@blamejs/blamejs-shop 0.4.12 → 0.4.14

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.14 (2026-06-06) — **Gift wrap charges exactly the fee it displays, the per-order wrap cap is enforced, low-stock events reach subscribed webhooks, and the admin API accepts curl as documented.** Three storefront fixes and two admin-surface fixes. Gift wrap now charges the configured wrap fee rather than the wrap variant's catalog price, and a wrap's per-order cap is enforced at the cart with a clear message. The low-stock inventory event is now a registered webhook event, so endpoints subscribed to specific events receive it. The account profile explains plainly why an email address cannot be changed. And the admin JSON API now answers automation clients such as curl the way the documentation has always shown, with the bearer key as the deciding check. **Changed:** *The account profile explains why the email address cannot be changed* — The store keeps only a one-way hash of each account's email address, so an address can never be read back or rewritten — an email change is not possible by design. The profile screen now says this plainly where an email-change control would normally sit, and points to the alternatives: create a new account under the new address, or contact the store to reconcile order history. **Fixed:** *Gift wrap charges the configured fee, not the wrap variant's catalog price* — The gift-wrap selector displayed the wrap fee configured in the admin console, but checkout added the wrap to the order at the underlying catalog variant's price — when the two diverged, the customer was silently charged a different amount than the page showed. The cart now snapshots the configured fee onto the wrap line, so the displayed fee and the charged fee always agree. A regression test keeps the two amounts pinned together with deliberately different fee and catalog values. · *A gift wrap's per-order cap is enforced at the cart* — A wrap option's maximum-per-order value was validated, stored, and shown in the admin console but never enforced — any quantity could be applied. Applying a wrap beyond its cap is now rejected with a 422 and the cart page re-renders with a readable message; an application at the cap continues to succeed and the cart is left unchanged on rejection. · *The low-stock event is a registered webhook event* — Inventory low-stock alerts emitted `inventory.low_stock`, but the event was missing from the webhook event registry — endpoints subscribed to specific events never received it, and the admin endpoint form never offered it. The event is now registered, appears in the endpoint form's event checklist, and is delivered to endpoints that subscribe to it. Wildcard subscriptions, which already received it, are unchanged. · *Documented curl commands against the admin API work as written* — Every admin endpoint is bearer-key-gated JSON, and the documentation drives it with plain curl — but the bot guard's user-agent deny list refused automation clients on `/admin` before the key was ever checked, so the documented commands answered 403. The admin surface now runs the bot guard in tag mode: automation is recorded in the audit trail (`system.botguard.tag`) instead of refused, and the timing-safe bearer key remains the deciding check. A curl call with a valid key reaches the endpoint; one without a key is refused by the key check with a 401.
+
+- v0.4.13 (2026-06-06) — **Security: a passkey can no longer be added to an existing account from the public register page, and the email sign-in link no longer reveals which addresses have accounts.** Two fixes to the account sign-in surface. The public passkey-registration endpoint reused an existing customer record when the submitted email already had an account, which let anyone who knew a registered email enroll their own authenticator onto that account and sign in as its owner. Registration now creates new accounts only: it refuses any email that already has an account — whether it signs in by passkey, by Google or Apple, or is a guest order awaiting a sign-in link — and directs the visitor to sign in instead. Separately, the email sign-in-link request did its account lookup, session creation, and email send before replying, so a registered address took measurably longer to answer than an unregistered one — a timing signal that revealed which addresses have accounts despite the identical on-screen confirmation. The reply is now sent first and the link is prepared and mailed afterward, so both cases answer at the same speed. **Security:** *Passkey registration can no longer enroll a credential onto someone else's account* — The public passkey-registration ceremony reused an existing customer record whenever the submitted email already had an account, then bound the registration challenge to that account — so a visitor who knew a registered email could complete the ceremony on their own device and be issued a sign-in session for the account's owner, without any proof of controlling the email. The path now creates new accounts only: it refuses any email that already has an account and binds no challenge to it, returning a clear "this email already has an account — sign in instead" response. The refusal covers every existing account, not only those with a passkey — a Google or Apple account and a guest order awaiting a sign-in link both have no passkey yet a real owner, and an attacker enrolling onto either would take it over just the same. An owner adding a second passkey continues to use the signed-in add-a-passkey flow, which has always required an active session and matches the challenge to the signed-in account; an owner who has no passkey, or whose first attempt was interrupted, signs in with the email link. · *The email sign-in link no longer leaks which addresses have accounts* — The "email me a sign-in link" request answered with the same confirmation whether or not the address matched an account, but it performed the account lookup, session creation, and email dispatch before replying when the address did match — so a registered address answered measurably more slowly than an unregistered one, a timing side channel that distinguished real accounts from non-accounts. The confirmation is now sent before any of that work; when the address matches an account, the sign-in link is prepared and mailed afterward, off the response path. A matched and an unmatched address now take the same time to answer, and the link still arrives for real accounts.
+
 - v0.4.12 (2026-06-05) — **Blog posts render their Markdown, plural search queries match again, and the search-ranking metrics view gets the impression and click data it was built to read.** Four search-and-content fixes. Published blog posts were showing their raw Markdown source — headings, bold, and links rendered as literal text — even though the authoring screen has always promised Markdown; the edge now renders it through the same sanitized renderer the post primitive uses, so the live page matches the editor's promise. The query stemmer over-stripped plurals ending in a vowel plus "es" ("tees", "shoes", "does"), so those searches missed their synonym groups and matched unrelated products; it now strips those down to the right singular. The search-ranking event log finally has production writers — every search records an impression and every result click records a click against the active weight set, so the admin search-metrics view shows real click-through and conversion instead of an empty table. And the analytics search funnel now applies the same hygiene the autocomplete log does, so "Popular searches" and the analytics top-terms report agree. **Added:** *Search-ranking impressions and clicks are recorded, so the admin metrics view has data* — The search-ranking feature ships a weight-set metrics view that reads an event log to report click-through, conversion, and click-to-purchase per weight set — but nothing ever wrote those events, so the view was always empty. Two writers are now wired. Every search records one impression against the active weight set (a drop-silent, fire-and-forget write that never affects the search response). Every search result link carries a `?from=search` marker plus the query it was ranked for; when a shopper follows one to a product page, that page records a click against the active weight set. Both work with JavaScript off — the click signal is read server-side from the link, with no tracking beacon. Facet narrowing is recorded the same way, so the facet-usage rollup reflects real use. Purchase attribution is deliberately left out of this release: tying a completed order back to the search that led to it needs a session-to-order link the event schema doesn't carry, so the metrics view reports impressions, clicks, and the click-through ratio from real traffic while purchase counts and conversion stay at zero until that linkage ships. **Fixed:** *Blog posts render Markdown instead of showing the raw source* — A published post's body is authored in Markdown — the editor labels the field "Body (Markdown)" and the post primitive's renderer turns headings, lists, blockquotes, rules, inline code, bold, italic, and https-or-rooted links into HTML. But the edge-served public post page painted the body as plain escaped text, so a shopper saw literal `## Heading` and `**bold**` markers rather than formatted copy. The edge now renders the body through the same sanitized renderer the primitive uses, so the live page matches what the editor previews and the authoring screen promises. The security posture is unchanged: every operator-authored byte is HTML-escaped, raw HTML never passes through (any `<` lands as `&lt;`), and link URLs are restricted to https or `/`-rooted paths — a `<script>` or `javascript:` link in a post body renders inert. · *Plural search queries ending in a vowel plus "es" match again* — The query stemmer tried its `-es` plural rule before its `-s` rule, so a word ending in a vowel plus "es" was over-stripped: "tees" became "te", "shoes" became "sho", "does" became "do". Two things broke as a result — the over-stripped term no longer matched its operator-curated synonym group (so a search for "tees" missed a "tee"/"t-shirt" grouping), and the truncated term fed a broad substring match that surfaced unrelated products. The stemmer now strips the full `-es` only when the stem ends in a sibilant ("boxes" → "box", "dishes" → "dish", "churches" → "church") and takes the bare `-s` otherwise ("tees" → "tee", "shoes" → "shoe", "does" → "doe"). The edge search mirror carries the identical rule, so the result is the same whether the page is served from the edge cache or the container. · *The analytics search funnel and the autocomplete log apply the same query hygiene* — Two search sinks recorded the typed query with different cleaning. The autocomplete query log stripped control bytes and lowercased before writing; the analytics funnel that feeds the top-search-terms report trimmed only — so a control byte could reach the analytics table raw, and the two reports counted differently. The storefront now normalizes the query once (strip control bytes, trim, lowercase) and hands the same value to both sinks. The analytics top-terms report also groups case-insensitively, so a term typed as "Hat" and "hat" collapses into one row — folding any mixed-case history written before this — matching how "Popular searches" has always counted. The consent gate on analytics recording is unchanged.
 
