@blamejs/blamejs-shop 0.4.24 → 0.4.25

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.25 (2026-06-06) — **The admin role gate fails closed, payment-processor calls are host-pinned, the public catalog API stops leaking unpublished products, and privacy requests show their statutory deadline.** A security-hardening release. The staff role matrix now denies an unmapped admin action by default (owner-only) instead of leaving it manager-reachable; outbound Stripe and PayPal calls are pinned to the configured processor host with their idempotency keys validated before they leave; the public catalog API no longer honors a caller-supplied status filter, so draft and archived products can't be enumerated; the privacy-request console surfaces each request's statutory response deadline; and the Apple Pay well-known bot-guard exemption is tightened to an exact-path match. No migrations. **Changed:** *Privacy-request console shows the statutory response deadline* — Each export and erasure request now displays its statutory response deadline — one month under GDPR, 45 days under CCPA, 15 days under LGPD — derived from the request's recorded jurisdiction and timestamp, and flags an open request whose deadline has passed. Requests under no statutory regime show no deadline rather than an invented one. **Security:** *Admin role gate fails closed on unmapped actions* — The operator role matrix is now a declarative registry with role inheritance (owner ⊃ manager ⊃ viewer) validated at boot. A mutating admin action that isn't explicitly mapped to a permission now requires the owner role, instead of falling through to a manager-grantable default — so a newly added admin route can't be reached by a manager or viewer by accident. Existing mapped routes keep their grants. · *Public catalog API no longer leaks unpublished products* — GET /api/catalog/products accepted a caller-supplied ?status= filter and passed it straight through, so an unauthenticated request could list draft or archived products by asking for them. The endpoint now always lists only published products; operators browse other statuses through the authenticated admin catalog screens. · *Payment-processor calls are host-pinned with validated idempotency keys* — Every outbound Stripe and PayPal call is now pinned to the configured processor host (defense-in-depth over the existing private-address and metadata-endpoint blocking), and a malformed or non-HTTPS processor base URL fails at the first call rather than dialing in the clear. The idempotency key each call carries is validated before it leaves, refusing path-traversal, slash, and control-character shapes. · *Apple Pay well-known bot-guard exemption is exact-match* — The bot-guard skip for the Apple Pay domain-association path was matched as a prefix, which would also have exempted any sibling path beneath it. It is now an exact-path match, so only the single static association file skips the guard.
+
 - v0.4.24 (2026-06-06) — **Order timelines, in-console new-order alerts, partial refunds, a customer idea board, storefront sidebar widgets, and Stripe wallet checkout — alongside refund-accounting, inventory-race, and access-control hardening.** This release adds operator and storefront surfaces that compose primitives already in the tree, and closes a set of value-conservation, concurrency, and access-control gaps in the same areas. Operators get a single order-story timeline, an in-console inbox that flags new paid orders with an unread badge, a browser partial-refund control, and curated storefront sidebar widgets. Shoppers get a receipt download on their orders, a suggestion board, and Stripe wallet buttons (Apple Pay, Google Pay, Link) at checkout. The fixes make partial refunds return gift-card and loyalty value in exact proportion, make inventory and quote state transitions race-proof under concurrency, gate the privacy export/erasure routes behind the operator role matrix, and harden the audit log, gift-card ledger, session revocation, and magic-link throttling. Upgrade applies six new D1 migrations and adds one optional environment variable for Apple Pay. **Added:** *Order timeline on the admin order screen* — /admin/orders/:id now shows one chronological feed of the whole order story — state changes, payments and refunds, shipments and carrier tracking events, customer-service notes, returns, and shipping labels — instead of separate panels. Each source is optional; an unwired source simply drops out of the feed. Wire orderTimeline into admin.mount to enable it. · *New-order inbox with an unread badge* — When an order is paid, an entry lands in a new in-console inbox at /admin/inbox and the admin navigation shows an unread count, so a sale is visible on the next page load without polling. Mark a message read once actioned, or archive it. The inbox is addressed to a role broadcast, so a single shared-credential console still sees the badge. Wire operatorInbox into admin.mount to enable it. · *Partial refunds from the browser* — The order screen gains a Refunds panel: enter an amount and the framework charges it back through the payment provider, validates it server-side, and caps it at the order's remaining balance — an over-refund is refused before any money moves. The provider call is keyed so a double-click cannot refund twice. A refund that clears the balance moves the order to refunded; a smaller refund leaves it on its current track and records the slice. · *Customer receipt download* — A customer can download a receipt for their own order from the order page. The document streams in chunks rather than buffering, and the route is gated to the order's owner (and guest-order token holders, matching the existing order-page guard). · *Customer suggestion board* — Shoppers can submit and vote on product and feature ideas at /suggestions (linked from the footer). Operators triage from a new admin console: respond, move ideas along a status flow, merge duplicates, flag spam, or archive. Submissions are rate-limited and bot-guarded, the submitter's email is hashed before storage, and all free text is escaped on both the public board and the admin screen. · *Operator-curated storefront sidebar widgets* — Operators can place an ordered set of sidebar content blocks (newsletter signup, trust badges, social proof, size chart, countdown, featured collection, and more) per page across product, cart, search, and collection pages. The content is operator-authored and global, so it renders identically from the edge cache and the container. Manage widgets and per-page placement from the new Sidebar widgets admin screen. · *Stripe wallet checkout (Apple Pay, Google Pay, Link)* — The pay page now offers the Stripe Express Checkout Element, surfacing the wallet buttons a shopper's browser supports against the existing PaymentIntent. It degrades to the card form when no wallet is available or when payments are unconfigured. Apple Pay additionally needs the domain-association file served (see Migration) and each web domain registered with Stripe. · *Email-change guidance on the profile screen* — The profile screen now explains that a sign-in email cannot be changed in place: addresses are stored as a hash by design, so changing one means re-registering. The copy states what is and is not possible and why, rather than leaving the field unexplained. **Fixed:** *Partial refunds return gift-card and loyalty value in proportion* — A partial refund previously re-minted the entire gift-card spend and clawed back 100% of earned loyalty points the moment the order reached the refunded state, and restored nothing on a smaller slice — so a buyer could keep goods plus the full re-minted gift-card balance. Refunds now re-mint gift-card spend, claw earned loyalty, and restore redeemed loyalty points in exact proportion to the amount refunded, and a partial-then-final refund sequence converges on exactly the amount returned. · *Redeemed loyalty points are restored on refund* — Loyalty points spent as a checkout tender were never returned when the order was refunded, even though gift-card spend was — an inconsistency that cost the customer. Redeemed points are now restored on refund, in proportion to the refunded amount. · *Referral rewards reverse on refund or cancel* — A referral's qualifying first order being refunded or cancelled now rolls back the both-rewarded completion and decrements the referrer's leaderboard count, closing a buy-then-refund reward-farming path. The reversal is claimed once so a re-delivered refund webhook cannot double-reverse. · *Inventory and quote state transitions are race-proof* — Stock-transfer reconcile, inventory receive and reverse, write-off reversal, allocation commit, cycle-count finalize, and quote accept and convert all read state and then mutated it without an atomic guard, so two concurrent calls could both proceed — double-crediting a destination shelf, double-restocking, or minting two orders from one quote. Each transition now claims its state atomically and proceeds only if it won the claim. The stock-transfer and inventory-receipt lifecycles are additionally validated against a declared state machine. **Security:** *Privacy export and erasure now enforce the operator role matrix* — The data-subject export (full customer PII) and erasure routes did not pass through the role check every other mutating admin route uses, so a read-only viewer could export a customer's data and run an irreversible erasure. Both are now gated by the role matrix, and the mutating admin routes were swept to confirm each maps to a required permission. · *Operator audit log no longer self-reports tampering under concurrency* — Two operator actions recorded at the same instant could each read the same chain head and append rows sharing one previous-hash, forking the tamper-evident chain so verification reported a break where no tampering occurred. Audit appends are now serialized per chain, so the hash chain stays linear under concurrent writes. · *Gift-card ledger is now tamper-evident* — The gift-card balance ledger carried no cryptographic linkage, so a direct database edit that inflated a balance or dropped a debit passed balance reads undetected. Each ledger row now carries a per-card hash chain (the same construction the operator audit log uses), and a verification pass surfaces any insert, rewrite, reorder, or deletion. · *Erasure, passkey-revoke, and sign-out terminate live sessions* — The sealed sign-in cookie is self-validating for up to 14 days, so an erased or anonymized account stayed usable until the cookie expired. A per-customer session boundary now lets erasure, passkey revocation, and explicit sign-out invalidate every cookie minted before the boundary. A customer with no boundary is unaffected, so upgrading does not sign anyone out. · *Marketing email honors the suppression list everywhere* — Wishlist price-drop and back-in-stock alerts did not consult the marketing suppression list, and a newsletter one-click unsubscribe recorded the opt-out without adding the address to suppressions — so a hard-bounced, complained, or unsubscribed address could still be mailed by another flow. Both paths now consult and feed the suppression list, matching the transactional and campaign paths. · *Per-recipient throttle on magic-link sign-in* — Magic-link minting was throttled per source address only, so a distributed source could email-bomb one victim's inbox. A per-recipient limit now caps how often a link can be sent to a single address, alongside the existing per-source limit. · *Strict validation of inbound webhook idempotency keys* — The inbound webhook idempotency key was validated against a broad printable-ASCII pattern that accepted path-traversal shapes. It now uses the framework's strict idempotency-key guard, which refuses slash, backslash, and dot-dot sequences. The strict profile permits a space (harmless in the parameterized lookup) while refusing the traversal shapes. **Migration:** *Six new D1 migrations* — 0220 adds the gift-card ledger hash-chain columns; 0221, 0223, 0224, and 0225 add proportional-reversal tracking to gift-card redemptions, loyalty transactions, the loyalty earn log, and referral invitations; 0222 adds the per-customer session-revocation boundary table. All apply cleanly over existing rows (new columns default to nothing-reversed-yet; the revocation table is empty, which is the default-allow state). Run pending migrations and sync theme assets as usual. · *Optional APPLE_PAY_DOMAIN_ASSOCIATION environment variable* — To show the Apple Pay wallet button, set APPLE_PAY_DOMAIN_ASSOCIATION to the file contents Stripe provides (Stripe owns Apple merchant validation, so no Apple Developer account is needed) and register each web domain with Stripe. The shop serves the value verbatim at /.well-known/apple-developer-merchantid-domain-association on both the edge and container. Unset, the path returns 404 and the Apple Pay button stays hidden; card, Google Pay, Link, and PayPal are unaffected.
 
 - v0.4.23 (2026-06-06) — **A stolen sign-in cookie stops working on another device, payment-provider outages fail fast and recover, replayed payment webhooks are refused, and the staff audit log is rewrite-evident.** A security-hardening release. The signed-in session cookie now carries a device fingerprint — a cookie lifted from one browser softly signs out instead of working anywhere for two weeks. Payment-provider calls run behind a circuit breaker, so a provider brown-out fails fast into the existing payment-unavailable page and recovers automatically instead of hanging every checkout. A captured payment-webhook payload can no longer be replayed inside the signature tolerance window. And the staff-activity audit log is anchored with post-quantum checkpoint signatures, with a verification endpoint that detects any rewrite of its history. **Security:** *The sign-in cookie is pinned to the device that signed in* — The signed-in session cookie was tamper-proof but portable — exfiltrated once, it worked from any device until expiry. Signing in now embeds a fingerprint of the signing-in browser inside the sealed cookie, and every authenticated request re-checks it in constant time. A mismatch signs the visitor out gently to the sign-in page rather than failing the request mid-page; network changes don't trip it (the fingerprint deliberately excludes the IP address), and sessions issued before this release continue to work until they expire naturally. · *Payment-provider calls are circuit-broken and retried where safe* — A payment-provider brown-out previously failed every checkout serially, each waiting out the full network timeout. Provider calls now run behind a circuit breaker: repeated failures trip it, subsequent checkouts fail fast into the existing payment-unavailable page, and the circuit closes again when the provider recovers. Idempotent calls — reads and writes carrying an idempotency key — retry through brief blips; non-idempotent calls never retry. The TLS configuration for provider connections is unchanged. · *Replayed payment webhooks are refused* — A captured, validly-signed payment-webhook payload could be replayed within the signature timestamp tolerance and re-drive order transitions. Each event is now recorded on first receipt and a replay of the same event answers as an already-processed no-op — enforced with a single atomic write, so two concurrent deliveries of the same event also collapse to one. Replay records expire with the signature tolerance window. · *The staff audit log detects history rewrites* — Staff-activity audit rows were hash-linked, which catches tampering with a single row but not a consistent rewrite of the whole chain. The chain is now anchored with periodic checkpoint signatures (ML-DSA, the same signing the framework audit chain uses), and `/admin/operators/audit/verify` reports both link integrity and checkpoint verification — a rewritten history fails the check. Stores that disable destructive operations behind a second approver were also evaluated: with one active operator the gate would deadlock the store, so gift-card voids, refunds, and operator disables remain single-approver — role-gated, bounded, reversible, and audited — with the stance and its revisit condition documented in the module.

package/lib/admin.js

@@ -98,30 +98,52 @@ var _errorLogSink = null;
 // the verb itself, not merely hidden in the nav. Read routes (`R`, no
 // audit action) demand no permission beyond a valid credential.
 
-// The three built-in roles and their permission grants. `owner` holds the
-// full set including operator management; `manager` covers catalog /
-// orders / customers / marketing writes; `viewer` is read-only — it holds
-// NO write permission, so every `W`-wrapped route refuses it. The role set
-// is the v1-defensible surface; operators wanting finer-grained custom
-// roles compose lib/operator-roles.js on top.
-var OPERATOR_PERMISSIONS = Object.freeze([
-  "catalog.write",   // products, variants, prices, media, inventory, collections, merchandising, marketing content
-  "orders.write",    // orders, returns, exchanges, refunds, fulfilment, exports, quotes, gift cards
-  "customers.write", // customer records, segments, notes, store credit
-  "settings.write",  // shop configuration
-  "operators.manage", // create / disable / re-role other operators
-]);
-
-var ROLE_GRANTS = Object.freeze({
-  owner:   Object.freeze(OPERATOR_PERMISSIONS.slice()),
-  manager: Object.freeze(["catalog.write", "orders.write", "customers.write"]),
-  viewer:  Object.freeze([]),
+// The three built-in roles, declared as a `b.permissions` registry. The
+// registry gives role inheritance (owner ⊃ manager ⊃ viewer), wildcard
+// scope coverage, and boot-time validation — a typo in a scope string, an
+// unknown `extends` target, or a cycle throws at module-eval rather than
+// silently mis-granting on the first request. `owner` holds the full set
+// including operator management plus the `*` root scope (so it grants the
+// owner-only fallback below); `manager` covers catalog / orders / customers
+// / marketing writes; `viewer` is read-only — it holds NO write scope, so
+// every `W`-wrapped route refuses it. The role set is the v1-defensible
+// surface; operators wanting finer-grained custom roles compose
+// lib/operator-roles.js on top.
+//
+// Scope strings use `:` segments (the matcher's wildcard syntax —
+// `b.permissions` rejects `.`-separated scopes). The action→permission map
+// below still names the operator-facing permission in `domain.write` dot
+// form (what an auditor reads in the denial row); `_scopeFor` translates
+// the dotted name to its `:` scope at the single check boundary.
+var _perms = b.permissions.create({
+  roles: {
+    viewer:  [],
+    manager: { extends: ["viewer"], permissions: ["catalog:write", "orders:write", "customers:write"] },
+    // `*` is the root-greedy scope — it covers every required scope,
+    // INCLUDING the owner-only fallback (`owner:only`) that an unmapped
+    // mutating action resolves to. A manager never holds `*`, so a new,
+    // un-mapped write route is owner-reachable only — fail-closed.
+    owner:   { extends: ["manager"], permissions: ["settings:write", "operators:manage", "*"] },
+  },
 });
 
+// Role-existence check (replaces the old ROLE_GRANTS-keyed lookup). The
+// sealed-cookie path falls back to viewer for any role this registry
+// doesn't know.
+function _knownRole(role) { return typeof role === "string" && _perms.has(role); }
+
+// The owner-only fallback permission. An action whose prefix is NOT in
+// `_ACTION_PERMISSION` resolves here, so a newly-added W()-route nobody
+// maps requires the owner role rather than the broad (manager-grantable)
+// merchandising write. The dotted name is what the denial audit records;
+// it maps to the `owner:only` scope only `owner` (via `*`) can match.
+var OWNER_ONLY_PERMISSION = "owner.only";
+
 // Map a `W(...)` audit-action's first segment to the permission it
 // requires. Every mutating admin route is covered; an action whose prefix
-// is not listed falls back to `catalog.write` (the broad merchandising
-// grant) so a newly-added write route is gated rather than silently open.
+// is not listed FAILS CLOSED to the owner-only fallback (not the broad
+// merchandising write) so a newly-added write route is owner-reachable
+// only until it's mapped to the role that should hold it.
 var _ACTION_PERMISSION = Object.freeze({
   // catalog / merchandising / marketing content
   product: "catalog.write", variant: "catalog.write", price: "catalog.write",
@@ -131,7 +153,7 @@ var _ACTION_PERMISSION = Object.freeze({
   gift: "catalog.write", preorder: "catalog.write", quantity_discount: "catalog.write",
   auto_discount: "catalog.write", coupon_policy: "catalog.write",
   promo_banner: "catalog.write", announcement: "catalog.write", blog: "catalog.write",
-  suggestion: "catalog.write", sidebar_widget: "catalog.write",
+  email_campaign: "catalog.write", suggestion: "catalog.write", sidebar_widget: "catalog.write",
   page: "catalog.write", help: "catalog.write", survey: "catalog.write",
   hours: "catalog.write", delivery_holiday: "catalog.write",
   delivery_transit: "catalog.write", tax_rate: "catalog.write",
@@ -153,21 +175,32 @@ var _ACTION_PERMISSION = Object.freeze({
   operator: "operators.manage",
 });
 
+// Translate an operator-facing `domain.write` permission name to the
+// `b.permissions` `:` scope the registry matches on. The owner-only
+// fallback maps to `owner:only` — a scope only the `*`-holding owner role
+// covers.
+function _scopeFor(permission) {
+  if (permission === OWNER_ONLY_PERMISSION) return "owner:only";
+  return permission.replace(/\./g, ":");
+}
+
 // Permission a `W(auditAction, ...)` route requires, derived from the
-// action's first dotted segment. Unmapped prefixes default to the broad
-// merchandising write so an un-mapped new route fails closed for viewers.
+// action's first dotted segment. Unmapped prefixes FAIL CLOSED to the
+// owner-only fallback so an un-mapped new route can't be reached by a
+// manager — it requires the owner role (or an explicit map entry).
 function _permissionForAction(auditAction) {
-  if (typeof auditAction !== "string" || !auditAction.length) return "catalog.write";
+  if (typeof auditAction !== "string" || !auditAction.length) return OWNER_ONLY_PERMISSION;
   var seg = auditAction.split(".")[0];
-  return _ACTION_PERMISSION[seg] || "catalog.write";
+  return _ACTION_PERMISSION[seg] || OWNER_ONLY_PERMISSION;
 }
 
-// True when `role` grants `permission`. The owner role always grants
-// everything; an unknown role grants nothing (fails closed).
+// True when `role` grants `permission`. Delegates to the `b.permissions`
+// registry: the owner role holds `*` (grants everything including the
+// owner-only fallback), manager inherits viewer + its three writes, viewer
+// holds nothing, and an unknown role grants nothing (fails closed).
 function _roleGrants(role, permission) {
-  var grants = ROLE_GRANTS[role];
-  if (!grants) return false;
-  return grants.indexOf(permission) !== -1;
+  if (!_knownRole(role)) return false;
+  return _perms.check({ roles: [role] }, _scopeFor(permission));
 }
 
 // Per-request store for the double-submit CSRF token. The admin console is
@@ -610,7 +643,7 @@ async function _resolveActor(req, authCtx) {
   // No accounts handle wired but the cookie names an operator — treat the
   // sealed claim's role as authoritative (the cookie is vault-sealed, so it
   // can't be forged); fail closed to viewer if the role is unexpected.
-  var role = ROLE_GRANTS[claims.role] ? claims.role : "viewer";
+  var role = _knownRole(claims.role) ? claims.role : "viewer";
   return { kind: "operator", operator_id: String(claims.operator_id), role: role, via: "operator_cookie" };
 }
 
@@ -14186,16 +14219,21 @@ function renderAdminConfirm(opts) {
 // 403 page shown when a signed-in operator's role does not grant the
 // permission a browser-form mutation requires. The required permission is
 // stated plainly so the operator knows what to ask the owner for. `perm`
-// is one of the closed OPERATOR_PERMISSIONS tokens (never untrusted), but
-// it is escaped anyway to keep the render escape-by-default.
+// is one of the closed `_ACTION_PERMISSION` tokens or the owner-only
+// fallback (never untrusted), but it is escaped anyway to keep the render
+// escape-by-default.
 function _renderAdminForbidden(shopName, navAvailable, perm) {
   var name = shopName || "blamejs.shop";
+  // The owner-only fallback has no operator-friendly grant name — an
+  // un-mapped action is owner-reachable only — so render its requirement
+  // as "owner" rather than the internal `owner.only` token.
+  var permLabel = perm === OWNER_ONLY_PERMISSION ? "owner" : (perm || "");
   var body =
     "<section class=\"mw-42\">" +
       "<h2>Not permitted</h2>" +
       "<div class=\"banner banner--err\">Your role does not permit this action.</div>" +
       "<div class=\"panel\">" +
-        "<p>This action requires the <code>" + _htmlEscape(perm || "") + "</code> permission. " +
+        "<p>This action requires the <code>" + _htmlEscape(permLabel) + "</code> permission. " +
         "Ask an owner to grant your account a role that includes it.</p>" +
         "<a class=\"btn btn--ghost\" href=\"/admin\">Back to dashboard</a>" +
       "</div>" +
@@ -16763,6 +16801,23 @@ function _dsrPillClass(status) {
 // Operator queue. Status chips filter the board; each row links to the
 // request detail. Renders the customer (short id), kind, jurisdiction,
 // scope, status pill, and when it was requested.
+// Render the statutory-deadline cell for a DSR row. The deadline is the
+// derived `statutory_deadline` the primitive computes from jurisdiction +
+// requested_at (GDPR one month, CCPA 45 days, LGPD 15 days; null for a
+// jurisdiction with no statutory clock). For an OPEN request (received /
+// processing) an elapsed wall is flagged "overdue"; a closed request shows
+// the date plainly (the clock no longer runs against the controller).
+function _dsrDeadlineCell(r) {
+  var d = r && r.statutory_deadline;
+  if (!d || typeof d.due_by !== "number") return "<span class=\"meta\">—</span>";
+  var dateStr = _htmlEscape(_fmtDate(d.due_by));
+  var open = r.status === "received" || r.status === "processing";
+  if (open && Date.now() > d.due_by) {
+    return "<span class=\"status-pill cancelled\" title=\"" + _htmlEscape(d.statute) + "\">overdue · " + dateStr + "</span>";
+  }
+  return "<span title=\"" + _htmlEscape(d.statute) + "\">" + dateStr + "</span>";
+}
+
 function renderAdminDsr(opts) {
   opts = opts || {};
   var requests = opts.requests || [];
@@ -16783,11 +16838,12 @@ function renderAdminDsr(opts) {
       "<td>" + _htmlEscape(r.scope || "—") + "</td>" +
       "<td><span class=\"status-pill " + _dsrPillClass(r.status) + "\">" + _htmlEscape(r.status) + "</span></td>" +
       "<td>" + _htmlEscape(_fmtDate(r.requested_at)) + "</td>" +
+      "<td>" + _dsrDeadlineCell(r) + "</td>" +
       "</tr>";
   }).join("");
 
   var table = requests.length
-    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Customer</th><th scope=\"col\">Kind</th><th scope=\"col\">Jurisdiction</th><th scope=\"col\">Scope</th><th scope=\"col\">Status</th><th scope=\"col\">Requested</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Customer</th><th scope=\"col\">Kind</th><th scope=\"col\">Jurisdiction</th><th scope=\"col\">Scope</th><th scope=\"col\">Status</th><th scope=\"col\">Requested</th><th scope=\"col\">Statutory deadline</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
     : "<p class=\"empty\">No “" + _htmlEscape(active) + "” privacy requests.</p>";
 
   var body = "<section><h2>Privacy requests</h2>" +
@@ -16901,6 +16957,9 @@ function renderAdminDsrDetail(opts) {
       "<div class=\"two-col\">" +
         "<div class=\"panel\"><h3 class=\"subhead\">Details</h3>" +
           _field("Jurisdiction", r.jurisdiction) +
+          _field("Statutory deadline", r.statutory_deadline
+            ? _fmtDate(r.statutory_deadline.due_by) + " (" + r.statutory_deadline.statute + ")"
+            : null) +
           _field("Scope", r.scope) +
           _field("Reason", r.reason) +
           _field("Dismiss reason", r.dismiss_reason) +
@@ -22856,6 +22915,13 @@ function renderAdminProduct(opts) {
 module.exports = {
   mount:           mount,
   AUDIT_NAMESPACE: AUDIT_NAMESPACE,
+  // RBAC introspection — the action→permission resolver + the role-grant
+  // predicate the `_wrap` chokepoint uses, surfaced so a test can pin the
+  // fail-closed boundary (an unmapped mutating action is owner-only) without
+  // standing up a live route for every possible un-mapped prefix.
+  _permissionForAction: _permissionForAction,
+  _roleGrants:          _roleGrants,
+  _OWNER_ONLY_PERMISSION: OWNER_ONLY_PERMISSION,
   renderDashboard: renderDashboard,
   renderAdminAnalytics:    renderAdminAnalytics,
   renderAdminLogin:        renderAdminLogin,

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.24",
+  "version": "0.4.25",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/compliance-export.js

@@ -115,6 +115,48 @@ var STATUSES       = Object.freeze([
   "received", "processing", "fulfilled", "delivered", "dismissed",
 ]);
 
+// Statutory response window per jurisdiction — the clock a supervisory
+// authority measures the controller against once a subject files the
+// request. The deadline is `requested_at + days`. GDPR Art. 12(3): one
+// month from receipt (encoded as 30 days — the controller-defensible
+// reading; extendable by two further months for complex requests, which an
+// operator records out of band). CCPA Cal. Civ. Code §1798.130(a)(2): 45
+// days (one 45-day extension permitted). LGPD Art. 19 §II / §3: 15 days for
+// the full declaration. `other` carries no statutory clock — the operator's
+// own SLA governs, so no deadline is surfaced rather than inventing one.
+//
+// This is the DSR-response analogue of b.breach.deadline (which encodes the
+// US-state breach-NOTIFICATION statutes — a different clock with different
+// citations); a subject-access response window has no entry in that
+// registry, so the per-jurisdiction window lives here keyed to the same
+// jurisdiction vocabulary the request rows already carry.
+var DSR_RESPONSE_WINDOW = Object.freeze({
+  gdpr: Object.freeze({ days: 30, statute: "GDPR Art. 12(3) (one month from receipt)" }),
+  ccpa: Object.freeze({ days: 45, statute: "Cal. Civ. Code §1798.130(a)(2)" }),
+  lgpd: Object.freeze({ days: 15, statute: "LGPD Art. 19 §II" }),
+  other: null,   // operator SLA governs — no statutory clock to surface
+});
+
+var MS_PER_DAY = b.constants.TIME.days(1);
+
+// Compute the statutory response deadline for a DSR request. Returns null
+// for a jurisdiction with no statutory clock (`other`) or a non-finite
+// requested-at. The shape mirrors b.breach.deadline.forStates entries —
+// `{ jurisdiction, days, due_by, statute }` — so a future operator clock
+// (b.breach.deadline.createClock-style escalation) can adapt it without a
+// reshape.
+function _statutoryDeadline(jurisdiction, requestedAtMs) {
+  var win = DSR_RESPONSE_WINDOW[jurisdiction];
+  if (!win) return null;
+  if (typeof requestedAtMs !== "number" || !isFinite(requestedAtMs)) return null;
+  return {
+    jurisdiction: jurisdiction,
+    days:         win.days,
+    due_by:       requestedAtMs + (win.days * MS_PER_DAY),
+    statute:      win.statute,
+  };
+}
+
 var MAX_REASON_LEN          = 4000;
 var MAX_DISMISS_REASON_LEN  = 4000;
 var MAX_DELIVERY_METHOD_LEN = 64;
@@ -264,6 +306,7 @@ function _isEmptySection(section) {
 
 function _hydrate(r) {
   if (!r) return null;
+  var requestedAt = Number(r.requested_at);
   return {
     id:               r.id,
     customer_id:      r.customer_id,
@@ -272,13 +315,19 @@ function _hydrate(r) {
     scope:            r.scope == null ? null : r.scope,
     status:           r.status,
     requested_by:     r.requested_by,
-    requested_at:     Number(r.requested_at),
+    requested_at:     requestedAt,
     fulfilled_at:     r.fulfilled_at == null ? null : Number(r.fulfilled_at),
     delivered_at:     r.delivered_at == null ? null : Number(r.delivered_at),
     dismiss_reason:   r.dismiss_reason == null ? null : r.dismiss_reason,
     delivery_method:  r.delivery_method == null ? null : r.delivery_method,
     delivery_address: r.delivery_address == null ? null : r.delivery_address,
     reason:           r.reason == null ? null : r.reason,
+    // Derived: the statutory response deadline the supervisory authority
+    // measures against (computed from jurisdiction + requested_at, never
+    // persisted — so it always reflects the current registry). Null for a
+    // jurisdiction with no statutory clock. The admin DSR console surfaces
+    // `due_by` so an operator sees the wall before it elapses.
+    statutory_deadline: _statutoryDeadline(r.jurisdiction, requestedAt),
   };
 }
 
@@ -658,10 +707,15 @@ function create(opts) {
 }
 
 module.exports = {
-  create:         create,
-  REQUEST_KINDS:  REQUEST_KINDS,
-  JURISDICTIONS:  JURISDICTIONS,
-  SCOPES:         SCOPES,
-  STATUSES:       STATUSES,
-  SCOPE_SECTIONS: SCOPE_SECTIONS,
+  create:               create,
+  REQUEST_KINDS:        REQUEST_KINDS,
+  JURISDICTIONS:        JURISDICTIONS,
+  SCOPES:               SCOPES,
+  STATUSES:             STATUSES,
+  SCOPE_SECTIONS:       SCOPE_SECTIONS,
+  // DSR statutory response-window registry + the per-request deadline
+  // calculator (the console reads the calculator's `due_by`; tests pin the
+  // per-jurisdiction windows).
+  DSR_RESPONSE_WINDOW:  DSR_RESPONSE_WINDOW,
+  statutoryDeadline:    _statutoryDeadline,
 };

package/lib/payment.js

@@ -177,6 +177,56 @@ function _formEncode(obj, prefix) {
   return parts.filter(Boolean).join("&");
 }
 
+// ---- egress hardening + outbound idempotency-key validation ----------------
+//
+// b.httpClient already routes every dial through b.ssrfGuard (private /
+// loopback / link-local / reserved / cloud-metadata IP classes refused) and
+// pins the TCP connect to the guard's resolved IP set even on the PSP path's
+// caller-supplied TLS agent, so DNS rebinding can't flip the answer between
+// check and connect. The remaining gap is a HOST allowlist: nothing today
+// stops an `opts.apiBase` pointed at an unexpected public host (config
+// injection, or a future code path that derives the base from request data)
+// from reaching a non-PSP upstream. We pin `allowedHosts` to the configured
+// PSP host on every dial so a compromised process can only ever talk to the
+// host the adapter was constructed against — defense-in-depth layered on top
+// of the IP-class SSRF gate.
+
+// Extract the lowercase hostname from a PSP base URL. Throws a TypeError on a
+// non-string / non-https / hostless base — config-time validation (entry
+// point), so an operator's typo'd apiBase surfaces at adapter construction
+// rather than on the first charge.
+function _pspHost(baseUrl, label) {
+  if (typeof baseUrl !== "string" || !baseUrl.length) {
+    throw new TypeError("payment: " + label + " must be a non-empty URL string");
+  }
+  var parsed;
+  try { parsed = new URL(baseUrl); } catch (_e) {
+    throw new TypeError("payment: " + label + " must be a valid absolute URL (got " + JSON.stringify(baseUrl) + ")");
+  }
+  if (parsed.protocol !== "https:") {
+    throw new TypeError("payment: " + label + " must be https (a payment processor is never dialed over plaintext)");
+  }
+  if (!parsed.hostname) {
+    throw new TypeError("payment: " + label + " has no hostname");
+  }
+  return parsed.hostname.toLowerCase();
+}
+
+// Validate + normalize an idempotency key that crosses the wire as an
+// outbound header (Stripe `Idempotency-Key` / PayPal `PayPal-Request-Id`).
+// Composes b.guardIdempotencyKey (strict profile): bounded length, control-
+// char / path-traversal / slash refusal, ASCII-only — so a key carrying a
+// log-injection or traversal shape never reaches the processor or the local
+// replay cache. Returns the validated key; throws TypeError on refusal (the
+// caller's bad-shape path is a clean 400, matching every other field guard).
+function _assertOutboundKey(key, label) {
+  try {
+    return b.guardIdempotencyKey.validate(key, { profile: "strict" });
+  } catch (e) {
+    throw new TypeError("payment: " + (label || "idempotency key") + " — " + ((e && e.message) || "invalid idempotency key"));
+  }
+}
+
 // ---- webhook verifier -----------------------------------------------------
 //
 // Composes b.webhook.verify (alg: "hmac-sha256-stripe") — the
@@ -239,7 +289,12 @@ async function _verifyWebhook(headers, rawBody, secret, opts) {
 // ---- Stripe API call ------------------------------------------------------
 
 async function _stripeCall(opts, method, path, params, idempotencyKey) {
-  var url = (opts.apiBase || STRIPE_API_BASE_DEFAULT) + path;
+  var apiBase = opts.apiBase || STRIPE_API_BASE_DEFAULT;
+  var url = apiBase + path;
+  // Pin the dial to the configured Stripe host (computed once per adapter).
+  // Layered on top of b.httpClient's IP-class SSRF gate — the process can
+  // only ever reach the host the adapter was built against.
+  if (opts._allowedHost === undefined) opts._allowedHost = _pspHost(apiBase, "apiBase");
   var headers = {
     "authorization": "Bearer " + opts.apiKey,
     "accept":         "application/json",
@@ -252,7 +307,9 @@ async function _stripeCall(opts, method, path, params, idempotencyKey) {
     headers["content-length"] = Buffer.byteLength(body, "utf8");
   }
   if (idempotencyKey) {
-    headers["idempotency-key"] = idempotencyKey;
+    // The key crosses the wire as the `Idempotency-Key` header — validate +
+    // refuse traversal / control-char / oversize shapes before it leaves.
+    headers["idempotency-key"] = _assertOutboundKey(idempotencyKey, "idempotency_key");
   }
   var httpClient = opts.httpClient || b.httpClient;
   // A GET read is always idempotent; a write is idempotent only when it
@@ -268,12 +325,13 @@ async function _stripeCall(opts, method, path, params, idempotencyKey) {
   // acceptable since a sustained stream of 4xx is itself a degraded state.
   var json = await _dial(opts._breaker, idempotent, async function () {
     var res = await httpClient.request({
-      method:    method,
-      url:       url,
-      headers:   headers,
-      body:      body || undefined,
-      timeoutMs: opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      method:       method,
+      url:          url,
+      headers:      headers,
+      body:         body || undefined,
+      timeoutMs:    opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [opts._allowedHost],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed = null;
@@ -709,6 +767,14 @@ function _paypalApiBase(opts) {
   return opts.sandbox ? PAYPAL_API_BASE_SANDBOX : PAYPAL_API_BASE_LIVE;
 }
 
+// The PayPal host the adapter is allowed to dial (computed once, cached on
+// opts). Pins every PayPal dial — token exchange + Orders-v2 — to the
+// configured host, layered on b.httpClient's IP-class SSRF gate.
+function _paypalAllowedHost(opts) {
+  if (opts._allowedHost === undefined) opts._allowedHost = _pspHost(_paypalApiBase(opts), "apiBase");
+  return opts._allowedHost;
+}
+
 function _minorToDecimalString(minor, currency) {
   var dec = PAYPAL_ZERO_DECIMAL[currency] ? 0 : 2;
   var neg = minor < 0;
@@ -745,9 +811,10 @@ async function _paypalToken(opts, state) {
         "content-type":   "application/x-www-form-urlencoded",
         "user-agent":     "blamejs-shop (zero-dep)",
       },
-      body:      "grant_type=client_credentials",
-      timeoutMs: opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      body:         "grant_type=client_credentials",
+      timeoutMs:    opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [_paypalAllowedHost(opts)],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed; try { parsed = text.length ? JSON.parse(text) : {}; } catch (_e) { parsed = {}; }
@@ -774,10 +841,15 @@ async function _paypalCall(opts, state, method, path, bodyObj, requestId) {
     "content-type":  "application/json",
     "user-agent":    "blamejs-shop (zero-dep)",
   };
-  if (requestId) headers["paypal-request-id"] = requestId;
+  // The request id crosses the wire as the `PayPal-Request-Id` header —
+  // validate + refuse traversal / control-char / oversize shapes before it
+  // leaves (covers both operator-supplied keys and the adapter-constructed
+  // `order:`/`capture:` ids).
+  if (requestId) headers["paypal-request-id"] = _assertOutboundKey(requestId, "paypal_request_id");
   var body = bodyObj != null ? JSON.stringify(bodyObj) : undefined;
   if (body) headers["content-length"] = Buffer.byteLength(body, "utf8");
   var httpClient = opts.httpClient || b.httpClient;
+  var allowedHost = _paypalAllowedHost(opts);
   // A GET is idempotent; a write is idempotent only when it carries a
   // PayPal-Request-Id (PayPal dedupes a replay of the SAME id, and the
   // same id rides every retry attempt within one call). A keyless write
@@ -785,12 +857,13 @@ async function _paypalCall(opts, state, method, path, bodyObj, requestId) {
   var idempotent = method === "GET" || !!requestId;
   var json = await _dial(opts._breaker, idempotent, async function () {
     var res = await httpClient.request({
-      method:    method,
-      url:       _paypalApiBase(opts) + path,
-      headers:   headers,
-      body:      body,
-      timeoutMs: opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      method:       method,
+      url:          _paypalApiBase(opts) + path,
+      headers:      headers,
+      body:         body,
+      timeoutMs:    opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [allowedHost],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed; try { parsed = text.length ? JSON.parse(text) : {}; } catch (_e) { parsed = { _raw: text }; }

package/lib/security-middleware.js

@@ -608,7 +608,13 @@ function globalRateLimitOpts() {
 function botGuardOpts() {
   return {
     skipPaths: INTERNAL_BRIDGE_PATHS.slice()
-      .concat(PUBLIC_WELL_KNOWN_PATHS)
+      // EXACT-match the well-known paths. A bare-string skip is matched as a
+      // PREFIX by the bot guard, which would also exempt any sibling under the
+      // directory (e.g. /.well-known/apple-...-association/anything), re-opening
+      // the guard on routes that aren't the single static association file.
+      .concat(PUBLIC_WELL_KNOWN_PATHS.map(function (p) {
+        return new RegExp("^" + p.replace(/[-/\\^$*+?.()|[\]{}]/g, "\\$&") + "$");
+      }))
       .concat([/^\/admin(\/|$)/]),
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.24",
+  "version": "0.4.25",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {