npm - @blamejs/blamejs-shop - Versions diffs - 0.4.14 → 0.4.16 - Mend

@blamejs/blamejs-shop 0.4.14 → 0.4.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +4 -0
package/README.md +3 -2
package/lib/admin.js +990 -1
package/lib/asset-manifest.json +1 -1
package/lib/catalog.js +51 -1
package/lib/email.js +51 -0
package/lib/inventory-locations.js +103 -66
package/lib/quotes.js +306 -82
package/lib/storefront.js +416 -0
package/package.json +1 -1

package/lib/admin.js CHANGED Viewed

@@ -37,6 +37,7 @@ var loyaltyEarnRulesModule = require("./loyalty-earn-rules");
 var loyaltyRedemptionModule = require("./loyalty-redemption");
 var trustBadgesModule = require("./trust-badges");
 var cartModule = require("./cart");   // ABANDONED_* window/limit constants for the /admin/carts console
+var inventoryWriteoffsModule = require("./inventory-writeoffs");   // WRITEOFF_REASONS enum for the /admin/inventory/writeoffs console
 var textGuard = require("./text-guard");
 var { AsyncLocalStorage } = require("node:async_hooks");   // allow:non-shop-require — Node-core per-request context (no npm dep); the framework itself composes it in db-role-context / log. No b.* request-context primitive exists to wrap it.
@@ -236,6 +237,30 @@ function _strictMinorInt(value, prefix, label) {
   return n;
 }
+// Convert an operator-entered major-unit amount (e.g. "19.99") into integer
+// minor units via the money primitive — so the cents math is the
+// framework's, not a hand-rolled `* 100` that loses precision under IEEE
+// 754, and the conversion honours the target currency's exponent (JPY=0,
+// KWD=3, USD=2). Refuses a missing / non-decimal-shaped / negative value
+// with a TypeError the browser path surfaces as a 400 notice. `b.money.of`
+// rejects Number inputs at the boundary, so the value is normalized to a
+// trimmed decimal string first; the resulting BigInt minor units is range-
+// checked back to a safe integer (quote money fits comfortably).
+function _dollarsToMinor(value, label, currency) {
+  var cur = typeof currency === "string" && /^[A-Z]{3}$/.test(currency) ? currency : "USD";
+  var s = typeof value === "number" ? String(value) : (typeof value === "string" ? value.trim() : "");
+  if (!/^\d+(?:\.\d+)?$/.test(s)) {
+    throw new TypeError("admin: " + label + " must be a non-negative amount (e.g. 19.99)");
+  }
+  var minor;
+  try { minor = b.money.of(s, cur).toMinorUnits(); }
+  catch (_e) { throw new TypeError("admin: " + label + " has more decimal places than " + cur + " allows"); }
+  if (minor > BigInt(Number.MAX_SAFE_INTEGER)) {
+    throw new TypeError("admin: " + label + " is out of range");
+  }
+  return Number(minor);
+}
 // Strict non-negative integer for a form field (money minor units,
 // dimensions). Refuses "", floats, and parseInt's loose-prefix "12abc"
 // → 12 — the /^\d+$/ test is anchored so the whole string must be
@@ -574,6 +599,11 @@ function mount(router, deps) {
   var searchSuggestions = deps.searchSuggestions || null; // featured-suggestion curation + popular-searches view disabled when absent
   var trustBadges     = deps.trustBadges     || null; // trust-badge authoring console disabled when absent
   var preorder        = deps.preorder        || null; // pre-order campaign console (define/launch/close) disabled when absent
+  var inventoryLocations = deps.inventoryLocations || null; // stock-location CRUD + per-location levels console disabled when absent
+  var inventoryReceive   = deps.inventoryReceive   || null; // inbound-stock receive console disabled when absent
+  var stockTransfers     = deps.stockTransfers     || null; // location→location transfer console (dispatch/receive FSM) disabled when absent
+  var inventoryWriteoffs = deps.inventoryWriteoffs || null; // reason-coded write-off / shrinkage console disabled when absent
+  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/withdraw/convert) disabled when absent
   // Read-only activity log at /admin/audit. Defaults ON — the framework
   // audit chain is always booted by createApp, so the screen always has a
   // data source (unlike the optional primitives above, which default off).
@@ -593,7 +623,7 @@ function mount(router, deps) {
   // `reports` is always present in the nav (read-only sales summary needs no
   // extra dep); its route mounts unconditionally and renders an unconfigured
   // notice when the salesReports primitive isn't wired.
-  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, promoBanners: !!deps.promoBanners, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, searchSuggestions: !!searchSuggestions, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart };
+  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, promoBanners: !!deps.promoBanners, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, searchSuggestions: !!searchSuggestions, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart, inventoryLocations: !!inventoryLocations, inventoryReceive: !!inventoryReceive, stockTransfers: !!stockTransfers, inventoryWriteoffs: !!inventoryWriteoffs, quotes: !!deps.quotes };
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
@@ -5273,6 +5303,406 @@ function mount(router, deps) {
     });
   }
+  // ---- inventory-ops back-office --------------------------------------
+  //
+  // Per-location stock on top of the single-bucket catalog inventory. The
+  // catalog `inventory.stock_on_hand` stays the storefront source of truth;
+  // these screens keep it in step with the per-location detail so a
+  // multi-location operator's warehouse breakdown never diverges from the
+  // count the storefront sells against. A store that never defines a
+  // location keeps using /admin/inventory unchanged — the default location
+  // is implicit, zero config.
+  // Credit ALL THREE ledgers for an inbound receive of one (sku,
+  // location) line:
+  //   1. inventoryReceive.draft + apply — the batched-receipt record the
+  //      "Recent receipts" history reads, AND the storefront-aggregate
+  //      credit (apply composes catalog.inventory.restock, which fires the
+  //      low-stock observer). A unique reference is auto-generated so two
+  //      receives in the same millisecond don't collide on the UNIQUE
+  //      constraint.
+  //   2. inventoryLocations.adjustStock(+qty) — the per-location detail +
+  //      its reason-coded inventory_adjustments audit row.
+  //
+  // The location credit lands first: it's the verb that refuses an unknown
+  // / deactivated location (a credit never refuses on insufficiency), so a
+  // bad location is rejected before any receipt row is written. If the
+  // receipt record then fails (duplicate reference race, DB error) the
+  // location credit is reversed so the per-location detail doesn't sit
+  // ahead of the aggregate. Returns the location adjust result.
+  async function _receiveToLocation(sku, locationCode, qty, reason) {
+    var adj = await inventoryLocations.adjustStock({
+      sku: sku, location_code: locationCode, delta: qty,
+      reason: reason ? ("receive: " + reason) : "receive",
+    });
+    try {
+      var ref = "RCV-" + Date.now().toString(36).toUpperCase() + "-" +
+        b.uuid.v7().slice(0, 8);
+      var draft = await inventoryReceive.draft({
+        reference:   ref,
+        supplier:    reason ? reason.slice(0, 256) : "",
+        received_by: "admin-console",
+        notes:       locationCode ? ("location: " + locationCode) : "",
+        lines:       [{ sku: sku, qty_received: qty }],
+      });
+      // apply credits the storefront aggregate (restock → low-stock
+      // observer). restock is a no-op for an un-tracked SKU (no inventory
+      // row) — fine: an un-tracked SKU is unlimited in the storefront, so
+      // the per-location detail is the only ledger that needed the credit.
+      await inventoryReceive.apply(draft.id);
+    } catch (e) {
+      // Compensate the per-location credit so the detail doesn't disagree
+      // with the aggregate, then surface the original failure.
+      try {
+        await inventoryLocations.adjustStock({
+          sku: sku, location_code: locationCode, delta: -qty,
+          reason: "receive: rollback",
+        });
+      } catch (_e2) { /* drop-silent — the original error is the operator's signal */ }
+      throw e;
+    }
+    return adj;
+  }
+  // Debit BOTH ledgers for a write-off: the per-location detail (via the
+  // writeoffs primitive, which composes inventoryLocations.adjustStock and
+  // owns the reason-coded audit row) AND the storefront aggregate (catalog
+  // adjustOnHand, which fires the low-stock observer + refuses to eat into
+  // held stock).
+  //
+  // The aggregate mirror is applied BEFORE the write-off is committed as a
+  // real record so the two ledgers never silently diverge. adjustOnHand
+  // returns `{ adjusted: false }` (not a throw) when the debit would eat
+  // into stock already held for paid-but-unfulfilled orders — that's a real
+  // operational conflict (you're writing off units promised to a paid
+  // order), so we reverse the per-location debit and surface it as a
+  // refusal rather than committing a write-off that leaves the storefront
+  // count ahead of the physical shelf. A null result means the SKU is
+  // un-tracked in the catalog aggregate (no inventory row) — the
+  // per-location detail is then the only ledger, and the write-off stands.
+  async function _writeoffFromLocation(input) {
+    var row = await inventoryWriteoffs.recordWriteoff(input);
+    if (input.location_code) {
+      // The per-location debit already landed inside recordWriteoff. Mirror
+      // it onto the storefront aggregate.
+      var mirror = await catalog.inventory.adjustOnHand(input.sku, -input.quantity);
+      if (mirror && mirror.adjusted === false) {
+        // The aggregate refused — reverse the per-location debit AND the
+        // write-off record so neither ledger carries a half-applied move,
+        // then surface the conflict.
+        try {
+          await inventoryWriteoffs.reverseWriteoff({
+            id: row.id,
+            reason: "aggregate-conflict: would oversell held stock",
+          });
+        } catch (_e) { /* drop-silent — the thrown conflict is the operator's signal */ }
+        throw new TypeError("admin.inventory.writeoff: " + input.quantity +
+          " unit(s) of " + input.sku + " can't be written off — that would eat " +
+          "into stock already held for paid orders. Fulfil or cancel those orders first.");
+      }
+    }
+    return row;
+  }
+  if (inventoryLocations) {
+    // GET /admin/inventory/locations — location list with per-location
+    // levels for an optional ?sku= drill-down. JSON for the bearer token.
+    router.get("/admin/inventory/locations", _pageOrApi(true,
+      R(async function (req, res) {
+        var rows = await inventoryLocations.listLocations({});
+        _json(res, 200, { rows: rows });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var sku = url && url.searchParams.get("sku");
+        var rows = await inventoryLocations.listLocations({});
+        var levels = null;
+        if (sku) {
+          try { levels = await inventoryLocations.stockForSku(sku); }
+          catch (e) { if (!(e instanceof TypeError)) throw e; levels = null; }
+        }
+        _sendHtml(res, 200, renderAdminInvLocations({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          locations: rows, sku: sku || "", levels: levels,
+          saved:  url && url.searchParams.get("saved"),
+          notice: url && url.searchParams.get("err") ? "That location couldn't be saved — check the fields and try again." : null,
+        }));
+      },
+    ));
+    // POST /admin/inventory/locations — defineLocation, or updateLocation
+    // when the code already exists (operator-friendly upsert). A bad shape
+    // is a plain TypeError → 400.
+    router.post("/admin/inventory/locations", _pageOrApi(false,
+      W("inventory.location.save", async function (req, res) {
+        var loc;
+        try { loc = await _saveInvLocationFromBody(req.body || {}); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 201, loc);
+        return loc;
+      }),
+      async function (req, res) {
+        try { await _saveInvLocationFromBody(req.body || {}); }
+        catch (e) { if (e instanceof TypeError) return _redirect(res, "/admin/inventory/locations?err=1"); throw e; }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.location.save", outcome: "success", metadata: { code: (req.body || {}).code } });
+        _redirect(res, "/admin/inventory/locations?saved=1");
+      },
+    ));
+    async function _saveInvLocationFromBody(body) {
+      var input = {
+        code:     body.code,
+        name:     body.name,
+        type:     body.type,
+        priority: body.priority == null || body.priority === "" ? undefined : (parseInt(body.priority, 10)),
+      };
+      if (input.priority !== undefined && !Number.isFinite(input.priority)) {
+        throw new TypeError("admin.inventory.location.save: priority must be an integer");
+      }
+      var existing = await inventoryLocations.getLocation(body.code);
+      if (existing) {
+        var patch = { name: input.name, type: input.type };
+        if (input.priority !== undefined) patch.priority = input.priority;
+        return inventoryLocations.updateLocation(body.code, patch);
+      }
+      return inventoryLocations.defineLocation(input);
+    }
+    // POST /admin/inventory/locations/:code/deactivate — soft-delete. The
+    // row survives so historical adjustments still resolve their location.
+    router.post("/admin/inventory/locations/:code/deactivate", _pageOrApi(false,
+      W("inventory.location.deactivate", async function (req, res) {
+        var code = req.params.code;
+        var existing;
+        try { existing = await inventoryLocations.getLocation(code); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!existing) return _problem(res, 404, "inventory-location-not-found");
+        var row = await inventoryLocations.deactivateLocation(code);
+        _json(res, 200, row);
+        return row;
+      }),
+      async function (req, res) {
+        var code = req.params.code;
+        var existing;
+        try { existing = await inventoryLocations.getLocation(code); }
+        catch (e) { if (e instanceof TypeError) return _redirect(res, "/admin/inventory/locations?err=1"); throw e; }
+        if (!existing) return _redirect(res, "/admin/inventory/locations?err=1");
+        await inventoryLocations.deactivateLocation(code);
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.location.deactivate", outcome: "success", metadata: { code: code } });
+        _redirect(res, "/admin/inventory/locations?saved=1");
+      },
+    ));
+  }
+  if (inventoryReceive && inventoryLocations) {
+    // GET /admin/inventory/receive — the receive form + recent receipt
+    // history (the inventory-receive ledger). The form credits a single
+    // (sku, location) line; the history reads the batched-receipt records.
+    router.get("/admin/inventory/receive", _pageOrApi(true,
+      R(async function (req, res) {
+        var page = await inventoryReceive.list({ limit: 50 });
+        _json(res, 200, { rows: page.rows, next_cursor: page.next_cursor });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var locs = await inventoryLocations.listLocations({ active_only: true });
+        var page = await inventoryReceive.list({ limit: 50 });
+        _sendHtml(res, 200, renderAdminInvReceive({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          locations: locs, receipts: page.rows || [],
+          saved:  url && url.searchParams.get("saved"),
+          notice: url && url.searchParams.get("err") ? "That receipt couldn't be recorded — check the SKU, location, and quantity." : null,
+        }));
+      },
+    ));
+    // POST /admin/inventory/receive — credit a single (sku, location) line
+    // to both ledgers. quantity must be a positive integer; the location
+    // must exist (adjustStock refuses an unknown one).
+    router.post("/admin/inventory/receive", _pageOrApi(false,
+      W("inventory.receive", async function (req, res) {
+        var body = req.body || {};
+        var qty = parseInt(body.quantity, 10);
+        if (!Number.isInteger(qty) || qty <= 0) return _problem(res, 400, "bad-request", "quantity must be a positive integer");
+        var out;
+        try { out = await _receiveToLocation(body.sku, body.location_code, qty, body.reason); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 201, out);
+        return out;
+      }),
+      async function (req, res) {
+        var body = req.body || {};
+        var qty = parseInt(body.quantity, 10);
+        if (!Number.isInteger(qty) || qty <= 0) return _redirect(res, "/admin/inventory/receive?err=1");
+        try { await _receiveToLocation(body.sku, body.location_code, qty, body.reason); }
+        catch (e) { if (e instanceof TypeError) return _redirect(res, "/admin/inventory/receive?err=1"); throw e; }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.receive", outcome: "success", metadata: { sku: body.sku, location_code: body.location_code, quantity: qty } });
+        _redirect(res, "/admin/inventory/receive?saved=1");
+      },
+    ));
+  }
+  if (stockTransfers && inventoryLocations) {
+    // GET /admin/inventory/transfers — the open-transfer queue + the open
+    // form. The queue shows non-terminal transfers with the FSM actions
+    // legal from each status.
+    router.get("/admin/inventory/transfers", _pageOrApi(true,
+      R(async function (req, res) {
+        var rows = await stockTransfers.listOpen({});
+        _json(res, 200, { rows: rows });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var locs = await inventoryLocations.listLocations({ active_only: true });
+        var rows = await stockTransfers.listOpen({});
+        _sendHtml(res, 200, renderAdminInvTransfers({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          locations: locs, transfers: rows,
+          saved:  url && url.searchParams.get("saved"),
+          notice: url && url.searchParams.get("err") ? "That transfer action couldn't be completed — check stock at the source and the transfer state." : null,
+        }));
+      },
+    ));
+    // POST /admin/inventory/transfers — openTransfer for one (sku, qty)
+    // line. Debits the source immediately (stock leaves at dispatch).
+    router.post("/admin/inventory/transfers", _pageOrApi(false,
+      W("inventory.transfer.open", async function (req, res) {
+        var body = req.body || {};
+        var qty = parseInt(body.quantity, 10);
+        if (!Number.isInteger(qty) || qty <= 0) return _problem(res, 400, "bad-request", "quantity must be a positive integer");
+        var t;
+        try {
+          t = await stockTransfers.openTransfer({
+            from_location: body.from_location, to_location: body.to_location,
+            lines: [{ sku: body.sku, quantity: qty }], reason: body.reason,
+          });
+        } catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 201, t);
+        return t;
+      }),
+      async function (req, res) {
+        var body = req.body || {};
+        var qty = parseInt(body.quantity, 10);
+        if (!Number.isInteger(qty) || qty <= 0) return _redirect(res, "/admin/inventory/transfers?err=1");
+        try {
+          await stockTransfers.openTransfer({
+            from_location: body.from_location, to_location: body.to_location,
+            lines: [{ sku: body.sku, quantity: qty }], reason: body.reason,
+          });
+        } catch (e) { if (e instanceof TypeError) return _redirect(res, "/admin/inventory/transfers?err=1"); throw e; }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.transfer.open", outcome: "success", metadata: { sku: body.sku, from: body.from_location, to: body.to_location, quantity: qty } });
+        _redirect(res, "/admin/inventory/transfers?saved=1");
+      },
+    ));
+    // The FSM-action routes: ship → in-transit → receive → reconcile, plus
+    // exception. Each resolves the transfer first (unknown id → err) and
+    // calls the matching primitive verb; a wrong-state transition is a
+    // plain TypeError surfaced as an error redirect / 400.
+    function _transferAction(action, verb) {
+      router.post("/admin/inventory/transfers/:id/" + action, _pageOrApi(false,
+        W("inventory.transfer." + action, async function (req, res) {
+          var id = req.params.id;
+          var out;
+          try { out = await verb(id, req.body || {}); }
+          catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+          _json(res, 200, out);
+          return out;
+        }),
+        async function (req, res) {
+          var id = req.params.id;
+          try { await verb(id, req.body || {}); }
+          catch (e) { if (e instanceof TypeError) return _redirect(res, "/admin/inventory/transfers?err=1"); throw e; }
+          b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.transfer." + action, outcome: "success", metadata: { transfer_id: id } });
+          _redirect(res, "/admin/inventory/transfers?saved=1");
+        },
+      ));
+    }
+    _transferAction("ship", function (id, body) {
+      return stockTransfers.markShipped({ transfer_id: id, carrier: body.carrier || null, tracking_number: body.tracking_number || null });
+    });
+    _transferAction("in-transit", function (id, body) {
+      return stockTransfers.markInTransit({ transfer_id: id, location: body.location || null });
+    });
+    _transferAction("receive", function (id, body) {
+      // Single-line transfers from the open form: receive the full shipped
+      // qty unless the operator overrides quantity_received. Resolve the
+      // shipped line so a blank field receives everything (the happy path).
+      return (async function () {
+        var t = await stockTransfers.getTransfer(id);
+        if (!t) throw new TypeError("transfer not found");
+        var rx = t.lines.map(function (l) {
+          var got = body["rx_" + l.sku];
+          var q = got == null || got === "" ? l.quantity_shipped : parseInt(got, 10);
+          if (!Number.isInteger(q) || q < 0) throw new TypeError("quantity_received must be a non-negative integer");
+          return { sku: l.sku, quantity_received: q };
+        });
+        return stockTransfers.markReceived({ transfer_id: id, received_lines: rx });
+      })();
+    });
+    _transferAction("reconcile", function (id) {
+      return stockTransfers.reconcile({ transfer_id: id });
+    });
+    _transferAction("exception", function (id, body) {
+      return stockTransfers.markException({ transfer_id: id, reason: body.reason });
+    });
+  }
+  if (inventoryWriteoffs && inventoryLocations) {
+    // GET /admin/inventory/writeoffs — the write-off log + the record form.
