@blamejs/blamejs-shop 0.4.14 → 0.4.16

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.14",
+  "version": "0.4.16",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",

package/lib/catalog.js

@@ -11,7 +11,7 @@
  *   - `variants`   — create, get, listForProduct, update, delete
  *   - `prices`     — set (versioned), current, history
  *   - `inventory`  — create, get, list, hold, decrement, release,
- *                    restock, setThreshold, checkLowStock
+ *                    restock, adjustOnHand, setThreshold, checkLowStock
  *   - `media`      — attach, get, listForProduct, listForVariant, delete,
  *                    reorder, setPrimary
  *
@@ -706,6 +706,56 @@ function _inventoryModule(query, opts) {
       return await this.get(sku);
     },
 
+    // Signed-delta adjustment of the storefront aggregate, fired by the
+    // inventory-ops back-office when a per-location move changes the
+    // total a single-bucket storefront sells against (a receive credits
+    // the aggregate, a write-off / shrinkage debits it). `restock` only
+    // grows on-hand and `decrement` only consumes a matching hold;
+    // neither expresses "the warehouse count just dropped by 5 because a
+    // pallet was damaged." A positive delta is an unconditional credit.
+    // A negative delta is an atomic conditional UPDATE — the
+    // `stock_on_hand - stock_held >= need` guard refuses (zero rows →
+    // `{ adjusted: false }`) when the debit would eat into stock that is
+    // already held for in-flight orders, so a write-off can never
+    // oversell a paid-but-unfulfilled line. Returns `{ adjusted, sku,
+    // delta }`; `null` when the SKU has no inventory row at all
+    // (un-tracked SKUs are unlimited everywhere in the storefront, so an
+    // aggregate adjustment simply doesn't apply). Fires the low-stock
+    // observer on success so a debit that crosses the threshold alerts.
+    adjustOnHand: async function (sku, delta) {
+      _sku(sku);
+      if (!Number.isInteger(delta) || delta === 0) {
+        throw new TypeError("catalog.inventory.adjustOnHand: delta must be a non-zero integer");
+      }
+      var ts = _now();
+      if (delta > 0) {
+        var rUp = await query(
+          "UPDATE inventory SET stock_on_hand = stock_on_hand + ?1, updated_at = ?2 WHERE sku = ?3",
+          [delta, ts, sku],
+        );
+        if (rUp.rowCount === 0) return null;
+        await _afterMutation(sku);
+        return { adjusted: true, sku: sku, delta: delta };
+      }
+      var need = -delta;
+      var rDown = await query(
+        "UPDATE inventory SET stock_on_hand = stock_on_hand - ?1, updated_at = ?2 " +
+        "WHERE sku = ?3 AND (stock_on_hand - stock_held) >= ?1",
+        [need, ts, sku],
+      );
+      if (rDown.rowCount === 1) {
+        await _afterMutation(sku);
+        return { adjusted: true, sku: sku, delta: delta };
+      }
+      // Zero rows: either no inventory row (un-tracked SKU) or the debit
+      // would eat into held stock. Distinguish so the caller can let an
+      // un-tracked SKU through while refusing a tracked-but-insufficient
+      // one.
+      var existing = await this.get(sku);
+      if (!existing) return null;
+      return { adjusted: false, sku: sku, delta: delta };
+    },
+
     release: async function (sku, qty) {
       _sku(sku);
       _positiveInt(qty, "qty");

package/lib/email.js

@@ -143,6 +143,32 @@ var REFUND_TEXT =
   "We've issued a refund of {{amount_formatted}} against order {{order_id}}.\n" +
   "The funds will appear on your statement within 5-10 business days.\n";
 
+// Quote responded — the operator priced a request-for-quote and the
+// customer can now review + accept it. The view link carries the quote's
+// capability token (built by the caller from the plaintext the quotes
+// primitive minted), so the customer opens the quote page without signing
+// in. The total is already formatted by the caller (pricing.format off the
+// quoted total_minor) so the email never re-derives money math.
+var QUOTE_RESPONDED_HTML =
+  "<!DOCTYPE html>\n" +
+  "<html lang=\"en\"><head><meta charset=\"utf-8\"><title>Your quote is ready</title></head>" +
+  "<body style=\"margin:0;background:#ffffff;color:#0d0d0d;font-family:system-ui,sans-serif;\">\n" +
+  "<div style=\"max-width:560px;margin:0 auto;padding:24px;\">\n" +
+  "  <h1 style=\"color:#0d0d0d;margin:0 0 12px;\">Your quote is ready</h1>\n" +
+  "  <p style=\"margin:0 0 16px;\">Hi {{customer_name}}, we've priced your request. Your quoted total is <strong style=\"color:#fa4f09;\">{{total_formatted}}</strong>.</p>\n" +
+  "  <p style=\"margin:0 0 16px;\">This quote is valid until {{valid_until}}. Review the full breakdown and accept or decline on the quote page.</p>\n" +
+  "  <p style=\"margin:24px 0;\"><a href=\"{{quote_url}}\" style=\"background:#fa4f09;color:#ffffff;padding:12px 20px;text-decoration:none;display:inline-block;font-weight:bold;\">Review your quote</a></p>\n" +
+  "  <p style=\"margin:0;color:#0d0d0d;font-size:13px;\">If the button doesn't work, paste this link into your browser: {{quote_url}}</p>\n" +
+  "</div>\n" +
+  "</body></html>\n";
+
+var QUOTE_RESPONDED_TEXT =
+  "Your quote is ready\n\n" +
+  "Hi {{customer_name}}, we've priced your request.\n" +
+  "Quoted total: {{total_formatted}}\n" +
+  "Valid until: {{valid_until}}\n\n" +
+  "Review and accept or decline your quote: {{quote_url}}\n";
+
 // Wishlist discount — a watched product just dropped in price.
 // Brand tokens: #0d0d0d ink, #fa4f09 accent, #ffffff paper.
 
@@ -488,6 +514,31 @@ function create(opts) {
       return await _send(input.customer.email, "Refund issued — " + input.order.id, html, text, input.replyTo);
     },
 
+    // Quote responded — the operator priced an RFQ; tell the customer it's
+    // ready to review. The caller passes the customer's deliverable email,
+    // an already-formatted `total_formatted` (pricing.format off the quoted
+    // total), a human `valid_until` string, and the absolute `quote_url`
+    // (built from the quote's capability token). Every value rides through
+    // the strict {{var}} renderer (HTML-escaped); no raw HTML flows in.
+    quoteResponded: async function (input) {
+      if (!input) throw new TypeError("email.quoteResponded: input object required");
+      if (typeof input.customer_email !== "string" || !input.customer_email) {
+        throw new TypeError("email.quoteResponded: customer_email required");
+      }
+      if (typeof input.quote_url !== "string" || !input.quote_url) {
+        throw new TypeError("email.quoteResponded: quote_url required");
+      }
+      var vars = {
+        customer_name:   input.customer_name || "there",
+        total_formatted: input.total_formatted == null ? "—" : String(input.total_formatted),
+        valid_until:     input.valid_until == null ? "—" : String(input.valid_until),
+        quote_url:       input.quote_url,
+      };
+      var html = _render(QUOTE_RESPONDED_HTML, vars);
+      var text = _render(QUOTE_RESPONDED_TEXT, vars);
+      return await _send(input.customer_email, "Your quote is ready", html, text, input.replyTo);
+    },
+
     // Wishlist discount — a watched product just dropped in price.
     // Operator passes already-formatted `old_price` / `new_price`
     // strings; pricing rules vary (locale, multi-currency, promo

package/lib/inventory-locations.js

@@ -32,12 +32,20 @@
  *                              duplicate code, invalid type, etc).
  *     listLocations / getLocation / updateLocation / deactivateLocation
  *                            — operator CRUD over the location set.
- *     setStock               — absolute set (overwrite).
- *     adjustStock            — relative delta with audit row.
- *     transferStock          — atomic two-row write moving qty
- *                              from one location to another; if
- *                              the source doesn't have enough, the
- *                              whole transfer refuses (no money
+ *     setStock               — absolute set (overwrite) via an
+ *                              atomic upsert.
+ *     adjustStock            — relative delta with audit row. Debits
+ *                              run as a single conditional UPDATE
+ *                              (`quantity >= need`); credits as an
+ *                              upsert. No read-then-write window — a
+ *                              debit that would drive the row below
+ *                              zero matches no rows and refuses.
+ *     transferStock          — moves qty from one location to
+ *                              another; the source debit is the same
+ *                              conditional UPDATE guard, so a transfer
+ *                              racing a checkout debit (or another
+ *                              transfer) for the last unit can't
+ *                              oversell — the loser refuses (no money
  *                              created, no row half-committed).
  *     stockForSku            — `{ total, by_location: [...] }`.
  *     totalForSku            — sum across every location.
@@ -521,20 +529,21 @@ function create(opts) {
         throw new TypeError("inventory-locations.setStock: location_code " +
           JSON.stringify(input.location_code) + " not found");
       }
+      // Absolute set is last-writer-wins by contract — the operator is
+      // declaring the authoritative count, not applying a relative
+      // change. The prior value is read only to record the signed
+      // delta on the audit row; the upsert itself is a single atomic
+      // statement so a first-touch insert and an overwrite never
+      // collide on the composite PK.
       var prev = await _getStockRow(input.sku, input.location_code);
       var prevQty = prev ? prev.quantity : 0;
       var ts = _now();
-      if (prev) {
-        await query(
-          "UPDATE inventory_stock SET quantity = ?1, updated_at = ?2 WHERE sku = ?3 AND location_code = ?4",
-          [input.quantity, ts, input.sku, input.location_code],
-        );
-      } else {
-        await query(
-          "INSERT INTO inventory_stock (sku, location_code, quantity, updated_at) VALUES (?1, ?2, ?3, ?4)",
-          [input.sku, input.location_code, input.quantity, ts],
-        );
-      }
+      await query(
+        "INSERT INTO inventory_stock (sku, location_code, quantity, updated_at) " +
+        "VALUES (?1, ?2, ?3, ?4) " +
+        "ON CONFLICT(sku, location_code) DO UPDATE SET quantity = ?3, updated_at = ?4",
+        [input.sku, input.location_code, input.quantity, ts],
+      );
       var delta = input.quantity - prevQty;
       await _audit(input.sku, input.location_code, delta, _reason(input.reason));
       return { sku: input.sku, location_code: input.location_code, quantity: input.quantity, delta: delta };
@@ -545,6 +554,18 @@ function create(opts) {
     // row below zero refuses the whole operation. Inserts a row
     // at quantity 0 + delta if the (sku, location_code) pair has
     // never been touched before (and delta is positive).
+    //
+    // Concurrency: the negative-delta path is a single atomic
+    // conditional UPDATE — `SET quantity = quantity + delta WHERE
+    // quantity + delta >= 0` — mirroring the catalog hold/decrement
+    // guards. D1 evaluates the predicate and applies the write inside
+    // one statement, so two racing debits against the last unit can't
+    // both succeed: the second racer's predicate sees the first's
+    // decrement and matches zero rows. The positive-delta path is an
+    // upsert (ON CONFLICT DO UPDATE) so a credit and a fresh-row
+    // insert never collide. Both paths re-read the post-write quantity
+    // for the audit row + return value rather than trusting a stale
+    // pre-read.
     adjustStock: async function (input) {
       if (!input || typeof input !== "object") {
         throw new TypeError("inventory-locations.adjustStock: input object required");
@@ -560,28 +581,42 @@ function create(opts) {
         throw new TypeError("inventory-locations.adjustStock: location_code " +
           JSON.stringify(input.location_code) + " not found");
       }
-      var prev = await _getStockRow(input.sku, input.location_code);
-      var prevQty = prev ? prev.quantity : 0;
-      var next = prevQty + input.delta;
-      if (next < 0) {
-        throw new TypeError("inventory-locations.adjustStock: delta " + input.delta +
-          " would drive stock below zero (current=" + prevQty + ", sku=" + input.sku +
-          ", location=" + input.location_code + ")");
-      }
       var ts = _now();
-      if (prev) {
+      if (input.delta > 0) {
+        // Credit: upsert in one atomic statement. A concurrent credit
+        // + first-touch insert serialize on the composite PK.
         await query(
-          "UPDATE inventory_stock SET quantity = ?1, updated_at = ?2 WHERE sku = ?3 AND location_code = ?4",
-          [next, ts, input.sku, input.location_code],
+          "INSERT INTO inventory_stock (sku, location_code, quantity, updated_at) " +
+          "VALUES (?1, ?2, ?3, ?4) " +
+          "ON CONFLICT(sku, location_code) DO UPDATE SET " +
+          "quantity = quantity + ?3, updated_at = ?4",
+          [input.sku, input.location_code, input.delta, ts],
         );
       } else {
-        await query(
-          "INSERT INTO inventory_stock (sku, location_code, quantity, updated_at) VALUES (?1, ?2, ?3, ?4)",
-          [input.sku, input.location_code, next, ts],
+        // Debit: atomic conditional UPDATE. The WHERE predicate is the
+        // serialization point — it refuses the write (zero rows) when
+        // the shelf lacks enough to cover the debit, so the row never
+        // goes negative even under concurrent debits. A SKU with no
+        // row at this location can't be debited (no negative
+        // first-touch); zero rows there is the insufficient case too.
+        var need = -input.delta;
+        var r = await query(
+          "UPDATE inventory_stock SET quantity = quantity + ?1, updated_at = ?2 " +
+          "WHERE sku = ?3 AND location_code = ?4 AND quantity >= ?5",
+          [input.delta, ts, input.sku, input.location_code, need],
         );
+        if (r.rowCount === 0) {
+          var cur = await _getStockRow(input.sku, input.location_code);
+          var have = cur ? cur.quantity : 0;
+          throw new TypeError("inventory-locations.adjustStock: delta " + input.delta +
+            " would drive stock below zero (current=" + have + ", sku=" + input.sku +
+            ", location=" + input.location_code + ")");
+        }
       }
+      var after = await _getStockRow(input.sku, input.location_code);
+      var nextQty = after ? after.quantity : 0;
       await _audit(input.sku, input.location_code, input.delta, _reason(input.reason));
-      return { sku: input.sku, location_code: input.location_code, quantity: next, delta: input.delta };
+      return { sku: input.sku, location_code: input.location_code, quantity: nextQty, delta: input.delta };
     },
 
     // Atomic two-row move. Reads the source quantity; if
@@ -612,44 +647,44 @@ function create(opts) {
           JSON.stringify(input.to_location) + " not found");
       }
 
-      var fromRow = await _getStockRow(input.sku, input.from_location);
-      var fromQty = fromRow ? fromRow.quantity : 0;
-      if (fromQty < input.quantity) {
-        throw new TypeError("inventory-locations.transferStock: insufficient stock at " +
-          input.from_location + " (have " + fromQty + ", need " + input.quantity + ")");
-      }
-      var toRow = await _getStockRow(input.sku, input.to_location);
-      var toQty = toRow ? toRow.quantity : 0;
-
       var ts = _now();
-      // Decrement source first. If the destination upsert below
-      // fails for any reason, the rollback path re-increments the
-      // source so the invariant (total quantity unchanged) holds.
-      await query(
-        "UPDATE inventory_stock SET quantity = ?1, updated_at = ?2 WHERE sku = ?3 AND location_code = ?4",
-        [fromQty - input.quantity, ts, input.sku, input.from_location],
+      // Debit the source with a single atomic conditional UPDATE. The
+      // `quantity >= need` predicate is the serialization point: two
+      // racing transfers (or a transfer racing a checkout debit)
+      // against the last unit can't both succeed — the second sees the
+      // first's decrement and matches zero rows, which we surface as
+      // the insufficient-stock refusal. No read-then-write window.
+      var srcDebit = await query(
+        "UPDATE inventory_stock SET quantity = quantity - ?1, updated_at = ?2 " +
+        "WHERE sku = ?3 AND location_code = ?4 AND quantity >= ?1",
+        [input.quantity, ts, input.sku, input.from_location],
       );
+      if (srcDebit.rowCount === 0) {
+        var fromRow = await _getStockRow(input.sku, input.from_location);
+        var fromHave = fromRow ? fromRow.quantity : 0;
+        throw new TypeError("inventory-locations.transferStock: insufficient stock at " +
+          input.from_location + " (have " + fromHave + ", need " + input.quantity + ")");
+      }
       try {
-        if (toRow) {
-          await query(
-            "UPDATE inventory_stock SET quantity = ?1, updated_at = ?2 WHERE sku = ?3 AND location_code = ?4",
-            [toQty + input.quantity, ts, input.sku, input.to_location],
-          );
-        } else {
-          await query(
-            "INSERT INTO inventory_stock (sku, location_code, quantity, updated_at) VALUES (?1, ?2, ?3, ?4)",
-            [input.sku, input.to_location, input.quantity, ts],
-          );
-        }
+        // Credit the destination via an atomic upsert. A concurrent
+        // credit + first-touch insert serialize on the composite PK.
+        await query(
+          "INSERT INTO inventory_stock (sku, location_code, quantity, updated_at) " +
+          "VALUES (?1, ?2, ?3, ?4) " +
+          "ON CONFLICT(sku, location_code) DO UPDATE SET " +
+          "quantity = quantity + ?3, updated_at = ?4",
+          [input.sku, input.to_location, input.quantity, ts],
+        );
       } catch (e) {
-        // Best-effort compensating restore on the source so the
-        // pair stays balanced. If THIS write also fails the
-        // operator will see two adjacent audit rows with no
-        // counterpart — the caller can replay or reconcile.
+        // Best-effort compensating restore on the source so the pair
+        // stays balanced. The restore is itself an atomic increment
+        // (no read-then-write), so it can't clobber a concurrent
+        // mutation that landed between the debit and this catch.
         try {
           await query(
-            "UPDATE inventory_stock SET quantity = ?1, updated_at = ?2 WHERE sku = ?3 AND location_code = ?4",
-            [fromQty, _now(), input.sku, input.from_location],
+            "UPDATE inventory_stock SET quantity = quantity + ?1, updated_at = ?2 " +
+            "WHERE sku = ?3 AND location_code = ?4",
+            [input.quantity, _now(), input.sku, input.from_location],
           );
         } catch (_e2) { /* drop-silent — the original error is what the caller needs to fix */ }
         throw e;
@@ -659,13 +694,15 @@ function create(opts) {
       await _audit(input.sku, input.from_location, -input.quantity, reason);
       await _audit(input.sku, input.to_location,    input.quantity, reason);
 
+      var fromAfterRow = await _getStockRow(input.sku, input.from_location);
+      var toAfterRow   = await _getStockRow(input.sku, input.to_location);
       return {
         sku:           input.sku,
         from_location: input.from_location,
         to_location:   input.to_location,
         quantity:      input.quantity,
-        from_after:    fromQty - input.quantity,
-        to_after:      toQty + input.quantity,
+        from_after:    fromAfterRow ? fromAfterRow.quantity : 0,
+        to_after:      toAfterRow ? toAfterRow.quantity : 0,
       };
     },