npm - @blamejs/blamejs-shop - Versions diffs - 0.4.15 → 0.4.17 - Mend

@blamejs/blamejs-shop 0.4.15 → 0.4.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +4 -0
package/README.md +3 -2
package/lib/admin.js +787 -1
package/lib/asset-manifest.json +1 -1
package/lib/email-campaigns.js +799 -9
package/lib/email.js +51 -0
package/lib/quotes.js +306 -82
package/lib/security-middleware.js +1 -0
package/lib/storefront.js +416 -0
package/package.json +1 -1

package/lib/admin.js CHANGED Viewed

@@ -237,6 +237,30 @@ function _strictMinorInt(value, prefix, label) {
   return n;
 }
+// Convert an operator-entered major-unit amount (e.g. "19.99") into integer
+// minor units via the money primitive — so the cents math is the
+// framework's, not a hand-rolled `* 100` that loses precision under IEEE
+// 754, and the conversion honours the target currency's exponent (JPY=0,
+// KWD=3, USD=2). Refuses a missing / non-decimal-shaped / negative value
+// with a TypeError the browser path surfaces as a 400 notice. `b.money.of`
+// rejects Number inputs at the boundary, so the value is normalized to a
+// trimmed decimal string first; the resulting BigInt minor units is range-
+// checked back to a safe integer (quote money fits comfortably).
+function _dollarsToMinor(value, label, currency) {
+  var cur = typeof currency === "string" && /^[A-Z]{3}$/.test(currency) ? currency : "USD";
+  var s = typeof value === "number" ? String(value) : (typeof value === "string" ? value.trim() : "");
+  if (!/^\d+(?:\.\d+)?$/.test(s)) {
+    throw new TypeError("admin: " + label + " must be a non-negative amount (e.g. 19.99)");
+  }
+  var minor;
+  try { minor = b.money.of(s, cur).toMinorUnits(); }
+  catch (_e) { throw new TypeError("admin: " + label + " has more decimal places than " + cur + " allows"); }
+  if (minor > BigInt(Number.MAX_SAFE_INTEGER)) {
+    throw new TypeError("admin: " + label + " is out of range");
+  }
+  return Number(minor);
+}
 // Strict non-negative integer for a form field (money minor units,
 // dimensions). Refuses "", floats, and parseInt's loose-prefix "12abc"
 // → 12 — the /^\d+$/ test is anchored so the whole string must be
@@ -579,6 +603,9 @@ function mount(router, deps) {
   var inventoryReceive   = deps.inventoryReceive   || null; // inbound-stock receive console disabled when absent
   var stockTransfers     = deps.stockTransfers     || null; // location→location transfer console (dispatch/receive FSM) disabled when absent
   var inventoryWriteoffs = deps.inventoryWriteoffs || null; // reason-coded write-off / shrinkage console disabled when absent
+  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/withdraw/convert) disabled when absent
+  var emailCampaigns     = deps.emailCampaigns     || null; // consent-gated broadcast/campaign console disabled when absent
+  var mailingAudiences   = deps.mailingAudiences   || null; // audience picker for the campaign console (target-an-audience dropdown)
   // Read-only activity log at /admin/audit. Defaults ON — the framework
   // audit chain is always booted by createApp, so the screen always has a
   // data source (unlike the optional primitives above, which default off).
@@ -598,7 +625,7 @@ function mount(router, deps) {
   // `reports` is always present in the nav (read-only sales summary needs no
   // extra dep); its route mounts unconditionally and renders an unconfigured
   // notice when the salesReports primitive isn't wired.
-  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, promoBanners: !!deps.promoBanners, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, searchSuggestions: !!searchSuggestions, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart, inventoryLocations: !!inventoryLocations, inventoryReceive: !!inventoryReceive, stockTransfers: !!stockTransfers, inventoryWriteoffs: !!inventoryWriteoffs };
+  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, promoBanners: !!deps.promoBanners, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, searchSuggestions: !!searchSuggestions, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart, inventoryLocations: !!inventoryLocations, inventoryReceive: !!inventoryReceive, stockTransfers: !!stockTransfers, inventoryWriteoffs: !!inventoryWriteoffs, quotes: !!deps.quotes, emailCampaigns: !!emailCampaigns };
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
@@ -5678,6 +5705,250 @@ function mount(router, deps) {
     ));
   }
+  // ---- email campaigns (consent-gated broadcast) ----------------------
+  //
+  // The marketing-broadcast console. An operator authors a campaign
+  // (subject + Markdown body), targets an existing mailing audience, sees
+  // the RESOLVED REACHABLE count (who is actually marketing-consented +
+  // deliverable right now — never the raw membership), test-sends to their
+  // own inbox, then sends. Consent is resolved AT SEND TIME, per recipient:
+  // only a marketing-consented (newsletter-subscribed, not suppressed)
+  // recipient with a deliverable plaintext address gets the broadcast, and
+  // someone who unsubscribes after the send starts is honored mid-send.
+  // Every broadcast carries an RFC 8058 one-click List-Unsubscribe header
+  // pair plus an in-body unsubscribe link. The operator-authored body is
+  // treated as hostile: it renders escape-by-default (any `<` lands as
+  // `&lt;`; links pass the https-only safeUrl gate) so a compromised admin
+  // key can't inject script into mail or stored XSS into this console.
+  if (emailCampaigns) {
+    var _campaignAudiences = function () {
+      if (!mailingAudiences) return Promise.resolve([]);
+      return mailingAudiences.listAudiences({ include_archived: false });
+    };
+    // List — every campaign with status + per-campaign delivery counts.
+    // Content-negotiated: bearer → the JSON array; browser → the table.
+    router.get("/admin/campaigns", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var status = url && url.searchParams.get("status");
+        var rows = await emailCampaigns.listCampaigns(status ? { status: status } : {});
+        _json(res, 200, { campaigns: rows, can_broadcast: emailCampaigns.canBroadcast() });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var rows = await emailCampaigns.listCampaigns({});
+        // Roll each campaign's per-recipient send ledger up for the count
+        // column — bounded read per row (the list is operator-scale).
+        var withCounts = [];
+        for (var i = 0; i < rows.length; i += 1) {
+          var counts = null;
+          try { counts = await emailCampaigns.sendCounts(rows[i].slug); }
+          catch (_e) { counts = null; }
+          withCounts.push({ campaign: rows[i], counts: counts });
+        }
+        _sendHtml(res, 200, renderAdminCampaigns({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          rows: withCounts, can_broadcast: emailCampaigns.canBroadcast(),
+          sent:    url && url.searchParams.get("sent"),
+          saved:   url && url.searchParams.get("saved"),
+          tested:  url && url.searchParams.get("tested"),
+          notice:  (url && url.searchParams.get("err")) ? _campaignErrNotice(url.searchParams.get("err")) : null,
+        }));
+      },
+    ));
+    // New-campaign form — its own GET so a bad submit's err redirect
+    // keeps the operator's context.
+    router.get("/admin/campaigns/new", _pageOrApi(true,
+      R(async function (_req, res) {
+        _json(res, 200, { audiences: await _campaignAudiences() });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        _sendHtml(res, 200, renderAdminCampaignNew({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          audiences: await _campaignAudiences(),
+          notice: (url && url.searchParams.get("err")) ? _campaignErrNotice(url.searchParams.get("err")) : null,
+        }));
+      },
+    ));
+    function _campaignInput(body) {
+      return {
+        slug:          body.slug,
+        subject:       body.subject,
+        body_html:     body.body_html,
+        // Markdown source is the single authored body; the text alt is
+        // derived from it at send time, so persist the same source in
+        // both columns (the renderer produces the HTML + text views).
+        body_text:     body.body_text != null && body.body_text !== "" ? body.body_text : body.body_html,
+        audience_slug: body.audience_slug,
+        from_address:  body.from_address,
+        from_name:     body.from_name,
+        reply_to:      body.reply_to != null && body.reply_to !== "" ? body.reply_to : undefined,
+      };
+    }
+    // Create — composes defineCampaign (validates slug / subject / body /
+    // audience / sender identity, throws TypeError → 400 / err redirect).
+    router.post("/admin/campaigns", _pageOrApi(false,
+      W("email_campaign.create", async function (req, res) {
+        var c;
+        try { c = await emailCampaigns.defineCampaign(_campaignInput(req.body || {})); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 201, c);
+        return { id: c.slug };
+      }),
+      async function (req, res) {
+        try { await emailCampaigns.defineCampaign(_campaignInput(req.body || {})); }
+        catch (e) {
+          var n = _safeNotice(e, "email_campaign.create");
+          if (n.status >= 500) throw e;
+          return _redirect(res, "/admin/campaigns/new?err=bad");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.create", outcome: "success" });
+        _redirect(res, "/admin/campaigns?saved=1");
+      },
+    ));
+    // Detail — the campaign + its rendered (escape-by-default) preview, the
+    // resolved reachable count (computed live), the send-ledger counts, and
+    // the test-send + send actions. Content-negotiated.
+    router.get("/admin/campaigns/:slug", _pageOrApi(true,
+      R(async function (req, res) {
+        var c = await emailCampaigns.getCampaign(req.params.slug);
+        if (!c) return _problem(res, 404, "email-campaign-not-found");
+        var reach = null;
+        try { reach = await emailCampaigns.reachability(req.params.slug); }
+        catch (_e) { reach = null; }
+        var counts = await emailCampaigns.sendCounts(req.params.slug);
+        _json(res, 200, Object.assign({}, c, { reachability: reach, send_counts: counts, can_broadcast: emailCampaigns.canBroadcast() }));
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var c = await emailCampaigns.getCampaign(req.params.slug);
+        if (!c) return _sendHtml(res, 404, renderAdminCampaigns({
+          shop_name: deps.shop_name, nav_available: navAvailable, rows: [],
+          can_broadcast: emailCampaigns.canBroadcast(), notice: "Campaign not found.",
+        }));
+        var preview = null;
+        try { preview = await emailCampaigns.previewCampaign(req.params.slug); }
+        catch (_e) { preview = null; }
+        var reach = null;
+        try { reach = await emailCampaigns.reachability(req.params.slug); }
+        catch (_e) { reach = null; }
+        var counts = await emailCampaigns.sendCounts(req.params.slug);
+        _sendHtml(res, 200, renderAdminCampaign({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          campaign: c, preview: preview, reachability: reach, counts: counts,
+          can_broadcast: emailCampaigns.canBroadcast(),
+          sent:   url && url.searchParams.get("sent"),
+          tested: url && url.searchParams.get("tested"),
+          notice: (url && url.searchParams.get("err")) ? _campaignErrNotice(url.searchParams.get("err")) : null,
+        }));
+      },
+    ));
+    // Test-send — render + mail the campaign to ONE operator-supplied
+    // address (bypasses the audience + consent gate; it's the operator's
+    // own inbox). Rate-bound on the shared send window.
+    router.post("/admin/campaigns/:slug/test", _pageOrApi(false,
+      W("email_campaign.test", async function (req, res) {
+        var slug = req.params.slug;
+        var out;
+        try { out = await emailCampaigns.testSend(slug, (req.body || {}).to); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var code = e.code === "EMAIL_CAMPAIGN_RATE_LIMITED" ? 429 : 400;
+            return _problem(res, code, e.code === "EMAIL_CAMPAIGN_RATE_LIMITED" ? "rate-limited" : "bad-request", e.message);
+          }
+          _safeNotice(e, "email_campaign.test");
+          return _problem(res, 502, "send-failed", "The test message could not be sent.");
+        }
+        _json(res, 200, out);
+        return { id: slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        try { await emailCampaigns.testSend(slug, (req.body || {}).to); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var reason = e.code === "EMAIL_CAMPAIGN_RATE_LIMITED" ? "rate" : "test";
+            return _redirect(res, "/admin/campaigns/" + enc + "?err=" + reason);
+          }
+          _safeNotice(e, "email_campaign.test");
+          return _redirect(res, "/admin/campaigns/" + enc + "?err=send");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.test", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/campaigns/" + enc + "?tested=1");
+      },
+    ));
+    // Send — the consent-gated broadcast. Resolves reachability at the
+    // send moment, drains the audience, only marketing-consented +
+    // deliverable recipients receive, every message carries the one-click
+    // unsubscribe pair. One bad address is counted, never fatal.
+    router.post("/admin/campaigns/:slug/send", _pageOrApi(false,
+      W("email_campaign.send", async function (req, res) {
+        var slug = req.params.slug;
+        var c = await emailCampaigns.getCampaign(slug);
+        if (!c) return _problem(res, 404, "email-campaign-not-found");
+        var out;
+        try { out = await emailCampaigns.broadcast(slug); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var code = e.code === "EMAIL_CAMPAIGN_BROADCAST_UNAVAILABLE" ? 409 : 400;
+            return _problem(res, code, e.code === "EMAIL_CAMPAIGN_BROADCAST_UNAVAILABLE" ? "broadcast-unavailable" : "bad-request", e.message);
+          }
+          throw e;
+        }
+        _json(res, 200, out);
+        return { id: slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        var c = await emailCampaigns.getCampaign(slug);
+        if (!c) return _redirect(res, "/admin/campaigns?err=notfound");
+        try { await emailCampaigns.broadcast(slug); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var reason = e.code === "EMAIL_CAMPAIGN_BROADCAST_UNAVAILABLE" ? "unavailable" : "send";
+            return _redirect(res, "/admin/campaigns/" + enc + "?err=" + reason);
+          }
+          _safeNotice(e, "email_campaign.send");
+          return _redirect(res, "/admin/campaigns/" + enc + "?err=send");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.send", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/campaigns/" + enc + "?sent=1");
+      },
+    ));
+    // Cancel — terminal off-ramp for a draft / scheduled campaign.
+    router.post("/admin/campaigns/:slug/cancel", _pageOrApi(false,
+      W("email_campaign.cancel", async function (req, res) {
+        var slug = req.params.slug;
+        var reason = (req.body || {}).reason || "Cancelled from the console.";
+        var out;
+        try { out = await emailCampaigns.cancelCampaign(slug, reason); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 200, out);
+        return { id: slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        var reason = (req.body || {}).reason || "Cancelled from the console.";
+        try { await emailCampaigns.cancelCampaign(slug, reason); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; return _redirect(res, "/admin/campaigns/" + enc + "?err=cancel"); }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.cancel", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/campaigns?saved=1");
+      },
+    ));
+  }
   // ---- gift wraps -----------------------------------------------------
   //
   // The operator-defined gift-wrap catalog: define / update / archive a wrap
@@ -6862,6 +7133,187 @@ function mount(router, deps) {
     ));
   }
+  // ---- quotes (B2B request-for-quote negotiation) ---------------------
+  // The operator side of the RFQ lifecycle. The list is the response queue
+  // (oldest-waiting requests first) plus a recent-activity view; the detail
+  // screen shows the requested lines + the customer message, and — for a
+  // still-requested quote — a per-line pricing form that responds with a
+  // priced quote + validity window. Responded/accepted quotes show the
+  // quoted totals; an operator can withdraw a quote that hasn't been
+  // accepted, or convert an accepted one into a pending order. Content-
+  // negotiated like the other consoles (bearer → JSON, browser → HTML).
+  if (quotes) {
+    // Build the respondToQuote line_prices array from the per-line
+    // `price_<sku>` dollar fields the detail form posts, converting each to
+    // minor units. Every quote line must be priced; a missing / non-numeric
+    // field throws a TypeError the route maps to a 400 re-render. The dollar
+    // string is parsed to integer cents WITHOUT floating-point (split on the
+    // decimal point) so 19.99 never lands as 1998 via float drift.
+    function _quoteLinePricesFromForm(body, lines, currency) {
+      var out = [];
+      for (var i = 0; i < lines.length; i += 1) {
+        var sku = lines[i].sku;
+        var raw = body["price_" + sku];
+        if (raw == null || (typeof raw === "string" && !raw.trim().length)) {
+          throw new TypeError("quotes: a unit price is required for every line (missing " + sku + ")");
+        }
+        out.push({ sku: sku, unit_price_minor: _dollarsToMinor(raw, "unit price for " + sku, currency) });
+      }
+      return out;
+    }
+    router.get("/admin/quotes", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var cid = url && url.searchParams.get("customer_id");
+        var rows = cid
+          ? await quotes.quotesForCustomer(cid, { limit: 200 })
+          : await quotes.pendingResponse({ limit: 200 });
+        _json(res, 200, { rows: rows });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var cid = url && url.searchParams.get("customer_id");
+        var rows = [];
+        try {
+          rows = cid
+            ? await quotes.quotesForCustomer(cid, { limit: 200 })
+            : await quotes.pendingResponse({ limit: 200 });
+        } catch (e) { if (!(e instanceof TypeError)) throw e; }
+        _sendHtml(res, 200, renderAdminQuotes({
+          shop_name: deps.shop_name, nav_available: navAvailable, quotes: rows,
+          customer_filter: cid,
+          responded: url && url.searchParams.get("responded"),
+          withdrawn: url && url.searchParams.get("withdrawn"),
+          converted: url && url.searchParams.get("converted"),
+          notice: (url && url.searchParams.get("err"))
+            ? "That action couldn't be completed for the quote." : null,
+        }));
+      },
+    ));
+    // Detail: the quote + its lines, plus the per-line respond form (when
+    // still requested) and the withdraw / convert actions.
+    router.get("/admin/quotes/:id", _pageOrApi(true,
+      R(async function (req, res) {
+        var row = null;
+        try { row = await quotes.getQuote(req.params.id); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 404, "quote-not-found"); throw e; }
+        if (!row) return _problem(res, 404, "quote-not-found");
+        _json(res, 200, row);
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var row = null;
+        try { row = await quotes.getQuote(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _sendHtml(res, 404, renderAdminQuoteDetail({
+          shop_name: deps.shop_name, nav_available: navAvailable, quote: null,
+        }));
+        _sendHtml(res, 200, renderAdminQuoteDetail({
+          shop_name: deps.shop_name, nav_available: navAvailable, quote: row,
+          notice: (url && url.searchParams.get("err"))
+            ? "That action couldn't be completed for the quote." : null,
+        }));
+      },
+    ));
+    // Respond: price every line + set shipping / tax / validity. The browser
+    // form posts dollar amounts (converted to minor units here) + a
+    // validity-in-days; the bearer JSON contract takes the primitive's native
+    // shape (minor units + an absolute valid_until). A bad shape is a clean
+    // 400 (bearer) / err re-render (browser), never a 500.
+    router.post("/admin/quotes/:id/respond", _pageOrApi(false,
+      W("quote.respond", async function (req, res) {
+        var row;
+        try { row = await quotes.respondToQuote(Object.assign({}, req.body || {}, { quote_id: req.params.id })); }
+        catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        var enc = encodeURIComponent(id);
+        var body = req.body || {};
+        var current = null;
+        try { current = await quotes.getQuote(id); } catch (_e) { current = null; }
+        if (!current) return _redirect(res, "/admin/quotes?err=1");
+        try {
+          var validDays = _strictNonNegIntField(body.valid_days, "valid_days");
+          if (validDays <= 0) throw new TypeError("admin: valid_days must be at least 1");
+          var quoteCurrency = typeof body.currency === "string" && body.currency
+            ? body.currency.toUpperCase() : (current.currency || "USD");
+          await quotes.respondToQuote({
+            quote_id:       id,
+            line_prices:    _quoteLinePricesFromForm(body, current.lines, quoteCurrency),
+            shipping_minor: body.shipping == null || body.shipping === "" ? 0 : _dollarsToMinor(body.shipping, "shipping", quoteCurrency),
+            tax_minor:      body.tax == null || body.tax === "" ? 0 : _dollarsToMinor(body.tax, "tax", quoteCurrency),
+            valid_until:    Date.now() + b.constants.TIME.days(validDays),
+            currency:       quoteCurrency,
+            operator_notes: body.operator_notes || null,
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          var msg = _safeNotice(e, "quote.respond");
+          var fresh = await quotes.getQuote(id);
+          return _sendHtml(res, msg.status, renderAdminQuoteDetail({
+            shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+            notice: msg.message.replace(/^(quotes|admin)[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.respond", outcome: "success", metadata: { quote_id: id } });
+        // Fire the quote-responded email (drop-silent, fire-and-forget) when a
+        // notifier is wired — the customer learns their quote is priced.
+        if (typeof deps.notifyQuoteResponded === "function") {
+          try { await deps.notifyQuoteResponded(id); }
+          catch (_e) { /* drop-silent — the response already persisted */ }
+        }
+        _redirect(res, "/admin/quotes/" + enc + "?responded=1");
+      },
+    ));
+    // Withdraw: cancel a quote that hasn't been accepted yet (requested or
+    // responded). Accepted / terminal quotes refuse — the FSM gate is the
+    // single source of truth, surfaced as a 409.
+    router.post("/admin/quotes/:id/withdraw", _pageOrApi(false,
+      W("quote.withdraw", async function (req, res) {
+        var row;
+        try {
+          row = await quotes.cancelQuote({
+            quote_id:      req.params.id,
+            cancel_reason: (req.body && req.body.cancel_reason) || "Withdrawn by operator",
+          });
+        } catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        try {
+          await quotes.cancelQuote({
+            quote_id:      id,
+            cancel_reason: (req.body && req.body.cancel_reason) || "Withdrawn by operator",
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          return _redirect(res, "/admin/quotes/" + encodeURIComponent(id) + "?err=1");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.withdraw", outcome: "success", metadata: { quote_id: id } });
+        _redirect(res, "/admin/quotes?withdrawn=1");
+      },
+    ));
+  }
   // ---- search ranking -------------------------------------------------
   // Operator-tunable storefront search ranking: named weight sets (one
   // active at a time), per-query manual pins, and a per-set metrics rollup.
@@ -12356,6 +12808,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "inventory-transfers", href: "/admin/inventory/transfers", label: "Transfers",       requires: "stockTransfers" },
   { key: "inventory-writeoffs", href: "/admin/inventory/writeoffs", label: "Write-offs",      requires: "inventoryWriteoffs" },
   { key: "orders",       href: "/admin/orders",       label: "Orders" },
+  { key: "quotes",       href: "/admin/quotes",       label: "Quotes",       requires: "quotes" },
   { key: "carts",        href: "/admin/carts",        label: "Abandoned carts", requires: "carts" },
   { key: "reports",      href: "/admin/reports",      label: "Reports" },
   { key: "analytics",    href: "/admin/analytics",    label: "Analytics",    requires: "analytics" },
@@ -12391,6 +12844,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "pick-lists",   href: "/admin/pick-lists",   label: "Pick lists",   requires: "pickLists" },
   { key: "announcements", href: "/admin/announcements", label: "Announcements", requires: "announcementBar" },
   { key: "promo-banners", href: "/admin/promo-banners", label: "Promo banners", requires: "promoBanners" },
+  { key: "campaigns",    href: "/admin/campaigns",    label: "Email campaigns", requires: "emailCampaigns" },
   { key: "blog",         href: "/admin/blog",         label: "Blog",         requires: "blog" },
   { key: "help",         href: "/admin/help",         label: "Help center",  requires: "knowledgeBase" },
   { key: "pages",        href: "/admin/pages",        label: "Pages",        requires: "storefrontPages" },
@@ -15214,6 +15668,195 @@ function renderAdminInvReceive(opts) {
   return _renderAdminShell(opts.shop_name, "Receive stock", body, "inventory-receive", opts.nav_available);
 }
+// ---- email campaign console renders ----------------------------------
+// Map an ?err= code on a campaign console redirect to an operator-facing
+// notice. The codes are emitted by the campaign routes, never operator
+// free text, so no escaping concern here.
+function _campaignErrNotice(code) {
+  if (code === "bad")         return "Check the campaign — slug, subject, body, audience, and a valid sender address are all required.";
+  if (code === "rate")        return "Send rate limit reached. Try again in a moment.";
+  if (code === "test")        return "The test recipient address wasn't valid.";
+  if (code === "send")        return "The send couldn't be completed. Check the error log.";
+  if (code === "unavailable") return "Broadcast isn't available — this deployment has no deliverable-address source (newsletter list) or no configured unsubscribe origin.";
+  if (code === "cancel")      return "That campaign can't be cancelled from its current state.";
+  if (code === "notfound")    return "Campaign not found.";
+  return "That action couldn't be completed.";
+}
+function _campaignStatusPill(status) {
+  var cls = "status-pill";
+  if (status === "sent")      cls = "status-pill status-pill--ok";
+  if (status === "cancelled") cls = "status-pill status-pill--muted";
+  if (status === "sending")   cls = "status-pill status-pill--warn";
+  return "<span class=\"" + cls + "\">" + _htmlEscape(String(status)) + "</span>";
+}
+// Per-recipient delivery counts cell — "12 sent · 3 skipped · 1 failed".
+// All four outcomes roll into a compact summary; a zero-everything
+// campaign shows an em-dash.
+function _campaignCountsSummary(counts) {
+  if (!counts) return "<span class=\"meta\">—</span>";
+  var sent = Number(counts.sent || 0);
+  var skipped = Number(counts.skipped_unsubscribed || 0) + Number(counts.skipped_suppressed || 0);
+  var failed = Number(counts.failed || 0);
+  if (!sent && !skipped && !failed) return "<span class=\"meta\">—</span>";
+  var parts = [];
+  parts.push(_htmlEscape(String(sent)) + " sent");
+  if (skipped) parts.push(_htmlEscape(String(skipped)) + " skipped");
+  if (failed)  parts.push(_htmlEscape(String(failed)) + " failed");
+  return _htmlEscape(parts.join(" · "));
+}
+function renderAdminCampaigns(opts) {
+  opts = opts || {};
+  var rows = opts.rows || [];
+  var saved  = opts.saved  ? "<div class=\"banner banner--ok\">Campaign saved.</div>" : "";
+  var sent   = opts.sent   ? "<div class=\"banner banner--ok\">Campaign sent.</div>" : "";
+  var tested = opts.tested ? "<div class=\"banner banner--ok\">Test message sent.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  // Honesty banner — when the broadcast path isn't wired (no deliverable
+  // address source / no unsubscribe origin), say so plainly. Campaigns
+  // can still be authored + previewed; the Send action will refuse.
+  var reachBanner = opts.can_broadcast
+    ? ""
+    : "<div class=\"banner banner--warn\">Sending is unavailable: this store has no deliverable-address source " +
+      "(a newsletter subscriber list with plaintext addresses) or no configured unsubscribe origin. " +
+      "Customer email is stored hash-only, so only newsletter subscribers are reachable. You can still draft and preview campaigns.</div>";
+  var tableRows = rows.map(function (rc) {
+    var c = rc.campaign;
+    var enc = encodeURIComponent(c.slug);
+    return "<tr>" +
+      "<td><a href=\"/admin/campaigns/" + enc + "\">" + _htmlEscape(c.subject) + "</a><div class=\"meta\"><code>" + _htmlEscape(c.slug) + "</code></div></td>" +
+      "<td>" + _htmlEscape(c.audience_slug) + "</td>" +
+      "<td>" + _campaignStatusPill(c.status) + "</td>" +
+      "<td>" + _campaignCountsSummary(rc.counts) + "</td>" +
+      "</tr>";
+  }).join("");
+  var list = rows.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Subject</th><th scope=\"col\">Audience</th><th scope=\"col\">Status</th><th scope=\"col\">Delivery</th></tr></thead><tbody>" + tableRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No campaigns yet. Create one to broadcast to a mailing audience.</p>";
+  var body =
+    "<section><h2>Email campaigns</h2>" +
+      "<p class=\"meta\">Broadcast a message to a mailing audience. Only marketing-consented, reachable subscribers receive a campaign — consent is checked at send time, and every message carries a one-click unsubscribe.</p>" +
+      saved + sent + tested + notice + reachBanner +
+      "<div class=\"actions-row\"><a class=\"btn\" href=\"/admin/campaigns/new\">New campaign</a></div>" +
+      list +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Email campaigns", body, "campaigns", opts.nav_available);
+}
+function renderAdminCampaignNew(opts) {
+  opts = opts || {};
+  var audiences = opts.audiences || [];
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var audOptions = audiences.map(function (a) {
+    return "<option value=\"" + _htmlEscape(a.slug) + "\">" + _htmlEscape(a.title) + " (" + _htmlEscape(a.slug) + ")</option>";
+  }).join("");
+  var audField = audiences.length
+    ? "<label class=\"form-field\"><span>Audience</span><select name=\"audience_slug\" required>" + audOptions + "</select>" +
+        "<small>The mailing audience to broadcast to. Manage audiences from the mailing-audiences API.</small></label>"
+    : "<label class=\"form-field\"><span>Audience slug</span><input type=\"text\" name=\"audience_slug\" maxlength=\"64\" required>" +
+        "<small>No mailing audiences are defined yet — enter the slug of one you've created via the API.</small></label>";
+  var body =
+    "<section class=\"mw-42\"><h2>New campaign</h2>" + notice +
+      "<form method=\"post\" action=\"/admin/campaigns\">" +
+        _setupField("Campaign slug", "slug", "", "text", "Lowercase id, e.g. spring-sale-2026.", " maxlength=\"64\" required") +
+        _setupField("Subject", "subject", "", "text", "The email subject line.", " maxlength=\"200\" required") +
+        "<label class=\"form-field\"><span>Body (Markdown)</span>" +
+          "<textarea name=\"body_html\" rows=\"10\" maxlength=\"100000\" required></textarea>" +
+          "<small>Markdown — headings, lists, links, bold/italic. Rendered escape-by-default: raw HTML is shown as text, links must be https.</small></label>" +
+        audField +
+        _setupField("From address", "from_address", "", "email", "The sender address (must be a domain you can send from).", " maxlength=\"254\" required") +
+        _setupField("From name", "from_name", "", "text", "The friendly sender name.", " maxlength=\"100\" required") +
+        _setupField("Reply-to", "reply_to", "", "email", "Optional — where replies land.", " maxlength=\"254\"") +
+        "<div class=\"actions-row\"><button type=\"submit\" class=\"btn\">Create campaign</button>" +
+          "<a class=\"btn btn--ghost\" href=\"/admin/campaigns\">Cancel</a></div>" +
+      "</form>" +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "New campaign", body, "campaigns", opts.nav_available);
+}
+function renderAdminCampaign(opts) {
+  opts = opts || {};
+  var c = opts.campaign;
+  var enc = encodeURIComponent(c.slug);
+  var sent   = opts.sent   ? "<div class=\"banner banner--ok\">Campaign sent.</div>" : "";
+  var tested = opts.tested ? "<div class=\"banner banner--ok\">Test message sent.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  // Resolved reachable count — the true send size, computed live. The
+  // operator sees this BEFORE confirming a send.
+  var reach = opts.reachability;
+  var reachPanel = reach
+    ? "<div class=\"panel\"><h3 class=\"subhead\">Reachable recipients</h3>" +
+        "<p class=\"big-stat\">" + _htmlEscape(String(reach.reachable)) + "</p>" +
+        "<p class=\"meta\">Resolved at send time from " + _htmlEscape(String(reach.resolved)) + " audience members: " +
+          _htmlEscape(String(reach.reachable)) + " reachable, " +
+          _htmlEscape(String(reach.suppressed)) + " suppressed, " +
+          _htmlEscape(String(reach.unsubscribed)) + " unsubscribed, " +
+          _htmlEscape(String(reach.no_address)) + " with no deliverable address.</p>" +
+      "</div>"
+    : "<div class=\"panel\"><p class=\"meta\">Reachability can't be resolved — no deliverable-address source is wired.</p></div>";
+  // Per-recipient delivery counts from the send ledger.
+  var counts = opts.counts || {};
+  var countsPanel = "<div class=\"panel\"><h3 class=\"subhead\">Delivery</h3>" +
+    "<ul class=\"kv-list\">" +
+      "<li><span>Sent</span><strong>" + _htmlEscape(String(counts.sent || 0)) + "</strong></li>" +
+      "<li><span>Skipped (unsubscribed)</span><strong>" + _htmlEscape(String(counts.skipped_unsubscribed || 0)) + "</strong></li>" +
+      "<li><span>Skipped (suppressed)</span><strong>" + _htmlEscape(String(counts.skipped_suppressed || 0)) + "</strong></li>" +
+      "<li><span>Failed</span><strong>" + _htmlEscape(String(counts.failed || 0)) + "</strong></li>" +
+    "</ul></div>";
+  // Rendered preview — the renderer already escaped the operator body, so
+  // the preview HTML is splice-safe (no double-escape). Spliced literally
+  // so a `$` in the body can't trip String.replace dollar substitution.
+  var previewBody = opts.preview ? opts.preview.body_html : "<span class=\"meta\">Preview unavailable.</span>";
+  var previewPanel = "<div class=\"panel\"><h3 class=\"subhead\">Preview</h3>" +
+    "<div class=\"mail-preview\">RAW_PREVIEW_BODY</div></div>";
+  // Send / test actions only when the campaign isn't terminal.
+  var isTerminal = c.status === "sent" || c.status === "cancelled";
+  var actions = "";
+  if (!isTerminal) {
+    var sendBtn = opts.can_broadcast
+      ? "<form method=\"post\" action=\"/admin/campaigns/" + enc + "/send\" class=\"form-inline\">" +
+          "<button class=\"btn\" type=\"submit\">Send to " + _htmlEscape(reach ? String(reach.reachable) : "0") + " recipient(s)</button></form>"
+      : "<span class=\"meta\">Sending is unavailable on this deployment.</span>";
+    actions =
+      "<div class=\"panel\"><h3 class=\"subhead\">Send a test</h3>" +
+        "<form method=\"post\" action=\"/admin/campaigns/" + enc + "/test\" class=\"form-inline\">" +
+          "<input type=\"email\" name=\"to\" placeholder=\"you@example.com\" maxlength=\"254\" required>" +
+          "<button class=\"btn btn--ghost\" type=\"submit\">Send test</button></form></div>" +
+      "<div class=\"panel\"><h3 class=\"subhead\">Send campaign</h3>" + sendBtn +
+        "<form method=\"post\" action=\"/admin/campaigns/" + enc + "/cancel\" class=\"form-inline mt\">" +
+          "<button class=\"btn btn--ghost btn--sm\" type=\"submit\">Cancel campaign</button></form></div>";
+  }
+  var meta = "<p class=\"meta\">Audience <code>" + _htmlEscape(c.audience_slug) + "</code> · " +
+    "from " + _htmlEscape(c.from_name) + " &lt;" + _htmlEscape(c.from_address) + "&gt; · " +
+    _campaignStatusPill(c.status) + "</p>";
+  var body =
+    "<section><h2>" + _htmlEscape(c.subject) + "</h2>" + meta +
+      sent + tested + notice +
+      reachPanel + countsPanel + previewPanel + actions +
+      "<div class=\"actions-row mt\"><a class=\"btn btn--ghost\" href=\"/admin/campaigns\">&larr; All campaigns</a></div>" +
+    "</section>";
+  var html = _renderAdminShell(opts.shop_name, c.subject, body, "campaigns", opts.nav_available);
+  // Splice the already-escaped preview body literally (it contains only the
+  // fixed tag set the escape-by-default renderer emits; the operator's
+  // bytes were escaped before this point).
+  return _spliceRaw(html, "RAW_PREVIEW_BODY", previewBody);
+}
 // Location→location transfer console: the open form + the open-transfer
 // queue with the FSM action legal from each row's status. Reasons,
 // carriers, and tracking numbers are operator free text — escaped.
@@ -18963,6 +19606,149 @@ function _standardSurveyQuestions(kind) {
   ];
 }
+// Map a quote status to a status-pill modifier class (reusing the order
+// pills: paid=green for the live/positive states, cancelled=grey for the
+// terminal-without-sale ones). Purely cosmetic.
+function _quotePillClass(status) {
+  if (status === "responded") return "paid";
+  if (status === "accepted" || status === "converted") return "paid";
+  if (status === "requested") return "pending";
+  return "cancelled"; // rejected / expired / cancelled
+}
+function renderAdminQuotes(opts) {
+  opts = opts || {};
+  var rows = opts.quotes || [];
+  var responded = opts.responded ? "<div class=\"banner banner--ok\">Quote sent to the customer.</div>" : "";
+  var withdrawn = opts.withdrawn ? "<div class=\"banner banner--ok\">Quote withdrawn.</div>" : "";
+  var converted = opts.converted ? "<div class=\"banner banner--ok\">Quote converted to an order.</div>" : "";
+  var notice    = opts.notice    ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var cf = opts.customer_filter;
+  var heading = cf ? "Quotes for this customer" : "Quotes awaiting a response";
+  var chips = "<div class=\"order-filters\">" +
+    "<a class=\"chip" + (cf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    (cf ? "<a class=\"chip chip--on\" href=\"/admin/quotes?customer_id=" + _htmlEscape(encodeURIComponent(cf)) + "\">This customer</a>" : "") +
+    "</div>";
+  var bodyRows = rows.map(function (q) {
+    var enc = _htmlEscape(encodeURIComponent(q.id));
+    var total = q.total_minor == null
+      ? "<span class=\"u-mute\">—</span>"
+      : _htmlEscape(pricing.format(q.total_minor, q.currency || "USD"));
+    var lineCount = (q.lines || []).length;
+    return "<tr>" +
+      "<td><a href=\"/admin/quotes/" + enc + "\"><code class=\"order-id\">" + _htmlEscape(String(q.id).slice(0, 8)) + "</code></a></td>" +
+      "<td><a href=\"/admin/customers/" + _htmlEscape(encodeURIComponent(q.customer_id)) + "\">" + _htmlEscape(String(q.customer_id).slice(0, 8)) + "</a></td>" +
+      "<td><span class=\"status-pill " + _quotePillClass(q.status) + "\">" + _htmlEscape(q.status) + "</span></td>" +
+      "<td class=\"num\">" + lineCount + "</td>" +
+      "<td class=\"num\">" + total + "</td>" +
+      "<td><a class=\"btn btn--ghost\" href=\"/admin/quotes/" + enc + "\">Open</a></td>" +
+    "</tr>";
+  }).join("");
+  var table = rows.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Quote</th><th scope=\"col\">Customer</th><th scope=\"col\">Status</th><th scope=\"col\" class=\"num\">Lines</th><th scope=\"col\" class=\"num\">Total</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">" + (cf ? "No quotes for this customer." : "No quotes are waiting for a response.") + "</p>";
+  var bodyHtml = "<section><h2>Quotes</h2>" + responded + withdrawn + converted + notice +
+    "<p class=\"meta\">Request-for-quote negotiations. The response queue lists the requests waiting on you, oldest first — open one to price its lines and send the customer a quote.</p>" +
+    chips + "<h3 class=\"subhead\">" + _htmlEscape(heading) + "</h3>" + table + "</section>";
+  return _renderAdminShell(opts.shop_name, "Quotes", bodyHtml, "quotes", opts.nav_available);
+}
+function renderAdminQuoteDetail(opts) {
+  opts = opts || {};
+  var q = opts.quote;
+  if (!q) {
+    var nf = "<section><h2>Quote</h2><p class=\"empty\">Quote not found.</p>" +
+      "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin/quotes\">Back to quotes</a></div></section>";
+    return _renderAdminShell(opts.shop_name, "Quote", nf, "quotes", opts.nav_available);
+  }
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var enc = _htmlEscape(encodeURIComponent(q.id));
+  var currency = q.currency || "USD";
+  // Header summary.
+  var summary =
+    "<div class=\"panel\">" +
+      "<p class=\"meta\">Status: <span class=\"status-pill " + _quotePillClass(q.status) + "\">" + _htmlEscape(q.status) + "</span></p>" +
+      "<p class=\"meta\">Customer: <a href=\"/admin/customers/" + _htmlEscape(encodeURIComponent(q.customer_id)) + "\">" + _htmlEscape(q.customer_id) + "</a></p>" +
+      (q.delivery_terms ? "<p class=\"meta\">Delivery terms: " + _htmlEscape(q.delivery_terms) + "</p>" : "") +
+      (q.payment_terms ? "<p class=\"meta\">Payment terms: " + _htmlEscape(q.payment_terms) + "</p>" : "") +
+      (q.message ? "<p class=\"meta\">Customer message: <q>" + _htmlEscape(q.message) + "</q></p>" : "") +
+      (q.valid_until ? "<p class=\"meta\">Valid until: " + _htmlEscape(new Date(Number(q.valid_until)).toISOString()) + "</p>" : "") +
+      (q.total_minor != null ? "<p class=\"meta\">Quoted total: <strong>" + _htmlEscape(pricing.format(q.total_minor, currency)) + "</strong></p>" : "") +
+      (q.converted_order_id ? "<p class=\"meta\">Converted to order: <a href=\"/admin/orders/" + _htmlEscape(encodeURIComponent(q.converted_order_id)) + "\"><code class=\"order-id\">" + _htmlEscape(String(q.converted_order_id).slice(0, 8)) + "</code></a></p>" : "") +
+    "</div>";
+  // Lines table — shows the requested qty + (once responded) the priced
+  // unit + line total.
+  var lineRows = (q.lines || []).map(function (l) {
+    var unit = l.unit_price_minor == null
+      ? "<span class=\"u-mute\">—</span>"
+      : _htmlEscape(pricing.format(l.unit_price_minor, l.currency || currency));
+    var lineTotal = l.unit_price_minor == null
+      ? "<span class=\"u-mute\">—</span>"
+      : _htmlEscape(pricing.format(l.unit_price_minor * l.quantity, l.currency || currency));
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(l.sku) + "</code></td>" +
+      "<td class=\"num\">" + _htmlEscape(String(l.quantity)) + "</td>" +
+      "<td class=\"num\">" + unit + "</td>" +
+      "<td class=\"num\">" + lineTotal + "</td>" +
+      (l.notes ? "<td>" + _htmlEscape(l.notes) + "</td>" : "<td></td>") +
+    "</tr>";
+  }).join("");
+  var linesPanel = "<div class=\"panel\">" +
+    _tableWrap("<table><thead><tr><th scope=\"col\">SKU</th><th scope=\"col\" class=\"num\">Qty</th><th scope=\"col\" class=\"num\">Unit price</th><th scope=\"col\" class=\"num\">Line total</th><th scope=\"col\">Customer note</th></tr></thead><tbody>" + lineRows + "</tbody></table>") +
+  "</div>";
+  // Respond form — only for a still-requested quote. One unit-price field per
+  // line plus shipping / tax / validity. Major-unit dollar inputs (converted
+  // to minor units server-side).
+  var respondForm = "";
+  if (q.status === "requested") {
+    var priceFields = (q.lines || []).map(function (l) {
+      return _setupField(l.sku + " — unit price (" + currency + ")", "price_" + l.sku, "", "text",
+        "Quantity " + l.quantity + ".", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\" required");
+    }).join("");
+    respondForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Respond with a priced quote</h3>" +
+        "<p class=\"meta\">Set a unit price for every line, plus optional shipping + tax and how long the quote stays valid. The customer is notified and can accept or decline.</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/respond\">" +
+          priceFields +
+          _setupField("Shipping (" + currency + ")", "shipping", "", "text", "Optional. Leave blank for free shipping.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Tax (" + currency + ")", "tax", "", "text", "Optional.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Valid for (days)", "valid_days", "14", "number", "How many days the customer has to accept.", " min=\"1\" max=\"365\" required") +
+          _setupField("Currency", "currency", currency, "text", "ISO-4217, e.g. USD.", " maxlength=\"3\" pattern=\"[A-Za-z]{3}\"") +
+          "<label class=\"form-field\"><span>Note to the customer</span><textarea name=\"operator_notes\" maxlength=\"4000\" rows=\"3\"></textarea></label>" +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Send quote</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+  // Withdraw — available while the quote hasn't been accepted (requested or
+  // responded). The FSM refuses it for accepted/terminal quotes; we only
+  // render the button when it would succeed.
+  var withdrawForm = "";
+  if (q.status === "requested" || q.status === "responded") {
+    withdrawForm =
+      "<form method=\"post\" action=\"/admin/quotes/" + enc + "/withdraw\" class=\"form-inline\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">Withdraw quote</button>" +
+      "</form>";
+  }
+  var actions = "<div class=\"actions-row\">" +
+    "<a class=\"btn btn--ghost\" href=\"/admin/quotes\">Back to quotes</a>" +
+    withdrawForm +
+  "</div>";
+  var bodyHtml = "<section><h2>Quote " + _htmlEscape(String(q.id).slice(0, 8)) + "</h2>" +
+    notice + summary + linesPanel + respondForm + actions + "</section>";
+  return _renderAdminShell(opts.shop_name, "Quote " + String(q.id).slice(0, 8), bodyHtml, "quotes", opts.nav_available);
+}
 function renderAdminSurveys(opts) {
   opts = opts || {};
   var rows = opts.surveys || [];