+    router.get("/admin/inventory/writeoffs", _pageOrApi(true,
+      R(async function (req, res) {
+        var page = await inventoryWriteoffs.listWriteoffs({ limit: 50 });
+        _json(res, 200, { rows: page.rows, next_cursor: page.next_cursor });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var locs = await inventoryLocations.listLocations({ active_only: true });
+        var page = await inventoryWriteoffs.listWriteoffs({ limit: 50 });
+        _sendHtml(res, 200, renderAdminInvWriteoffs({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          locations: locs, writeoffs: page.rows || [],
+          reasons: inventoryWriteoffsModule.WRITEOFF_REASONS,
+          saved:  url && url.searchParams.get("saved"),
+          notice: url && url.searchParams.get("err") ? "That write-off couldn't be recorded — check the SKU, location, quantity, and reason." : null,
+        }));
+      },
+    ));
+    // POST /admin/inventory/writeoffs — recordWriteoff against a location +
+    // mirror the debit onto the storefront aggregate.
+    router.post("/admin/inventory/writeoffs", _pageOrApi(false,
+      W("inventory.writeoff", async function (req, res) {
+        var body = req.body || {};
+        var qty = parseInt(body.quantity, 10);
+        if (!Number.isInteger(qty) || qty <= 0) return _problem(res, 400, "bad-request", "quantity must be a positive integer");
+        var row;
+        try {
+          row = await _writeoffFromLocation({
+            sku: body.sku, location_code: body.location_code, quantity: qty,
+            reason: body.reason, actor: body.actor || "admin-console", notes: body.notes || null,
+          });
+        } catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 201, row);
+        return row;
+      }),
+      async function (req, res) {
+        var body = req.body || {};
+        var qty = parseInt(body.quantity, 10);
+        if (!Number.isInteger(qty) || qty <= 0) return _redirect(res, "/admin/inventory/writeoffs?err=1");
+        try {
+          await _writeoffFromLocation({
+            sku: body.sku, location_code: body.location_code, quantity: qty,
+            reason: body.reason, actor: body.actor || "admin-console", notes: body.notes || null,
+          });
+        } catch (e) { if (e instanceof TypeError) return _redirect(res, "/admin/inventory/writeoffs?err=1"); throw e; }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.writeoff", outcome: "success", metadata: { sku: body.sku, location_code: body.location_code, quantity: qty, reason: body.reason } });
+        _redirect(res, "/admin/inventory/writeoffs?saved=1");
+      },
+    ));
+  }
   // ---- gift wraps -----------------------------------------------------
   //
   // The operator-defined gift-wrap catalog: define / update / archive a wrap
@@ -6457,6 +6887,187 @@ function mount(router, deps) {
     ));
   }
+  // ---- quotes (B2B request-for-quote negotiation) ---------------------
+  // The operator side of the RFQ lifecycle. The list is the response queue
+  // (oldest-waiting requests first) plus a recent-activity view; the detail
+  // screen shows the requested lines + the customer message, and — for a
+  // still-requested quote — a per-line pricing form that responds with a
+  // priced quote + validity window. Responded/accepted quotes show the
+  // quoted totals; an operator can withdraw a quote that hasn't been
+  // accepted, or convert an accepted one into a pending order. Content-
+  // negotiated like the other consoles (bearer → JSON, browser → HTML).
+  if (quotes) {
+    // Build the respondToQuote line_prices array from the per-line
+    // `price_<sku>` dollar fields the detail form posts, converting each to
+    // minor units. Every quote line must be priced; a missing / non-numeric
+    // field throws a TypeError the route maps to a 400 re-render. The dollar
+    // string is parsed to integer cents WITHOUT floating-point (split on the
+    // decimal point) so 19.99 never lands as 1998 via float drift.
+    function _quoteLinePricesFromForm(body, lines, currency) {
+      var out = [];
+      for (var i = 0; i < lines.length; i += 1) {
+        var sku = lines[i].sku;
+        var raw = body["price_" + sku];
+        if (raw == null || (typeof raw === "string" && !raw.trim().length)) {
+          throw new TypeError("quotes: a unit price is required for every line (missing " + sku + ")");
+        }
+        out.push({ sku: sku, unit_price_minor: _dollarsToMinor(raw, "unit price for " + sku, currency) });
+      }
+      return out;
+    }
+    router.get("/admin/quotes", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var cid = url && url.searchParams.get("customer_id");
+        var rows = cid
+          ? await quotes.quotesForCustomer(cid, { limit: 200 })
+          : await quotes.pendingResponse({ limit: 200 });
+        _json(res, 200, { rows: rows });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var cid = url && url.searchParams.get("customer_id");
+        var rows = [];
+        try {
+          rows = cid
+            ? await quotes.quotesForCustomer(cid, { limit: 200 })
+            : await quotes.pendingResponse({ limit: 200 });
+        } catch (e) { if (!(e instanceof TypeError)) throw e; }
+        _sendHtml(res, 200, renderAdminQuotes({
+          shop_name: deps.shop_name, nav_available: navAvailable, quotes: rows,
+          customer_filter: cid,
+          responded: url && url.searchParams.get("responded"),
+          withdrawn: url && url.searchParams.get("withdrawn"),
+          converted: url && url.searchParams.get("converted"),
+          notice: (url && url.searchParams.get("err"))
+            ? "That action couldn't be completed for the quote." : null,
+        }));
+      },
+    ));
+    // Detail: the quote + its lines, plus the per-line respond form (when
+    // still requested) and the withdraw / convert actions.
+    router.get("/admin/quotes/:id", _pageOrApi(true,
+      R(async function (req, res) {
+        var row = null;
+        try { row = await quotes.getQuote(req.params.id); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 404, "quote-not-found"); throw e; }
+        if (!row) return _problem(res, 404, "quote-not-found");
+        _json(res, 200, row);
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var row = null;
+        try { row = await quotes.getQuote(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _sendHtml(res, 404, renderAdminQuoteDetail({
+          shop_name: deps.shop_name, nav_available: navAvailable, quote: null,
+        }));
+        _sendHtml(res, 200, renderAdminQuoteDetail({
+          shop_name: deps.shop_name, nav_available: navAvailable, quote: row,
+          notice: (url && url.searchParams.get("err"))
+            ? "That action couldn't be completed for the quote." : null,
+        }));
+      },
+    ));
+    // Respond: price every line + set shipping / tax / validity. The browser
+    // form posts dollar amounts (converted to minor units here) + a
+    // validity-in-days; the bearer JSON contract takes the primitive's native
+    // shape (minor units + an absolute valid_until). A bad shape is a clean
+    // 400 (bearer) / err re-render (browser), never a 500.
+    router.post("/admin/quotes/:id/respond", _pageOrApi(false,
+      W("quote.respond", async function (req, res) {
+        var row;
+        try { row = await quotes.respondToQuote(Object.assign({}, req.body || {}, { quote_id: req.params.id })); }
+        catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        var enc = encodeURIComponent(id);
+        var body = req.body || {};
+        var current = null;
+        try { current = await quotes.getQuote(id); } catch (_e) { current = null; }
+        if (!current) return _redirect(res, "/admin/quotes?err=1");
+        try {
+          var validDays = _strictNonNegIntField(body.valid_days, "valid_days");
+          if (validDays <= 0) throw new TypeError("admin: valid_days must be at least 1");
+          var quoteCurrency = typeof body.currency === "string" && body.currency
+            ? body.currency.toUpperCase() : (current.currency || "USD");
+          await quotes.respondToQuote({
+            quote_id:       id,
+            line_prices:    _quoteLinePricesFromForm(body, current.lines, quoteCurrency),
+            shipping_minor: body.shipping == null || body.shipping === "" ? 0 : _dollarsToMinor(body.shipping, "shipping", quoteCurrency),
+            tax_minor:      body.tax == null || body.tax === "" ? 0 : _dollarsToMinor(body.tax, "tax", quoteCurrency),
+            valid_until:    Date.now() + b.constants.TIME.days(validDays),
+            currency:       quoteCurrency,
+            operator_notes: body.operator_notes || null,
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          var msg = _safeNotice(e, "quote.respond");
+          var fresh = await quotes.getQuote(id);
+          return _sendHtml(res, msg.status, renderAdminQuoteDetail({
+            shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+            notice: msg.message.replace(/^(quotes|admin)[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.respond", outcome: "success", metadata: { quote_id: id } });
+        // Fire the quote-responded email (drop-silent, fire-and-forget) when a
+        // notifier is wired — the customer learns their quote is priced.
+        if (typeof deps.notifyQuoteResponded === "function") {
+          try { await deps.notifyQuoteResponded(id); }
+          catch (_e) { /* drop-silent — the response already persisted */ }
+        }
+        _redirect(res, "/admin/quotes/" + enc + "?responded=1");
+      },
+    ));
+    // Withdraw: cancel a quote that hasn't been accepted yet (requested or
+    // responded). Accepted / terminal quotes refuse — the FSM gate is the
+    // single source of truth, surfaced as a 409.
+    router.post("/admin/quotes/:id/withdraw", _pageOrApi(false,
+      W("quote.withdraw", async function (req, res) {
+        var row;
+        try {
+          row = await quotes.cancelQuote({
+            quote_id:      req.params.id,
+            cancel_reason: (req.body && req.body.cancel_reason) || "Withdrawn by operator",
+          });
+        } catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        try {
+          await quotes.cancelQuote({
+            quote_id:      id,
+            cancel_reason: (req.body && req.body.cancel_reason) || "Withdrawn by operator",
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          return _redirect(res, "/admin/quotes/" + encodeURIComponent(id) + "?err=1");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.withdraw", outcome: "success", metadata: { quote_id: id } });
+        _redirect(res, "/admin/quotes?withdrawn=1");
+      },
+    ));
+  }
   // ---- search ranking -------------------------------------------------
   // Operator-tunable storefront search ranking: named weight sets (one
   // active at a time), per-query manual pins, and a per-set metrics rollup.
@@ -11946,7 +12557,12 @@ var ADMIN_NAV_ITEMS = [
   { key: "dashboard",    href: "/admin/dashboard",    label: "Dashboard" },
   { key: "products",     href: "/admin/products",     label: "Products" },
   { key: "inventory",    href: "/admin/inventory",    label: "Inventory" },
+  { key: "inventory-locations", href: "/admin/inventory/locations", label: "Stock locations", requires: "inventoryLocations" },
+  { key: "inventory-receive",   href: "/admin/inventory/receive",   label: "Receive stock",   requires: "inventoryReceive" },
+  { key: "inventory-transfers", href: "/admin/inventory/transfers", label: "Transfers",       requires: "stockTransfers" },
+  { key: "inventory-writeoffs", href: "/admin/inventory/writeoffs", label: "Write-offs",      requires: "inventoryWriteoffs" },
   { key: "orders",       href: "/admin/orders",       label: "Orders" },
+  { key: "quotes",       href: "/admin/quotes",       label: "Quotes",       requires: "quotes" },
   { key: "carts",        href: "/admin/carts",        label: "Abandoned carts", requires: "carts" },
   { key: "reports",      href: "/admin/reports",      label: "Reports" },
   { key: "analytics",    href: "/admin/analytics",    label: "Analytics",    requires: "analytics" },
@@ -14687,6 +15303,236 @@ function renderAdminPickupLocations(opts) {
   return _renderAdminShell(opts.shop_name, "Pickup locations", body, "pickup-locations", opts.nav_available);
 }
+// Stock-location list + the define/update form + an optional per-SKU
+// levels drill-down. Location names and codes are operator free text —
+// escaped at the sink.
+function renderAdminInvLocations(opts) {
+  opts = opts || {};
+  var list = opts.locations || [];
+  var saved  = opts.saved  ? "<div class=\"banner banner--ok\">Stock location saved.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var rows = list.map(function (l) {
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(l.code) + "</code></td>" +
+      "<td>" + _htmlEscape(l.name) + "</td>" +
+      "<td>" + _htmlEscape(l.type) + "</td>" +
+      "<td>" + _htmlEscape(String(l.priority)) + "</td>" +
+      "<td>" + (l.active ? "<span class=\"status-pill\">active</span>" : "<span class=\"meta\">inactive</span>") + "</td>" +
+      "<td>" +
+        (l.active
+          ? "<form method=\"post\" action=\"/admin/inventory/locations/" + encodeURIComponent(l.code) + "/deactivate\" class=\"form-inline\">" +
+              "<button class=\"btn btn--ghost btn--sm\" type=\"submit\">Deactivate</button></form>"
+          : "<span class=\"meta\">—</span>") +
+      "</td>" +
+      "</tr>";
+  }).join("");
+  var table = list.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Code</th><th scope=\"col\">Name</th><th scope=\"col\">Type</th><th scope=\"col\">Priority</th><th scope=\"col\">Status</th><th scope=\"col\">Action</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No stock locations yet. A store with one warehouse needs no location — the default bucket is implicit. Add a location below once you ship from more than one place.</p>";
+  // Per-SKU levels drill-down.
+  var levelsBlock = "";
+  if (opts.levels) {
+    var lv = opts.levels;
+    var lvRows = (lv.by_location || []).map(function (r) {
+      return "<tr><td><code class=\"order-id\">" + _htmlEscape(r.code) + "</code></td><td>" + _htmlEscape(String(r.quantity)) + "</td></tr>";
+    }).join("");
+    levelsBlock =
+      "<div class=\"panel mt\"><h3 class=\"subhead\">Levels for " + _htmlEscape(opts.sku) + " — total " + _htmlEscape(String(lv.total)) + "</h3>" +
+        (lv.by_location && lv.by_location.length
+          ? _tableWrap("<table><thead><tr><th scope=\"col\">Location</th><th scope=\"col\">On hand</th></tr></thead><tbody>" + lvRows + "</tbody></table>")
+          : "<p class=\"empty\">No per-location stock recorded for this SKU.</p>") +
+      "</div>";
+  }
+  var lookup =
+    "<div class=\"panel mt\"><h3 class=\"subhead\">Per-location levels</h3>" +
+      "<form method=\"get\" action=\"/admin/inventory/locations\" class=\"form-inline\">" +
+        _setupField("SKU", "sku", opts.sku || "", "text", "Show the per-location breakdown for one SKU.", " maxlength=\"128\"") +
+        "<button class=\"btn btn--ghost btn--sm\" type=\"submit\">Look up</button>" +
+      "</form>" + levelsBlock +
+    "</div>";
+  var form =
+    "<div class=\"panel mt\"><h3 class=\"subhead\">Add / update a stock location</h3>" +
+      "<form method=\"post\" action=\"/admin/inventory/locations\">" +
+        _setupField("Code", "code", "", "text", "Stable identifier (alnum + . _ -). Re-using a code updates that location.", " maxlength=\"64\" required") +
+        _setupField("Name", "name", "", "text", "Operator-facing label (e.g. East warehouse).", " maxlength=\"128\" required") +
+        "<label class=\"form-field\"><span>Type</span>" +
+          "<select name=\"type\" required>" +
+            "<option value=\"warehouse\">warehouse</option>" +
+            "<option value=\"retail\">retail</option>" +
+            "<option value=\"dropship\">dropship</option>" +
+          "</select>" +
+          "<small>Drives default routing weight; override with priority.</small>" +
+        "</label>" +
+        _setupField("Priority", "priority", "", "number", "Lower picks first (default 100).", " min=\"0\"") +
+        "<div class=\"actions-row\"><button type=\"submit\" class=\"btn\">Save location</button></div>" +
+      "</form>" +
+    "</div>";
+  var body = "<section><h2>Stock locations</h2>" + saved + notice + table + lookup + form + "</section>";
+  return _renderAdminShell(opts.shop_name, "Stock locations", body, "inventory-locations", opts.nav_available);
+}
+// Receive inbound stock against a location. Credits both the per-location
+// detail and the storefront aggregate. Recent receipts (the batched
+// inventory-receive ledger) render below the form. Reference / supplier
+// are operator free text — escaped at the sink.
+function renderAdminInvReceive(opts) {
+  opts = opts || {};
+  var locs = opts.locations || [];
+  var receipts = opts.receipts || [];
+  var saved  = opts.saved  ? "<div class=\"banner banner--ok\">Stock received.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var locOptions = locs.map(function (l) {
+    return "<option value=\"" + _htmlEscape(l.code) + "\">" + _htmlEscape(l.name) + " (" + _htmlEscape(l.code) + ")</option>";
+  }).join("");
+  var form = locs.length
+    ? "<div class=\"panel\"><h3 class=\"subhead\">Receive stock</h3>" +
+        "<form method=\"post\" action=\"/admin/inventory/receive\">" +
+          _setupField("SKU", "sku", "", "text", "", " maxlength=\"128\" required") +
+          "<label class=\"form-field\"><span>Location</span><select name=\"location_code\" required>" + locOptions + "</select></label>" +
+          _setupField("Quantity", "quantity", "", "number", "Units received (positive).", " min=\"1\" required") +
+          _setupField("Reason / reference", "reason", "", "text", "Optional — PO number, supplier, note.", " maxlength=\"256\"") +
+          "<div class=\"actions-row\"><button type=\"submit\" class=\"btn\">Receive</button></div>" +
+        "</form></div>"
+    : "<p class=\"empty\">Add a stock location first, then receive stock against it.</p>";
+  var recRows = receipts.map(function (r) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(String(r.reference || "")) + "</td>" +
+      "<td>" + _htmlEscape(String(r.supplier || "")) + "</td>" +
+      "<td><span class=\"status-pill\">" + _htmlEscape(String(r.status)) + "</span></td>" +
+      "<td>" + _htmlEscape(String(r.total_qty)) + "</td>" +
+      "<td>" + _htmlEscape(_fmtDate(r.received_at)) + "</td>" +
+      "</tr>";
+  }).join("");
+  var history = receipts.length
+    ? "<div class=\"panel mt\"><h3 class=\"subhead\">Recent receipts</h3>" +
+        _tableWrap("<table><thead><tr><th scope=\"col\">Reference</th><th scope=\"col\">Supplier</th><th scope=\"col\">Status</th><th scope=\"col\">Qty</th><th scope=\"col\">Received</th></tr></thead><tbody>" + recRows + "</tbody></table>") +
+      "</div>"
+    : "";
+  var body = "<section><h2>Receive stock</h2>" + saved + notice + form + history + "</section>";
+  return _renderAdminShell(opts.shop_name, "Receive stock", body, "inventory-receive", opts.nav_available);
+}
+// Location→location transfer console: the open form + the open-transfer
+// queue with the FSM action legal from each row's status. Reasons,
+// carriers, and tracking numbers are operator free text — escaped.
+function renderAdminInvTransfers(opts) {
+  opts = opts || {};
+  var locs = opts.locations || [];
+  var transfers = opts.transfers || [];
+  var saved  = opts.saved  ? "<div class=\"banner banner--ok\">Transfer updated.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var locOptions = locs.map(function (l) {
+    return "<option value=\"" + _htmlEscape(l.code) + "\">" + _htmlEscape(l.name) + " (" + _htmlEscape(l.code) + ")</option>";
+  }).join("");
+  function _transferActions(t) {
+    var blocks = [];
+    var act = function (action, label, extra) {
+      return "<form method=\"post\" action=\"/admin/inventory/transfers/" + encodeURIComponent(t.id) + "/" + action + "\" class=\"form-inline\">" +
+        (extra || "") + "<button class=\"btn btn--sm\" type=\"submit\">" + _htmlEscape(label) + "</button></form>";
+    };
+    if (t.status === "open") blocks.push(act("ship", "Mark shipped"));
+    if (t.status === "shipped" || t.status === "in_transit") {
+      blocks.push(act("receive", "Mark received"));
+    }
+    if (t.status === "received") blocks.push(act("reconcile", "Reconcile"));
+    if (t.status !== "reconciled" && t.status !== "exception") {
+      blocks.push(act("exception", "Exception",
+        "<input type=\"text\" name=\"reason\" placeholder=\"reason\" maxlength=\"280\" required>"));
+    }
+    return blocks.length ? blocks.join("") : "<span class=\"meta\">—</span>";
+  }
+  var rows = transfers.map(function (t) {
+    var lineSummary = (t.lines || []).map(function (l) {
+      return _htmlEscape(l.sku) + "×" + _htmlEscape(String(l.quantity_shipped));
+    }).join(", ");
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(String(t.id).slice(0, 8)) + "</code></td>" +
+      "<td>" + _htmlEscape(t.from_location) + " → " + _htmlEscape(t.to_location) + "</td>" +
+      "<td>" + lineSummary + "</td>" +
+      "<td><span class=\"status-pill\">" + _htmlEscape(t.status) + "</span></td>" +
+      "<td>" + _transferActions(t) + "</td>" +
+      "</tr>";
+  }).join("");
+  var queue = transfers.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">ID</th><th scope=\"col\">Route</th><th scope=\"col\">Lines</th><th scope=\"col\">Status</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No open transfers.</p>";
+  var form = locs.length >= 2
+    ? "<div class=\"panel mt\"><h3 class=\"subhead\">Open a transfer</h3>" +
+        "<form method=\"post\" action=\"/admin/inventory/transfers\">" +
+          "<label class=\"form-field\"><span>From</span><select name=\"from_location\" required>" + locOptions + "</select></label>" +
+          "<label class=\"form-field\"><span>To</span><select name=\"to_location\" required>" + locOptions + "</select></label>" +
+          _setupField("SKU", "sku", "", "text", "", " maxlength=\"128\" required") +
+          _setupField("Quantity", "quantity", "", "number", "Units to move (leaves the source immediately).", " min=\"1\" required") +
+          _setupField("Reason", "reason", "", "text", "Optional note.", " maxlength=\"280\"") +
+          "<div class=\"actions-row\"><button type=\"submit\" class=\"btn\">Open transfer</button></div>" +
+        "</form></div>"
+    : "<p class=\"empty\">Define at least two stock locations to transfer between them.</p>";
+  var body = "<section><h2>Stock transfers</h2>" + saved + notice + queue + form + "</section>";
+  return _renderAdminShell(opts.shop_name, "Transfers", body, "inventory-transfers", opts.nav_available);
+}
+// Reason-coded write-off log + record form. SKU, reason, notes, and actor
+// are operator free text — escaped at the sink.
+function renderAdminInvWriteoffs(opts) {
+  opts = opts || {};
+  var locs = opts.locations || [];
+  var list = opts.writeoffs || [];
+  var reasons = opts.reasons || [];
+  var saved  = opts.saved  ? "<div class=\"banner banner--ok\">Write-off recorded.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var locOptions = locs.map(function (l) {
+    return "<option value=\"" + _htmlEscape(l.code) + "\">" + _htmlEscape(l.name) + " (" + _htmlEscape(l.code) + ")</option>";
+  }).join("");
+  var reasonOptions = reasons.map(function (r) {
+    return "<option value=\"" + _htmlEscape(r) + "\">" + _htmlEscape(r) + "</option>";
+  }).join("");
+  var rows = list.map(function (w) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(String(w.sku)) + "</td>" +
+      "<td>" + (w.location_code ? "<code class=\"order-id\">" + _htmlEscape(String(w.location_code)) + "</code>" : "<span class=\"meta\">—</span>") + "</td>" +
+      "<td>" + _htmlEscape(String(w.quantity)) + "</td>" +
+      "<td>" + _htmlEscape(String(w.reason)) + "</td>" +
+      "<td><span class=\"status-pill\">" + _htmlEscape(String(w.status)) + "</span></td>" +
+      "<td>" + _htmlEscape(_fmtDate(w.occurred_at)) + "</td>" +
+      "</tr>";
+  }).join("");
+  var table = list.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">SKU</th><th scope=\"col\">Location</th><th scope=\"col\">Qty</th><th scope=\"col\">Reason</th><th scope=\"col\">Status</th><th scope=\"col\">When</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No write-offs recorded.</p>";
+  var form = locs.length
+    ? "<div class=\"panel mt\"><h3 class=\"subhead\">Record a write-off</h3>" +
+        "<form method=\"post\" action=\"/admin/inventory/writeoffs\">" +
+          _setupField("SKU", "sku", "", "text", "", " maxlength=\"128\" required") +
+          "<label class=\"form-field\"><span>Location</span><select name=\"location_code\" required>" + locOptions + "</select></label>" +
+          _setupField("Quantity", "quantity", "", "number", "Units removed (positive).", " min=\"1\" required") +
+          "<label class=\"form-field\"><span>Reason</span><select name=\"reason\" required>" + reasonOptions + "</select></label>" +
+          _setupField("Notes", "notes", "", "text", "Optional.", " maxlength=\"4096\"") +
+          "<div class=\"actions-row\"><button type=\"submit\" class=\"btn btn--danger\">Record write-off</button></div>" +
+        "</form></div>"
+    : "<p class=\"empty\">Add a stock location first, then record write-offs against it.</p>";
+  var body = "<section><h2>Write-offs</h2>" + saved + notice + table + form + "</section>";
+  return _renderAdminShell(opts.shop_name, "Write-offs", body, "inventory-writeoffs", opts.nav_available);
+}
 // Pickup queue for one location: a location selector + status chips, the
 // scheduled/ready rows, and the FSM action forms (ready / picked-up /
 // no-show) legal from each row's status. The no_show reason is operator-
@@ -18324,6 +19170,149 @@ function _standardSurveyQuestions(kind) {
   ];
 }
+// Map a quote status to a status-pill modifier class (reusing the order
+// pills: paid=green for the live/positive states, cancelled=grey for the
+// terminal-without-sale ones). Purely cosmetic.
+function _quotePillClass(status) {
+  if (status === "responded") return "paid";
+  if (status === "accepted" || status === "converted") return "paid";
+  if (status === "requested") return "pending";
+  return "cancelled"; // rejected / expired / cancelled
+}
+function renderAdminQuotes(opts) {
+  opts = opts || {};
+  var rows = opts.quotes || [];
+  var responded = opts.responded ? "<div class=\"banner banner--ok\">Quote sent to the customer.</div>" : "";
+  var withdrawn = opts.withdrawn ? "<div class=\"banner banner--ok\">Quote withdrawn.</div>" : "";
+  var converted = opts.converted ? "<div class=\"banner banner--ok\">Quote converted to an order.</div>" : "";
+  var notice    = opts.notice    ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var cf = opts.customer_filter;
+  var heading = cf ? "Quotes for this customer" : "Quotes awaiting a response";
+  var chips = "<div class=\"order-filters\">" +
+    "<a class=\"chip" + (cf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    (cf ? "<a class=\"chip chip--on\" href=\"/admin/quotes?customer_id=" + _htmlEscape(encodeURIComponent(cf)) + "\">This customer</a>" : "") +
+    "</div>";
+  var bodyRows = rows.map(function (q) {
+    var enc = _htmlEscape(encodeURIComponent(q.id));
+    var total = q.total_minor == null
+      ? "<span class=\"u-mute\">—</span>"
+      : _htmlEscape(pricing.format(q.total_minor, q.currency || "USD"));
+    var lineCount = (q.lines || []).length;
+    return "<tr>" +
+      "<td><a href=\"/admin/quotes/" + enc + "\"><code class=\"order-id\">" + _htmlEscape(String(q.id).slice(0, 8)) + "</code></a></td>" +
+      "<td><a href=\"/admin/customers/" + _htmlEscape(encodeURIComponent(q.customer_id)) + "\">" + _htmlEscape(String(q.customer_id).slice(0, 8)) + "</a></td>" +
+      "<td><span class=\"status-pill " + _quotePillClass(q.status) + "\">" + _htmlEscape(q.status) + "</span></td>" +
+      "<td class=\"num\">" + lineCount + "</td>" +
+      "<td class=\"num\">" + total + "</td>" +
+      "<td><a class=\"btn btn--ghost\" href=\"/admin/quotes/" + enc + "\">Open</a></td>" +
+    "</tr>";
+  }).join("");
+  var table = rows.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Quote</th><th scope=\"col\">Customer</th><th scope=\"col\">Status</th><th scope=\"col\" class=\"num\">Lines</th><th scope=\"col\" class=\"num\">Total</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">" + (cf ? "No quotes for this customer." : "No quotes are waiting for a response.") + "</p>";
+  var bodyHtml = "<section><h2>Quotes</h2>" + responded + withdrawn + converted + notice +
+    "<p class=\"meta\">Request-for-quote negotiations. The response queue lists the requests waiting on you, oldest first — open one to price its lines and send the customer a quote.</p>" +
+    chips + "<h3 class=\"subhead\">" + _htmlEscape(heading) + "</h3>" + table + "</section>";
+  return _renderAdminShell(opts.shop_name, "Quotes", bodyHtml, "quotes", opts.nav_available);
+}
+function renderAdminQuoteDetail(opts) {
+  opts = opts || {};
+  var q = opts.quote;
+  if (!q) {
+    var nf = "<section><h2>Quote</h2><p class=\"empty\">Quote not found.</p>" +
+      "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin/quotes\">Back to quotes</a></div></section>";
+    return _renderAdminShell(opts.shop_name, "Quote", nf, "quotes", opts.nav_available);
+  }
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var enc = _htmlEscape(encodeURIComponent(q.id));
+  var currency = q.currency || "USD";
+  // Header summary.
+  var summary =
+    "<div class=\"panel\">" +
+      "<p class=\"meta\">Status: <span class=\"status-pill " + _quotePillClass(q.status) + "\">" + _htmlEscape(q.status) + "</span></p>" +
+      "<p class=\"meta\">Customer: <a href=\"/admin/customers/" + _htmlEscape(encodeURIComponent(q.customer_id)) + "\">" + _htmlEscape(q.customer_id) + "</a></p>" +
+      (q.delivery_terms ? "<p class=\"meta\">Delivery terms: " + _htmlEscape(q.delivery_terms) + "</p>" : "") +
+      (q.payment_terms ? "<p class=\"meta\">Payment terms: " + _htmlEscape(q.payment_terms) + "</p>" : "") +
+      (q.message ? "<p class=\"meta\">Customer message: <q>" + _htmlEscape(q.message) + "</q></p>" : "") +
+      (q.valid_until ? "<p class=\"meta\">Valid until: " + _htmlEscape(new Date(Number(q.valid_until)).toISOString()) + "</p>" : "") +
+      (q.total_minor != null ? "<p class=\"meta\">Quoted total: <strong>" + _htmlEscape(pricing.format(q.total_minor, currency)) + "</strong></p>" : "") +
+      (q.converted_order_id ? "<p class=\"meta\">Converted to order: <a href=\"/admin/orders/" + _htmlEscape(encodeURIComponent(q.converted_order_id)) + "\"><code class=\"order-id\">" + _htmlEscape(String(q.converted_order_id).slice(0, 8)) + "</code></a></p>" : "") +
+    "</div>";
+  // Lines table — shows the requested qty + (once responded) the priced
+  // unit + line total.
+  var lineRows = (q.lines || []).map(function (l) {
+    var unit = l.unit_price_minor == null
+      ? "<span class=\"u-mute\">—</span>"
+      : _htmlEscape(pricing.format(l.unit_price_minor, l.currency || currency));
+    var lineTotal = l.unit_price_minor == null
+      ? "<span class=\"u-mute\">—</span>"
+      : _htmlEscape(pricing.format(l.unit_price_minor * l.quantity, l.currency || currency));
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(l.sku) + "</code></td>" +
+      "<td class=\"num\">" + _htmlEscape(String(l.quantity)) + "</td>" +
+      "<td class=\"num\">" + unit + "</td>" +
+      "<td class=\"num\">" + lineTotal + "</td>" +
+      (l.notes ? "<td>" + _htmlEscape(l.notes) + "</td>" : "<td></td>") +
+    "</tr>";
+  }).join("");
+  var linesPanel = "<div class=\"panel\">" +
+    _tableWrap("<table><thead><tr><th scope=\"col\">SKU</th><th scope=\"col\" class=\"num\">Qty</th><th scope=\"col\" class=\"num\">Unit price</th><th scope=\"col\" class=\"num\">Line total</th><th scope=\"col\">Customer note</th></tr></thead><tbody>" + lineRows + "</tbody></table>") +
+  "</div>";
+  // Respond form — only for a still-requested quote. One unit-price field per
+  // line plus shipping / tax / validity. Major-unit dollar inputs (converted
+  // to minor units server-side).
+  var respondForm = "";
+  if (q.status === "requested") {
+    var priceFields = (q.lines || []).map(function (l) {
+      return _setupField(l.sku + " — unit price (" + currency + ")", "price_" + l.sku, "", "text",
+        "Quantity " + l.quantity + ".", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\" required");
+    }).join("");
+    respondForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Respond with a priced quote</h3>" +
+        "<p class=\"meta\">Set a unit price for every line, plus optional shipping + tax and how long the quote stays valid. The customer is notified and can accept or decline.</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/respond\">" +
+          priceFields +
+          _setupField("Shipping (" + currency + ")", "shipping", "", "text", "Optional. Leave blank for free shipping.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Tax (" + currency + ")", "tax", "", "text", "Optional.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Valid for (days)", "valid_days", "14", "number", "How many days the customer has to accept.", " min=\"1\" max=\"365\" required") +
+          _setupField("Currency", "currency", currency, "text", "ISO-4217, e.g. USD.", " maxlength=\"3\" pattern=\"[A-Za-z]{3}\"") +
+          "<label class=\"form-field\"><span>Note to the customer</span><textarea name=\"operator_notes\" maxlength=\"4000\" rows=\"3\"></textarea></label>" +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Send quote</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+  // Withdraw — available while the quote hasn't been accepted (requested or
+  // responded). The FSM refuses it for accepted/terminal quotes; we only
+  // render the button when it would succeed.
+  var withdrawForm = "";
+  if (q.status === "requested" || q.status === "responded") {
+    withdrawForm =
+      "<form method=\"post\" action=\"/admin/quotes/" + enc + "/withdraw\" class=\"form-inline\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">Withdraw quote</button>" +
+      "</form>";
+  }
+  var actions = "<div class=\"actions-row\">" +
+    "<a class=\"btn btn--ghost\" href=\"/admin/quotes\">Back to quotes</a>" +
+    withdrawForm +
+  "</div>";
+  var bodyHtml = "<section><h2>Quote " + _htmlEscape(String(q.id).slice(0, 8)) + "</h2>" +
+    notice + summary + linesPanel + respondForm + actions + "</section>";
+  return _renderAdminShell(opts.shop_name, "Quote " + String(q.id).slice(0, 8), bodyHtml, "quotes", opts.nav_available);
+}
 function renderAdminSurveys(opts) {
   opts = opts || {};
   var rows = opts.surveys || [];