-formula-injection neutralization. There is no email column: addresses are stored hashed, and both the screen copy and a leading CSV comment state it. Unknown segments return 404 before any bytes stream; an archived segment yields a well-formed header-only file; each export is audited.
 
 - v0.3.71 (2026-06-05) — **Vendored blamejs framework refreshed from v0.14.19 to v0.14.21.** The storefront runs on a vendored copy of the blamejs framework; this refreshes it across two upstream patch releases. The most operator-relevant upstream changes for this shop: the OAuth client — which Sign in with Google and Apple compose — gains RFC 9396 Rich Authorization Request validation and attestation-based client authentication primitives, and refuses token grants an identity provider broadened beyond what was requested; HEAD requests now conform by carrying no response body; the sealed-field store gains an unseal rate cap; and a framework-wide sweep ensures every accepted option is actually read, surfacing configuration typos that were previously silent. The remaining upstream changes are in framework areas the storefront does not expose (SCIM bulk operations, OID4VCI credential proofs, DMARC forensic-report parsing). The storefront's own behavior is unchanged, verified by the full test suite — including the regression guards that pin the CSRF origin posture, the referrer policy, and the payment-processor TLS agent against vendor drift — and the vendored-tree integrity manifest was re-stamped as part of the refresh. **Changed:** *Updated the vendored framework to blamejs v0.14.21* — The vendored framework moves from v0.14.19 to v0.14.21 (two upstream patch releases of fixes and additive, opt-in changes). Notable for this shop: hardened OAuth client validation behind federated sign-in, HTTP HEAD conformance, a sealed-field unseal rate cap, and boot-time validation of previously-unread options. The integrity manifest over the vendored tree was re-stamped as part of the refresh.

package/lib/admin.js

@@ -2890,9 +2890,19 @@ function mount(router, deps) {
         var body = req.body || {};
         try { await _resendReceipt(o, body.email || body.to); }
         catch (e) {
-          if (!(e instanceof TypeError)) throw e;
-          var reason = e.code === "RESEND_RATE_LIMITED" ? "rate" : "email";
-          return _redirect(res, "/admin/orders/" + enc + "?resend_err=" + reason);
+          // Validation / rate-limit faults are TypeErrors → a contextual
+          // banner. A mailer fault (the send itself failing) is NOT a
+          // TypeError: route it through _safeNotice so it lands in the
+          // operator error log (the htmlHandler isn't wrapped by _wrap, so
+          // a re-throw here would bypass the capture the JSON path gets via
+          // the wrapper's catch), then redirect to a generic send-failed
+          // banner rather than 500-ing the page.
+          if (e instanceof TypeError) {
+            var reason = e.code === "RESEND_RATE_LIMITED" ? "rate" : "email";
+            return _redirect(res, "/admin/orders/" + enc + "?resend_err=" + reason);
+          }
+          _safeNotice(e, "order.receipt.resend");
+          return _redirect(res, "/admin/orders/" + enc + "?resend_err=send");
         }
         b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.receipt.resend", outcome: "success", metadata: { id: id } });
         _redirect(res, "/admin/orders/" + enc + "?resent=1");
@@ -10768,6 +10778,13 @@ function mount(router, deps) {
     if (body.priority != null && body.priority !== "") {
       input.priority = _strictMinorInt(body.priority, "autoDiscount", "priority");
     }
+    // Optional shopper-typed unlock code. A non-empty value makes the rule
+    // code-gated (dormant until presented at /cart/coupon); the lib
+    // validates the code shape and rejects a clash with another active
+    // rule's code. Blank leaves it a pure automatic.
+    if (typeof body.unlock_code === "string" && body.unlock_code.trim() !== "") {
+      input.unlock_code = body.unlock_code.trim();
+    }
     return input;
   }
 
@@ -10835,6 +10852,14 @@ function mount(router, deps) {
     if (body.active_present === "1") patch.active = (body.active === "on" || body.active === "1");
     if (body.trigger_kind != null && body.trigger_kind !== "") patch.trigger = _discountTrigger(body);
     if (body.value_kind   != null && body.value_kind   !== "") patch.value   = _discountValue(body);
+    // The edit form always renders the unlock-code field with a hidden
+    // `unlock_code_present` marker, so a blank submission is an explicit
+    // CLEAR (the lib maps "" → null, reverting the rule to a pure
+    // automatic) rather than an omission. The lib validates the shape and
+    // rejects a code already claimed by another active rule.
+    if (body.unlock_code_present === "1") {
+      patch.unlock_code = typeof body.unlock_code === "string" ? body.unlock_code.trim() : "";
+    }
     return patch;
   }
 
@@ -12165,7 +12190,9 @@ function renderAdminOrder(opts) {
     ? "<div class=\"banner banner--err\">Resend limit reached for this order. Try again later.</div>"
     : (opts.resend_error === "email"
         ? "<div class=\"banner banner--err\">Enter a valid recipient email address to resend.</div>"
-        : "");
+        : (opts.resend_error === "send"
+            ? "<div class=\"banner banner--err\">The confirmation email couldn't be sent. The failure was logged — try again, or check the error log.</div>"
+            : ""));
   var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
 
   var lineRows = (o.lines || []).map(function (l) {
@@ -15077,6 +15104,8 @@ function renderAdminDiscount(opts) {
           _setupField("· BOGO buy qty", "value_buy_qty", v.kind === "bogo" && v.buy_qty != null ? String(v.buy_qty) : "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
           _setupField("· BOGO get qty", "value_get_qty", v.kind === "bogo" && v.get_qty != null ? String(v.get_qty) : "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
           _setupField("Priority", "priority", String(r.priority), "number", "Higher wins ties.", " min=\"0\"") +
+          "<input type=\"hidden\" name=\"unlock_code_present\" value=\"1\">" +
+          _setupField("Unlock code (optional)", "unlock_code", r.unlock_code || "", "text", "Code that gates this rule — shoppers type it at the cart to unlock it. Clear the field to make the rule a pure automatic again. Letters, digits, . _ - only.", " maxlength=\"64\"") +
           "<label class=\"kv\"><input type=\"checkbox\" name=\"active\"" + (r.active ? " checked" : "") + "> Active</label>" +
           "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Save changes</button></div>" +
         "</form>" +
@@ -15087,6 +15116,7 @@ function renderAdminDiscount(opts) {
       "<div><dt>Rule</dt><dd><strong>" + _htmlEscape(r.title) + "</strong><br><code class=\"order-id\">" + _htmlEscape(r.slug) + "</code></dd></div>" +
       "<div><dt>Trigger</dt><dd>" + _htmlEscape(_fmtTrigger(r.trigger)) + "</dd></div>" +
       "<div><dt>Value</dt><dd>" + _htmlEscape(_fmtValue(r.value)) + "</dd></div>" +
+      "<div><dt>Unlock code</dt><dd>" + (r.unlock_code ? "<code class=\"order-id\">" + _htmlEscape(r.unlock_code) + "</code> <span class=\"meta\">(shopper types this at the cart)</span>" : "<span class=\"meta\">none — pure automatic</span>") + "</dd></div>" +
       "<div><dt>Priority</dt><dd>" + _htmlEscape(String(r.priority)) + "</dd></div>" +
       "<div><dt>Status</dt><dd><span class=\"status-pill " + (isArchived ? "cancelled" : (r.active ? "paid" : "pending")) + "\">" + (isArchived ? "archived" : (r.active ? "active" : "paused")) + "</span></dd></div>" +
     "</dl></div>" +
@@ -15121,8 +15151,15 @@ function renderAdminDiscounts(opts) {
       "<a class=\"btn btn--ghost\" href=\"/admin/discounts/" + _htmlEscape(encodeURIComponent(r.slug)) + "\">Edit terms</a> " +
       "<form method=\"post\" action=\"/admin/discounts/" + _htmlEscape(encodeURIComponent(r.slug)) + "/archive\" class=\"form-inline\">" +
         "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form>";
+    // A code-gated rule is dormant until a shopper types its unlock code at
+    // the cart; surface the code so an operator can see at a glance which
+    // rules are gated vs pure-automatic. The code is operator-authored free
+    // text → escaped at the sink.
+    var gate = r.unlock_code
+      ? "<br><span class=\"meta\">code: <code class=\"order-id\">" + _htmlEscape(r.unlock_code) + "</code></span>"
+      : "";
     return "<tr>" +
-      "<td><strong>" + _htmlEscape(r.title) + "</strong><br><code class=\"order-id\">" + _htmlEscape(r.slug) + "</code></td>" +
+      "<td><strong>" + _htmlEscape(r.title) + "</strong><br><code class=\"order-id\">" + _htmlEscape(r.slug) + "</code>" + gate + "</td>" +
       "<td>" + _htmlEscape(_fmtTrigger(r.trigger)) + "</td>" +
       "<td>" + _htmlEscape(_fmtValue(r.value)) + "</td>" +
       "<td class=\"num\">" + _htmlEscape(String(r.priority)) + "</td>" +
@@ -15168,6 +15205,7 @@ function renderAdminDiscounts(opts) {
         _setupField("· BOGO buy qty", "value_buy_qty", "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
         _setupField("· BOGO get qty", "value_get_qty", "", "number", "For \"Buy X get Y\".", " min=\"1\"") +
         _setupField("Priority", "priority", "", "number", "Higher wins ties. Default 0.", " min=\"0\"") +
+        _setupField("Unlock code (optional)", "unlock_code", "", "text", "Leave blank for a pure automatic. Set a code to gate the rule — it stays dormant until a shopper types this code at the cart. Letters, digits, . _ - only.", " maxlength=\"64\"") +
         "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add rule</button></div>" +
       "</form>" +
     "</div>";
@@ -15215,7 +15253,7 @@ function renderAdminDiscounts(opts) {
   }
 
   var body = "<section><h2>Discounts</h2>" + created + updated + archived + notice +
-    "<p class=\"meta\">Automatic cart-level discounts — applied without a coupon code.</p>" +
+    "<p class=\"meta\">Cart-level discount rules. By default a rule applies automatically when the cart matches its trigger; set an unlock code on a rule to keep it dormant until a shopper types that code at the cart.</p>" +
     ruleTable + createForm + policySection + "</section>";
   return _renderAdminShell(opts.shop_name, "Discounts", body, "discounts", opts.nav_available);
 }

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.3.72",
+  "version": "0.3.74",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",
@@ -38,8 +38,8 @@
       "fingerprinted": "js/passkey-register.02b0e196fb9608d8.js"
     },
     "js/pay.js": {
-      "integrity": "sha384-b9H7SuK6CdLZtcZbTouW6uZ2G99L5/joX5z2YyiL7Slg2ub69ZNw2rPZ/Pxw4qBG",
-      "fingerprinted": "js/pay.e174b69ddffbbfe4.js"
+      "integrity": "sha384-W11JVQhv1RZq4WhsAOglu56gTZTDz1ByLd+b1HFQBCi8xGoEhJ0PZ2yI3FqbYzt6",
+      "fingerprinted": "js/pay.683a905563e54a47.js"
     },
     "js/paypal-checkout.js": {
       "integrity": "sha384-LI6y/1z0Y9F8Kx8RhW4EwY2WqJPXLwJozCXqnhDT+dTckLHyvhly0SsRpH0bsdui",

package/lib/security-middleware.js

@@ -90,6 +90,14 @@ var HEALTH_PATH = "/_/health";
 //                                request-supplied address — without the tight
 //                                budget it is a victim-addressed mail cannon on
 //                                the loose global bucket alone.
+//   /cart/coupon              -> apply + remove a typed discount code. POST /cart/coupon
+//                                validates the code against the discount engine; on a
+//                                miss it returns a UNIFORM error (no existence oracle),
+//                                which makes the loose global bucket alone a code-guessing
+//                                engine — a sprayer can grind the coupon namespace for a
+//                                live code. The tight per-(IP+path) budget caps the
+//                                guess rate (same guessable-secret rationale as the
+//                                /gift-cards/balance lookup). Container-only.
 var TIGHT_PREFIXES = [
   "/account/login",
   "/account/register",
@@ -102,6 +110,7 @@ var TIGHT_PREFIXES = [
   "/survey/",
   "/orders/",
   "/stock-alert/",
+  "/cart/coupon",
 ];
 
 // Edge-served state-changing POST endpoints. These forms are rendered at

package/lib/storefront.js

@@ -11306,7 +11306,12 @@ function mount(router, deps) {
       // address with no usable postal falls through to null here.
       var coAuth = _currentCustomerEnv(req);
       if (!coAuth) return null;
-      var dest = await _estimateDestination(req);
+      // Reuse a destination the caller already resolved (the cart GET
+      // resolves it once and threads it into both this and
+      // _estimateCartTotals) so a signed-in cart render doesn't run the
+      // address lookup twice. Falls back to resolving it here for callers
+      // that don't pass one (the PDP).
+      var dest = opts.dest || await _estimateDestination(req);
       if (!dest || !dest.from_saved || !dest.ship_to || !dest.ship_to.postal) return null;
       // Operator-configured origin — the primitive won't guess one. Resolved
       // at boot into `deps.delivery_estimate_origin` (a plain slug string) from
@@ -11395,9 +11400,13 @@ function mount(router, deps) {
       destination:       null,
     };
     if (!deps.checkout || typeof deps.checkout.quote !== "function") return result;
+    // `opts.ship_to` (a shopper-confirmed address from the checkout POST) wins;
+    // else reuse a destination the caller already resolved (`opts.dest`, so a
+    // signed-in cart render doesn't run the address lookup twice — once here
+    // and once in _resolveDeliveryEstimate); else resolve it now.
     var dest = opts.ship_to
       ? { ship_to: opts.ship_to, from_saved: false }
-      : await _estimateDestination(req);
+      : (opts.dest || await _estimateDestination(req));
     result.destination = dest;
     try {
       // quote() without a selected_shipping_id returns the tax row + ALL
@@ -12288,12 +12297,17 @@ function mount(router, deps) {
       catch (_e) { appliedCodes = []; }
     }
     var appliedCodeStrings = appliedCodes.map(function (r) { return r.code; });
+    // Resolve the estimate destination ONCE for the render: both the totals
+    // estimate and the "Get it by <date>" delivery estimate need it, and the
+    // lookup (a saved-address read for a signed-in customer) is otherwise run
+    // twice per cart GET. Thread the single result into both.
+    var estimateDest = await _estimateDestination(req);
     // Real total before pay: compose the same tax + shipping primitives the
     // charge runs through (estimated against the shopper's saved/default
     // destination until they confirm an address at checkout). Falls back to
     // a subtotal-only breakdown — with tax/shipping labelled "calculated at
     // checkout" — when checkout isn't wired or no zone matches.
-    var totalsDetail = await _estimateCartTotals(req, c, lines, { codes: appliedCodeStrings });
+    var totalsDetail = await _estimateCartTotals(req, c, lines, { codes: appliedCodeStrings, dest: estimateDest });
     var totals = totalsDetail.totals;
     // Truthful per-line stock state (out / low / ok) so the cart never
     // implies a sold-out line is buyable.
@@ -12340,7 +12354,7 @@ function mount(router, deps) {
     // cart estimate is the destination window, not a per-parcel weight quote);
     // the primitive falls back to its weight-agnostic transit rows. Drop-
     // silent → null, and the summary renders no estimate.
-    var cartEstimate = await _resolveDeliveryEstimate(req, {});
+    var cartEstimate = await _resolveDeliveryEstimate(req, { dest: estimateDest });
     _send(res, 200, renderCart(Object.assign({
       lines:           lines,
       totals:          totals,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.3.72",
+  "version": "0.3.74",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {