@blamejs/blamejs-shop 0.4.20 → 0.4.22

package/lib/customers.js

@@ -535,6 +535,78 @@ function create(opts) {
       return true;
     },
 
+    // Right-to-erasure auth revocation. A subject-access deletion must
+    // leave the customer UNABLE TO SIGN BACK IN — anonymizing the profile
+    // row alone is not erasure if every login credential still resolves.
+    // This deletes the THREE durable sign-in credentials keyed to the
+    // customer and severs the magic-link lookup key in ONE call:
+    //
+    //   * customer_passkeys           — every enrolled WebAuthn authenticator
+    //                                    (passkey sign-in resolves a credential
+    //                                    to this id; gone, the assertion misses).
+    //   * customer_oauth_identities   — every federated link (Google / Apple
+    //                                    OIDC resolves byOAuthIdentity to this
+    //                                    id; gone, the federated sign-in creates
+    //                                    a fresh unrelated account instead).
+    //   * email_hash -> tombstone     — the magic-link / guest-order-claim path
+    //                                    resolves byEmailHash; overwriting the
+    //                                    hash with a per-id, non-reversible
+    //                                    tombstone means no future link for the
+    //                                    erased address can ever resolve this row
+    //                                    (the address itself is never stored, so
+    //                                    there is no plaintext to scrub — only
+    //                                    the lookup key to break).
+    //
+    // The sealed 14-day auth cookie is stateless (no server session row to
+    // kill), but with no credential left to re-mint it and no lookup key to
+    // re-issue a magic link, the account cannot be re-entered after the
+    // cookie expires; the live customer-portal sessions are revoked
+    // separately by the caller (customerPortal.revokeAllForCustomer). Each
+    // step is idempotent — re-running on an already-erased row deletes
+    // nothing more and returns zero counts. dry_run reports the counts the
+    // wet run WOULD remove without mutating, so the operator preview shows
+    // the blast radius. Returns `{ passkeys, oauth_identities, email_hash_cleared }`.
+    eraseAuthForCustomer: async function (id, opts) {
+      _uuid(id, "customer id");
+      var dryRun = !!(opts && opts.dry_run);
+      var pkRows = (await query(
+        "SELECT COUNT(*) AS n FROM customer_passkeys WHERE customer_id = ?1", [id],
+      )).rows[0];
+      var oaRows = (await query(
+        "SELECT COUNT(*) AS n FROM customer_oauth_identities WHERE customer_id = ?1", [id],
+      )).rows[0];
+      var existing = (await query("SELECT email_hash FROM customers WHERE id = ?1", [id])).rows[0];
+      var emailHashSet = !!(existing && existing.email_hash && String(existing.email_hash).indexOf("erased:") !== 0);
+      if (dryRun) {
+        return {
+          passkeys:            pkRows ? Number(pkRows.n) : 0,
+          oauth_identities:    oaRows ? Number(oaRows.n) : 0,
+          email_hash_cleared:  emailHashSet ? 1 : 0,
+        };
+      }
+      var ts = _now();
+      var pkDel = await query("DELETE FROM customer_passkeys WHERE customer_id = ?1", [id]);
+      var oaDel = await query("DELETE FROM customer_oauth_identities WHERE customer_id = ?1", [id]);
+      // Tombstone the lookup key with a per-id, non-reversible value that
+      // can never collide with a real namespaceHash digest (those are hex)
+      // and can never be re-derived from any email address. Only rewrite a
+      // live (non-tombstoned) hash so a re-run is a no-op.
+      var emailHashCleared = 0;
+      if (emailHashSet) {
+        var tombstone = "erased:" + b.crypto.namespaceHash("customer-erased-email", id);
+        var upd = await query(
+          "UPDATE customers SET email_hash = ?1, updated_at = ?2 WHERE id = ?3 AND email_hash = ?4",
+          [tombstone, ts, id, existing.email_hash],
+        );
+        emailHashCleared = Number((upd && upd.rowCount) || 0);
+      }
+      return {
+        passkeys:            Number((pkDel && pkDel.rowCount) || 0),
+        oauth_identities:    Number((oaDel && oaDel.rowCount) || 0),
+        email_hash_cleared:  emailHashCleared,
+      };
+    },
+
     // Mutate a customer's editable profile fields. v1 covers display_name
     // only — the one field a customer can safely change without a
     // verification round trip.

package/lib/email-campaigns.js

@@ -783,7 +783,14 @@ function create(opts) {
     var signup = await newsletter.byEmailHash(emailHash);
     if (!signup || !signup.id) return null;
     var issued = await newsletter.issueUnsubscribeToken(signup.id);
-    var url = unsubscribeBaseUrl + "/newsletter/unsubscribe?token=" + encodeURIComponent(issued.token);
+    // The storefront mounts the one-click unsubscribe at GET/POST
+    // /unsubscribe (lib/storefront.js + EDGE_POST_PATHS). The token rides
+    // in the URL — a mail client's RFC 8058 one-click POST fires at this
+    // exact URL with a `List-Unsubscribe=One-Click` body and no token of
+    // its own, so the route MUST be the real one and MUST read the token
+    // from here. (An earlier `/newsletter/unsubscribe` target had no route
+    // behind it — every native one-click POST 404'd and never unsubscribed.)
+    var url = unsubscribeBaseUrl + "/unsubscribe?token=" + encodeURIComponent(issued.token);
     // Validate the header SHAPE through the vendored RFC 2369 + RFC 8058
     // guard so a malformed link (non-https, control byte) never reaches
     // the wire — Gmail / Yahoo refuse mail that carries a broken pair.

package/lib/gift-card-ledger.js

@@ -240,24 +240,53 @@ function create(opts) {
       var requested  = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(giftCardId);
-      if (amount > latest.balance) {
+      // Atomic guarded INSERT — the overdraft check and the row write
+      // happen in ONE statement so two concurrent debits can't both
+      // read the same balance, both pass the check, and both write
+      // (the read-then-write race that corrupted `balance_after_minor`).
+      // The latest row's snapshot (balance + occurred_at) is read by
+      // correlated scalar subqueries INSIDE the INSERT; the WHERE gates
+      // the write on `current_balance >= amount` against that live
+      // value, and the inserted `balance_after_minor` /  monotonic
+      // `occurred_at` are derived from the same subqueries — so on D1
+      // (where a single statement is atomic) exactly one of two racing
+      // debits lands. rowCount === 0 means the guard refused: either a
+      // genuine overdraft or the loser of a race.
+      var id = b.uuid.v7();
+      var balSub =
+        "COALESCE((SELECT balance_after_minor FROM gift_card_ledger " +
+        "WHERE gift_card_id = ?2 ORDER BY occurred_at DESC LIMIT 1), 0)";
+      var tsSub =
+        "(SELECT occurred_at FROM gift_card_ledger " +
+        "WHERE gift_card_id = ?2 ORDER BY occurred_at DESC LIMIT 1)";
+      var ins = await query(
+        "INSERT INTO gift_card_ledger " +
+        "(id, gift_card_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, occurred_at) " +
+        "SELECT ?1, ?2, 'debit', ?3, NULL, NULL, ?4, " +
+        balSub + " - ?3, " +
+        "CASE WHEN ?5 > COALESCE(" + tsSub + ", 0) THEN ?5 ELSE COALESCE(" + tsSub + ", 0) + 1 END " +
+        "WHERE " + balSub + " >= ?3",
+        [id, giftCardId, amount, orderId, requested],
+      );
+      if (Number(ins.rowCount || 0) === 0) {
         var insufficient = new Error("giftCardLedger.debit: amount exceeds available balance");
         insufficient.code = "GIFT_CARD_LEDGER_INSUFFICIENT_BALANCE";
         throw insufficient;
       }
-      var ts    = _resolveOccurredAt(requested, latest.occurred_at);
-      var after = latest.balance - amount;
-      var id = await _writeRow(giftCardId, "debit", amount, null, null, orderId, after, ts);
-
+      // Re-read the row we just wrote to surface the resolved
+      // balance_after / occurred_at without recomputing them client-side.
+      var wrote = (await query(
+        "SELECT balance_after_minor, occurred_at FROM gift_card_ledger WHERE id = ?1",
+        [id],
+      )).rows[0];
       return {
         id:                  id,
         gift_card_id:        giftCardId,
         kind:                "debit",
         amount_minor:        amount,
         order_id:            orderId,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: wrote ? wrote.balance_after_minor : null,
+        occurred_at:         wrote ? wrote.occurred_at : requested,
       };
     },
 

package/lib/gift-registry.js

@@ -622,10 +622,12 @@ function create(opts) {
     if (item.archived_at != null) {
       throw new TypeError("giftRegistry.purchaseItem: item " + JSON.stringify(itemId) + " has been removed");
     }
-    // Refuse over-purchase: aggregate prior purchases + this one
-    // must not exceed `quantity_desired`. The owner's wish-list is
+    // Refuse over-purchase: aggregate prior purchases + this one must
+    // not exceed `quantity_desired`. The owner's wish-list is
     // authoritative — a fourth blender is not a gift, it's a return
-    // pending.
+    // pending. The pre-read below only shapes a friendly "remaining N"
+    // error for the common (uncontended) case; the AUTHORITATIVE check
+    // is the guarded INSERT that follows.
     var priorRes = await query(
       "SELECT COALESCE(SUM(quantity), 0) AS sum FROM gift_registry_purchases " +
       "WHERE registry_slug = ?1 AND item_id = ?2",
@@ -644,12 +646,48 @@ function create(opts) {
 
     var id = b.uuid.v7();
     var ts = _now();
-    await query(
+    // Atomic guarded INSERT — the SUM-of-prior-purchases check and the
+    // purchase write land in ONE statement so two concurrent buyers
+    // can't both read the same prior sum, both pass the pre-check, and
+    // both insert (the read-then-write race that let purchases exceed
+    // `quantity_desired`). The constraint is re-evaluated against the
+    // LIVE purchase sum + the item's live `quantity_desired` inside the
+    // INSERT; the item must also still exist and be unarchived. On D1 a
+    // single statement is atomic, so exactly one of two racing
+    // purchases for the last unit lands. rowCount === 0 means the guard
+    // refused — a concurrent purchase claimed the remaining quantity
+    // first (or the item was archived between the pre-check and here).
+    var ins = await query(
       "INSERT INTO gift_registry_purchases " +
       "(id, registry_slug, item_id, quantity, buyer_customer_id, buyer_message, reveal_buyer, occurred_at) " +
-      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8)",
+      "SELECT ?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8 " +
+      "WHERE EXISTS (" +
+      "  SELECT 1 FROM gift_registry_items gi " +
+      "  WHERE gi.id = ?3 AND gi.registry_slug = ?2 AND gi.archived_at IS NULL " +
+      "  AND (" +
+      "    SELECT COALESCE(SUM(gp.quantity), 0) FROM gift_registry_purchases gp " +
+      "    WHERE gp.registry_slug = ?2 AND gp.item_id = ?3" +
+      "  ) + ?4 <= gi.quantity_desired" +
+      ")",
       [id, slug, itemId, qty, buyerId, buyerMsg, reveal ? 1 : 0, ts],
     );
+    if (Number(ins.rowCount || 0) === 0) {
+      // Lost the race (or the item was archived between the pre-check
+      // and the guarded INSERT). Recompute the live remaining for an
+      // honest message; the write applied nothing.
+      var liveSum = Number((await query(
+        "SELECT COALESCE(SUM(quantity), 0) AS sum FROM gift_registry_purchases " +
+        "WHERE registry_slug = ?1 AND item_id = ?2",
+        [slug, itemId],
+      )).rows[0].sum || 0);
+      var raced = new Error(
+        "giftRegistry.purchaseItem: quantity " + qty +
+        " exceeds remaining " + Math.max(0, item.quantity_desired - liveSum) +
+        " on item " + itemId,
+      );
+      raced.code = "GIFT_REGISTRY_OVER_PURCHASE";
+      throw raced;
+    }
     await query(
       "UPDATE gift_registries SET updated_at = ?1 WHERE slug = ?2",
       [ts, slug],

package/lib/loyalty-earn-rules.js

@@ -648,6 +648,111 @@ function create(opts) {
     };
   }
 
+  // ---- reverseForEvent ------------------------------------------------
+
+  // Reverse every award booked for one (customer, event) — the
+  // counterpart to awardForEvent on an order's cancel / refund edge. A
+  // paid order awards points; if that order later dies the points must
+  // come back off the balance or a buy-then-refund mints free rewards.
+  //
+  // The earn-log `reversed_at` claim IS the idempotency guard: the
+  // `UPDATE ... WHERE reversed_at IS NULL` serializes a concurrent
+  // double-fire (a re-delivered webhook, or the stale-order reaper
+  // racing a refund) so the points are clawed back exactly once. A
+  // never-awarded event (a guest order, or one that never reached paid)
+  // claims zero rows and is a natural no-op — no paid-state precondition
+  // needed. Returns { reversed_points, clawed_points }: reversed_points
+  // is what the awards totalled; clawed_points is what actually came off
+  // the balance (floored at zero — a customer may have already spent the
+  // points, and the balance can't go negative).
+  async function reverseForEvent(input) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("loyaltyEarnRules.reverseForEvent: input object required");
+    }
+    var customerId      = _uuid(input.customer_id, "customer_id");
+    var triggerEventRef = _triggerEventRef(input.trigger_event_ref);
+
+    // Atomic claim across every rule that awarded for this event. The
+    // unreversed predicate is the serialization point — a row claimed
+    // here can't be claimed by a racing reversal, and an already-reversed
+    // (or never-awarded) event claims nothing.
+    var ts = _now();
+    var claim = await query(
+      "UPDATE loyalty_earn_log SET reversed_at = ?1 " +
+      "WHERE customer_id = ?2 AND trigger_event_ref = ?3 AND reversed_at IS NULL",
+      [ts, customerId, triggerEventRef],
+    );
+    if (Number(claim.rowCount || 0) === 0) {
+      return { reversed_points: 0, clawed_points: 0 };
+    }
+
+    // Sum exactly the rows this call claimed (reversed_at === ts pins them
+    // to this reversal, not an earlier one against the same event).
+    var sumRow = (await query(
+      "SELECT COALESCE(SUM(points_awarded), 0) AS earned FROM loyalty_earn_log " +
+      "WHERE customer_id = ?1 AND trigger_event_ref = ?2 AND reversed_at = ?3",
+      [customerId, triggerEventRef, ts],
+    )).rows[0] || { earned: 0 };
+    var earned = Number(sumRow.earned || 0);
+
+    // Claw the earned points back off the running balance, floored at
+    // zero. loyalty.adjust refuses an underflow by THROWING an Error with
+    // code LOYALTY_INSUFFICIENT_BALANCE; a concurrent spend can shrink the
+    // balance between our read and the adjust, so on that refusal we
+    // re-read and retry against the smaller balance (≤3 attempts). The
+    // non-negative guard inside adjust makes the race safe — the worst
+    // case is we claw less, never below zero, never negative. Lifetime is
+    // not decremented (adjust's stance — tier never downgrades
+    // retroactively). Skip the adjust entirely when there's nothing to
+    // claw (adjust requires a non-zero delta).
+    var clawed = 0;
+    if (loyaltyHandle && typeof loyaltyHandle.adjust === "function"
+        && typeof loyaltyHandle.balance === "function" && earned > 0) {
+      try {
+        for (var attempt = 0; attempt < 3; attempt += 1) {
+          var bal = await loyaltyHandle.balance(customerId);
+          var claw = Math.min(earned, Number((bal && bal.balance) || 0));
+          if (claw <= 0) break;
+          try {
+            await loyaltyHandle.adjust({
+              customer_id: customerId,
+              points:      -claw,
+              source:      "earn-reversal",
+              notes:       "reversed ref=" + triggerEventRef,
+            });
+            clawed = claw;
+            break;
+          } catch (err) {
+            // A concurrent spend drained the balance below `claw` between
+            // the read and the adjust. Re-read and retry against the new,
+            // smaller balance. Any other failure escapes to the claim
+            // release below.
+            if (!(err && err.code === "LOYALTY_INSUFFICIENT_BALANCE")) throw err;
+          }
+        }
+      } catch (clawErr) {
+        // The clawback failed for a reason that is NOT the floor-at-zero
+        // refusal (a transient DB fault, an unmigrated ledger). Holding
+        // the claim would be a silent loss: a retry would see the rows
+        // already reversed and no-op while the balance keeps the points.
+        // Release the claim so a later reversal can run, then surface the
+        // original failure. The release is best-effort — if it ALSO
+        // fails, the original error still propagates and the rows stay
+        // claimed for manual reconciliation.
+        try {
+          await query(
+            "UPDATE loyalty_earn_log SET reversed_at = NULL " +
+            "WHERE customer_id = ?1 AND trigger_event_ref = ?2 AND reversed_at = ?3",
+            [customerId, triggerEventRef, ts],
+          );
+        } catch (_releaseErr) { /* drop-silent — the original failure is the signal */ }
+        throw clawErr;
+      }
+    }
+
+    return { reversed_points: earned, clawed_points: clawed };
+  }
+
   // ---- metricsForRule -------------------------------------------------
 
   async function metricsForRule(input) {
@@ -767,6 +872,7 @@ function create(opts) {
     archiveRule:       archiveRule,
     evaluateForEvent:  evaluateForEvent,
     awardForEvent:     awardForEvent,
+    reverseForEvent:   reverseForEvent,
     metricsForRule:    metricsForRule,
     applyBatch:        applyBatch,
   };

package/lib/loyalty.js

@@ -228,6 +228,25 @@ function create(opts) {
     );
   }
 
+  // SQL fragment that derives the tier from a lifetime-points
+  // expression evaluated INSIDE the UPDATE statement, so balance,
+  // lifetime, and tier all move in one atomic write off the row's
+  // live value rather than a stale snapshot. `lifetimeExpr` is the
+  // post-mutation lifetime SQL (e.g. `lifetime_points + ?2`). The
+  // operator-tunable thresholds bind as literals — they're validated
+  // non-negative integers at factory time, never operator input here,
+  // so inlining them keeps the CASE a single self-contained
+  // expression without widening the bound-parameter list per call.
+  // Mirrors computeTier's highest-threshold-first ladder so the SQL
+  // and JS classifications never diverge.
+  function _tierCase(lifetimeExpr) {
+    return "CASE" +
+      " WHEN (" + lifetimeExpr + ") >= " + thresholds.platinum + " THEN 'platinum'" +
+      " WHEN (" + lifetimeExpr + ") >= " + thresholds.gold     + " THEN 'gold'" +
+      " WHEN (" + lifetimeExpr + ") >= " + thresholds.silver   + " THEN 'silver'" +
+      " ELSE 'bronze' END";
+  }
+
   return {
     TIERS:                  TIERS.slice(),
     TX_TYPES:               TX_TYPES.slice(),
@@ -260,24 +279,27 @@ function create(opts) {
 
       var ts = _now();
       await _ensureAccountRow(customerId, ts);
+      // Snapshot the tier ONLY to report `tier_changed` — the balance /
+      // lifetime / tier mutation itself is relative-atomic below, so a
+      // concurrent earn can't clobber this credit (the lost-update the
+      // absolute write suffered). The tier is recomputed in-SQL off the
+      // row's live `lifetime_points`, not this stale snapshot.
       var before = await _readAccount(customerId);
-      var newLifetime = before.lifetime_points + points;
-      var newBalance  = before.balance_points + points;
-      var newTier     = computeTier(newLifetime);
-      var tierChanged = newTier !== before.tier;
-
       await query(
-        "UPDATE loyalty_accounts SET balance_points = ?1, lifetime_points = ?2, " +
-        "tier = ?3, updated_at = ?4 WHERE customer_id = ?5",
-        [newBalance, newLifetime, newTier, ts, customerId],
+        "UPDATE loyalty_accounts SET balance_points = balance_points + ?1, " +
+        "lifetime_points = lifetime_points + ?1, " +
+        "tier = " + _tierCase("lifetime_points + ?1") + ", " +
+        "updated_at = ?2 WHERE customer_id = ?3",
+        [points, ts, customerId],
       );
       await _writeTx(customerId, "earn", points, source, orderId, notes, ts);
 
+      var after = await _readAccount(customerId);
       return {
-        balance:      newBalance,
-        lifetime:     newLifetime,
-        tier:         newTier,
-        tier_changed: tierChanged,
+        balance:      after.balance_points,
+        lifetime:     after.lifetime_points,
+        tier:         after.tier,
+        tier_changed: after.tier !== before.tier,
       };
     },
 
@@ -335,34 +357,45 @@ function create(opts) {
 
       var ts = _now();
       await _ensureAccountRow(customerId, ts);
+      // Snapshot the pre-adjust tier only to report `tier_changed`. The
+      // mutation is relative-atomic with an underflow guard at the SQL
+      // tier so two concurrent adjustments can't lose an update or drive
+      // the balance negative past each other.
       var before = await _readAccount(customerId);
 
-      var newBalance = before.balance_points + delta;
-      if (newBalance < 0) {
-        var ins = new Error("loyalty.adjust: adjustment would underflow balance");
-        ins.code = "LOYALTY_INSUFFICIENT_BALANCE";
-        throw ins;
-      }
       // Positive adjustments also increment lifetime — operators
       // crediting a customer for a service recovery should see that
       // credit count toward tier. Negative adjustments do NOT
       // decrement lifetime (otherwise a clawback could downgrade tier
-      // retroactively, which is a customer-facing surprise).
-      var newLifetime = delta > 0 ? before.lifetime_points + delta : before.lifetime_points;
-      var newTier     = computeTier(newLifetime);
-
-      await query(
-        "UPDATE loyalty_accounts SET balance_points = ?1, lifetime_points = ?2, " +
-        "tier = ?3, updated_at = ?4 WHERE customer_id = ?5",
-        [newBalance, newLifetime, newTier, ts, customerId],
+      // retroactively, which is a customer-facing surprise). The
+      // lifetime delta is therefore the positive part of `delta`.
+      var lifetimeDelta = delta > 0 ? delta : 0;
+      // Conditional UPDATE: the row mutates ONLY when the post-adjust
+      // balance stays non-negative, checked against the row's LIVE
+      // balance (not the stale snapshot). A racing concurrent adjust
+      // that already spent the balance makes this match zero rows, so
+      // we surface the same insufficient-balance refusal rather than
+      // writing a ledger row that diverges from the account.
+      var upd = await query(
+        "UPDATE loyalty_accounts SET balance_points = balance_points + ?1, " +
+        "lifetime_points = lifetime_points + ?2, " +
+        "tier = " + _tierCase("lifetime_points + ?2") + ", " +
+        "updated_at = ?3 WHERE customer_id = ?4 AND balance_points + ?1 >= 0",
+        [delta, lifetimeDelta, ts, customerId],
       );
+      if (Number(upd.rowCount || 0) === 0) {
+        var ins = new Error("loyalty.adjust: adjustment would underflow balance");
+        ins.code = "LOYALTY_INSUFFICIENT_BALANCE";
+        throw ins;
+      }
       await _writeTx(customerId, "adjust", delta, source, null, notes, ts);
 
+      var after = await _readAccount(customerId);
       return {
-        balance:      newBalance,
-        lifetime:     newLifetime,
-        tier:         newTier,
-        tier_changed: newTier !== before.tier,
+        balance:      after.balance_points,
+        lifetime:     after.lifetime_points,
+        tier:         after.tier,
+        tier_changed: after.tier !== before.tier,
       };
     },
 

package/lib/order-export.js

@@ -212,7 +212,8 @@ function _limit(n) {
 // RFC-4180 quoting: every cell wrapped in `"`, embedded `"` doubled.
 // We quote unconditionally — the cost is a few extra bytes per cell;
 // the win is that a downstream parser never has to track quote-vs-
-// bare-cell state for a column with mixed shapes.
+// bare-cell state for a column with mixed shapes. The injection
+// neutralization runs first via the shared vendored primitive.
 function _csvCell(value) {
   var s = _coerceCell(value);
   s = _neutralizeInjection(s);
@@ -227,23 +228,19 @@ function _coerceCell(value) {
   return JSON.stringify(value);
 }
 
-// Numeric-with-sign detector — `+15.00` / `-3.50` / `+0` parse as
-// legitimate amounts and should pass through unmolested. The
-// detector rejects anything with embedded whitespace or trailing
-// non-numeric tail so `+15 SUM(A1)` still gets escaped.
-var _NUMERIC_SIGN_RE = /^[+-](?:\d+(?:\.\d+)?|\.\d+)$/;
-
-// CSV injection neutralization — see OWASP "CSV Injection". A cell
-// beginning with `=`, `+`, `-`, or `@` is interpreted as a formula
-// by most spreadsheet renderers. The defense is to prefix with `'`
-// so the renderer treats the cell as literal text. Signed numerics
-// are the deliberate exception (legitimate amount strings).
+// CSV injection neutralization — composes the vendored b.guardCsv.escapeCell
+// (OWASP "CSV Injection" defense). The vendored primitive is the single
+// shared neutralizer across every CSV export surface (order-export +
+// customer-segments). It prefixes a leading TAB when a cell starts with ANY
+// formula-trigger char — `= + - @` AND the tab / CR / LF / pipe / full-width
+// variants a hand-rolled `= + - @`-only check misses. A leading tab renders
+// as invisible whitespace in a spreadsheet, so the cell reads as text and
+// never evaluates as a formula. The earlier in-tree check exempted signed
+// numerics (`+15.00`); the shared primitive prefixes those too (the safe
+// OWASP posture — `-2+3+cmd|…` is a real injection that begins like an
+// amount), which is the more complete behavior this consolidation buys.
 function _neutralizeInjection(s) {
-  if (s.length === 0) return s;
-  var first = s.charAt(0);
-  if (first !== "=" && first !== "+" && first !== "-" && first !== "@") return s;
-  if ((first === "+" || first === "-") && _NUMERIC_SIGN_RE.test(s)) return s;
-  return "'" + s;
+  return b.guardCsv.escapeCell(s);
 }
 
 function _csvRow(cells) {

package/lib/order.js

@@ -587,6 +587,30 @@ function create(opts) {
       if (result.to === "cancelled" || result.to === "refunded") {
         await _settleGiftCards(orderId);
       }
+      // Loyalty earn-reversal fan-out — fire-and-forget, same discipline
+      // as the earn-on-purchase block below. On a cancel / refund edge for
+      // an order carrying a customer_id, the points awarded when the order
+      // went paid are clawed back off the balance (floored at zero), or a
+      // buy-then-refund mints free rewards. reverseForEvent claims the
+      // earn-log rows with an unreversed predicate, so it is idempotent (a
+      // re-delivered cancel webhook or the reaper racing a refund reverses
+      // exactly once) and a natural no-op for an order that never earned
+      // (a guest order, or one that never reached paid — the never-awarded
+      // earn-log is empty). The award is detached so a loyalty failure
+      // lives in the loyalty ledger's own audit trail, never as an
+      // unhandledRejection and never on the transition's latency.
+      if (loyaltyEarnRules && typeof loyaltyEarnRules.reverseForEvent === "function"
+          && (result.to === "cancelled" || result.to === "refunded")
+          && refreshed && refreshed.customer_id) {
+        var _revCustomer = refreshed.customer_id;
+        var _revOrderId  = refreshed.id;
+        Promise.resolve().then(function () {
+          return loyaltyEarnRules.reverseForEvent({
+            customer_id:       _revCustomer,
+            trigger_event_ref: "order:" + _revOrderId,
+          });
+        }).catch(function () { /* drop-silent — loyalty ledger holds its own audit trail */ });
+      }
       // Fan-out to merchant webhook subscribers is fire-and-forget. The
       // transition has already persisted; the request must not wait on
       // outbound HTTP, or a slow / unreachable endpoint would block the

package/lib/search-ranking.js

@@ -700,6 +700,48 @@ function create(opts) {
       if (input.session_id != null) {
         sessionHash = _hashSession(_sessionIdRaw(input.session_id, "searchRanking.recordSearchEvent"));
       }
+
+      // Server-side click attribution. A `click` carries a `?sq=<query>`
+      // marker from the result link, but the marker is attacker-
+      // controllable: anyone can hit a PDP with `?from=search&sq=dress`
+      // and inflate the click count for "dress" without ever having
+      // seen — let alone clicked through — a real result list. That let
+      // CTR be spoofed and pushed past 100% (more clicks than the
+      // impressions that were ever rendered). When the click carries a
+      // session, we only record it if THAT session already logged an
+      // `impression` for the same (weights_slug, query): the click must
+      // descend from a search the same session actually ran. An
+      // unattributed click (no matching impression for the session) is
+      // dropped — it never reaches the event log, so the rollup can't
+      // count it. Clicks without a session (a session-less worker
+      // deployment, or a click whose session cookie was lost) can't be
+      // attribution-checked, so they record as before; the storefront
+      // attaches the session whenever one exists, so the spoof path is
+      // closed in the deployed configuration.
+      if (eventType === "click" && sessionHash != null) {
+        var imp = await query(
+          "SELECT 1 FROM search_events " +
+          "WHERE weights_slug = ?1 AND query = ?2 AND session_id_hash = ?3 " +
+          "AND event_type = 'impression' LIMIT 1",
+          [weightsSlug, normalizedQuery, sessionHash]
+        );
+        if (!imp.rows.length) {
+          // No impression for this session + query under this weight
+          // set — the click can't be a genuine result-list click-
+          // through. Refuse to record it (drop, don't throw — the hot
+          // path swallows the result).
+          return {
+            query:        normalizedQuery,
+            product_id:   productId,
+            weights_slug: weightsSlug,
+            event_type:   eventType,
+            position:     position,
+            recorded:     false,
+            reason:       "click-without-matching-impression",
+          };
+        }
+      }
+
       var ts = _now();
       await query(
         "INSERT INTO search_events " +
@@ -714,6 +756,7 @@ function create(opts) {
         event_type:   eventType,
         position:     position,
         occurred_at:  ts,
+        recorded:     true,
       };
     },
 
@@ -757,6 +800,19 @@ function create(opts) {
         else if (row.event_type === "click")      clicks      = c;
         else if (row.event_type === "purchase")   purchases   = c;
       }
+      // A single rendered result list (one impression) can legitimately
+      // yield more than one click — the shopper opens a product, returns
+      // to the same list, opens another. So clicks/impressions can
+      // exceed 1.0 even on honest data; an unbounded ratio reads as a
+      // nonsensical ">100% CTR" on the operator dashboard. Bound the
+      // reported CTR at 1.0 so the metric stays interpretable (the raw
+      // counts remain available for an operator who wants the unbounded
+      // figure). conversion_rate is bounded the same way — purchases are
+      // gated by clicks which are gated by impressions, but the bound
+      // keeps the displayed rate honest under the same multi-click
+      // reality.
+      var rawCtr = impressions > 0 ? clicks    / impressions : null;
+      var rawConv = impressions > 0 ? purchases / impressions : null;
       return {
         weights_slug:      weightsSlug,
         from:              from,
@@ -764,8 +820,8 @@ function create(opts) {
         impressions:       impressions,
         clicks:            clicks,
         purchases:         purchases,
-        ctr:               impressions > 0 ? clicks    / impressions : null,
-        conversion_rate:   impressions > 0 ? purchases / impressions : null,
+        ctr:               rawCtr == null  ? null : Math.min(1, rawCtr),
+        conversion_rate:   rawConv == null ? null : Math.min(1, rawConv),
         click_to_purchase: clicks > 0      ? purchases / clicks      : null,
       };
     },