@blamejs/blamejs-shop 0.3.74 → 0.3.76

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.3.x
 
+- v0.3.76 (2026-06-05) — **Abandoned-cart visibility in the admin console, with honest recovery.** The admin console gains a Carts screen showing abandoned carts: active carts with items whose last activity is older than a tunable window (twenty-four hours by default), listed freshest-first with line counts, subtotals, guest or signed-in attribution, and a value-at-risk summary. Recovery is built around what the privacy stance actually permits: buyer email addresses are stored only as one-way hashes, so a recovery email is impossible by design and the screen says so plainly. Instead, a per-cart action mints a single-use, code-gated percent-off discount — composing the existing unlock-code rules — and shows the code once for the operator to share through whatever channel they have. Fresh, empty, and converted carts are excluded; queries are window- and limit-bounded; the screen and its JSON shape are bearer-gated like every other console surface. **Added:** *Abandoned-carts screen with single-use recovery codes* — GET /admin/carts lists abandoned carts — active, containing items, idle past the window (tunable via the hours parameter, clamped to sane bounds) — with per-cart line counts, subtotal, last activity, and the customer link for signed-in carts, plus a count and value-at-risk summary. The per-cart Issue-code action creates a single-use unlock-code discount rule at the operator's chosen percentage and reveals the code once; the action is audited and appears only when the discounts primitive is wired. Session identifiers never appear in the JSON shape, and the screen states why no email recovery exists: addresses are one-way hashed.
+
+- v0.3.75 (2026-06-05) — **The analytics funnel records real shopper events — only with analytics consent.** The admin Analytics screen's browse-to-buy funnel, top search terms, and most-viewed products read an event stream that nothing previously wrote, so those tables stayed empty. The storefront now records five events — product view, search, add to cart, checkout started, order completed — strictly gated on the visitor's analytics consent: no consent decision means no recording, Do Not Track and Global Privacy Control suppress recording even after an accept-all, session identifiers are stored only as keyed hashes, and no name or email ever rides an event. Recording is fire-and-forget and can never affect a request. Edge-cached anonymous pages are deliberately not recorded — the cache stays shared and fast — so the funnel reflects consented, container-served traffic, and the dashboard's own copy now says exactly that. **Added:** *Consent-gated shopper event recording* — Product views, searches, cart adds, checkout starts, and completed orders record into the analytics event stream when — and only when — the session's consent grants the analytics category. The gate is the consent primitive's own server-side read: default-deny without a decision, policy-version-aware, and honoring Do Not Track and Sec-GPC over a stored acceptance. Events carry a hashed session key and bounded payloads, never personal data. The Analytics screen's funnel now states that its counts cover consented, container-served traffic; anonymous edge-cached page views are not tracked by design.
+
 - v0.3.74 (2026-06-05) — **The payment form matches the shop's dark theme.** The Stripe Payment Element and the express wallet buttons on the pay page previously rendered in Stripe's default light style — a white card floating on the shop's near-black page. The elements now use Stripe's night appearance recolored with the shop's own design tokens: violet accent on focus and selected tabs, the shop's charcoal input surfaces, soft ink text, and matching corner radii. The Apple Pay, Google Pay, and PayPal express buttons switch to their white and outline variants, which keep each brand's contrast rules legible on the dark card. No payment behavior changes; this is purely the appearance configuration on the existing elements. **Changed:** *Dark-themed payment elements* — The pay page's Stripe elements adopt the night appearance with the shop's design tokens — violet primary, charcoal surfaces, soft ink, ten-pixel radii, violet focus rings — and the express wallet buttons render in their white and outline variants sized to the page's controls. Inside Stripe's cross-origin frame the typeface falls back to the system stack; everything else mirrors the storefront's stylesheet tokens.
 
 - v0.3.73 (2026-06-05) — **Unlock codes are manageable from the Discounts screen, and coupon guessing is rate-capped.** Code-unlocked discount rules shipped with an API-only gap: the Discounts console had no field for the unlock code, so creating a code-gated rule required a raw API call. The create and edit forms now carry an optional Unlock code input — clearing it on edit reverts the rule to purely automatic — and the rule list and detail show which rules are code-gated; the screen's description covers both kinds. The cart's code-apply endpoint joins the tight per-address rate budget that already guards gift-card balance lookups, capping coupon-namespace guessing at the same rate. Also fixed: a failed confirmation-resend in the browser console now lands in the error log with a clean notice instead of an unrecorded failure, and the signed-in cart page resolves the shopper's destination once instead of twice per view. **Fixed:** *Unlock codes editable in the Discounts console* — The create and edit forms gain an optional Unlock code field, threaded through the same validation as the API. On edit, submitting the field blank explicitly clears the code (the rule becomes purely automatic again), while the inline quick-edit leaves it untouched. The rule list and the detail view display each rule's code, escaped, so code-gated rules are visible at a glance, and the screen copy now describes both automatic and code-unlocked rules. · *Coupon-code guessing joins the tight rate budget* — POST /cart/coupon now sits in the per-address, per-path rate budget alongside gift-card balance lookups — both accept guessable secrets and answer uniformly, so both deserve the same throttle. The pinned integration test sprays the endpoint and asserts the cap engages. · *Failed confirmation resends are captured and surfaced* — A mailer fault during a browser-initiated confirmation resend previously escaped both the error log and the screen. It now records to the error log and redirects back to the order with an honest failure notice; the API path captures identically. The signed-in cart view also drops a duplicated destination lookup per render.

package/README.md

@@ -97,7 +97,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/giftcards.js`** | Prepaid bearer gift cards. `issue({ amount_minor, currency })` generates a 16-char code (32-glyph alphabet, no ambiguous letters) via `b.crypto.generateBytes`, stores only its `namespaceHash` digest + a 4-char hint, and returns the plaintext code once. `balance(code)` / `lookup(code)` resolve a code to its live balance (constant-time hash compare); `redeem({ code, order_id, amount_minor })` decrements the balance with an atomic `balance >= amount` SQL guard so concurrent spends can't overdraw. Redeemed at checkout as a credit against the order grand total: the amount due drops by the applied balance (never below zero), the order still records the full total it owed, and the debit is recorded once per order — a card that fully covers the order is marked paid with no Stripe charge. Customers check a balance at `GET /gift-cards`; the page is not a code-existence oracle (unknown / malformed / expired all return the same generic not-found). |
 | **`lib/gift-card-ledger.js`** | Append-only credit / debit / expire history per gift card, with a denormalized `balance_after_minor` snapshot for O(1) balance reads. `credit` / `debit` / `expire` write one row each; `history(id)` paginates a card's transactions; `transactionsForOrder(id)` lists a card's movements for one order. The audit trail behind the admin gift-card ledger console; overdraft is refused at the primitive layer. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Carts** (`/admin/carts`) lists abandoned carts — active, has items, idle past a tunable window (24h default) — with line counts, value at risk, and guest/signed-in attribution; a per-cart action mints a single-use, code-gated discount the operator shares through their own channel (recovery email is impossible by design: buyer addresses are stored only as hashes, and the screen says so). **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, Carts, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |
 

package/lib/admin.js

@@ -36,10 +36,19 @@ var quantityDiscountsModule = require("./quantity-discounts");
 var loyaltyEarnRulesModule = require("./loyalty-earn-rules");
 var loyaltyRedemptionModule = require("./loyalty-redemption");
 var trustBadgesModule = require("./trust-badges");
+var cartModule = require("./cart");   // ABANDONED_* window/limit constants for the /admin/carts console
 var textGuard = require("./text-guard");
 var { AsyncLocalStorage } = require("node:async_hooks");   // allow:non-shop-require — Node-core per-request context (no npm dep); the framework itself composes it in db-role-context / log. No b.* request-context primitive exists to wrap it.
 
 var b = require("./vendor/blamejs");
+// Framework duration constants (C.TIME.hours(n) etc.). The index entry
+// point exposes `framework` before the require cascade, so resolving this
+// at module-eval is safe — same pattern lib/cart.js uses.
+var C = b.constants;
+
+// One hour in ms, named once so the hours<->ms conversions on the
+// abandoned-cart window read in named units rather than a bare literal.
+var MS_PER_HOUR = C.TIME.hours(1);
 
 var AUDIT_NAMESPACE = "shop_admin";
 
@@ -523,6 +532,7 @@ function mount(router, deps) {
   }
   var catalog       = deps.catalog;
   var order         = deps.order;
+  var cart          = deps.cart          || null;   // abandoned-cart visibility console (/admin/carts) disabled when absent
   var payment       = deps.payment       || null;   // refund endpoints disabled when absent
   var mailer        = deps.mailer        || null;   // transactional email factory (lib/email.js) — resend-confirmation disabled when absent
   var _checkout     = deps.checkout      || null;   // reserved — future webhook handler wiring
@@ -574,7 +584,7 @@ function mount(router, deps) {
   // `reports` is always present in the nav (read-only sales summary needs no
   // extra dep); its route mounts unconditionally and renders an unconfigured
   // notice when the salesReports primitive isn't wired.
-  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog };
+  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart };
 
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
 
@@ -9431,6 +9441,154 @@ function mount(router, deps) {
     return patch;
   }
 
+  // ---- abandoned carts (visibility + honest recovery) -----------------
+  //
+  // Operators have zero abandoned-cart visibility without this screen — no
+  // list, no value-at-risk total, no recovery surface. This reads the live
+  // `carts` table directly (active cart + has lines + untouched for >N
+  // hours), so it works WITHOUT the cart-abandonment scanner cron having
+  // ever run. The window is operator-tunable via `?hours=` (default 24).
+  //
+  // Recovery, honest version: a buyer's email is one-way hashed at every
+  // layer (the `carts` row carries only a sealed-cookie `session_id`, the
+  // customer record stores only an `email_hash`), so the framework cannot
+  // send a recovery EMAIL to ANY cart — guest or signed-in — on its own.
+  // The screen states this plainly. What it CAN do is compose the existing
+  // `autoDiscount` unlock-code surface: the "issue recovery code" action
+  // mints a single-use, code-gated percent-off rule (`max_redemptions_total
+  // = 1`) and shows the code ONCE for the operator to share through their
+  // own channel (the order-confirmation reply, an SMS, a printed receipt).
+  // No email is claimed where none is possible. When `autoDiscount` isn't
+  // wired the action is absent and the screen documents it as the next step.
+
+  // The recovery-code action composes deps.autoDiscount. Read it through a
+  // helper rather than the `autoDiscount` local (which is declared further
+  // down, inside the discounts block) so this block doesn't depend on
+  // var-hoist ordering.
+  function autoDiscountForCarts() { return deps.autoDiscount || null; }
+
+  // Defensive request-shape readers for the abandoned-cart window. The
+  // console accepts `?hours=` (whole hours) + `?limit=`; the cart primitive
+  // clamps the ms window + limit again, but converting here keeps the
+  // operator-facing unit (hours) at the route boundary. Garbage falls back
+  // to the default rather than 500-ing the screen.
+  function _cartHoursToMs(hoursRaw) {
+    if (hoursRaw == null || hoursRaw === "") return cartModule.ABANDONED_DEFAULT_IDLE_MS;
+    var h = Number(hoursRaw);
+    if (!isFinite(h) || h <= 0) return cartModule.ABANDONED_DEFAULT_IDLE_MS;
+    return Math.floor(h * MS_PER_HOUR);
+  }
+  function _cartListLimit(limitRaw) {
+    if (limitRaw == null || limitRaw === "") return undefined;
+    var n = parseInt(limitRaw, 10);
+    if (!isFinite(n) || n <= 0) return undefined;
+    return n;
+  }
+
+  // Mint a single-use, code-gated percent-off rule for one abandoned cart.
+  // Returns `{ rule_slug, unlock_code, percent_off }` on success, or null
+  // when the cart id doesn't resolve to an abandonable cart (so the route
+  // 404s rather than minting a code for nothing). Throws TypeError on bad
+  // input (a non-1..99 percent, a bad cart id) → clean 400 at the route.
+  async function _issueCartRecoveryCode(cartId, body) {
+    var ad = autoDiscountForCarts();
+    if (!ad) return null;   // defensive — the route only mounts when wired
+    // Resolve the cart so we don't mint a code for a non-existent / already
+    // converted cart. cart.get validates the id shape (throws TypeError on
+    // garbage → 400).
+    var row = await cart.get(cartId);
+    if (!row || row.status !== "active") return null;
+    // Percent off — operator-chosen, 1..99. Default 10% when blank.
+    var pctRaw = body.percent_off;
+    var pct = (pctRaw == null || pctRaw === "") ? 10 : Number(pctRaw);
+    if (!isFinite(pct) || !Number.isInteger(pct) || pct < 1 || pct > 99) {
+      throw new TypeError("percent_off must be a whole number between 1 and 99");
+    }
+    // Mint a short, human-shareable code. The unlock_code grammar is
+    // alnum + . _ - ; an uppercased hex slice of random bytes keeps it
+    // typeable. generateToken(n) returns n random bytes as 2n hex chars.
+    var code = "SAVE" + b.crypto.generateToken(4).slice(0, 6).toUpperCase();
+    var slug = "cart-recovery-" + String(cartId).slice(0, 8).toLowerCase() + "-" + Date.now().toString(36);
+    // Single-use, code-gated, no automatic trigger (cart_total_min: 0 fires
+    // on any cart once the code is presented). The lib rejects a code clash
+    // with another active rule (→ TypeError → 400), so a duplicate is safe.
+    await ad.defineRule({
+      slug:  slug,
+      title: "Cart recovery — " + pct + "% off",
+      trigger: { kind: "cart_total_min", min_minor: 0 },
+      value:   { kind: "percent_off", basis_points: pct * 100 },
+      unlock_code: code,
+      max_redemptions_total: 1,
+    });
+    return { rule_slug: slug, unlock_code: code, percent_off: pct };
+  }
+
+  if (cart) {
+    var cartRecoveryCodeEnabled = !!autoDiscountForCarts();
+
+    router.get("/admin/carts", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var hours = url && url.searchParams.get("hours");
+        var idleMs = _cartHoursToMs(hours);
+        var limit = _cartListLimit(url && url.searchParams.get("limit"));
+        var carts = await cart.listAbandoned({ idle_threshold_ms: idleMs, limit: limit });
+        var summary = await cart.abandonedSummary({ idle_threshold_ms: idleMs });
+        _json(res, 200, { carts: carts, summary: summary });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var hoursRaw = url && url.searchParams.get("hours");
+        var idleMs = _cartHoursToMs(hoursRaw);
+        var hours = Math.round(idleMs / MS_PER_HOUR);
+        var carts = await cart.listAbandoned({ idle_threshold_ms: idleMs, limit: cartModule.ABANDONED_MAX_LIMIT });
+        var summary = await cart.abandonedSummary({ idle_threshold_ms: idleMs });
+        _sendHtml(res, 200, renderAdminCarts({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          carts: carts, summary: summary, hours: hours,
+          recovery_enabled: cartRecoveryCodeEnabled,
+          issued: url && url.searchParams.get("issued"),
+          issued_code: url && url.searchParams.get("code"),
+          issued_cart: url && url.searchParams.get("cart"),
+          notice: (url && url.searchParams.get("err")) ? "That action couldn't be completed." : null,
+        }));
+      },
+    ));
+
+    // Issue a single-use recovery code for one cart. Composes the existing
+    // autoDiscount unlock-code surface — NO new primitive. Only mounted
+    // when autoDiscount is wired; absent it, the screen never renders the
+    // form (so this route stays an honest 404 for the unwired deploy).
+    if (cartRecoveryCodeEnabled) {
+      router.post("/admin/carts/:id/recovery-code", _pageOrApi(false,
+        W("cart_recovery_code.issue", async function (req, res) {
+          var out;
+          try { out = await _issueCartRecoveryCode(req.params.id, req.body || {}); }
+          catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+          if (!out) return _problem(res, 404, "cart-not-found");
+          _json(res, 201, out);
+          return { id: out.rule_slug };
+        }),
+        async function (req, res) {
+          var out;
+          try { out = await _issueCartRecoveryCode(req.params.id, req.body || {}); }
+          catch (e) {
+            if (!(e instanceof TypeError)) throw e;
+            return _redirect(res, "/admin/carts?err=1");
+          }
+          if (!out) return _redirect(res, "/admin/carts?err=1");
+          b.audit.safeEmit({
+            action: AUDIT_NAMESPACE + ".cart_recovery_code.issue",
+            outcome: "success",
+            metadata: { rule_slug: out.rule_slug },
+          });
+          _redirect(res, "/admin/carts?issued=1&code=" + encodeURIComponent(out.unlock_code) +
+            "&cart=" + encodeURIComponent(String(req.params.id).slice(0, 8)));
+        },
+      ));
+    }
+  }
+
   // ---- automatic discounts + stacking policies ------------------------
   //
   // Two related concerns on one console screen. `autoDiscount` rules are
@@ -11247,7 +11405,7 @@ function renderAdminAnalytics(opts) {
   var ratePct = (Number(fn.conversion_rate) || 0) * 100;
   var funnelStats =
     "<section><h2>Browse-to-buy funnel</h2>" +
-      "<p class=\"meta\">Pre-purchase signal from the event stream — the sales report covers post-order status; this covers the path to it.</p>" +
+      "<p class=\"meta\">Pre-purchase signal from the event stream — the sales report covers post-order status; this covers the path to it. Counts cover visitors who opted into analytics cookies and reflect container-served traffic: anonymous product and search pages are served from the edge cache and aren't recorded here.</p>" +
       "<div class=\"stat-grid\">" +
         _statCard("Product views", String(fn.pdp_views || 0)) +
         _statCard("Cart adds",     String(fn.cart_adds || 0)) +
@@ -11334,6 +11492,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "products",     href: "/admin/products",     label: "Products" },
   { key: "inventory",    href: "/admin/inventory",    label: "Inventory" },
   { key: "orders",       href: "/admin/orders",       label: "Orders" },
+  { key: "carts",        href: "/admin/carts",        label: "Abandoned carts", requires: "carts" },
   { key: "reports",      href: "/admin/reports",      label: "Reports" },
   { key: "analytics",    href: "/admin/analytics",    label: "Analytics",    requires: "analytics" },
   { key: "audit",        href: "/admin/audit",        label: "Audit",        requires: "auditLog" },
@@ -11655,6 +11814,138 @@ function renderAdminOrders(opts) {
   return _renderAdminShell(opts.shop_name, "Orders", body, "orders", opts.nav_available);
 }
 
+// Format an idle duration (ms) as a coarse human string for the abandoned-
+// cart "last activity" column: "3h", "2d", "<1h". Coarse on purpose — the
+// operator wants the order of magnitude, not a precise stopwatch.
+function _fmtIdle(ms) {
+  if (typeof ms !== "number" || !isFinite(ms) || ms < 0) return "—";
+  var hours = ms / MS_PER_HOUR;
+  if (hours < 1)  return "<1h";
+  if (hours < 48) return Math.floor(hours) + "h";
+  return Math.floor(hours / 24) + "d";
+}
+
+// Abandoned-cart visibility. Lists active carts with at least one line that
+// haven't been touched for the selected window (default 24h, tunable via the
+// `?hours=` filter), freshest-abandonment first, with a value-at-risk summary.
+//
+// Recovery is honest about the framework's hash-only stance: buyer emails are
+// one-way hashed everywhere (the cart row carries only a sealed-cookie
+// session_id; the customer record stores only an email_hash), so NO recovery
+// EMAIL is possible — for guest OR signed-in carts. The screen says so. When
+// `autoDiscount` is wired it offers the one recovery that IS possible: minting
+// a single-use code-gated discount whose code the operator shares through
+// their own channel.
+//
+// XSS note: customer_id + cart id are framework-issued UUIDs, but every value
+// still flows through _htmlEscape (escape-by-default) — the discipline holds
+// regardless of the field's provenance.
+function renderAdminCarts(opts) {
+  opts = opts || {};
+  var carts = opts.carts || [];
+  var summary = opts.summary || { cart_count: 0, by_currency: [] };
+  var hours = opts.hours || 24;
+  var recoveryEnabled = !!opts.recovery_enabled;
+
+  var notice = opts.notice ? "<div class=\"banner banner--warn\">" + _htmlEscape(opts.notice) + "</div>" : "";
+
+  // PRG success banner after issuing a recovery code — shows the code ONCE
+  // (the operator copies it to share through their own channel; it isn't
+  // re-displayed on reload).
+  var issued = "";
+  if (opts.issued && opts.issued_code) {
+    issued = "<div class=\"banner banner--ok\">" +
+      "Recovery code <code class=\"order-id\">" + _htmlEscape(opts.issued_code) + "</code> issued" +
+      (opts.issued_cart ? " for cart " + _htmlEscape(opts.issued_cart) : "") + ". " +
+      "Share it through your own channel — it's single-use and won't be shown again." +
+      "</div>";
+  }
+
+  // Value-at-risk summary line(s) — one per currency present in the window.
+  var valueLine;
+  if (summary.cart_count === 0) {
+    valueLine = "<span class=\"meta\">No carts have been idle longer than " + _htmlEscape(String(hours)) + "h.</span>";
+  } else {
+    var perCur = (summary.by_currency || []).map(function (c) {
+      return _htmlEscape(pricing.format(c.value_minor, c.currency)) +
+        " across " + _htmlEscape(String(c.cart_count)) + " cart" + (c.cart_count === 1 ? "" : "s");
+    }).join("; ");
+    valueLine = "<strong>" + _htmlEscape(String(summary.cart_count)) + "</strong> abandoned cart" +
+      (summary.cart_count === 1 ? "" : "s") + " — " + perCur + " at risk.";
+  }
+
+  // Window filter chips — common windows plus the current one highlighted.
+  var WINDOWS = [1, 6, 24, 72, 168];
+  var chips = "<div class=\"order-filters\">" +
+    WINDOWS.map(function (h) {
+      var label = h < 24 ? h + "h" : (h / 24) + "d";
+      return "<a class=\"chip" + (hours === h ? " chip--on" : "") +
+        "\" href=\"/admin/carts?hours=" + h + "\">&gt; " + _htmlEscape(label) + "</a>";
+    }).join("") +
+    "</div>";
+
+  var rows = carts.map(function (c) {
+    var isGuest = !c.customer_id;
+    var who = isGuest
+      ? "<span class=\"chip\">Guest</span>"
+      : "<a href=\"/admin/customers/" + _htmlEscape(encodeURIComponent(c.customer_id)) +
+        "\"><span class=\"chip\">Signed in</span></a>";
+    // The recovery-code form (only when autoDiscount is wired). A guest cart
+    // gets the same code-mint affordance — the code is shared out-of-band, so
+    // it doesn't depend on a deliverable address either way.
+    var action = recoveryEnabled
+      ? "<form method=\"post\" action=\"/admin/carts/" + _htmlEscape(encodeURIComponent(c.id)) +
+          "/recovery-code\" class=\"form-inline\">" +
+          "<input type=\"number\" name=\"percent_off\" min=\"1\" max=\"99\" step=\"1\" value=\"10\" " +
+            "class=\"input-code\" aria-label=\"Percent off\"> " +
+          "<button class=\"btn btn--ghost btn--sm\" type=\"submit\">Issue code</button>" +
+        "</form>"
+      : "<span class=\"meta\">—</span>";
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(String(c.id).slice(0, 8)) + "</code></td>" +
+      "<td class=\"num\">" + _htmlEscape(String(c.line_count)) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(pricing.format(c.subtotal_minor, c.currency)) + "</td>" +
+      "<td>" + _htmlEscape(_fmtIdle(c.idle_ms)) + " ago <span class=\"meta\">(" + _htmlEscape(_fmtDate(c.updated_at)) + ")</span></td>" +
+      "<td>" + who + "</td>" +
+      "<td>" + action + "</td>" +
+      "</tr>";
+  }).join("");
+
+  var table = carts.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr>" +
+        "<th scope=\"col\">Cart</th>" +
+        "<th scope=\"col\" class=\"num\">Items</th>" +
+        "<th scope=\"col\" class=\"num\">Subtotal</th>" +
+        "<th scope=\"col\">Last activity</th>" +
+        "<th scope=\"col\">Shopper</th>" +
+        "<th scope=\"col\">" + (recoveryEnabled ? "Recovery" : "<span class=\"sr-only\">Recovery</span>") + "</th>" +
+      "</tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No carts have been abandoned longer than " + _htmlEscape(String(hours)) + "h.</p>";
+
+  // The honest-recovery explainer. Always shown — it's the load-bearing
+  // caveat that distinguishes this screen from a store that emails idle
+  // shoppers (which this framework structurally cannot do).
+  var recoveryNote = recoveryEnabled
+    ? "<div class=\"panel mt\"><h3 class=\"subhead\">Recovering a cart</h3>" +
+        "<p class=\"meta\">Buyer emails are one-way hashed everywhere in this shop, so the " +
+        "framework can't send an abandoned-cart email — for guest or signed-in carts. " +
+        "Instead, issue a single-use discount code for a cart and share it through your own " +
+        "channel (an order-confirmation reply, SMS, or printed receipt). Each code works once " +
+        "and appears on your <a href=\"/admin/discounts\">discounts</a> list.</p></div>"
+    : "<div class=\"panel mt\"><h3 class=\"subhead\">Recovering a cart</h3>" +
+        "<p class=\"meta\">Buyer emails are one-way hashed everywhere in this shop, so the " +
+        "framework can't send an abandoned-cart email. The recovery path here is to issue a " +
+        "single-use discount code per cart and share it through your own channel — wire the " +
+        "discounts feature (the <code>autoDiscount</code> dependency) to enable it.</p></div>";
+
+  var body = "<section><h2>Abandoned carts</h2>" + notice + issued +
+    "<p class=\"meta\">Active carts with items that haven't been touched in a while. " +
+    "These are reads of live carts — no scanner or cron required.</p>" +
+    "<p class=\"meta\">" + valueLine + "</p>" +
+    chips + table + recoveryNote + "</section>";
+  return _renderAdminShell(opts.shop_name, "Abandoned carts", body, "carts", opts.nav_available);
+}
+
 // The outcomes an operator can filter the audit log by — drives the chips.
 var AUDIT_OUTCOME_FILTERS = ["success", "failure", "denied"];
 

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.3.74",
+  "version": "0.3.76",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",

package/lib/cart.js

@@ -42,6 +42,18 @@ var CURRENCY_RE     = /^[A-Z]{3}$/;
 var DISCOUNT_CODE_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
 var MAX_CODES_PER_CART = 16;
 
+// Abandoned-cart visibility defaults. A cart counts as "abandoned" for the
+// operator dashboard when it is still `active`, carries at least one line,
+// and has not been touched (no `updated_at` bump) for at least
+// `idle_threshold_ms`. This reads the live `carts` table directly — it does
+// NOT require the cart-abandonment scanner's detection rows to exist, so an
+// operator who never wired the recovery cron still sees their idle carts.
+var ABANDONED_DEFAULT_IDLE_MS = C.TIME.hours(24);
+var ABANDONED_MIN_IDLE_MS     = C.TIME.minutes(1);   // floor so a 0h window can't list live carts
+var ABANDONED_MAX_IDLE_MS     = C.TIME.days(90);     // ceiling — past this the TTL has abandoned it anyway
+var ABANDONED_DEFAULT_LIMIT   = 50;
+var ABANDONED_MAX_LIMIT       = 200;
+
 // ---- validators ---------------------------------------------------------
 
 function _uuid(s, label) {
@@ -77,6 +89,31 @@ function _discountCode(s) {
 
 function _now() { return Date.now(); }
 
+// Defensive request-shape readers for the abandoned-cart dashboard window.
+// A garbage / out-of-range value (a hand-typed `?hours=` query param) clamps
+// to a sane default rather than throwing — the console must never 500 on a
+// fat-fingered filter. The bounds also stop a caller widening the scan past
+// the ceiling (idle floor keeps live carts out; limit ceiling keeps the
+// payload bounded).
+function _abandonedIdleMs(v) {
+  if (v == null) return ABANDONED_DEFAULT_IDLE_MS;
+  var n = typeof v === "string" ? Number(v) : v;
+  if (typeof n !== "number" || !isFinite(n)) return ABANDONED_DEFAULT_IDLE_MS;
+  n = Math.floor(n);
+  if (n < ABANDONED_MIN_IDLE_MS) return ABANDONED_MIN_IDLE_MS;
+  if (n > ABANDONED_MAX_IDLE_MS) return ABANDONED_MAX_IDLE_MS;
+  return n;
+}
+function _abandonedLimit(v) {
+  if (v == null) return ABANDONED_DEFAULT_LIMIT;
+  var n = typeof v === "string" ? Number(v) : v;
+  if (typeof n !== "number" || !isFinite(n)) return ABANDONED_DEFAULT_LIMIT;
+  n = Math.floor(n);
+  if (n < 1) return ABANDONED_DEFAULT_LIMIT;
+  if (n > ABANDONED_MAX_LIMIT) return ABANDONED_MAX_LIMIT;
+  return n;
+}
+
 // ---- factory ------------------------------------------------------------
 
 function create(opts) {
@@ -317,6 +354,107 @@ function create(opts) {
       return (await query("SELECT * FROM carts WHERE id = ?1", [cartId])).rows[0];
     },
 
+    // ---- abandoned-cart visibility (operator dashboard) ---------------
+    //
+    // A cart is "abandoned" for dashboard purposes when it is still
+    // `active`, has at least one line, and hasn't been touched for
+    // `idle_threshold_ms` (default 24h, operator-tunable). This reads the
+    // live `carts` / `cart_lines` tables — it needs NO scanner detection
+    // rows and NO schema change, so an operator who never wired the
+    // recovery cron still sees their idle carts.
+    //
+    // Defensive request-shape reader tier: a missing / garbage option
+    // falls back to a sane default rather than throwing, so a hand-typed
+    // `?hours=` query param can't 500 the console. The window is clamped
+    // to [1min, 90d] and the limit to [1, 200] — a caller can't widen the
+    // scan past the bounded ceiling.
+
+    // List abandoned carts, most-recent-activity-first, each enriched with
+    // its line count + subtotal-in-minor-units + age. Bounded by `limit`
+    // (default 50, max 200). The `idle_threshold_ms` option sets the
+    // untouched-for window; carts updated more recently than that are still
+    // "live" and excluded. Carts with zero lines are excluded (an empty
+    // cart has nothing to recover).
+    listAbandoned: async function (listOpts) {
+      listOpts = listOpts || {};
+      var idleMs = _abandonedIdleMs(listOpts.idle_threshold_ms);
+      var limit  = _abandonedLimit(listOpts.limit);
+      var now    = listOpts.now == null ? _now() : listOpts.now;
+      var cutoff = now - idleMs;
+      // INNER JOIN onto an aggregate of cart_lines so the zero-line carts
+      // drop out (a cart with no lines produces no group row) and we read
+      // the line count + subtotal in one pass. ORDER BY updated_at DESC =
+      // freshest-abandonment first (the operator's most-actionable carts).
+      var rows = (await query(
+        "SELECT c.id AS id, c.session_id AS session_id, c.customer_id AS customer_id, " +
+        "       c.currency AS currency, c.created_at AS created_at, c.updated_at AS updated_at, " +
+        "       agg.line_count AS line_count, agg.subtotal_minor AS subtotal_minor " +
+        "FROM carts c " +
+        "JOIN (SELECT cart_id, COUNT(*) AS line_count, " +
+        "             SUM(qty * unit_amount_minor) AS subtotal_minor " +
+        "      FROM cart_lines GROUP BY cart_id) agg ON agg.cart_id = c.id " +
+        "WHERE c.status = 'active' AND c.updated_at <= ?1 " +
+        "ORDER BY c.updated_at DESC, c.id DESC LIMIT ?2",
+        [cutoff, limit],
+      )).rows;
+      var out = [];
+      for (var i = 0; i < rows.length; i += 1) {
+        var r = rows[i];
+        out.push({
+          id:             r.id,
+          // session_id is sealed-cookie material — never surface it raw to
+          // the operator screen; a short opaque tag of the cart id is the
+          // dashboard handle. customer_id passes through so the console can
+          // link signed-in carts to /admin/customers/<id>.
+          customer_id:    r.customer_id || null,
+          currency:       r.currency,
+          line_count:     Number(r.line_count || 0),
+          subtotal_minor: Number(r.subtotal_minor || 0),
+          created_at:     Number(r.created_at),
+          updated_at:     Number(r.updated_at),
+          idle_ms:        Math.max(0, now - Number(r.updated_at)),
+        });
+      }
+      return out;
+    },
+
+    // Summary stats for the same abandoned-cart window: how many carts are
+    // at risk + the total value (sum of subtotals) across them, per
+    // currency. The console renders this as the headline "N carts, X at
+    // risk" line. Unbounded COUNT/SUM (cheap aggregate, no row payload).
+    abandonedSummary: async function (sumOpts) {
+      sumOpts = sumOpts || {};
+      var idleMs = _abandonedIdleMs(sumOpts.idle_threshold_ms);
+      var now    = sumOpts.now == null ? _now() : sumOpts.now;
+      var cutoff = now - idleMs;
+      var rows = (await query(
+        "SELECT c.currency AS currency, COUNT(*) AS cart_count, " +
+        "       SUM(agg.subtotal_minor) AS value_minor " +
+        "FROM carts c " +
+        "JOIN (SELECT cart_id, SUM(qty * unit_amount_minor) AS subtotal_minor " +
+        "      FROM cart_lines GROUP BY cart_id) agg ON agg.cart_id = c.id " +
+        "WHERE c.status = 'active' AND c.updated_at <= ?1 " +
+        "GROUP BY c.currency",
+        [cutoff],
+      )).rows;
+      var byCurrency = [];
+      var totalCarts = 0;
+      for (var i = 0; i < rows.length; i += 1) {
+        var n = Number(rows[i].cart_count || 0);
+        totalCarts += n;
+        byCurrency.push({
+          currency:    rows[i].currency,
+          cart_count:  n,
+          value_minor: Number(rows[i].value_minor || 0),
+        });
+      }
+      return {
+        idle_threshold_ms: idleMs,
+        cart_count:        totalCarts,
+        by_currency:       byCurrency,
+      };
+    },
+
     // ---- applied discount codes ---------------------------------------
     //
     // A cart carries the discount codes a shopper applied on the cart page.
@@ -391,8 +529,10 @@ function create(opts) {
 }
 
 module.exports = {
-  create:           create,
-  DEFAULT_TTL_MS:   DEFAULT_TTL_MS,
-  MAX_QTY:          MAX_QTY,
-  CART_STATUSES:    CART_STATUSES,
+  create:                    create,
+  DEFAULT_TTL_MS:            DEFAULT_TTL_MS,
+  MAX_QTY:                   MAX_QTY,
+  CART_STATUSES:             CART_STATUSES,
+  ABANDONED_DEFAULT_IDLE_MS: ABANDONED_DEFAULT_IDLE_MS,
+  ABANDONED_MAX_LIMIT:       ABANDONED_MAX_LIMIT,
 };

package/lib/storefront.js

@@ -10114,6 +10114,53 @@ function mount(router, deps) {
     return lines.length;
   }
 
+  // Consent-gated browse→buy event recording (lib/analytics.js's event
+  // stream — the data behind /admin/analytics's funnel, top-search-terms,
+  // and most-viewed tables). Mounts only when deps.analytics is wired.
+  //
+  // GATE: a single byte is written ONLY when the visitor's stored decision
+  // opts the `analytics` category in. The gate is the SAME server-side read
+  // every other consent-gated behaviour uses — `_consentAllows(req,
+  // "analytics", _liveConsentPolicy())` — which reads the sealed
+  // `shop_consent` cookie, default-denies when there's no decision, and
+  // honours DNT / Sec-GPC as an implicit deny. No consent → nothing is
+  // recorded (no anonymised fallback row).
+  //
+  // PRIVACY: the only join key is the per-session `shop_sid` value, which
+  // recordEvent namespace-hashes before it touches the table (raw id never
+  // persists). No emails / names / customer ids are passed — session-scoped
+  // only. recordEvent itself refuses anything that looks like a raw email
+  // or IP, so a stray PII value loud-fails rather than leaking.
+  //
+  // EDGE NOTE: PDP + search GETs are edge-cached for anonymous visitors,
+  // and the edge cannot record per-visitor events (it has no DB write path
+  // and must stay cacheable) — it is deliberately NOT changed to. These
+  // events therefore fire on CONTAINER-served requests only, so the funnel
+  // reflects container-served traffic (a session-cookie-carrying visitor
+  // skips the edge cache, which is exactly the cohort whose consent we can
+  // read). The /admin/analytics screen copy states this honestly.
+  //
+  // HOT PATH: every call is fire-and-forget + drop-silent. We never await
+  // the write into the response and the whole body is wrapped so a recording
+  // failure (unmigrated table, write contention, validator throw) can never
+  // affect the request that triggered it.
+  function _recordAnalyticsEvent(req, fields, sidOverride) {
+    if (!deps.analytics) return;
+    try {
+      if (!_consentAllows(req, "analytics", _liveConsentPolicy())) return;
+      // `sidOverride` carries a session id the route just resolved/minted
+      // (e.g. cart-add creating a fresh session) — the request cookie can
+      // be stale or absent at that point.
+      var sid = sidOverride || null;
+      if (!sid) { try { sid = _readSidCookie(req); } catch (_e) { sid = null; } }
+      if (!sid) return;   // recordEvent needs a join key; no session → skip
+      var input = Object.assign({ session_id: sid }, fields);
+      // Fire-and-forget: kick the async write off and swallow any rejection
+      // so a slow / failing DB hop never delays or breaks the response.
+      Promise.resolve(deps.analytics.recordEvent(input)).catch(function () {});
+    } catch (_e) { /* drop-silent — analytics is supplementary to every request */ }
+  }
+
   // Resolve the active trust badges for a container-only placement and
   // concatenate each one's sanitized renderHtml. Fires an impression per
   // rendered badge (fire-and-forget — the counter is drop-silent on the hot
@@ -11717,6 +11764,13 @@ function mount(router, deps) {
       shop_name:       shopName,
       cart_count:      cartCount,
     }, _requestUrls(req), ccy)));
+    // Consent-gated funnel event — feeds the top-search-terms aggregate.
+    // Only a real (non-empty) query counts; the typed term is bounded to
+    // 200 chars above (recordEvent caps search_q at 256). Container-served
+    // only; fire-and-forget + drop-silent.
+    if (q.trim().length > 0) {
+      _recordAnalyticsEvent(req, { event_type: "search_query", search_q: q.trim() });
+    }
   });
 
   router.get("/products/:slug", async function (req, res) {
@@ -11886,6 +11940,10 @@ function mount(router, deps) {
       cart_count:     cartCount,
       theme:          theme,
     }, _requestUrls(req), ccy));
+    // Consent-gated funnel event — the top of the browse→buy funnel +
+    // most-viewed-products aggregate. Container-served only (anonymous PDPs
+    // are edge-cached and never reach here); fire-and-forget + drop-silent.
+    _recordAnalyticsEvent(req, { event_type: "pdp_view", product_id: product.id });
     _send(res, 200, html);
   });
 
@@ -12681,6 +12739,10 @@ function mount(router, deps) {
       var lines = await _repriceCartLines(rawLines);
       _setCheckoutCsp(res);
       _send(res, 200, renderCheckoutForm(await _checkoutRenderOpts(req, c, lines, null)));
+      // Consent-gated funnel event — the checkout_start step (the visitor
+      // reached the checkout form with a non-empty cart). Container-served
+      // (checkout is never edge-cached); fire-and-forget + drop-silent.
+      _recordAnalyticsEvent(req, { event_type: "checkout_start" });
     });
 
     router.post("/checkout", async function (req, res) {
@@ -12768,6 +12830,20 @@ function mount(router, deps) {
         // schedule land here. A failure must never roll back a paid order, so
         // each is its own try/catch (mirrors _recordAutoDiscounts).
         await _persistGiftAndPickup(c, result.order, body);
+        // Consent-gated funnel event — checkout_complete (an order was
+        // placed: the cart converted via checkout.confirm). Fires for both
+        // the gift-card-fully-paid path and the Stripe-intent path (the
+        // async pending→paid webhook carries no visitor session/consent, so
+        // it is deliberately NOT a recording point — the order placed here
+        // is the conversion the funnel counts). Container-served; fire-and-
+        // forget + drop-silent.
+        // A fully-covered order (gift card / loyalty pays it all) settles AT
+        // confirm; a Stripe-path order is only PENDING here — its completion
+        // records on the post-payment return (/orders/:id) instead, so the
+        // funnel never counts a payment the shopper abandoned at /pay.
+        if (!result.payment_intent) {
+          _recordAnalyticsEvent(req, { event_type: "checkout_complete", payload: { order_id: result.order.id } });
+        }
         // When a gift card fully covered the order there's no Stripe
         // intent — the order is already paid. Skip the pay-cookie +
         // pay page and land the customer straight on the confirmation.
@@ -13060,6 +13136,19 @@ function mount(router, deps) {
       if (o.customer_id && (!orderAuth || o.customer_id !== orderAuth.customer_id)) {
         return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
       }
+      // Stripe's post-payment return lands here with ?redirect_status=
+      // succeeded — the moment the payment actually settled client-side,
+      // with the shopper's session + consent readable. Record the funnel's
+      // checkout_complete HERE (the confirm POST only records fully-covered
+      // orders), then 303 to the param-less URL: the redirect both cleans
+      // the confirmation link and acts as the dedupe — a refresh or revisit
+      // hits the bare URL and records nothing.
+      if (req.query && req.query.redirect_status === "succeeded") {
+        _recordAnalyticsEvent(req, { event_type: "checkout_complete", payload: { order_id: o.id } });
+        res.status(303);
+        if (res.setHeader) res.setHeader("location", "/orders/" + o.id);
+        return res.end ? res.end() : res.send("");
+      }
       // Same variant_id → {product, hero_media} lookup pattern as the
       // cart route, applied to the order's frozen line items so the
       // post-checkout page shows what the customer bought visually.
@@ -17823,6 +17912,12 @@ function mount(router, deps) {
         back_href: "/cart", back_label: "Back to cart",
       }));
     }
+    // Consent-gated funnel event — the cart_add step of the browse→buy
+    // funnel. The added variant rides in the payload (the funnel counts by
+    // event_type; product_id is reserved for pdp_view's most-viewed
+    // aggregate). Fire-and-forget + drop-silent.
+    _recordAnalyticsEvent(req, { event_type: "cart_add", payload: { variant_id: variantId, qty: qty } },
+      resolved && resolved.cart && resolved.cart.session_id);
     // `?added=1` so the cart page can confirm the item landed (the page
     // surfaces an "Added to cart" status banner). Still a 303 so a refresh
     // re-issues the GET, not the POST.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.3.74",
+  "version": "0.3.76",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {