@blamejs/blamejs-shop 0.4.25 → 0.4.27

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.27 (2026-06-11) — **Stale quotes expire on schedule, operators can reprice an open quote or convert a verbally-approved one to an order, and customers see the operator's per-line notes and the validity window.** A quote-lifecycle release. Quotes whose validity window has elapsed now transition to expired on a scheduled sweep instead of lingering as open work — the accept-time guard already refused stale prices; now the console's queue and the customer's account list reflect that reality, and the admin list gains an expired filter. Operators can reprice a quote that is awaiting the customer's answer (the customer's existing link immediately shows the new pricing) and can convert a quote the customer approved outside the site — by phone or email — directly to an order, with a required reason recorded in the audit log. The customer-facing quote view now renders the per-line notes the operator wrote alongside each price and shows the validity date in the account list. Upgrade applies one D1 migration. **Added:** *Quotes past their validity window expire on a scheduled sweep* — A scheduled tick transitions responded quotes whose valid-until date has elapsed to expired, in one bounded pass per fire. The transition is race-safe: each row re-checks its status and validity inside a conditional update, so a customer accepting at the same moment wins, a reprice that extends validity rescues the quote, and overlapping ticks never double-transition. The sweep rides the same shared-secret internal endpoint discipline as the other scheduled tasks — secret-checked at the edge and again in the container. The per-pass batch size is tunable with QUOTE_EXPIRY_BATCH (validated at boot). · *Operators can reprice a quote awaiting the customer's answer* — A responded quote that the customer has not yet accepted can be repriced from the console — new per-line pricing, shipping, tax, and validity window through the same validation as the original response, with a version counter recording each revision. The customer's existing quote link keeps working and renders the new pricing; no new email is sent, so the link the customer already holds stays valid. Repricing a quote in any other state is refused with a conflict. · *Operators can convert a verbally-approved quote to an order* — When a customer approves a quote outside the site — by phone or email — the operator can convert it to an order directly from the console. The action requires a written reason, records an audit row with the operator, the reason, and the minted order id, and runs through the same conversion path customer acceptance uses: inventory holds are placed first and released if order creation fails, and the accept-time expiry guard still refuses a quote past its validity window. The action requires order-write permission. **Changed:** *The customer quote view shows per-line notes and the validity window* — Notes the operator writes against individual quote lines now render on the customer's quote page under the line they describe, and the account quote list shows the validity date for open quotes — so the customer sees the full offer, not just the numbers, and knows how long it stands. · *The admin quote list gains an expired filter* — The console's quote list accepts a status filter and ships an Expired view, so quotes the sweep transitioned are reviewable rather than invisible. An unrecognized status value falls back to the default queue.
+
+- v0.4.26 (2026-06-06) — **Guest orders attach to an account on verified sign-in; privacy exports and erasures now cover suggestions, saved-for-later, and store credit; HSTS ships on container responses behind the CDN; and internal cron POSTs are secret-checked at the edge.** A guest-order-claim, privacy-completeness, and edge-hardening release. When a shopper who checked out as a guest later signs in or registers with a verified email that matches the order, those orders now attach to their account and appear in their order history. A subject-access export now includes the customer's suggestion-box submissions, their save-for-later list, and their store-credit ledger, and an erasure anonymizes the suggestions, deletes the saved list, and retains the store-credit ledger under its accounting basis — a domain whose reader isn't wired still shows in the export manifest rather than being silently dropped. Strict-Transport-Security now ships on responses served directly by the container behind the Cloudflare proxy, not only on edge-rendered pages. The worker now verifies the shared secret on internal cron and event POSTs before forwarding them to the container. Upgrade applies one D1 migration. **Added:** *Guest orders reconcile to an account on verified sign-in* — An order placed as a guest carries the buyer's email as a one-way hash. When that buyer later signs in or registers — including through Sign in with Google — and their verified email hashes to the same value, the matching guest orders attach to their account and show up under their order history. Attachment is driven only by verified-email ownership, never by unauthenticated email knowledge, and is idempotent: re-signing-in attaches nothing new, a non-matching email attaches nothing, and the placing-browser cookie and emailed-access-token routes to a guest order keep working unchanged. **Changed:** *Privacy export and erasure cover suggestions, saved-for-later, and store credit* — A full subject-access export now includes three more customer-keyed domains: the customer's suggestion-box submissions (product ideas and complaints, matched on the account id or the hashed email the submission carried), their save-for-later list, and their store-credit balance and ledger history. Erasure anonymizes each suggestion in place — severing both identity keys so the row can no longer be traced to the person while leaving the de-identified roadmap signal — deletes the save-for-later list outright, and retains the store-credit ledger under the same accounting / legal-obligation basis the loyalty ledger and gift cards already use. Each domain reports its effect in the request's completeness manifest, so a domain whose reader isn't wired is visible as absent rather than silently omitted. **Security:** *HSTS ships on container responses behind the proxy* — Strict-Transport-Security is emitted on responses served directly by the application container, not only on pages rendered at the edge. Behind the Cloudflare proxy the container connection is plain HTTP and the real scheme arrives in the forwarded-proto header; the security-headers middleware now trusts that header, so a direct-to-container or edge-render-off response carries the same two-year, includeSubDomains, preload HSTS value the edge sends. Plain-HTTP local and direct connections still omit the header, which user agents ignore over HTTP anyway. · *Internal cron and event POSTs are secret-checked at the edge* — The worker now verifies the shared secret on its internal cron and event POSTs (cart-recovery, stock-alert and wishlist sweeps, the stale-order reap, portal-session expiry, and campaign sends) before forwarding them to the container, refusing a forged public request at the edge instead of relying solely on the container's own check. The check is skipped when the secret isn't configured, so a deployment that hasn't set it still forwards rather than refusing every scheduled task.
+
 - v0.4.25 (2026-06-06) — **The admin role gate fails closed, payment-processor calls are host-pinned, the public catalog API stops leaking unpublished products, and privacy requests show their statutory deadline.** A security-hardening release. The staff role matrix now denies an unmapped admin action by default (owner-only) instead of leaving it manager-reachable; outbound Stripe and PayPal calls are pinned to the configured processor host with their idempotency keys validated before they leave; the public catalog API no longer honors a caller-supplied status filter, so draft and archived products can't be enumerated; the privacy-request console surfaces each request's statutory response deadline; and the Apple Pay well-known bot-guard exemption is tightened to an exact-path match. No migrations. **Changed:** *Privacy-request console shows the statutory response deadline* — Each export and erasure request now displays its statutory response deadline — one month under GDPR, 45 days under CCPA, 15 days under LGPD — derived from the request's recorded jurisdiction and timestamp, and flags an open request whose deadline has passed. Requests under no statutory regime show no deadline rather than an invented one. **Security:** *Admin role gate fails closed on unmapped actions* — The operator role matrix is now a declarative registry with role inheritance (owner ⊃ manager ⊃ viewer) validated at boot. A mutating admin action that isn't explicitly mapped to a permission now requires the owner role, instead of falling through to a manager-grantable default — so a newly added admin route can't be reached by a manager or viewer by accident. Existing mapped routes keep their grants. · *Public catalog API no longer leaks unpublished products* — GET /api/catalog/products accepted a caller-supplied ?status= filter and passed it straight through, so an unauthenticated request could list draft or archived products by asking for them. The endpoint now always lists only published products; operators browse other statuses through the authenticated admin catalog screens. · *Payment-processor calls are host-pinned with validated idempotency keys* — Every outbound Stripe and PayPal call is now pinned to the configured processor host (defense-in-depth over the existing private-address and metadata-endpoint blocking), and a malformed or non-HTTPS processor base URL fails at the first call rather than dialing in the clear. The idempotency key each call carries is validated before it leaves, refusing path-traversal, slash, and control-character shapes. · *Apple Pay well-known bot-guard exemption is exact-match* — The bot-guard skip for the Apple Pay domain-association path was matched as a prefix, which would also have exempted any sibling path beneath it. It is now an exact-path match, so only the single static association file skips the guard.
 
 - v0.4.24 (2026-06-06) — **Order timelines, in-console new-order alerts, partial refunds, a customer idea board, storefront sidebar widgets, and Stripe wallet checkout — alongside refund-accounting, inventory-race, and access-control hardening.** This release adds operator and storefront surfaces that compose primitives already in the tree, and closes a set of value-conservation, concurrency, and access-control gaps in the same areas. Operators get a single order-story timeline, an in-console inbox that flags new paid orders with an unread badge, a browser partial-refund control, and curated storefront sidebar widgets. Shoppers get a receipt download on their orders, a suggestion board, and Stripe wallet buttons (Apple Pay, Google Pay, Link) at checkout. The fixes make partial refunds return gift-card and loyalty value in exact proportion, make inventory and quote state transitions race-proof under concurrency, gate the privacy export/erasure routes behind the operator role matrix, and harden the audit log, gift-card ledger, session revocation, and magic-link throttling. Upgrade applies six new D1 migrations and adds one optional environment variable for Apple Pay. **Added:** *Order timeline on the admin order screen* — /admin/orders/:id now shows one chronological feed of the whole order story — state changes, payments and refunds, shipments and carrier tracking events, customer-service notes, returns, and shipping labels — instead of separate panels. Each source is optional; an unwired source simply drops out of the feed. Wire orderTimeline into admin.mount to enable it. · *New-order inbox with an unread badge* — When an order is paid, an entry lands in a new in-console inbox at /admin/inbox and the admin navigation shows an unread count, so a sale is visible on the next page load without polling. Mark a message read once actioned, or archive it. The inbox is addressed to a role broadcast, so a single shared-credential console still sees the badge. Wire operatorInbox into admin.mount to enable it. · *Partial refunds from the browser* — The order screen gains a Refunds panel: enter an amount and the framework charges it back through the payment provider, validates it server-side, and caps it at the order's remaining balance — an over-refund is refused before any money moves. The provider call is keyed so a double-click cannot refund twice. A refund that clears the balance moves the order to refunded; a smaller refund leaves it on its current track and records the slice. · *Customer receipt download* — A customer can download a receipt for their own order from the order page. The document streams in chunks rather than buffering, and the route is gated to the order's owner (and guest-order token holders, matching the existing order-page guard). · *Customer suggestion board* — Shoppers can submit and vote on product and feature ideas at /suggestions (linked from the footer). Operators triage from a new admin console: respond, move ideas along a status flow, merge duplicates, flag spam, or archive. Submissions are rate-limited and bot-guarded, the submitter's email is hashed before storage, and all free text is escaped on both the public board and the admin screen. · *Operator-curated storefront sidebar widgets* — Operators can place an ordered set of sidebar content blocks (newsletter signup, trust badges, social proof, size chart, countdown, featured collection, and more) per page across product, cart, search, and collection pages. The content is operator-authored and global, so it renders identically from the edge cache and the container. Manage widgets and per-page placement from the new Sidebar widgets admin screen. · *Stripe wallet checkout (Apple Pay, Google Pay, Link)* — The pay page now offers the Stripe Express Checkout Element, surfacing the wallet buttons a shopper's browser supports against the existing PaymentIntent. It degrades to the card form when no wallet is available or when payments are unconfigured. Apple Pay additionally needs the domain-association file served (see Migration) and each web domain registered with Stripe. · *Email-change guidance on the profile screen* — The profile screen now explains that a sign-in email cannot be changed in place: addresses are stored as a hash by design, so changing one means re-registering. The copy states what is and is not possible and why, rather than leaving the field unexplained. **Fixed:** *Partial refunds return gift-card and loyalty value in proportion* — A partial refund previously re-minted the entire gift-card spend and clawed back 100% of earned loyalty points the moment the order reached the refunded state, and restored nothing on a smaller slice — so a buyer could keep goods plus the full re-minted gift-card balance. Refunds now re-mint gift-card spend, claw earned loyalty, and restore redeemed loyalty points in exact proportion to the amount refunded, and a partial-then-final refund sequence converges on exactly the amount returned. · *Redeemed loyalty points are restored on refund* — Loyalty points spent as a checkout tender were never returned when the order was refunded, even though gift-card spend was — an inconsistency that cost the customer. Redeemed points are now restored on refund, in proportion to the refunded amount. · *Referral rewards reverse on refund or cancel* — A referral's qualifying first order being refunded or cancelled now rolls back the both-rewarded completion and decrements the referrer's leaderboard count, closing a buy-then-refund reward-farming path. The reversal is claimed once so a re-delivered refund webhook cannot double-reverse. · *Inventory and quote state transitions are race-proof* — Stock-transfer reconcile, inventory receive and reverse, write-off reversal, allocation commit, cycle-count finalize, and quote accept and convert all read state and then mutated it without an atomic guard, so two concurrent calls could both proceed — double-crediting a destination shelf, double-restocking, or minting two orders from one quote. Each transition now claims its state atomically and proceeds only if it won the claim. The stock-transfer and inventory-receipt lifecycles are additionally validated against a declared state machine. **Security:** *Privacy export and erasure now enforce the operator role matrix* — The data-subject export (full customer PII) and erasure routes did not pass through the role check every other mutating admin route uses, so a read-only viewer could export a customer's data and run an irreversible erasure. Both are now gated by the role matrix, and the mutating admin routes were swept to confirm each maps to a required permission. · *Operator audit log no longer self-reports tampering under concurrency* — Two operator actions recorded at the same instant could each read the same chain head and append rows sharing one previous-hash, forking the tamper-evident chain so verification reported a break where no tampering occurred. Audit appends are now serialized per chain, so the hash chain stays linear under concurrent writes. · *Gift-card ledger is now tamper-evident* — The gift-card balance ledger carried no cryptographic linkage, so a direct database edit that inflated a balance or dropped a debit passed balance reads undetected. Each ledger row now carries a per-card hash chain (the same construction the operator audit log uses), and a verification pass surfaces any insert, rewrite, reorder, or deletion. · *Erasure, passkey-revoke, and sign-out terminate live sessions* — The sealed sign-in cookie is self-validating for up to 14 days, so an erased or anonymized account stayed usable until the cookie expired. A per-customer session boundary now lets erasure, passkey revocation, and explicit sign-out invalidate every cookie minted before the boundary. A customer with no boundary is unaffected, so upgrading does not sign anyone out. · *Marketing email honors the suppression list everywhere* — Wishlist price-drop and back-in-stock alerts did not consult the marketing suppression list, and a newsletter one-click unsubscribe recorded the opt-out without adding the address to suppressions — so a hard-bounced, complained, or unsubscribed address could still be mailed by another flow. Both paths now consult and feed the suppression list, matching the transactional and campaign paths. · *Per-recipient throttle on magic-link sign-in* — Magic-link minting was throttled per source address only, so a distributed source could email-bomb one victim's inbox. A per-recipient limit now caps how often a link can be sent to a single address, alongside the existing per-source limit. · *Strict validation of inbound webhook idempotency keys* — The inbound webhook idempotency key was validated against a broad printable-ASCII pattern that accepted path-traversal shapes. It now uses the framework's strict idempotency-key guard, which refuses slash, backslash, and dot-dot sequences. The strict profile permits a space (harmless in the parameterized lookup) while refusing the traversal shapes. **Migration:** *Six new D1 migrations* — 0220 adds the gift-card ledger hash-chain columns; 0221, 0223, 0224, and 0225 add proportional-reversal tracking to gift-card redemptions, loyalty transactions, the loyalty earn log, and referral invitations; 0222 adds the per-customer session-revocation boundary table. All apply cleanly over existing rows (new columns default to nothing-reversed-yet; the revocation table is empty, which is the default-allow state). Run pending migrations and sync theme assets as usual. · *Optional APPLE_PAY_DOMAIN_ASSOCIATION environment variable* — To show the Apple Pay wallet button, set APPLE_PAY_DOMAIN_ASSOCIATION to the file contents Stripe provides (Stripe owns Apple merchant validation, so no Apple Developer account is needed) and register each web domain with Stripe. The shop serves the value verbatim at /.well-known/apple-developer-merchantid-domain-association on both the edge and container. Unset, the path returns 404 and the Apple Pay button stays hidden; card, Google Pay, Link, and PayPal are unaffected.

package/README.md

@@ -69,7 +69,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/delivery-estimate.js`** | "Get it by <date>" promises. Operators define carrier transit times, warehouse cutoffs, holidays, and postal-prefix zones at `/admin/delivery-estimates`; the product and cart pages then show a signed-in customer a delivery date computed against their saved shipping address and the configured origin (`SHOP_ESTIMATE_ORIGIN` or the `shop.estimate_origin` config row). Anonymous, edge-cached pages deliberately render no date — estimates are destination-specific and never bake into the shared cache. Unconfigured stores render nothing, never an error. |
 | **`lib/promo-banners.js`** | Placement-targeted marketing banners (top strip, homepage hero, PDP-side, cart-side, empty-search, footer) with schedule windows, audience targeting, themes, priorities, and click/impression counts. Authored at `/admin/promo-banners`; rendered on both substrates with edge-cache-safe resolution. |
 | **`lib/payment.js`** | Payment adapters — **Stripe** (verify webhook HMAC-SHA256 via upstream `b.webhook.verify`, create / retrieve / confirm / cancel PaymentIntent, refund, register / list payment-method domains for Apple/Google Pay) and **PayPal** (`adapter: "paypal"` — OAuth2 client-credentials token, create / capture / get / refund Orders v2, webhook verify via PayPal's verify-webhook-signature API). No `stripe` / `paypal` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
-| **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. |
+| **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. Guest orders carry the buyer's email as a one-way hash and attach to a customer account when a verified sign-in (passkey / Google / Apple) proves ownership of the same address — never from email knowledge alone — after which they appear in the account's order history. |
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` validates the ship-to address (real ISO 3166-1 country; US/CA state + ZIP/postal formats; lenient elsewhere) and the customer email shape, then creates a Stripe PaymentIntent + persists order pending; `handleStripeEvent()` verifies webhook + fires the FSM transition. PayPal path: `createPaypalOrder()` opens a PayPal order + persists pending, `capturePaypalOrder()` captures → paid, `handlePaypalEvent()` is the webhook backstop. All idempotent on re-delivery. |
 | **`lib/email.js`** | Transactional templates — order receipt, ship notification, refund confirmation, wishlist price-drop, abandoned-cart, review request, back-in-stock, **wishlist digest** (the periodic saved-items rollup, rendered per-line from the structured digest so every title / price is independently escaped), and **email magic-link sign-in**. Strict `{{var}}` renderer with HTML escape + refusal of unknown / unused placeholders. Composed on `b.mail` (DKIM/SPF/DMARC/BIMI upstream). |
 | **`lib/storefront.js`** | Server-rendered HTML — utility bar + sticky header + dark hero with code-preview card + primitives marquee + featured-product callout + collections grid + framework feature band + designed catalog grid + newsletter band + four-column footer. Designed surfaces also for PDP, cart, checkout, pay, order, account login / register / dashboard, quote review / accept, search results, `/admin` API landing, 404. Image-bearing cards on the home + search grids pull from `catalog.media`. The default theme stylesheet is external (R2-served `themes/default/assets/css/main.css`) and CSP-compliant; the typeface (Inter / Inter Tight) is self-hosted from `themes/default/assets/fonts`, so no page loads a cross-origin font. Operators override by uploading a replacement at the same key, by passing `opts.theme_css` to renderers, or by registering a named theme through the `theme` primitive. |
@@ -78,7 +78,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/product-qa.js`** | Customer questions and operator/customer answers per product, operator-moderated, distinct from the rating-based reviews. A signed-in shopper asks at `/products/:slug/question`; questions land `pending` and surface only after approval. Author identity is the customer id (verified against the customers primitive) or a hash-only email — the raw address is never stored. The product page renders approved questions with their approved answers (seller / customer / system badge, pinned 'top answer' first) in both the edge and container paths. `/admin/questions` is the moderation console: the cross-product queue (`listQuestionsByStatus`), and a per-question detail to approve / reject the question, post the seller answer (`submitAnswer`), approve / reject / pin answers. |
 | **`lib/wishlist.js`** + **`lib/wishlist-alerts.js`** + **`lib/wishlist-digest.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived) and carries a per-customer opt-in panel for **sale + restock alerts** (price-drop / back-in-stock, event-driven) and the **periodic digest** (the saved-items rollup on a weekly / monthly schedule). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. Both notification paths are off by default and require a configured mailer plus an email-address resolver to actually send (the customer store keeps only an email hash) — see *Optional integrations*. UUID-shape-validated ids, `b.pagination` HMAC cursors; prices rendered through `pricing.format` (locale + zero-decimal-currency correct). |
 | **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
-| **`lib/quotes.js`** | Request-for-quote negotiation. A signed-in customer requests a quote from the cart (line quantities + an optional message); the operator responds from the console with per-line pricing and a validity window; the customer reviews and accepts or declines from `/account/quotes` or through a single-use capability link (`/quote/:token` — the token is stored only as a namespaced hash and compared timing-safe). Accepting converts through the normal order path — inventory holds are placed first and rolled back if order creation fails — and every status change replays a `b.fsm` lifecycle (requested → responded → accepted / declined / expired / withdrawn / converted), with expiry enforced at accept time so a stale price is never honored. |
+| **`lib/quotes.js`** | Request-for-quote negotiation. A signed-in customer requests a quote from the cart (line quantities + an optional message); the operator responds from the console with per-line pricing and a validity window; the customer reviews and accepts or declines from `/account/quotes` or through a single-use capability link (`/quote/:token` — the token is stored only as a namespaced hash and compared timing-safe). Accepting converts through the normal order path — inventory holds are placed first and rolled back if order creation fails — and every status change replays a `b.fsm` lifecycle (requested → responded → accepted / declined / expired / withdrawn / converted), with expiry enforced at accept time so a stale price is never honored. A scheduled sweep also transitions quotes past their validity window to `expired` (so the console's expired filter reflects the real lifecycle), operators can reprice an open quote (the customer's existing link shows the new pricing) or convert a verbally-approved one to an order with a recorded reason, and the customer view renders the operator's per-line notes and the validity date. |
 | **`lib/addresses.js`** | Per-customer address book at `/account/addresses` — add / edit / set default shipping or billing / remove. One-default-per-role invariant (promoting clears the prior). Every by-id route confirms the address belongs to the signed-in customer before acting (a guessed id returns 404). `b.guardUuid` ids, 2-char ISO country. |
 | **`lib/returns.js`** | Self-serve RMAs. Customer requests a return against their own order at `/account/orders/:id/return` (items + reason, ownership-checked, lines built from the order's own records) and tracks status at `/account/returns`. Operators work `/admin/returns` — approve (refund amount) / mark received / refund / reject — over the pending → approved → received → refunded FSM; illegal transitions are 409, bad ids 404. |
 | **`lib/loyalty.js`** + **`lib/loyalty-earn-rules.js`** + **`lib/loyalty-redemption.js`** | Customer rewards. `loyalty` owns the points balance, lifetime total, tier (bronze → platinum on operator-tunable thresholds), and an audited transaction ledger. `loyalty-earn-rules` defines how points are minted (per-dollar-spent, per-order, signup, birthday, …) keyed to lifecycle events; `loyalty-redemption` is the reward catalog customers spend points against. Customers see all of it at `/account/loyalty` — balance + tier, the earn rules in plain language, the reward catalog with a one-click Redeem, past redemptions, and the paginated earn/redeem ledger (login-gated). Paid orders award points automatically: the order FSM's paid transition fans out to the earn rules fire-and-forget, deduped on the order id so a re-delivered payment webhook never double-credits. At checkout a signed-in customer can spend points for a credit against the order total — valued by the redemption ratio (100 points = $1 default), capped at the order's worth and the balance, debited once behind a balance-guarded SQL decrement, stacking with any gift-card credit; surplus points stay in the balance. |

package/SECURITY.md

@@ -142,7 +142,12 @@ node -e "
   ticks): those paths skip the bot guard's browser-fingerprint
   heuristics — the Worker's machine-to-machine calls carry no browser
   headers — so the constant-time secret check is the deciding gate,
-  and an unauthenticated caller gets a 401. Generate ≥ 32 bytes of OS
+  and an unauthenticated caller gets a 401. The Worker also verifies
+  the same secret on these cron/event POSTs before forwarding them, so
+  a forged public request is refused at the edge before it reaches the
+  container (the edge check is skipped when the secret is unset, so a
+  deployment that hasn't wired it still forwards rather than dropping
+  every scheduled task). Generate ≥ 32 bytes of OS
   randomness and set the value identically on the Worker (`wrangler
   secret put D1_BRIDGE_SECRET`) and the container env. Rotate
   quarterly or after any Worker-credential compromise.
@@ -293,6 +298,33 @@ node -e "
   (success / failure / denied) and paginated. Opening the log is itself
   recorded (an `audit.read` row), so reviewing the audit trail leaves
   its own forensic mark.
+- **Privacy exports hold the whole record; erasure states a basis per
+  domain.** A subject-access export walks every table that keys a row
+  by the customer — identity, orders, subscriptions, addresses, saved
+  payment-method metadata, support tickets, loyalty, reviews, the
+  consent ledger, wishlist, surveys, recently-viewed, suggestion-box
+  submissions, the save-for-later list, and the store-credit ledger —
+  so the bundle is the full record, not just the order/identity core.
+  The bundle carries a completeness manifest: every in-scope domain is
+  marked exported, empty, or absent, so a domain whose reader isn't
+  wired is visible rather than silently dropped. Erasure deletes the
+  pure-personalization domains (wishlist, recently-viewed, save-for-
+  later), anonymizes the suggestion-box rows in place (both identity
+  keys cleared, the de-identified text left as roadmap signal), revokes
+  every sign-in path and anonymizes the customer profile, and RETAINS
+  the records a controller keeps under a legal-obligation / accounting
+  basis (orders, loyalty ledger, store-credit ledger, consent
+  evidence, published reviews) — each with a stated basis in the
+  per-domain result. Preview a deletion with the dry-run flag to see
+  the blast radius before the irreversible call.
+- **HSTS on every TLS response, edge and container.** Both substrates
+  send `Strict-Transport-Security: max-age=63072000; includeSubDomains;
+  preload` (two years, above the preload-list minimum). The container
+  emits it behind the Cloudflare proxy by trusting the Worker-set
+  `X-Forwarded-Proto`, so a direct-to-container or edge-render-off
+  response carries the same header the edge sends; a plain-HTTP request
+  (local dev, direct non-TLS) omits it, which user agents ignore over
+  HTTP anyway.
 - **Email deliverability — SPF / DKIM / DMARC + one-click unsubscribe.**
   Transactional and broadcast mail is composed on `b.mail`, which signs
   each message with DKIM, but the receiving server still rejects or

package/lib/admin.js

@@ -396,6 +396,21 @@ function _dollarsToMinor(value, label, currency) {
   return Number(minor);
 }
 
+// Render an integer minor-unit amount back into the major-unit decimal
+// string a money form field expects ("1999" → "19.99"), honouring the
+// currency's exponent the same way _dollarsToMinor does on the way in.
+// Returns "" for a NULL / malformed amount so an unpriced field renders
+// empty rather than crashing the form. The Money toString is
+// "<decimal> <CUR>"; the field wants just the decimal.
+function _minorToMajorInput(minor, currency) {
+  if (minor == null) return "";
+  var n = Number(minor);
+  if (!Number.isSafeInteger(n) || n < 0) return "";
+  var cur = typeof currency === "string" && /^[A-Z]{3}$/.test(currency) ? currency : "USD";
+  try { return b.money.fromMinorUnits(BigInt(n), cur).toString().split(" ")[0]; }
+  catch (_e) { return ""; }
+}
+
 // Strict non-negative integer for a form field (money minor units,
 // dimensions). Refuses "", floats, and parseInt's loose-prefix "12abc"
 // → 12 — the /^\d+$/ test is anchored so the whole string must be
@@ -867,7 +882,8 @@ function mount(router, deps) {
   var inventoryReceive   = deps.inventoryReceive   || null; // inbound-stock receive console disabled when absent
   var stockTransfers     = deps.stockTransfers     || null; // location→location transfer console (dispatch/receive FSM) disabled when absent
   var inventoryWriteoffs = deps.inventoryWriteoffs || null; // reason-coded write-off / shrinkage console disabled when absent
-  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/withdraw/convert) disabled when absent
+  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/reprice/withdraw/convert) disabled when absent
+  var convertQuoteToOrder = deps.convertQuoteToOrder || null; // quote → pending-order converter (server.js composition); the console convert action disabled when absent
   var emailCampaigns     = deps.emailCampaigns     || null; // consent-gated broadcast/campaign console disabled when absent
   var mailingAudiences   = deps.mailingAudiences   || null; // audience picker for the campaign console (target-an-audience dropdown)
   // Read-only activity log at /admin/audit. Defaults ON — the framework
@@ -8112,13 +8128,16 @@ function mount(router, deps) {
 
   // ---- quotes (B2B request-for-quote negotiation) ---------------------
   // The operator side of the RFQ lifecycle. The list is the response queue
-  // (oldest-waiting requests first) plus a recent-activity view; the detail
-  // screen shows the requested lines + the customer message, and — for a
-  // still-requested quote — a per-line pricing form that responds with a
-  // priced quote + validity window. Responded/accepted quotes show the
-  // quoted totals; an operator can withdraw a quote that hasn't been
-  // accepted, or convert an accepted one into a pending order. Content-
-  // negotiated like the other consoles (bearer → JSON, browser → HTML).
+  // (oldest-waiting requests first) plus per-status views (the expired
+  // filter shows what the expiry cron transitioned) and a per-customer
+  // view; the detail screen shows the requested lines + the customer
+  // message, and — for a still-requested quote — a per-line pricing form
+  // that responds with a priced quote + validity window. A responded quote
+  // can be REPRICED (revised offer, fresh window — the customer's existing
+  // link shows the new pricing) or CONVERTED to a pending order against a
+  // recorded out-of-band approval; an operator can withdraw a quote that
+  // hasn't been accepted. Content-negotiated like the other consoles
+  // (bearer → JSON, browser → HTML).
   if (quotes) {
     // Build the respondToQuote line_prices array from the per-line
     // `price_<sku>` dollar fields the detail form posts, converting each to
@@ -8139,28 +8158,46 @@ function mount(router, deps) {
       return out;
     }
 
+    // Status filter for the list — a defensive request-shape reader: an
+    // unknown / absent value falls back to the default response queue
+    // rather than erroring a bookmarked link. `expired` is the one the
+    // chips surface (what the expiry cron transitioned); any lifecycle
+    // status is accepted so tooling can read the others.
+    function _quoteStatusFilter(url) {
+      var s = url && url.searchParams.get("status");
+      return (s && quotes.QUOTE_STATUSES.indexOf(s) !== -1) ? s : null;
+    }
+
     router.get("/admin/quotes", _pageOrApi(true,
       R(async function (req, res) {
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cid = url && url.searchParams.get("customer_id");
+        var sf  = _quoteStatusFilter(url);
         var rows = cid
           ? await quotes.quotesForCustomer(cid, { limit: 200 })
-          : await quotes.pendingResponse({ limit: 200 });
+          : sf
+            ? await quotes.listByStatus({ status: sf, limit: 200 })
+            : await quotes.pendingResponse({ limit: 200 });
         _json(res, 200, { rows: rows });
       }),
       async function (req, res) {
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cid = url && url.searchParams.get("customer_id");
+        var sf  = _quoteStatusFilter(url);
         var rows = [];
         try {
           rows = cid
             ? await quotes.quotesForCustomer(cid, { limit: 200 })
-            : await quotes.pendingResponse({ limit: 200 });
+            : sf
+              ? await quotes.listByStatus({ status: sf, limit: 200 })
+              : await quotes.pendingResponse({ limit: 200 });
         } catch (e) { if (!(e instanceof TypeError)) throw e; }
         _sendHtml(res, 200, renderAdminQuotes({
           shop_name: deps.shop_name, nav_available: navAvailable, quotes: rows,
           customer_filter: cid,
+          status_filter: sf,
           responded: url && url.searchParams.get("responded"),
+          repriced:  url && url.searchParams.get("repriced"),
           withdrawn: url && url.searchParams.get("withdrawn"),
           converted: url && url.searchParams.get("converted"),
           notice: (url && url.searchParams.get("err"))
@@ -8189,6 +8226,8 @@ function mount(router, deps) {
         }));
         _sendHtml(res, 200, renderAdminQuoteDetail({
           shop_name: deps.shop_name, nav_available: navAvailable, quote: row,
+          can_convert: !!convertQuoteToOrder,
+          repriced: url && url.searchParams.get("repriced"),
           notice: (url && url.searchParams.get("err"))
             ? "That action couldn't be completed for the quote." : null,
         }));
@@ -8254,6 +8293,190 @@ function mount(router, deps) {
       },
     ));
 
+    // Reprice: revise a still-responded quote the customer hasn't settled —
+    // improved line prices, fresh shipping / tax / validity, an updated
+    // note. Same payload contract as respond (the browser form posts dollar
+    // amounts + validity-in-days; the bearer JSON contract takes minor units
+    // + an absolute valid_until). The FSM's responded -> responded reprice
+    // edge gates it, surfacing the same statuses the other quote actions
+    // use: wrong state → 409, unknown quote → 404, bad shape → 400. The
+    // quote-responded email is NOT re-fired here: the notifier rotates the
+    // customer's view token, and the reprice contract is that the link the
+    // customer already holds keeps working and shows the new pricing.
+    router.post("/admin/quotes/:id/reprice", _pageOrApi(false,
+      W("quote.reprice", async function (req, res) {
+        var row;
+        try { row = await quotes.repriceQuote(Object.assign({}, req.body || {}, { quote_id: req.params.id })); }
+        catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        var enc = encodeURIComponent(id);
+        var body = req.body || {};
+        var current = null;
+        try { current = await quotes.getQuote(id); } catch (_e) { current = null; }
+        if (!current) return _redirect(res, "/admin/quotes?err=1");
+        try {
+          var validDays = _strictNonNegIntField(body.valid_days, "valid_days");
+          if (validDays <= 0) throw new TypeError("admin: valid_days must be at least 1");
+          var quoteCurrency = typeof body.currency === "string" && body.currency
+            ? body.currency.toUpperCase() : (current.currency || "USD");
+          await quotes.repriceQuote({
+            quote_id:       id,
+            line_prices:    _quoteLinePricesFromForm(body, current.lines, quoteCurrency),
+            shipping_minor: body.shipping == null || body.shipping === "" ? 0 : _dollarsToMinor(body.shipping, "shipping", quoteCurrency),
+            tax_minor:      body.tax == null || body.tax === "" ? 0 : _dollarsToMinor(body.tax, "tax", quoteCurrency),
+            valid_until:    Date.now() + b.constants.TIME.days(validDays),
+            currency:       quoteCurrency,
+            operator_notes: body.operator_notes || null,
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          var msg = _safeNotice(e, "quote.reprice");
+          var fresh = await quotes.getQuote(id);
+          return _sendHtml(res, msg.status, renderAdminQuoteDetail({
+            shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+            can_convert: !!convertQuoteToOrder,
+            notice: msg.message.replace(/^(quotes|admin)[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.reprice", outcome: "success", metadata: { quote_id: id } });
+        _redirect(res, "/admin/quotes/" + enc + "?repriced=1");
+      },
+    ));
+
+    // Convert to order without the customer's online acceptance — the
+    // verbal-approval case (a phone / email yes the operator is recording).
+    // Requires a reason naming that approval; the reason is captured on the
+    // quote's acceptance attribution AND the chained operator audit log. A
+    // responded quote is first accepted through the same customerAccept verb
+    // the storefront uses — so the accept-time expiry guard still refuses a
+    // stale price — then converted through the shared server.js composition
+    // (inventory holds first; a hold/order failure releases the convert
+    // claim back to accepted for a retry). An already-accepted quote (e.g.
+    // the customer accepted online but conversion wasn't possible then)
+    // skips straight to the conversion.
+    if (convertQuoteToOrder) {
+      // Shared by the bearer-JSON and browser-form branches. Throws coded
+      // errors the branches map to their surfaces.
+      var _operatorConvertQuote = async function (req, id, reasonRaw) {
+        if (typeof reasonRaw !== "string" || !reasonRaw.trim().length) {
+          throw new TypeError("admin: a reason is required to convert a quote on the customer's behalf");
+        }
+        var reason = reasonRaw.trim();
+        if (reason.length > 200) {
+          throw new TypeError("admin: reason must be <= 200 characters");
+        }
+        var current = await quotes.getQuote(id);   // TypeError on a malformed id → 400
+        if (!current) {
+          var miss = new Error("quote " + id + " not found");
+          miss.code = "QUOTE_NOT_FOUND";
+          throw miss;
+        }
+        if (current.status === "responded") {
+          await quotes.customerAccept({
+            quote_id:             id,
+            accepted_by_customer: "operator-recorded: " + reason,
+          });
+        }
+        // Any other non-accepted state falls through to the converter,
+        // whose own FSM claim refuses it — one error shape per state class.
+        var convertedQuote = await convertQuoteToOrder(id);
+        if (!convertedQuote || !convertedQuote.converted_order_id) {
+          // The only null path after a successful accept: no resolvable
+          // ship-to (the customer has no default shipping address) — or the
+          // quote wasn't accepted (wrong state).
+          var blocked = new Error("the quote could not be converted — it must be accepted and " +
+            "the customer needs a default shipping address on file");
+          blocked.code = "QUOTE_NOT_CONVERTIBLE";
+          throw blocked;
+        }
+        // Chained operator-audit row: WHO converted, WHY, and the order it
+        // minted. Drop-silent — a recording failure must never unwind the
+        // conversion the operator just watched succeed.
+        if (operatorAuditLog && typeof operatorAuditLog.record === "function") {
+          try {
+            await operatorAuditLog.record({
+              actor_type:    "operator",
+              actor_id:      (req.operatorActor && req.operatorActor.operator_id) || "owner",
+              action:        "quote.convert_to_order",
+              resource_kind: "quote",
+              resource_id:   id,
+              before:        { status: current.status },
+              after:         { reason: reason, order_id: convertedQuote.converted_order_id },
+            });
+          } catch (_e) { /* drop-silent */ }
+        }
+        return convertedQuote;
+      };
+
+      router.post("/admin/quotes/:id/convert-to-order", _pageOrApi(false,
+        W("quote.convert", async function (req, res) {
+          var row;
+          try { row = await _operatorConvertQuote(req, req.params.id, req.body && req.body.reason); }
+          catch (e) {
+            if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+            if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+            if (e && e.code === "QUOTE_EXPIRED") return _problem(res, 409, "quote-expired", e.message);
+            if (e && e.code === "QUOTE_INSUFFICIENT_STOCK") return _problem(res, 409, "quote-insufficient-stock", e.message);
+            if (e && e.code === "QUOTE_NOT_CONVERTIBLE") return _problem(res, 409, "quote-not-convertible", e.message);
+            if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+            throw e;
+          }
+          _json(res, 200, row);
+          return { id: row.id };
+        }),
+        async function (req, res) {
+          var id = req.params.id;
+          try {
+            await _operatorConvertQuote(req, id, req.body && req.body.reason);
+          } catch (e) {
+            // Per-code operator-safe banner copy (the coded refusals carry no
+            // secrets, but the banner uses authored copy rather than echoing
+            // the thrown text — same no-leak guarantee as _safeNotice, with
+            // a more actionable message per refusal). Anything un-coded
+            // routes through _safeNotice's classifier.
+            var codedCopy = {
+              QUOTE_TRANSITION_REFUSED: "The quote is no longer in a state that can be converted.",
+              QUOTE_EXPIRED:            "The quote's validity window has passed — reprice it before converting.",
+              QUOTE_INSUFFICIENT_STOCK: "Not enough stock is available to fulfil the quote.",
+              QUOTE_NOT_CONVERTIBLE:    "The quote couldn't be converted — it must be accepted and the customer needs a default shipping address on file.",
+              QUOTE_NOT_FOUND:          "Quote not found.",
+            };
+            var codedNotice = e && e.code ? codedCopy[e.code] : null;
+            if (!(e instanceof TypeError) && !codedNotice) throw e;
+            var status, noticeText;
+            if (codedNotice) {
+              status = e.code === "QUOTE_NOT_FOUND" ? 404 : 409;
+              noticeText = codedNotice;
+            } else {
+              // TypeError (validation) — _safeNotice surfaces its operator-
+              // safe message verbatim and never records it as a 5xx.
+              var msg = _safeNotice(e, "quote.convert");
+              status = msg.status;
+              noticeText = msg.message.replace(/^(quotes|admin)[.:]\s*/, "");
+            }
+            var fresh = null;
+            try { fresh = await quotes.getQuote(id); } catch (_e2) { fresh = null; }
+            return _sendHtml(res, status, renderAdminQuoteDetail({
+              shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+              can_convert: true,
+              notice: noticeText,
+            }));
+          }
+          b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.convert", outcome: "success", metadata: { quote_id: id } });
+          _redirect(res, "/admin/quotes?converted=1");
+        },
+      ));
+    }
+
     // Withdraw: cancel a quote that hasn't been accepted yet (requested or
     // responded). Accepted / terminal quotes refuse — the FSM gate is the
     // single source of truth, surfaced as a 409.
@@ -21667,14 +21890,21 @@ function renderAdminQuotes(opts) {
   opts = opts || {};
   var rows = opts.quotes || [];
   var responded = opts.responded ? "<div class=\"banner banner--ok\">Quote sent to the customer.</div>" : "";
+  var repriced  = opts.repriced  ? "<div class=\"banner banner--ok\">Quote repriced — the customer's existing link shows the new pricing.</div>" : "";
   var withdrawn = opts.withdrawn ? "<div class=\"banner banner--ok\">Quote withdrawn.</div>" : "";
   var converted = opts.converted ? "<div class=\"banner banner--ok\">Quote converted to an order.</div>" : "";
   var notice    = opts.notice    ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
 
   var cf = opts.customer_filter;
-  var heading = cf ? "Quotes for this customer" : "Quotes awaiting a response";
+  var sf = opts.status_filter;
+  var heading = cf ? "Quotes for this customer"
+    : sf === "expired" ? "Expired quotes"
+    : sf ? "Quotes — " + sf
+    : "Quotes awaiting a response";
   var chips = "<div class=\"order-filters\">" +
-    "<a class=\"chip" + (cf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    "<a class=\"chip" + (cf == null && sf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    "<a class=\"chip" + (sf === "expired" ? " chip--on" : "") + "\" href=\"/admin/quotes?status=expired\">Expired</a>" +
+    (sf && sf !== "expired" ? "<a class=\"chip chip--on\" href=\"/admin/quotes?status=" + _htmlEscape(encodeURIComponent(sf)) + "\">" + _htmlEscape(sf) + "</a>" : "") +
     (cf ? "<a class=\"chip chip--on\" href=\"/admin/quotes?customer_id=" + _htmlEscape(encodeURIComponent(cf)) + "\">This customer</a>" : "") +
     "</div>";
 
@@ -21696,9 +21926,11 @@ function renderAdminQuotes(opts) {
 
   var table = rows.length
     ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Quote</th><th scope=\"col\">Customer</th><th scope=\"col\">Status</th><th scope=\"col\" class=\"num\">Lines</th><th scope=\"col\" class=\"num\">Total</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table>") + "</div>"
-    : "<p class=\"empty\">" + (cf ? "No quotes for this customer." : "No quotes are waiting for a response.") + "</p>";
+    : "<p class=\"empty\">" + (cf ? "No quotes for this customer."
+        : sf ? "No " + _htmlEscape(sf) + " quotes."
+        : "No quotes are waiting for a response.") + "</p>";
 
-  var bodyHtml = "<section><h2>Quotes</h2>" + responded + withdrawn + converted + notice +
+  var bodyHtml = "<section><h2>Quotes</h2>" + responded + repriced + withdrawn + converted + notice +
     "<p class=\"meta\">Request-for-quote negotiations. The response queue lists the requests waiting on you, oldest first — open one to price its lines and send the customer a quote.</p>" +
     chips + "<h3 class=\"subhead\">" + _htmlEscape(heading) + "</h3>" + table + "</section>";
   return _renderAdminShell(opts.shop_name, "Quotes", bodyHtml, "quotes", opts.nav_available);
@@ -21713,6 +21945,8 @@ function renderAdminQuoteDetail(opts) {
     return _renderAdminShell(opts.shop_name, "Quote", nf, "quotes", opts.nav_available);
   }
   var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var repricedBanner = opts.repriced
+    ? "<div class=\"banner banner--ok\">Quote repriced — the customer's existing link shows the new pricing.</div>" : "";
   var enc = _htmlEscape(encodeURIComponent(q.id));
   var currency = q.currency || "USD";
 
@@ -21725,6 +21959,8 @@ function renderAdminQuoteDetail(opts) {
       (q.payment_terms ? "<p class=\"meta\">Payment terms: " + _htmlEscape(q.payment_terms) + "</p>" : "") +
       (q.message ? "<p class=\"meta\">Customer message: <q>" + _htmlEscape(q.message) + "</q></p>" : "") +
       (q.valid_until ? "<p class=\"meta\">Valid until: " + _htmlEscape(new Date(Number(q.valid_until)).toISOString()) + "</p>" : "") +
+      (q.response_version != null && Number(q.response_version) > 1
+        ? "<p class=\"meta\">Pricing revision: " + _htmlEscape(String(q.response_version)) + "</p>" : "") +
       (q.total_minor != null ? "<p class=\"meta\">Quoted total: <strong>" + _htmlEscape(pricing.format(q.total_minor, currency)) + "</strong></p>" : "") +
       (q.converted_order_id ? "<p class=\"meta\">Converted to order: <a href=\"/admin/orders/" + _htmlEscape(encodeURIComponent(q.converted_order_id)) + "\"><code class=\"order-id\">" + _htmlEscape(String(q.converted_order_id).slice(0, 8)) + "</code></a></p>" : "") +
     "</div>";
@@ -21775,6 +22011,57 @@ function renderAdminQuoteDetail(opts) {
       "</div>";
   }
 
+  // Reprice form — only for a still-responded quote (the customer hasn't
+  // settled it). Same fields as the respond form, prefilled with the
+  // current pricing so the operator edits an offer rather than retyping
+  // it. Posting re-runs the full pricing math server-side and bumps the
+  // revision counter; the customer's existing link shows the new pricing.
+  var repriceForm = "";
+  if (q.status === "responded") {
+    var repriceFields = (q.lines || []).map(function (l) {
+      return _setupField(l.sku + " — unit price (" + currency + ")", "price_" + l.sku,
+        _minorToMajorInput(l.unit_price_minor, l.currency || currency), "text",
+        "Quantity " + l.quantity + ".", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\" required");
+    }).join("");
+    repriceForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Reprice this quote</h3>" +
+        "<p class=\"meta\">Revise the offer before the customer settles it — new unit prices, shipping, tax, and a fresh validity window. The link the customer already has keeps working and shows the new pricing.</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/reprice\">" +
+          repriceFields +
+          _setupField("Shipping (" + currency + ")", "shipping", _minorToMajorInput(q.shipping_minor, currency), "text", "Optional. Leave blank for free shipping.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Tax (" + currency + ")", "tax", _minorToMajorInput(q.tax_minor, currency), "text", "Optional.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Valid for (days)", "valid_days", "14", "number", "How many days the customer has to accept the revised quote.", " min=\"1\" max=\"365\" required") +
+          _setupField("Currency", "currency", currency, "text", "ISO-4217, e.g. USD.", " maxlength=\"3\" pattern=\"[A-Za-z]{3}\"") +
+          "<label class=\"form-field\"><span>Note to the customer</span><textarea name=\"operator_notes\" maxlength=\"4000\" rows=\"3\">" + _htmlEscape(q.operator_notes || "") + "</textarea></label>" +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Send revised quote</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+
+  // Convert to order — the verbal-approval path. Rendered for a responded
+  // quote (the operator records the customer's out-of-band yes) and for an
+  // accepted one (the customer accepted online but conversion wasn't
+  // possible then — e.g. no address yet). Requires a reason; the reason
+  // lands on the acceptance attribution and the operator audit log. Only
+  // rendered when the conversion composition is wired.
+  var convertForm = "";
+  if (opts.can_convert && (q.status === "responded" || q.status === "accepted")) {
+    convertForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Convert to order</h3>" +
+        "<p class=\"meta\">" + (q.status === "responded"
+          ? "Records the customer's out-of-band approval (a phone or email yes) and lands this quote as a pending order at the quoted prices, reserving the stock. An expired quote refuses — reprice it first."
+          : "The customer accepted this quote; convert it into a pending order at the accepted prices.") + "</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/convert-to-order\">" +
+          _setupField("Reason / approval record", "reason", "", "text",
+            "Required. Who approved and how — e.g. “verbal approval, J. Doe, phone 2026-06-10”.",
+            " maxlength=\"200\" required") +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Convert to order</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+
   // Withdraw — available while the quote hasn't been accepted (requested or
   // responded). The FSM refuses it for accepted/terminal quotes; we only
   // render the button when it would succeed.
@@ -21792,7 +22079,7 @@ function renderAdminQuoteDetail(opts) {
   "</div>";
 
   var bodyHtml = "<section><h2>Quote " + _htmlEscape(String(q.id).slice(0, 8)) + "</h2>" +
-    notice + summary + linesPanel + respondForm + actions + "</section>";
+    notice + repricedBanner + summary + linesPanel + respondForm + repriceForm + convertForm + actions + "</section>";
   return _renderAdminShell(opts.shop_name, "Quote " + String(q.id).slice(0, 8), bodyHtml, "quotes", opts.nav_available);
 }
 

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.25",
+  "version": "0.4.27",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",
@@ -38,8 +38,8 @@
       "fingerprinted": "js/passkey-register.02b0e196fb9608d8.js"
     },
     "js/pay-trusted-types.js": {
-      "integrity": "sha384-jD90N8l7J3Vcu+aPSFRi6AE/5XKHQl58/avwHE9PH0mHwMavX991OCsEcznEf3n5",
-      "fingerprinted": "js/pay-trusted-types.53d0df13f9480a66.js"
+      "integrity": "sha384-h+/EjwX7ee88MouudamS26SgRg1bUXasRs9qD0Wcg6bGkK51CluebA3iATzedwdz",
+      "fingerprinted": "js/pay-trusted-types.08dc910a5c35d38a.js"
     },
     "js/pay.js": {
       "integrity": "sha384-W11JVQhv1RZq4WhsAOglu56gTZTDz1ByLd+b1HFQBCi8xGoEhJ0PZ2yI3FqbYzt6",