 - v0.4.11 (2026-06-05) — **Search autocomplete: a live suggestions dropdown in the header, plus an admin screen to curate it.** Typing in the storefront search box now opens an autocomplete dropdown with matching products, what other shoppers are searching for, and operator-curated featured links. A new admin screen pins those featured suggestions and surfaces a popular-searches report so you can see demand and spot terms that return nothing. The search box keeps working with JavaScript off — the dropdown is a progressive enhancement on top of the plain form. **Added:** *Search autocomplete in the storefront header* — As a shopper types in the header search box, a dropdown opens beneath it with up to three groups: matching products (linking straight to the product page), popular recent searches (click one to run it), and operator-curated featured suggestions (linking wherever you point them). It's keyboard-navigable — arrow keys move through the list, Enter picks, Escape dismisses — and announces itself to screen readers as a combobox. The dropdown is served from a cacheable JSON endpoint that carries no per-visitor data, and it's a pure enhancement: with JavaScript off, or before the data loads, the box stays an ordinary search form that submits to the results page. · *Search-suggestions admin screen* — A new Search suggestions screen under the admin console lets you curate featured suggestions: pin a typed prefix (for example, prefix "free" surfaces "Free shipping over $50"), set its destination link, priority, and an optional active window, then edit the priority or status inline or remove it. Below the curation table, a read-only Popular searches view reports what shoppers have typed over the last 30 days — each term's search count, its zero-result share, and when it was last seen — so a high zero-result term flags a stock or naming gap worth closing. Every search a shopper runs is logged for this report (the visitor's session identifier is hashed before storage), and entries older than 90 days are pruned automatically.

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.12",
+  "version": "0.4.14",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",

package/lib/security-middleware.js

@@ -561,10 +561,21 @@ function globalRateLimitOpts() {
  * are machine-to-machine and authenticate with the shared
  * D1_BRIDGE_SECRET, so on those paths the secret gate — not a browser
  * fingerprint — is the deciding check (see INTERNAL_BRIDGE_PATHS).
+ *
+ * `/admin` is skipped HERE but re-guarded in tag mode inside
+ * `mountRouteGuards`: every admin route is gated on the timing-safe
+ * bearer-key check, and the documented way to drive the admin JSON
+ * surface is curl — whose User-Agent is on the vendored deny list, and
+ * the UA check fires before auth is ever consulted. In block mode the
+ * README / onboarding curl examples answer 403 "Forbidden" instead of
+ * reaching the 401/200 bearer gate; in tag mode automation is audited
+ * (`system.botguard.tag` + `req.suspectedBot`) while the bearer key
+ * stays the deciding check. The regex matches `/admin` and
+ * `/admin/...` only — not other `/admin…`-prefixed names.
  */
 function botGuardOpts() {
   return {
-    skipPaths: INTERNAL_BRIDGE_PATHS.slice(),
+    skipPaths: INTERNAL_BRIDGE_PATHS.slice().concat([/^\/admin(\/|$)/]),
   };
 }
 
@@ -584,6 +595,22 @@ function _hasPrefix(pathname, prefixes) {
  * @param r  the blamejs Router passed to createApp's routes(r) callback.
  */
 function mountRouteGuards(r) {
+  // --- bot-guard, tag mode, /admin only -------------------------------
+  //
+  // The app-level bot-guard (block mode) skips /admin — see
+  // botGuardOpts: curl is the documented admin client and the UA
+  // deny-list check fires before the bearer gate, so block mode turns
+  // every documented example into a 403. The surface still wants the
+  // signal, though: this tag-mode instance audits automation
+  // (system.botguard.tag + req.suspectedBot) without refusing it, and
+  // the timing-safe bearer key stays the deciding check.
+  var adminBotTag = b.middleware.botGuard({ mode: "tag" });
+  r.use(function adminBotTagGuard(req, res, next) {
+    var pathname = req.pathname || req.url || "/";
+    if (!/^\/admin(\/|$)/.test(pathname)) return next();
+    return adminBotTag(req, res, next);
+  });
+
   // --- CSRF: double-submit token on authenticated state-changing POSTs ---
   //
   // The vendored createApp enforces CSRF by default; the entry points pass

package/lib/storefront.js

@@ -8085,9 +8085,18 @@ function _cartGiftBlock(opts) {
         (w.wrap_sku === current ? " selected" : "") + ">" +
         esc(String(w.title)) + " (" + esc(feeStr) + ")</option>";
     }).join("");
+  // Over-limit (or any rejected /cart/gift apply) renders an inline error
+  // banner. The message carries the operator-authored wrap title, so it is
+  // escaped at the sink — the cap value the route interpolates is a plain
+  // integer, but escaping the whole string is the safe default. `role=alert`
+  // so a screen reader announces the rejection.
+  var giftError = (typeof opts.gift_error === "string" && opts.gift_error)
+    ? "<p class=\"cart-gift__error\" role=\"alert\">" + esc(opts.gift_error) + "</p>"
+    : "";
   return "<section class=\"cart-gift\">" +
-    "<details class=\"cart-gift__details\"" + (current ? " open" : "") + ">" +
+    "<details class=\"cart-gift__details\"" + (current || giftError ? " open" : "") + ">" +
       "<summary class=\"cart-gift__summary\">Add a gift wrap</summary>" +
+      giftError +
       "<form method=\"post\" action=\"/cart/gift\" class=\"cart-gift__form\">" +
         "<label class=\"form-field\"><span>Gift wrap</span>" +
           "<select name=\"wrap_sku\">" + options + "</select>" +
@@ -10023,11 +10032,13 @@ function renderAddPaymentMethod(opts) {
 // ---- profile edit ------------------------------------------------------
 //
 // Display-name edit for the signed-in customer. Email is stored hash-only
-// and is the OAuth account-linking key, so it's shown read-only (masked)
-// and cannot be changed here — the primitive refuses an email patch until
-// a verification ceremony exists. The form is a plain server-rendered
-// POST with a PRG `?ok=updated` success notice, matching the addresses
-// pattern.
+// (a one-way hash, never the plaintext) and is the OAuth account-linking
+// key, so it is shown read-only and genuinely cannot be changed — there is
+// no readable address to edit. The field's hint tells the customer what to
+// do instead (sign in with the registered address; create a new account to
+// use a different one; contact support to move order history). The form is
+// a plain server-rendered POST with a PRG `?ok=updated` success notice,
+// matching the addresses pattern.
 function renderProfile(opts) {
   opts = opts || {};
   var esc = b.template.escapeHtml;
@@ -10054,7 +10065,7 @@ function renderProfile(opts) {
         "<div class=\"form-row\"><label class=\"form-field\"><span class=\"form-field__label\">Email</span>" +
           "<input type=\"text\" value=\"Hidden for privacy — stored as a one-way hash\" disabled aria-describedby=\"email-note\"></label></div>" +
         "<p id=\"email-note\" class=\"form-field__hint\">Your email address is never stored in readable form, so it can't be changed or shown here. " +
-          "Sign in with the address you registered.</p>" +
+          "Sign in with the address you registered. To use a different address, create a new account with it, or contact support if you need help moving your order history.</p>" +
         "<div class=\"form-actions\"><button type=\"submit\" class=\"btn-primary\">Save changes</button> " +
           "<a class=\"btn-ghost\" href=\"/account\">Cancel</a></div>" +
       "</form>" +
@@ -13088,38 +13099,27 @@ function mount(router, deps) {
     return res.end ? res.end(payload) : res.send(payload);
   });
 
-  router.get("/cart", async function (req, res) {
+  // Assemble the full cart-page render and emit it at `status`. Shared by
+  // GET /cart and by POST /cart/gift's over-limit rejection (a 4xx that must
+  // still show the customer their cart, with a gift error banner), so the two
+  // surfaces never drift. `extraOpts` overlays render flags the caller knows
+  // (the post-add banner, the coupon PRG notices, a gift_error message).
+  async function _renderCartResponse(req, res, status, extraOpts) {
+    extraOpts = extraOpts || {};
     var ccy = await _currencyForReq(req);
     var sid = _readSidCookie(req);
-    // `?added=1` after a POST /cart/lines redirect — drives the
-    // "Added to cart" status banner. Read from the parsed query when the
-    // router populated it, else from the raw URL.
-    var cartUrl = req.url ? new URL(req.url, "http://localhost") : null;
-    var added = (req.query && req.query.added === "1") ||
-      (cartUrl && cartUrl.searchParams.get("added") === "1") || false;
-    // Coupon-entry PRG outcomes (set by POST /cart/coupon[/remove]). One of
-    // applied / removed / err so the cart shows an inline notice. `?code_err`
-    // carries no detail beyond "couldn't apply" — a uniform message, no
-    // code-existence oracle.
-    function _cartQp(name) {
-      return (req.query && req.query[name] === "1") ||
-        (cartUrl && cartUrl.searchParams.get(name) === "1") || false;
-    }
-    var codeApplied = _cartQp("code_applied");
-    var codeRemoved = _cartQp("code_removed");
-    var codeErr     = _cartQp("code_err");
     if (!sid) {
-      return _send(res, 200, renderCart(Object.assign({
+      return _send(res, status, renderCart(Object.assign({
         lines: [], totals: { subtotal_minor: 0, grand_total_minor: 0, currency: "USD" },
         shop_name: shopName, theme: theme,
-      }, ccy)));
+      }, ccy, extraOpts)));
     }
     var c = await deps.cart.bySession(sid);
     if (!c) {
-      return _send(res, 200, renderCart(Object.assign({
+      return _send(res, status, renderCart(Object.assign({
         lines: [], totals: { subtotal_minor: 0, grand_total_minor: 0, currency: "USD" },
         shop_name: shopName, theme: theme,
-      }, ccy)));
+      }, ccy, extraOpts)));
     }
     var rawLines = await deps.cart.listLines(c.id);
     // Reapply the active quantity-break for each line at its current
@@ -13197,7 +13197,7 @@ function mount(router, deps) {
     // the primitive falls back to its weight-agnostic transit rows. Drop-
     // silent → null, and the summary renders no estimate.
     var cartEstimate = await _resolveDeliveryEstimate(req, { dest: estimateDest });
-    _send(res, 200, renderCart(Object.assign({
+    _send(res, status, renderCart(Object.assign({
       lines:           lines,
       totals:          totals,
       totals_detail:   totalsDetail,
@@ -13208,19 +13208,38 @@ function mount(router, deps) {
       checkout_available: !!(deps.checkout && deps.order),
       gift_wraps:      giftWraps,
       gift_wrap_in_cart: giftWrapInCart,
-      added:           added,
       // Coupon entry: surfaced only when the discount engine is wired (the
       // POST routes mount on the same condition). `applied_codes` echoes the
       // typed codes so each gets a remove control; the *_notice flags drive
       // the inline PRG banner.
       coupon_enabled:  !!(deps.autoDiscount && typeof deps.cart.listDiscountCodes === "function"),
       applied_codes:   appliedCodes,
-      code_applied:    codeApplied,
-      code_removed:    codeRemoved,
-      code_err:        codeErr,
       shop_name:       shopName,
       theme:           theme,
-    }, ccy)));
+    }, ccy, extraOpts)));
+  }
+
+  router.get("/cart", async function (req, res) {
+    // `?added=1` after a POST /cart/lines redirect — drives the
+    // "Added to cart" status banner. Read from the parsed query when the
+    // router populated it, else from the raw URL.
+    var cartUrl = req.url ? new URL(req.url, "http://localhost") : null;
+    var added = (req.query && req.query.added === "1") ||
+      (cartUrl && cartUrl.searchParams.get("added") === "1") || false;
+    // Coupon-entry PRG outcomes (set by POST /cart/coupon[/remove]). One of
+    // applied / removed / err so the cart shows an inline notice. `?code_err`
+    // carries no detail beyond "couldn't apply" — a uniform message, no
+    // code-existence oracle.
+    function _cartQp(name) {
+      return (req.query && req.query[name] === "1") ||
+        (cartUrl && cartUrl.searchParams.get(name) === "1") || false;
+    }
+    return await _renderCartResponse(req, res, 200, {
+      added:        added,
+      code_applied: _cartQp("code_applied"),
+      code_removed: _cartQp("code_removed"),
+      code_err:     _cartQp("code_err"),
+    });
   });
 
   // ---- checkout flow -------------------------------------------------
@@ -14519,16 +14538,34 @@ function mount(router, deps) {
           if (cust && cust.id) customerId = cust.id;
         } catch (_e) { customerId = null; }
 
+        // Resolve the absolute origin while the request is in hand (the
+        // mint + send below runs after the response, but reads no further
+        // request state).
+        var origin = "";
+        try { origin = new URL(_requestUrls(req).canonical_url).origin; }
+        catch (_e2) { origin = ""; }
+
+        // SECURITY (no account-existence oracle): send the generic
+        // confirmation 303 BEFORE any matched-only work, so a registered
+        // and an unregistered address are indistinguishable by response
+        // latency. The session mint + the outbound email round-trip used
+        // to run inside `if (customerId)` and be AWAITED before the 303 —
+        // a non-matching email skipped both and answered near-instantly,
+        // restoring exactly the account-existence oracle the identical
+        // body is meant to remove. The work now runs fire-and-forget on
+        // the next microtask, off the response's critical path; it stays
+        // drop-silent and best-effort (a failure simply means the link
+        // doesn't arrive), unchanged but for no longer being timed.
+        res.status(303);
+        res.setHeader && res.setHeader("location", "/account/login/link?sent=1");
+        if (res.end) res.end(); else res.send("");
+
         if (customerId) {
-          try {
+          Promise.resolve().then(async function () {
             var minted = await deps.customerPortal.createSession({
               customer_id: customerId,
               scope:       "full",
             });
-            // Build the absolute redemption link from this request's origin.
-            var origin = "";
-            try { origin = new URL(_requestUrls(req).canonical_url).origin; }
-            catch (_e2) { origin = ""; }
             var linkUrl = origin + "/account/portal/" + encodeURIComponent(minted.plaintext_token);
             // The customer's plaintext address: the portal flow needs a
             // deliverable address. The customers store keeps only the hash,
@@ -14538,12 +14575,8 @@ function mount(router, deps) {
               customer_email: emailRaw,
               link_url:       linkUrl,
             });
-          } catch (_e3) { /* drop-silent — generic confirmation regardless */ }
+          }).catch(function () { /* drop-silent — best-effort; the link simply doesn't arrive */ });
         }
-        // 303 to the GET with the generic confirmation flag.
-        res.status(303);
-        res.setHeader && res.setHeader("location", "/account/login/link?sent=1");
-        return res.end ? res.end() : res.send("");
       });
 
       // GET — redeem the magic-link token. verifyToken is single-use (flips
@@ -14606,22 +14639,37 @@ function mount(router, deps) {
           res.status(regCaptcha.status || 400);
           return res.end ? res.end(regCaptcha.message) : res.send(regCaptcha.message);
         }
-        // Persist the customer row up-front. The address is the
-        // registration's natural identifier — if enrollment fails
-        // the customer can re-attempt with the same email; the
-        // primitive's duplicate-refusal surfaces as a typed code.
+        // SECURITY: the public passkey-register path creates NEW accounts
+        // ONLY. It must never reuse — or mint a ceremony challenge bound to
+        // — an email that already has an account, for ANY reason. Reusing
+        // the row would let a visitor who merely knows the email finish the
+        // WebAuthn ceremony on their own device and be issued a sign-in
+        // session for the account's owner: account takeover. A row carrying
+        // zero passkeys is NOT a safely-reusable "interrupted registration"
+        // — a Google/Apple (OIDC) account and a guest-order row awaiting a
+        // magic-link claim both have no passkey yet a real owner, and an
+        // attacker enrolling onto either takes it over just the same. So
+        // refuse uniformly on ANY existing account (the duplicate-email
+        // refusal customers.register already enforces) and point to
+        // sign-in. An owner adding another passkey uses the session-gated
+        // /account/passkey/add-* flow; a passwordless owner — or one whose
+        // first ceremony was interrupted — signs in with the magic-link.
         var existing = await deps.customers.byEmailHash(
           deps.customers.hashEmail(body.email),
         );
-        var customer;
         if (existing) {
-          customer = existing;
-        } else {
-          customer = await deps.customers.register({
-            email:        body.email,
-            display_name: body.display_name,
+          res.status(409);
+          res.setHeader && res.setHeader("content-type", "application/json");
+          var dupMsg = JSON.stringify({
+            error:   "account_exists",
+            message: "An account with this email already exists. Sign in instead.",
           });
+          return res.end ? res.end(dupMsg) : res.send(dupMsg);
         }
+        var customer = await deps.customers.register({
+          email:        body.email,
+          display_name: body.display_name,
+        });
         var startOpts = await b.auth.passkey.startRegistration({
           rpName:           rpName,
           rpId:             rpId,
@@ -15364,9 +15412,10 @@ function mount(router, deps) {
     }
 
     // Profile edit — display-name only. Email is hash-only + the OAuth
-    // linking key, so the primitive refuses an email change without a
-    // verification ceremony; the form shows it read-only. PRG with a
-    // ?ok=updated success notice, matching the addresses pattern.
+    // linking key, so it genuinely can't be changed (no readable address to
+    // edit); the form shows it read-only and the route never accepts an email
+    // field. PRG with a ?ok=updated success notice, matching the addresses
+    // pattern.
     async function _renderProfilePage(req, res, auth, customer, notice, code) {
       var cartCount = await _cartCountForReq(req);
       var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -18978,21 +19027,59 @@ function mount(router, deps) {
   // a REAL cart line so its fee flows through pricing.totals and is charged
   // by checkout.confirm (NEVER a post-commit hook — that would mis-charge).
   // Selecting "No gift wrap" removes any wrap line. Selecting a wrap removes
-  // any prior wrap line then adds the chosen one (qty 1, capped by
-  // max_per_order). The message / recipient are collected at checkout (they
-  // need the order id). Mounts only when the gift-options primitive is wired.
+  // any prior wrap line then adds the chosen one.
+  //
+  // Authoritative fee: the wrap line's price snapshot is the operator-
+  // configured gift_wraps.fee_minor — NOT the wrap variant's catalog price.
+  // fee_minor is the single source the admin sets and the cart selector
+  // displays, so the charge must read it too (an explicit unit_amount_minor
+  // snapshot on cart.addLine), or the displayed fee and the charged fee would
+  // silently diverge whenever the catalog price differs from the wrap fee.
+  //
+  // Cap: gift_wraps.max_per_order bounds how many of that wrap one order may
+  // carry. The request quantity (defensive reader, default 1) is checked
+  // against it BEFORE any mutation — over the cap is rejected with a 422 and
+  // the cart re-rendered with a customer-readable error, the cart unchanged.
+  //
+  // The message / recipient are collected at checkout (they need the order
+  // id). Mounts only when the gift-options primitive is wired.
   if (deps.giftOptions) {
     router.post("/cart/gift", async function (req, res) {
       var body = req.body || {};
       var wrapSku = typeof body.wrap_sku === "string" ? body.wrap_sku.trim() : "";
+      // Defensive request-shape reader: qty defaults to 1, and any non-
+      // positive-integer field (blank, garbage, fractional, negative) falls
+      // back to 1 rather than throwing — the cap check below is the only gate
+      // that rejects, and it rejects on "too many", never on a malformed qty.
+      var reqQty = 1;
+      var rawQty = body.qty;
+      if (rawQty != null && rawQty !== "") {
+        var s = String(rawQty).trim();
+        if (/^\d+$/.test(s)) {
+          var n = Number(s);
+          if (Number.isInteger(n) && n > 0) reqQty = n;
+        }
+      }
       var resolved = await _getOrCreateCart(req, res, "USD");
-      var cartId = resolved.cart.id;
+      var cart = resolved.cart;
+      var cartId = cart.id;
       try {
         // Resolve the active wrap catalog so we know every wrap sku (to
-        // remove a stale wrap line) and the selected wrap's cap.
+        // remove a stale wrap line) and the selected wrap's fee + cap.
         var wraps = await deps.giftOptions.listWraps({ active_only: true });
         var wrapBySku = {};
         for (var i = 0; i < wraps.length; i += 1) wrapBySku[wraps[i].wrap_sku] = wraps[i];
+        var chosen = (wrapSku && wrapBySku[wrapSku]) ? wrapBySku[wrapSku] : null;
+        // Enforce max_per_order before mutating anything. A null cap means
+        // "no limit"; a set cap rejects a request for more wraps than the
+        // order may carry. The cart is left untouched so the customer can
+        // resubmit with a smaller quantity.
+        if (chosen && chosen.max_per_order != null && reqQty > chosen.max_per_order) {
+          return await _renderCartResponse(req, res, 422, {
+            gift_error: "You can add at most " + chosen.max_per_order + " of “" +
+              chosen.title + "” to one order. Please choose a smaller quantity.",
+          });
+        }
         // Remove any existing wrap line first (every active wrap's sku).
         var existingLines = await deps.cart.listLines(cartId);
         for (var li = 0; li < existingLines.length; li += 1) {
@@ -19001,13 +19088,19 @@ function mount(router, deps) {
           }
         }
         // Add the selected wrap (when one was chosen + it's a real active
-        // wrap). The wrap_sku is a real catalog variant; resolve its variant
-        // id and add it as a line — the price snapshot comes from the catalog
-        // price, so the fee is charged through the normal quote path.
-        if (wrapSku && wrapBySku[wrapSku]) {
+        // wrap). The wrap_sku is a real catalog variant — resolve its variant
+        // id, then add it as a line whose unit price is the AUTHORITATIVE
+        // gift_wraps.fee_minor (the configured + displayed wrap fee), pinned
+        // via an explicit price snapshot so the charge matches the display.
+        if (chosen) {
           var variant = await deps.catalog.variants.bySku(wrapSku);
           if (variant) {
-            await deps.cart.addLine(cartId, { variant_id: variant.id, qty: 1 });
+            await deps.cart.addLine(cartId, {
+              variant_id:        variant.id,
+              qty:               reqQty,
+              unit_amount_minor: chosen.fee_minor,
+              unit_currency:     cart.currency || "USD",
+            });
           }
         }
       } catch (e) {

package/lib/webhooks.js

@@ -18,8 +18,9 @@
  *   `events` is either the wildcard `*` or a comma-separated allowlist
  *   of recognized event types — `order.mark_paid`,
  *   `order.start_fulfillment`, `order.mark_shipped`,
- *   `order.mark_delivered`, `order.cancel`, `order.refund`. Endpoints
- *   only receive event types they subscribed to.
+ *   `order.mark_delivered`, `order.cancel`, `order.refund`,
+ *   `inventory.low_stock`. Endpoints only receive event types they
+ *   subscribed to.
  *
  *   `send(eventType, payload)` is fire-and-flag-failure: every active
  *   endpoint subscribed to the event gets a delivery row before the
@@ -65,6 +66,7 @@ var KNOWN_EVENTS = Object.freeze([
   "order.mark_delivered",
   "order.cancel",
   "order.refund",
+  "inventory.low_stock",
 ]);
 
 var SECRET_BYTES = 32;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.12",
+  "version": "0.4.14",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {