@blamejs/blamejs-shop 0.4.0 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/README.md +1 -1
- package/lib/admin.js +314 -1
- package/lib/asset-manifest.json +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.4.x
|
|
10
10
|
|
|
11
|
+
- v0.4.1 (2026-06-05) — **Order notes and a customer activity timeline in the admin console.** Two operator surfaces land in the admin console. Every order detail screen gains a customer-service notes thread: operators record internal notes or customer-visible ones, pin the important thread to the top, and mark issues resolved or reopen them — with note bodies length-bounded, control-character-rejected, and escaped at render. Every customer detail screen gains a read-only activity timeline aggregating what that customer has done across the store — orders placed and their lifecycle transitions, loyalty points earned, wishlist additions, reviews submitted, and support tickets opened — read directly from the tables those features already populate, newest first. Both panels appear only when their backing modules are wired, and every note mutation is ownership-scoped to its order and audited. **Added:** *Customer-service notes on order detail* — The admin order screen shows a notes thread with pinned notes floated first and the rest newest-first. Operators add notes as internal (the default) or customer-visible, pin and unpin them, and resolve or reopen them with a short resolution summary; resolving a customer-visible note is refused so customer-facing context is never silently closed out. Bodies are validated server-side (8000-character cap, control characters rejected) and HTML-escaped at render. Each mutation verifies the note belongs to the order in the URL before acting, returns clean errors for unknown or malformed identifiers, and emits an audit event. The same surface is available as JSON under the admin bearer token. · *Customer activity timeline on customer detail* — The admin customer screen shows an aggregated, newest-first activity feed: order placements and status transitions, loyalty point movements, wishlist additions, review submissions, and support tickets. The timeline is a read-only view over the tables those features already write — no new tracking or recording was added anywhere in the request path. The panel shows the most recent fifty events, links each event to its admin screen where one exists, and renders an explicit empty state for customers with no history. The same feed is available as JSON under the admin bearer token.
|
|
12
|
+
|
|
11
13
|
- v0.4.0 (2026-06-05) — **Inventory is enforced at the point of sale, completing the transactions, checkout, and analytics surface.** Stock levels were previously display-only: the product page showed honest availability, but nothing reserved inventory at checkout or debited it on a sale, so concurrent buyers could oversell a SKU and stock counts never moved. Checkout now places an atomic per-SKU hold before any charge — a sold-out line re-renders the form with a friendly message instead of charging — and the order lifecycle settles the hold: payment converts it to a real stock decrement (idempotent across webhook re-deliveries), cancellation releases it, and refunds deliberately leave restocking to the operator's judgment. Untracked SKUs remain unlimited, and pre-order campaigns keep their own reservation flow. The README previously described an oversell-prevention mechanism that was not actually wired; it now describes the real one. This minor release caps the transactions, checkout, and analytics arc: server-validated addresses and digital-cart checkout, discount codes with console authoring, gift cards, loyalty, store pickup, a dark-themed Stripe payment surface with express wallets and verified 3-D Secure, shipment tracking timelines, consent-gated funnel analytics with an admin dashboard, abandoned-cart visibility with honest recovery codes, operator error logs, and confirmation resends. Known, documented deferrals: customer receipt downloads (the confirmation page and signed email serve as the receipt), partial refunds from the browser console (the JSON API supports them), and a real-time new-order notification (the dashboard and outbound webhooks cover arrival today). **Added:** *Point-of-sale inventory enforcement* — Checkout reserves stock with an atomic conditional hold per shippable line before charging — insufficient stock re-renders the checkout with a clear message and charges nothing, and two concurrent buyers of the last unit resolve to exactly one sale. Payment converts holds into stock decrements, idempotently across webhook re-deliveries; cancelling a pending order releases its holds precisely, even when other shoppers hold the same SKU. Refunds do not auto-restock — returned goods re-enter stock through the operator's existing restock action, by judgment. SKUs without an inventory row remain available without limit, and pre-order campaigns are unaffected. The inventory primitive gains the hold and decrement operations its documentation previously described, and the README now reflects the actual oversell-prevention mechanism. **Changed:** *The 0.3 series rolls up* — This release follows nineteen 0.3.x patches that built out the commerce surface: server-side address validation with accessible per-field errors, digital-cart checkout without an address, delivery-date estimates, discount unlock codes with cart redemption and console authoring, full shipment-tracking timelines, consent-gated funnel analytics and an Analytics console screen, abandoned-cart visibility with single-use recovery codes, an operator-readable error log with a JSON API, order-confirmation resends, segment CSV exports, payment-processor TLS fixes verified by live payment, a dark-themed payment surface with express wallets, and a vendored-framework refresh. See the changelog for the full sequence.
|
|
12
14
|
|
|
13
15
|
## v0.3.x
|
package/README.md
CHANGED
|
@@ -97,7 +97,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
|
|
|
97
97
|
| **`lib/giftcards.js`** | Prepaid bearer gift cards. `issue({ amount_minor, currency })` generates a 16-char code (32-glyph alphabet, no ambiguous letters) via `b.crypto.generateBytes`, stores only its `namespaceHash` digest + a 4-char hint, and returns the plaintext code once. `balance(code)` / `lookup(code)` resolve a code to its live balance (constant-time hash compare); `redeem({ code, order_id, amount_minor })` decrements the balance with an atomic `balance >= amount` SQL guard so concurrent spends can't overdraw. Redeemed at checkout as a credit against the order grand total: the amount due drops by the applied balance (never below zero), the order still records the full total it owed, and the debit is recorded once per order — a card that fully covers the order is marked paid with no Stripe charge. Customers check a balance at `GET /gift-cards`; the page is not a code-existence oracle (unknown / malformed / expired all return the same generic not-found). |
|
|
98
98
|
| **`lib/gift-card-ledger.js`** | Append-only credit / debit / expire history per gift card, with a denormalized `balance_after_minor` snapshot for O(1) balance reads. `credit` / `debit` / `expire` write one row each; `history(id)` paginates a card's transactions; `transactionsForOrder(id)` lists a card's movements for one order. The audit trail behind the admin gift-card ledger console; overdraft is refused at the primitive layer. |
|
|
99
99
|
| **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
|
|
100
|
-
| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Carts** (`/admin/carts`) lists abandoned carts — active, has items, idle past a tunable window (24h default) — with line counts, value at risk, and guest/signed-in attribution; a per-cart action mints a single-use, code-gated discount the operator shares through their own channel (recovery email is impossible by design: buyer addresses are stored only as hashes, and the screen says so). **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, Carts, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
|
|
100
|
+
| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer, plus a customer-service notes thread per order (internal or customer-visible, pinnable, resolvable); **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); each customer opens to an aggregated activity timeline (orders, loyalty, wishlist, reviews, support) read from the tables those primitives already populate; customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Carts** (`/admin/carts`) lists abandoned carts — active, has items, idle past a tunable window (24h default) — with line counts, value at risk, and guest/signed-in attribution; a per-cart action mints a single-use, code-gated discount the operator shares through their own channel (recovery email is impossible by design: buyer addresses are stored only as hashes, and the screen says so). **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, Carts, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
|
|
101
101
|
| **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
|
|
102
102
|
| **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |
|
|
103
103
|
|
package/lib/admin.js
CHANGED
|
@@ -52,6 +52,12 @@ var MS_PER_HOUR = C.TIME.hours(1);
|
|
|
52
52
|
|
|
53
53
|
var AUDIT_NAMESPACE = "shop_admin";
|
|
54
54
|
|
|
55
|
+
// Newest-N bound on the order-detail customer-service notes panel + the
|
|
56
|
+
// customer-detail activity timeline. Both are bounded reads — the console
|
|
57
|
+
// renders the most recent slice rather than paginating an unbounded list.
|
|
58
|
+
var NOTES_PANEL_LIMIT = 50;
|
|
59
|
+
var ACTIVITY_PANEL_LIMIT = 50;
|
|
60
|
+
|
|
55
61
|
// Operator-readable error-log sink (lib/error-log.js), set by mount()
|
|
56
62
|
// when the deployment wires `deps.errorLog`. `_safeNotice` records the
|
|
57
63
|
// scrubbed message of a genuine 5xx here so the failure is reachable
|
|
@@ -547,6 +553,8 @@ function mount(router, deps) {
|
|
|
547
553
|
var storeCredit = deps.storeCredit || null; // per-customer store-credit panel + grant/deduct disabled when absent
|
|
548
554
|
var customerNotes = deps.customerNotes || null; // per-customer CRM notes panel disabled when absent
|
|
549
555
|
var customerSegments = deps.customerSegments || null; // per-customer segment-membership panel disabled when absent
|
|
556
|
+
var customerActivity = deps.customerActivity || null; // per-customer chronological activity-timeline panel disabled when absent
|
|
557
|
+
var orderNotes = deps.orderNotes || null; // per-order customer-service notes panel + add/lifecycle disabled when absent
|
|
550
558
|
var orderTracking = deps.orderTracking || null; // shipment/tracking panel disabled when absent
|
|
551
559
|
var salesReports = deps.salesReports || null; // /admin/reports degrades to an unconfigured notice when absent
|
|
552
560
|
var orderExport = deps.orderExport || null; // /admin/exports (date-range CSV/NDJSON dump + scheduled-export queue) disabled when absent
|
|
@@ -1777,6 +1785,16 @@ function mount(router, deps) {
|
|
|
1777
1785
|
try { splitPlans = await splitShipments.splitsForOrder(o.id); }
|
|
1778
1786
|
catch (_se) { splitPlans = []; }
|
|
1779
1787
|
}
|
|
1788
|
+
// Customer-service notes attached to the order — both visibility tiers
|
|
1789
|
+
// (internal + customer-visible), pinned-first then newest-first, bounded
|
|
1790
|
+
// to the most recent NOTES_PANEL_LIMIT. Best-effort: an unmigrated
|
|
1791
|
+
// order_notes table degrades to "no notes" rather than 500-ing the page.
|
|
1792
|
+
var notes = [];
|
|
1793
|
+
if (orderNotes) {
|
|
1794
|
+
try {
|
|
1795
|
+
notes = (await orderNotes.listForOrder({ order_id: o.id, limit: NOTES_PANEL_LIMIT })).rows || [];
|
|
1796
|
+
} catch (_ne) { notes = []; }
|
|
1797
|
+
}
|
|
1780
1798
|
_sendHtml(res, 200, renderAdminOrder({
|
|
1781
1799
|
shop_name: deps.shop_name,
|
|
1782
1800
|
nav_available: navAvailable,
|
|
@@ -1816,11 +1834,173 @@ function mount(router, deps) {
|
|
|
1816
1834
|
ship_done: url && url.searchParams.get("ship"),
|
|
1817
1835
|
label_done: url && url.searchParams.get("label"),
|
|
1818
1836
|
split_done: url && url.searchParams.get("split"),
|
|
1837
|
+
// Customer-service notes panel — renders only when the order-notes
|
|
1838
|
+
// primitive is wired (its routes mount only then). `note_done` flags a
|
|
1839
|
+
// successful add / lifecycle action (PRG); `note_err` surfaces a clean
|
|
1840
|
+
// operator-facing notice from a refused write.
|
|
1841
|
+
can_notes: !!orderNotes,
|
|
1842
|
+
notes: notes,
|
|
1843
|
+
note_done: url && url.searchParams.get("note"),
|
|
1844
|
+
note_err: url && url.searchParams.get("note_err") ? url.searchParams.get("note_err") : null,
|
|
1845
|
+
note_authors: orderNotes ? orderNotes.ALLOWED_AUTHORS : null,
|
|
1846
|
+
note_visibility: orderNotes ? orderNotes.ALLOWED_VISIBILITY : null,
|
|
1819
1847
|
notice: url && url.searchParams.get("err") ? "That action couldn't be completed for this order." : null,
|
|
1820
1848
|
}));
|
|
1821
1849
|
},
|
|
1822
1850
|
));
|
|
1823
1851
|
|
|
1852
|
+
// ---- order notes (customer-service threaded notes) ------------------
|
|
1853
|
+
//
|
|
1854
|
+
// The operator's customer-service surface on the order-detail screen: a
|
|
1855
|
+
// list of notes attached to the order (both internal + customer-visible
|
|
1856
|
+
// tiers, pinned-first then newest-first) plus an add form and the lifecycle
|
|
1857
|
+
// the order-notes primitive offers — pin / unpin (float to the top) and
|
|
1858
|
+
// resolve / reopen (close out an internal thread with a short summary). The
|
|
1859
|
+
// note body is operator free text, escaped at render and length-capped by
|
|
1860
|
+
// the primitive's validator. Every mutation is audited; the panel renders
|
|
1861
|
+
// only when the order-notes primitive is wired.
|
|
1862
|
+
if (orderNotes) {
|
|
1863
|
+
// Resolve the :id to an order. A malformed id throws inside order.get's
|
|
1864
|
+
// defensive reader — treat that as "no such order" so the route refuses
|
|
1865
|
+
// cleanly (404) rather than 500-ing.
|
|
1866
|
+
async function _resolveOrder(id) {
|
|
1867
|
+
try { return await order.get(id); }
|
|
1868
|
+
catch (e) { if (e instanceof TypeError) return null; throw e; }
|
|
1869
|
+
}
|
|
1870
|
+
|
|
1871
|
+
// A note belongs to an order. The primitive's pin / resolve / reopen move
|
|
1872
|
+
// a row by note id alone — they carry no notion of which order the
|
|
1873
|
+
// operator is acting on — so every per-note write route under :id MUST
|
|
1874
|
+
// first assert the note belongs to THAT order before mutating it, or an
|
|
1875
|
+
// operator on order A's screen could pin / resolve order B's note by
|
|
1876
|
+
// guessing its id (an IDOR). Mirrors the customer-notes
|
|
1877
|
+
// _noteBelongsToCustomer scoping. A malformed note id throws inside get's
|
|
1878
|
+
// UUID guard -> a clean 400; a well-formed unknown id (or one on a
|
|
1879
|
+
// different order) returns null -> a clean 404, with nothing written.
|
|
1880
|
+
async function _orderNoteBelongs(noteId, orderId) {
|
|
1881
|
+
var note;
|
|
1882
|
+
try { note = await orderNotes.get(noteId); }
|
|
1883
|
+
catch (e) { if (e instanceof TypeError) throw e; return false; }
|
|
1884
|
+
return (note && note.order_id === orderId) ? note : false;
|
|
1885
|
+
}
|
|
1886
|
+
|
|
1887
|
+
// ---- add a note ----------------------------------------------------
|
|
1888
|
+
// Scoped to the :id order. Defaults author "operator" + visibility
|
|
1889
|
+
// "internal" (the console never writes a system note; an operator can opt
|
|
1890
|
+
// a note customer-visible via the form's visibility select). Bad input
|
|
1891
|
+
// (empty / over-long body, bad author / visibility) is a clean 4xx with
|
|
1892
|
+
// nothing written.
|
|
1893
|
+
router.post("/admin/orders/:id/notes", _pageOrApi(false,
|
|
1894
|
+
W("order.note.add", async function (req, res) {
|
|
1895
|
+
var o = await _resolveOrder(req.params.id);
|
|
1896
|
+
if (!o) return _problem(res, 404, "order-not-found");
|
|
1897
|
+
var body = req.body || {};
|
|
1898
|
+
var note;
|
|
1899
|
+
try {
|
|
1900
|
+
note = await orderNotes.add({
|
|
1901
|
+
order_id: o.id,
|
|
1902
|
+
author: (body.author === "customer" || body.author === "system") ? body.author : "operator",
|
|
1903
|
+
visibility: body.visibility === "customer_visible" ? "customer_visible" : "internal",
|
|
1904
|
+
body: body.body,
|
|
1905
|
+
});
|
|
1906
|
+
} catch (e) {
|
|
1907
|
+
if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
|
|
1908
|
+
throw e;
|
|
1909
|
+
}
|
|
1910
|
+
_json(res, 201, note);
|
|
1911
|
+
return { id: o.id };
|
|
1912
|
+
}),
|
|
1913
|
+
async function (req, res) {
|
|
1914
|
+
var o = await _resolveOrder(req.params.id);
|
|
1915
|
+
if (!o) return _sendHtml(res, 404, renderAdminOrders({
|
|
1916
|
+
shop_name: deps.shop_name, nav_available: navAvailable, orders: [], notice: "Order not found.",
|
|
1917
|
+
}));
|
|
1918
|
+
var body = req.body || {};
|
|
1919
|
+
var enc = encodeURIComponent(o.id);
|
|
1920
|
+
try {
|
|
1921
|
+
await orderNotes.add({
|
|
1922
|
+
order_id: o.id,
|
|
1923
|
+
author: (body.author === "customer" || body.author === "system") ? body.author : "operator",
|
|
1924
|
+
visibility: body.visibility === "customer_visible" ? "customer_visible" : "internal",
|
|
1925
|
+
body: body.body,
|
|
1926
|
+
});
|
|
1927
|
+
} catch (e) {
|
|
1928
|
+
var n = _safeNotice(e, "order.note.add");
|
|
1929
|
+
return _redirect(res, "/admin/orders/" + enc +
|
|
1930
|
+
"?note_err=" + encodeURIComponent(n.message.replace(/^(?:admin|orderNotes)[.:]\s*/, "")));
|
|
1931
|
+
}
|
|
1932
|
+
b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.note.add", outcome: "success", metadata: { id: o.id } });
|
|
1933
|
+
_redirect(res, "/admin/orders/" + enc + "?note=1");
|
|
1934
|
+
},
|
|
1935
|
+
));
|
|
1936
|
+
|
|
1937
|
+
// ---- per-note lifecycle (pin / unpin / resolve / reopen) -----------
|
|
1938
|
+
// Each route asserts note-belongs-to-order BEFORE mutating, then runs the
|
|
1939
|
+
// matching primitive call. `mutate(note, body)` returns the updated note
|
|
1940
|
+
// (bearer JSON) or throws a TypeError on bad input (-> a clean 400 /
|
|
1941
|
+
// note_err redirect). A missing / cross-order note is a clean 404 (bearer)
|
|
1942
|
+
// / note_err redirect (browser); nothing is mutated on any refusal.
|
|
1943
|
+
function _orderNoteWriteRoute(routePath, audit, mutate) {
|
|
1944
|
+
router.post(routePath, _pageOrApi(false,
|
|
1945
|
+
W(audit, async function (req, res) {
|
|
1946
|
+
var o = await _resolveOrder(req.params.id);
|
|
1947
|
+
if (!o) return _problem(res, 404, "order-not-found");
|
|
1948
|
+
var owned;
|
|
1949
|
+
try { owned = await _orderNoteBelongs(req.params.noteId, o.id); }
|
|
1950
|
+
catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
|
|
1951
|
+
if (!owned) return _problem(res, 404, "note-not-found");
|
|
1952
|
+
var updated;
|
|
1953
|
+
try { updated = await mutate(owned, req.body || {}); }
|
|
1954
|
+
catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
|
|
1955
|
+
_json(res, 200, updated);
|
|
1956
|
+
return { id: o.id };
|
|
1957
|
+
}),
|
|
1958
|
+
async function (req, res) {
|
|
1959
|
+
var o = await _resolveOrder(req.params.id);
|
|
1960
|
+
if (!o) return _sendHtml(res, 404, renderAdminOrders({
|
|
1961
|
+
shop_name: deps.shop_name, nav_available: navAvailable, orders: [], notice: "Order not found.",
|
|
1962
|
+
}));
|
|
1963
|
+
var enc = encodeURIComponent(o.id);
|
|
1964
|
+
var owned;
|
|
1965
|
+
try { owned = await _orderNoteBelongs(req.params.noteId, o.id); }
|
|
1966
|
+
catch (e) {
|
|
1967
|
+
var nm = _safeNotice(e, audit);
|
|
1968
|
+
return _redirect(res, "/admin/orders/" + enc +
|
|
1969
|
+
"?note_err=" + encodeURIComponent(nm.message.replace(/^(?:admin|orderNotes)[.:]\s*/, "")));
|
|
1970
|
+
}
|
|
1971
|
+
if (!owned) {
|
|
1972
|
+
return _redirect(res, "/admin/orders/" + enc +
|
|
1973
|
+
"?note_err=" + encodeURIComponent("That note was not found on this order."));
|
|
1974
|
+
}
|
|
1975
|
+
try { await mutate(owned, req.body || {}); }
|
|
1976
|
+
catch (e) {
|
|
1977
|
+
var n = _safeNotice(e, audit);
|
|
1978
|
+
return _redirect(res, "/admin/orders/" + enc +
|
|
1979
|
+
"?note_err=" + encodeURIComponent(n.message.replace(/^(?:admin|orderNotes)[.:]\s*/, "")));
|
|
1980
|
+
}
|
|
1981
|
+
b.audit.safeEmit({ action: AUDIT_NAMESPACE + "." + audit, outcome: "success", metadata: { id: o.id } });
|
|
1982
|
+
_redirect(res, "/admin/orders/" + enc + "?note=1");
|
|
1983
|
+
},
|
|
1984
|
+
));
|
|
1985
|
+
}
|
|
1986
|
+
|
|
1987
|
+
// Pin / unpin — a pinned note floats to the top of the order's note list
|
|
1988
|
+
// (listForOrder orders pinned DESC). Idempotent at the primitive.
|
|
1989
|
+
_orderNoteWriteRoute("/admin/orders/:id/notes/:noteId/pin", "order.note.pin",
|
|
1990
|
+
function (owned) { return orderNotes.pin(owned.id); });
|
|
1991
|
+
_orderNoteWriteRoute("/admin/orders/:id/notes/:noteId/unpin", "order.note.unpin",
|
|
1992
|
+
function (owned) { return orderNotes.unpin(owned.id); });
|
|
1993
|
+
|
|
1994
|
+
// Resolve / reopen — close out an INTERNAL thread with a short (<=280-char)
|
|
1995
|
+
// operator summary, or reopen it. The primitive refuses to resolve a
|
|
1996
|
+
// customer-visible note (only internal threads carry a resolution) — that
|
|
1997
|
+
// refusal surfaces as a clean 4xx / note_err, never a 500.
|
|
1998
|
+
_orderNoteWriteRoute("/admin/orders/:id/notes/:noteId/resolve", "order.note.resolve",
|
|
1999
|
+
function (owned, body) { return orderNotes.resolve({ note_id: owned.id, resolution: body.resolution }); });
|
|
2000
|
+
_orderNoteWriteRoute("/admin/orders/:id/notes/:noteId/reopen", "order.note.reopen",
|
|
2001
|
+
function (owned) { return orderNotes.reopen(owned.id); });
|
|
2002
|
+
}
|
|
2003
|
+
|
|
1824
2004
|
// ---- audit / activity log (read-only) -------------------------------
|
|
1825
2005
|
//
|
|
1826
2006
|
// A read-only window onto the framework's tamper-evident audit chain —
|
|
@@ -3049,6 +3229,21 @@ function mount(router, deps) {
|
|
|
3049
3229
|
catch (_e) { segments = []; }
|
|
3050
3230
|
}
|
|
3051
3231
|
|
|
3232
|
+
// Chronological activity timeline — the read-only per-customer feed the
|
|
3233
|
+
// aggregator flattens from the wired source primitives (order
|
|
3234
|
+
// transitions, wishlist saves, loyalty ledger, support tickets,
|
|
3235
|
+
// reviews), newest-first, bounded to the most recent N. Best-effort: an
|
|
3236
|
+
// unmigrated source / cache table degrades the panel to "no activity"
|
|
3237
|
+
// rather than 500-ing the page.
|
|
3238
|
+
var activity = [];
|
|
3239
|
+
if (customerActivity) {
|
|
3240
|
+
try {
|
|
3241
|
+
activity = (await customerActivity.forCustomer({
|
|
3242
|
+
customer_id: customer.id, limit: ACTIVITY_PANEL_LIMIT,
|
|
3243
|
+
})).events || [];
|
|
3244
|
+
} catch (_e) { activity = []; }
|
|
3245
|
+
}
|
|
3246
|
+
|
|
3052
3247
|
return Object.assign({
|
|
3053
3248
|
shop_name: deps.shop_name,
|
|
3054
3249
|
nav_available: navAvailable,
|
|
@@ -3065,6 +3260,8 @@ function mount(router, deps) {
|
|
|
3065
3260
|
show_archived_notes: showArchivedNotes,
|
|
3066
3261
|
can_segments: !!customerSegments,
|
|
3067
3262
|
segments: segments,
|
|
3263
|
+
can_activity: !!customerActivity,
|
|
3264
|
+
activity: activity,
|
|
3068
3265
|
}, flags);
|
|
3069
3266
|
}
|
|
3070
3267
|
|
|
@@ -3096,6 +3293,7 @@ function mount(router, deps) {
|
|
|
3096
3293
|
loyalty: model.loyalty,
|
|
3097
3294
|
notes: model.notes,
|
|
3098
3295
|
segments: model.segments,
|
|
3296
|
+
activity: model.activity,
|
|
3099
3297
|
});
|
|
3100
3298
|
}),
|
|
3101
3299
|
async function (req, res) {
|
|
@@ -12664,6 +12862,18 @@ function renderAdminOrder(opts) {
|
|
|
12664
12862
|
splitPanel = _orderSplitPanel(o, opts.split_plans || []);
|
|
12665
12863
|
}
|
|
12666
12864
|
|
|
12865
|
+
// Customer-service notes panel — only when the order-notes primitive is
|
|
12866
|
+
// wired (its routes mount only then). The note body is operator free text,
|
|
12867
|
+
// escaped at render. `_orderNotesPanel` lists the notes newest-first with
|
|
12868
|
+
// their per-note lifecycle controls, then the add form.
|
|
12869
|
+
var notesPanel = "";
|
|
12870
|
+
if (opts.can_notes) {
|
|
12871
|
+
notesPanel = _orderNotesPanel(o.id, opts.notes || [],
|
|
12872
|
+
opts.note_done ? "<div class=\"banner banner--ok\">Note saved.</div>" : "",
|
|
12873
|
+
opts.note_err ? "<div class=\"banner banner--warn\">" + _htmlEscape(opts.note_err) + "</div>" : "",
|
|
12874
|
+
opts.note_authors || [], opts.note_visibility || []);
|
|
12875
|
+
}
|
|
12876
|
+
|
|
12667
12877
|
var body =
|
|
12668
12878
|
"<section class=\"mw-48\">" +
|
|
12669
12879
|
"<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin/orders\">← Orders</a></div>" +
|
|
@@ -12684,12 +12894,85 @@ function renderAdminOrder(opts) {
|
|
|
12684
12894
|
"</div>" +
|
|
12685
12895
|
documentsPanel +
|
|
12686
12896
|
resendPanel +
|
|
12897
|
+
notesPanel +
|
|
12687
12898
|
splitPanel +
|
|
12688
12899
|
trackingPanel +
|
|
12689
12900
|
"</section>";
|
|
12690
12901
|
return _renderAdminShell(opts.shop_name, "Order " + o.id.slice(0, 8), body, "orders", opts.nav_available);
|
|
12691
12902
|
}
|
|
12692
12903
|
|
|
12904
|
+
// The order-detail customer-service notes panel. Lists the order's notes
|
|
12905
|
+
// newest-first (pinned float to the top, as the primitive orders them) with
|
|
12906
|
+
// each note's tier (internal / customer-visible), author, timestamp, pins,
|
|
12907
|
+
// resolution summary, and the legal lifecycle controls — pin / unpin always,
|
|
12908
|
+
// resolve (on an active internal note) / reopen (on a resolved one). Then an
|
|
12909
|
+
// add form (body + author + visibility). The note body is operator free text,
|
|
12910
|
+
// escaped with _htmlEscape at every interpolation. Every form renders through
|
|
12911
|
+
// _renderAdminShell, which injects the _csrf field into each POST form, so no
|
|
12912
|
+
// per-form token handling is needed here.
|
|
12913
|
+
function _orderNotesPanel(orderId, notes, doneBanner, errBanner, authors, visibilities) {
|
|
12914
|
+
var enc = encodeURIComponent(orderId);
|
|
12915
|
+
var noteItems = notes.map(function (n) {
|
|
12916
|
+
var nenc = _htmlEscape(encodeURIComponent(n.id));
|
|
12917
|
+
var base = "/admin/orders/" + _htmlEscape(enc) + "/notes/" + nenc;
|
|
12918
|
+
var isPinned = Number(n.pinned) === 1;
|
|
12919
|
+
var isInternal = n.visibility === "internal";
|
|
12920
|
+
var isResolved = n.resolved_at != null;
|
|
12921
|
+
var pills =
|
|
12922
|
+
"<span class=\"status-pill " + (isInternal ? "pending" : "shipped") + "\">" +
|
|
12923
|
+
_htmlEscape(isInternal ? "Internal" : "Customer-visible") + "</span>" +
|
|
12924
|
+
(isPinned ? "<span class=\"status-pill paid\">Pinned</span>" : "") +
|
|
12925
|
+
(isResolved ? "<span class=\"status-pill refunded\">Resolved</span>" : "");
|
|
12926
|
+
var pinForm = "<form method=\"post\" action=\"" + base + (isPinned ? "/unpin" : "/pin") + "\" class=\"form-inline\">" +
|
|
12927
|
+
"<button class=\"btn btn--ghost\" type=\"submit\">" + (isPinned ? "Unpin" : "Pin") + "</button></form>";
|
|
12928
|
+
// Resolve / reopen apply only to internal threads (the primitive refuses a
|
|
12929
|
+
// customer-visible resolve). An active internal note offers a resolve form
|
|
12930
|
+
// (with the required summary); a resolved one offers reopen.
|
|
12931
|
+
var resolveForm = "";
|
|
12932
|
+
if (isInternal) {
|
|
12933
|
+
resolveForm = isResolved
|
|
12934
|
+
? "<form method=\"post\" action=\"" + base + "/reopen\" class=\"form-inline\">" +
|
|
12935
|
+
"<button class=\"btn btn--ghost\" type=\"submit\">Reopen</button></form>"
|
|
12936
|
+
: "<form method=\"post\" action=\"" + base + "/resolve\" class=\"return-action\">" +
|
|
12937
|
+
"<input type=\"text\" name=\"resolution\" placeholder=\"Resolution summary\" maxlength=\"280\" aria-label=\"Resolution summary\" required>" +
|
|
12938
|
+
"<button class=\"btn\" type=\"submit\">Resolve</button></form>";
|
|
12939
|
+
}
|
|
12940
|
+
var resolutionLine = (isResolved && n.resolution)
|
|
12941
|
+
? "<div class=\"note-meta\">Resolution: " + _htmlEscape(String(n.resolution)) + "</div>"
|
|
12942
|
+
: "";
|
|
12943
|
+
return "<li class=\"note-item\">" +
|
|
12944
|
+
"<div class=\"note-meta\">" + _htmlEscape(String(n.author)) + " · " + _htmlEscape(_fmtDate(n.created_at)) +
|
|
12945
|
+
" " + pills + "</div>" +
|
|
12946
|
+
"<div class=\"note-body\">" + _htmlEscape(String(n.body)) + "</div>" +
|
|
12947
|
+
resolutionLine +
|
|
12948
|
+
"<div class=\"actions-row\">" + pinForm + resolveForm + "</div>" +
|
|
12949
|
+
"</li>";
|
|
12950
|
+
}).join("");
|
|
12951
|
+
var authorOpts = (authors || []).map(function (a) {
|
|
12952
|
+
return "<option value=\"" + _htmlEscape(a) + "\"" + (a === "operator" ? " selected" : "") + ">" + _htmlEscape(a) + "</option>";
|
|
12953
|
+
}).join("");
|
|
12954
|
+
var visibilityOpts = (visibilities || []).map(function (v) {
|
|
12955
|
+
return "<option value=\"" + _htmlEscape(v) + "\"" + (v === "internal" ? " selected" : "") + ">" +
|
|
12956
|
+
_htmlEscape(v === "customer_visible" ? "Customer-visible" : v) + "</option>";
|
|
12957
|
+
}).join("");
|
|
12958
|
+
return "<div class=\"panel mt\"><h3 class=\"subhead\">Customer-service notes</h3>" +
|
|
12959
|
+
doneBanner + errBanner +
|
|
12960
|
+
"<p class=\"meta\">Threaded notes attached to this order. Internal notes are operator-only; customer-visible notes surface on the customer's order page. Pin the notes every shift should see first; resolve an internal thread with a short summary once it's handled.</p>" +
|
|
12961
|
+
(notes.length
|
|
12962
|
+
? "<ul class=\"note-list\">" + noteItems + "</ul>"
|
|
12963
|
+
: "<p class=\"empty\">No notes on this order yet.</p>") +
|
|
12964
|
+
"<form method=\"post\" action=\"/admin/orders/" + _htmlEscape(enc) + "/notes\">" +
|
|
12965
|
+
"<label class=\"form-field\"><span>Note</span>" +
|
|
12966
|
+
"<textarea name=\"body\" required maxlength=\"8000\" rows=\"3\" placeholder=\"e.g. Buyer asked to delay shipment until Monday\"></textarea></label>" +
|
|
12967
|
+
"<div class=\"two-col\">" +
|
|
12968
|
+
"<label class=\"form-field\"><span>Author</span><select name=\"author\">" + authorOpts + "</select></label>" +
|
|
12969
|
+
"<label class=\"form-field\"><span>Visibility</span><select name=\"visibility\">" + visibilityOpts + "</select></label>" +
|
|
12970
|
+
"</div>" +
|
|
12971
|
+
"<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add note</button></div>" +
|
|
12972
|
+
"</form>" +
|
|
12973
|
+
"</div>";
|
|
12974
|
+
}
|
|
12975
|
+
|
|
12693
12976
|
// Per-shipment carrier-label sub-panel for the order detail. Lists the
|
|
12694
12977
|
// recorded labels (tracking number, broker, cost, status pill) with a
|
|
12695
12978
|
// "Mark used" action on purchased ones, then a form to record a freshly-
|
|
@@ -13260,11 +13543,41 @@ function renderAdminCustomerDetail(opts) {
|
|
|
13260
13543
|
"</div>";
|
|
13261
13544
|
}
|
|
13262
13545
|
|
|
13546
|
+
// ---- activity timeline (read-only) ---------------------------------
|
|
13547
|
+
// The chronological per-customer feed the customerActivity aggregator
|
|
13548
|
+
// flattens from the wired source primitives, newest-first. Read-only — the
|
|
13549
|
+
// operator never writes an event here; every row originates in a source
|
|
13550
|
+
// primitive's own table. title / body / actor are escaped (title is a fixed
|
|
13551
|
+
// canonical string per kind, but body can carry source free text — a review
|
|
13552
|
+
// title, a ticket subject — so both pass through _htmlEscape).
|
|
13553
|
+
var activityPanel = "";
|
|
13554
|
+
if (opts.can_activity) {
|
|
13555
|
+
var activityRows = (opts.activity || []).map(function (e) {
|
|
13556
|
+
var link = (typeof e.link === "string" && e.link.charAt(0) === "/") ? e.link : null;
|
|
13557
|
+
var titleCell = link
|
|
13558
|
+
? "<a href=\"" + _htmlEscape(link) + "\">" + _htmlEscape(String(e.title || e.kind)) + "</a>"
|
|
13559
|
+
: _htmlEscape(String(e.title || e.kind));
|
|
13560
|
+
return "<li class=\"note-item\">" +
|
|
13561
|
+
"<div class=\"note-meta\">" + _htmlEscape(_fmtDate(e.occurred_at)) +
|
|
13562
|
+
" · <code class=\"order-id\">" + _htmlEscape(String(e.kind)) + "</code>" +
|
|
13563
|
+
(e.actor ? " · " + _htmlEscape(String(e.actor)) : "") + "</div>" +
|
|
13564
|
+
"<div class=\"note-body\">" + titleCell +
|
|
13565
|
+
(e.body ? " <span class=\"meta\">" + _htmlEscape(String(e.body)) + "</span>" : "") + "</div>" +
|
|
13566
|
+
"</li>";
|
|
13567
|
+
}).join("");
|
|
13568
|
+
activityPanel = "<div class=\"panel\"><h3 class=\"subhead\">Activity</h3>" +
|
|
13569
|
+
"<p class=\"meta\">A read-only chronological feed of this customer's recent events — orders, wishlist saves, loyalty changes, support tickets, and reviews — newest first. Each event lives in its source record; nothing is edited here.</p>" +
|
|
13570
|
+
((opts.activity || []).length
|
|
13571
|
+
? "<ul class=\"note-list\">" + activityRows + "</ul>"
|
|
13572
|
+
: "<p class=\"empty\">No recorded activity yet.</p>") +
|
|
13573
|
+
"</div>";
|
|
13574
|
+
}
|
|
13575
|
+
|
|
13263
13576
|
var body = "<section>" +
|
|
13264
13577
|
"<div class=\"actions-row\"><h2>" + _htmlEscape(c.display_name) + "</h2>" +
|
|
13265
13578
|
"<a class=\"btn btn--ghost\" href=\"/admin/customers\"><span aria-hidden=\"true\">←</span> All customers</a></div>" +
|
|
13266
13579
|
saved +
|
|
13267
|
-
identity + ordersPanel + creditPanel + loyaltyPanel + notesPanel + segmentsPanel +
|
|
13580
|
+
identity + ordersPanel + creditPanel + loyaltyPanel + notesPanel + segmentsPanel + activityPanel +
|
|
13268
13581
|
"</section>";
|
|
13269
13582
|
return _renderAdminShell(opts.shop_name, c.display_name || "Customer", body, "customers", opts.nav_available);
|
|
13270
13583
|
}
|
package/lib/asset-manifest.json
CHANGED
package/package.json
CHANGED