@blamejs/blamejs-shop 0.4.20 → 0.4.22

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.22 (2026-06-06) — **Privacy export covers every table, erasure revokes the login, one-click unsubscribe actually works, and bounces feed the suppression list.** A privacy and email-integrity release. The data-subject export now includes reviews, consent history, wishlist, surveys, and recently-viewed data — with a manifest that makes any absent section visible. Erasing a customer also deletes their passkeys and social-login links and revokes live sessions, so a deleted account can no longer sign in. The one-click unsubscribe that mail clients invoke from their native button now works (it pointed at a route that didn't exist), a new intake endpoint feeds provider bounce and complaint webhooks into the marketing suppression list, support-ticket edge cases are fixed, and the CSV exports share one complete injection-neutralizer. **Added:** *Bounce and complaint webhook intake* — A new `POST /api/webhooks/mail-bounce` endpoint accepts bounce and complaint webhooks from Postmark, SES, or Resend (selectable per request). Spam complaints and permanently-dead addresses land on the marketing suppression list — transactional mail still flows — and campaign metrics gain the bounce events they were built to read. The endpoint is armed only when `MAIL_BOUNCE_SECRET` is set and the provider presents it in the `x-mail-bounce-secret` header; unconfigured, it answers 503 and accepts nothing. **Fixed:** *The data-subject export includes every table that holds the customer* — The export bundle silently omitted reviews, consent history, wishlist items, survey responses, and recently-viewed data. All five are now included, and the bundle carries a completeness manifest listing every section as exported, empty, or absent — an omission is visible rather than silent. · *Erasure revokes the customer's ability to sign in* — Deleting a customer scrubbed their profile but left passkeys, Google/Apple login links, and live sessions intact — the "deleted" account could sign right back in. Erasure now deletes the passkeys and social-login links, revokes live portal sessions, and tombstones the email lookup hash irreversibly, while the anonymized record survives for order-history integrity. · *One-click unsubscribe works from the mail client's native button* — The unsubscribe headers stamped on every campaign pointed at a route that didn't exist, and the unsubscribe endpoint read its token from the form body — which a mail client's native one-click POST never carries. The header now points at the real endpoint and the token rides the URL, so the RFC 8058 one-click flow a mail client fires actually unsubscribes. The browser confirmation page is unchanged. · *Support tickets: reopen on customer reply, atomic tags, honest first-response time* — A customer reply to a resolved ticket silently disappeared from every operator queue — it now reopens the ticket with a fresh activity timestamp. Concurrent tag edits no longer overwrite each other (tag changes are single-statement updates). And an internal-only operator note no longer counts as the first response — only a reply the customer can actually see stamps the first-response time. · *CSV exports share one complete injection neutralizer* — The order-export and segment-members CSV exports each carried their own formula-injection defense, and both missed the tab, carriage-return, newline, and pipe vectors. Both now compose the framework's CSV cell guard, which covers the full vector set — including signed numerics, which the previous neutralizers deliberately exempted.
+
+- v0.4.21 (2026-06-06) — **Subscription changes reach the payment processor, smart collections match real products, refunds claw back earned points, and the remaining balance races are closed.** A correctness release across the commerce surfaces. Changing a subscription's quantity now updates the processor before the local record — what the customer sees is what they're billed — and a cadence change on a processor-backed plan is honestly refused rather than silently ignored. Smart collections, which matched zero products in production because their rules read fields the catalog rows never carried, now evaluate against the real product data. Loyalty points earned on a purchase are reversed when the order is refunded or cancelled. And the loyalty, store-credit, gift-registry, and gift-card-ledger write paths that could lose updates or oversell under concurrency now use atomic guards. **Fixed:** *Subscription quantity changes reach the payment processor* — Changing a subscription's quantity updated the local record and showed a success message while the processor kept billing the original amount. The change is now pushed to the processor first — a processor failure leaves the local record untouched and surfaces the error, so the customer-visible state and the billed state can no longer diverge. Changing delivery frequency on a processor-backed subscription is refused with honest guidance (the billing cadence is bound to the plan's price and cannot be re-cadenced in place); self-managed local subscriptions keep their frequency controls. Self-manage controls also now respect the processor's status — a subscription the processor reports as cancelled or expired shows its state instead of live controls. · *Smart collections match real catalog products* — Smart-collection rules read fields like tags, price, and stock from each product row — fields the real catalog listing never carried, so every smart collection matched zero products in production even though admin previews built on richer mock rows looked right. Rule evaluation now joins the real tag, category, vendor, price, and inventory data onto each product page, and the admin preview routes through the same path the storefront uses. Smart-collection pages also stop re-walking the entire catalog on every paginated request — the matched set is briefly cached and a rule edit invalidates it. · *Refunds and cancellations reverse the loyalty points the order earned* — Points awarded when an order was paid survived a refund or cancellation — buying, earning, and refunding farmed points indefinitely. The earn record is now claimed atomically on the order's refund or cancel transition and the awarded points are clawed back from the balance, floored at zero when some were already spent. The reversal is idempotent (a re-delivered payment webhook reverses exactly once) and lifetime points — which drive tier — are deliberately untouched. · *Balance and inventory-adjacent races closed across loyalty, store credit, gift registry, and gift-card ledger* — Loyalty earn and adjust used read-then-write absolute updates that could lose concurrent updates; the gift-registry purchase check could oversell a registry item under two simultaneous purchases; and the gift-card ledger's overdraft check could let two concurrent debits both pass. All of these now use single-statement conditional writes that refuse cleanly when the guard fails. Store-credit expiry sweeps also stop under-expiring when operator-initiated deductions exist — the sweep now keys on its own prior output rather than netting all expiry rows together. · *Search-ranking click-through metrics are bounded and attributed* — The ranking metrics screen could show click-through rates above 100%, and clicks were attributed from the query string alone — trivially spoofable. A click now only counts when the same session recorded a real impression for that query, and displayed rates are bounded at 100%.
+
 - v0.4.20 (2026-06-06) — **Payment integrity: refunds, gift-card balances, and checkout submission are race-proof, and abandoned checkouts return gift-card funds.** A money-path hardening release. Concurrent refund clicks on the same return can no longer reach the payment provider twice. A gift card that part-paid a checkout gets its balance back when the order is cancelled, fails payment, or is reaped as stale. Double-submitting checkout can no longer create two charges and two orders. Return requests are refused server-side on orders that aren't in a returnable state, the refund confirmation screen shows the currency the provider will actually refund, and a buy-online-pickup-in-store order now reaches its delivered state when picked up. **Fixed:** *A return can only be refunded once, even under concurrent requests* — Two simultaneous refund requests for the same approved return could both pass the status check and both reach the payment provider, each with a fresh idempotency key — a double refund. The refund now claims the return atomically before the provider is called (the second request answers 409), the provider call uses a key derived from the return itself so even a retry collapses into the same refund, and a provider failure releases the claim so the refund can be retried. · *Gift-card funds come back when a part-paid checkout dies* — When a gift card partially covered a checkout and the order was then cancelled, failed payment, or sat abandoned until reaped, the card's debit was never returned — the balance was permanently gone. Redemptions are now reversed on those order transitions: the card balance is restored (a fully drained card is reactivated), the reversal is idempotent, and it rides the same order lifecycle that releases inventory holds. · *Double-submitting checkout creates one charge and one order* — Two concurrent checkout submissions could both pass the cart-status read and each create a payment intent and an order. The cart is now claimed atomically as the single gate — the second submission is redirected back to the cart — and the payment-provider idempotency key is derived from the cart, so even a duplicate that slipped through would collapse into one charge on the provider's side. A failure before the order exists releases the claim so the customer can retry. · *Return requests are validated server-side* — The return-request form and its submission are now refused on orders that are not in a returnable state — a refunded, cancelled, or unpaid order answers with a clear message instead of opening a return that could feed a second refund downstream. Previously only the button's visibility enforced this. · *A failed gift-card settlement no longer strands a completed payment* — If recording a gift card's redemption failed after the payment had already succeeded and the order existed, the checkout aborted mid-way — leaving a paid order with a cart that never converted. The settlement step now completes the order regardless and surfaces the failure for follow-up instead of stranding the purchase. · *The refund confirmation shows the currency the provider refunds* — The confirmation screen displayed the return's approved currency, but the provider refunds in the original charge's currency. The screen now reads the same source the refund uses. · *Pickup orders reach their delivered state* — Marking a pickup order as picked up drove an order transition that was only legal for shipped orders, and the failure was silently swallowed — the pickup schedule said picked up while the order stayed in its paid state. The order lifecycle now has a pickup-completion transition, so a picked-up order genuinely lands in delivered and downstream reporting sees it.
 
 - v0.4.19 (2026-06-06) — **Wishlist alerts fire once per event instead of repeating daily, stale digests catch up with a single email, and webhook delivery stops throttling itself.** A set of notification and delivery fixes. Back-in-stock and price-drop wishlist alerts now fire only when something actually changes — a steadily in-stock item no longer re-alerts every day. A wishlist digest whose schedule fell behind sends one catch-up email instead of one per minute until current. Outbound webhook delivery no longer counts its own rate-limit refusals against the limit (which kept the throttle tripped once hit), retrying an exhausted delivery no longer duplicates its dead-letter record, and the blog RSS feed renders correctly when a post title or body contains dollar-sign sequences. **Fixed:** *Back-in-stock and price-drop alerts fire on the change, not the state* — The wishlist alert sweep evaluated the current state of each item, so anything in stock re-alerted every wishlister on every sweep — the daily dedupe window just made the flood daily. Alerts now track the last-observed state per customer and item: back-in-stock fires only on an out-of-stock-to-in-stock transition, price-drop only when the price falls below the level already alerted, and a recovered price re-arms the alert. A steadily in-stock item never re-fires. The weekly cap and dedupe are also enforced atomically, so two overlapping sweeps can't double-send past the cap. · *A stale digest enrollment catches up with one email* — A wishlist digest whose next-send time had fallen far behind advanced one period per scheduler tick and sent an email each time — a subscriber could receive dozens of digests in an hour while the schedule caught up. Catching up now snaps the schedule to the present and sends at most one digest. · *Webhook delivery rate limiting no longer feeds on its own refusals* — The outbound webhook rate-limit gate counted its own refusal records toward the limit, so once an endpoint tripped the throttle it could stay tripped indefinitely, and every suppressed attempt persisted another row. Refusals are no longer counted by the gate and collapse to a single record per endpoint per window. · *Retrying an exhausted webhook delivery is idempotent* — Manually retrying a delivery that had already exhausted its attempts inserted a fresh dead-letter record on every click. Retry of an exhausted or already-delivered delivery now answers as a clean no-op, and the dead-letter table enforces one record per delivery. · *The RSS feed renders posts containing dollar-sign sequences* — The feed assembled items with a plain string replacement, which gives `$` sequences special meaning — a post title or body containing a dollar sign followed by a backtick or ampersand could corrupt the entire feed XML. The feed now uses the same literal splice the page renderers use. The feed's author field also no longer exposes an internal identifier; it carries the shop name, matching the blog pages.

package/README.md

@@ -204,6 +204,7 @@ variables. A signed-in operator can see the live on/off status of each at
 | **PayPal checkout** | A native PayPal button on `/checkout` (PayPal Orders v2 — create / approve / capture), distinct from PayPal-through-Stripe. | `PAYPAL_CLIENT_ID`, `PAYPAL_SECRET` (a PayPal REST app), `PAYPAL_WEBHOOK_ID`, `PAYPAL_ENV` (`sandbox`\|`live`); Stripe checkout must also be live | The shop exchanges the OAuth2 token and creates / captures orders server-side; the button drives `/checkout/paypal/create` + `/checkout/paypal/capture`. Point a PayPal webhook at `/api/webhooks/paypal` (verified through PayPal's API). Allow `www.paypal.com` in your CSP `script-src` / `frame-src` (as you would `js.stripe.com`). |
 | **Transactional email (SMTP)** | Order/ship/refund mail, abandoned-cart recovery, back-in-stock alerts, **wishlist sale + restock alerts and the periodic wishlist digest** (opt-in per customer on `/account/wishlist`), and **email magic-link sign-in** (a *Email me a sign-in link* option on `/account/login` for shoppers without a passkey or social login). | `SMTP_HOST`, `MAIL_FROM` (plus optional `SMTP_PORT` / `SMTP_USER` / `SMTP_PASS`) | Without a mailer these surfaces stay inert — the wishlist crons scan nothing, the magic-link page reports email sign-in unavailable, and passkey / social login are unchanged. **Wishlist alerts + digests are additionally gated on an email-address resolver:** the customer store keeps only a salted email *hash* (never the plaintext), so out of the box there is no deliverable address and the crons send nothing even with SMTP set. They begin sending once you supply a resolver that maps a customer id to a deliverable address from your own plaintext-address store — the same hook abandoned-cart recovery uses. |
 
+| **Email bounce / complaint intake** | Hard bounces and spam complaints from your email provider land on the marketing suppression list automatically (and backfill campaign metrics), so broadcasts stop mailing dead or complaining addresses. | `MAIL_BOUNCE_SECRET` (the value your provider sends in an `x-mail-bounce-secret` header), optional `MAIL_BOUNCE_VENDOR` (`postmark`\|`ses`\|`resend`, default `postmark`); point the provider's bounce/complaint webhook at `POST /api/webhooks/mail-bounce` (a `?vendor=` query overrides per request) | Without the secret the endpoint answers 503 — it never accepts an unauthenticated bounce. Complaints and hard bounces suppress at marketing scope (transactional mail still flows); soft bounces only backfill metrics. |
 **Planned / not available:**
 
 - **Shop Pay / "Sign in with Shop"** — **not available** to a self-hosted,

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.20",
+  "version": "0.4.22",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",

package/lib/collections.js

@@ -248,21 +248,45 @@ function _now() { return Date.now(); }
 // in isolation against a synthetic product.
 function _matchRule(rule, product) {
   var fieldVal = product == null ? undefined : product[rule.field];
+  // A catalog field can be MULTI-VALUED — a product carries an array
+  // of `tags` and an array of `category` memberships. For the scalar
+  // ops (`eq` / `neq` / `in` / `not_in`) an array field matches with
+  // membership semantics ("any of the product's categories equals X").
+  // A scalar field value keeps strict-equality semantics, so the
+  // existing single-valued fields (`vendor`, numeric fields) are
+  // unaffected. This is what lets a smart rule like
+  // `{ field: "category", op: "eq", value: "apparel" }` match a
+  // product that lives in apparel + clearance + outdoor.
+  var isArrayVal = Array.isArray(fieldVal);
   switch (rule.op) {
-    case "eq":  return fieldVal === rule.value;
-    case "neq": return fieldVal !== rule.value;
+    case "eq":  return isArrayVal ? fieldVal.indexOf(rule.value) >= 0 : fieldVal === rule.value;
+    case "neq": return isArrayVal ? fieldVal.indexOf(rule.value) < 0  : fieldVal !== rule.value;
     case "contains": {
       // Validator guaranteed an array field; if the catalog row
       // hasn't populated it, treat as empty (not a match).
-      if (!Array.isArray(fieldVal)) return false;
+      if (!isArrayVal) return false;
       return fieldVal.indexOf(rule.value) >= 0;
     }
     case "gt":  return typeof fieldVal === "number" && fieldVal >  rule.value;
     case "gte": return typeof fieldVal === "number" && fieldVal >= rule.value;
     case "lt":  return typeof fieldVal === "number" && fieldVal <  rule.value;
     case "lte": return typeof fieldVal === "number" && fieldVal <= rule.value;
-    case "in":  return rule.value.indexOf(fieldVal) >= 0;
-    case "not_in": return rule.value.indexOf(fieldVal) < 0;
+    case "in":
+      if (isArrayVal) {
+        for (var ai = 0; ai < fieldVal.length; ai += 1) {
+          if (rule.value.indexOf(fieldVal[ai]) >= 0) return true;
+        }
+        return false;
+      }
+      return rule.value.indexOf(fieldVal) >= 0;
+    case "not_in":
+      if (isArrayVal) {
+        for (var ni = 0; ni < fieldVal.length; ni += 1) {
+          if (rule.value.indexOf(fieldVal[ni]) >= 0) return false;
+        }
+        return true;
+      }
+      return rule.value.indexOf(fieldVal) < 0;
     case "between": {
       if (typeof fieldVal !== "number") return false;
       return fieldVal >= rule.value[0] && fieldVal <= rule.value[1];
@@ -299,6 +323,20 @@ function _evaluateRules(input) {
   return _matchRuleset(rules, product);
 }
 
+// Collect the distinct catalog fields a (validated) rule set reads, so
+// the smart-eval path can enrich ONLY the fields a collection actually
+// references rather than every supported field on every product. `rules`
+// is the `{ all, any }` shape `_validateRules` returns.
+function _fieldsReferenced(rules) {
+  var seen = Object.create(null);
+  function _walk(list) {
+    for (var i = 0; i < list.length; i += 1) seen[list[i].field] = true;
+  }
+  _walk(rules.all);
+  _walk(rules.any);
+  return Object.keys(seen);
+}
+
 // ---- sort comparators for smart collections ------------------------------
 
 // Best-selling needs a sales-rank on the product object; the catalog
@@ -369,6 +407,63 @@ function create(opts) {
   }
   var cursorSecret = opts.cursorSecret;
 
+  // Smart-collection matched-roster cache. A smart collection has no
+  // materialised membership — `productsIn` walks the WHOLE catalog,
+  // evaluates rules, sorts, then slices the requested page. Paginating
+  // a smart collection therefore re-walked the entire catalog on every
+  // page request (page 2 redid the work page 1 already did). This brief
+  // in-process cache holds the sorted matched roster keyed by the
+  // collection's identity + rule fingerprint, so successive page
+  // requests within the TTL slice the cached roster instead of
+  // re-walking. The TTL is short (a smart collection that just lost a
+  // product to an archive shows the stale member for at most one TTL)
+  // and configurable; pass `smartCacheTtlMs: 0` to disable. The cache
+  // is per-factory-instance and bounded by an LRU-ish cap so it can't
+  // grow unbounded across many distinct collections.
+  var SMART_CACHE_TTL_MS = opts.smartCacheTtlMs != null
+    ? opts.smartCacheTtlMs
+    : b.constants.TIME.seconds(30);
+  if (typeof SMART_CACHE_TTL_MS !== "number" || !isFinite(SMART_CACHE_TTL_MS) || SMART_CACHE_TTL_MS < 0) {
+    throw new TypeError("collections.create: smartCacheTtlMs must be a non-negative number of ms");
+  }
+  var SMART_CACHE_MAX_ENTRIES = 64;
+  var _smartCache = new Map();   // key -> { roster, expires_at }
+
+  function _smartCacheKey(slug, row) {
+    // The rule fingerprint + sort_strategy + updated_at are part of the
+    // key, so re-defining a smart collection's rules (which bumps
+    // updated_at and rewrites rules_json) misses the prior entry and
+    // re-walks — no stale roster after an operator edit. NUL joins the
+    // parts (it can't appear in a slug, timestamp, sort strategy, or
+    // JSON, so the parts can't collide), written as an escape so the
+    // source stays plain text.
+    return slug + "\u0000" + (row.updated_at == null ? "" : row.updated_at) +
+      "\u0000" + (row.sort_strategy || "") + "\u0000" + (row.rules_json || "");
+  }
+
+  function _smartCacheGet(key) {
+    if (SMART_CACHE_TTL_MS === 0) return null;
+    var hit = _smartCache.get(key);
+    if (!hit) return null;
+    if (hit.expires_at <= _now()) { _smartCache.delete(key); return null; }
+    // Refresh LRU recency.
+    _smartCache.delete(key);
+    _smartCache.set(key, hit);
+    return hit.roster;
+  }
+
+  function _smartCacheSet(key, roster) {
+    if (SMART_CACHE_TTL_MS === 0) return;
+    if (_smartCache.size >= SMART_CACHE_MAX_ENTRIES) {
+      // Evict the least-recently-used entry (first key in insertion
+      // order — `get` re-inserts on hit so live entries drift to the
+      // tail).
+      var oldest = _smartCache.keys().next().value;
+      if (oldest !== undefined) _smartCache.delete(oldest);
+    }
+    _smartCache.set(key, { roster: roster, expires_at: _now() + SMART_CACHE_TTL_MS });
+  }
+
   // ---- internal helpers --------------------------------------------------
 
   async function _row(slug) {
@@ -406,8 +501,12 @@ function create(opts) {
   // caller-supplied visitor. The catalog is expected to expose
   // `products.list({ limit, cursor?, status? })`; the smart-eval
   // path filters to `status = 'active'` so archived rows never leak
-  // into a smart collection.
-  async function _walkCatalogActive(visit) {
+  // into a smart collection. `enrichFields` (optional) is the list of
+  // smart-rule fields to join onto each page's rows before the visitor
+  // sees them, so the rule evaluator reads real catalog data rather
+  // than `undefined` — enrichment is batched per page (one query per
+  // referenced supporting table per page, not per product).
+  async function _walkCatalogActive(visit, enrichFields) {
     var cursor = null;
     var pages = 0;
     var pageLimit = 200;
@@ -419,6 +518,7 @@ function create(opts) {
     while (pages < MAX_PAGES) {
       var page = await catalog.products.list({ status: "active", limit: pageLimit, cursor: cursor });
       var rows = (page && page.rows) || [];
+      if (enrichFields && enrichFields.length) await _enrichRows(rows, enrichFields);
       for (var i = 0; i < rows.length; i += 1) await visit(rows[i]);
       cursor = (page && page.next_cursor) || null;
       pages += 1;
@@ -427,6 +527,149 @@ function create(opts) {
     throw new Error("collections: catalog walk exceeded " + MAX_PAGES + " pages — pre-materialise smart membership");
   }
 
+  // ---- smart-rule field enrichment --------------------------------------
+
+  // The catalog's `products.list` returns the bare product row — id,
+  // slug, title, description, status, created_at, updated_at. A smart
+  // collection's rules read `tags`, `category`, `vendor`, `price_minor`,
+  // and `inventory_count`, none of which live on that row; they're
+  // joined from supporting tables (`product_tags`, `product_categories`,
+  // `vendor_skus` via `variants.sku`, `prices`, `inventory`). Without
+  // this enrichment every rule on those fields evaluated against
+  // `undefined` and a smart collection matched ZERO products in
+  // production while the unit-test mock (which pre-stuffs the fields)
+  // stayed green — a dark feature.
+  //
+  // Enrichment is batched per catalog page and scoped to ONLY the fields
+  // the active rule set references (computed once by the caller), so a
+  // collection that filters on price alone never pays for the tag /
+  // category / vendor joins. A row that ALREADY carries a field (e.g. a
+  // caller that pre-decorated, or the test mock) is left untouched — the
+  // enrichment only fills gaps. Each supporting-table read is wrapped so
+  // an unmigrated table degrades the field to its empty form (empty
+  // array / null / 0) rather than throwing out of the catalog walk.
+  async function _enrichRows(rows, fields) {
+    if (!rows.length || !fields.length) return;
+    var need = {};
+    for (var f = 0; f < fields.length; f += 1) need[fields[f]] = true;
+
+    // Only enrich product rows that are MISSING the requested field —
+    // gather their ids per field so a pre-decorated row is never
+    // re-queried.
+    var ids = [];
+    var idSeen = Object.create(null);
+    for (var i = 0; i < rows.length; i += 1) {
+      var id = rows[i] && rows[i].id;
+      if (id == null) continue;
+      if (!idSeen[id]) { idSeen[id] = true; ids.push(id); }
+    }
+    if (!ids.length) return;
+    var ph = ids.map(function (_v, n) { return "?" + (n + 1); }).join(",");
+
+    async function _safeQuery(sql, params) {
+      try { return (await query(sql, params)).rows; }
+      catch (_e) { return []; }   // unmigrated supporting table → empty
+    }
+
+    var tagsByProduct = null;
+    if (need.tags) {
+      tagsByProduct = Object.create(null);
+      var tagRows = await _safeQuery(
+        "SELECT product_id, tag FROM product_tags WHERE product_id IN (" + ph + ")",
+        ids,
+      );
+      for (var t = 0; t < tagRows.length; t += 1) {
+        var tp = tagRows[t].product_id;
+        (tagsByProduct[tp] || (tagsByProduct[tp] = [])).push(tagRows[t].tag);
+      }
+    }
+
+    var catByProduct = null;
+    if (need.category) {
+      catByProduct = Object.create(null);
+      var catRows = await _safeQuery(
+        "SELECT product_id, category FROM product_categories WHERE product_id IN (" + ph + ")",
+        ids,
+      );
+      for (var c = 0; c < catRows.length; c += 1) {
+        var cp = catRows[c].product_id;
+        (catByProduct[cp] || (catByProduct[cp] = [])).push(catRows[c].category);
+      }
+    }
+
+    var vendorByProduct = null;
+    if (need.vendor) {
+      vendorByProduct = Object.create(null);
+      // Vendor binds to a SKU (vendor_skus.sku), and a SKU belongs to a
+      // variant of a product. A product with several variants could in
+      // principle map to more than one vendor; the smart-rule field is
+      // scalar, so we take the lexicographically-smallest assigned
+      // vendor slug for determinism. Products with no assigned vendor
+      // get null (no row), and the rule on `vendor` simply won't match.
+      var venRows = await _safeQuery(
+        "SELECT v.product_id AS product_id, MIN(vs.vendor_slug) AS vendor " +
+        "FROM variants v JOIN vendor_skus vs ON vs.sku = v.sku " +
+        "WHERE v.product_id IN (" + ph + ") GROUP BY v.product_id",
+        ids,
+      );
+      for (var vi = 0; vi < venRows.length; vi += 1) {
+        vendorByProduct[venRows[vi].product_id] = venRows[vi].vendor;
+      }
+    }
+
+    var priceByProduct = null;
+    if (need.price_minor) {
+      priceByProduct = Object.create(null);
+      // Lowest CURRENT price across the product's variants — the
+      // `effective_until IS NULL` row is the live price the catalog's
+      // own decorator reads. "Starting at" is the natural price a
+      // price-bounded smart rule (`price_minor < 5000`) should test.
+      var priceRows = await _safeQuery(
+        "SELECT v.product_id AS product_id, MIN(pr.amount_minor) AS price_minor " +
+        "FROM variants v JOIN prices pr ON pr.variant_id = v.id " +
+        "WHERE v.product_id IN (" + ph + ") AND pr.effective_until IS NULL " +
+        "GROUP BY v.product_id",
+        ids,
+      );
+      for (var pi = 0; pi < priceRows.length; pi += 1) {
+        priceByProduct[priceRows[pi].product_id] = priceRows[pi].price_minor;
+      }
+    }
+
+    var invByProduct = null;
+    if (need.inventory_count) {
+      invByProduct = Object.create(null);
+      // Total on-hand units across the product's variant SKUs. A rule
+      // like `inventory_count > 0` ("only in-stock") reads this.
+      var invRows = await _safeQuery(
+        "SELECT v.product_id AS product_id, COALESCE(SUM(inv.stock_on_hand), 0) AS inventory_count " +
+        "FROM variants v JOIN inventory inv ON inv.sku = v.sku " +
+        "WHERE v.product_id IN (" + ph + ") GROUP BY v.product_id",
+        ids,
+      );
+      for (var ii = 0; ii < invRows.length; ii += 1) {
+        invByProduct[invRows[ii].product_id] = invRows[ii].inventory_count;
+      }
+    }
+
+    for (var r = 0; r < rows.length; r += 1) {
+      var row = rows[r];
+      var rid = row && row.id;
+      if (rid == null) continue;
+      if (need.tags && !("tags" in row)) row.tags = tagsByProduct[rid] || [];
+      if (need.category && !("category" in row)) row.category = catByProduct[rid] || [];
+      if (need.vendor && !("vendor" in row)) {
+        row.vendor = Object.prototype.hasOwnProperty.call(vendorByProduct, rid) ? vendorByProduct[rid] : null;
+      }
+      if (need.price_minor && !("price_minor" in row)) {
+        row.price_minor = Object.prototype.hasOwnProperty.call(priceByProduct, rid) ? priceByProduct[rid] : null;
+      }
+      if (need.inventory_count && !("inventory_count" in row)) {
+        row.inventory_count = Object.prototype.hasOwnProperty.call(invByProduct, rid) ? invByProduct[rid] : 0;
+      }
+    }
+  }
+
   // ---- defineManual ------------------------------------------------------
 
   async function defineManual(input) {
@@ -824,12 +1067,22 @@ function create(opts) {
       }
     }
 
-    var matched = [];
-    await _walkCatalogActive(function (product) {
-      if (_matchRuleset(rules, product)) matched.push(product);
-    });
-    var sortStrategy = row.sort_strategy === "manual" ? "newest" : row.sort_strategy;
-    matched.sort(_smartCompare(sortStrategy));
+    // Reuse the cached sorted roster when a recent page request already
+    // walked + sorted this exact (slug, rules, sort, updated_at)
+    // combination; otherwise walk the catalog once, sort, and cache.
+    // Paginating no longer re-walks the whole catalog per page.
+    var cacheKey = _smartCacheKey(input.slug, row);
+    var matched = _smartCacheGet(cacheKey);
+    if (matched == null) {
+      var enrichFields = _fieldsReferenced(rules);
+      matched = [];
+      await _walkCatalogActive(function (product) {
+        if (_matchRuleset(rules, product)) matched.push(product);
+      }, enrichFields);
+      var sortStrategy = row.sort_strategy === "manual" ? "newest" : row.sort_strategy;
+      matched.sort(_smartCompare(sortStrategy));
+      _smartCacheSet(cacheKey, matched);
+    }
     var slice = matched.slice(startIdx, startIdx + limit);
     var nextS = null;
     if (startIdx + slice.length < matched.length) {
@@ -879,12 +1132,27 @@ function create(opts) {
           "SELECT * FROM collections WHERE type = 'smart' AND archived_at IS NULL",
           [],
         );
+        // Parse every active smart rule set once, collecting the UNION
+        // of catalog fields they read so the single product can be
+        // enriched with real tag / category / vendor / price /
+        // inventory data in one batch before any rule evaluates —
+        // mirroring the productsIn smart path. Without this the reverse
+        // lookup matched zero smart collections for the same dark-feature
+        // reason the forward path did.
+        var parsed = [];
+        var fieldSeen = Object.create(null);
         for (var s = 0; s < smartRows.rows.length; s += 1) {
           if (seen[smartRows.rows[s].slug]) continue;
           var rules;
           try { rules = JSON.parse(smartRows.rows[s].rules_json); }
           catch (_e) { continue; }
-          if (_matchRuleset(rules, product)) out.push(_decode(smartRows.rows[s]));
+          parsed.push({ row: smartRows.rows[s], rules: rules });
+          var refs = _fieldsReferenced(rules);
+          for (var rf = 0; rf < refs.length; rf += 1) fieldSeen[refs[rf]] = true;
+        }
+        await _enrichRows([product], Object.keys(fieldSeen));
+        for (var pj = 0; pj < parsed.length; pj += 1) {
+          if (_matchRuleset(parsed[pj].rules, product)) out.push(_decode(parsed[pj].row));
         }
       }
     }

package/lib/compliance-export.js

@@ -10,8 +10,11 @@
  *   me" (export) or "erase everything you hold on me" (deletion).
  *   The primitive owns the request lifecycle + composes per-domain
  *   readers (customers, order, order-notes, subscriptions,
- *   addresses, payment-methods, support-tickets, loyalty) to
- *   assemble the bundle. Delivery (email / signed URL / secure
+ *   addresses, payment-methods, support-tickets, loyalty, reviews,
+ *   consent ledger, wishlist, surveys, recently-viewed) to assemble
+ *   the bundle — every table that keys a row by the customer, so the
+ *   export holds the whole record, not just the order/identity core.
+ *   Delivery (email / signed URL / secure
  *   download portal) is the operator worker's concern — this
  *   primitive returns the bundle as structured JSON and stamps
  *   the lifecycle row when the worker confirms dispatch.
@@ -76,7 +79,11 @@
  *
  *   Scope semantics on export:
  *
- *     - `full`           — every injected reader contributes.
+ *     - `full`           — every injected reader contributes (identity,
+ *                          orders, subscriptions, addresses, payment
+ *                          methods, support tickets, loyalty, reviews,
+ *                          consent ledger, wishlist, surveys,
+ *                          recently-viewed).
  *     - `orders_only`    — only `order` + `orderNotes` contribute;
  *                          identity / loyalty / subscriptions /
  *                          addresses / payment methods / support
@@ -92,7 +99,9 @@
  *
  * @primitive complianceExport
  * @related    customers, order, orderNotes, subscriptions, addresses,
- *             paymentMethods, supportTickets, loyalty, orderExport
+ *             paymentMethods, supportTickets, loyalty, reviews,
+ *             consentLedger, wishlist, customerSurveys, recentlyViewed,
+ *             orderExport
  */
 
 var b = require("./vendor/blamejs");
@@ -124,10 +133,19 @@ var ZERO_WIDTH_RE   = new RegExp(
 
 // Scope -> which injected readers contribute on export. Keeps the
 // fulfillRequest logic a single lookup instead of nested if-else.
+//
+// `full` enumerates every domain that keys a row by the customer
+// (directly via customer_id, or via a per-customer hash) so a
+// subject-access export holds everything the controller stores about
+// the person — not just the order / identity core. A domain that
+// isn't wired (or whose reader is absent) is reported in
+// `sections_absent`, so an unexported table is always visible in the
+// bundle manifest rather than silently dropped.
 var SCOPE_SECTIONS = Object.freeze({
   full: Object.freeze([
     "customers", "addresses", "order", "orderNotes",
     "subscriptions", "paymentMethods", "supportTickets", "loyalty",
+    "reviews", "consentLedger", "wishlist", "surveys", "recentlyViewed",
   ]),
   orders_only: Object.freeze(["order", "orderNotes"]),
   identity_only: Object.freeze(["customers", "addresses"]),
@@ -220,6 +238,28 @@ function _limit(n) {
 
 function _now() { return Date.now(); }
 
+// Classify a reader's returned section for the completeness manifest.
+// A section is "empty" when the reader is wired but holds nothing for
+// this customer: null, an empty array, or an object whose own values
+// are all themselves empty (e.g. `{ balance: 0, history: [] }`). Any
+// other shape (a non-empty array, an object carrying a row, a scalar)
+// counts as "exported". The distinction lets the auditor tell "we hold
+// nothing here" apart from "this is real PII we exported".
+function _isEmptySection(section) {
+  if (section == null) return true;
+  if (Array.isArray(section)) return section.length === 0;
+  if (typeof section === "object") {
+    var keys = Object.keys(section);
+    if (keys.length === 0) return true;
+    for (var i = 0; i < keys.length; i += 1) {
+      if (!_isEmptySection(section[keys[i]])) return false;
+    }
+    return true;
+  }
+  // A scalar (string / number / boolean) is real exported data.
+  return false;
+}
+
 // ---- row hydration ------------------------------------------------------
 
 function _hydrate(r) {
@@ -267,6 +307,11 @@ function create(opts) {
     paymentMethods: opts.paymentMethods || null,
     supportTickets: opts.supportTickets || null,
     loyalty:        opts.loyalty        || null,
+    reviews:        opts.reviews        || null,
+    consentLedger:  opts.consentLedger  || null,
+    wishlist:       opts.wishlist       || null,
+    surveys:        opts.surveys        || null,
+    recentlyViewed: opts.recentlyViewed || null,
   };
 
   // ---- requestExport -------------------------------------------------
@@ -391,12 +436,21 @@ function create(opts) {
     var bundle          = {};
     var sectionsPresent = [];
     var sectionsAbsent  = [];
+    // Per-section completeness manifest. Every scope section lands here
+    // with an explicit status — "exported" (reader wired + returned
+    // data), "empty" (reader wired but the customer has no rows here),
+    // or "absent" (no reader wired at fulfillment time). An auditor (or
+    // the data subject) reads this to confirm the bundle isn't
+    // surreptitiously incomplete: an unexported table is visible as
+    // `absent`, never silently dropped.
+    var manifest = [];
 
     for (var s = 0; s < sections.length; s += 1) {
       var sectionName = sections[s];
       var reader      = injectedReaders[sectionName];
       if (!reader || typeof reader.forCustomerExport !== "function") {
         sectionsAbsent.push(sectionName);
+        manifest.push({ section: sectionName, status: "absent" });
         continue;
       }
       // The reader returns whatever shape it owns (array of rows,
@@ -406,6 +460,7 @@ function create(opts) {
       var section = await reader.forCustomerExport(row.customer_id);
       bundle[sectionName] = section == null ? null : section;
       sectionsPresent.push(sectionName);
+      manifest.push({ section: sectionName, status: _isEmptySection(section) ? "empty" : "exported" });
     }
 
     var fulfilledAt = _now();
@@ -422,6 +477,7 @@ function create(opts) {
       fulfilled_at:     fulfilledAt,
       sections_present: sectionsPresent,
       sections_absent:  sectionsAbsent,
+      manifest:         manifest,
       data:             bundle,
     };
   }
@@ -504,6 +560,7 @@ function create(opts) {
     }
 
     var domainOrder = [
+      "recentlyViewed", "wishlist", "surveys", "reviews", "consentLedger",
       "supportTickets", "orderNotes", "order", "subscriptions",
       "paymentMethods", "loyalty", "addresses", "customers",
     ];

package/lib/customer-portal.js

@@ -287,6 +287,29 @@ function create(opts) {
       return { revoked: Number(r.rowCount || 0) > 0 };
     },
 
+    // Bulk eject every LIVE (issued) session for one customer in a
+    // single statement. The right-to-erasure / password-reset hammer:
+    // where `revokeSession` kills one id, this kills the whole live set
+    // so a deleted (or compromised) customer's outstanding portal links
+    // all stop working at once. Idempotent — a customer with no issued
+    // session flips zero rows. Only `issued` rows move (consumed /
+    // expired / already-revoked stay terminal). Returns the count.
+    revokeAllForCustomer: async function (customerId, reason) {
+      var cid   = _uuid(customerId, "customer_id");
+      var clean = _optShortString(reason, "reason", MAX_REASON_LEN);
+      if (clean == null) {
+        throw new TypeError("customer-portal.revokeAllForCustomer: reason required (non-empty string ≤ " + MAX_REASON_LEN + " chars)");
+      }
+      var now = _now();
+      var r = await query(
+        "UPDATE customer_portal_sessions " +
+        "SET status = 'revoked', revoked_at = ?1, revoke_reason = ?2 " +
+        "WHERE customer_id = ?3 AND status = 'issued'",
+        [now, clean, cid],
+      );
+      return { revoked: Number(r.rowCount || 0) };
+    },
+
     // Audit / debugging entry point. Returns every session ever
     // minted for a customer, newest-first by created_at (id as
     // tiebreak — both are uuid.v7-derived so the ordering is

package/lib/customer-segments.js

@@ -332,10 +332,13 @@ function _now() { return Date.now(); }
 // ---- CSV helpers (members export) ---------------------------------------
 //
 // Same RFC-4180 quoting + spreadsheet-formula-injection neutralization
-// the order-export primitive uses: every cell is quoted, embedded `"`
-// doubled, and any cell beginning with `=` / `+` / `-` / `@` is prefixed
-// with `'` so a spreadsheet treats it as text (a customer-controlled
-// display_name is the injection vector). Signed numerics pass through.
+// the order-export primitive uses, composing the SAME shared vendored
+// neutralizer (b.guardCsv.escapeCell) so the two CSV surfaces can't drift:
+// every cell is quoted, embedded `"` doubled, and a cell beginning with any
+// formula-trigger char — `= + - @` plus the tab / CR / LF / pipe / full-
+// width variants an `= + - @`-only check misses — gets a leading TAB so a
+// spreadsheet treats it as text (a customer-controlled display_name is the
+// injection vector here).
 
 function _coerceCell(value) {
   if (value == null) return "";
@@ -344,14 +347,8 @@ function _coerceCell(value) {
   return JSON.stringify(value);
 }
 
-var _NUMERIC_SIGN_RE = /^[+-](?:\d+(?:\.\d+)?|\.\d+)$/;
-
 function _neutralizeInjection(s) {
-  if (s.length === 0) return s;
-  var first = s.charAt(0);
-  if (first !== "=" && first !== "+" && first !== "-" && first !== "@") return s;
-  if ((first === "+" || first === "-") && _NUMERIC_SIGN_RE.test(s)) return s;
-  return "'" + s;
+  return b.guardCsv.escapeCell(s);
 }
 
 function _csvCell(value) {