@blamejs/blamejs-shop 0.4.15 → 0.4.17

package/lib/storefront.js

@@ -8164,6 +8164,36 @@ function _cartCouponBlock(opts) {
     "</section>";
 }
 
+// CONTAINER-ONLY "Request a quote" block for the cart page. Rendered only for
+// a signed-in customer when the quotes primitive is wired (the route gates the
+// flag on both). Buying B2B quantities? Ask for a custom price instead of
+// checking out at list — the form snapshots the active cart into a new RFQ.
+// The optional message field rides along. POST /account/quotes/request is NOT
+// an edge-exempt prefix, so _injectCsrfFields tokens the form. A `?quote_*`
+// PRG notice surfaces the empty-cart / error redirect.
+function _cartQuoteBlock(opts) {
+  if (!opts.can_request_quote) return "";
+  var notice = "";
+  if (opts.quote_empty) {
+    notice = "<p class=\"cart-quote__notice cart-quote__notice--err\" role=\"status\">Add an item to your cart before requesting a quote.</p>";
+  } else if (opts.quote_err) {
+    notice = "<p class=\"cart-quote__notice cart-quote__notice--err\" role=\"status\">We couldn't start a quote from this cart. Please try again.</p>";
+  }
+  return "<section class=\"cart-quote\">" +
+    "<details class=\"cart-quote__details\"" + (opts.quote_err || opts.quote_empty ? " open" : "") + ">" +
+      "<summary class=\"cart-quote__summary\">Buying in bulk? Request a quote</summary>" +
+      notice +
+      "<p class=\"cart-quote__lede\">We'll review the items in your cart and reply with custom pricing you can accept online.</p>" +
+      "<form method=\"post\" action=\"/account/quotes/request\" class=\"cart-quote__form\">" +
+        "<label class=\"form-field\"><span>Anything we should know? (optional)</span>" +
+          "<textarea name=\"message\" maxlength=\"4000\" rows=\"3\" placeholder=\"Quantities, timelines, delivery needs…\"></textarea>" +
+        "</label>" +
+        "<button type=\"submit\" class=\"btn-secondary\">Request a quote</button>" +
+      "</form>" +
+    "</details>" +
+    "</section>";
+}
+
 function renderCart(opts) {
   if (!opts) throw new TypeError("storefront.renderCart: opts required");
   var lines  = opts.lines  || [];
@@ -8323,6 +8353,11 @@ function renderCart(opts) {
     // code echo is escaped at the sink; appended, not String.replace'd, so a
     // `$` in a typed code can't trip dollar substitution).
     body = body + _cartCouponBlock(opts);
+    // CONTAINER-ONLY "Request a quote" entry — a signed-in customer can turn
+    // the cart into a B2B RFQ. Same append-not-replace placement + edge
+    // reasoning; the block carries no shopper free text in its markup (the
+    // typed message rides the POST, never the rendered page).
+    body = body + _cartQuoteBlock(opts);
   }
   return _wrap(Object.assign({
     title:      "Cart",
@@ -9625,6 +9660,7 @@ var ACCOUNT_DASH_PAGE =
   "      <a class=\"btn-secondary\" href=\"/account/referrals\">Refer a friend</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/subscriptions\">Subscriptions</a>\n" +
   "      RAW_PREORDER_LINK\n" +
+  "      RAW_QUOTES_LINK\n" +
   // begin: profile + passkey management actions
   "      <a class=\"btn-secondary\" href=\"/account/profile\">Edit profile</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/privacy\">Privacy &amp; data</a>\n" +
@@ -9745,6 +9781,12 @@ function renderAccount(opts) {
       : "")
     .replace("RAW_PAYMENT_METHODS_LINK", opts.payment_methods_enabled
       ? "<a class=\"btn-secondary\" href=\"/account/payment-methods\">Payment methods</a>"
+      : "")
+    // The Quotes link renders only when the quotes primitive is wired (the
+    // /account/quotes route is mounted), so a deploy without it never links
+    // to a 404.
+    .replace("RAW_QUOTES_LINK", opts.quotes_enabled
+      ? "<a class=\"btn-secondary\" href=\"/account/quotes\">Quotes</a>"
       : "");
   return _wrap({
     title:      "Account",
@@ -10241,6 +10283,151 @@ function renderSurveyPage(opts) {
   });
 }
 
+// ---- quote (token-gated / account-gated) -------------------------------
+
+// One quote's status → the customer-facing label + lede shown when the quote
+// is not in the actionable "responded" state. Keeps the page honest about
+// where the negotiation stands without leaking operator-side internals.
+var _QUOTE_STATE_COPY = {
+  requested: ["We're preparing your quote", "Thanks for your request. We're pricing it now and will email you when it's ready to review."],
+  accepted:  ["Quote accepted", "You've accepted this quote. We're turning it into an order — you'll hear from us shortly."],
+  converted: ["Quote accepted", "You've accepted this quote and it's been turned into an order."],
+  rejected:  ["Quote declined", "You declined this quote. If that wasn't intended, get in touch and we'll prepare a fresh one."],
+  expired:   ["This quote has expired", "The acceptance window for this quote has passed. Request a new quote and we'll re-price it."],
+  cancelled: ["This quote was withdrawn", "This quote is no longer available. Request a new one and we'll be happy to help."],
+};
+
+// Render the customer quote page. `opts.state` is "view" (a responded quote
+// the customer can accept/decline), "notice" (any other status — copy from
+// _QUOTE_STATE_COPY), or "notfound". `opts.quote` is the hydrated quote;
+// `opts.token` (when present) drives the accept/decline form actions on the
+// tokened path, otherwise the account path posts to /account/quotes/:id/*.
+function renderQuotePage(opts) {
+  opts = opts || {};
+  var esc = function (s) { return b.template.escapeHtml(String(s == null ? "" : s)); };
+  var state = opts.state || "notfound";
+  var body;
+
+  if (state === "view") {
+    var q = opts.quote || {};
+    var currency = q.currency || "USD";
+    var notice = opts.notice ? "<p class=\"form-notice\">" + esc(opts.notice) + "</p>" : "";
+    var lineRows = (q.lines || []).map(function (l) {
+      var unit  = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor, l.currency || currency);
+      var total = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor * l.quantity, l.currency || currency);
+      return "<tr><td>" + esc(l.sku) + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
+        "<td class=\"num\">" + esc(unit) + "</td><td class=\"num\">" + esc(total) + "</td></tr>";
+    }).join("");
+    var rowsHtml =
+      "<tr><td colspan=\"3\">Subtotal</td><td class=\"num\">" +
+        esc(pricing.format((q.total_minor || 0) - (q.shipping_minor || 0) - (q.tax_minor || 0), currency)) + "</td></tr>" +
+      "<tr><td colspan=\"3\">Shipping</td><td class=\"num\">" + esc(pricing.format(q.shipping_minor || 0, currency)) + "</td></tr>" +
+      "<tr><td colspan=\"3\">Tax</td><td class=\"num\">" + esc(pricing.format(q.tax_minor || 0, currency)) + "</td></tr>" +
+      "<tr><td colspan=\"3\"><strong>Total</strong></td><td class=\"num\"><strong>" + esc(pricing.format(q.total_minor || 0, currency)) + "</strong></td></tr>";
+
+    var validNote = q.valid_until
+      ? "<p class=\"quote-page__valid\">This quote is valid until " + esc(new Date(Number(q.valid_until)).toUTCString()) + ".</p>"
+      : "";
+    var opMsg = q.operator_notes
+      ? "<div class=\"quote-page__message\"><h2>A note from us</h2><p>" + esc(q.operator_notes) + "</p></div>"
+      : "";
+
+    // The accept / decline form actions. Tokened path posts to /quote/:token;
+    // account path posts to /account/quotes/:id. Both POST forms are tokened
+    // for CSRF by _injectCsrfFields (neither prefix is edge-exempt).
+    var actionBase = opts.token
+      ? "/quote/" + esc(opts.token)
+      : "/account/quotes/" + esc(q.id);
+    var actions =
+      "<div class=\"quote-page__actions\">" +
+        "<form method=\"post\" action=\"" + actionBase + "/accept\" class=\"quote-action\">" +
+          "<button class=\"btn-primary\" type=\"submit\">Accept this quote</button>" +
+        "</form>" +
+        "<form method=\"post\" action=\"" + actionBase + "/decline\" class=\"quote-action\">" +
+          "<button class=\"btn-ghost\" type=\"submit\">Decline</button>" +
+        "</form>" +
+      "</div>";
+
+    body =
+      "<section class=\"quote-page\"><div class=\"quote-page__inner\">" +
+        "<p class=\"eyebrow\">Your quote</p>" +
+        "<h1 class=\"quote-page__title\">Quote " + esc(String(q.id).slice(0, 8)) + "</h1>" +
+        notice +
+        opMsg +
+        "<table class=\"quote-table\"><thead><tr><th scope=\"col\">Item</th><th scope=\"col\" class=\"num\">Qty</th><th scope=\"col\" class=\"num\">Unit</th><th scope=\"col\" class=\"num\">Line total</th></tr></thead>" +
+        "<tbody>" + lineRows + "</tbody>" +
+        "<tfoot>" + rowsHtml + "</tfoot></table>" +
+        validNote +
+        actions +
+      "</div></section>";
+  } else {
+    var copy;
+    if (state === "notice" && opts.quote && _QUOTE_STATE_COPY[opts.quote.status]) {
+      copy = _QUOTE_STATE_COPY[opts.quote.status];
+    } else {
+      copy = ["Quote not found", "This quote link isn't valid. Check the link we sent you, or sign in to your account to view your quotes."];
+    }
+    body =
+      "<section class=\"quote-page\"><div class=\"quote-page__inner quote-page__inner--msg\">" +
+        "<h1 class=\"quote-page__title\">" + esc(copy[0]) + "</h1>" +
+        "<p class=\"quote-page__lede\">" + esc(copy[1]) + "</p>" +
+        "<a class=\"btn-ghost\" href=\"/\">Back to the shop</a>" +
+      "</div></section>";
+  }
+
+  return _wrap({
+    title:      opts.title || "Your quote",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// Render the signed-in customer's quote list (/account/quotes). `opts.quotes`
+// is the hydrated quote array (newest activity first). Each row links to the
+// account-gated detail page.
+function renderQuoteList(opts) {
+  opts = opts || {};
+  var esc = function (s) { return b.template.escapeHtml(String(s == null ? "" : s)); };
+  var rows = opts.quotes || [];
+  var body;
+  if (!rows.length) {
+    body =
+      "<section class=\"quote-page\"><div class=\"quote-page__inner quote-page__inner--msg\">" +
+        "<h1 class=\"quote-page__title\">Your quotes</h1>" +
+        "<p class=\"quote-page__lede\">You don't have any quotes yet. Build a cart and choose &ldquo;Request a quote&rdquo; to ask us for B2B pricing.</p>" +
+        "<a class=\"btn-ghost\" href=\"/account\">Back to your account</a>" +
+      "</div></section>";
+  } else {
+    var items = rows.map(function (q) {
+      var currency = q.currency || "USD";
+      var total = q.total_minor == null ? "Awaiting price" : pricing.format(q.total_minor, currency);
+      var statusLabel = q.status === "responded" ? "ready to review" : q.status;
+      return "<li class=\"quote-list__item\">" +
+        "<a href=\"/account/quotes/" + esc(q.id) + "\">" +
+          "<span class=\"quote-list__id\">Quote " + esc(String(q.id).slice(0, 8)) + "</span>" +
+          "<span class=\"quote-list__status\">" + esc(statusLabel) + "</span>" +
+          "<span class=\"quote-list__total\">" + esc(total) + "</span>" +
+        "</a></li>";
+    }).join("");
+    body =
+      "<section class=\"quote-page\"><div class=\"quote-page__inner\">" +
+        "<p class=\"eyebrow\">Account</p>" +
+        "<h1 class=\"quote-page__title\">Your quotes</h1>" +
+        "<ul class=\"quote-list\">" + items + "</ul>" +
+        "<a class=\"btn-ghost\" href=\"/account\">Back to your account</a>" +
+      "</div></section>";
+  }
+  return _wrap({
+    title:      "Your quotes",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
 // ---- business-hours page -----------------------------------------------
 
 var _DOW_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"];
@@ -11332,6 +11519,100 @@ function mount(router, deps) {
     });
   }
 
+  // ---- quote (token-gated customer page) ------------------------------
+  // A request-for-quote a customer can review + accept / decline via a single
+  // capability link (/quote/:token) — no login. The token IS the access (the
+  // signed-in owner reaches the same quote through /account/quotes). The
+  // quotes primitive hashes the presented token and constant-time-compares it,
+  // so a garbage / unknown token resolves to null → the not-found state.
+  // Container-only (never edge-cached). Resilient: any read error renders a
+  // clean state page, never a 500.
+  if (deps.quotes) {
+    var _quoteCtx = function (_req) {
+      return {
+        shop_name:  (deps.config && deps.config.shop_name) || "blamejs.shop",
+        cart_count: 0,
+        theme_css:  (deps.theme && deps.theme.assetUrl) ? deps.theme.assetUrl("css/main.css") : DEFAULT_THEME_CSS_URL,
+      };
+    };
+
+    // Map a hydrated quote to the page state: "view" when the customer can act
+    // on it (responded + not yet expired), otherwise "notice" (status copy).
+    var _quotePageState = function (quote) {
+      if (!quote) return "notfound";
+      if (quote.status === "responded") {
+        if (quote.valid_until != null && Number(quote.valid_until) <= Date.now()) return "notice";
+        return "view";
+      }
+      return "notice";
+    };
+
+    router.get("/quote/:token", async function (req, res) {
+      var token = (req.params && req.params.token) || "";
+      var ctx = _quoteCtx(req);
+      var quote = null;
+      try { quote = await deps.quotes.getByViewToken(token); }
+      catch (_e) { quote = null; }
+      var state = _quotePageState(quote);
+      _send(res, state === "notfound" ? 404 : 200, renderQuotePage({
+        state: state, quote: quote, token: token,
+        shop_name: ctx.shop_name, cart_count: ctx.cart_count, theme_css: ctx.theme_css,
+      }));
+    });
+
+    // Accept / decline a quote via the token. The action segment is the last
+    // path token; both verbs replay the quote FSM (accept refuses on an
+    // expired / non-responded quote with a coded error → mapped to the
+    // matching state notice). On a successful accept, when the order +
+    // conversion machinery is wired (deps.convertQuoteToOrder), the quote is
+    // converted into a pending order here so the holds land at acceptance.
+    var _quoteTokenAction = function (action) {
+      return async function (req, res) {
+        var token = (req.params && req.params.token) || "";
+        var ctx = _quoteCtx(req);
+        var quote = null;
+        try { quote = await deps.quotes.getByViewToken(token); }
+        catch (_e) { quote = null; }
+        if (!quote) {
+          return _send(res, 404, renderQuotePage({ state: "notfound", token: token, shop_name: ctx.shop_name, theme_css: ctx.theme_css }));
+        }
+        try {
+          if (action === "accept") {
+            await deps.quotes.customerAccept({ quote_id: quote.id, accepted_by_customer: "customer" });
+            if (typeof deps.convertQuoteToOrder === "function") {
+              try { await deps.convertQuoteToOrder(quote.id); }
+              catch (_eConv) { /* drop-silent — acceptance stands; the operator converts from the console */ }
+            }
+          } else {
+            await deps.quotes.customerReject({ quote_id: quote.id });
+          }
+        } catch (e) {
+          // FSM refusal (already accepted / expired / withdrawn) → re-render
+          // the current state honestly; a validation TypeError → the same.
+          var fresh = null;
+          try { fresh = await deps.quotes.getByViewToken(token); } catch (_e2) { fresh = quote; }
+          var st = _quotePageState(fresh);
+          if (e instanceof TypeError && st === "view") {
+            return _send(res, 400, renderQuotePage({
+              state: "view", quote: fresh, token: token,
+              notice: "We couldn't process that — please try again.",
+              shop_name: ctx.shop_name, theme_css: ctx.theme_css,
+            }));
+          }
+          return _send(res, 200, renderQuotePage({ state: st, quote: fresh, token: token, shop_name: ctx.shop_name, theme_css: ctx.theme_css }));
+        }
+        var after = null;
+        try { after = await deps.quotes.getByViewToken(token); } catch (_e3) { after = null; }
+        _send(res, 200, renderQuotePage({
+          state: "notice", quote: after, token: token,
+          shop_name: ctx.shop_name, theme_css: ctx.theme_css,
+        }));
+      };
+    };
+    router.post("/quote/:token/accept",  _quoteTokenAction("accept"));
+    router.post("/quote/:token/decline", _quoteTokenAction("decline"));
+  }
+
   // ---- business hours (public /hours page) ----------------------------
   // Lists every active schedule with its weekly grid + a live open/closed
   // status computed at request time in the schedule's timezone. Container-
@@ -13214,6 +13495,12 @@ function mount(router, deps) {
       // the inline PRG banner.
       coupon_enabled:  !!(deps.autoDiscount && typeof deps.cart.listDiscountCodes === "function"),
       applied_codes:   appliedCodes,
+      // "Request a quote" entry — only for a signed-in customer (the request
+      // route pins the quote to their customer_id) when the quotes primitive
+      // is wired. A guest sees no quote CTA (they can't own a quote).
+      // `_currentCustomerEnv` is the mount-scope resolver (`_currentCustomer`
+      // lives inside the customers block, out of reach here).
+      can_request_quote: !!(deps.quotes && _currentCustomerEnv(req)),
       shop_name:       shopName,
       theme:           theme,
     }, ccy, extraOpts)));
@@ -13239,6 +13526,9 @@ function mount(router, deps) {
       code_applied: _cartQp("code_applied"),
       code_removed: _cartQp("code_removed"),
       code_err:     _cartQp("code_err"),
+      // Quote-request PRG outcomes (set by POST /account/quotes/request).
+      quote_empty:  _cartQp("quote_empty"),
+      quote_err:    _cartQp("quote_err"),
     });
   });
 
@@ -14955,6 +15245,7 @@ function mount(router, deps) {
         preorders_enabled:     !!preorder,
         pickups_enabled:       !!deps.clickAndCollect,
         payment_methods_enabled: !!(deps.paymentMethods && deps.payment),
+        quotes_enabled:        !!deps.quotes,
         shop_name:             shopName,
         cart_count:            cartCount,
       }));
@@ -15002,6 +15293,131 @@ function mount(router, deps) {
       });
     }
 
+    // ---- account quotes (signed-in owner view) -----------------------
+    // The signed-in customer's request-for-quote surface: a list of their
+    // quotes, the per-quote detail (with accept / decline for a responded
+    // quote), and a "request a quote" action that snapshots their active cart
+    // into a new RFQ. Access is pinned to the session customer_id — a quote
+    // belonging to another customer 404s (never leaks). Mounts only when the
+    // quotes primitive is wired.
+    if (deps.quotes) {
+      var _quoteThemeCss = function () {
+        return (deps.theme && deps.theme.assetUrl) ? deps.theme.assetUrl("css/main.css") : DEFAULT_THEME_CSS_URL;
+      };
+
+      // Resolve a quote BY ID, but only if it belongs to this customer.
+      // Returns null otherwise (the route maps null to a 404), so a customer
+      // can never read or act on someone else's quote by guessing the id.
+      async function _ownedQuote(customerId, quoteId) {
+        var q = null;
+        try { q = await deps.quotes.getQuote(quoteId); }
+        catch (e) { if (e instanceof TypeError) return null; throw e; }
+        if (!q || q.customer_id !== customerId) return null;
+        return q;
+      }
+
+      router.get("/account/quotes", async function (req, res) {
+        var auth = _accountAuth(req, res);
+        if (!auth) return;
+        var rows = [];
+        try { rows = await deps.quotes.quotesForCustomer(auth.customer_id, { limit: 100 }); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        var count = await _cartCountForReq(req);
+        _send(res, 200, renderQuoteList({
+          quotes: rows, shop_name: shopName, cart_count: count, theme_css: _quoteThemeCss(),
+        }));
+      });
+
+      router.get("/account/quotes/:id", async function (req, res) {
+        var auth = _accountAuth(req, res);
+        if (!auth) return;
+        var q = await _ownedQuote(auth.customer_id, req.params && req.params.id);
+        var count = await _cartCountForReq(req);
+        if (!q) {
+          return _send(res, 404, renderQuotePage({ state: "notfound", shop_name: shopName, cart_count: count, theme_css: _quoteThemeCss() }));
+        }
+        var state = "notice";
+        if (q.status === "responded") {
+          state = (q.valid_until != null && Number(q.valid_until) <= Date.now()) ? "notice" : "view";
+        }
+        _send(res, state === "notfound" ? 404 : 200, renderQuotePage({
+          state: state, quote: q, shop_name: shopName, cart_count: count, theme_css: _quoteThemeCss(),
+        }));
+      });
+
+      // Accept / decline via the account path. Owner-gated; replays the FSM
+      // (a non-responded / expired quote refuses → honest re-render). A
+      // successful accept converts to a pending order when the conversion
+      // machinery is wired, so the holds land at acceptance.
+      var _accountQuoteAction = function (action) {
+        return async function (req, res) {
+          var auth = _accountAuth(req, res);
+          if (!auth) return;
+          var q = await _ownedQuote(auth.customer_id, req.params && req.params.id);
+          var count = await _cartCountForReq(req);
+          if (!q) {
+            return _send(res, 404, renderQuotePage({ state: "notfound", shop_name: shopName, cart_count: count, theme_css: _quoteThemeCss() }));
+          }
+          try {
+            if (action === "accept") {
+              await deps.quotes.customerAccept({ quote_id: q.id, accepted_by_customer: auth.customer_id });
+              if (typeof deps.convertQuoteToOrder === "function") {
+                try { await deps.convertQuoteToOrder(q.id); }
+                catch (_eConv) { /* drop-silent — acceptance stands; operator converts from the console */ }
+              }
+            } else {
+              await deps.quotes.customerReject({ quote_id: q.id });
+            }
+          } catch (e) {
+            if (!(e instanceof TypeError) && !(e && e.code === "QUOTE_TRANSITION_REFUSED") && !(e && e.code === "QUOTE_EXPIRED")) throw e;
+            // refused — fall through to re-render the now-current state.
+          }
+          var after = await _ownedQuote(auth.customer_id, q.id);
+          var st = "notice";
+          if (after && after.status === "responded") {
+            st = (after.valid_until != null && Number(after.valid_until) <= Date.now()) ? "notice" : "view";
+          }
+          _send(res, 200, renderQuotePage({ state: st, quote: after, shop_name: shopName, cart_count: count, theme_css: _quoteThemeCss() }));
+        };
+      };
+      router.post("/account/quotes/:id/accept",  _accountQuoteAction("accept"));
+      router.post("/account/quotes/:id/decline", _accountQuoteAction("decline"));
+
+      // Request a quote from the signed-in customer's active cart. Snapshots
+      // the cart's lines into a new RFQ (the quotes primitive aggregates by
+      // SKU), pins it to the session customer, then redirects to the new
+      // quote's account page. An empty / missing cart re-renders the cart
+      // with a notice. The optional `message` field rides along.
+      router.post("/account/quotes/request", async function (req, res) {
+        var auth = _accountAuth(req, res);
+        if (!auth) return;
+        var sid = _readSidCookie(req);
+        var cart = sid ? await deps.cart.bySession(sid) : null;
+        var lines = cart ? await deps.cart.listLines(cart.id) : [];
+        if (!cart || !lines.length) {
+          res.status(303); res.setHeader && res.setHeader("location", "/cart?quote_empty=1");
+          return res.end ? res.end() : res.send("");
+        }
+        var body = req.body || {};
+        var message = typeof body.message === "string" && body.message.trim().length ? body.message.trim() : null;
+        var created;
+        try {
+          created = await deps.quotes.requestQuote({
+            customer_id: auth.customer_id,
+            cart_id:     cart.id,
+            message:     message,
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && e.code === "QUOTE_CART_NOT_FOUND")) throw e;
+          res.status(303); res.setHeader && res.setHeader("location", "/cart?quote_err=1");
+          return res.end ? res.end() : res.send("");
+        }
+        res.status(303);
+        res.setHeader && res.setHeader("location", "/account/quotes/" + created.id);
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
     router.post("/account/logout", function (req, res) {
       _clearAuthCookie(req, res);
       res.status(303); res.setHeader && res.setHeader("location", "/");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.15",
+  "version": "0.4.17",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {