@blamejs/blamejs-shop 0.4.24 → 0.4.26

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.26 (2026-06-06) — **Guest orders attach to an account on verified sign-in; privacy exports and erasures now cover suggestions, saved-for-later, and store credit; HSTS ships on container responses behind the CDN; and internal cron POSTs are secret-checked at the edge.** A guest-order-claim, privacy-completeness, and edge-hardening release. When a shopper who checked out as a guest later signs in or registers with a verified email that matches the order, those orders now attach to their account and appear in their order history. A subject-access export now includes the customer's suggestion-box submissions, their save-for-later list, and their store-credit ledger, and an erasure anonymizes the suggestions, deletes the saved list, and retains the store-credit ledger under its accounting basis — a domain whose reader isn't wired still shows in the export manifest rather than being silently dropped. Strict-Transport-Security now ships on responses served directly by the container behind the Cloudflare proxy, not only on edge-rendered pages. The worker now verifies the shared secret on internal cron and event POSTs before forwarding them to the container. Upgrade applies one D1 migration. **Added:** *Guest orders reconcile to an account on verified sign-in* — An order placed as a guest carries the buyer's email as a one-way hash. When that buyer later signs in or registers — including through Sign in with Google — and their verified email hashes to the same value, the matching guest orders attach to their account and show up under their order history. Attachment is driven only by verified-email ownership, never by unauthenticated email knowledge, and is idempotent: re-signing-in attaches nothing new, a non-matching email attaches nothing, and the placing-browser cookie and emailed-access-token routes to a guest order keep working unchanged. **Changed:** *Privacy export and erasure cover suggestions, saved-for-later, and store credit* — A full subject-access export now includes three more customer-keyed domains: the customer's suggestion-box submissions (product ideas and complaints, matched on the account id or the hashed email the submission carried), their save-for-later list, and their store-credit balance and ledger history. Erasure anonymizes each suggestion in place — severing both identity keys so the row can no longer be traced to the person while leaving the de-identified roadmap signal — deletes the save-for-later list outright, and retains the store-credit ledger under the same accounting / legal-obligation basis the loyalty ledger and gift cards already use. Each domain reports its effect in the request's completeness manifest, so a domain whose reader isn't wired is visible as absent rather than silently omitted. **Security:** *HSTS ships on container responses behind the proxy* — Strict-Transport-Security is emitted on responses served directly by the application container, not only on pages rendered at the edge. Behind the Cloudflare proxy the container connection is plain HTTP and the real scheme arrives in the forwarded-proto header; the security-headers middleware now trusts that header, so a direct-to-container or edge-render-off response carries the same two-year, includeSubDomains, preload HSTS value the edge sends. Plain-HTTP local and direct connections still omit the header, which user agents ignore over HTTP anyway. · *Internal cron and event POSTs are secret-checked at the edge* — The worker now verifies the shared secret on its internal cron and event POSTs (cart-recovery, stock-alert and wishlist sweeps, the stale-order reap, portal-session expiry, and campaign sends) before forwarding them to the container, refusing a forged public request at the edge instead of relying solely on the container's own check. The check is skipped when the secret isn't configured, so a deployment that hasn't set it still forwards rather than refusing every scheduled task.
+
+- v0.4.25 (2026-06-06) — **The admin role gate fails closed, payment-processor calls are host-pinned, the public catalog API stops leaking unpublished products, and privacy requests show their statutory deadline.** A security-hardening release. The staff role matrix now denies an unmapped admin action by default (owner-only) instead of leaving it manager-reachable; outbound Stripe and PayPal calls are pinned to the configured processor host with their idempotency keys validated before they leave; the public catalog API no longer honors a caller-supplied status filter, so draft and archived products can't be enumerated; the privacy-request console surfaces each request's statutory response deadline; and the Apple Pay well-known bot-guard exemption is tightened to an exact-path match. No migrations. **Changed:** *Privacy-request console shows the statutory response deadline* — Each export and erasure request now displays its statutory response deadline — one month under GDPR, 45 days under CCPA, 15 days under LGPD — derived from the request's recorded jurisdiction and timestamp, and flags an open request whose deadline has passed. Requests under no statutory regime show no deadline rather than an invented one. **Security:** *Admin role gate fails closed on unmapped actions* — The operator role matrix is now a declarative registry with role inheritance (owner ⊃ manager ⊃ viewer) validated at boot. A mutating admin action that isn't explicitly mapped to a permission now requires the owner role, instead of falling through to a manager-grantable default — so a newly added admin route can't be reached by a manager or viewer by accident. Existing mapped routes keep their grants. · *Public catalog API no longer leaks unpublished products* — GET /api/catalog/products accepted a caller-supplied ?status= filter and passed it straight through, so an unauthenticated request could list draft or archived products by asking for them. The endpoint now always lists only published products; operators browse other statuses through the authenticated admin catalog screens. · *Payment-processor calls are host-pinned with validated idempotency keys* — Every outbound Stripe and PayPal call is now pinned to the configured processor host (defense-in-depth over the existing private-address and metadata-endpoint blocking), and a malformed or non-HTTPS processor base URL fails at the first call rather than dialing in the clear. The idempotency key each call carries is validated before it leaves, refusing path-traversal, slash, and control-character shapes. · *Apple Pay well-known bot-guard exemption is exact-match* — The bot-guard skip for the Apple Pay domain-association path was matched as a prefix, which would also have exempted any sibling path beneath it. It is now an exact-path match, so only the single static association file skips the guard.
+
 - v0.4.24 (2026-06-06) — **Order timelines, in-console new-order alerts, partial refunds, a customer idea board, storefront sidebar widgets, and Stripe wallet checkout — alongside refund-accounting, inventory-race, and access-control hardening.** This release adds operator and storefront surfaces that compose primitives already in the tree, and closes a set of value-conservation, concurrency, and access-control gaps in the same areas. Operators get a single order-story timeline, an in-console inbox that flags new paid orders with an unread badge, a browser partial-refund control, and curated storefront sidebar widgets. Shoppers get a receipt download on their orders, a suggestion board, and Stripe wallet buttons (Apple Pay, Google Pay, Link) at checkout. The fixes make partial refunds return gift-card and loyalty value in exact proportion, make inventory and quote state transitions race-proof under concurrency, gate the privacy export/erasure routes behind the operator role matrix, and harden the audit log, gift-card ledger, session revocation, and magic-link throttling. Upgrade applies six new D1 migrations and adds one optional environment variable for Apple Pay. **Added:** *Order timeline on the admin order screen* — /admin/orders/:id now shows one chronological feed of the whole order story — state changes, payments and refunds, shipments and carrier tracking events, customer-service notes, returns, and shipping labels — instead of separate panels. Each source is optional; an unwired source simply drops out of the feed. Wire orderTimeline into admin.mount to enable it. · *New-order inbox with an unread badge* — When an order is paid, an entry lands in a new in-console inbox at /admin/inbox and the admin navigation shows an unread count, so a sale is visible on the next page load without polling. Mark a message read once actioned, or archive it. The inbox is addressed to a role broadcast, so a single shared-credential console still sees the badge. Wire operatorInbox into admin.mount to enable it. · *Partial refunds from the browser* — The order screen gains a Refunds panel: enter an amount and the framework charges it back through the payment provider, validates it server-side, and caps it at the order's remaining balance — an over-refund is refused before any money moves. The provider call is keyed so a double-click cannot refund twice. A refund that clears the balance moves the order to refunded; a smaller refund leaves it on its current track and records the slice. · *Customer receipt download* — A customer can download a receipt for their own order from the order page. The document streams in chunks rather than buffering, and the route is gated to the order's owner (and guest-order token holders, matching the existing order-page guard). · *Customer suggestion board* — Shoppers can submit and vote on product and feature ideas at /suggestions (linked from the footer). Operators triage from a new admin console: respond, move ideas along a status flow, merge duplicates, flag spam, or archive. Submissions are rate-limited and bot-guarded, the submitter's email is hashed before storage, and all free text is escaped on both the public board and the admin screen. · *Operator-curated storefront sidebar widgets* — Operators can place an ordered set of sidebar content blocks (newsletter signup, trust badges, social proof, size chart, countdown, featured collection, and more) per page across product, cart, search, and collection pages. The content is operator-authored and global, so it renders identically from the edge cache and the container. Manage widgets and per-page placement from the new Sidebar widgets admin screen. · *Stripe wallet checkout (Apple Pay, Google Pay, Link)* — The pay page now offers the Stripe Express Checkout Element, surfacing the wallet buttons a shopper's browser supports against the existing PaymentIntent. It degrades to the card form when no wallet is available or when payments are unconfigured. Apple Pay additionally needs the domain-association file served (see Migration) and each web domain registered with Stripe. · *Email-change guidance on the profile screen* — The profile screen now explains that a sign-in email cannot be changed in place: addresses are stored as a hash by design, so changing one means re-registering. The copy states what is and is not possible and why, rather than leaving the field unexplained. **Fixed:** *Partial refunds return gift-card and loyalty value in proportion* — A partial refund previously re-minted the entire gift-card spend and clawed back 100% of earned loyalty points the moment the order reached the refunded state, and restored nothing on a smaller slice — so a buyer could keep goods plus the full re-minted gift-card balance. Refunds now re-mint gift-card spend, claw earned loyalty, and restore redeemed loyalty points in exact proportion to the amount refunded, and a partial-then-final refund sequence converges on exactly the amount returned. · *Redeemed loyalty points are restored on refund* — Loyalty points spent as a checkout tender were never returned when the order was refunded, even though gift-card spend was — an inconsistency that cost the customer. Redeemed points are now restored on refund, in proportion to the refunded amount. · *Referral rewards reverse on refund or cancel* — A referral's qualifying first order being refunded or cancelled now rolls back the both-rewarded completion and decrements the referrer's leaderboard count, closing a buy-then-refund reward-farming path. The reversal is claimed once so a re-delivered refund webhook cannot double-reverse. · *Inventory and quote state transitions are race-proof* — Stock-transfer reconcile, inventory receive and reverse, write-off reversal, allocation commit, cycle-count finalize, and quote accept and convert all read state and then mutated it without an atomic guard, so two concurrent calls could both proceed — double-crediting a destination shelf, double-restocking, or minting two orders from one quote. Each transition now claims its state atomically and proceeds only if it won the claim. The stock-transfer and inventory-receipt lifecycles are additionally validated against a declared state machine. **Security:** *Privacy export and erasure now enforce the operator role matrix* — The data-subject export (full customer PII) and erasure routes did not pass through the role check every other mutating admin route uses, so a read-only viewer could export a customer's data and run an irreversible erasure. Both are now gated by the role matrix, and the mutating admin routes were swept to confirm each maps to a required permission. · *Operator audit log no longer self-reports tampering under concurrency* — Two operator actions recorded at the same instant could each read the same chain head and append rows sharing one previous-hash, forking the tamper-evident chain so verification reported a break where no tampering occurred. Audit appends are now serialized per chain, so the hash chain stays linear under concurrent writes. · *Gift-card ledger is now tamper-evident* — The gift-card balance ledger carried no cryptographic linkage, so a direct database edit that inflated a balance or dropped a debit passed balance reads undetected. Each ledger row now carries a per-card hash chain (the same construction the operator audit log uses), and a verification pass surfaces any insert, rewrite, reorder, or deletion. · *Erasure, passkey-revoke, and sign-out terminate live sessions* — The sealed sign-in cookie is self-validating for up to 14 days, so an erased or anonymized account stayed usable until the cookie expired. A per-customer session boundary now lets erasure, passkey revocation, and explicit sign-out invalidate every cookie minted before the boundary. A customer with no boundary is unaffected, so upgrading does not sign anyone out. · *Marketing email honors the suppression list everywhere* — Wishlist price-drop and back-in-stock alerts did not consult the marketing suppression list, and a newsletter one-click unsubscribe recorded the opt-out without adding the address to suppressions — so a hard-bounced, complained, or unsubscribed address could still be mailed by another flow. Both paths now consult and feed the suppression list, matching the transactional and campaign paths. · *Per-recipient throttle on magic-link sign-in* — Magic-link minting was throttled per source address only, so a distributed source could email-bomb one victim's inbox. A per-recipient limit now caps how often a link can be sent to a single address, alongside the existing per-source limit. · *Strict validation of inbound webhook idempotency keys* — The inbound webhook idempotency key was validated against a broad printable-ASCII pattern that accepted path-traversal shapes. It now uses the framework's strict idempotency-key guard, which refuses slash, backslash, and dot-dot sequences. The strict profile permits a space (harmless in the parameterized lookup) while refusing the traversal shapes. **Migration:** *Six new D1 migrations* — 0220 adds the gift-card ledger hash-chain columns; 0221, 0223, 0224, and 0225 add proportional-reversal tracking to gift-card redemptions, loyalty transactions, the loyalty earn log, and referral invitations; 0222 adds the per-customer session-revocation boundary table. All apply cleanly over existing rows (new columns default to nothing-reversed-yet; the revocation table is empty, which is the default-allow state). Run pending migrations and sync theme assets as usual. · *Optional APPLE_PAY_DOMAIN_ASSOCIATION environment variable* — To show the Apple Pay wallet button, set APPLE_PAY_DOMAIN_ASSOCIATION to the file contents Stripe provides (Stripe owns Apple merchant validation, so no Apple Developer account is needed) and register each web domain with Stripe. The shop serves the value verbatim at /.well-known/apple-developer-merchantid-domain-association on both the edge and container. Unset, the path returns 404 and the Apple Pay button stays hidden; card, Google Pay, Link, and PayPal are unaffected.
 
 - v0.4.23 (2026-06-06) — **A stolen sign-in cookie stops working on another device, payment-provider outages fail fast and recover, replayed payment webhooks are refused, and the staff audit log is rewrite-evident.** A security-hardening release. The signed-in session cookie now carries a device fingerprint — a cookie lifted from one browser softly signs out instead of working anywhere for two weeks. Payment-provider calls run behind a circuit breaker, so a provider brown-out fails fast into the existing payment-unavailable page and recovers automatically instead of hanging every checkout. A captured payment-webhook payload can no longer be replayed inside the signature tolerance window. And the staff-activity audit log is anchored with post-quantum checkpoint signatures, with a verification endpoint that detects any rewrite of its history. **Security:** *The sign-in cookie is pinned to the device that signed in* — The signed-in session cookie was tamper-proof but portable — exfiltrated once, it worked from any device until expiry. Signing in now embeds a fingerprint of the signing-in browser inside the sealed cookie, and every authenticated request re-checks it in constant time. A mismatch signs the visitor out gently to the sign-in page rather than failing the request mid-page; network changes don't trip it (the fingerprint deliberately excludes the IP address), and sessions issued before this release continue to work until they expire naturally. · *Payment-provider calls are circuit-broken and retried where safe* — A payment-provider brown-out previously failed every checkout serially, each waiting out the full network timeout. Provider calls now run behind a circuit breaker: repeated failures trip it, subsequent checkouts fail fast into the existing payment-unavailable page, and the circuit closes again when the provider recovers. Idempotent calls — reads and writes carrying an idempotency key — retry through brief blips; non-idempotent calls never retry. The TLS configuration for provider connections is unchanged. · *Replayed payment webhooks are refused* — A captured, validly-signed payment-webhook payload could be replayed within the signature timestamp tolerance and re-drive order transitions. Each event is now recorded on first receipt and a replay of the same event answers as an already-processed no-op — enforced with a single atomic write, so two concurrent deliveries of the same event also collapse to one. Replay records expire with the signature tolerance window. · *The staff audit log detects history rewrites* — Staff-activity audit rows were hash-linked, which catches tampering with a single row but not a consistent rewrite of the whole chain. The chain is now anchored with periodic checkpoint signatures (ML-DSA, the same signing the framework audit chain uses), and `/admin/operators/audit/verify` reports both link integrity and checkpoint verification — a rewritten history fails the check. Stores that disable destructive operations behind a second approver were also evaluated: with one active operator the gate would deadlock the store, so gift-card voids, refunds, and operator disables remain single-approver — role-gated, bounded, reversible, and audited — with the stance and its revisit condition documented in the module.

package/README.md

@@ -69,7 +69,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/delivery-estimate.js`** | "Get it by <date>" promises. Operators define carrier transit times, warehouse cutoffs, holidays, and postal-prefix zones at `/admin/delivery-estimates`; the product and cart pages then show a signed-in customer a delivery date computed against their saved shipping address and the configured origin (`SHOP_ESTIMATE_ORIGIN` or the `shop.estimate_origin` config row). Anonymous, edge-cached pages deliberately render no date — estimates are destination-specific and never bake into the shared cache. Unconfigured stores render nothing, never an error. |
 | **`lib/promo-banners.js`** | Placement-targeted marketing banners (top strip, homepage hero, PDP-side, cart-side, empty-search, footer) with schedule windows, audience targeting, themes, priorities, and click/impression counts. Authored at `/admin/promo-banners`; rendered on both substrates with edge-cache-safe resolution. |
 | **`lib/payment.js`** | Payment adapters — **Stripe** (verify webhook HMAC-SHA256 via upstream `b.webhook.verify`, create / retrieve / confirm / cancel PaymentIntent, refund, register / list payment-method domains for Apple/Google Pay) and **PayPal** (`adapter: "paypal"` — OAuth2 client-credentials token, create / capture / get / refund Orders v2, webhook verify via PayPal's verify-webhook-signature API). No `stripe` / `paypal` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
-| **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. |
+| **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. Guest orders carry the buyer's email as a one-way hash and attach to a customer account when a verified sign-in (passkey / Google / Apple) proves ownership of the same address — never from email knowledge alone — after which they appear in the account's order history. |
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` validates the ship-to address (real ISO 3166-1 country; US/CA state + ZIP/postal formats; lenient elsewhere) and the customer email shape, then creates a Stripe PaymentIntent + persists order pending; `handleStripeEvent()` verifies webhook + fires the FSM transition. PayPal path: `createPaypalOrder()` opens a PayPal order + persists pending, `capturePaypalOrder()` captures → paid, `handlePaypalEvent()` is the webhook backstop. All idempotent on re-delivery. |
 | **`lib/email.js`** | Transactional templates — order receipt, ship notification, refund confirmation, wishlist price-drop, abandoned-cart, review request, back-in-stock, **wishlist digest** (the periodic saved-items rollup, rendered per-line from the structured digest so every title / price is independently escaped), and **email magic-link sign-in**. Strict `{{var}}` renderer with HTML escape + refusal of unknown / unused placeholders. Composed on `b.mail` (DKIM/SPF/DMARC/BIMI upstream). |
 | **`lib/storefront.js`** | Server-rendered HTML — utility bar + sticky header + dark hero with code-preview card + primitives marquee + featured-product callout + collections grid + framework feature band + designed catalog grid + newsletter band + four-column footer. Designed surfaces also for PDP, cart, checkout, pay, order, account login / register / dashboard, quote review / accept, search results, `/admin` API landing, 404. Image-bearing cards on the home + search grids pull from `catalog.media`. The default theme stylesheet is external (R2-served `themes/default/assets/css/main.css`) and CSP-compliant; the typeface (Inter / Inter Tight) is self-hosted from `themes/default/assets/fonts`, so no page loads a cross-origin font. Operators override by uploading a replacement at the same key, by passing `opts.theme_css` to renderers, or by registering a named theme through the `theme` primitive. |

package/SECURITY.md

@@ -142,7 +142,12 @@ node -e "
   ticks): those paths skip the bot guard's browser-fingerprint
   heuristics — the Worker's machine-to-machine calls carry no browser
   headers — so the constant-time secret check is the deciding gate,
-  and an unauthenticated caller gets a 401. Generate ≥ 32 bytes of OS
+  and an unauthenticated caller gets a 401. The Worker also verifies
+  the same secret on these cron/event POSTs before forwarding them, so
+  a forged public request is refused at the edge before it reaches the
+  container (the edge check is skipped when the secret is unset, so a
+  deployment that hasn't wired it still forwards rather than dropping
+  every scheduled task). Generate ≥ 32 bytes of OS
   randomness and set the value identically on the Worker (`wrangler
   secret put D1_BRIDGE_SECRET`) and the container env. Rotate
   quarterly or after any Worker-credential compromise.
@@ -293,6 +298,33 @@ node -e "
   (success / failure / denied) and paginated. Opening the log is itself
   recorded (an `audit.read` row), so reviewing the audit trail leaves
   its own forensic mark.
+- **Privacy exports hold the whole record; erasure states a basis per
+  domain.** A subject-access export walks every table that keys a row
+  by the customer — identity, orders, subscriptions, addresses, saved
+  payment-method metadata, support tickets, loyalty, reviews, the
+  consent ledger, wishlist, surveys, recently-viewed, suggestion-box
+  submissions, the save-for-later list, and the store-credit ledger —
+  so the bundle is the full record, not just the order/identity core.
+  The bundle carries a completeness manifest: every in-scope domain is
+  marked exported, empty, or absent, so a domain whose reader isn't
+  wired is visible rather than silently dropped. Erasure deletes the
+  pure-personalization domains (wishlist, recently-viewed, save-for-
+  later), anonymizes the suggestion-box rows in place (both identity
+  keys cleared, the de-identified text left as roadmap signal), revokes
+  every sign-in path and anonymizes the customer profile, and RETAINS
+  the records a controller keeps under a legal-obligation / accounting
+  basis (orders, loyalty ledger, store-credit ledger, consent
+  evidence, published reviews) — each with a stated basis in the
+  per-domain result. Preview a deletion with the dry-run flag to see
+  the blast radius before the irreversible call.
+- **HSTS on every TLS response, edge and container.** Both substrates
+  send `Strict-Transport-Security: max-age=63072000; includeSubDomains;
+  preload` (two years, above the preload-list minimum). The container
+  emits it behind the Cloudflare proxy by trusting the Worker-set
+  `X-Forwarded-Proto`, so a direct-to-container or edge-render-off
+  response carries the same header the edge sends; a plain-HTTP request
+  (local dev, direct non-TLS) omits it, which user agents ignore over
+  HTTP anyway.
 - **Email deliverability — SPF / DKIM / DMARC + one-click unsubscribe.**
   Transactional and broadcast mail is composed on `b.mail`, which signs
   each message with DKIM, but the receiving server still rejects or

package/lib/admin.js

@@ -98,30 +98,52 @@ var _errorLogSink = null;
 // the verb itself, not merely hidden in the nav. Read routes (`R`, no
 // audit action) demand no permission beyond a valid credential.
 
-// The three built-in roles and their permission grants. `owner` holds the
-// full set including operator management; `manager` covers catalog /
-// orders / customers / marketing writes; `viewer` is read-only — it holds
-// NO write permission, so every `W`-wrapped route refuses it. The role set
-// is the v1-defensible surface; operators wanting finer-grained custom
-// roles compose lib/operator-roles.js on top.
-var OPERATOR_PERMISSIONS = Object.freeze([
-  "catalog.write",   // products, variants, prices, media, inventory, collections, merchandising, marketing content
-  "orders.write",    // orders, returns, exchanges, refunds, fulfilment, exports, quotes, gift cards
-  "customers.write", // customer records, segments, notes, store credit
-  "settings.write",  // shop configuration
-  "operators.manage", // create / disable / re-role other operators
-]);
-
-var ROLE_GRANTS = Object.freeze({
-  owner:   Object.freeze(OPERATOR_PERMISSIONS.slice()),
-  manager: Object.freeze(["catalog.write", "orders.write", "customers.write"]),
-  viewer:  Object.freeze([]),
+// The three built-in roles, declared as a `b.permissions` registry. The
+// registry gives role inheritance (owner ⊃ manager ⊃ viewer), wildcard
+// scope coverage, and boot-time validation — a typo in a scope string, an
+// unknown `extends` target, or a cycle throws at module-eval rather than
+// silently mis-granting on the first request. `owner` holds the full set
+// including operator management plus the `*` root scope (so it grants the
+// owner-only fallback below); `manager` covers catalog / orders / customers
+// / marketing writes; `viewer` is read-only — it holds NO write scope, so
+// every `W`-wrapped route refuses it. The role set is the v1-defensible
+// surface; operators wanting finer-grained custom roles compose
+// lib/operator-roles.js on top.
+//
+// Scope strings use `:` segments (the matcher's wildcard syntax —
+// `b.permissions` rejects `.`-separated scopes). The action→permission map
+// below still names the operator-facing permission in `domain.write` dot
+// form (what an auditor reads in the denial row); `_scopeFor` translates
+// the dotted name to its `:` scope at the single check boundary.
+var _perms = b.permissions.create({
+  roles: {
+    viewer:  [],
+    manager: { extends: ["viewer"], permissions: ["catalog:write", "orders:write", "customers:write"] },
+    // `*` is the root-greedy scope — it covers every required scope,
+    // INCLUDING the owner-only fallback (`owner:only`) that an unmapped
+    // mutating action resolves to. A manager never holds `*`, so a new,
+    // un-mapped write route is owner-reachable only — fail-closed.
+    owner:   { extends: ["manager"], permissions: ["settings:write", "operators:manage", "*"] },
+  },
 });
 
+// Role-existence check (replaces the old ROLE_GRANTS-keyed lookup). The
+// sealed-cookie path falls back to viewer for any role this registry
+// doesn't know.
+function _knownRole(role) { return typeof role === "string" && _perms.has(role); }
+
+// The owner-only fallback permission. An action whose prefix is NOT in
+// `_ACTION_PERMISSION` resolves here, so a newly-added W()-route nobody
+// maps requires the owner role rather than the broad (manager-grantable)
+// merchandising write. The dotted name is what the denial audit records;
+// it maps to the `owner:only` scope only `owner` (via `*`) can match.
+var OWNER_ONLY_PERMISSION = "owner.only";
+
 // Map a `W(...)` audit-action's first segment to the permission it
 // requires. Every mutating admin route is covered; an action whose prefix
-// is not listed falls back to `catalog.write` (the broad merchandising
-// grant) so a newly-added write route is gated rather than silently open.
+// is not listed FAILS CLOSED to the owner-only fallback (not the broad
+// merchandising write) so a newly-added write route is owner-reachable
+// only until it's mapped to the role that should hold it.
 var _ACTION_PERMISSION = Object.freeze({
   // catalog / merchandising / marketing content
   product: "catalog.write", variant: "catalog.write", price: "catalog.write",
@@ -131,7 +153,7 @@ var _ACTION_PERMISSION = Object.freeze({
   gift: "catalog.write", preorder: "catalog.write", quantity_discount: "catalog.write",
   auto_discount: "catalog.write", coupon_policy: "catalog.write",
   promo_banner: "catalog.write", announcement: "catalog.write", blog: "catalog.write",
-  suggestion: "catalog.write", sidebar_widget: "catalog.write",
+  email_campaign: "catalog.write", suggestion: "catalog.write", sidebar_widget: "catalog.write",
   page: "catalog.write", help: "catalog.write", survey: "catalog.write",
   hours: "catalog.write", delivery_holiday: "catalog.write",
   delivery_transit: "catalog.write", tax_rate: "catalog.write",
@@ -153,21 +175,32 @@ var _ACTION_PERMISSION = Object.freeze({
   operator: "operators.manage",
 });
 
+// Translate an operator-facing `domain.write` permission name to the
+// `b.permissions` `:` scope the registry matches on. The owner-only
+// fallback maps to `owner:only` — a scope only the `*`-holding owner role
+// covers.
+function _scopeFor(permission) {
+  if (permission === OWNER_ONLY_PERMISSION) return "owner:only";
+  return permission.replace(/\./g, ":");
+}
+
 // Permission a `W(auditAction, ...)` route requires, derived from the
-// action's first dotted segment. Unmapped prefixes default to the broad
-// merchandising write so an un-mapped new route fails closed for viewers.
+// action's first dotted segment. Unmapped prefixes FAIL CLOSED to the
+// owner-only fallback so an un-mapped new route can't be reached by a
+// manager — it requires the owner role (or an explicit map entry).
 function _permissionForAction(auditAction) {
-  if (typeof auditAction !== "string" || !auditAction.length) return "catalog.write";
+  if (typeof auditAction !== "string" || !auditAction.length) return OWNER_ONLY_PERMISSION;
   var seg = auditAction.split(".")[0];
-  return _ACTION_PERMISSION[seg] || "catalog.write";
+  return _ACTION_PERMISSION[seg] || OWNER_ONLY_PERMISSION;
 }
 
