@blamejs/blamejs-shop 0.4.1 → 0.4.3

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.3 (2026-06-05) — **Passkey sign-in works again: WebAuthn is permitted on the pages that host it.** The framework's deny-all Permissions-Policy disabled the browser's WebAuthn API everywhere — including the sign-in page's own top-level document — so attempting a passkey sign-in failed with the browser reporting that publickey-credentials-get is not enabled. The policy now permits exactly the WebAuthn capability each ceremony page needs: credential assertion on the sign-in page, credential creation on the registration and passkey-management pages, both scoped to the page's own origin. Every other page keeps the strict deny-all policy, and every other feature (camera, microphone, geolocation, payment outside the payment page) remains denied on the ceremony pages too. **Fixed:** *Passkey ceremonies are no longer blocked by Permissions-Policy* — Sign-in carries publickey-credentials-get=(self); registration and passkey management carry publickey-credentials-create=(self). The allowance is scoped per route following the same pattern the payment page uses, grants apply only to the page's own origin (no cross-origin delegation), and unrecognized feature requests relax nothing. Tests assert the exact header tokens per route and that unrelated pages still deny both WebAuthn features.
+
+- v0.4.2 (2026-06-05) — **Abandoned checkouts release their stock holds, and five more inventory and admin hardening fixes.** The inventory enforcement introduced in 0.4.0 placed a stock hold at checkout but had no path to free it when a buyer abandoned without paying or cancelling — each abandoned checkout permanently subtracted from sellable stock until an operator intervened. A scheduled reaper now cancels pending orders older than a configurable age (default two hours), cancelling the payment intent first so a late payment can never complete against a reaped order, and releasing the held stock through the existing cancellation path. Around it, five more fixes harden the same surface: settlement failures during payment confirmation no longer strand holds silently (each item settles independently and failures land in the operator error log with the exact item and quantity), a rollback path no longer releases holds belonging to an order that was successfully created, pre-order campaigns whose launch date has passed now enforce real stock limits instead of remaining exempt, the admin activity timeline rejects protocol-relative link targets, and activity reads are bounded instead of scanning a customer's full history per page view. **Fixed:** *Stock holds from abandoned checkouts are reclaimed* — A pending order that never completes payment now has its stock hold released automatically. The scheduled reaper cancels pending orders older than CHECKOUT_PENDING_TTL_MINUTES (default 120, minimum 5; invalid values refuse to boot). For card payments the payment intent is cancelled at the processor before the order is touched — if the processor reports the payment already succeeded, the order is left alone for the webhook to settle. Each sweep reports counts of reaped, skipped, and errored orders. · *Payment settlement is crash-safe per item* — When an order is marked paid, each line's stock decrement now settles independently: one item's database failure no longer blocks the others, no longer fails the payment webhook, and is captured to the operator error log naming the item, quantity, and order so the operator can reconcile stock from the existing adjustment screen. · *Checkout rollback no longer releases holds it does not own* — If checkout fails after the order record was created, the error path previously released all of the attempt's stock holds — which could free units belonging to the order itself or, on a shared item, a concurrent shopper's reservation. Holds are now released on failure only when no order was created; once an order exists it owns its holds, and cancellation or the reaper frees them. The same correction applies to the PayPal order-creation path. · *Pre-order campaigns enforce stock after their launch date* — An active pre-order campaign exempts its product from stock holds by design — pre-orders sell beyond the shelf. That exemption now ends when the campaign's launch date passes: a launched product sells from real inventory even if the campaign has not yet been moved out of its pre-order state in the console. · *Admin activity links and reads hardened* — The customer activity timeline's internal-link guard now rejects protocol-relative targets, and each activity source is read with a bound matching the requested page instead of scanning the customer's entire history. Pagination, ordering, and the summary counts are unchanged.
+
 - v0.4.1 (2026-06-05) — **Order notes and a customer activity timeline in the admin console.** Two operator surfaces land in the admin console. Every order detail screen gains a customer-service notes thread: operators record internal notes or customer-visible ones, pin the important thread to the top, and mark issues resolved or reopen them — with note bodies length-bounded, control-character-rejected, and escaped at render. Every customer detail screen gains a read-only activity timeline aggregating what that customer has done across the store — orders placed and their lifecycle transitions, loyalty points earned, wishlist additions, reviews submitted, and support tickets opened — read directly from the tables those features already populate, newest first. Both panels appear only when their backing modules are wired, and every note mutation is ownership-scoped to its order and audited. **Added:** *Customer-service notes on order detail* — The admin order screen shows a notes thread with pinned notes floated first and the rest newest-first. Operators add notes as internal (the default) or customer-visible, pin and unpin them, and resolve or reopen them with a short resolution summary; resolving a customer-visible note is refused so customer-facing context is never silently closed out. Bodies are validated server-side (8000-character cap, control characters rejected) and HTML-escaped at render. Each mutation verifies the note belongs to the order in the URL before acting, returns clean errors for unknown or malformed identifiers, and emits an audit event. The same surface is available as JSON under the admin bearer token. · *Customer activity timeline on customer detail* — The admin customer screen shows an aggregated, newest-first activity feed: order placements and status transitions, loyalty point movements, wishlist additions, review submissions, and support tickets. The timeline is a read-only view over the tables those features already write — no new tracking or recording was added anywhere in the request path. The panel shows the most recent fifty events, links each event to its admin screen where one exists, and renders an explicit empty state for customers with no history. The same feed is available as JSON under the admin bearer token.
 
 - v0.4.0 (2026-06-05) — **Inventory is enforced at the point of sale, completing the transactions, checkout, and analytics surface.** Stock levels were previously display-only: the product page showed honest availability, but nothing reserved inventory at checkout or debited it on a sale, so concurrent buyers could oversell a SKU and stock counts never moved. Checkout now places an atomic per-SKU hold before any charge — a sold-out line re-renders the form with a friendly message instead of charging — and the order lifecycle settles the hold: payment converts it to a real stock decrement (idempotent across webhook re-deliveries), cancellation releases it, and refunds deliberately leave restocking to the operator's judgment. Untracked SKUs remain unlimited, and pre-order campaigns keep their own reservation flow. The README previously described an oversell-prevention mechanism that was not actually wired; it now describes the real one. This minor release caps the transactions, checkout, and analytics arc: server-validated addresses and digital-cart checkout, discount codes with console authoring, gift cards, loyalty, store pickup, a dark-themed Stripe payment surface with express wallets and verified 3-D Secure, shipment tracking timelines, consent-gated funnel analytics with an admin dashboard, abandoned-cart visibility with honest recovery codes, operator error logs, and confirmation resends. Known, documented deferrals: customer receipt downloads (the confirmation page and signed email serve as the receipt), partial refunds from the browser console (the JSON API supports them), and a real-time new-order notification (the dashboard and outbound webhooks cover arrival today). **Added:** *Point-of-sale inventory enforcement* — Checkout reserves stock with an atomic conditional hold per shippable line before charging — insufficient stock re-renders the checkout with a clear message and charges nothing, and two concurrent buyers of the last unit resolve to exactly one sale. Payment converts holds into stock decrements, idempotently across webhook re-deliveries; cancelling a pending order releases its holds precisely, even when other shoppers hold the same SKU. Refunds do not auto-restock — returned goods re-enter stock through the operator's existing restock action, by judgment. SKUs without an inventory row remain available without limit, and pre-order campaigns are unaffected. The inventory primitive gains the hold and decrement operations its documentation previously described, and the README now reflects the actual oversell-prevention mechanism. **Changed:** *The 0.3 series rolls up* — This release follows nineteen 0.3.x patches that built out the commerce surface: server-side address validation with accessible per-field errors, digital-cart checkout without an address, delivery-date estimates, discount unlock codes with cart redemption and console authoring, full shipment-tracking timelines, consent-gated funnel analytics and an Analytics console screen, abandoned-cart visibility with single-use recovery codes, an operator-readable error log with a JSON API, order-confirmation resends, segment CSV exports, payment-processor TLS fixes verified by live payment, a dark-themed payment surface with express wallets, and a vendored-framework refresh. See the changelog for the full sequence.

package/SECURITY.md

@@ -180,6 +180,17 @@ node -e "
   Redemption decrements with an atomic `balance >= amount` SQL guard
   keyed on the order id, so concurrent or replayed checkouts can never
   overdraw a card or apply more than the remaining balance.
+- **Abandoned checkouts don't strand stock forever.** Checkout reserves
+  stock with an atomic conditional hold before charging; an order whose
+  buyer abandons the payment sheet (or whose PaymentIntent expires) would
+  otherwise hold that stock indefinitely. A background tick cancels
+  pending orders older than `CHECKOUT_PENDING_TTL_MINUTES` (default 120,
+  minimum 5) so their holds release back to the shelf. For a Stripe order
+  the tick cancels the PaymentIntent FIRST — if Stripe reports the payment
+  already succeeded, the order is left pending for the webhook to settle,
+  so a reap can never cancel an order whose payment completed. Tune the
+  TTL to the longest payment flow you support (slow 3-D Secure, manual
+  bank pushes) so a legitimate in-progress checkout is never reaped.
 - **Loyalty points are account-scoped money — earned and spent under
   the same double-spend discipline.** The `/account/loyalty` page and
   the redeem actions are login-gated and read the customer id from the

package/lib/admin.js

@@ -13553,7 +13553,11 @@ function renderAdminCustomerDetail(opts) {
   var activityPanel = "";
   if (opts.can_activity) {
     var activityRows = (opts.activity || []).map(function (e) {
-      var link = (typeof e.link === "string" && e.link.charAt(0) === "/") ? e.link : null;
+      // Same-origin path only: a leading "/" that is NOT "//" — a
+      // protocol-relative "//evil.example/x" also starts with "/" but
+      // resolves to an off-site origin, and _htmlEscape leaves "/"
+      // untouched, so it would survive into a working cross-origin href.
+      var link = (typeof e.link === "string" && e.link.charAt(0) === "/" && e.link.charAt(1) !== "/") ? e.link : null;
       var titleCell = link
         ? "<a href=\"" + _htmlEscape(link) + "\">" + _htmlEscape(String(e.title || e.kind)) + "</a>"
         : _htmlEscape(String(e.title || e.kind));

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.1",
+  "version": "0.4.3",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",

package/lib/checkout.js

@@ -606,7 +606,24 @@ function create(deps) {
   async function _holdExempt(sku) {
     if (preorder && typeof preorder.openCampaignForSku === "function") {
       try {
-        if (await preorder.openCampaignForSku(sku)) return true;
+        var campaign = await preorder.openCampaignForSku(sku);
+        // A pre-order line sells beyond the shelf only while the campaign
+        // is genuinely pre-launch: before `launch_at` the unit isn't
+        // released yet, so the hold is deliberately skipped. ONCE
+        // `launch_at` has passed, the SKU is selling against real stock —
+        // keep it hold-exempt and a past-launch campaign that the operator
+        // never manually flipped to `launched` would oversell real
+        // inventory without bound. So past-launch_at → NOT exempt (holds
+        // apply). openCampaignForSku's own semantics are unchanged (the
+        // storefront PDP CTA still keys off the active row); the launch_at
+        // gate lives here, on the buy path. A campaign with no launch_at
+        // is treated as still-pre-launch (exempt).
+        if (campaign) {
+          var launchAt = campaign.launch_at == null ? null : Number(campaign.launch_at);
+          if (launchAt == null || !Number.isFinite(launchAt) || launchAt > Date.now()) {
+            return true;
+          }
+        }
       } catch (_e) { /* not exempt on lookup failure */ }
     }
     if (backorder && typeof backorder.availabilityFor === "function") {
@@ -660,10 +677,12 @@ function create(deps) {
 
   // Best-effort release of a set of placed holds (the rollback path).
   // Drop-silent per hold: a release failure must not mask the original
-  // error that triggered the rollback, and the TTL-free holds here are
-  // only ever consumed by the paid decrement or cleared by a cancel, so
-  // a missed release self-heals when the abandoned pending order is later
-  // cancelled / expired.
+  // error that triggered the rollback. This path runs ONLY when no pending
+  // order was created (the conditional rollback in confirm) — once an order
+  // exists it owns its holds, and the only thing that frees them is the
+  // paid decrement, an explicit cancel, or the stale-pending-order reaper
+  // (`reapStalePending`), driven once a minute by the worker cron, which
+  // cancels pending orders older than the TTL so their holds release.
   async function _releaseStockHolds(holds) {
     if (!Array.isArray(holds)) return;
     for (var i = 0; i < holds.length; i += 1) {
@@ -821,10 +840,19 @@ function create(deps) {
       // before the order is committed, so a refused gift-card / payment
       // error never strands held stock.
       var stockHolds = await _placeStockHolds(quote.lines);
+      // Conditional rollback: the catch releases the placed holds ONLY when
+      // no pending order was created. Once createFromCart succeeds, the
+      // order row OWNS those holds — releasing them here would double-free
+      // (the paid decrement / cancel release, or the stale-pending reaper,
+      // settles them once the order exists), and a floored blanket release
+      // could even eat a CONCURRENT shopper's hold on the same SKU. The
+      // context object is mutated inside _confirmAfterHolds the instant the
+      // order is created.
+      var rollbackCtx = { orderCreated: false };
       try {
-        return await this._confirmAfterHolds(input, quote, email, stockHolds);
+        return await this._confirmAfterHolds(input, quote, email, stockHolds, rollbackCtx);
       } catch (e) {
-        await _releaseStockHolds(stockHolds);
+        if (!rollbackCtx.orderCreated) await _releaseStockHolds(stockHolds);
         throw e;
       }
     },
@@ -835,8 +863,11 @@ function create(deps) {
     // Stripe-intent) both live inside that guard. Internal — invoked only
     // through confirm() above (hence the `_` prefix); `stockHolds` is the
     // list of placed holds, which both terminal paths leave in place (the
-    // pending order owns them until paid / cancelled).
-    _confirmAfterHolds: async function (input, quote, email, stockHolds) {
+    // pending order owns them until paid / cancelled). `rollbackCtx` is the
+    // mutable flag the catch reads: set `orderCreated` true the moment a
+    // pending order exists so a LATER throw doesn't release holds the order
+    // now owns.
+    _confirmAfterHolds: async function (input, quote, email, stockHolds, rollbackCtx) {
       // Already validated in confirm() above; re-read here since the PI
       // creation moved into this split-out body.
       var idempotencyKey = input.idempotency_key;
@@ -906,6 +937,9 @@ function create(deps) {
           customer_email_hash: emailHash,
           lines:             orderLines,
         });
+        // The pending order now owns the holds — a throw from here on must
+        // NOT blanket-release them (see the conditional rollback in confirm).
+        if (rollbackCtx) rollbackCtx.orderCreated = true;
         if (gc) await _redeemGiftCard(gc, paidOrder.id);
         if (loy) await _redeemLoyalty(loy, loyaltyCustomerId, paidOrder.id);
         // Best-effort: record the auto-discount redemptions against the
@@ -962,6 +996,11 @@ function create(deps) {
         customer_email_hash: emailHash,
         lines:             orderLines,
       });
+      // The pending order now owns the holds — a throw from here on (gift-card
+      // burn, discount recording) must NOT blanket-release them (see the
+      // conditional rollback in confirm). The reaper / cancel / paid edge
+      // settles them now that the order exists.
+      if (rollbackCtx) rollbackCtx.orderCreated = true;
 
       // Burn the gift-card + loyalty credits against the created order.
       // Runs after the order row exists so a failed order never spends
@@ -995,6 +1034,93 @@ function create(deps) {
       };
     },
 
+    // Stale-pending-order reaper. A pending order whose buyer abandoned the
+    // payment sheet (Stripe / PayPal) or whose PaymentIntent expired holds
+    // its reserved stock forever — `confirm` places the holds and creates
+    // the pending order, but the only hold-freeing FSM edges are
+    // pending→paid (decrement) and pending→cancelled (release), and nothing
+    // fires the cancel automatically. This reaper, driven once a minute by
+    // the worker cron's `/_/stale-order-reap` tick, cancels orders older
+    // than the TTL so their holds release.
+    //
+    // Per order, Stripe-paid orders: cancel the PaymentIntent FIRST so a
+    // late authorization can't complete AFTER we cancel the order. If Stripe
+    // reports the PI already succeeded / is not cancelable
+    // (`payment_intent_unexpected_state`, or any non-success cancel), SKIP
+    // the order — the webhook has settled or will settle it, and cancelling
+    // an order whose payment may have completed would lose a real sale.
+    // Only after a clean PI cancel (or for an order with no Stripe
+    // PaymentIntent — a PayPal-created order, whose capture path guards on
+    // local status so reaping first is safe, or a zero-amount leftover) do
+    // we fire the cancel transition, which releases the holds via the
+    // existing path.
+    //
+    // Per-order failures are drop-silent + continue (hot-path sink tier) but
+    // COUNTED in the returned summary so the operator sees the reap's shape.
+    // `ttlMinutes` is validated config-time by the caller (the tick handler
+    // throws on garbage at boot); defended here too with a documented
+    // default so a direct call is never unsafe.
+    reapStalePending: async function (opts) {
+      opts = opts || {};
+      var ttlMinutes = opts.ttl_minutes;
+      if (ttlMinutes == null) ttlMinutes = 120;
+      if (typeof ttlMinutes !== "number" || !isFinite(ttlMinutes) || !Number.isInteger(ttlMinutes) || ttlMinutes < 5) {
+        throw new TypeError("checkout.reapStalePending: ttl_minutes must be an integer >= 5");
+      }
+      var nowMs    = typeof opts.now === "number" ? opts.now : Date.now();
+      var cutoffTs = nowMs - b.constants.TIME.minutes(ttlMinutes);
+      var batchLimit = opts.limit == null ? 100 : opts.limit;
+
+      var summary = {
+        scanned:        0,
+        reaped:         0,   // cancelled (holds released)
+        skipped_paid:   0,   // PI already succeeded / not cancelable — left pending
+        errored:        0,   // a per-order failure, dropped + counted
+      };
+
+      var stale;
+      try {
+        stale = (await order.listStalePending(cutoffTs, batchLimit)).rows;
+      } catch (e) {
+        // The candidate read itself failed — surface it in the summary
+        // rather than throwing out of the tick (which would 5xx the cron).
+        return Object.assign({ ok: false, error: (e && e.message) || String(e) }, summary);
+      }
+      summary.scanned = stale.length;
+
+      for (var i = 0; i < stale.length; i += 1) {
+        var row = stale[i];
+        try {
+          var piId = row.payment_intent_id;
+          // A Stripe PaymentIntent id is `pi_…`; a PayPal order id is opaque
+          // (no `pi_` prefix) and has no cancel API for an unapproved order
+          // (its capture path guards on local status, so reaping first can
+          // never double-charge). Only the Stripe case needs a pre-cancel.
+          var isStripePi = typeof piId === "string" && piId.indexOf("pi_") === 0;
+          if (isStripePi && payment && typeof payment.cancelPaymentIntent === "function") {
+            try {
+              await payment.cancelPaymentIntent(piId);
+            } catch (_cancelErr) {
+              // PI already succeeded / not cancelable → the webhook owns this
+              // order's settlement. Leave it pending; never cancel an order
+              // whose payment may have completed.
+              summary.skipped_paid += 1;
+              continue;
+            }
+          }
+          // PI cancelled cleanly (or no Stripe PI) — release the holds by
+          // cancelling the order through the existing FSM edge.
+          await order.transition(row.id, "cancel", { reason: "stale-pending-reap" });
+          summary.reaped += 1;
+        } catch (_e) {
+          // drop-silent per order — by design (hot-path sink): one bad order
+          // must not poison the sweep. Counted so the operator sees it.
+          summary.errored += 1;
+        }
+      }
+      return Object.assign({ ok: true }, summary);
+    },
+
     // Verify a Stripe webhook payload and dispatch the order
     // transition. Returns { handled, order?, event_type }.
     handleStripeEvent: async function (input) {
@@ -1091,6 +1217,14 @@ function create(deps) {
       // here (no PayPal order created). Released on any throw before the
       // local order row commits.
       var ppHolds = await _placeStockHolds(quote.lines);
+      // Conditional rollback, identical discipline to the Stripe confirm:
+      // release the placed holds ONLY when no pending order was created.
+      // Once createFromCart succeeds the order owns the holds; releasing
+      // them here would double-free and could eat a concurrent shopper's
+      // hold on the same SKU. A pending PayPal order that the buyer never
+      // approves is reaped by the stale-pending reaper (no PayPal-side
+      // cancel needed — the capture path guards on local status).
+      var ppOrderCreated = false;
       try {
       // Resolve an optional gift-card credit before opening the PayPal
       // order so a bad code fails without a remote round-trip.
@@ -1121,6 +1255,7 @@ function create(deps) {
           customer_email_hash: emailHash,
           lines:               ppLines,
         });
+        ppOrderCreated = true;
         await _redeemGiftCard(gc, paidOrder.id);
         await cart.setStatus(quote.cart_id, "converted");
         var settled = await order.transition(paidOrder.id, "mark_paid", { reason: "gift_card:full" });
@@ -1149,13 +1284,15 @@ function create(deps) {
         customer_email_hash: emailHash,
         lines:               ppLines,
       });
+      ppOrderCreated = true;
       if (gc) await _redeemGiftCard(gc, createdOrder.id);
       await cart.setStatus(quote.cart_id, "converted");
       return { order: createdOrder, paypal_order_id: ppOrder.id, status: ppOrder.status, gift_card: gc ? { applied_minor: gc.applied_minor, amount_due_minor: amountDue } : null };
       } catch (e) {
-        // Any throw before the order row commits (PayPal open failure,
+        // A throw BEFORE the order row commits (PayPal open failure,
         // gift-card error) releases the holds so PayPal can't strand stock.
-        await _releaseStockHolds(ppHolds);
+        // After the order commits it owns the holds — don't blanket-release.
+        if (!ppOrderCreated) await _releaseStockHolds(ppHolds);
         throw e;
       }
     },

package/lib/customer-activity.js

@@ -248,7 +248,11 @@ function create(opts) {
   // the aggregator). Missing peers collapse to an empty list so the
   // aggregator stays the same shape regardless of wiring.
 
-  async function _collectOrderEvents(customerId, fromTs, toTs) {
+  // A read bound is "active" only for a positive integer; null / undefined
+  // (the summary path) means read everything, as before.
+  function _isBound(n) { return Number.isInteger(n) && n > 0; }
+
+  async function _collectOrderEvents(customerId, fromTs, toTs, boundLimit) {
     if (!orderPeer) return [];
     var sql = "SELECT ot.order_id, ot.from_state, ot.to_state, ot.on_event, " +
               "ot.reason, ot.occurred_at " +
@@ -259,7 +263,11 @@ function create(opts) {
     var idx = 2;
     if (fromTs != null) { sql += " AND ot.occurred_at >= ?" + idx; params.push(fromTs); idx += 1; }
     if (toTs   != null) { sql += " AND ot.occurred_at <= ?" + idx; params.push(toTs);   idx += 1; }
-    sql += " ORDER BY ot.occurred_at ASC";
+    // Bounded read: newest-N (DESC + LIMIT) when the paginated caller supplies
+    // a bound; the aggregator re-sorts newest-first so the DESC here is just
+    // the read order. Unbounded (summary path) keeps the full ASC scan.
+    if (_isBound(boundLimit)) { sql += " ORDER BY ot.occurred_at DESC LIMIT ?" + idx; params.push(boundLimit); }
+    else                      { sql += " ORDER BY ot.occurred_at ASC"; }
     var rows = (await query(sql, params)).rows;
     var out = [];
     for (var i = 0; i < rows.length; i += 1) {
@@ -278,7 +286,7 @@ function create(opts) {
     return out;
   }
 
-  async function _collectWishlistEvents(customerId, fromTs, toTs) {
+  async function _collectWishlistEvents(customerId, fromTs, toTs, boundLimit) {
     if (!wishlistPeer) return [];
     var sql = "SELECT id, product_id, variant_id, notes, created_at " +
               "FROM wishlist_entries WHERE customer_id = ?1";
@@ -286,7 +294,8 @@ function create(opts) {
     var idx = 2;
     if (fromTs != null) { sql += " AND created_at >= ?" + idx; params.push(fromTs); idx += 1; }
     if (toTs   != null) { sql += " AND created_at <= ?" + idx; params.push(toTs);   idx += 1; }
-    sql += " ORDER BY created_at ASC";
+    if (_isBound(boundLimit)) { sql += " ORDER BY created_at DESC LIMIT ?" + idx; params.push(boundLimit); }
+    else                      { sql += " ORDER BY created_at ASC"; }
     var rows = (await query(sql, params)).rows;
     var out = [];
     for (var i = 0; i < rows.length; i += 1) {
@@ -303,7 +312,7 @@ function create(opts) {
     return out;
   }
 
-  async function _collectLoyaltyEvents(customerId, fromTs, toTs) {
+  async function _collectLoyaltyEvents(customerId, fromTs, toTs, boundLimit) {
     if (!loyaltyPeer) return [];
     var sql = "SELECT id, transaction_type, points, source, order_id, notes, " +
               "occurred_at FROM loyalty_transactions WHERE customer_id = ?1";
@@ -311,7 +320,8 @@ function create(opts) {
     var idx = 2;
     if (fromTs != null) { sql += " AND occurred_at >= ?" + idx; params.push(fromTs); idx += 1; }
     if (toTs   != null) { sql += " AND occurred_at <= ?" + idx; params.push(toTs);   idx += 1; }
-    sql += " ORDER BY occurred_at ASC";
+    if (_isBound(boundLimit)) { sql += " ORDER BY occurred_at DESC LIMIT ?" + idx; params.push(boundLimit); }
+    else                      { sql += " ORDER BY occurred_at ASC"; }
     var rows = (await query(sql, params)).rows;
     var out = [];
     for (var i = 0; i < rows.length; i += 1) {
@@ -331,19 +341,27 @@ function create(opts) {
     return out;
   }
 
-  async function _collectSupportEvents(customerId, fromTs, toTs) {
+  async function _collectSupportEvents(customerId, fromTs, toTs, boundLimit) {
     if (!supportPeer) return [];
     // The support_tickets row contributes an "opened" event at
     // opened_at and a "resolved" event at resolved_at when stamped.
     // The bounded-window filter is applied per-event after
     // splitting (a ticket opened inside the window but resolved
-    // outside still surfaces its opened event).
-    var rows = (await query(
-      "SELECT id, subject, category, status, priority, opened_at, " +
-      "resolved_at, closed_at FROM support_tickets WHERE customer_id = ?1 " +
-      "ORDER BY opened_at ASC",
-      [customerId],
-    )).rows;
+    // outside still surfaces its opened event). Bounded read: order by
+    // the ticket's NEWEST event timestamp — MAX(opened_at, resolved_at)
+    // — not opened_at alone, or an old ticket resolved recently would
+    // be dropped and its resolved event would vanish from the page.
+    // Every event in the true newest-`boundLimit` set belongs to a
+    // ticket whose newest-event timestamp is at least that event's, so
+    // the newest `boundLimit` tickets under this ordering cover any
+    // single page of `boundLimit` events. Unbounded (summary path)
+    // keeps the full ASC scan for exact windowed counts.
+    var supSql = "SELECT id, subject, category, status, priority, opened_at, " +
+      "resolved_at, closed_at FROM support_tickets WHERE customer_id = ?1 ";
+    var supParams = [customerId];
+    if (_isBound(boundLimit)) { supSql += "ORDER BY MAX(opened_at, COALESCE(resolved_at, opened_at)) DESC LIMIT ?2"; supParams.push(boundLimit); }
+    else                      { supSql += "ORDER BY opened_at ASC"; }
+    var rows = (await query(supSql, supParams)).rows;
     var out = [];
     for (var i = 0; i < rows.length; i += 1) {
       var t = rows[i];
@@ -375,7 +393,7 @@ function create(opts) {
     return out;
   }
 
-  async function _collectReviewEvents(customerId, fromTs, toTs) {
+  async function _collectReviewEvents(customerId, fromTs, toTs, boundLimit) {
     if (!reviewsPeer) return [];
     // Only authenticated-customer reviews carry a customer_id (the
     // anonymous email-hash submissions land in the reviews table
@@ -387,7 +405,8 @@ function create(opts) {
     var idx = 2;
     if (fromTs != null) { sql += " AND created_at >= ?" + idx; params.push(fromTs); idx += 1; }
     if (toTs   != null) { sql += " AND created_at <= ?" + idx; params.push(toTs);   idx += 1; }
-    sql += " ORDER BY created_at ASC";
+    if (_isBound(boundLimit)) { sql += " ORDER BY created_at DESC LIMIT ?" + idx; params.push(boundLimit); }
+    else                      { sql += " ORDER BY created_at ASC"; }
     var rows = (await query(sql, params)).rows;
     var out = [];
     for (var i = 0; i < rows.length; i += 1) {
@@ -406,13 +425,18 @@ function create(opts) {
 
   // ---- aggregation ------------------------------------------------------
 
-  async function _collectAll(customerId, fromTs, toTs) {
+  // `boundLimit` (optional) caps each collector's read to the newest N rows
+  // — passed by the paginated `forCustomer` read where a page is at most
+  // `limit` events. The summary path passes null/undefined (unbounded) so
+  // the 30/90/365-day windowed kind-counts stay exact for a very active
+  // customer. A null bound preserves the original read-everything behavior.
+  async function _collectAll(customerId, fromTs, toTs, boundLimit) {
     var batches = await Promise.all([
-      _collectOrderEvents(customerId, fromTs, toTs),
-      _collectWishlistEvents(customerId, fromTs, toTs),
-      _collectLoyaltyEvents(customerId, fromTs, toTs),
-      _collectSupportEvents(customerId, fromTs, toTs),
-      _collectReviewEvents(customerId, fromTs, toTs),
+      _collectOrderEvents(customerId, fromTs, toTs, boundLimit),
+      _collectWishlistEvents(customerId, fromTs, toTs, boundLimit),
+      _collectLoyaltyEvents(customerId, fromTs, toTs, boundLimit),
+      _collectSupportEvents(customerId, fromTs, toTs, boundLimit),
+      _collectReviewEvents(customerId, fromTs, toTs, boundLimit),
     ]);
     var flat = [];
     for (var b = 0; b < batches.length; b += 1) {
@@ -647,7 +671,32 @@ function create(opts) {
       var limit  = _limit(input.limit, MAX_LIMIT, DEFAULT_LIMIT);
       var cursor = _decodeCursor(input.cursor, "forCustomer");
 
-      var events = await _collectAll(customerId, fromTs, toTs);
+      // Per-collector read bound: a single page draws at most `limit` events
+      // total across all sources, so the newest rows from EACH source (at or
+      // before the cursor's timestamp when paginating) are a sufficient
+      // superset — the merge + sort + cursor + slice below can never need an
+      // older row than the `limit`-th newest of any one source. A customer
+      // with thousands of events no longer reads them all per panel render.
+      //
+      // The cursor's tail timestamp tightens the upper edge so deep pages
+      // stay correct: collectors return the newest events at-or-before it,
+      // and _applyCursor then drops the equal-or-newer boundary tuple. Because
+      // that drop removes the single boundary event per source, the bound is
+      // `limit + 1` — enough that a full `limit` page (and a correct
+      // next_cursor) survives the drop and pagination doesn't stall early.
+      // A `kinds` filter narrows the OUTPUT after collection, so when one is
+      // active the bound widens to MAX_LIMIT to give the filter enough
+      // candidates per source.
+      var collectorBound = kinds ? MAX_LIMIT : (limit + 1);
+      var collectorToTs = toTs;
+      if (cursor && cursor.length) {
+        var cursorTs = Number(cursor[0]);
+        if (Number.isFinite(cursorTs)) {
+          collectorToTs = (collectorToTs == null) ? cursorTs : Math.min(collectorToTs, cursorTs);
+        }
+      }
+
+      var events = await _collectAll(customerId, fromTs, collectorToTs, collectorBound);
       events = _filterKinds(events, kinds);
       _sortNewestFirst(events);
       if (cursor) events = _applyCursor(events, cursor);

package/lib/order.js

@@ -209,6 +209,14 @@ function create(opts) {
   // the physical return is inspected. Opt-in like the other handles so
   // tests and an inventory-less deploy run unchanged.
   var inventory = opts.inventory || null;
+  // Optional error-log handle — when present, an inventory settlement
+  // failure (a decrement / release throw on the paid / cancel edge) is
+  // captured to the operator's error feed (/admin/errors) with the exact
+  // sku / qty / order so the stranded hold is reconcilable by hand via the
+  // inventory-adjustment surface. Opt-in like the other handles; absent it,
+  // settlement failures still surface to the audit sink (b.audit.safeEmit
+  // below), just not the durable error feed.
+  var errorLog = opts.errorLog || null;
   // Pagination cursors for listForCustomer are HMAC-tagged via
   // b.pagination so an operator can't hand-craft one to skip past a
   // hidden order or replay across deployments. The secret defaults
@@ -223,6 +231,48 @@ function create(opts) {
   }
   var cursorSecret = opts.cursorSecret;
 
+  // Settle one held SKU on a state edge — `inventory.decrement` on the
+  // paid edge, `inventory.release` on the cancel-from-pending edge.
+  //
+  // drop-silent-with-capture — by design: the order's payment has already
+  // succeeded (paid edge) or the cancel has already persisted (cancel
+  // edge), and the webhook driving this MUST return 2xx or Stripe retries
+  // forever. A throw here would 500 the webhook, the retry would hit the
+  // already-advanced guard and skip, and the hold would strand silently.
+  // So a per-SKU settlement failure is caught, NOT re-thrown, and surfaced
+  // LOUDLY instead: an `order.settlement.error` audit event plus, when the
+  // error-log handle is wired, a durable row in /admin/errors carrying the
+  // exact sku / qty / order so the operator reconciles the stranded hold
+  // via the inventory-adjustment surface. Returns true on success, false on
+  // a (captured) failure so the caller can count strandings.
+  async function _settleSku(verb, sku, qty, orderId) {
+    try {
+      await inventory[verb](sku, qty);
+      return true;
+    } catch (e) {
+      var message = "order.settlement." + verb + " failed — sku=" + sku +
+        " qty=" + qty + " order=" + orderId + ": " + (e && e.message || e);
+      try {
+        b.audit.safeEmit({
+          action:   "order.settlement.error",
+          outcome:  "failure",
+          metadata: { verb: verb, sku: sku, qty: qty, order_id: orderId, message: (e && e.message) || String(e) },
+        });
+      } catch (_auditErr) { /* drop-silent — the capture below is the durable record */ }
+      if (errorLog && typeof errorLog.captureServerError === "function") {
+        try {
+          await errorLog.captureServerError({
+            route:   "/order/" + orderId + "/settlement",
+            method:  "POST",
+            status:  500,
+            message: message,
+          });
+        } catch (_logErr) { /* drop-silent — never let the error-feed write mask the original failure */ }
+      }
+      return false;
+    }
+  }
+
   return {
     TERMINAL_STATES: TERMINAL_STATES,
 
@@ -376,6 +426,13 @@ function create(opts) {
         var holdMap = _stockHoldMap(refreshed);
         var holdSkus = Object.keys(holdMap);
         if (holdSkus.length) {
+          // Each SKU settles in its own try/catch (_settleSku) so a single
+          // SKU's decrement / release throw on a transient DB error can't
+          // strand the OTHER SKUs' holds or 500 the webhook — the remaining
+          // SKUs in the loop still settle, and each failure surfaces loudly
+          // (audit + error-feed) for manual reconciliation. The transition
+          // has already persisted; settlement is post-commit best-effort
+          // with a durable failure trail, never a hard gate.
           if (result.from === "pending" && result.to === "paid"
               && typeof inventory.decrement === "function") {
             // Convert each held SKU's reservation into a real shelf debit,
@@ -383,7 +440,7 @@ function create(opts) {
             // guard (stock_held >= qty) makes a re-delivered mark_paid a
             // no-op, so this is idempotent across webhook re-deliveries.
             for (var di = 0; di < holdSkus.length; di += 1) {
-              await inventory.decrement(holdSkus[di], holdMap[holdSkus[di]]);
+              await _settleSku("decrement", holdSkus[di], holdMap[holdSkus[di]], orderId);
             }
           } else if (result.from === "pending" && result.to === "cancelled"
               && typeof inventory.release === "function") {
@@ -393,7 +450,7 @@ function create(opts) {
             // another shopper holds on the same SKU. release floors at zero
             // so a double-cancel can't underflow stock_held.
             for (var ri = 0; ri < holdSkus.length; ri += 1) {
-              await inventory.release(holdSkus[ri], holdMap[holdSkus[ri]]);
+              await _settleSku("release", holdSkus[ri], holdMap[holdSkus[ri]], orderId);
             }
           }
         }
@@ -586,6 +643,34 @@ function create(opts) {
       return { rows: rows };
     },
 
+    // Pending orders whose `created_at` is at or before `olderThanTs` —
+    // the candidate set for the stale-pending-order reaper. A pending
+    // order that never advanced to paid (the buyer abandoned the Stripe /
+    // PayPal sheet, the PaymentIntent expired) holds its reserved stock
+    // forever with no FSM edge to free it; the reaper cancels these so the
+    // hold releases. Bounded (`limit`, default 100, capped at
+    // MAX_LIST_LIMIT) so one tick reaps a chunk and the next picks up the
+    // rest. Returns the raw row (id + payment_intent_id + created_at are
+    // what the reaper needs); the reaper drives the actual hold release
+    // through `transition(id, "cancel", …)`. Oldest-first so the longest-
+    // stranded holds free first.
+    listStalePending: async function (olderThanTs, limit) {
+      if (typeof olderThanTs !== "number" || !isFinite(olderThanTs) || olderThanTs < 0) {
+        throw new TypeError("order.listStalePending: olderThanTs must be a non-negative epoch-ms number");
+      }
+      var lim = limit == null ? 100 : limit;
+      if (!Number.isInteger(lim) || lim <= 0 || lim > MAX_LIST_LIMIT) {
+        throw new TypeError("order.listStalePending: limit must be 1..." + MAX_LIST_LIMIT);
+      }
+      var rows = (await query(
+        "SELECT id, payment_intent_id, created_at FROM orders " +
+        "WHERE status = 'pending' AND created_at <= ?1 " +
+        "ORDER BY created_at ASC, id ASC LIMIT ?2",
+        [olderThanTs, lim],
+      )).rows;
+      return { rows: rows };
+    },
+
     // The actions available from a given status, as {on, to, label} —
     // drives the transition buttons on the operator order-detail page.
     // A terminal status returns []. Synchronous (pure lookup).

package/lib/security-middleware.js

@@ -380,31 +380,42 @@ function scopedCsp(keys) {
   }).join("; ") + ";";
 }
 
-// ---- route-scoped Permissions-Policy (payment surface) ------------------
+// ---- route-scoped Permissions-Policy (payment + passkey surfaces) --------
 //
 // The app-level Permissions-Policy is the vendored strict denylist
-// (DEFAULT_PERMISSIONS) — every powerful API, including `payment=()`,
-// disabled in every document. That is correct everywhere EXCEPT the one
-// page whose entire job is taking a payment: GET /pay/:order_id mounts
-// Stripe's Express Checkout Element, whose Google Pay / Apple Pay buttons
-// drive the Payment Request API. Under `payment=()` the browser refuses
-// the API inside the cross-origin pay.google.com / Stripe wallet frames
-// ("Permissions policy violation: payment is not allowed in this
-// document"), so the wallet express buttons are degraded on the payment
-// page. The card form is unaffected (it doesn't use the Payment Request
-// API), which is why card captures complete while wallets don't.
+// (DEFAULT_PERMISSIONS) — every powerful API disabled in every document,
+// including `payment=()`, `publickey-credentials-get=()`, and
+// `publickey-credentials-create=()`. That is correct everywhere EXCEPT the
+// handful of pages whose whole job needs one of those features:
 //
-// `scopedPermissionsPolicy()` returns a Permissions-Policy string for
-// `res.setHeader("permissions-policy", ...)` on the /pay route's response:
-// byte-identical to the vendored default EXCEPT the `payment=()` entry,
-// which becomes `payment=(self "https://js.stripe.com" "https://pay.google.com")`
-// — granting the feature ONLY to the same origin + the Stripe SDK frame +
-// the Google Pay frame, ONLY on that one response. setHeader OVERWRITES, so
-// the app-level strict header still governs every OTHER route. Every other
-// feature in the denylist stays `()`. Derived from the vendored
-// DEFAULT_PERMISSIONS array (the single source the app-level header is also
-// built from in `securityHeadersOpts` → the vendored default), never a
-// hand-forked copy of the list.
+//   - GET /pay/:order_id mounts Stripe's Express Checkout Element, whose
+//     Google Pay / Apple Pay buttons drive the Payment Request API. Under
+//     `payment=()` the browser refuses the API inside the cross-origin
+//     pay.google.com / Stripe wallet frames, degrading the wallet express
+//     buttons (the card form is unaffected, which is why card captures
+//     complete while wallets don't).
+//
+//   - The passkey (WebAuthn) ceremonies. `navigator.credentials.get()`
+//     (assertion / sign-in) is gated by `publickey-credentials-get`;
+//     `navigator.credentials.create()` (registration / enrollment) by
+//     `publickey-credentials-create`. Under the deny-all default the browser
+//     refuses the API in the TOP-LEVEL document with "The
+//     'publickey-credentials-get' feature is not enabled in this document"
+//     (resp. -create), so sign-in / enrollment fail outright. These run on
+//     container-served routes:
+//       publickey-credentials-get    — GET /account/login (passkey-login.js)
+//       publickey-credentials-create — GET /account/register (passkey-register.js)
+//                                       GET /account/passkeys (passkey-add.js)
+//
+// `scopedPermissionsPolicy(opts)` returns a Permissions-Policy string for
+// `res.setHeader("permissions-policy", ...)` on the route's response:
+// byte-identical to the vendored default EXCEPT the named feature(s), each
+// re-enabled for ONLY the allowlist that feature needs, ONLY on that one
+// response. setHeader OVERWRITES, so the app-level strict header still
+// governs every OTHER route. Every other feature in the denylist stays `()`.
+// Derived from the vendored DEFAULT_PERMISSIONS array (the single source the
+// app-level header is also built from in `securityHeadersOpts` → the vendored
+// default), never a hand-forked copy of the list.
 
 // The allowlist that replaces `payment=()` on the pay surface: same origin
 // (the pay page's own form), the Stripe SDK frame, and the Google Pay frame
@@ -415,21 +426,61 @@ function scopedCsp(keys) {
 // it here.
 var _PAYMENT_ALLOWLIST = 'payment=(self "https://js.stripe.com" "https://pay.google.com")';
 
+// WebAuthn assertion / attestation run in the page's OWN top-level document
+// (the islands call navigator.credentials.get / .create directly, never from
+// a cross-origin child frame), so `self` is the entire allowlist — no third-
+// party origin is delegated. Keeping the grant to `self` is the tightest
+// value that unblocks the ceremony: a cross-origin iframe on the same page
+// still cannot drive WebAuthn. Single source — every passkey page names the
+// feature → allowlist mapping here.
+var _PASSKEY_FEATURE_ALLOWLIST = {
+  "publickey-credentials-get":    "publickey-credentials-get=(self)",
+  "publickey-credentials-create": "publickey-credentials-create=(self)",
+};
+
+// Feature name → its scoped allowlist token. The pay surface relaxes
+// `payment`; the passkey surfaces relax the two WebAuthn features. A caller
+// names which feature(s) to relax; every feature NOT named stays at the
+// vendored `()` deny. This is the single registry of "which feature may be
+// re-enabled, and to exactly what" — nothing outside it can be loosened.
+var _SCOPED_FEATURE_OVERRIDES = Object.assign(
+  { payment: _PAYMENT_ALLOWLIST },
+  _PASSKEY_FEATURE_ALLOWLIST
+);
+
 /**
  * Build a route-scoped Permissions-Policy string from the vendored strict
- * denylist with the `payment` feature re-enabled for the same origin + the
- * Stripe / Google Pay wallet frames. Every other feature is carried through
- * verbatim as `feature=()`. Returns the string for the pay route's
+ * denylist with one or more features re-enabled to their scoped allowlist.
+ * `opts.features` is an array of feature names to relax (each must appear in
+ * `_SCOPED_FEATURE_OVERRIDES`); every other feature is carried through
+ * verbatim as `feature=()`. With no argument it defaults to relaxing
+ * `payment` — the established pay-surface behavior — so existing callers are
+ * unchanged. Returns the string for the route's
  * `res.setHeader("permissions-policy", ...)`; the app-level strict header is
  * unchanged on every other route (setHeader overwrites this one response).
  *
- * Called per-response on the pay render path, so it never throws — it maps
- * over the vendored default array and swaps the one entry, failing safe (a
- * missing `payment` entry simply yields the strict default for that feature).
+ * Called per-response on a render path, so it never throws — it maps over the
+ * vendored default array and swaps only the named entries, failing safe (an
+ * unknown feature name simply leaves that feature at the strict deny, and a
+ * feature the default does not list is never invented).
  */
-function scopedPermissionsPolicy() {
+function scopedPermissionsPolicy(opts) {
+  var features = (opts && Array.isArray(opts.features) && opts.features.length)
+    ? opts.features
+    : ["payment"];
+  // Map requested feature names → their override token, ignoring any name not
+  // in the registry (fail-safe: an unknown key relaxes nothing).
+  var overrides = {};
+  features.forEach(function (name) {
+    if (Object.prototype.hasOwnProperty.call(_SCOPED_FEATURE_OVERRIDES, name)) {
+      overrides[name] = _SCOPED_FEATURE_OVERRIDES[name];
+    }
+  });
   return _vendoredSecurityHeaders.DEFAULT_PERMISSIONS.map(function (entry) {
-    return entry.indexOf("payment=") === 0 ? _PAYMENT_ALLOWLIST : entry;
+    var feature = entry.split("=")[0];
+    return Object.prototype.hasOwnProperty.call(overrides, feature)
+      ? overrides[feature]
+      : entry;
   }).join(", ");
 }
 

package/lib/storefront.js

@@ -13447,6 +13447,13 @@ function mount(router, deps) {
       // Login captcha is opt-in (CAPTCHA_GATE_LOGIN). The widget + the scoped
       // CSP that admits the provider host render only when login is opted in.
       _setAuthCaptchaCsp(res, "login");
+      // Passkey sign-in (passkey-login.js) calls navigator.credentials.get(),
+      // which the app-level Permissions-Policy denies via
+      // publickey-credentials-get=(). Re-enable it for self on THIS response
+      // only so the assertion runs in the top-level document; every other
+      // feature stays denied and every other route keeps the strict default.
+      res.setHeader && res.setHeader("permissions-policy",
+        securityMiddleware.scopedPermissionsPolicy({ features: ["publickey-credentials-get"] }));
       _send(res, 200, renderAccountLogin({
         shop_name:      shopName,
         cart_count:     cartCount,
@@ -13464,6 +13471,12 @@ function mount(router, deps) {
       // Signup captcha renders whenever a provider is active; the scoped CSP
       // admits the provider host only then (no setHeader otherwise).
       _setAuthCaptchaCsp(res, "signup");
+      // Passkey enrollment (passkey-register.js) calls
+      // navigator.credentials.create(), denied by the app-level
+      // publickey-credentials-create=(). Re-enable it for self on THIS
+      // response only so registration runs in the top-level document.
+      res.setHeader && res.setHeader("permissions-policy",
+        securityMiddleware.scopedPermissionsPolicy({ features: ["publickey-credentials-create"] }));
       _send(res, 200, renderAccountRegister({
         shop_name: shopName,
         cart_count: cartCount,
@@ -13982,6 +13995,12 @@ function mount(router, deps) {
       var cartCount = await _cartCountForReq(req);
       var url = req.url ? new URL(req.url, "http://localhost") : null;
       var okKind = url ? url.searchParams.get("ok") : null;
+      // The "Add a passkey" island (passkey-add.js) calls
+      // navigator.credentials.create(), denied by the app-level
+      // publickey-credentials-create=(). Re-enable it for self on THIS
+      // response only so enrollment runs in the top-level document.
+      res.setHeader && res.setHeader("permissions-policy",
+        securityMiddleware.scopedPermissionsPolicy({ features: ["publickey-credentials-create"] }));
       _send(res, code || 200, renderPasskeys({
         passkeys:   pks,
         has_oauth:  hasOAuth,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {