npm - @blamejs/blamejs-shop - Versions diffs - 0.4.16 → 0.4.17 - Mend

@blamejs/blamejs-shop 0.4.16 → 0.4.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +2 -0
package/README.md +1 -1
package/lib/admin.js +437 -1
package/lib/asset-manifest.json +1 -1
package/lib/email-campaigns.js +799 -9
package/lib/security-middleware.js +1 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.4.x
+- v0.4.17 (2026-06-06) — **Email campaigns: consent-gated broadcasts to the newsletter list, with one-click unsubscribe and a send ledger that never re-mails.** The admin console gains an Email campaigns screen: author a broadcast, target a mailing audience, preview it, test-send to yourself, and send. Consent is the design center — the recipient set resolves at send time from the newsletter list (the only place a deliverable address exists; customer accounts keep only an email hash), every recipient is re-checked against the unsubscribe flag and the marketing suppression list at the moment their message sends, and every message carries one-click unsubscribe headers plus an in-body link. Sending drains in rate-bounded batches on the scheduled tick, one bad address never aborts a campaign, and a per-recipient ledger makes a resumed send never deliver twice. **Added:** *Campaign console: author, preview, test-send, send* — `/admin/campaigns` lists campaigns with status and delivered / failed / skipped counts, and a campaign editor takes a subject and a Markdown-or-plaintext body. The body renders escape-by-default with an https-only link gate — the same rendering discipline as the blog — so markup or script in a body lands as inert text in the inbox and in the console list. Preview and an operator-addressed test send are available before any real send. · *Consent resolved per recipient, at the send moment* — The reachable-recipient count shown before sending is computed live from the newsletter list, excluding anyone unsubscribed or on the marketing suppression list — and the same two checks run again for each recipient at the moment their message sends, so someone who unsubscribes mid-broadcast is skipped. Customer accounts keep only an email hash by design, so the newsletter list is the only deliverable-address source and the console says exactly how many recipients are reachable. · *One-click unsubscribe on every broadcast* — Every campaign message carries the RFC 8058 `List-Unsubscribe` / `List-Unsubscribe-Post` headers (so mail clients show their native unsubscribe control), an RFC 2919 `List-Id`, and an in-body unsubscribe link through the existing newsletter opt-out flow. · *Rate-bounded, resumable sending* — Sends drain in batches on the scheduled tick with a reserved hourly budget, so a large campaign spreads out rather than bursting. Each recipient's outcome lands in a send ledger keyed uniquely per campaign and recipient — a send interrupted by the rate budget or a restart resumes where it left off and never mails anyone twice. A failing address is counted and shown, never fatal to the rest of the campaign.
 - v0.4.16 (2026-06-06) — **Quotes: customers request a quote from the cart, operators respond with custom pricing, and an accepted quote becomes an order.** A full request-for-quote flow for bulk and negotiated purchases. A signed-in customer requests a quote from their cart with an optional message; the operator answers from a new Quotes console screen with per-line pricing and a validity window; the customer reviews the offer from their account or through a single-use link and accepts or declines. Accepting converts the quote into a normal pending order — stock is held the same way a checkout hold works — and an expired offer can no longer be accepted. **Added:** *Request a quote from the cart* — A signed-in customer with items in the cart can request a quote — line quantities plus an optional message — from a new cart panel. The request appears under `/account/quotes` with its status, and the optional message is HTML-escaped wherever it renders. · *Quotes console for responding with custom pricing* — `/admin/quotes` lists open requests newest-first with status filters. Opening a request shows its lines and the customer's message; the operator responds with per-line unit pricing and a validity window — the total is computed in minor units — or withdraws a response. The screen appears in the admin nav when the quotes primitive is wired. · *Review and accept through the account or a single-use link* — A responded quote can be reviewed and accepted or declined from the customer's account, or through a capability link (`/quote/{token}`) suited to sharing by whatever channel the store uses to reach the customer. The token is stored only as a namespaced hash and compared in constant time; an unknown token answers 404. Account access is owner-checked — another customer's quote id answers 404. · *Accepted quotes convert to real orders with stock holds* — Acceptance places inventory holds first and then creates a pending order through the same path checkout uses — if order creation fails the holds are rolled back, and the order annotates its held quantities so fulfillment sees them. A quote whose validity window has elapsed is refused at acceptance, so a stale price is never honored. The whole lifecycle (requested → responded → accepted, declined, expired, withdrawn, converted) is enforced by a state machine — out-of-order transitions are refused.
 - v0.4.15 (2026-06-06) — **Multi-location inventory: stock locations, receiving, transfers, and write-offs in the admin console.** The admin console gains a location-aware inventory back office. Define warehouse, retail, and virtual stock locations and see per-location levels; record reason-coded inbound stock against a location; move stock between locations through a dispatch-and-receive flow; and record reason-coded write-offs with a full audit trail. Single-location stores are untouched — no configuration is needed and existing stock behavior is unchanged. **Added:** *Stock locations with per-location levels* — `/admin/inventory/locations` defines stock locations (warehouse, retail, or virtual, with a priority order) and shows each SKU's quantity at each location. A store that never defines a location keeps working exactly as before — the default location stays implicit and nothing about existing stock semantics changes. · *Receive stock against a location* — `/admin/inventory/receive` records inbound stock — SKU, quantity, location, reason — crediting both the location's level and the sellable aggregate in one step, with a batched receipt history on the same screen. If the receipt record cannot be written the stock credit is reversed, so the ledger and the levels never diverge. · *Location-to-location transfers with a dispatch/receive lifecycle* — `/admin/inventory/transfers` moves stock between locations through a real state machine: a draft transfer dispatches (debiting the source) and is later received (crediting the destination) or cancelled (restoring the source). Stock movements use the same atomic guards as checkout holds — a transfer dispatch racing a checkout for the last unit has exactly one winner, and a level can never go negative. · *Reason-coded write-offs with an audit trail* — `/admin/inventory/writeoffs` records stock losses — damage, shrinkage, expiry — against a location, with every write-off in the tamper-evident audit chain. A write-off that would eat into stock already promised to paid orders is refused with a clear message rather than silently unbalancing the ledgers, and low-stock alerts fire when a write-off takes a SKU under its threshold.

package/README.md CHANGED Viewed

@@ -100,7 +100,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/giftcards.js`** | Prepaid bearer gift cards. `issue({ amount_minor, currency })` generates a 16-char code (32-glyph alphabet, no ambiguous letters) via `b.crypto.generateBytes`, stores only its `namespaceHash` digest + a 4-char hint, and returns the plaintext code once. `balance(code)` / `lookup(code)` resolve a code to its live balance (constant-time hash compare); `redeem({ code, order_id, amount_minor })` decrements the balance with an atomic `balance >= amount` SQL guard so concurrent spends can't overdraw. Redeemed at checkout as a credit against the order grand total: the amount due drops by the applied balance (never below zero), the order still records the full total it owed, and the debit is recorded once per order — a card that fully covers the order is marked paid with no Stripe charge. Customers check a balance at `GET /gift-cards`; the page is not a code-existence oracle (unknown / malformed / expired all return the same generic not-found). |
 | **`lib/gift-card-ledger.js`** | Append-only credit / debit / expire history per gift card, with a denormalized `balance_after_minor` snapshot for O(1) balance reads. `credit` / `debit` / `expire` write one row each; `history(id)` paginates a card's transactions; `transactionsForOrder(id)` lists a card's movements for one order. The audit trail behind the admin gift-card ledger console; overdraft is refused at the primitive layer. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, tracks new SKUs, and opens the low-stock alert history (`/admin/inventory/alerts`) — each alert row is written when a checkout decrement crosses a SKU's threshold, alongside an `inventory.low_stock` webhook to subscribed endpoints; **Stock locations** (`/admin/inventory/locations`) defines warehouse / retail / virtual locations with per-location stock levels (a single-location store needs no configuration — the default location stays implicit), **Receive stock** (`/admin/inventory/receive`) records reason-coded inbound stock against a location with a batched receipt history, **Transfers** (`/admin/inventory/transfers`) moves stock between locations through a dispatch → receive state machine — the source is debited at dispatch, the destination credited on receive, and a dispatch racing a checkout hold for the last unit has exactly one winner — and **Write-offs** (`/admin/inventory/writeoffs`) records reason-coded stock losses with an audit trail, refusing a write-off that would eat into stock already held for paid orders; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer, plus a customer-service notes thread per order (internal or customer-visible, pinnable, resolvable); **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); each customer opens to an aggregated activity timeline (orders, loyalty, wishlist, reviews, support) read from the tables those primitives already populate; customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Quotes** (`/admin/quotes`) is the RFQ response queue — open a request's lines and customer message, respond with per-line pricing and a validity window, or withdraw a responded quote; an accepted quote converts to an order through the storefront's normal checkout path, holds included. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Carts** (`/admin/carts`) lists abandoned carts — active, has items, idle past a tunable window (24h default) — with line counts, value at risk, and guest/signed-in attribution; a per-cart action mints a single-use, code-gated discount the operator shares through their own channel (recovery email is impossible by design: buyer addresses are stored only as hashes, and the screen says so). **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. **Search suggestions** (`/admin/search-suggestions`) curates the storefront autocomplete — pin a featured link to a typed prefix, set its priority / status / active window, edit or remove it inline — and surfaces a read-only popular-searches report (each term's 30-day count, zero-result share, and last-seen) so an unmatched term flags a stock or naming gap. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, Search suggestions, Carts, Errors, Stock locations, Receive stock, Transfers, Write-offs, and Quotes links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, tracks new SKUs, and opens the low-stock alert history (`/admin/inventory/alerts`) — each alert row is written when a checkout decrement crosses a SKU's threshold, alongside an `inventory.low_stock` webhook to subscribed endpoints; **Stock locations** (`/admin/inventory/locations`) defines warehouse / retail / virtual locations with per-location stock levels (a single-location store needs no configuration — the default location stays implicit), **Receive stock** (`/admin/inventory/receive`) records reason-coded inbound stock against a location with a batched receipt history, **Transfers** (`/admin/inventory/transfers`) moves stock between locations through a dispatch → receive state machine — the source is debited at dispatch, the destination credited on receive, and a dispatch racing a checkout hold for the last unit has exactly one winner — and **Write-offs** (`/admin/inventory/writeoffs`) records reason-coded stock losses with an audit trail, refusing a write-off that would eat into stock already held for paid orders; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, with a rate-bounded resend of the order confirmation to an operator-supplied address (the buyer's email is stored only as a hash, so the operator types the recipient), and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer, plus a customer-service notes thread per order (internal or customer-visible, pinnable, resolvable); **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); each customer opens to an aggregated activity timeline (orders, loyalty, wishlist, reviews, support) read from the tables those primitives already populate; customer segments export their members as a streamed CSV — id, display name, join date, order count, deliberately no email column; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Email campaigns** (`/admin/campaigns`) is the consent-gated broadcast console — author a campaign (escape-by-default Markdown body), target a mailing audience, preview, test-send to an operator-supplied address, and send to the recipients who are actually reachable: the recipient set resolves at send time from the newsletter list (the only place a deliverable address exists — customer accounts keep only an email hash), every recipient is re-checked against the unsubscribe flag and the marketing suppression list at the send moment, every message carries RFC 8058 one-click unsubscribe headers plus an in-body link, and a per-recipient send ledger makes a resumed broadcast never re-mail. Sending drains in rate-bounded batches on the scheduled tick; per-campaign delivered / failed / skipped counts show on the detail screen. **Quotes** (`/admin/quotes`) is the RFQ response queue — open a request's lines and customer message, respond with per-line pricing and a validity window, or withdraw a responded quote; an accepted quote converts to an order through the storefront's normal checkout path, holds included. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules — including code-unlocked rules a shopper redeems with a discount code on the cart page — + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. **Carts** (`/admin/carts`) lists abandoned carts — active, has items, idle past a tunable window (24h default) — with line counts, value at risk, and guest/signed-in attribution; a per-cart action mints a single-use, code-gated discount the operator shares through their own channel (recovery email is impossible by design: buyer addresses are stored only as hashes, and the screen says so). **Analytics** (`/admin/analytics`) is the pre-purchase view the sales report can't see — browse-to-buy funnel with conversion rate, top search terms, most-viewed products, units-ranked top SKUs, and a revenue-by-day sparkline — cross-linked with the Reports screen, read-only, every aggregate window- and limit-bounded. **Search suggestions** (`/admin/search-suggestions`) curates the storefront autocomplete — pin a featured link to a typed prefix, set its priority / status / active window, edit or remove it inline — and surfaces a read-only popular-searches report (each term's 30-day count, zero-result share, and last-seen) so an unmatched term flags a stock or naming gap. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, Analytics, Search suggestions, Carts, Errors, Stock locations, Receive stock, Transfers, Write-offs, Quotes, and Email campaigns links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |

package/lib/admin.js CHANGED Viewed

@@ -604,6 +604,8 @@ function mount(router, deps) {
   var stockTransfers     = deps.stockTransfers     || null; // location→location transfer console (dispatch/receive FSM) disabled when absent
   var inventoryWriteoffs = deps.inventoryWriteoffs || null; // reason-coded write-off / shrinkage console disabled when absent
   var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/withdraw/convert) disabled when absent
+  var emailCampaigns     = deps.emailCampaigns     || null; // consent-gated broadcast/campaign console disabled when absent
+  var mailingAudiences   = deps.mailingAudiences   || null; // audience picker for the campaign console (target-an-audience dropdown)
   // Read-only activity log at /admin/audit. Defaults ON — the framework
   // audit chain is always booted by createApp, so the screen always has a
   // data source (unlike the optional primitives above, which default off).
@@ -623,7 +625,7 @@ function mount(router, deps) {
   // `reports` is always present in the nav (read-only sales summary needs no
   // extra dep); its route mounts unconditionally and renders an unconfigured
   // notice when the salesReports primitive isn't wired.
-  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, promoBanners: !!deps.promoBanners, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, searchSuggestions: !!searchSuggestions, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart, inventoryLocations: !!inventoryLocations, inventoryReceive: !!inventoryReceive, stockTransfers: !!stockTransfers, inventoryWriteoffs: !!inventoryWriteoffs, quotes: !!deps.quotes };
+  var navAvailable = { analytics: !!deps.analytics, returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, promoBanners: !!deps.promoBanners, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, searchSuggestions: !!searchSuggestions, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog, carts: !!cart, inventoryLocations: !!inventoryLocations, inventoryReceive: !!inventoryReceive, stockTransfers: !!stockTransfers, inventoryWriteoffs: !!inventoryWriteoffs, quotes: !!deps.quotes, emailCampaigns: !!emailCampaigns };
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
@@ -5703,6 +5705,250 @@ function mount(router, deps) {
     ));
   }
+  // ---- email campaigns (consent-gated broadcast) ----------------------
+  //
+  // The marketing-broadcast console. An operator authors a campaign
+  // (subject + Markdown body), targets an existing mailing audience, sees
+  // the RESOLVED REACHABLE count (who is actually marketing-consented +
+  // deliverable right now — never the raw membership), test-sends to their
+  // own inbox, then sends. Consent is resolved AT SEND TIME, per recipient:
+  // only a marketing-consented (newsletter-subscribed, not suppressed)
+  // recipient with a deliverable plaintext address gets the broadcast, and
+  // someone who unsubscribes after the send starts is honored mid-send.
+  // Every broadcast carries an RFC 8058 one-click List-Unsubscribe header
+  // pair plus an in-body unsubscribe link. The operator-authored body is
+  // treated as hostile: it renders escape-by-default (any `<` lands as
+  // `&lt;`; links pass the https-only safeUrl gate) so a compromised admin
+  // key can't inject script into mail or stored XSS into this console.
+  if (emailCampaigns) {
+    var _campaignAudiences = function () {
+      if (!mailingAudiences) return Promise.resolve([]);
+      return mailingAudiences.listAudiences({ include_archived: false });
+    };
+    // List — every campaign with status + per-campaign delivery counts.
+    // Content-negotiated: bearer → the JSON array; browser → the table.
+    router.get("/admin/campaigns", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var status = url && url.searchParams.get("status");
+        var rows = await emailCampaigns.listCampaigns(status ? { status: status } : {});
+        _json(res, 200, { campaigns: rows, can_broadcast: emailCampaigns.canBroadcast() });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var rows = await emailCampaigns.listCampaigns({});
+        // Roll each campaign's per-recipient send ledger up for the count
+        // column — bounded read per row (the list is operator-scale).
+        var withCounts = [];
+        for (var i = 0; i < rows.length; i += 1) {
+          var counts = null;
+          try { counts = await emailCampaigns.sendCounts(rows[i].slug); }
+          catch (_e) { counts = null; }
+          withCounts.push({ campaign: rows[i], counts: counts });
+        }
+        _sendHtml(res, 200, renderAdminCampaigns({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          rows: withCounts, can_broadcast: emailCampaigns.canBroadcast(),
+          sent:    url && url.searchParams.get("sent"),
+          saved:   url && url.searchParams.get("saved"),
+          tested:  url && url.searchParams.get("tested"),
+          notice:  (url && url.searchParams.get("err")) ? _campaignErrNotice(url.searchParams.get("err")) : null,
+        }));
+      },
+    ));
+    // New-campaign form — its own GET so a bad submit's err redirect
+    // keeps the operator's context.
+    router.get("/admin/campaigns/new", _pageOrApi(true,
+      R(async function (_req, res) {
+        _json(res, 200, { audiences: await _campaignAudiences() });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        _sendHtml(res, 200, renderAdminCampaignNew({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          audiences: await _campaignAudiences(),
+          notice: (url && url.searchParams.get("err")) ? _campaignErrNotice(url.searchParams.get("err")) : null,
+        }));
+      },
+    ));
+    function _campaignInput(body) {
+      return {
+        slug:          body.slug,
+        subject:       body.subject,
+        body_html:     body.body_html,
+        // Markdown source is the single authored body; the text alt is
+        // derived from it at send time, so persist the same source in
+        // both columns (the renderer produces the HTML + text views).
+        body_text:     body.body_text != null && body.body_text !== "" ? body.body_text : body.body_html,
+        audience_slug: body.audience_slug,
+        from_address:  body.from_address,
+        from_name:     body.from_name,
+        reply_to:      body.reply_to != null && body.reply_to !== "" ? body.reply_to : undefined,
+      };
+    }
+    // Create — composes defineCampaign (validates slug / subject / body /
+    // audience / sender identity, throws TypeError → 400 / err redirect).
+    router.post("/admin/campaigns", _pageOrApi(false,
+      W("email_campaign.create", async function (req, res) {
+        var c;
+        try { c = await emailCampaigns.defineCampaign(_campaignInput(req.body || {})); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 201, c);
+        return { id: c.slug };
+      }),
+      async function (req, res) {
+        try { await emailCampaigns.defineCampaign(_campaignInput(req.body || {})); }
+        catch (e) {
+          var n = _safeNotice(e, "email_campaign.create");
+          if (n.status >= 500) throw e;
+          return _redirect(res, "/admin/campaigns/new?err=bad");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.create", outcome: "success" });
+        _redirect(res, "/admin/campaigns?saved=1");
+      },
+    ));
+    // Detail — the campaign + its rendered (escape-by-default) preview, the
+    // resolved reachable count (computed live), the send-ledger counts, and
+    // the test-send + send actions. Content-negotiated.
+    router.get("/admin/campaigns/:slug", _pageOrApi(true,
+      R(async function (req, res) {
+        var c = await emailCampaigns.getCampaign(req.params.slug);
+        if (!c) return _problem(res, 404, "email-campaign-not-found");
+        var reach = null;
+        try { reach = await emailCampaigns.reachability(req.params.slug); }
+        catch (_e) { reach = null; }
+        var counts = await emailCampaigns.sendCounts(req.params.slug);
+        _json(res, 200, Object.assign({}, c, { reachability: reach, send_counts: counts, can_broadcast: emailCampaigns.canBroadcast() }));
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var c = await emailCampaigns.getCampaign(req.params.slug);
+        if (!c) return _sendHtml(res, 404, renderAdminCampaigns({
+          shop_name: deps.shop_name, nav_available: navAvailable, rows: [],
+          can_broadcast: emailCampaigns.canBroadcast(), notice: "Campaign not found.",
+        }));
+        var preview = null;
+        try { preview = await emailCampaigns.previewCampaign(req.params.slug); }
+        catch (_e) { preview = null; }
+        var reach = null;
+        try { reach = await emailCampaigns.reachability(req.params.slug); }
+        catch (_e) { reach = null; }
+        var counts = await emailCampaigns.sendCounts(req.params.slug);
+        _sendHtml(res, 200, renderAdminCampaign({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          campaign: c, preview: preview, reachability: reach, counts: counts,
+          can_broadcast: emailCampaigns.canBroadcast(),
+          sent:   url && url.searchParams.get("sent"),
+          tested: url && url.searchParams.get("tested"),
+          notice: (url && url.searchParams.get("err")) ? _campaignErrNotice(url.searchParams.get("err")) : null,
+        }));
+      },
+    ));
+    // Test-send — render + mail the campaign to ONE operator-supplied
+    // address (bypasses the audience + consent gate; it's the operator's
+    // own inbox). Rate-bound on the shared send window.
+    router.post("/admin/campaigns/:slug/test", _pageOrApi(false,
+      W("email_campaign.test", async function (req, res) {
+        var slug = req.params.slug;
+        var out;
+        try { out = await emailCampaigns.testSend(slug, (req.body || {}).to); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var code = e.code === "EMAIL_CAMPAIGN_RATE_LIMITED" ? 429 : 400;
+            return _problem(res, code, e.code === "EMAIL_CAMPAIGN_RATE_LIMITED" ? "rate-limited" : "bad-request", e.message);
+          }
+          _safeNotice(e, "email_campaign.test");
+          return _problem(res, 502, "send-failed", "The test message could not be sent.");
+        }
+        _json(res, 200, out);
+        return { id: slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        try { await emailCampaigns.testSend(slug, (req.body || {}).to); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var reason = e.code === "EMAIL_CAMPAIGN_RATE_LIMITED" ? "rate" : "test";
+            return _redirect(res, "/admin/campaigns/" + enc + "?err=" + reason);
+          }
+          _safeNotice(e, "email_campaign.test");
+          return _redirect(res, "/admin/campaigns/" + enc + "?err=send");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.test", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/campaigns/" + enc + "?tested=1");
+      },
+    ));
+    // Send — the consent-gated broadcast. Resolves reachability at the
+    // send moment, drains the audience, only marketing-consented +
+    // deliverable recipients receive, every message carries the one-click
+    // unsubscribe pair. One bad address is counted, never fatal.
+    router.post("/admin/campaigns/:slug/send", _pageOrApi(false,
+      W("email_campaign.send", async function (req, res) {
+        var slug = req.params.slug;
+        var c = await emailCampaigns.getCampaign(slug);
+        if (!c) return _problem(res, 404, "email-campaign-not-found");
+        var out;
+        try { out = await emailCampaigns.broadcast(slug); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var code = e.code === "EMAIL_CAMPAIGN_BROADCAST_UNAVAILABLE" ? 409 : 400;
+            return _problem(res, code, e.code === "EMAIL_CAMPAIGN_BROADCAST_UNAVAILABLE" ? "broadcast-unavailable" : "bad-request", e.message);
+          }
+          throw e;
+        }
+        _json(res, 200, out);
+        return { id: slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        var c = await emailCampaigns.getCampaign(slug);
+        if (!c) return _redirect(res, "/admin/campaigns?err=notfound");
+        try { await emailCampaigns.broadcast(slug); }
+        catch (e) {
+          if (e instanceof TypeError) {
+            var reason = e.code === "EMAIL_CAMPAIGN_BROADCAST_UNAVAILABLE" ? "unavailable" : "send";
+            return _redirect(res, "/admin/campaigns/" + enc + "?err=" + reason);
+          }
+          _safeNotice(e, "email_campaign.send");
+          return _redirect(res, "/admin/campaigns/" + enc + "?err=send");
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.send", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/campaigns/" + enc + "?sent=1");
+      },
+    ));
+    // Cancel — terminal off-ramp for a draft / scheduled campaign.
+    router.post("/admin/campaigns/:slug/cancel", _pageOrApi(false,
+      W("email_campaign.cancel", async function (req, res) {
+        var slug = req.params.slug;
+        var reason = (req.body || {}).reason || "Cancelled from the console.";
+        var out;
+        try { out = await emailCampaigns.cancelCampaign(slug, reason); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        _json(res, 200, out);
+        return { id: slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        var reason = (req.body || {}).reason || "Cancelled from the console.";
+        try { await emailCampaigns.cancelCampaign(slug, reason); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; return _redirect(res, "/admin/campaigns/" + enc + "?err=cancel"); }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".email_campaign.cancel", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/campaigns?saved=1");
+      },
+    ));
+  }
   // ---- gift wraps -----------------------------------------------------
   //
   // The operator-defined gift-wrap catalog: define / update / archive a wrap
@@ -12598,6 +12844,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "pick-lists",   href: "/admin/pick-lists",   label: "Pick lists",   requires: "pickLists" },
   { key: "announcements", href: "/admin/announcements", label: "Announcements", requires: "announcementBar" },
   { key: "promo-banners", href: "/admin/promo-banners", label: "Promo banners", requires: "promoBanners" },
+  { key: "campaigns",    href: "/admin/campaigns",    label: "Email campaigns", requires: "emailCampaigns" },
   { key: "blog",         href: "/admin/blog",         label: "Blog",         requires: "blog" },
   { key: "help",         href: "/admin/help",         label: "Help center",  requires: "knowledgeBase" },
   { key: "pages",        href: "/admin/pages",        label: "Pages",        requires: "storefrontPages" },
@@ -15421,6 +15668,195 @@ function renderAdminInvReceive(opts) {
   return _renderAdminShell(opts.shop_name, "Receive stock", body, "inventory-receive", opts.nav_available);
 }
+// ---- email campaign console renders ----------------------------------
+// Map an ?err= code on a campaign console redirect to an operator-facing
+// notice. The codes are emitted by the campaign routes, never operator
+// free text, so no escaping concern here.
+function _campaignErrNotice(code) {
+  if (code === "bad")         return "Check the campaign — slug, subject, body, audience, and a valid sender address are all required.";
+  if (code === "rate")        return "Send rate limit reached. Try again in a moment.";
+  if (code === "test")        return "The test recipient address wasn't valid.";
+  if (code === "send")        return "The send couldn't be completed. Check the error log.";
+  if (code === "unavailable") return "Broadcast isn't available — this deployment has no deliverable-address source (newsletter list) or no configured unsubscribe origin.";
+  if (code === "cancel")      return "That campaign can't be cancelled from its current state.";
+  if (code === "notfound")    return "Campaign not found.";
+  return "That action couldn't be completed.";
+}
+function _campaignStatusPill(status) {
+  var cls = "status-pill";
+  if (status === "sent")      cls = "status-pill status-pill--ok";
+  if (status === "cancelled") cls = "status-pill status-pill--muted";
+  if (status === "sending")   cls = "status-pill status-pill--warn";
+  return "<span class=\"" + cls + "\">" + _htmlEscape(String(status)) + "</span>";
+}
+// Per-recipient delivery counts cell — "12 sent · 3 skipped · 1 failed".
+// All four outcomes roll into a compact summary; a zero-everything
+// campaign shows an em-dash.
+function _campaignCountsSummary(counts) {
+  if (!counts) return "<span class=\"meta\">—</span>";
+  var sent = Number(counts.sent || 0);
+  var skipped = Number(counts.skipped_unsubscribed || 0) + Number(counts.skipped_suppressed || 0);
+  var failed = Number(counts.failed || 0);
+  if (!sent && !skipped && !failed) return "<span class=\"meta\">—</span>";
+  var parts = [];
+  parts.push(_htmlEscape(String(sent)) + " sent");
+  if (skipped) parts.push(_htmlEscape(String(skipped)) + " skipped");
+  if (failed)  parts.push(_htmlEscape(String(failed)) + " failed");
+  return _htmlEscape(parts.join(" · "));
+}
+function renderAdminCampaigns(opts) {
+  opts = opts || {};
+  var rows = opts.rows || [];
+  var saved  = opts.saved  ? "<div class=\"banner banner--ok\">Campaign saved.</div>" : "";
+  var sent   = opts.sent   ? "<div class=\"banner banner--ok\">Campaign sent.</div>" : "";
+  var tested = opts.tested ? "<div class=\"banner banner--ok\">Test message sent.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  // Honesty banner — when the broadcast path isn't wired (no deliverable
+  // address source / no unsubscribe origin), say so plainly. Campaigns
+  // can still be authored + previewed; the Send action will refuse.
+  var reachBanner = opts.can_broadcast
+    ? ""
+    : "<div class=\"banner banner--warn\">Sending is unavailable: this store has no deliverable-address source " +
+      "(a newsletter subscriber list with plaintext addresses) or no configured unsubscribe origin. " +
+      "Customer email is stored hash-only, so only newsletter subscribers are reachable. You can still draft and preview campaigns.</div>";
+  var tableRows = rows.map(function (rc) {
+    var c = rc.campaign;
+    var enc = encodeURIComponent(c.slug);
+    return "<tr>" +
+      "<td><a href=\"/admin/campaigns/" + enc + "\">" + _htmlEscape(c.subject) + "</a><div class=\"meta\"><code>" + _htmlEscape(c.slug) + "</code></div></td>" +
+      "<td>" + _htmlEscape(c.audience_slug) + "</td>" +
+      "<td>" + _campaignStatusPill(c.status) + "</td>" +
+      "<td>" + _campaignCountsSummary(rc.counts) + "</td>" +
+      "</tr>";
+  }).join("");
+  var list = rows.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Subject</th><th scope=\"col\">Audience</th><th scope=\"col\">Status</th><th scope=\"col\">Delivery</th></tr></thead><tbody>" + tableRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No campaigns yet. Create one to broadcast to a mailing audience.</p>";
+  var body =
+    "<section><h2>Email campaigns</h2>" +
+      "<p class=\"meta\">Broadcast a message to a mailing audience. Only marketing-consented, reachable subscribers receive a campaign — consent is checked at send time, and every message carries a one-click unsubscribe.</p>" +
+      saved + sent + tested + notice + reachBanner +
+      "<div class=\"actions-row\"><a class=\"btn\" href=\"/admin/campaigns/new\">New campaign</a></div>" +
+      list +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Email campaigns", body, "campaigns", opts.nav_available);
+}
+function renderAdminCampaignNew(opts) {
+  opts = opts || {};
+  var audiences = opts.audiences || [];
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var audOptions = audiences.map(function (a) {
+    return "<option value=\"" + _htmlEscape(a.slug) + "\">" + _htmlEscape(a.title) + " (" + _htmlEscape(a.slug) + ")</option>";
+  }).join("");
+  var audField = audiences.length
+    ? "<label class=\"form-field\"><span>Audience</span><select name=\"audience_slug\" required>" + audOptions + "</select>" +
+        "<small>The mailing audience to broadcast to. Manage audiences from the mailing-audiences API.</small></label>"
+    : "<label class=\"form-field\"><span>Audience slug</span><input type=\"text\" name=\"audience_slug\" maxlength=\"64\" required>" +
+        "<small>No mailing audiences are defined yet — enter the slug of one you've created via the API.</small></label>";
+  var body =
+    "<section class=\"mw-42\"><h2>New campaign</h2>" + notice +
+      "<form method=\"post\" action=\"/admin/campaigns\">" +
+        _setupField("Campaign slug", "slug", "", "text", "Lowercase id, e.g. spring-sale-2026.", " maxlength=\"64\" required") +
+        _setupField("Subject", "subject", "", "text", "The email subject line.", " maxlength=\"200\" required") +
+        "<label class=\"form-field\"><span>Body (Markdown)</span>" +
+          "<textarea name=\"body_html\" rows=\"10\" maxlength=\"100000\" required></textarea>" +
+          "<small>Markdown — headings, lists, links, bold/italic. Rendered escape-by-default: raw HTML is shown as text, links must be https.</small></label>" +
+        audField +
+        _setupField("From address", "from_address", "", "email", "The sender address (must be a domain you can send from).", " maxlength=\"254\" required") +
+        _setupField("From name", "from_name", "", "text", "The friendly sender name.", " maxlength=\"100\" required") +
+        _setupField("Reply-to", "reply_to", "", "email", "Optional — where replies land.", " maxlength=\"254\"") +
+        "<div class=\"actions-row\"><button type=\"submit\" class=\"btn\">Create campaign</button>" +
+          "<a class=\"btn btn--ghost\" href=\"/admin/campaigns\">Cancel</a></div>" +
+      "</form>" +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "New campaign", body, "campaigns", opts.nav_available);
+}
+function renderAdminCampaign(opts) {
+  opts = opts || {};
+  var c = opts.campaign;
+  var enc = encodeURIComponent(c.slug);
+  var sent   = opts.sent   ? "<div class=\"banner banner--ok\">Campaign sent.</div>" : "";
+  var tested = opts.tested ? "<div class=\"banner banner--ok\">Test message sent.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  // Resolved reachable count — the true send size, computed live. The
+  // operator sees this BEFORE confirming a send.
+  var reach = opts.reachability;
+  var reachPanel = reach
+    ? "<div class=\"panel\"><h3 class=\"subhead\">Reachable recipients</h3>" +
+        "<p class=\"big-stat\">" + _htmlEscape(String(reach.reachable)) + "</p>" +
+        "<p class=\"meta\">Resolved at send time from " + _htmlEscape(String(reach.resolved)) + " audience members: " +
+          _htmlEscape(String(reach.reachable)) + " reachable, " +
+          _htmlEscape(String(reach.suppressed)) + " suppressed, " +
+          _htmlEscape(String(reach.unsubscribed)) + " unsubscribed, " +
+          _htmlEscape(String(reach.no_address)) + " with no deliverable address.</p>" +
+      "</div>"
+    : "<div class=\"panel\"><p class=\"meta\">Reachability can't be resolved — no deliverable-address source is wired.</p></div>";
+  // Per-recipient delivery counts from the send ledger.
+  var counts = opts.counts || {};
+  var countsPanel = "<div class=\"panel\"><h3 class=\"subhead\">Delivery</h3>" +
+    "<ul class=\"kv-list\">" +
+      "<li><span>Sent</span><strong>" + _htmlEscape(String(counts.sent || 0)) + "</strong></li>" +
+      "<li><span>Skipped (unsubscribed)</span><strong>" + _htmlEscape(String(counts.skipped_unsubscribed || 0)) + "</strong></li>" +
+      "<li><span>Skipped (suppressed)</span><strong>" + _htmlEscape(String(counts.skipped_suppressed || 0)) + "</strong></li>" +
+      "<li><span>Failed</span><strong>" + _htmlEscape(String(counts.failed || 0)) + "</strong></li>" +
+    "</ul></div>";
+  // Rendered preview — the renderer already escaped the operator body, so
+  // the preview HTML is splice-safe (no double-escape). Spliced literally
+  // so a `$` in the body can't trip String.replace dollar substitution.
+  var previewBody = opts.preview ? opts.preview.body_html : "<span class=\"meta\">Preview unavailable.</span>";
+  var previewPanel = "<div class=\"panel\"><h3 class=\"subhead\">Preview</h3>" +
+    "<div class=\"mail-preview\">RAW_PREVIEW_BODY</div></div>";
+  // Send / test actions only when the campaign isn't terminal.
+  var isTerminal = c.status === "sent" || c.status === "cancelled";
+  var actions = "";
+  if (!isTerminal) {
+    var sendBtn = opts.can_broadcast
+      ? "<form method=\"post\" action=\"/admin/campaigns/" + enc + "/send\" class=\"form-inline\">" +
+          "<button class=\"btn\" type=\"submit\">Send to " + _htmlEscape(reach ? String(reach.reachable) : "0") + " recipient(s)</button></form>"
+      : "<span class=\"meta\">Sending is unavailable on this deployment.</span>";
+    actions =
+      "<div class=\"panel\"><h3 class=\"subhead\">Send a test</h3>" +
+        "<form method=\"post\" action=\"/admin/campaigns/" + enc + "/test\" class=\"form-inline\">" +
+          "<input type=\"email\" name=\"to\" placeholder=\"you@example.com\" maxlength=\"254\" required>" +
+          "<button class=\"btn btn--ghost\" type=\"submit\">Send test</button></form></div>" +
+      "<div class=\"panel\"><h3 class=\"subhead\">Send campaign</h3>" + sendBtn +
+        "<form method=\"post\" action=\"/admin/campaigns/" + enc + "/cancel\" class=\"form-inline mt\">" +
+          "<button class=\"btn btn--ghost btn--sm\" type=\"submit\">Cancel campaign</button></form></div>";
+  }
+  var meta = "<p class=\"meta\">Audience <code>" + _htmlEscape(c.audience_slug) + "</code> · " +
+    "from " + _htmlEscape(c.from_name) + " &lt;" + _htmlEscape(c.from_address) + "&gt; · " +
+    _campaignStatusPill(c.status) + "</p>";
+  var body =
+    "<section><h2>" + _htmlEscape(c.subject) + "</h2>" + meta +
+      sent + tested + notice +
+      reachPanel + countsPanel + previewPanel + actions +
+      "<div class=\"actions-row mt\"><a class=\"btn btn--ghost\" href=\"/admin/campaigns\">&larr; All campaigns</a></div>" +
+    "</section>";
+  var html = _renderAdminShell(opts.shop_name, c.subject, body, "campaigns", opts.nav_available);
+  // Splice the already-escaped preview body literally (it contains only the
+  // fixed tag set the escape-by-default renderer emits; the operator's
+  // bytes were escaped before this point).
+  return _spliceRaw(html, "RAW_PREVIEW_BODY", previewBody);
+}
 // Location→location transfer console: the open form + the open-transfer
 // queue with the FSM action legal from each row's status. Reasons,
 // carriers, and tracking numbers are operator free text — escaped.

package/lib/asset-manifest.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.16",
+  "version": "0.4.17",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",