-// True when `role` grants `permission`. The owner role always grants
-// everything; an unknown role grants nothing (fails closed).
+// True when `role` grants `permission`. Delegates to the `b.permissions`
+// registry: the owner role holds `*` (grants everything including the
+// owner-only fallback), manager inherits viewer + its three writes, viewer
+// holds nothing, and an unknown role grants nothing (fails closed).
 function _roleGrants(role, permission) {
-  var grants = ROLE_GRANTS[role];
-  if (!grants) return false;
-  return grants.indexOf(permission) !== -1;
+  if (!_knownRole(role)) return false;
+  return _perms.check({ roles: [role] }, _scopeFor(permission));
 }
 
 // Per-request store for the double-submit CSRF token. The admin console is
@@ -610,7 +643,7 @@ async function _resolveActor(req, authCtx) {
   // No accounts handle wired but the cookie names an operator — treat the
   // sealed claim's role as authoritative (the cookie is vault-sealed, so it
   // can't be forged); fail closed to viewer if the role is unexpected.
-  var role = ROLE_GRANTS[claims.role] ? claims.role : "viewer";
+  var role = _knownRole(claims.role) ? claims.role : "viewer";
   return { kind: "operator", operator_id: String(claims.operator_id), role: role, via: "operator_cookie" };
 }
 
@@ -14186,16 +14219,21 @@ function renderAdminConfirm(opts) {
 // 403 page shown when a signed-in operator's role does not grant the
 // permission a browser-form mutation requires. The required permission is
 // stated plainly so the operator knows what to ask the owner for. `perm`
-// is one of the closed OPERATOR_PERMISSIONS tokens (never untrusted), but
-// it is escaped anyway to keep the render escape-by-default.
+// is one of the closed `_ACTION_PERMISSION` tokens or the owner-only
+// fallback (never untrusted), but it is escaped anyway to keep the render
+// escape-by-default.
 function _renderAdminForbidden(shopName, navAvailable, perm) {
   var name = shopName || "blamejs.shop";
+  // The owner-only fallback has no operator-friendly grant name — an
+  // un-mapped action is owner-reachable only — so render its requirement
+  // as "owner" rather than the internal `owner.only` token.
+  var permLabel = perm === OWNER_ONLY_PERMISSION ? "owner" : (perm || "");
   var body =
     "<section class=\"mw-42\">" +
       "<h2>Not permitted</h2>" +
       "<div class=\"banner banner--err\">Your role does not permit this action.</div>" +
       "<div class=\"panel\">" +
-        "<p>This action requires the <code>" + _htmlEscape(perm || "") + "</code> permission. " +
+        "<p>This action requires the <code>" + _htmlEscape(permLabel) + "</code> permission. " +
         "Ask an owner to grant your account a role that includes it.</p>" +
         "<a class=\"btn btn--ghost\" href=\"/admin\">Back to dashboard</a>" +
       "</div>" +
@@ -16763,6 +16801,23 @@ function _dsrPillClass(status) {
 // Operator queue. Status chips filter the board; each row links to the
 // request detail. Renders the customer (short id), kind, jurisdiction,
 // scope, status pill, and when it was requested.
+// Render the statutory-deadline cell for a DSR row. The deadline is the
+// derived `statutory_deadline` the primitive computes from jurisdiction +
+// requested_at (GDPR one month, CCPA 45 days, LGPD 15 days; null for a
+// jurisdiction with no statutory clock). For an OPEN request (received /
+// processing) an elapsed wall is flagged "overdue"; a closed request shows
+// the date plainly (the clock no longer runs against the controller).
+function _dsrDeadlineCell(r) {
+  var d = r && r.statutory_deadline;
+  if (!d || typeof d.due_by !== "number") return "<span class=\"meta\">—</span>";
+  var dateStr = _htmlEscape(_fmtDate(d.due_by));
+  var open = r.status === "received" || r.status === "processing";
+  if (open && Date.now() > d.due_by) {
+    return "<span class=\"status-pill cancelled\" title=\"" + _htmlEscape(d.statute) + "\">overdue · " + dateStr + "</span>";
+  }
+  return "<span title=\"" + _htmlEscape(d.statute) + "\">" + dateStr + "</span>";
+}
+
 function renderAdminDsr(opts) {
   opts = opts || {};
   var requests = opts.requests || [];
@@ -16783,11 +16838,12 @@ function renderAdminDsr(opts) {
       "<td>" + _htmlEscape(r.scope || "—") + "</td>" +
       "<td><span class=\"status-pill " + _dsrPillClass(r.status) + "\">" + _htmlEscape(r.status) + "</span></td>" +
       "<td>" + _htmlEscape(_fmtDate(r.requested_at)) + "</td>" +
+      "<td>" + _dsrDeadlineCell(r) + "</td>" +
       "</tr>";
   }).join("");
 
   var table = requests.length
-    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Customer</th><th scope=\"col\">Kind</th><th scope=\"col\">Jurisdiction</th><th scope=\"col\">Scope</th><th scope=\"col\">Status</th><th scope=\"col\">Requested</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Customer</th><th scope=\"col\">Kind</th><th scope=\"col\">Jurisdiction</th><th scope=\"col\">Scope</th><th scope=\"col\">Status</th><th scope=\"col\">Requested</th><th scope=\"col\">Statutory deadline</th></tr></thead><tbody>" + rows + "</tbody></table>") + "</div>"
     : "<p class=\"empty\">No “" + _htmlEscape(active) + "” privacy requests.</p>";
 
   var body = "<section><h2>Privacy requests</h2>" +
@@ -16901,6 +16957,9 @@ function renderAdminDsrDetail(opts) {
       "<div class=\"two-col\">" +
         "<div class=\"panel\"><h3 class=\"subhead\">Details</h3>" +
           _field("Jurisdiction", r.jurisdiction) +
+          _field("Statutory deadline", r.statutory_deadline
+            ? _fmtDate(r.statutory_deadline.due_by) + " (" + r.statutory_deadline.statute + ")"
+            : null) +
           _field("Scope", r.scope) +
           _field("Reason", r.reason) +
           _field("Dismiss reason", r.dismiss_reason) +
@@ -22856,6 +22915,13 @@ function renderAdminProduct(opts) {
 module.exports = {
   mount:           mount,
   AUDIT_NAMESPACE: AUDIT_NAMESPACE,
+  // RBAC introspection — the action→permission resolver + the role-grant
+  // predicate the `_wrap` chokepoint uses, surfaced so a test can pin the
+  // fail-closed boundary (an unmapped mutating action is owner-only) without
+  // standing up a live route for every possible un-mapped prefix.
+  _permissionForAction: _permissionForAction,
+  _roleGrants:          _roleGrants,
+  _OWNER_ONLY_PERMISSION: OWNER_ONLY_PERMISSION,
   renderDashboard: renderDashboard,
   renderAdminAnalytics:    renderAdminAnalytics,
   renderAdminLogin:        renderAdminLogin,

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.24",
+  "version": "0.4.26",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",
@@ -38,8 +38,8 @@
       "fingerprinted": "js/passkey-register.02b0e196fb9608d8.js"
     },
     "js/pay-trusted-types.js": {
-      "integrity": "sha384-jD90N8l7J3Vcu+aPSFRi6AE/5XKHQl58/avwHE9PH0mHwMavX991OCsEcznEf3n5",
-      "fingerprinted": "js/pay-trusted-types.53d0df13f9480a66.js"
+      "integrity": "sha384-h+/EjwX7ee88MouudamS26SgRg1bUXasRs9qD0Wcg6bGkK51CluebA3iATzedwdz",
+      "fingerprinted": "js/pay-trusted-types.08dc910a5c35d38a.js"
     },
     "js/pay.js": {
       "integrity": "sha384-W11JVQhv1RZq4WhsAOglu56gTZTDz1ByLd+b1HFQBCi8xGoEhJ0PZ2yI3FqbYzt6",

package/lib/compliance-export.js

@@ -11,9 +11,10 @@
  *   The primitive owns the request lifecycle + composes per-domain
  *   readers (customers, order, order-notes, subscriptions,
  *   addresses, payment-methods, support-tickets, loyalty, reviews,
- *   consent ledger, wishlist, surveys, recently-viewed) to assemble
- *   the bundle — every table that keys a row by the customer, so the
- *   export holds the whole record, not just the order/identity core.
+ *   consent ledger, wishlist, surveys, recently-viewed, suggestion
+ *   box, save-for-later, store credit) to assemble the bundle —
+ *   every table that keys a row by the customer, so the export holds
+ *   the whole record, not just the order/identity core.
  *   Delivery (email / signed URL / secure
  *   download portal) is the operator worker's concern — this
  *   primitive returns the bundle as structured JSON and stamps
@@ -83,7 +84,8 @@
  *                          orders, subscriptions, addresses, payment
  *                          methods, support tickets, loyalty, reviews,
  *                          consent ledger, wishlist, surveys,
- *                          recently-viewed).
+ *                          recently-viewed, suggestion box,
+ *                          save-for-later, store credit).
  *     - `orders_only`    — only `order` + `orderNotes` contribute;
  *                          identity / loyalty / subscriptions /
  *                          addresses / payment methods / support
@@ -101,7 +103,7 @@
  * @related    customers, order, orderNotes, subscriptions, addresses,
  *             paymentMethods, supportTickets, loyalty, reviews,
  *             consentLedger, wishlist, customerSurveys, recentlyViewed,
- *             orderExport
+ *             suggestionBox, saveForLater, storeCredit, orderExport
  */
 
 var b = require("./vendor/blamejs");
@@ -115,6 +117,48 @@ var STATUSES       = Object.freeze([
   "received", "processing", "fulfilled", "delivered", "dismissed",
 ]);
 
+// Statutory response window per jurisdiction — the clock a supervisory
+// authority measures the controller against once a subject files the
+// request. The deadline is `requested_at + days`. GDPR Art. 12(3): one
+// month from receipt (encoded as 30 days — the controller-defensible
+// reading; extendable by two further months for complex requests, which an
+// operator records out of band). CCPA Cal. Civ. Code §1798.130(a)(2): 45
+// days (one 45-day extension permitted). LGPD Art. 19 §II / §3: 15 days for
+// the full declaration. `other` carries no statutory clock — the operator's
+// own SLA governs, so no deadline is surfaced rather than inventing one.
+//
+// This is the DSR-response analogue of b.breach.deadline (which encodes the
+// US-state breach-NOTIFICATION statutes — a different clock with different
+// citations); a subject-access response window has no entry in that
+// registry, so the per-jurisdiction window lives here keyed to the same
+// jurisdiction vocabulary the request rows already carry.
+var DSR_RESPONSE_WINDOW = Object.freeze({
+  gdpr: Object.freeze({ days: 30, statute: "GDPR Art. 12(3) (one month from receipt)" }),
+  ccpa: Object.freeze({ days: 45, statute: "Cal. Civ. Code §1798.130(a)(2)" }),
+  lgpd: Object.freeze({ days: 15, statute: "LGPD Art. 19 §II" }),
+  other: null,   // operator SLA governs — no statutory clock to surface
+});
+
+var MS_PER_DAY = b.constants.TIME.days(1);
+
+// Compute the statutory response deadline for a DSR request. Returns null
+// for a jurisdiction with no statutory clock (`other`) or a non-finite
+// requested-at. The shape mirrors b.breach.deadline.forStates entries —
+// `{ jurisdiction, days, due_by, statute }` — so a future operator clock
+// (b.breach.deadline.createClock-style escalation) can adapt it without a
+// reshape.
+function _statutoryDeadline(jurisdiction, requestedAtMs) {
+  var win = DSR_RESPONSE_WINDOW[jurisdiction];
+  if (!win) return null;
+  if (typeof requestedAtMs !== "number" || !isFinite(requestedAtMs)) return null;
+  return {
+    jurisdiction: jurisdiction,
+    days:         win.days,
+    due_by:       requestedAtMs + (win.days * MS_PER_DAY),
+    statute:      win.statute,
+  };
+}
+
 var MAX_REASON_LEN          = 4000;
 var MAX_DISMISS_REASON_LEN  = 4000;
 var MAX_DELIVERY_METHOD_LEN = 64;
@@ -146,6 +190,11 @@ var SCOPE_SECTIONS = Object.freeze({
     "customers", "addresses", "order", "orderNotes",
     "subscriptions", "paymentMethods", "supportTickets", "loyalty",
     "reviews", "consentLedger", "wishlist", "surveys", "recentlyViewed",
+    // Customer-authored feedback (ideas + complaints, keyed by id or a
+    // hashed email), the save-for-later holdover list, and the store-
+    // credit wallet ledger — each keys a row by the customer, so a
+    // subject-access export holds them too.
+    "suggestionBox", "saveForLater", "storeCredit",
   ]),
   orders_only: Object.freeze(["order", "orderNotes"]),
   identity_only: Object.freeze(["customers", "addresses"]),
@@ -264,6 +313,7 @@ function _isEmptySection(section) {
 
 function _hydrate(r) {
   if (!r) return null;
+  var requestedAt = Number(r.requested_at);
   return {
     id:               r.id,
     customer_id:      r.customer_id,
@@ -272,13 +322,19 @@ function _hydrate(r) {
     scope:            r.scope == null ? null : r.scope,
     status:           r.status,
     requested_by:     r.requested_by,
-    requested_at:     Number(r.requested_at),
+    requested_at:     requestedAt,
     fulfilled_at:     r.fulfilled_at == null ? null : Number(r.fulfilled_at),
     delivered_at:     r.delivered_at == null ? null : Number(r.delivered_at),
     dismiss_reason:   r.dismiss_reason == null ? null : r.dismiss_reason,
     delivery_method:  r.delivery_method == null ? null : r.delivery_method,
     delivery_address: r.delivery_address == null ? null : r.delivery_address,
     reason:           r.reason == null ? null : r.reason,
+    // Derived: the statutory response deadline the supervisory authority
+    // measures against (computed from jurisdiction + requested_at, never
+    // persisted — so it always reflects the current registry). Null for a
+    // jurisdiction with no statutory clock. The admin DSR console surfaces
+    // `due_by` so an operator sees the wall before it elapses.
+    statutory_deadline: _statutoryDeadline(r.jurisdiction, requestedAt),
   };
 }
 
@@ -312,6 +368,9 @@ function create(opts) {
     wishlist:       opts.wishlist       || null,
     surveys:        opts.surveys        || null,
     recentlyViewed: opts.recentlyViewed || null,
+    suggestionBox:  opts.suggestionBox  || null,
+    saveForLater:   opts.saveForLater   || null,
+    storeCredit:    opts.storeCredit    || null,
   };
 
   // ---- requestExport -------------------------------------------------
@@ -560,9 +619,10 @@ function create(opts) {
     }
 
     var domainOrder = [
-      "recentlyViewed", "wishlist", "surveys", "reviews", "consentLedger",
+      "recentlyViewed", "wishlist", "saveForLater", "suggestionBox",
+      "surveys", "reviews", "consentLedger",
       "supportTickets", "orderNotes", "order", "subscriptions",
-      "paymentMethods", "loyalty", "addresses", "customers",
+      "paymentMethods", "loyalty", "storeCredit", "addresses", "customers",
     ];
     var perDomain     = [];
     var domainsAbsent = [];
@@ -658,10 +718,15 @@ function create(opts) {
 }
 
 module.exports = {
-  create:         create,
-  REQUEST_KINDS:  REQUEST_KINDS,
-  JURISDICTIONS:  JURISDICTIONS,
-  SCOPES:         SCOPES,
-  STATUSES:       STATUSES,
-  SCOPE_SECTIONS: SCOPE_SECTIONS,
+  create:               create,
+  REQUEST_KINDS:        REQUEST_KINDS,
+  JURISDICTIONS:        JURISDICTIONS,
+  SCOPES:               SCOPES,
+  STATUSES:             STATUSES,
+  SCOPE_SECTIONS:       SCOPE_SECTIONS,
+  // DSR statutory response-window registry + the per-request deadline
+  // calculator (the console reads the calculator's `due_by`; tests pin the
+  // per-jurisdiction windows).
+  DSR_RESPONSE_WINDOW:  DSR_RESPONSE_WINDOW,
+  statutoryDeadline:    _statutoryDeadline,
 };

package/lib/order.js

@@ -110,6 +110,14 @@ var ORDER_STATES = Object.freeze([
   "pending", "paid", "fulfilling", "shipped", "delivered", "refunded", "cancelled",
 ]);
 
+// The proof routes a guest-order reconciliation can be attributed to.
+// "verified-email" = an OIDC sign-in whose provider verified the address;
+// "magic-link" = the buyer clicked a sign-in link emailed to the address.
+// Both prove control of the email — the trust anchor for the attach. An
+// unknown linked_via falls back to "verified-email" so a typo can't write
+// an unfiltered audit string.
+var RECONCILE_LINKED_VIA = Object.freeze(["verified-email", "magic-link"]);
+
 // Cursor key for listForCustomer — paginates by (updated_at DESC, id
 // DESC) so a newly transitioned order surfaces at the top of the
 // customer's order history without a stable-id tie-break flake.
@@ -1051,22 +1059,98 @@ function create(opts) {
 
