@blamejs/blamejs-shop 0.4.22 → 0.4.24

package/lib/storefront.js

@@ -313,7 +313,10 @@ var LAYOUT =
   "    </div>\n" +
   "  </header>\n" +
   "\n" +
+  "  <div class=\"page-shell\">\n" +
   "  <main id=\"main\">{{body}}</main>\n" +
+  "RAW_SIDEBAR_RAIL" +
+  "  </div>\n" +
   "\n" +
   "  <section class=\"newsletter-band\" aria-labelledby=\"newsletter-title\">\n" +
   "    <div class=\"newsletter-band__inner\">\n" +
@@ -367,6 +370,7 @@ var LAYOUT =
   "        <ul>\n" +
   "          <li><a href=\"/account\">{{footer_operators_account}}</a></li>\n" +
   "          <li><a href=\"/orders\">{{footer_operators_orders}}</a></li>\n" +
+  "          <li><a href=\"/suggestions\">{{footer_operators_suggestions}}</a></li>\n" +
   "          <li><a href=\"mailto:hello@blamejs.shop\">{{footer_operators_contact}}</a></li>\n" +
   "        </ul>\n" +
   "      </div>\n" +
@@ -739,6 +743,243 @@ function _promoBannerHtml(opts, placement) {
   return "";
 }
 
+// ---- sidebar widgets ---------------------------------------------------
+//
+// Operator-curated content blocks rendered in the storefront's right rail.
+// Each page declares an ordered widget list via the admin console's page
+// placement; the storefront resolves the active widgets for the current page
+// + viewer per request and splices the rail into the LAYOUT. Resolution
+// mirrors the announcement bar + promo banners: a short-TTL in-memory cache
+// of every active widget (refreshed out-of-band, fire-and-forget) feeds a
+// SYNCHRONOUS per-request resolver so the picked widgets ride the same locale
+// ALS the page handler reads. No per-request DB read on the hot render path.
+//
+// Edge-cache-safe: a widget's rendered markup is fully operator-authored and
+// global (no per-session / per-customer data is baked in), and the page_key
+// is derived purely from the request path (the edge cache key), so the rail
+// can render at the Cloudflare edge byte-identical with the container (the
+// `worker/render/_lib.js` `sidebarWidget` twin guards the markup). Audience is
+// the same coarse guest / logged_in cookie bucket the other chrome uses;
+// segment audience is skipped at resolve time (the console doesn't offer it).
+//
+// The render is intentionally static per kind — it surfaces the operator's
+// configured copy (headline, message, badge slugs, CTA labels). Dynamic data
+// enrichment (a real recently-viewed product list, a live visitor count, a
+// rendered featured-collection grid) is layered by client islands keyed off
+// the widget's `data-widget-kind` / `data-widget-slug` attributes, which both
+// substrates emit identically — so the server contract stays edge-cacheable
+// and the dynamic layer is progressive enhancement, never a per-render DB hit.
+var _SIDEBAR_TTL_MS = 30000;
+// page_keys the resolver recognises — kept in lockstep with the admin
+// placement editor's page list + `worker/data/sidebar-widgets.js`.
+var _SIDEBAR_PAGE_KEYS = ["home", "collection", "search", "cart", "product"];
+// Cache shape: `byPage[page_key][viewer_kind]` → ordered array of resolved
+// widget rows (already audience + schedule filtered by the primitive's
+// widgetsForPage). The refresh resolves both viewer buckets per page so the
+// sync per-request resolver just indexes in.
+var _sidebarCache = { byPage: Object.create(null), at: 0, inflight: false };
+
+// The page_key for a request path, derived purely from the path (the edge
+// cache key) so the rail stays edge-cacheable. Kept in lockstep with
+// `worker/data/sidebar-widgets.js`'s `sidebarPageKeyForPath`.
+function _sidebarPageKeyForPath(pathname) {
+  if (typeof pathname !== "string" || !pathname.length) return null;
+  if (pathname === "/")                        return "home";
+  if (pathname === "/cart")                    return "cart";
+  if (pathname === "/search")                  return "search";
+  if (pathname.indexOf("/collections/") === 0) return "collection";
+  if (pathname.indexOf("/products/") === 0)    return "product";
+  return null;
+}
+
+// Refresh the per-page resolved-widget cache when it's older than the TTL.
+// Async + fire-and-forget — a slow D1 read never stalls a render; the request
+// resolves against whatever the cache last held (empty on a cold first
+// request, populated within the TTL after). Resolves both viewer buckets for
+// each page so the sync resolver doesn't have to await. The guest bucket is
+// resolved with no customer_id; the logged_in bucket needs a customer_id, but
+// the storefront only buckets on auth-cookie PRESENCE (exact identity isn't
+// known on the cache path) — so logged_in is resolved with a sentinel id, and
+// any segment-audience widget is skipped at resolve time exactly like the
+// announcement bar (the console never offers segment). A non-segment
+// logged_in widget surfaces correctly because widgetsForPage's audience gate
+// for `logged_in` only checks viewer_kind, not the specific customer.
+function _refreshSidebarCache(sidebarWidgets) {
+  if (!sidebarWidgets) return;
+  var now = Date.now();
+  if (_sidebarCache.inflight) return;
+  if (now - _sidebarCache.at < _SIDEBAR_TTL_MS && _sidebarCache.at !== 0) return;
+  _sidebarCache.inflight = true;
+  Promise.resolve()
+    .then(async function () {
+      var nowTs = Date.now();
+      var byPage = Object.create(null);
+      for (var i = 0; i < _SIDEBAR_PAGE_KEYS.length; i += 1) {
+        var key = _SIDEBAR_PAGE_KEYS[i];
+        byPage[key] = { guest: [], logged_in: [] };
+        try {
+          byPage[key].guest = await sidebarWidgets.widgetsForPage({
+            page_key: key, viewer_kind: "guest", now: nowTs,
+          });
+        } catch (_eg) { byPage[key].guest = []; }
+        try {
+          byPage[key].logged_in = await sidebarWidgets.widgetsForPage({
+            page_key: key, viewer_kind: "logged_in",
+            customer_id: SIDEBAR_LOGGED_IN_SENTINEL, now: nowTs,
+          });
+        } catch (_el) {
+          // A segment-audience widget without a wired segments handle throws
+          // here; the cache then falls back to the guest set for the bucket
+          // so a placed all/guest/logged_in widget still renders (the segment
+          // row is the only one that would drop, matching the announcement
+          // bar's segment skip).
+          byPage[key].logged_in = byPage[key].guest;
+        }
+      }
+      _sidebarCache.byPage = byPage;
+      _sidebarCache.at = Date.now();
+    })
+    .catch(function () { /* drop-silent — keep serving the prior cache */ })
+    .then(function () { _sidebarCache.inflight = false; });
+}
+
+// Sentinel customer id for the logged_in cache bucket — a syntactically valid
+// non-empty string the audience gate accepts. The storefront only buckets on
+// auth-cookie presence (it doesn't know the exact customer on the cache
+// path), and a non-segment logged_in widget's audience gate checks only
+// viewer_kind, so the sentinel resolves the same ordered set every signed-in
+// visitor sees. (Segment widgets are skipped — the console never offers one.)
+var SIDEBAR_LOGGED_IN_SENTINEL = "00000000-0000-7000-8000-000000000000";
+
+// Resolve the ordered widget rows for a page_key + viewer from the cache.
+function _resolveSidebarWidgets(pageKey, viewerKind) {
+  if (!pageKey) return [];
+  var page = _sidebarCache.byPage[pageKey];
+  if (!page) return [];
+  var rows = (viewerKind === "logged_in") ? page.logged_in : page.guest;
+  return Array.isArray(rows) ? rows : [];
+}
+
+// Build the markup for a single resolved widget row — BYTE-IDENTICAL to the
+// edge twin `worker/render/_lib.js`'s `sidebarWidget`. Every operator field is
+// HTML-escaped at the sink. Returns "" for a null/garbage row. The kind-
+// specific body surfaces the operator's static configuration; the dynamic
+// kinds carry a `data-widget-*` shell a client island can enrich.
+function _buildSidebarWidget(w, pageKey) {
+  if (!w || typeof w !== "object") return "";
+  var esc = function (s) { return b.template.escapeHtml(String(s == null ? "" : s)); };
+  var kind    = esc(w.kind);
+  var slug    = esc(w.slug);
+  var title   = esc(w.title);
+  var payload = (w.payload && typeof w.payload === "object") ? w.payload : {};
+  // Route an outbound widget link through the container click counter:
+  // `/sidebar/<slug>/click?to=<dest>&page_key=<page>`. The dest + page_key
+  // are derived from operator-validated slugs (narrow charsets), so the href
+  // is byte-identical edge + container; the edge link simply navigates to the
+  // container counter, which records the click + 303s to `to`. A page_key the
+  // builder wasn't given (a unit test rendering a lone widget) links direct.
+  var _clickHref = function (dest) {
+    if (!pageKey) return dest;
+    return "/sidebar/" + slug + "/click?to=" + encodeURIComponent(dest) + "&page_key=" + esc(pageKey);
+  };
+  var inner;
+
+  if (w.kind === "newsletter_signup") {
+    // A no-JS POST to /newsletter (the existing sitewide newsletter handler).
+    // list_id rides as a hidden field; the handler ignores unknown fields.
+    inner =
+      "<form class=\"sidebar-widget__newsletter\" method=\"post\" action=\"/newsletter\">" +
+        "<input type=\"hidden\" name=\"list_id\" value=\"" + esc(payload.list_id) + "\">" +
+        "<label class=\"skip-link\" for=\"sw-news-" + slug + "\">Email</label>" +
+        "<input id=\"sw-news-" + slug + "\" type=\"email\" name=\"email\" required placeholder=\"you@example.com\" autocomplete=\"email\">" +
+        "<button type=\"submit\">" + esc(payload.cta_label || "Subscribe") + "</button>" +
+      "</form>" +
+      (payload.headline ? "<p class=\"sidebar-widget__lede\">" + esc(payload.headline) + "</p>" : "");
+  } else if (w.kind === "trust_badges") {
+    var badges = Array.isArray(payload.badges) ? payload.badges : [];
+    var items = "";
+    for (var i = 0; i < badges.length; i += 1) {
+      items += "<li class=\"sidebar-widget__badge\" data-badge=\"" + esc(badges[i]) + "\">" + esc(badges[i]) + "</li>";
+    }
+    inner = "<ul class=\"sidebar-widget__badges\">" + items + "</ul>";
+  } else if (w.kind === "social_proof") {
+    inner = (payload.headline ? "<p class=\"sidebar-widget__lede\">" + esc(payload.headline) + "</p>" : "") +
+      "<p class=\"sidebar-widget__proof\" data-message-template=\"" + esc(payload.message_template) + "\">" +
+        esc(payload.message_template) + "</p>";
+  } else if (w.kind === "size_chart") {
+    inner = "<a class=\"sidebar-widget__link\" href=\"" + esc(_clickHref("/pages/" + String(payload.chart_slug == null ? "" : payload.chart_slug))) + "\">View size chart</a>";
+  } else if (w.kind === "featured_collection") {
+    inner = "<a class=\"sidebar-widget__link\" href=\"" + esc(_clickHref("/collections/" + String(payload.collection_slug == null ? "" : payload.collection_slug))) +
+      "\" data-collection-slug=\"" + esc(payload.collection_slug) + "\" data-limit=\"" + esc(String(payload.limit == null ? "" : payload.limit)) + "\">Shop the collection</a>";
+  } else if (w.kind === "recently_viewed") {
+    inner = "<div class=\"sidebar-widget__recent\" data-limit=\"" + esc(String(payload.limit == null ? "" : payload.limit)) +
+      "\"><p class=\"sidebar-widget__hint\">Items you've looked at appear here.</p></div>";
+  } else if (w.kind === "live_visitors") {
+    inner = "<div class=\"sidebar-widget__live\" data-window-minutes=\"" + esc(String(payload.window_minutes == null ? "" : payload.window_minutes)) +
+      "\" data-min-threshold=\"" + esc(String(payload.min_threshold == null ? "" : payload.min_threshold)) + "\"></div>";
+  } else if (w.kind === "countdown_timer") {
+    inner = "<div class=\"sidebar-widget__countdown\" data-target-at=\"" + esc(String(payload.target_at == null ? "" : payload.target_at)) + "\">" +
+      "<span class=\"sidebar-widget__countdown-done\">" + esc(payload.completed_label) + "</span></div>";
+  } else if (w.kind === "sticky_addtocart") {
+    inner = "<div class=\"sidebar-widget__sticky\" data-variant-slug=\"" + esc(payload.variant_slug) + "\"></div>";
+  } else {
+    inner = "";
+  }
+
+  return "<section class=\"sidebar-widget sidebar-widget--" + kind +
+      "\" data-widget-slug=\"" + slug + "\" data-widget-kind=\"" + kind + "\">" +
+      "<h2 class=\"sidebar-widget__title\">" + title + "</h2>" +
+      inner +
+    "</section>";
+}
+
+// Fire-and-forget impression bump for a rendered widget. Drop-silent on the
+// hot render path — the counter is supplementary; an absent handle / failed
+// write never affects the response. recordImpression is itself drop-silent.
+function _fireSidebarImpression(handle, slug, pageKey) {
+  if (!handle || typeof handle.recordImpression !== "function" || !slug || !pageKey) return;
+  try {
+    var r = handle.recordImpression({ widget_slug: slug, page_key: pageKey });
+    if (r && typeof r.then === "function") r.then(function () {}, function () {});
+  } catch (_e) { /* drop-silent — impression bump must not affect render */ }
+}
+
+// Build the full right-rail `<aside>` for a page from a list of resolved
+// widget rows. Returns "" for an empty list so a page with no placed widgets
+// renders no rail. BYTE-IDENTICAL to the edge twin (`worker/render/_lib.js`'s
+// `sidebarRail`). Container-side, a best-effort impression fires per rendered
+// widget (the explicit-opts / edge path passes no handle, so it never counts).
+function _buildSidebarRail(rows, opts) {
+  if (!Array.isArray(rows) || !rows.length) return "";
+  var inner = "";
+  var handle = (opts && opts._sidebar_handle) || null;
+  var pageKey = (opts && opts._sidebar_page_key) || null;
+  for (var i = 0; i < rows.length; i += 1) {
+    var html = _buildSidebarWidget(rows[i], pageKey);
+    if (html) {
+      inner += html;
+      if (handle) _fireSidebarImpression(handle, rows[i].slug, pageKey);
+    }
+  }
+  if (!inner) return "";
+  return "<aside class=\"sidebar-rail\" role=\"complementary\" aria-label=\"More from the shop\">" + inner + "</aside>";
+}
+
+// Resolve the pre-rendered rail HTML for the request. An explicit
+// `opts.sidebar_widgets` string (the edge twin / a unit test) wins; otherwise
+// the ALS store carries the resolved rows + the page_key + handle seeded by
+// `sidebarWidgetMiddleware`, and the rail is built (and impressions fired)
+// here on the container render path. Returns "" when no widgets are placed.
+function _sidebarRailHtml(opts) {
+  if (opts && typeof opts.sidebar_widgets === "string") return opts.sidebar_widgets;
+  var storeCtx = _localeAls.getStore();
+  if (!storeCtx || !Array.isArray(storeCtx.sidebar_widgets_rows) || !storeCtx.sidebar_widgets_rows.length) return "";
+  return _buildSidebarRail(storeCtx.sidebar_widgets_rows, {
+    _sidebar_handle:   storeCtx.sidebar_widgets_handle,
+    _sidebar_page_key: storeCtx.sidebar_widgets_page_key,
+  });
+}
+
 // Multi-currency display switcher — a GET form in the footer listing the
 // operator's display currencies. Selecting one POSTs to /currency, which
 // sets the sealed `shop_ccy` cookie and redirects back. The currently
@@ -963,6 +1204,11 @@ function _wrap(opts) {
   // matching render fn, not the LAYOUT.
   var promoTopStrip = _promoBannerHtml(opts, "top_strip");
   var promoFooter   = _promoBannerHtml(opts, "footer");
+  // Sidebar rail — operator-curated right-rail widgets for the current page,
+  // pre-rendered from the ALS-resolved rows (or "" when none are placed).
+  // Byte-identical to the edge `sidebarRail`; container-side this also fires a
+  // best-effort impression per rendered widget.
+  var sidebarRailHtml = _sidebarRailHtml(opts);
   var chrome = localeCtx.chrome;
   var cartCount = opts.cart_count == null ? 0 : opts.cart_count;
   // The cart aria-label carries the count: when the resolved string is
@@ -1058,6 +1304,10 @@ function _wrap(opts) {
   // announcement bar — byte-consistent with the edge `spliceRaw`.
   assembled = _spliceRaw(assembled, "RAW_PROMO_TOP_STRIP", promoTopStrip);
   assembled = _spliceRaw(assembled, "RAW_PROMO_FOOTER", promoFooter);
+  // Sidebar rail — operator widget copy (HTML-escaped, but a `$` can survive),
+  // so splice via the replacer-function helper like the other chrome blocks;
+  // byte-consistent with the edge `spliceRaw`.
+  assembled = _spliceRaw(assembled, "RAW_SIDEBAR_RAIL", sidebarRailHtml);
   // Primary nav — a raw splice (post strict-render) so the chrome strings
   // it consumes (nav_shop / nav_collections / nav_categories /
   // nav_framework / nav_account / nav_menu / nav_cart_aria) need no LAYOUT
@@ -7544,14 +7794,62 @@ function _orderTrackingBlock(shipments) {
     "<ul class=\"order-shipment-list\">" + cards + "</ul></div>";
 }
 
-// Request-a-return + Reorder affordances for an order, gated on its
-// status. Reorder is a POST (it mutates the cart) carrying the order id
-// in the path; Request-a-return links to the existing return form. The
-// same builder feeds the order page and (via _orderRowActions) the
-// dashboard rows so the eligibility rules live in one place.
-function _orderActionsBlock(o) {
+// A printable receipt is offered on the order page once the order has been
+// paid for — a still-pending (unpaid) order has nothing to receipt, and the
+// terminal off-ramps (cancelled / refunded) still get one because a buyer
+// often needs the receipt for a cancelled/refunded purchase's paperwork. The
+// document itself is rendered + streamed by GET /orders/:id/receipt.
+function _orderEligibleForReceipt(status) {
+  return status !== "pending";
+}
+
+// Size of each receipt body chunk written to the socket. 16 KiB keeps the
+// per-write payload small enough that a slow client backpressures naturally
+// while staying large enough that a single-page receipt finishes in a couple
+// of writes.
+var RECEIPT_CHUNK_BYTES = 16 * 1024;
+
+// Yield a rendered receipt document as an async-iterable of bounded chunks so
+// the download route streams it through res.write rather than buffering the
+// whole body. The source (printReceipts.htmlPdf) returns a complete string
+// today; this slices it on UTF-16 boundaries into RECEIPT_CHUNK_BYTES-sized
+// pieces. A source that already yields chunks (a future bulk/multi-page
+// receipt) plugs into the same `for await` loop in the route unchanged.
+async function* _streamReceiptDocument(source) {
+  if (source == null) return;
+  // An already-async-iterable source streams straight through.
+  if (typeof source !== "string" && typeof source[Symbol.asyncIterator] === "function") {
+    for await (var part of source) {
+      if (part != null) yield String(part);
+    }
+    return;
+  }
+  var text = String(source);
+  for (var i = 0; i < text.length; i += RECEIPT_CHUNK_BYTES) {
+    yield text.slice(i, i + RECEIPT_CHUNK_BYTES);
+  }
+}
+
+// Request-a-return + Reorder + Download-receipt affordances for an order,
+// gated on its status. Reorder is a POST (it mutates the cart) carrying the
+// order id in the path; Request-a-return links to the existing return form;
+// Download receipt is a GET that streams an HTML document. The same builder
+// feeds the order page and (via _orderRowActions) the dashboard rows so the
+// eligibility rules live in one place. `accessToken` is the guest order's
+// emailed capability token (?k=) when the page was opened from the email
+// link — carried onto the receipt link so a fresh-device viewer's download
+// re-proves access; empty/absent for owned orders (gated by the session).
+function _orderActionsBlock(o, accessToken) {
   var esc = b.template.escapeHtml;
   var btns = [];
+  if (_orderEligibleForReceipt(o.status)) {
+    var receiptHref = "/orders/" + esc(String(o.id)) + "/receipt";
+    if (typeof accessToken === "string" && accessToken) {
+      receiptHref += "?k=" + esc(encodeURIComponent(accessToken));
+    }
+    btns.push(
+      "<a class=\"btn-secondary order-action\" href=\"" + receiptHref + "\">Download receipt</a>");
+  }
   if (_orderEligibleForReorder(o.status)) {
     btns.push(
       "<form class=\"order-action\" method=\"post\" action=\"/orders/" + esc(String(o.id)) + "/reorder\">" +
@@ -7842,7 +8140,13 @@ function renderOrder(opts) {
   var shipments    = opts.shipments || [];
   var timelineHtml = _orderTimelineBlock(o.status);
   var trackingHtml = _orderTrackingBlock(shipments);
-  var actionsHtml  = _orderActionsBlock(o);
+  // The receipt-download link carries the guest order's ?k= access token when
+  // the page was opened from the emailed capability link, so the download
+  // re-proves access on a device that holds no access cookie yet. Only set on
+  // the container render (the route passes it); never present at the edge,
+  // which doesn't render this page.
+  var ordAccessToken = typeof opts.access_token === "string" ? opts.access_token : "";
+  var actionsHtml  = _orderActionsBlock(o, ordAccessToken);
   // Post-purchase rating panel — container-only (session-gated). The route
   // passes the resolved getRating row (rating) + the eligibility/notice
   // flags; the edge render never does, so the panel is empty at the edge.
@@ -9085,13 +9389,81 @@ function _setSidCookie(req, res, sid) {
   });
 }
 
+// Store-free device-fingerprint binding for the sealed auth cookie. The
+// sealed envelope is tamper-proof but device-PORTABLE: a cookie lifted
+// off one device replays for the full 14-day life on any other. We bind
+// it softly to a SHAKE256 fingerprint of the device shape (User-Agent +
+// sorted Accept-Language / Accept-Encoding) carried INSIDE the sealed
+// envelope, recomputed + constant-time-compared on read. No external
+// store: `binding.fingerprint(req)` is a pure function of the request, so
+// the fingerprint lives in the cookie itself rather than a session table.
+//
+// The IP component is deliberately disabled (`ipPrefixBits {v4:0, v6:0}`):
+// a mobile or VPN visitor roams networks constantly, and signing them out
+// on a network hop is a worse outcome than the residual portability a
+// UA+Accept-only fingerprint leaves. Drift in the device shape is the
+// signal; a network change is not.
+//
+// `b.sessionDeviceBinding.create()` refuses to construct without either a
+// bindingStore or storeInSession — neither of which the store-free
+// `fingerprint()` path touches. Pass a b.cache-shaped no-op so the
+// constructor's opt-shape gate is satisfied; its methods are never called.
+var _NOOP_BINDING_STORE = {
+  get: function () { return undefined; },
+  set: function () { return undefined; },
+  del: function () { return undefined; },
+};
+var _deviceBinding = null;
+function _deviceBindingInstance() {
+  if (!_deviceBinding) {
+    _deviceBinding = b.sessionDeviceBinding.create({
+      bindingStore: _NOOP_BINDING_STORE,
+      ipPrefixBits: { v4: 0, v6: 0 },
+    });
+  }
+  return _deviceBinding;
+}
+
+// The hex device fingerprint for THIS request, or null when it can't be
+// computed (a request shape the primitive refuses). A null fingerprint is
+// stored as "no binding" — the read side skips the check rather than
+// signing the visitor out over a missing signal.
+function _authDeviceFingerprint(req) {
+  try {
+    var fp = _deviceBindingInstance().fingerprint(req);
+    return fp ? fp.toString("hex") : null;
+  } catch (_e) {
+    return null;
+  }
+}
+
 // Auth + WebAuthn-challenge cookies carry a vault-sealed JSON envelope.
 // writeSealed/readSealed handle the seal + the on-wire prefix; the
 // caller works in plain objects.
 function _setAuthCookie(req, res, env) {
   var T = b.constants.TIME;
   var secure = _secureForReq(req);
-  _cookieJar().writeSealed(res, _authCookieName(secure), JSON.stringify(env), {
+  // Stash the device fingerprint inside the sealed envelope at mint time
+  // so a later read can detect a cookie that has moved to a different
+  // device shape. Additive: an env handed in WITHOUT `fp` (a caller that
+  // doesn't know about binding) just gets it filled here.
+  var sealed = env;
+  if (env && env.fp == null) {
+    var fp = _authDeviceFingerprint(req);
+    if (fp) sealed = Object.assign({}, env, { fp: fp });
+  }
+  // Stamp the issued-at so the server-side revocation gate can tell a
+  // cookie minted BEFORE a customer's revocation boundary (erasure /
+  // passkey-revoke / sign-out) from one minted after. A caller that
+  // already set `iat` keeps it; absent, fill it now. Pre-binding cookies
+  // (minted before this shipped) carry none — the gate treats a missing
+  // `iat` as "predates any boundary" so a revoked customer's old cookie
+  // still dies, while a customer with no boundary is unaffected.
+  if (sealed && sealed.iat == null) {
+    sealed = (sealed === env) ? Object.assign({}, env) : sealed;
+    sealed.iat = Date.now();
+  }
+  _cookieJar().writeSealed(res, _authCookieName(secure), JSON.stringify(sealed), {
     expires: new Date(Date.now() + T.days(14)),
     secure:  secure,
   });
@@ -9570,6 +9942,14 @@ var LOGIN_ERROR_MESSAGES = {
   link:            "That sign-in link is invalid or has expired. Request a fresh one.",
 };
 
+// Neutral (non-error) notices surfaced on the sign-in screen. The
+// device-binding soft sign-out lands here: a reassuring "sign in again"
+// message, never an alarming error, and it discloses nothing about WHY
+// (no "your session looked suspicious" — the visitor just signs in again).
+var LOGIN_NOTICE_MESSAGES = {
+  device: "You've been signed out for your security. Please sign in again.",
+};
+
 function renderAccountLogin(opts) {
   opts = opts || {};
   var oauthButtons = "";
@@ -9588,6 +9968,12 @@ function renderAccountLogin(opts) {
   var errHtml = (opts.error && LOGIN_ERROR_MESSAGES[opts.error])
     ? "<p class=\"auth-form__message auth-form__message--err\">" + b.template.escapeHtml(LOGIN_ERROR_MESSAGES[opts.error]) + "</p>"
     : "";
+  // Neutral notice (e.g. the device-binding soft sign-out) renders in the
+  // same slot with non-error styling. Error wins if both are somehow set.
+  if (!errHtml && opts.notice && LOGIN_NOTICE_MESSAGES[opts.notice]) {
+    errHtml = "<p class=\"auth-form__message\" role=\"status\">" +
+      b.template.escapeHtml(LOGIN_NOTICE_MESSAGES[opts.notice]) + "</p>";
+  }
   // Render the email-link path INLINE (a working no-JS form), not as a link
   // to a separate page, so both passwordless paths live on one screen.
   var magicHtml = opts.magic_link_enabled ? LOGIN_MAGIC_INLINE : "";
@@ -10158,9 +10544,13 @@ function renderProfile(opts) {
         "<div class=\"form-row\"><label class=\"form-field\"><span class=\"form-field__label\">Display name</span>" +
           "<input type=\"text\" name=\"display_name\" maxlength=\"128\" required autocomplete=\"name\" value=\"" + displayValue + "\"></label></div>" +
         "<div class=\"form-row\"><label class=\"form-field\"><span class=\"form-field__label\">Email</span>" +
-          "<input type=\"text\" value=\"Hidden for privacy — stored as a one-way hash\" disabled aria-describedby=\"email-note\"></label></div>" +
-        "<p id=\"email-note\" class=\"form-field__hint\">Your email address is never stored in readable form, so it can't be changed or shown here. " +
-          "Sign in with the address you registered. To use a different address, create a new account with it, or contact support if you need help moving your order history.</p>" +
+          "<input type=\"text\" value=\"Stored as a one-way hash — never in readable form\" disabled aria-describedby=\"email-note\"></label></div>" +
+        "<div id=\"email-note\" class=\"form-field__hint\">" +
+          "<p>We never keep your email address in readable form. At sign-up it's run through a one-way hash so we can match you at sign-in without ever storing the address itself — there is no plaintext copy to display here or to edit.</p>" +
+          "<p>Because of that, an email change isn't a field we can offer: keep signing in with the address you registered. " +
+            "To move to a different address, register a new account with it. " +
+            "If you need your past orders carried over to a new address, contact support and we'll help link them.</p>" +
+          "</div>" +
         "<div class=\"form-actions\"><button type=\"submit\" class=\"btn-primary\">Save changes</button> " +
           "<a class=\"btn-ghost\" href=\"/account\">Cancel</a></div>" +
       "</form>" +
@@ -10336,6 +10726,178 @@ function renderSurveyPage(opts) {
   });
 }
 
+// ---- suggestion box (public idea board) --------------------------------
+
+// Customer-facing labels for the suggestion FSM statuses. The operator-side
+// `under_consideration` / `planned` / `shipped` / `declined` map to plain
+// shopper-readable copy; `open` reads as "Open" and `duplicate` rows are
+// never listed publicly (the primitive's listSuggestions filters them out of
+// the default board only by spam/archive, so the page itself skips them).
+var _SUGGESTION_STATUS_LABEL = {
+  open:                "Open",
+  under_consideration: "Under review",
+  planned:             "Planned",
+  shipped:             "Shipped",
+  declined:            "Not planned",
+  duplicate:           "Merged",
+};
+
+// Human label for a suggestion category value.
+var _SUGGESTION_CATEGORY_LABEL = {
+  product_idea:    "Product idea",
+  feature_request: "Feature request",
+  improvement:     "Improvement",
+  complaint:       "Issue",
+  general:         "General",
+};
+
+// One public suggestion row → its card markup. Every operator/customer
+// free-text value (title, body, response) is HTML-escaped at the sink; the
+// vote control is a no-JS POST form so the board works without scripts.
+function _suggestionCard(row, opts) {
+  var esc = function (s) { return b.template.escapeHtml(String(s == null ? "" : s)); };
+  var slug      = esc(row.id);
+  var statusKey = _SUGGESTION_STATUS_LABEL[row.status] ? row.status : "open";
+  var statusLbl = _SUGGESTION_STATUS_LABEL[statusKey];
+  var catLbl    = _SUGGESTION_CATEGORY_LABEL[row.category] || "General";
+  var voteCount = Number(row.vote_count) || 0;
+  var response  = (row.response_text && String(row.response_text).trim().length)
+    ? "<div class=\"suggestion-card__response\"><span class=\"suggestion-card__response-by\">Response from the team</span>" +
+        "<p>" + esc(row.response_text) + "</p></div>"
+    : "";
+  // The vote form is only offered for a row that is still open to voting —
+  // terminal statuses freeze the count at the primitive layer (it refuses a
+  // vote with SUGGESTION_VOTING_CLOSED), so the page omits the control rather
+  // than render a button that always errors.
+  var votable = ["open", "under_consideration", "planned"].indexOf(row.status) !== -1;
+  var voteForm = votable
+    ? "<form class=\"suggestion-card__vote\" method=\"post\" action=\"/suggestions/" + slug + "/vote\">" +
+        "<input type=\"hidden\" name=\"vote\" value=\"upvote\">" +
+        "<button class=\"suggestion-card__vote-btn\" type=\"submit\" aria-label=\"Upvote this suggestion\">" +
+          "<span class=\"suggestion-card__vote-arrow\" aria-hidden=\"true\">&#9650;</span>" +
+          "<span class=\"suggestion-card__vote-count\">" + esc(String(voteCount)) + "</span>" +
+        "</button>" +
+      "</form>"
+    : "<div class=\"suggestion-card__vote suggestion-card__vote--closed\">" +
+        "<span class=\"suggestion-card__vote-arrow\" aria-hidden=\"true\">&#9650;</span>" +
+        "<span class=\"suggestion-card__vote-count\">" + esc(String(voteCount)) + "</span>" +
+      "</div>";
+  return "<article class=\"suggestion-card\" data-suggestion-id=\"" + slug + "\">" +
+      voteForm +
+      "<div class=\"suggestion-card__body\">" +
+        "<div class=\"suggestion-card__meta\">" +
+          "<span class=\"suggestion-card__category\">" + esc(catLbl) + "</span>" +
+          "<span class=\"suggestion-card__status suggestion-card__status--" + esc(statusKey) + "\">" + esc(statusLbl) + "</span>" +
+        "</div>" +
+        "<h3 class=\"suggestion-card__title\">" + esc(row.title) + "</h3>" +
+        "<p class=\"suggestion-card__text\">" + esc(row.body) + "</p>" +
+        response +
+      "</div>" +
+    "</article>";
+}
+
+// Render the public suggestion board: the submit form on top, then the
+// browsable list of existing suggestions with their vote controls. `opts`:
+//   - suggestions : array of hydrated public rows (newest / top-voted)
+//   - sort        : the active sort ("newest" | "top_voted")
+//   - next_cursor : opaque pagination cursor or null
+//   - notice      : a form-level error message (re-rendered submit failure)
+//   - submitted   : truthy after a successful submit (PRG landing)
+//   - voted       : truthy after a vote POST (PRG landing)
+//   - form        : sticky create-form values on a validation re-render
+function renderSuggestionsPage(opts) {
+  opts = opts || {};
+  var esc = function (s) { return b.template.escapeHtml(String(s == null ? "" : s)); };
+  var rows = opts.suggestions || [];
+  var form = opts.form || {};
+
+  var notice = opts.notice
+    ? "<p class=\"form-notice\">" + esc(opts.notice) + "</p>"
+    : "";
+  var flash = "";
+  if (opts.submitted) {
+    flash = "<p class=\"suggestion-flash suggestion-flash--ok\">Thanks — your suggestion is in. The team reviews every idea.</p>";
+  } else if (opts.voted) {
+    flash = "<p class=\"suggestion-flash suggestion-flash--ok\">Thanks for the vote.</p>";
+  }
+
+  var categoryOpts = ["product_idea", "feature_request", "improvement", "complaint", "general"].map(function (c) {
+    var sel = (form.category === c) ? " selected" : "";
+    return "<option value=\"" + c + "\"" + sel + ">" + esc(_SUGGESTION_CATEGORY_LABEL[c]) + "</option>";
+  }).join("");
+
+  var submitForm =
+    "<section class=\"suggestion-submit\">" +
+      "<h2 class=\"suggestion-submit__title\">Have an idea?</h2>" +
+      "<p class=\"suggestion-submit__lede\">Tell us what you'd like to see — a product to stock, a feature to build, or something to fix. Browse and upvote others' ideas below.</p>" +
+      notice +
+      "<form class=\"suggestion-form\" method=\"post\" action=\"/suggestions\">" +
+        "<label class=\"suggestion-form__field\"><span>Title</span>" +
+          "<input type=\"text\" name=\"title\" maxlength=\"200\" required value=\"" + esc(form.title || "") + "\" placeholder=\"A short summary of your idea\"></label>" +
+        "<label class=\"suggestion-form__field\"><span>Details</span>" +
+          "<textarea name=\"body\" maxlength=\"5000\" rows=\"4\" required placeholder=\"What would you like, and why?\">" + esc(form.body || "") + "</textarea></label>" +
+        "<label class=\"suggestion-form__field\"><span>Category</span>" +
+          "<select name=\"category\">" + categoryOpts + "</select></label>" +
+        "<label class=\"suggestion-form__field\"><span>Email (optional)</span>" +
+          "<input type=\"email\" name=\"customer_email\" autocomplete=\"email\" value=\"" + esc(form.customer_email || "") + "\" placeholder=\"So we can follow up — never shown publicly\"></label>" +
+        "<div class=\"suggestion-form__actions\"><button class=\"btn-primary\" type=\"submit\">Submit idea</button></div>" +
+      "</form>" +
+    "</section>";
+
+  // Sort toggle — newest vs most-upvoted. Plain links so the no-JS board
+  // re-queries with the chosen order.
+  var sort = (opts.sort === "top_voted") ? "top_voted" : "newest";
+  var sortToggle =
+    "<div class=\"suggestion-board__sort\">" +
+      "<a class=\"suggestion-board__sort-link" + (sort === "newest" ? " is-active" : "") + "\" href=\"/suggestions\">Newest</a>" +
+      "<a class=\"suggestion-board__sort-link" + (sort === "top_voted" ? " is-active" : "") + "\" href=\"/suggestions?sort=top_voted\">Most wanted</a>" +
+    "</div>";
+
+  var cards = rows.length
+    ? rows.map(function (r) { return _suggestionCard(r, opts); }).join("")
+    : "<p class=\"empty\">No suggestions yet — be the first to share one.</p>";
+
+  // "Load more" is a plain link carrying the opaque cursor (and the active
+  // sort), so pagination works without scripts.
+  var more = "";
+  if (opts.next_cursor) {
+    var moreHref = "/suggestions?" +
+      (sort === "top_voted" ? "sort=top_voted&" : "") +
+      "cursor=" + encodeURIComponent(opts.next_cursor);
+    more = "<div class=\"suggestion-board__more\"><a class=\"btn-ghost\" href=\"" + esc(moreHref) + "\">Load more</a></div>";
+  }
+
+  var board =
+    "<section class=\"suggestion-board\">" +
+      "<div class=\"suggestion-board__head\">" +
+        "<h2 class=\"suggestion-board__title\">What people are asking for</h2>" +
+        sortToggle +
+      "</div>" +
+      "<div class=\"suggestion-board__list\">" + cards + "</div>" +
+      more +
+    "</section>";
+
+  var body =
+    "<section class=\"suggestions-page\"><div class=\"suggestions-page__inner\">" +
+      "<p class=\"eyebrow\">Suggestion box</p>" +
+      "<h1 class=\"suggestions-page__title\">Help shape the shop</h1>" +
+      flash +
+      submitForm +
+      board +
+    "</div></section>";
+
+  return _wrap({
+    title:         "Suggestion box",
+    shop_name:     opts.shop_name || "blamejs.shop",
+    cart_count:    opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:     opts.theme_css,
+    canonical_url: opts.canonical_url,
+    og_url:        opts.og_url,
+    og_description: "Share product ideas, feature requests, and improvements — and upvote what others have suggested.",
+    body:          body,
+  });
+}
+
 // ---- quote (token-gated / account-gated) -------------------------------
 
 // One quote's status → the customer-facing label + lede shown when the quote
@@ -11485,6 +12047,68 @@ function mount(router, deps) {
     });
   }
 
+  // Sidebar-widget resolution — synchronous (so its `enterWith` reaches the
+  // page handler) and audience-bucketed off the auth-cookie presence, exactly
+  // like the announcement bar + promo banners. Derives the page_key from the
+  // request path (the edge cache key), resolves the placed widgets for that
+  // page + viewer from a short-TTL in-memory cache refreshed out-of-band here
+  // (fire-and-forget — never blocks the render), and seeds the request ALS
+  // with the resolved rows + page_key + handle so `_wrap` can build the rail
+  // and fire impressions. Best-effort: any failure drops the rail, never the
+  // page. Only runs for paths that carry a sidebar (home / collection / search
+  // / cart / product); other paths seed nothing.
+  if (typeof router.use === "function" && deps.sidebarWidgets) {
+    router.use(function sidebarWidgetMiddleware(req, _res, next) {
+      try {
+        _refreshSidebarCache(deps.sidebarWidgets);
+        var pathname = "/";
+        try { pathname = new URL(req.url || "/", "http://localhost").pathname || "/"; }
+        catch (_eu) { pathname = "/"; }
+        var pageKey = _sidebarPageKeyForPath(pathname);
+        if (pageKey) {
+          var viewerKind = _readPrefixedCookie(req, AUTH_COOKIE_NAME_SECURE, AUTH_COOKIE_NAME) ? "logged_in" : "guest";
+          var rows = _resolveSidebarWidgets(pageKey, viewerKind);
+          var cur = _localeAls.getStore() || {};
+          _localeAls.enterWith(Object.assign({}, cur, {
+            sidebar_widgets_rows:     rows,
+            sidebar_widgets_page_key: pageKey,
+            sidebar_widgets_handle:   deps.sidebarWidgets,
+          }));
+        }
+      } catch (_e) { /* drop-silent — no rail this request */ }
+      next();
+    });
+
+    // Click pass-through for a widget's outbound link — bumps recordClick
+    // (best-effort, drop-silent) then 303-redirects to a validated same-origin
+    // path supplied in `?to=`. The destination is re-validated at the sink
+    // (a /-rooted path, not protocol-relative `//`), so a hostile/stale value
+    // falls back to "/" and can never open-redirect or 500. `page_key` carries
+    // the page the click occurred on for the per-page CTR breakdown.
+    router.get("/sidebar/:slug/click", async function (req, res) {
+      var slug = (req.params && typeof req.params.slug === "string") ? req.params.slug : "";
+      var url = null;
+      try { url = new URL(req.url || "/", "http://localhost"); } catch (_eu) { url = null; }
+      var toRaw = url ? url.searchParams.get("to") : null;
+      var pageKey = url ? url.searchParams.get("page_key") : null;
+      var to = "/";
+      if (typeof toRaw === "string" && toRaw.charAt(0) === "/" && toRaw.charAt(1) !== "/" &&
+          toRaw.indexOf("\\") === -1 && !/[\x00-\x1f\x7f]/.test(toRaw)) {
+        to = toRaw;
+      }
+      if (/^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$/.test(slug) &&
+          typeof pageKey === "string" && _SIDEBAR_PAGE_KEYS.indexOf(pageKey) !== -1) {
+        try {
+          var r = deps.sidebarWidgets.recordClick({ widget_slug: slug, page_key: pageKey });
+          if (r && typeof r.then === "function") { try { await r; } catch (_e) { /* drop-silent */ } }
+        } catch (_e) { /* unknown slug / read error → still redirect */ }
+      }
+      res.status(303);
+      res.setHeader && res.setHeader("location", to);
+      return res.end ? res.end() : res.send("");
+    });
+  }
+
   // ---- customer survey (token-gated) ----------------------------------
   // The invitation token IS the access — no login. GET renders the survey
   // (or a state notice); POST records the response. Container-only (the
@@ -11572,6 +12196,118 @@ function mount(router, deps) {
     });
   }
 
+  // ---- suggestion box (public idea board) -----------------------------
+  // The customer-driven "tell us what to build" loop. GET renders the
+  // submit form + the browsable, upvotable board; POST submits a new idea;
+  // POST /:id/vote records an upvote. Container-only — the page carries a
+  // per-session `_csrf` token (it is NOT an EDGE_POST_PATHS prefix, so
+  // `_injectCsrfFields` tokens both forms) and is never edge-cached.
+  // Anonymous: no login is required to submit or vote (an optional email is
+  // hashed at the primitive boundary, never stored raw). The submit + vote
+  // POSTs ride the /suggestions tight rate-limit budget. Resilient: a bad
+  // submit re-renders the form with a cleaned notice; an unknown vote target
+  // or a closed suggestion degrades gracefully, never a 500.
+  if (deps.suggestionBox) {
+    var _suggestionCtx = function (_req) {
+      return {
+        shop_name:  (deps.config && deps.config.shop_name) || "blamejs.shop",
+        cart_count: 0,
+        theme_css:  (deps.theme && deps.theme.assetUrl) ? deps.theme.assetUrl("css/main.css") : DEFAULT_THEME_CSS_URL,
+      };
+    };
+
+    // Page size for the public board. The primitive caps at MAX_LIST_LIMIT;
+    // a single screen of cards keeps the first paint light and pages the rest
+    // through the opaque cursor.
+    var _SUGGESTION_PAGE_SIZE = 20;
+
+    // Load a board page for a sort + optional cursor. Drop-silent to an empty
+    // board on any read error (an unmigrated table, a malformed cursor) so the
+    // page renders rather than 500-ing.
+    var _loadSuggestionBoard = async function (sort, cursor) {
+      try {
+        var listOpts = { sort: sort, limit: _SUGGESTION_PAGE_SIZE };
+        if (cursor) listOpts.cursor = cursor;
+        var page = await deps.suggestionBox.listSuggestions(listOpts);
+        return { rows: page.rows || [], next_cursor: page.next_cursor || null, sort: page.sort || sort };
+      } catch (_e) {
+        return { rows: [], next_cursor: null, sort: sort };
+      }
+    };
+
+    router.get("/suggestions", async function (req, res) {
+      var ctx = _suggestionCtx(req);
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var sort = (url && url.searchParams.get("sort") === "top_voted") ? "top_voted" : "newest";
+      var cursor = url ? url.searchParams.get("cursor") : null;
+      var board = await _loadSuggestionBoard(sort, cursor);
+      _send(res, 200, renderSuggestionsPage({
+        suggestions: board.rows,
+        sort:        board.sort,
+        next_cursor: board.next_cursor,
+        submitted:   url && url.searchParams.get("submitted") === "1",
+        voted:       url && url.searchParams.get("voted") === "1",
+        shop_name:   ctx.shop_name, cart_count: ctx.cart_count, theme_css: ctx.theme_css,
+      }));
+    });
+
+    router.post("/suggestions", async function (req, res) {
+      var ctx  = _suggestionCtx(req);
+      var body = req.body || {};
+      // Coerce the form into the submit shape: trimmed title/body, the
+      // category select, and an optional email (blank → omitted, so an
+      // anonymous submission carries no identity). The primitive validates
+      // length / control bytes / category and throws a TypeError on a bad
+      // shape, which we degrade to a re-render of the form with the cleaned
+      // message + the operator's typed values kept sticky.
+      var input = {
+        title:    typeof body.title === "string" ? body.title : "",
+        body:     typeof body.body  === "string" ? body.body  : "",
+        category: typeof body.category === "string" && body.category ? body.category : "general",
+      };
+      var emailRaw = typeof body.customer_email === "string" ? body.customer_email.trim() : "";
+      if (emailRaw) input.customer_email = emailRaw;
+      try {
+        await deps.suggestionBox.submitSuggestion(input);
+      } catch (e) {
+        if (!(e instanceof TypeError)) throw e;
+        var board = await _loadSuggestionBoard("newest", null);
+        return _send(res, 400, renderSuggestionsPage({
+          suggestions: board.rows, sort: board.sort, next_cursor: board.next_cursor,
+          notice: (e.message || "Please check your suggestion.").replace(/^suggestionBox[.:]\s*/, ""),
+          form:   { title: input.title, body: input.body, category: input.category, customer_email: emailRaw },
+          shop_name: ctx.shop_name, cart_count: ctx.cart_count, theme_css: ctx.theme_css,
+        }));
+      }
+      res.status(303);
+      res.setHeader && res.setHeader("location", "/suggestions?submitted=1");
+      return res.end ? res.end() : res.send("");
+    });
+
+    router.post("/suggestions/:id/vote", async function (req, res) {
+      var id = (req.params && typeof req.params.id === "string") ? req.params.id : "";
+      // The vote is keyed on the cart session id so a repeat vote from the
+      // same browser session collapses to a no-op at the storage UNIQUE. A
+      // visitor with no session yet can't be deduped, so we require one — a
+      // session-less POST simply lands back on the board (the primitive needs
+      // a session_id and would throw a TypeError otherwise). The single
+      // supported direction is "upvote" (the board ranks by demand).
+      var sid = _readSidCookie(req);
+      if (sid) {
+        try {
+          await deps.suggestionBox.voteOnSuggestion({ suggestion_id: id, session_id: sid, vote: "upvote" });
+        } catch (_e) {
+          // Unknown id / closed voting / already voted — drop-silent. The
+          // board re-render reflects the live count; a hostile or stale id
+          // can never 500 the route.
+        }
+      }
+      res.status(303);
+      res.setHeader && res.setHeader("location", "/suggestions?voted=1");
+      return res.end ? res.end() : res.send("");
+    });
+  }
+
   // ---- quote (token-gated customer page) ------------------------------
   // A request-for-quote a customer can review + accept / decline via a single
   // capability link (/quote/:token) — no login. The token IS the access (the
@@ -11910,12 +12646,58 @@ function mount(router, deps) {
   // block) and the account routes inside it, so there's one auth-cookie
   // reader rather than a copy per call site. A missing / malformed /
   // expired cookie returns null — never throws.
+  //
+  // Device-binding (soft): an envelope carrying a stashed `fp` is checked
+  // against THIS request's recomputed fingerprint with a constant-time
+  // compare. On drift the visitor reads as signed-out (return null) and a
+  // one-shot `req._authDeviceDrift` flag is set so the page-level gates
+  // clear the now-stale cookie and bounce to a neutral sign-in — never a
+  // hard 401 mid-page. A pre-binding envelope (no `fp`, minted before this
+  // shipped) passes through unchanged until its natural expiry, so a
+  // deploy never mass-signs-out live sessions.
   function _currentCustomerEnv(req) {
     var env = _readAuthEnv(req);
     if (!env || !env.customer_id || !env.exp || env.exp < Date.now()) return null;
+    if (typeof env.fp === "string" && env.fp.length > 0) {
+      var current = _authDeviceFingerprint(req);
+      // A request whose fingerprint can't be recomputed (current === null)
+      // is NOT treated as drift — absence of signal is not evidence of a
+      // moved cookie. Only a present-but-mismatching fingerprint signs out.
+      if (current !== null && !b.crypto.timingSafeEqual(env.fp, current)) {
+        if (req) req._authDeviceDrift = true;
+        return null;
+      }
+    }
     return env;
   }
 
+  // Server-side session-revocation gate. The sealed cookie is otherwise
+  // self-validating for its 14-day TTL, so erasure / passkey-revoke /
+  // sign-out have no way to kill a LIVE cookie without this check. Resolves
+  // the customer's revocation boundary (sessions_valid_from) and reports
+  // whether THIS envelope is revoked:
+  //
+  //   * no boundary (0)            → never revoked, live (the default; a
+  //                                  deploy adding the table signs no-one out)
+  //   * boundary set, cookie iat   → revoked iff iat < boundary
+  //   * boundary set, no iat       → revoked (a pre-`iat` cookie can't prove
+  //                                  it postdates the boundary)
+  //
+  // Best-effort fail-OPEN on a lookup error: a transient D1 blip must not
+  // lock every signed-in customer out of their account. The durable
+  // credential deletion in erasure is the backstop — a fail-open window
+  // can't re-mint a session, only briefly extend an already-issued one.
+  async function _sessionRevoked(env) {
+    if (!env || !env.customer_id) return false;
+    if (!deps.customers || typeof deps.customers.sessionsValidFrom !== "function") return false;
+    var boundary;
+    try { boundary = await deps.customers.sessionsValidFrom(env.customer_id); }
+    catch (_e) { return false; }
+    if (!boundary || boundary <= 0) return false;
+    if (typeof env.iat !== "number") return true;
+    return env.iat < boundary;
+  }
+
   // The operator's order-access signing key (derived in server.js from the
   // app secret, domain-separated). Absent it, the emailed-token access path
   // is inert — the placing-browser cookie and signed-in-owner paths still
@@ -14510,11 +15292,113 @@ function mount(router, deps) {
         cancelled:       ordUrl ? ordUrl.searchParams.get("cancelled") === "1" : false,
         claim_offer:     claimOffer,
         claim_notice:    claimNotice === "sent" ? "sent" : null,
+        // Carry a guest order's emailed access token onto the receipt-download
+        // link so a viewer on a fresh device (cookie not yet stamped) can pull
+        // the receipt. Only forwarded for a guest order opened via ?k= — an
+        // owned order's receipt is gated by the session, so no token is needed
+        // and none is leaked into the page for a signed-in owner.
+        access_token:    (!o.customer_id && ordAccessToken) ? ordAccessToken : "",
         shop_name:       shopName,
         theme:           theme,
       }));
     });
 
+    // GET /orders/:order_id/receipt — stream a downloadable HTML receipt for
+    // an order the requester is allowed to read. Mounts only when the
+    // printReceipts primitive is wired; absent it the order page renders no
+    // download link and this route is never reached. Access is the SAME gate
+    // as GET /orders/:id — an owned order is downloadable only by its
+    // signed-in owner; a guest order needs a capability proof (placing-browser
+    // cookie, emailed ?k= token, or claim cookie). Anything else 404s,
+    // indistinguishable from a missing order, so a stranger can't pull a
+    // receipt (name / address / line items) by guessing an id.
+    //
+    // The document is written to the socket as the render source yields it —
+    // header first, then one chunk per batch via res.write — so the response
+    // never buffers the whole receipt in memory. printReceipts.htmlPdf returns
+    // a complete self-contained HTML document today; _streamReceiptDocument
+    // slices it through an async-iterable so a future streaming receipt source
+    // (a bulk multi-page document) drops into the same bounded-memory loop.
+    if (deps.printReceipts) {
+      router.get("/orders/:order_id/receipt", async function (req, res) {
+        var orderId = req.params && req.params.order_id;
+        var o;
+        // A malformed / unknown id is a missing receipt, not a server fault —
+        // map the TypeError order.get throws on a non-UUID id to the same 404
+        // path a well-formed-but-unknown id takes (mirrors the order page).
+        try { o = orderId ? await deps.order.get(orderId) : null; }
+        catch (e) { if (e instanceof TypeError) { o = null; } else throw e; }
+        if (!o) return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
+        var rcptAuth = _currentCustomerEnv(req);
+        var rcptToken = (req.query && typeof req.query.k === "string") ? req.query.k : "";
+        if (!_orderAccessGranted(req, o, rcptAuth, rcptToken)) {
+          return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
+        }
+        // A receipt only exists once the order is paid for — a still-pending
+        // (unpaid) order has nothing to receipt. Bounce to the order page
+        // rather than render an empty/misleading document.
+        if (!_orderEligibleForReceipt(o.status)) {
+          res.status(303);
+          res.setHeader && res.setHeader("location", "/orders/" + encodeURIComponent(o.id));
+          return res.end ? res.end() : res.send("");
+        }
+        // A guest order opened from the emailed link carries the proof in ?k=;
+        // stamp the device cookie now (idempotent) so a later receipt pull
+        // without the param keeps resolving. Drop-silent: a stamp failure must
+        // never break the download.
+        if (!o.customer_id && rcptToken && !_hasGuestOrderAccessCookie(req, o.id)) {
+          try { _grantGuestOrderAccess(req, res, o.id); } catch (_eGrant) { /* best-effort */ }
+        }
+        // Render the document source. A coded conflict (an order that raced out
+        // of a receiptable state) maps to 409, a not-found shape to 404, BOTH
+        // checked BEFORE the TypeError→400 fallback so a coded error isn't
+        // swallowed as a generic bad-request. Any other failure is a 500.
+        var locale = (req.query && typeof req.query.locale === "string") ? req.query.locale : undefined;
+        var doc;
+        try {
+          doc = await deps.printReceipts.htmlPdf({ order_id: o.id, locale: locale });
+        } catch (e) {
+          var code = (e && typeof e.code === "string") ? e.code : "";
+          if (code === "CONFLICT" || code === "ORDER_TRANSITION_REFUSED") {
+            return _send(res, 409, renderNotFound({ shop_name: shopName, theme: theme }));
+          }
+          if (code === "NOT_FOUND") {
+            return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
+          }
+          if (e instanceof TypeError) {
+            return _send(res, 400, renderNotFound({ shop_name: shopName, theme: theme }));
+          }
+          throw e;
+        }
+        // Header first, then stream the document body per chunk. The filename
+        // is built from the validated UUID order id alone (hex + hyphens),
+        // carrying no quote/CRLF that could break out of the header.
+        var safeId = String(o.id).replace(/[^A-Za-z0-9._-]/g, "");
+        res.status(200);
+        if (res.setHeader) {
+          res.setHeader("content-type", "text/html; charset=utf-8");
+          res.setHeader("content-disposition", "attachment; filename=\"receipt-" + safeId + ".html\"");
+          res.setHeader("x-content-type-options", "nosniff");
+          // The receipt carries the buyer's name + address + line items —
+          // keep it out of any shared/proxy cache.
+          res.setHeader("cache-control", "no-store");
+        }
+        // One chunk per batch as the source yields it — bounded memory
+        // regardless of document size. A response without an incremental
+        // write() (a JSON test stub) falls back to buffering.
+        if (typeof res.write === "function" && typeof res.end === "function") {
+          for await (var chunk of _streamReceiptDocument(doc)) {
+            if (chunk) res.write(chunk);
+          }
+          res.end();
+        } else {
+          var buffered = "";
+          for await (var c2 of _streamReceiptDocument(doc)) buffered += c2;
+          if (res.end) res.end(buffered); else res.send(buffered);
+        }
+      });
+    }
+
     // POST /orders/:order_id/claim-account — the one-click "save your details
     // / create an account" trigger from the confirmation page. Mounts only
     // when the magic-link surface is wired (customerPortal + a mailer); absent
@@ -14747,8 +15631,22 @@ function mount(router, deps) {
       return b.crypto.toBase64Url(buf);
     }
 
-    function _currentCustomer(req) {
-      return _currentCustomerEnv(req);
+    // Resolve the signed-in customer from the sealed cookie AND enforce
+    // server-side revocation: a cookie that passes the stateless checks but
+    // belongs to an erased / re-secured / signed-out session (its `iat`
+    // predates the customer's revocation boundary) is dead. Returning null
+    // here — and stamping `req._sessionRevoked` so the auth gate can show the
+    // revoked notice — centralizes revocation across EVERY authenticated read,
+    // not just the handlers that route through `_accountAuth`. Async because
+    // the boundary is a per-customer DB read (a no-op for anonymous requests,
+    // which short-circuit before any query).
+    async function _currentCustomer(req) {
+      var env = _currentCustomerEnv(req);
+      if (env && await _sessionRevoked(env)) {
+        if (req) req._sessionRevoked = true;
+        return null;
+      }
+      return env;
     }
 
     function _serviceUnavailable(res, msg) {
@@ -14799,7 +15697,7 @@ function mount(router, deps) {
       // send them to their account instead of re-rendering a login form
       // (mirrors the /account guard's auth read + vault-not-configured catch).
       var signedIn;
-      try { signedIn = _currentCustomer(req); }
+      try { signedIn = await _currentCustomer(req); }
       catch (e) {
         if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
         throw e;
@@ -14808,6 +15706,9 @@ function mount(router, deps) {
         res.status(303); res.setHeader && res.setHeader("location", "/account");
         return res.end ? res.end() : res.send("");
       }
+      // A drifted cookie that reached the sign-in screen directly still gets
+      // cleared so the next request carries no stale envelope.
+      if (req && req._authDeviceDrift) _clearAuthCookie(req, res);
       var cartCount = await _cartCountForReq(req);
       var url = req.url ? new URL(req.url, "http://localhost") : null;
       // Login captcha is opt-in (CAPTCHA_GATE_LOGIN). The widget + the scoped
@@ -14827,6 +15728,7 @@ function mount(router, deps) {
         apple_enabled:  !!deps.oauthApple,
         magic_link_enabled: !!(deps.customerPortal && deps.customerPortalEmail),
         error:          url && url.searchParams.get("error"),
+        notice:         url && url.searchParams.get("signed_out"),
         captcha_kind:        captchaLoginOn ? captchaKind   : null,
         captcha_public_key:  captchaLoginOn ? captchaPubKey : null,
       }));
@@ -15241,13 +16143,18 @@ function mount(router, deps) {
 
     router.get("/account", async function (req, res) {
       var auth;
-      try { auth = _currentCustomer(req); }
+      try { auth = await _currentCustomer(req); }
       catch (e) {
         if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
         throw e;
       }
       if (!auth) {
-        res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+        // On device-binding drift, clear the stale cookie + surface a
+        // neutral sign-in notice (matches _accountAuth's soft sign-out).
+        if (req && req._authDeviceDrift) _clearAuthCookie(req, res);
+        res.status(303);
+        res.setHeader && res.setHeader("location",
+          (req && req._authDeviceDrift) ? "/account/login?signed_out=device" : "/account/login");
         return res.end ? res.end() : res.send("");
       }
       var customer = await deps.customers.get(auth.customer_id);
@@ -15323,7 +16230,7 @@ function mount(router, deps) {
     if (deps.order) {
       router.get("/account/orders", async function (req, res) {
         var ordersAuth;
-        try { ordersAuth = _currentCustomer(req); }
+        try { ordersAuth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -15380,7 +16287,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/quotes", async function (req, res) {
-        var auth = _accountAuth(req, res);
+        var auth = await _accountAuth(req, res);
         if (!auth) return;
         var rows = [];
         try { rows = await deps.quotes.quotesForCustomer(auth.customer_id, { limit: 100 }); }
@@ -15392,7 +16299,7 @@ function mount(router, deps) {
       });
 
       router.get("/account/quotes/:id", async function (req, res) {
-        var auth = _accountAuth(req, res);
+        var auth = await _accountAuth(req, res);
         if (!auth) return;
         var q = await _ownedQuote(auth.customer_id, req.params && req.params.id);
         var count = await _cartCountForReq(req);
@@ -15414,7 +16321,7 @@ function mount(router, deps) {
       // machinery is wired, so the holds land at acceptance.
       var _accountQuoteAction = function (action) {
         return async function (req, res) {
-          var auth = _accountAuth(req, res);
+          var auth = await _accountAuth(req, res);
           if (!auth) return;
           var q = await _ownedQuote(auth.customer_id, req.params && req.params.id);
           var count = await _cartCountForReq(req);
@@ -15452,7 +16359,7 @@ function mount(router, deps) {
       // quote's account page. An empty / missing cart re-renders the cart
       // with a notice. The optional `message` field rides along.
       router.post("/account/quotes/request", async function (req, res) {
-        var auth = _accountAuth(req, res);
+        var auth = await _accountAuth(req, res);
         if (!auth) return;
         var sid = _readSidCookie(req);
         var cart = sid ? await deps.cart.bySession(sid) : null;
@@ -15497,15 +16404,35 @@ function mount(router, deps) {
     // registration page drives, but bound to the ALREADY-authed customer
     // (no email form), so a new credential always lands on the right
     // account.
-    function _accountAuth(req, res) {
+    async function _accountAuth(req, res) {
       var auth;
-      try { auth = _currentCustomer(req); }
+      try { auth = await _currentCustomer(req); }
       catch (e) {
         if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
         throw e;
       }
+      // Server-side revocation: a cookie that passes the stateless checks but
+      // belongs to an erased / re-secured / signed-out session is dead.
+      // `_currentCustomer` already enforces this for every authenticated read —
+      // it returns null and stamps `req._sessionRevoked`. Here we turn that into
+      // the soft sign-out (clear the cookie + bounce to a revoked notice) rather
+      // than the generic not-signed-in redirect.
+      if (req && req._sessionRevoked) {
+        _clearAuthCookie(req, res);
+        res.status(303);
+        res.setHeader && res.setHeader("location", "/account/login?signed_out=revoked");
+        res.end ? res.end() : res.send("");
+        return null;
+      }
       if (!auth) {
-        res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+        // Device-binding drift: clear the now-stale cookie and bounce to a
+        // neutral sign-in notice (never a hard 401 mid-page). Any other
+        // not-signed-in case (no cookie, expired) bounces to the plain
+        // login with no notice.
+        if (req && req._authDeviceDrift) _clearAuthCookie(req, res);
+        res.status(303);
+        res.setHeader && res.setHeader("location",
+          (req && req._authDeviceDrift) ? "/account/login?signed_out=device" : "/account/login");
         res.end ? res.end() : res.send("");
         return null;
       }
@@ -15565,7 +16492,7 @@ function mount(router, deps) {
     }
 
     router.get("/account/passkeys", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       await _renderPasskeysPage(req, res, auth, null);
     });
 
@@ -15573,7 +16500,7 @@ function mount(router, deps) {
     // server-rendered confirm page; the POST that actually revokes lives
     // behind it.
     router.get("/account/passkeys/:id/remove", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       var pk = await _ownedPasskey(req, res, auth); if (!pk) return;
       var cartCount = await _cartCountForReq(req);
       _send(res, 200, renderPasskeyRemoveConfirm({
@@ -15584,7 +16511,7 @@ function mount(router, deps) {
     });
 
     router.post("/account/passkeys/:id/revoke", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       var pk = await _ownedPasskey(req, res, auth); if (!pk) return;
       // Last-credential guard: refuse to remove the only sign-in method
       // when there's no federated fallback — surface a clear notice rather
@@ -15613,7 +16540,7 @@ function mount(router, deps) {
     // on both so an add-finish can't be replayed against a register/login
     // challenge.
     router.post("/account/passkey/add-begin", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       try {
         var customer = await deps.customers.get(auth.customer_id);
         if (!customer) { res.status(401); return res.end ? res.end("unknown customer") : res.send("unknown customer"); }
@@ -15655,7 +16582,7 @@ function mount(router, deps) {
     });
 
     router.post("/account/passkey/add-finish", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       try {
         var env = _readChallengeEnv(req);
         if (!env) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
@@ -15767,7 +16694,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/payment-methods", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         await _renderPaymentMethodsPage(req, res, auth, null);
       });
 
@@ -15777,7 +16704,7 @@ function mount(router, deps) {
       // script). Requires the publishable key; absent it, a 503 like the pay
       // page.
       router.get("/account/payment-methods/add", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var pk = deps.stripe_publishable_key || "";
         if (!pk) {
           return _send(res, 503, _wrap({
@@ -15804,7 +16731,7 @@ function mount(router, deps) {
       // the customers table; Stripe dedupes by metadata/email) — acceptable
       // v1, documented in the build spec.
       router.post("/account/payment-methods/setup-intent", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         function _json(status, obj) {
           res.status(status);
           res.setHeader && res.setHeader("content-type", "application/json; charset=utf-8");
@@ -15827,7 +16754,7 @@ function mount(router, deps) {
       // pm_… → its display fields → stores via paymentMethods.add. A
       // duplicate token (already on file) is an idempotent notice, not a 500.
       router.post("/account/payment-methods", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var body = req.body || {};
         var setupIntentId = typeof body.setup_intent_id === "string" ? body.setup_intent_id : "";
         if (!setupIntentId) return _renderPaymentMethodsPage(req, res, auth, "Couldn't add that card — please try again.", 400);
@@ -15862,7 +16789,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/payment-methods/:id/default", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var pm = await _ownedPaymentMethod(req, res, auth); if (!pm) return;
         try { await deps.paymentMethods.setDefault(pm.id); }
         catch (e) {
@@ -15876,7 +16803,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/payment-methods/:id/archive", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var pm = await _ownedPaymentMethod(req, res, auth); if (!pm) return;
         try { await deps.paymentMethods.archive({ payment_method_id: pm.id, reason: "customer_request" }); }
         catch (e) {
@@ -15909,7 +16836,7 @@ function mount(router, deps) {
     }
 
     router.get("/account/profile", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       var customer = await deps.customers.get(auth.customer_id);
       if (!customer) {
         _clearAuthCookie(req, res);
@@ -15920,7 +16847,7 @@ function mount(router, deps) {
     });
 
     router.post("/account/profile", async function (req, res) {
-      var auth = _accountAuth(req, res); if (!auth) return;
+      var auth = await _accountAuth(req, res); if (!auth) return;
       var customer = await deps.customers.get(auth.customer_id);
       if (!customer) {
         _clearAuthCookie(req, res);
@@ -16163,7 +17090,7 @@ function mount(router, deps) {
       // a forged slug can't drive an open redirect).
       router.post("/wishlist/toggle", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16203,7 +17130,7 @@ function mount(router, deps) {
       // archived renders as "unavailable" (the row is orphan-tolerant).
       router.get("/account/wishlist", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16319,7 +17246,7 @@ function mount(router, deps) {
       if (deps.wishlistAlerts) {
         router.post("/account/wishlist/alerts", async function (req, res) {
           var auth;
-          try { auth = _currentCustomer(req); }
+          try { auth = await _currentCustomer(req); }
           catch (e) {
             if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
             throw e;
@@ -16353,7 +17280,7 @@ function mount(router, deps) {
       if (deps.wishlistDigest) {
         router.post("/account/wishlist/digest", async function (req, res) {
           var auth;
-          try { auth = _currentCustomer(req); }
+          try { auth = await _currentCustomer(req); }
           catch (e) {
             if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
             throw e;
@@ -16463,7 +17390,7 @@ function mount(router, deps) {
       // redirect so the one-time URL is shown.
       router.post("/wishlist/share", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16502,7 +17429,7 @@ function mount(router, deps) {
       // its id (IDOR).
       router.post("/wishlist/share/:share_id/revoke", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16649,7 +17576,7 @@ function mount(router, deps) {
       // its progress rollup, plus the create form.
       router.get("/account/registry", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16683,7 +17610,7 @@ function mount(router, deps) {
       // shopper can only ever create a registry under their own id.
       router.post("/account/registry", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16742,7 +17669,7 @@ function mount(router, deps) {
       // slug) 404s.
       router.get("/account/registry/:slug", async function (req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
           throw e;
@@ -16809,7 +17736,7 @@ function mount(router, deps) {
       // session customer owns. Ownership-scoped (404 on a foreign / unknown
       // registry).
       router.post("/account/registry/:slug/items", async function (req, res) {
-        var auth = _registryAuthOrRedirect(req, res);
+        var auth = await _registryAuthOrRedirect(req, res);
         if (!auth) return;
         var slug = (req.params && req.params.slug) || "";
         var reg = await _ownedRegistry(slug, auth.customer_id);
@@ -16837,7 +17764,7 @@ function mount(router, deps) {
       // POST /account/registry/:slug/items/:item_id/remove — archive an item
       // on a registry the session customer owns.
       router.post("/account/registry/:slug/items/:item_id/remove", async function (req, res) {
-        var auth = _registryAuthOrRedirect(req, res);
+        var auth = await _registryAuthOrRedirect(req, res);
         if (!auth) return;
         var slug = (req.params && req.params.slug) || "";
         var reg = await _ownedRegistry(slug, auth.customer_id);
@@ -16861,7 +17788,7 @@ function mount(router, deps) {
       // (title / recipient_name / event_date / privacy) on a registry the
       // session customer owns.
       router.post("/account/registry/:slug/edit", async function (req, res) {
-        var auth = _registryAuthOrRedirect(req, res);
+        var auth = await _registryAuthOrRedirect(req, res);
         if (!auth) return;
         var slug = (req.params && req.params.slug) || "";
         var reg = await _ownedRegistry(slug, auth.customer_id);
@@ -16893,7 +17820,7 @@ function mount(router, deps) {
       // POST /account/registry/:slug/close — close a registry the session
       // customer owns (the only FSM transition; refuses further mutation).
       router.post("/account/registry/:slug/close", async function (req, res) {
-        var auth = _registryAuthOrRedirect(req, res);
+        var auth = await _registryAuthOrRedirect(req, res);
         if (!auth) return;
         var slug = (req.params && req.params.slug) || "";
         var reg = await _ownedRegistry(slug, auth.customer_id);
@@ -17023,7 +17950,7 @@ function mount(router, deps) {
         var buyerId = null;
         if (reveal) {
           var giverAuth = null;
-          try { giverAuth = _currentCustomer(req); } catch (_e) { giverAuth = null; }
+          try { giverAuth = await _currentCustomer(req); } catch (_e) { giverAuth = null; }
           if (giverAuth && giverAuth.customer_id) buyerId = giverAuth.customer_id;
           else reveal = false;   // not signed in → fall back to anonymous
         }
@@ -17054,9 +17981,9 @@ function mount(router, deps) {
       // Shared owner-route auth gate: resolve the session customer or send the
       // redirect / 503 and return null. Mirrors the wishlist `_savedAuth`
       // shape so every owner registry write funnels through one check.
-      function _registryAuthOrRedirect(req, res) {
+      async function _registryAuthOrRedirect(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -17111,9 +18038,9 @@ function mount(router, deps) {
     // Save for later — move a cart line into a per-customer holding
     // list and back. Login required (the list is per-customer).
     if (deps.saveForLater) {
-      function _savedAuth(req, res) {
+      async function _savedAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -17129,7 +18056,7 @@ function mount(router, deps) {
       // POST /cart/lines/:line_id/save — move the line out of the cart
       // into the customer's saved list. Redirects back to /cart.
       router.post("/cart/lines/:line_id/save", async function (req, res) {
-        var auth = _savedAuth(req, res);
+        var auth = await _savedAuth(req, res);
         if (!auth) return;
         var sid = _readSidCookie(req);
         var cart = sid ? await deps.cart.bySession(sid) : null;
@@ -17153,7 +18080,7 @@ function mount(router, deps) {
 
       // GET /account/saved — the customer's saved-for-later list.
       router.get("/account/saved", async function (req, res) {
-        var auth = _savedAuth(req, res);
+        var auth = await _savedAuth(req, res);
         if (!auth) return;
         var page = await deps.saveForLater.listForCustomer({ customer_id: auth.customer_id, limit: 50 });
         var items = [];
@@ -17184,7 +18111,7 @@ function mount(router, deps) {
       // POST /saved/:save_id/move-to-cart — move a saved row back into
       // the session cart (created if absent). Redirects to /cart.
       router.post("/saved/:save_id/move-to-cart", async function (req, res) {
-        var auth = _savedAuth(req, res);
+        var auth = await _savedAuth(req, res);
         if (!auth) return;
         var resolved = await _getOrCreateCart(req, res, "USD");
         try {
@@ -17224,7 +18151,7 @@ function mount(router, deps) {
 
       // POST /saved/:save_id/remove — drop a saved row.
       router.post("/saved/:save_id/remove", async function (req, res) {
-        var auth = _savedAuth(req, res);
+        var auth = await _savedAuth(req, res);
         if (!auth) return;
         try {
           await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
@@ -17242,9 +18169,9 @@ function mount(router, deps) {
     // (the primitive operates by id alone, so ownership is enforced here
     // to prevent cross-customer access via a guessed id).
     if (deps.addresses) {
-      function _addrAuth(req, res) {
+      async function _addrAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -17333,18 +18260,18 @@ function mount(router, deps) {
       }
 
       router.get("/account/addresses", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         await _renderAddrPage(req, res, auth, null);
       });
 
       router.get("/account/addresses/:id/edit", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         var addr = await _ownedAddress(req, res, auth); if (!addr) return;
         await _renderAddrPage(req, res, auth, addr);
       });
 
       router.post("/account/addresses", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         try {
           await deps.addresses.add(_addrInput(req.body || {}, auth.customer_id));
         } catch (e) {
@@ -17359,7 +18286,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/addresses/:id", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         var addr = await _ownedAddress(req, res, auth); if (!addr) return;
         try {
           await deps.addresses.update(addr.id, _addrInput(req.body || {}, auth.customer_id));
@@ -17377,7 +18304,7 @@ function mount(router, deps) {
 
       function _addrAction(verb, okKind, fn) {
         router.post("/account/addresses/:id/" + verb, async function (req, res) {
-          var auth = _addrAuth(req, res); if (!auth) return;
+          var auth = await _addrAuth(req, res); if (!auth) return;
           var addr = await _ownedAddress(req, res, auth); if (!addr) return;
           try { await fn(addr.id); }
           catch (e) {
@@ -17396,7 +18323,7 @@ function mount(router, deps) {
       // actually archives lives behind that page. The list then surfaces a
       // success notice with an Undo (unarchive) control.
       router.get("/account/addresses/:id/remove", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         var addr = await _ownedAddress(req, res, auth); if (!addr) return;
         var cartCount = await _cartCountForReq(req);
         _send(res, 200, renderAddressRemoveConfirm({
@@ -17407,7 +18334,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/addresses/:id/archive", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         var addr = await _ownedAddress(req, res, auth); if (!addr) return;
         try { await deps.addresses.archive(addr.id); }
         catch (e) {
@@ -17424,7 +18351,7 @@ function mount(router, deps) {
       // address is archived by definition here) but still enforces
       // customer ownership before un-archiving.
       router.post("/account/addresses/:id/unarchive", async function (req, res) {
-        var auth = _addrAuth(req, res); if (!auth) return;
+        var auth = await _addrAuth(req, res); if (!auth) return;
         var addr;
         try { addr = await deps.addresses.get(req.params && req.params.id); }
         catch (e) {
@@ -17463,9 +18390,9 @@ function mount(router, deps) {
       // handle. The list above stays a read-only view when this is absent.
       var subControls = deps.subscriptionControls || null;
 
-      function _subsAuth(req, res) {
+      async function _subsAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -17522,7 +18449,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/subscriptions", async function (req, res) {
-        var auth = _subsAuth(req, res); if (!auth) return;
+        var auth = await _subsAuth(req, res); if (!auth) return;
         var rows = await _subsForCustomer(auth.customer_id);
         var cartCount = await _cartCountForReq(req);
         var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -17605,7 +18532,7 @@ function mount(router, deps) {
         // currently-active subscription; a paused/cancelled row bounces
         // back to the list.
         router.get("/account/subscriptions/:id/pause", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedManageableSubscription(req, res, auth); if (!sub) return;
           if (_subscriptionControlState(sub) !== "active") return _redirect(res, "");
           if (sub.plan_id != null) {
@@ -17621,7 +18548,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/pause", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedManageableSubscription(req, res, auth); if (!sub) return;
           try {
             await subControls.pause({ subscription_id: sub.id, reason: "customer self-service pause", actor: SELF_ACTOR });
@@ -17633,7 +18560,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/resume", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedManageableSubscription(req, res, auth); if (!sub) return;
           try {
             await subControls.resume({ subscription_id: sub.id, reason: "customer self-service resume", actor: SELF_ACTOR });
@@ -17645,7 +18572,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/skip", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedManageableSubscription(req, res, auth); if (!sub) return;
           try {
             await subControls.skipNext({ subscription_id: sub.id, count: 1, reason: "customer self-service skip", actor: SELF_ACTOR });
@@ -17657,7 +18584,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/quantity", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedManageableSubscription(req, res, auth); if (!sub) return;
           // Backend validates: a non-positive / non-integer / missing value
           // is a client error → bounce with the quantity error code rather
@@ -17684,7 +18611,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/frequency", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedManageableSubscription(req, res, auth); if (!sub) return;
           // Backend validates: reject anything outside the allowed cadence
           // enum before composing the primitive.
@@ -17701,7 +18628,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/reactivate", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           // Reactivate is the recovery path for a cancelled subscription,
           // so it is NOT gated on the terminal-status guard (a Stripe-
           // canceled status is the normal state of a row being
@@ -17726,7 +18653,7 @@ function mount(router, deps) {
         // immediate cancel. A subscription that isn't cancelable
         // (already canceled / winding down) redirects back to the list.
         router.get("/account/subscriptions/:id/cancel", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedSubscription(req, res, auth); if (!sub) return;
           if (!_subscriptionIsCancelable(sub)) {
             res.status(303); res.setHeader && res.setHeader("location", "/account/subscriptions");
@@ -17747,7 +18674,7 @@ function mount(router, deps) {
         });
 
         router.post("/account/subscriptions/:id/cancel", async function (req, res) {
-          var auth = _subsAuth(req, res); if (!auth) return;
+          var auth = await _subsAuth(req, res); if (!auth) return;
           var sub = await _ownedSubscription(req, res, auth); if (!sub) return;
           // Default cancel-at-period-end (the customer keeps access through
           // the period they've paid for); the form opts into immediate via
@@ -17778,9 +18705,9 @@ function mount(router, deps) {
     // the launch flow later converts it into a regular (Stripe-gated) order.
     // Mounts only when the preorder primitive is wired.
     if (preorder) {
-      function _preorderAuth(req, res) {
+      async function _preorderAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -17812,7 +18739,7 @@ function mount(router, deps) {
       // shows. Over-cap / closed / missing campaign → a clean 4xx PRG back to
       // the PDP with a fixed ?preorder error code (no raw error text).
       router.post("/products/:slug/preorder", async function (req, res) {
-        var auth = _preorderAuth(req, res); if (!auth) return;
+        var auth = await _preorderAuth(req, res); if (!auth) return;
         var slug = req.params && req.params.slug;
         var enc = encodeURIComponent(slug || "");
         var product = slug ? await deps.catalog.products.bySlug(slug) : null;
@@ -17895,7 +18822,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/preorders", async function (req, res) {
-        var auth = _preorderAuth(req, res); if (!auth) return;
+        var auth = await _preorderAuth(req, res); if (!auth) return;
         var rows = await _preordersForCustomer(auth.customer_id);
         var cartCount = await _cartCountForReq(req);
         var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -17915,7 +18842,7 @@ function mount(router, deps) {
       // non-active reservation (already converted / cancelled) is a clean PRG
       // back to the list, not a 500.
       router.post("/account/preorders/:id/cancel", async function (req, res) {
-        var auth = _preorderAuth(req, res); if (!auth) return;
+        var auth = await _preorderAuth(req, res); if (!auth) return;
         var resv = await _ownedReservation(req, res, auth); if (!resv) return;
         try {
           await preorder.cancelReservation({ reservation_id: resv.id, reason: "customer-cancelled" });
@@ -17935,9 +18862,9 @@ function mount(router, deps) {
     // the admin /admin/returns queue. Needs the returns primitive + an
     // order handle (to load + ownership-check the order being returned).
     if (deps.returns && deps.order) {
-      function _returnsAuth(req, res) {
+      async function _returnsAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -18001,7 +18928,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/returns", async function (req, res) {
-        var auth = _returnsAuth(req, res); if (!auth) return;
+        var auth = await _returnsAuth(req, res); if (!auth) return;
         var page = await deps.returns.listForCustomer(auth.customer_id, { limit: 50 });
         var cartCount = await _cartCountForReq(req);
         var retUrl = req.url ? new URL(req.url, "http://localhost") : null;
@@ -18018,7 +18945,7 @@ function mount(router, deps) {
       // through _ownedReturn (foreign / unknown / malformed id → 404). A
       // return with no issued label renders a neutral "no label yet" state.
       router.get("/account/returns/:id", async function (req, res) {
-        var auth = _returnsAuth(req, res); if (!auth) return;
+        var auth = await _returnsAuth(req, res); if (!auth) return;
         var rma = await _ownedReturn(req, res, auth); if (!rma) return;
         var label = await _labelForReturn(rma.id);
         var events = [];
@@ -18046,7 +18973,7 @@ function mount(router, deps) {
       // primitive is wired.
       if (deps.returnLabels) {
         router.get("/account/returns/:id/label", async function (req, res) {
-          var auth = _returnsAuth(req, res); if (!auth) return;
+          var auth = await _returnsAuth(req, res); if (!auth) return;
           var rma = await _ownedReturn(req, res, auth); if (!rma) return;
           var label = await _labelForReturn(rma.id);
           if (!label || !label.label_url) {
@@ -18066,7 +18993,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/orders/:order_id/return", async function (req, res) {
-        var auth = _returnsAuth(req, res); if (!auth) return;
+        var auth = await _returnsAuth(req, res); if (!auth) return;
         var order = await _ownedOrder(req, res, auth); if (!order) return;
         var cartCount = await _cartCountForReq(req);
         // An ineligible order (unpaid, cancelled, or already refunded) never
@@ -18085,7 +19012,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/orders/:order_id/return", async function (req, res) {
-        var auth = _returnsAuth(req, res); if (!auth) return;
+        var auth = await _returnsAuth(req, res); if (!auth) return;
         var order = await _ownedOrder(req, res, auth); if (!order) return;
         var body = req.body || {};
         var cartCount = await _cartCountForReq(req);
@@ -18162,9 +19089,9 @@ function mount(router, deps) {
     // exactly like the returns + support gates. The exchange primitive
     // moves a row by id alone, so the route owns the ownership decision.
     if (deps.orderExchanges && deps.order) {
-      function _exchangeAuth(req, res) {
+      async function _exchangeAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -18247,7 +19174,7 @@ function mount(router, deps) {
       // primitive resolves the customer→order linkage through the injected
       // order handle, so a foreign order's exchange never appears here.
       router.get("/account/exchanges", async function (req, res) {
-        var auth = _exchangeAuth(req, res); if (!auth) return;
+        var auth = await _exchangeAuth(req, res); if (!auth) return;
         var exchanges = [];
         try { exchanges = await deps.orderExchanges.exchangesForCustomer(auth.customer_id, { limit: 100 }); }
         catch (e) { if (!(e instanceof TypeError)) throw e; exchanges = []; }
@@ -18264,7 +19191,7 @@ function mount(router, deps) {
       // One exchange's status detail. Ownership-scoped through the parent
       // order (foreign / unknown → 404).
       router.get("/account/exchanges/:id", async function (req, res) {
-        var auth = _exchangeAuth(req, res); if (!auth) return;
+        var auth = await _exchangeAuth(req, res); if (!auth) return;
         var exchange = await _ownedExchange(req, res, auth); if (!exchange) return;
         var cartCount = await _cartCountForReq(req);
         _send(res, 200, renderExchangeDetail({ exchange: exchange, shop_name: shopName, cart_count: cartCount }));
@@ -18273,7 +19200,7 @@ function mount(router, deps) {
       // The exchange-request form for one of the customer's own orders,
       // gated on the same eligibility window as a return.
       router.get("/account/orders/:order_id/exchange", async function (req, res) {
-        var auth = _exchangeAuth(req, res); if (!auth) return;
+        var auth = await _exchangeAuth(req, res); if (!auth) return;
         var order = await _ownedOrderForExchange(req, res, auth); if (!order) return;
         var cartCount = await _cartCountForReq(req);
         if (!_orderEligibleForExchange(order.status)) {
@@ -18292,7 +19219,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/orders/:order_id/exchange", async function (req, res) {
-        var auth = _exchangeAuth(req, res); if (!auth) return;
+        var auth = await _exchangeAuth(req, res); if (!auth) return;
         var order = await _ownedOrderForExchange(req, res, auth); if (!order) return;
         var body = req.body || {};
         var cartCount = await _cartCountForReq(req);
@@ -18390,7 +19317,7 @@ function mount(router, deps) {
     // when the primitive is wired.
     if (deps.clickAndCollect) {
       router.get("/account/pickups", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var schedules = [];
         try { schedules = await deps.clickAndCollect.customerSchedules(auth.customer_id); }
         catch (e) { if (!(e instanceof TypeError)) throw e; schedules = []; }
@@ -18415,9 +19342,9 @@ function mount(router, deps) {
     if (deps.supportTickets) {
       var support = deps.supportTickets;
 
-      function _supportAuth(req, res) {
+      async function _supportAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -18452,7 +19379,7 @@ function mount(router, deps) {
 
       // The customer's own ticket list, scoped to their session customer_id.
       router.get("/account/support", async function (req, res) {
-        var auth = _supportAuth(req, res); if (!auth) return;
+        var auth = await _supportAuth(req, res); if (!auth) return;
         var tickets = await support.listByCustomerId(auth.customer_id, { limit: 100 });
         var cartCount = await _cartCountForReq(req);
         var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -18467,7 +19394,7 @@ function mount(router, deps) {
       // The new-ticket form. Offers the customer's recent orders as an
       // optional attachment.
       router.get("/account/support/new", async function (req, res) {
-        var auth = _supportAuth(req, res); if (!auth) return;
+        var auth = await _supportAuth(req, res); if (!auth) return;
         var orders = [];
         if (deps.order) {
           try {
@@ -18493,7 +19420,7 @@ function mount(router, deps) {
       // email shape and surfaces a TypeError on bad input as a clean
       // re-render, never a 500.
       router.post("/account/support", async function (req, res) {
-        var auth = _supportAuth(req, res); if (!auth) return;
+        var auth = await _supportAuth(req, res); if (!auth) return;
         var body = req.body || {};
         var cartCount = await _cartCountForReq(req);
 
@@ -18544,7 +19471,7 @@ function mount(router, deps) {
       // Internal operator notes are filtered out before render — the
       // customer never sees an internal=1 message.
       router.get("/account/support/:id", async function (req, res) {
-        var auth = _supportAuth(req, res); if (!auth) return;
+        var auth = await _supportAuth(req, res); if (!auth) return;
         var ticket = await _ownedTicket(req, res, auth); if (!ticket) return;
         var thread = await support.thread(ticket.id);
         var visible = (thread.messages || []).filter(function (m) { return Number(m.internal) !== 1; });
@@ -18564,7 +19491,7 @@ function mount(router, deps) {
       // SUPPORT_TICKET_CLOSED error — surfaced as a 409 re-render, never a
       // 500). author is pinned to "customer".
       router.post("/account/support/:id/reply", async function (req, res) {
-        var auth = _supportAuth(req, res); if (!auth) return;
+        var auth = await _supportAuth(req, res); if (!auth) return;
         var ticket = await _ownedTicket(req, res, auth); if (!ticket) return;
         var body = req.body || {};
         var cartCount = await _cartCountForReq(req);
@@ -18625,7 +19552,7 @@ function mount(router, deps) {
       var streamDsr   = deps.streamDsrBundle;
 
       router.get("/account/privacy", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var history = [];
         try { history = await dsr.auditForCustomer(auth.customer_id); } catch (_e) { history = []; }
         var cartCount = await _cartCountForReq(req);
@@ -18643,7 +19570,7 @@ function mount(router, deps) {
       // with a notice, never a 500. No row is created on a bad enum (the
       // primitive validates before INSERT).
       router.post("/account/privacy/export", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var body = req.body || {};
         try {
           await dsr.requestExport({
@@ -18672,7 +19599,7 @@ function mount(router, deps) {
       });
 
       router.get("/account/delete", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var cartCount = await _cartCountForReq(req);
         _send(res, 200, renderAccountDelete({ shop_name: shopName, cart_count: cartCount }));
       });
@@ -18682,7 +19609,7 @@ function mount(router, deps) {
       // (the operator reviews identity + runs processDeletion from the admin
       // queue). A bad enum / empty reason throws TypeError → a 400 re-render.
       router.post("/account/delete", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var body = req.body || {};
         try {
           await dsr.requestDeletion({
@@ -18714,7 +19641,7 @@ function mount(router, deps) {
       // a fulfilled/delivered export, then stream. Status + ownership are
       // validated BEFORE the first write (the bundle streams header-first).
       router.get("/account/privacy/:id/export.json", async function (req, res) {
-        var auth = _accountAuth(req, res); if (!auth) return;
+        var auth = await _accountAuth(req, res); if (!auth) return;
         var row;
         try { row = await dsr.getRequest(req.params && req.params.id); }
         catch (e) {
@@ -18738,9 +19665,9 @@ function mount(router, deps) {
     // control. Login-gated; a read failure on any optional sub-read
     // degrades that section to empty rather than 500-ing the page.
     if (deps.loyalty) {
-      function _loyaltyAuth(req, res) {
+      async function _loyaltyAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -18797,7 +19724,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/loyalty", async function (req, res) {
-        var auth = _loyaltyAuth(req, res); if (!auth) return;
+        var auth = await _loyaltyAuth(req, res); if (!auth) return;
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cursorRaw = url && url.searchParams.get("cursor");
         var cursor;
@@ -18817,7 +19744,7 @@ function mount(router, deps) {
       // not-redeemable surface as a 400 re-render, never a 500.
       if (deps.loyaltyRedemption) {
         router.post("/account/loyalty/redeem", async function (req, res) {
-          var auth = _loyaltyAuth(req, res); if (!auth) return;
+          var auth = await _loyaltyAuth(req, res); if (!auth) return;
           var body = req.body || {};
           var rewardSlug = body.reward_slug;
           try {
@@ -18865,9 +19792,9 @@ function mount(router, deps) {
     // their OWN wallet. Granting / deducting credit is operator-only on
     // the admin customer-detail screen — this surface writes nothing.
     if (deps.storeCredit) {
-      function _storeCreditAuth(req, res) {
+      async function _storeCreditAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -18912,7 +19839,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/credit", async function (req, res) {
-        var auth = _storeCreditAuth(req, res); if (!auth) return;
+        var auth = await _storeCreditAuth(req, res); if (!auth) return;
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cursorRaw = url && url.searchParams.get("cursor");
         var cursor;
@@ -18960,9 +19887,9 @@ function mount(router, deps) {
     // overwrites the cookie when none is already set (below), so the
     // first referral link a visitor follows wins.
     if (deps.referrals) {
-      function _referralsAuth(req, res) {
+      async function _referralsAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -19073,13 +20000,13 @@ function mount(router, deps) {
       }
 
       router.get("/account/referrals", async function (req, res) {
-        var auth = _referralsAuth(req, res); if (!auth) return;
+        var auth = await _referralsAuth(req, res); if (!auth) return;
         var view = await _referralsView(req, auth, {});
         _send(res, 200, renderReferrals(view));
       });
 
       router.post("/account/referrals/code", async function (req, res) {
-        var auth = _referralsAuth(req, res); if (!auth) return;
+        var auth = await _referralsAuth(req, res); if (!auth) return;
         try {
           await deps.referrals.issueCode({ referrer_customer_id: auth.customer_id });
         } catch (e) {
@@ -19108,9 +20035,9 @@ function mount(router, deps) {
     // history. Views are recorded server-side on the (container-rendered)
     // PDP; this surface lets the customer review + clear that history.
     if (deps.recentlyViewed) {
-      function _rvAuth(req, res) {
+      async function _rvAuth(req, res) {
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -19124,7 +20051,7 @@ function mount(router, deps) {
       }
 
       router.get("/account/recently-viewed", async function (req, res) {
-        var auth = _rvAuth(req, res); if (!auth) return;
+        var auth = await _rvAuth(req, res); if (!auth) return;
         // A read failure (table not migrated) degrades to the empty
         // state rather than 500-ing the account page.
         var rows = [];
@@ -19140,7 +20067,7 @@ function mount(router, deps) {
       });
 
       router.post("/account/recently-viewed/clear", async function (req, res) {
-        var auth = _rvAuth(req, res); if (!auth) return;
+        var auth = await _rvAuth(req, res); if (!auth) return;
         try { await deps.recentlyViewed.purgeCustomer(auth.customer_id); }
         catch (_e) { /* drop-silent — a failed clear leaves history intact, no error surface needed */ }
         res.status(303); res.setHeader && res.setHeader("location", "/account/recently-viewed");
@@ -19158,7 +20085,7 @@ function mount(router, deps) {
         var product = slug ? await deps.catalog.products.bySlug(slug) : null;
         if (!product) { _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme })); return null; }
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -19247,7 +20174,7 @@ function mount(router, deps) {
         var product = slug ? await deps.catalog.products.bySlug(slug) : null;
         if (!product) { _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme })); return null; }
         var auth;
-        try { auth = _currentCustomer(req); }
+        try { auth = await _currentCustomer(req); }
         catch (e) {
           if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
           throw e;
@@ -20339,6 +21266,32 @@ function mount(router, deps) {
   // requirements also replace the file at the same path via R2 (the
   // Worker's static-asset bridge serves it ahead of this route if a
   // `robots.txt` key exists in the bucket).
+  // Apple Pay domain-association file. Apple Pay (rendered by Stripe's
+  // Express Checkout Element on the pay page) only appears once Apple has
+  // verified the domain, which it does by fetching this exact path. In
+  // production that crawl lands on the edge Worker, which serves the same
+  // bytes from its own binding (worker/index.js); this container twin keeps
+  // a direct-to-container hit (and the e2e harness) in parity. The file's
+  // bytes are Stripe-provided (downloaded from the Stripe dashboard); the
+  // operator supplies them verbatim via the APPLE_PAY_DOMAIN_ASSOCIATION
+  // value injected here as `deps.apple_pay_domain_association`. Served
+  // unchanged as text/plain — Apple's crawl rejects any HTML wrapper,
+  // redirect, or appended byte, so no transform is applied. Unset → 404:
+  // the documented fail-open posture where the Apple Pay button simply does
+  // not render and every other payment method is unaffected.
+  var applePayAssoc = typeof deps.apple_pay_domain_association === "string"
+    ? deps.apple_pay_domain_association : "";
+  router.get("/.well-known/apple-developer-merchantid-domain-association", function (req, res) {
+    res.setHeader && res.setHeader("content-type", "text/plain; charset=utf-8");
+    if (!applePayAssoc) {
+      res.status(404);
+      return res.end ? res.end("Not Found") : res.send("Not Found");
+    }
+    res.status(200);
+    res.setHeader && res.setHeader("cache-control", "public, max-age=300");
+    res.end ? res.end(applePayAssoc) : res.send(applePayAssoc);
+  });
+
   router.get("/robots.txt", async function (req, res) {
     res.status(200);
     res.setHeader && res.setHeader("content-type", "text/plain; charset=utf-8");
@@ -20581,8 +21534,14 @@ module.exports = {
   renderAccountSubscriptions: renderAccountSubscriptions,
   renderCookiePreferences: renderCookiePreferences,
   renderSurveyPage:      renderSurveyPage,
+  renderSuggestionsPage: renderSuggestionsPage,
   renderNewsletterError: renderNewsletterError,
   renderNotFound:        renderNotFound,
+  // Sidebar-widget render builders exposed so the dual-render parity test can
+  // pin the container output byte-for-byte against the edge twin.
+  buildSidebarWidget:    _buildSidebarWidget,
+  buildSidebarRail:      _buildSidebarRail,
+  sidebarPageKeyForPath: _sidebarPageKeyForPath,
   // Layout exposed so operators forking the framework can override.
   _wrap:                 _wrap,
   LAYOUT:                LAYOUT,