     // Claim guest orders into a customer account by matching the
     // recorded buyer-email hash. The CALLER must only pass a hash for an
-    // email the identity provider VERIFIED — this method does not (and
-    // cannot) re-verify; linking an unverified email would be account
-    // takeover. Only touches orders with no owner yet (customer_id IS
-    // NULL), so it never re-assigns another customer's order. Returns
-    // the count linked.
-    linkGuestOrdersByEmailHash: async function (customerId, emailHash) {
+    // email the identity provider VERIFIED (an OIDC email_verified claim)
+    // or the buyer has otherwise proven control of (clicking an emailed
+    // magic-link) — this method does not (and cannot) re-verify; linking
+    // an unverified email would be account takeover. Only touches orders
+    // with no owner yet (customer_id IS NULL), so it never re-assigns
+    // another customer's order.
+    //
+    // Each newly-attached order also gets one append-only row in
+    // guest_order_reconciliations recording WHEN it was attached, to WHICH
+    // customer, by WHICH proof (linked_via), and the email_hash matched —
+    // so a disputed link is traceable and an operator/DSR review can replay
+    // it without inferring it from a customer_id that was overwritten. The
+    // audit row is the verified linking key only (the plaintext address is
+    // never stored anywhere).
+    //
+    // Idempotent at BOTH layers: the per-order claim-guard UPDATE only
+    // flips a still-unowned order (so a re-run links nothing new), and the
+    // audit INSERT is INSERT-OR-IGNORE against a UNIQUE (order_id,
+    // customer_id) index (so even a forced re-write records nothing new).
+    // The audit table is optional — when the migration hasn't run (a
+    // partial-schema test, or a deploy mid-migration) the INSERT throws and
+    // is swallowed so reconciliation never fails on the audit write; the
+    // attach (the load-bearing effect) still lands.
+    //
+    // `linkedVia` names the proof route — defaulted + constrained to a known
+    // token so a typo can't write an unfiltered string; an unknown value
+    // falls back to "verified-email". Returns the count linked.
+    linkGuestOrdersByEmailHash: async function (customerId, emailHash, opts2) {
       _uuid(customerId, "customer id");
       if (typeof emailHash !== "string" || !emailHash.length) {
         throw new TypeError("order.linkGuestOrdersByEmailHash: emailHash must be a non-empty string");
       }
-      var r = await query(
-        "UPDATE orders SET customer_id = ?1, updated_at = ?2 " +
-        "WHERE customer_id IS NULL AND customer_email_hash = ?3",
-        [customerId, _now(), emailHash],
-      );
-      return Number(r.rowCount || 0);
+      var linkedVia = (opts2 && opts2.linked_via) || "verified-email";
+      if (RECONCILE_LINKED_VIA.indexOf(linkedVia) === -1) linkedVia = "verified-email";
+
+      // The candidate set: every still-unowned order placed under this
+      // verified email. Claiming per-id (not one bulk UPDATE) is what lets
+      // the audit trail name the exact orders attached AND keeps the attach
+      // race-safe — a concurrent reconciliation for the same email can't
+      // double-claim because each UPDATE re-checks customer_id IS NULL.
+      var candidates = (await query(
+        "SELECT id FROM orders WHERE customer_id IS NULL AND customer_email_hash = ?1",
+        [emailHash],
+      )).rows;
+      var linked = 0;
+      for (var i = 0; i < candidates.length; i += 1) {
+        var orderId = candidates[i].id;
+        var ts = _now();
+        // Claim-guard: only flip an order STILL unowned at write time.
+        var upd = await query(
+          "UPDATE orders SET customer_id = ?1, updated_at = ?2 " +
+          "WHERE id = ?3 AND customer_id IS NULL",
+          [customerId, ts, orderId],
+        );
+        if (Number(upd.rowCount || 0) === 0) continue; // lost the race — another writer claimed it.
+        linked += 1;
+        // Append-only audit row. INSERT OR IGNORE against the UNIQUE
+        // (order_id, customer_id) index, so a re-run records nothing new.
+        // Swallowed on a missing-table error so the attach never fails on
+        // the audit write (the attach already landed above).
+        try {
+          await query(
+            "INSERT OR IGNORE INTO guest_order_reconciliations " +
+            "(id, order_id, customer_id, email_hash, linked_via, occurred_at) " +
+            "VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+            [b.uuid.v7(), orderId, customerId, emailHash, linkedVia, ts],
+          );
+        } catch (_e) { /* drop-silent — audit table optional; the attach is the load-bearing effect */ }
+      }
+      return linked;
+    },
+
+    // Every guest order reconciled into a customer account, newest first —
+    // the operator/DSR "how did this order get attached?" view. Returns the
+    // append-only audit rows (order_id, email_hash, linked_via, occurred_at)
+    // for the customer; an account that never claimed a guest order returns
+    // []. Defensive: when the audit table hasn't been migrated yet the read
+    // throws and is collapsed to [] (the feature degrades to "no trail",
+    // never a 500).
+    reconciliationsForCustomer: async function (customerId) {
+      _uuid(customerId, "customer id");
+      try {
+        var rows = (await query(
+          "SELECT id, order_id, customer_id, email_hash, linked_via, occurred_at " +
+          "FROM guest_order_reconciliations WHERE customer_id = ?1 " +
+          "ORDER BY occurred_at DESC, id DESC",
+          [customerId],
+        )).rows;
+        return rows;
+      } catch (_e) {
+        return [];
+      }
     },
 
     // Has this customer purchased this product? True iff an order

package/lib/payment.js

@@ -177,6 +177,56 @@ function _formEncode(obj, prefix) {
   return parts.filter(Boolean).join("&");
 }
 
+// ---- egress hardening + outbound idempotency-key validation ----------------
+//
+// b.httpClient already routes every dial through b.ssrfGuard (private /
+// loopback / link-local / reserved / cloud-metadata IP classes refused) and
+// pins the TCP connect to the guard's resolved IP set even on the PSP path's
+// caller-supplied TLS agent, so DNS rebinding can't flip the answer between
+// check and connect. The remaining gap is a HOST allowlist: nothing today
+// stops an `opts.apiBase` pointed at an unexpected public host (config
+// injection, or a future code path that derives the base from request data)
+// from reaching a non-PSP upstream. We pin `allowedHosts` to the configured
+// PSP host on every dial so a compromised process can only ever talk to the
+// host the adapter was constructed against — defense-in-depth layered on top
+// of the IP-class SSRF gate.
+
+// Extract the lowercase hostname from a PSP base URL. Throws a TypeError on a
+// non-string / non-https / hostless base — config-time validation (entry
+// point), so an operator's typo'd apiBase surfaces at adapter construction
+// rather than on the first charge.
+function _pspHost(baseUrl, label) {
+  if (typeof baseUrl !== "string" || !baseUrl.length) {
+    throw new TypeError("payment: " + label + " must be a non-empty URL string");
+  }
+  var parsed;
+  try { parsed = new URL(baseUrl); } catch (_e) {
+    throw new TypeError("payment: " + label + " must be a valid absolute URL (got " + JSON.stringify(baseUrl) + ")");
+  }
+  if (parsed.protocol !== "https:") {
+    throw new TypeError("payment: " + label + " must be https (a payment processor is never dialed over plaintext)");
+  }
+  if (!parsed.hostname) {
+    throw new TypeError("payment: " + label + " has no hostname");
+  }
+  return parsed.hostname.toLowerCase();
+}
+
+// Validate + normalize an idempotency key that crosses the wire as an
+// outbound header (Stripe `Idempotency-Key` / PayPal `PayPal-Request-Id`).
+// Composes b.guardIdempotencyKey (strict profile): bounded length, control-
+// char / path-traversal / slash refusal, ASCII-only — so a key carrying a
+// log-injection or traversal shape never reaches the processor or the local
+// replay cache. Returns the validated key; throws TypeError on refusal (the
+// caller's bad-shape path is a clean 400, matching every other field guard).
+function _assertOutboundKey(key, label) {
+  try {
+    return b.guardIdempotencyKey.validate(key, { profile: "strict" });
+  } catch (e) {
+    throw new TypeError("payment: " + (label || "idempotency key") + " — " + ((e && e.message) || "invalid idempotency key"));
+  }
+}
+
 // ---- webhook verifier -----------------------------------------------------
 //
 // Composes b.webhook.verify (alg: "hmac-sha256-stripe") — the
@@ -239,7 +289,12 @@ async function _verifyWebhook(headers, rawBody, secret, opts) {
 // ---- Stripe API call ------------------------------------------------------
 
 async function _stripeCall(opts, method, path, params, idempotencyKey) {
-  var url = (opts.apiBase || STRIPE_API_BASE_DEFAULT) + path;
+  var apiBase = opts.apiBase || STRIPE_API_BASE_DEFAULT;
+  var url = apiBase + path;
+  // Pin the dial to the configured Stripe host (computed once per adapter).
+  // Layered on top of b.httpClient's IP-class SSRF gate — the process can
+  // only ever reach the host the adapter was built against.
+  if (opts._allowedHost === undefined) opts._allowedHost = _pspHost(apiBase, "apiBase");
   var headers = {
     "authorization": "Bearer " + opts.apiKey,
     "accept":         "application/json",
@@ -252,7 +307,9 @@ async function _stripeCall(opts, method, path, params, idempotencyKey) {
     headers["content-length"] = Buffer.byteLength(body, "utf8");
   }
   if (idempotencyKey) {
-    headers["idempotency-key"] = idempotencyKey;
+    // The key crosses the wire as the `Idempotency-Key` header — validate +
+    // refuse traversal / control-char / oversize shapes before it leaves.
+    headers["idempotency-key"] = _assertOutboundKey(idempotencyKey, "idempotency_key");
   }
   var httpClient = opts.httpClient || b.httpClient;
   // A GET read is always idempotent; a write is idempotent only when it
@@ -268,12 +325,13 @@ async function _stripeCall(opts, method, path, params, idempotencyKey) {
   // acceptable since a sustained stream of 4xx is itself a degraded state.
   var json = await _dial(opts._breaker, idempotent, async function () {
     var res = await httpClient.request({
-      method:    method,
-      url:       url,
-      headers:   headers,
-      body:      body || undefined,
-      timeoutMs: opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      method:       method,
+      url:          url,
+      headers:      headers,
+      body:         body || undefined,
+      timeoutMs:    opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [opts._allowedHost],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed = null;
@@ -709,6 +767,14 @@ function _paypalApiBase(opts) {
   return opts.sandbox ? PAYPAL_API_BASE_SANDBOX : PAYPAL_API_BASE_LIVE;
 }
 
+// The PayPal host the adapter is allowed to dial (computed once, cached on
+// opts). Pins every PayPal dial — token exchange + Orders-v2 — to the
+// configured host, layered on b.httpClient's IP-class SSRF gate.
+function _paypalAllowedHost(opts) {
+  if (opts._allowedHost === undefined) opts._allowedHost = _pspHost(_paypalApiBase(opts), "apiBase");
+  return opts._allowedHost;
+}
+
 function _minorToDecimalString(minor, currency) {
   var dec = PAYPAL_ZERO_DECIMAL[currency] ? 0 : 2;
   var neg = minor < 0;
@@ -745,9 +811,10 @@ async function _paypalToken(opts, state) {
         "content-type":   "application/x-www-form-urlencoded",
         "user-agent":     "blamejs-shop (zero-dep)",
       },
-      body:      "grant_type=client_credentials",
-      timeoutMs: opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      body:         "grant_type=client_credentials",
+      timeoutMs:    opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [_paypalAllowedHost(opts)],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed; try { parsed = text.length ? JSON.parse(text) : {}; } catch (_e) { parsed = {}; }
@@ -774,10 +841,15 @@ async function _paypalCall(opts, state, method, path, bodyObj, requestId) {
     "content-type":  "application/json",
     "user-agent":    "blamejs-shop (zero-dep)",
   };
-  if (requestId) headers["paypal-request-id"] = requestId;
+  // The request id crosses the wire as the `PayPal-Request-Id` header —
+  // validate + refuse traversal / control-char / oversize shapes before it
+  // leaves (covers both operator-supplied keys and the adapter-constructed
+  // `order:`/`capture:` ids).
+  if (requestId) headers["paypal-request-id"] = _assertOutboundKey(requestId, "paypal_request_id");
   var body = bodyObj != null ? JSON.stringify(bodyObj) : undefined;
   if (body) headers["content-length"] = Buffer.byteLength(body, "utf8");
   var httpClient = opts.httpClient || b.httpClient;
+  var allowedHost = _paypalAllowedHost(opts);
   // A GET is idempotent; a write is idempotent only when it carries a
   // PayPal-Request-Id (PayPal dedupes a replay of the SAME id, and the
   // same id rides every retry attempt within one call). A keyless write
@@ -785,12 +857,13 @@ async function _paypalCall(opts, state, method, path, bodyObj, requestId) {
   var idempotent = method === "GET" || !!requestId;
   var json = await _dial(opts._breaker, idempotent, async function () {
     var res = await httpClient.request({
-      method:    method,
-      url:       _paypalApiBase(opts) + path,
-      headers:   headers,
-      body:      body,
-      timeoutMs: opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      method:       method,
+      url:          _paypalApiBase(opts) + path,
+      headers:      headers,
+      body:         body,
+      timeoutMs:    opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [allowedHost],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed; try { parsed = text.length ? JSON.parse(text) : {}; } catch (_e) { parsed = { _raw: text }; }

package/lib/save-for-later.js

@@ -56,6 +56,12 @@
  *       current; returns the count of rows actually changed.
  *     - `expireOlderThan(days)` — operator-scheduler entry point
  *       that prunes saves older than the supplied age.
+ *     - `exportForCustomer(customer_id)` — DSR export reader: the
+ *       subject's saved rows.
+ *     - `eraseForCustomer(customer_id, { dry_run? })` — DSR erasure:
+ *       deletes the subject's saved rows (pure personalization, no
+ *       retention basis). Returns the `{ table, deleted }` reader
+ *       contract.
  *
  *   Storage:
  *     - `save_for_later` (migration `0041_save_for_later.sql`).
@@ -641,6 +647,46 @@ function create(opts) {
       return { changed: changed };
     },
 
+    // ---- exportForCustomer / eraseForCustomer (DSR) -----------------
+    //
+    // Subject-access-request hooks consumed by complianceExport. A
+    // save-for-later row keys directly on `customer_id` — there is no
+    // hashed-identity branch (every row is account-bound).
+    //
+    // exportForCustomer(customer_id) — the subject's saved rows. Pure
+    // read; capped at MAX_LIMIT so one customer can't unbounded-stream
+    // the export.
+    exportForCustomer: async function (customerId) {
+      var cid = _uuid(customerId, "customer_id");
+      var rows = (await query(
+        "SELECT * FROM save_for_later WHERE customer_id = ?1 " +
+        "ORDER BY saved_at DESC, id DESC LIMIT ?2",
+        [cid, MAX_LIMIT],
+      )).rows;
+      return rows;
+    },
+
+    // eraseForCustomer(customer_id, { dry_run }) — GDPR Art. 17
+    // erasure. A save-for-later list is pure personalization with no
+    // retention basis, so erasure DELETES every row for the customer
+    // (the same effect as `clear`, returned in the complianceExport
+    // reader contract shape `{ table, deleted }`). dry_run counts the
+    // rows it WOULD remove without mutating. A re-run finds none
+    // (idempotent).
+    eraseForCustomer: async function (customerId, opts) {
+      var cid = _uuid(customerId, "customer_id");
+      var dryRun = !!(opts && opts.dry_run);
+      if (dryRun) {
+        var c = (await query(
+          "SELECT COUNT(*) AS n FROM save_for_later WHERE customer_id = ?1",
+          [cid],
+        )).rows[0];
+        return { table: "save_for_later", deleted: c ? Number(c.n) : 0 };
+      }
+      var r = await query("DELETE FROM save_for_later WHERE customer_id = ?1", [cid]);
+      return { table: "save_for_later", deleted: Number(r.rowCount || 0) };
+    },
+
     // Operator scheduler entry point: remove every save older than
     // the supplied age. Returns the count of removed rows so the
     // cron / scheduled-worker layer can emit a metric.

package/lib/security-middleware.js

@@ -290,7 +290,25 @@ function clientKey(req) {
  * so both substrates stay header-consistent.
  */
 function securityHeadersOpts() {
-  return { documentPolicy: false, referrerPolicy: "same-origin" };
+  // `trustProxy: true` is what lets the vendored HSTS header actually
+  // ship from the container. The vendored securityHeaders middleware
+  // emits Strict-Transport-Security ONLY when the request protocol
+  // resolves to https (RFC 6797 §7.2: HSTS over plain HTTP is ignored by
+  // UAs, so the middleware suppresses it on non-TLS requests). Behind the
+  // Cloudflare Worker the container socket is plain http and the real
+  // scheme rides in the Worker-set `x-forwarded-proto: https` — without
+  // trustProxy the middleware reads `http`, decides the request isn't
+  // TLS, and drops HSTS on EVERY container-served response. The edge
+  // Worker sets its own HSTS on edge-rendered pages, but a direct-to-
+  // container request (edge render off, or an internal hop that returns
+  // HTML) then carries no HSTS at all. Opting into the forwarded-proto
+  // header — the same stance the csrf gate already takes (mountRouteGuards
+  // passes trustProxy:true) and the storefront session-cookie path takes
+  // (`_secureForReq`) — restores the header on container responses. HSTS
+  // stays OWNED by the vendored middleware (we set no header ourselves),
+  // so there is no double-set: on an edge-rendered page only the Worker's
+  // header is present; on a container-served page only this one is.
+  return { documentPolicy: false, referrerPolicy: "same-origin", trustProxy: true };
 }
 
 // ---- route-scoped CSP (payment processors + CAPTCHA providers) ----------
@@ -608,7 +626,13 @@ function globalRateLimitOpts() {
 function botGuardOpts() {
   return {
     skipPaths: INTERNAL_BRIDGE_PATHS.slice()
-      .concat(PUBLIC_WELL_KNOWN_PATHS)
+      // EXACT-match the well-known paths. A bare-string skip is matched as a
+      // PREFIX by the bot guard, which would also exempt any sibling under the
+      // directory (e.g. /.well-known/apple-...-association/anything), re-opening
+      // the guard on routes that aren't the single static association file.
+      .concat(PUBLIC_WELL_KNOWN_PATHS.map(function (p) {
+        return new RegExp("^" + p.replace(/[-/\\^$*+?.()|[\]{}]/g, "\\$&") + "$");
+      }))
       .concat([/^\/admin(\/|$)/]),
   };
 }

package/lib/store-credit.js

@@ -52,6 +52,11 @@
  *     - expiringWithin({ customer_id, days })
  *     - bulkBalance({ customer_ids })
  *     - cleanupExpired({ now })
+ *     - exportForCustomer(customer_id) — DSR export reader: the
+ *       subject's balance + full ledger history.
+ *     - eraseForCustomer(customer_id, { dry_run? }) — DSR erasure:
+ *       RETAINS (financial ledger, legal-obligation basis). Returns
+ *       the `{ table, deleted: 0, note }` reader contract.
  *
  *   Storage:
  *     - store_credit_ledger (migration 0094).
@@ -491,6 +496,42 @@ function create(opts) {
       return out;
     },
 
+    // ---- exportForCustomer / eraseForCustomer (DSR) -----------------
+    //
+    // Subject-access-request hooks consumed by complianceExport. The
+    // ledger keys on `customer_id`.
+    //
+    // exportForCustomer(customer_id) — the subject's current balance +
+    // their full ledger history (the financial record of every credit /
+    // debit / expire against their wallet). Pure read; the history is
+    // capped at the same 500-row ceiling `history()` enforces.
+    exportForCustomer: async function (customerId) {
+      var cid = _uuid(customerId, "customer_id");
+      var bal = await _currentBalance(cid);
+      var r = await query(
+        "SELECT id, customer_id, kind, amount_minor, source, source_ref, order_id, " +
+        "balance_after_minor, expires_at, occurred_at FROM store_credit_ledger " +
+        "WHERE customer_id = ?1 ORDER BY occurred_at DESC, id DESC LIMIT 500",
+        [cid],
+      );
+      return { balance_minor: bal, history: r.rows };
+    },
+
+    // eraseForCustomer(customer_id, { dry_run }) — store credit is a
+    // financial ledger: an audited record of money owed to and spent by
+    // the customer, retained under the controller's legal-obligation /
+    // accounting basis (the same posture as the loyalty ledger and gift
+    // cards in the DSR reader map). Erasure RETAINS — deleting the rows
+    // would destroy the proof of a balance the customer may still be
+    // entitled to and the accounting trail a tax / chargeback audit
+    // needs. Returns `{ table, deleted: 0, note }`; dry_run reports the
+    // same retain decision (0 rows would be removed). The customer-
+    // identity scrub rides the anonymized customers row.
+    eraseForCustomer: async function (customerId, _opts) {
+      _uuid(customerId, "customer_id");
+      return { table: "store_credit_ledger", deleted: 0, note: "retained-financial-ledger" };
+    },
+
     cleanupExpired: async function (input) {
       input = input || {};
       var now = _epochMs(input.now, "now");

package/lib/storefront.js

@@ -15873,7 +15873,8 @@ function mount(router, deps) {
           try {
             var portalCust = await deps.customers.get(rv.customer_id);
             if (portalCust && portalCust.email_hash) {
-              await deps.order.linkGuestOrdersByEmailHash(rv.customer_id, portalCust.email_hash);
+              await deps.order.linkGuestOrdersByEmailHash(
+                rv.customer_id, portalCust.email_hash, { linked_via: "magic-link" });
             }
           } catch (_eLink) { /* drop-silent — sign-in itself succeeds */ }
         }
@@ -16124,6 +16125,17 @@ function mount(router, deps) {
             if (anonCart) await deps.cart.setCustomer(anonCart.id, customer.id);
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
+        // Guest-order reconciliation is deliberately NOT done here. A passkey
+        // assertion proves control of the AUTHENTICATOR, not of the account's
+        // email — and a passkey-registered account's email_hash was never
+        // verified (the register path stores whatever address was typed). The
+        // attach is gated strictly on PROVEN email ownership: an OIDC sign-in
+        // the provider verified, or a magic-link the buyer clicked. Linking on
+        // the account's unverified email_hash here would let an attacker who
+        // registered a passkey under a victim's address inherit the victim's
+        // guest orders — the takeover class the customers model guards against.
+        // A passkey-account holder who wants their guest orders attached signs
+        // in once via the magic-link, which proves the email and reconciles.
         _clearChallengeCookie(res);
         _setAuthCookie(req, res, {
           customer_id: customer.id,
@@ -16949,7 +16961,8 @@ function mount(router, deps) {
         if (claims.email_verified === true && claims.email && deps.order &&
             typeof deps.order.linkGuestOrdersByEmailHash === "function") {
           try {
-            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+            await deps.order.linkGuestOrdersByEmailHash(
+              rv.customer.id, deps.customers.hashEmail(claims.email), { linked_via: "verified-email" });
           } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
         }
         // Attribute a referral ONLY on a genuinely new account
@@ -17063,7 +17076,8 @@ function mount(router, deps) {
         if (emailVerified && claims.email && deps.order &&
             typeof deps.order.linkGuestOrdersByEmailHash === "function") {
           try {
-            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+            await deps.order.linkGuestOrdersByEmailHash(
+              rv.customer.id, deps.customers.hashEmail(claims.email), { linked_via: "verified-email" });
           } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
         }
         // Attribute a referral ONLY on a genuinely new account (rv.created)

package/lib/suggestion-box.js

@@ -102,6 +102,13 @@
  *     - metricsForCategory({ category, from, to })
  *     - archiveSuggestion(id)
  *     - flagAsSpam({ suggestion_id, flagged })
+ *     - exportForCustomer({ customer_id?, email_hash? }) — DSR export
+ *       reader: the subject's own suggestion rows (matched on
+ *       customer_id OR the suggestion-box-namespace email hash).
+ *     - eraseForCustomer({ customer_id?, email_hash?, dry_run? }) —
+ *       DSR erasure: anonymizes the subject's rows in place (both
+ *       identity keys -> NULL), keeping the de-identified roadmap
+ *       signal. Returns the `{ table, deleted }` reader contract.
  *
  *   Storage: `migrations-d1/0181_suggestion_box.sql` —
  *     `suggestions` + `suggestion_votes`.
@@ -850,6 +857,121 @@ function create(opts) {
     return _decode(await _getRaw(sid));
   }
 
+  // ---- exportForCustomer / eraseForCustomer (DSR) -----------------------
+  //
+  // Subject-access-request hooks consumed by complianceExport. A
+  // suggestion row is keyed to a person by EITHER `customer_id` (an
+  // authenticated submission) OR `customer_email_hash` (a storefront
+  // visitor who supplied a confirmed email but wasn't signed in). The
+  // email is hashed under the `suggestion-box-email` namespace
+  // (EMAIL_NAMESPACE), distinct from the customers table's own
+  // `customer-email` namespace, and the raw email is never stored —
+  // so an email-only row can be matched to a customer ONLY when the
+  // caller can supply that same suggestion-box namespace hash.
+  //
+  // The DSR composition root resolves a customer by `customer_id`
+  // (no raw email is held anywhere in the system to re-hash), so it
+  // passes `customer_id` and — when the requesting customer's email
+  // is known in-session — the derived `email_hash`. Both keys are
+  // matched with OR so a customer's authenticated AND email-only
+  // submissions are covered. A caller WITH the raw email derives the
+  // hash via the exported EMAIL_NAMESPACE + b.crypto.namespaceHash.
+
+  // Normalize the DSR selector: at least one of customer_id /
+  // email_hash must be present. Returns { custId, emailHash } with
+  // validated/null values. Defensive request-shape reader at the
+  // primitive boundary — bad UUID shape throws (operator catches the
+  // typo); a null/absent key is simply not used in the predicate.
+  function _dsrSelector(input, method) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("suggestionBox." + method + ": input object required");
+    }
+    var custId    = _customerIdOpt(input.customer_id);
+    var emailHash = null;
+    if (input.email_hash != null) {
+      if (typeof input.email_hash !== "string" || !input.email_hash.length || input.email_hash.length > 256) {
+        throw new TypeError("suggestionBox." + method + ": email_hash must be a non-empty string <= 256 chars when provided");
+      }
+      if (CONTROL_BYTE_STRICT_RE.test(input.email_hash) || ZERO_WIDTH_RE.test(input.email_hash)) {
+        throw new TypeError("suggestionBox." + method + ": email_hash contains control / zero-width bytes");
+      }
+      emailHash = input.email_hash;
+    }
+    if (custId == null && emailHash == null) {
+      throw new TypeError("suggestionBox." + method + ": at least one of customer_id / email_hash is required");
+    }
+    return { custId: custId, emailHash: emailHash };
+  }
+
+  // Build the `customer_id = ? OR customer_email_hash = ?` predicate
+  // from whichever selector keys are present, returning { clause,
+  // params }. Shared by export + erase so the two never diverge on
+  // which rows belong to the subject.
+  function _dsrWhere(sel) {
+    var ors    = [];
+    var params = [];
+    var idx    = 1;
+    if (sel.custId != null)    { ors.push("customer_id = ?" + idx);         params.push(sel.custId);    idx += 1; }
+    if (sel.emailHash != null) { ors.push("customer_email_hash = ?" + idx); params.push(sel.emailHash); idx += 1; }
+    return { clause: "(" + ors.join(" OR ") + ")", params: params };
+  }
+
+  // exportForCustomer({ customer_id?, email_hash? }) — returns the
+  // subject's own suggestion rows (decoded). Read-only; capped at
+  // MAX_LIST_LIMIT so a single customer's history can't unbounded-
+  // stream the export. Spam-flagged / archived rows ARE included —
+  // the subject is entitled to a copy of everything held about them,
+  // including operator-only tombstoned rows.
+  async function exportForCustomer(input) {
+    var sel = _dsrSelector(input, "exportForCustomer");
+    var w   = _dsrWhere(sel);
+    var r = await query(
+      "SELECT * FROM suggestions WHERE " + w.clause +
+      " ORDER BY created_at DESC, id DESC LIMIT ?" + (w.params.length + 1),
+      w.params.concat([MAX_LIST_LIMIT]),
+    );
+    var out = [];
+    for (var i = 0; i < r.rows.length; i += 1) out.push(_decode(r.rows[i]));
+    return out;
+  }
+
+  // eraseForCustomer({ customer_id?, email_hash?, dry_run? }) —
+  // GDPR Art. 17 erasure. A suggestion (especially a `complaint`)
+  // carries the customer's own free-text words + a hashed email, so
+  // it is personal data with no retention basis once the subject
+  // asks for erasure. Rather than DELETE the row (which would orphan
+  // any votes / canonical-link pointers and lose the operator's
+  // roadmap signal), this ANONYMIZES it in place: severs both
+  // identity keys (customer_id + customer_email_hash → NULL) so the
+  // row can no longer be traced to the person, while the
+  // already-published title/body/votes stay as de-identified
+  // roadmap input. dry_run counts the rows it WOULD anonymize
+  // without mutating. Returns the complianceExport reader contract
+  // shape `{ table, deleted }`.
+  async function eraseForCustomer(input) {
+    var dryRun = !!(input && input.dry_run);
+    var sel = _dsrSelector(input, "eraseForCustomer");
+    var w   = _dsrWhere(sel);
+    // Only rows still carrying an identity key need anonymizing —
+    // a re-run finds none (idempotent).
+    var countRow = (await query(
+      "SELECT COUNT(*) AS n FROM suggestions WHERE " + w.clause +
+      " AND (customer_id IS NOT NULL OR customer_email_hash IS NOT NULL)",
+      w.params,
+    )).rows[0];
+    var n = countRow ? Number(countRow.n) : 0;
+    if (dryRun) return { table: "suggestions", deleted: n };
+    if (n === 0) return { table: "suggestions", deleted: 0 };
+    var ts = _now();
+    var res = await query(
+      "UPDATE suggestions SET customer_id = NULL, customer_email_hash = NULL, updated_at = ?" +
+      (w.params.length + 1) + " WHERE " + w.clause +
+      " AND (customer_id IS NOT NULL OR customer_email_hash IS NOT NULL)",
+      w.params.concat([ts]),
+    );
+    return { table: "suggestions", deleted: Number((res && res.rowCount) || 0) };
+  }
+
   // ---- flagAsSpam -------------------------------------------------------
   //
   // Operator-only. Sets spam_flagged = 1 (or back to 0 if the
@@ -897,6 +1019,8 @@ function create(opts) {
     metricsForCategory:   metricsForCategory,
     archiveSuggestion:    archiveSuggestion,
     flagAsSpam:           flagAsSpam,
+    exportForCustomer:    exportForCustomer,
+    eraseForCustomer:     eraseForCustomer,
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.24",
+  "version": "0.4.26",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {