@blamejs/blamejs-shop 0.4.25 → 0.4.27

package/lib/security-middleware.js

@@ -101,6 +101,7 @@ var INTERNAL_BRIDGE_PATHS = [
   "/_/campaign-send-tick",
   "/_/customer-portal-expire",
   "/_/stale-order-reap",
+  "/_/quote-expiry-tick",
 ];
 
 // Public well-known paths fetched by third-party verification crawlers
@@ -290,7 +291,25 @@ function clientKey(req) {
  * so both substrates stay header-consistent.
  */
 function securityHeadersOpts() {
-  return { documentPolicy: false, referrerPolicy: "same-origin" };
+  // `trustProxy: true` is what lets the vendored HSTS header actually
+  // ship from the container. The vendored securityHeaders middleware
+  // emits Strict-Transport-Security ONLY when the request protocol
+  // resolves to https (RFC 6797 §7.2: HSTS over plain HTTP is ignored by
+  // UAs, so the middleware suppresses it on non-TLS requests). Behind the
+  // Cloudflare Worker the container socket is plain http and the real
+  // scheme rides in the Worker-set `x-forwarded-proto: https` — without
+  // trustProxy the middleware reads `http`, decides the request isn't
+  // TLS, and drops HSTS on EVERY container-served response. The edge
+  // Worker sets its own HSTS on edge-rendered pages, but a direct-to-
+  // container request (edge render off, or an internal hop that returns
+  // HTML) then carries no HSTS at all. Opting into the forwarded-proto
+  // header — the same stance the csrf gate already takes (mountRouteGuards
+  // passes trustProxy:true) and the storefront session-cookie path takes
+  // (`_secureForReq`) — restores the header on container responses. HSTS
+  // stays OWNED by the vendored middleware (we set no header ourselves),
+  // so there is no double-set: on an edge-rendered page only the Worker's
+  // header is present; on a container-served page only this one is.
+  return { documentPolicy: false, referrerPolicy: "same-origin", trustProxy: true };
 }
 
 // ---- route-scoped CSP (payment processors + CAPTCHA providers) ----------

package/lib/store-credit.js

@@ -52,6 +52,11 @@
  *     - expiringWithin({ customer_id, days })
  *     - bulkBalance({ customer_ids })
  *     - cleanupExpired({ now })
+ *     - exportForCustomer(customer_id) — DSR export reader: the
+ *       subject's balance + full ledger history.
+ *     - eraseForCustomer(customer_id, { dry_run? }) — DSR erasure:
+ *       RETAINS (financial ledger, legal-obligation basis). Returns
+ *       the `{ table, deleted: 0, note }` reader contract.
  *
  *   Storage:
  *     - store_credit_ledger (migration 0094).
@@ -491,6 +496,42 @@ function create(opts) {
       return out;
     },
 
+    // ---- exportForCustomer / eraseForCustomer (DSR) -----------------
+    //
+    // Subject-access-request hooks consumed by complianceExport. The
+    // ledger keys on `customer_id`.
+    //
+    // exportForCustomer(customer_id) — the subject's current balance +
+    // their full ledger history (the financial record of every credit /
+    // debit / expire against their wallet). Pure read; the history is
+    // capped at the same 500-row ceiling `history()` enforces.
+    exportForCustomer: async function (customerId) {
+      var cid = _uuid(customerId, "customer_id");
+      var bal = await _currentBalance(cid);
+      var r = await query(
+        "SELECT id, customer_id, kind, amount_minor, source, source_ref, order_id, " +
+        "balance_after_minor, expires_at, occurred_at FROM store_credit_ledger " +
+        "WHERE customer_id = ?1 ORDER BY occurred_at DESC, id DESC LIMIT 500",
+        [cid],
+      );
+      return { balance_minor: bal, history: r.rows };
+    },
+
+    // eraseForCustomer(customer_id, { dry_run }) — store credit is a
+    // financial ledger: an audited record of money owed to and spent by
+    // the customer, retained under the controller's legal-obligation /
+    // accounting basis (the same posture as the loyalty ledger and gift
+    // cards in the DSR reader map). Erasure RETAINS — deleting the rows
+    // would destroy the proof of a balance the customer may still be
+    // entitled to and the accounting trail a tax / chargeback audit
+    // needs. Returns `{ table, deleted: 0, note }`; dry_run reports the
+    // same retain decision (0 rows would be removed). The customer-
+    // identity scrub rides the anonymized customers row.
+    eraseForCustomer: async function (customerId, _opts) {
+      _uuid(customerId, "customer_id");
+      return { table: "store_credit_ledger", deleted: 0, note: "retained-financial-ledger" };
+    },
+
     cleanupExpired: async function (input) {
       input = input || {};
       var now = _epochMs(input.now, "now");

package/lib/storefront.js

@@ -10930,7 +10930,13 @@ function renderQuotePage(opts) {
     var lineRows = (q.lines || []).map(function (l) {
       var unit  = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor, l.currency || currency);
       var total = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor * l.quantity, l.currency || currency);
-      return "<tr><td>" + esc(l.sku) + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
+      // Per-line note — free text captured on the RFQ line, rendered under
+      // the item so the priced offer reads against what was asked for.
+      // Escaped like every other free-text field on this page.
+      var note = l.notes
+        ? "<div class=\"quote-line__note\">" + esc(l.notes) + "</div>"
+        : "";
+      return "<tr><td>" + esc(l.sku) + note + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
         "<td class=\"num\">" + esc(unit) + "</td><td class=\"num\">" + esc(total) + "</td></tr>";
     }).join("");
     var rowsHtml =
@@ -11019,11 +11025,17 @@ function renderQuoteList(opts) {
       var currency = q.currency || "USD";
       var total = q.total_minor == null ? "Awaiting price" : pricing.format(q.total_minor, currency);
       var statusLabel = q.status === "responded" ? "ready to review" : q.status;
+      // Make the acceptance window visible from the list — a plain
+      // server-rendered date on quotes that are still open to accept.
+      var valid = (q.status === "responded" && q.valid_until)
+        ? "<span class=\"quote-list__valid\">Valid until " + esc(new Date(Number(q.valid_until)).toUTCString()) + "</span>"
+        : "";
       return "<li class=\"quote-list__item\">" +
         "<a href=\"/account/quotes/" + esc(q.id) + "\">" +
           "<span class=\"quote-list__id\">Quote " + esc(String(q.id).slice(0, 8)) + "</span>" +
           "<span class=\"quote-list__status\">" + esc(statusLabel) + "</span>" +
           "<span class=\"quote-list__total\">" + esc(total) + "</span>" +
+          valid +
         "</a></li>";
     }).join("");
     body =
@@ -15873,7 +15885,8 @@ function mount(router, deps) {
           try {
             var portalCust = await deps.customers.get(rv.customer_id);
             if (portalCust && portalCust.email_hash) {
-              await deps.order.linkGuestOrdersByEmailHash(rv.customer_id, portalCust.email_hash);
+              await deps.order.linkGuestOrdersByEmailHash(
+                rv.customer_id, portalCust.email_hash, { linked_via: "magic-link" });
             }
           } catch (_eLink) { /* drop-silent — sign-in itself succeeds */ }
         }
@@ -16124,6 +16137,17 @@ function mount(router, deps) {
             if (anonCart) await deps.cart.setCustomer(anonCart.id, customer.id);
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
+        // Guest-order reconciliation is deliberately NOT done here. A passkey
+        // assertion proves control of the AUTHENTICATOR, not of the account's
+        // email — and a passkey-registered account's email_hash was never
+        // verified (the register path stores whatever address was typed). The
+        // attach is gated strictly on PROVEN email ownership: an OIDC sign-in
+        // the provider verified, or a magic-link the buyer clicked. Linking on
+        // the account's unverified email_hash here would let an attacker who
+        // registered a passkey under a victim's address inherit the victim's
+        // guest orders — the takeover class the customers model guards against.
+        // A passkey-account holder who wants their guest orders attached signs
+        // in once via the magic-link, which proves the email and reconciles.
         _clearChallengeCookie(res);
         _setAuthCookie(req, res, {
           customer_id: customer.id,
@@ -16949,7 +16973,8 @@ function mount(router, deps) {
         if (claims.email_verified === true && claims.email && deps.order &&
             typeof deps.order.linkGuestOrdersByEmailHash === "function") {
           try {
-            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+            await deps.order.linkGuestOrdersByEmailHash(
+              rv.customer.id, deps.customers.hashEmail(claims.email), { linked_via: "verified-email" });
           } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
         }
         // Attribute a referral ONLY on a genuinely new account
@@ -17063,7 +17088,8 @@ function mount(router, deps) {
         if (emailVerified && claims.email && deps.order &&
             typeof deps.order.linkGuestOrdersByEmailHash === "function") {
           try {
-            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+            await deps.order.linkGuestOrdersByEmailHash(
+              rv.customer.id, deps.customers.hashEmail(claims.email), { linked_via: "verified-email" });
           } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
         }
         // Attribute a referral ONLY on a genuinely new account (rv.created)

package/lib/suggestion-box.js

@@ -102,6 +102,13 @@
  *     - metricsForCategory({ category, from, to })
  *     - archiveSuggestion(id)
  *     - flagAsSpam({ suggestion_id, flagged })
+ *     - exportForCustomer({ customer_id?, email_hash? }) — DSR export
+ *       reader: the subject's own suggestion rows (matched on
+ *       customer_id OR the suggestion-box-namespace email hash).
+ *     - eraseForCustomer({ customer_id?, email_hash?, dry_run? }) —
+ *       DSR erasure: anonymizes the subject's rows in place (both
+ *       identity keys -> NULL), keeping the de-identified roadmap
+ *       signal. Returns the `{ table, deleted }` reader contract.
  *
  *   Storage: `migrations-d1/0181_suggestion_box.sql` —
  *     `suggestions` + `suggestion_votes`.
@@ -850,6 +857,121 @@ function create(opts) {
     return _decode(await _getRaw(sid));
   }
 
+  // ---- exportForCustomer / eraseForCustomer (DSR) -----------------------
+  //
+  // Subject-access-request hooks consumed by complianceExport. A
+  // suggestion row is keyed to a person by EITHER `customer_id` (an
+  // authenticated submission) OR `customer_email_hash` (a storefront
+  // visitor who supplied a confirmed email but wasn't signed in). The
+  // email is hashed under the `suggestion-box-email` namespace
+  // (EMAIL_NAMESPACE), distinct from the customers table's own
+  // `customer-email` namespace, and the raw email is never stored —
+  // so an email-only row can be matched to a customer ONLY when the
+  // caller can supply that same suggestion-box namespace hash.
+  //
+  // The DSR composition root resolves a customer by `customer_id`
+  // (no raw email is held anywhere in the system to re-hash), so it
+  // passes `customer_id` and — when the requesting customer's email
+  // is known in-session — the derived `email_hash`. Both keys are
+  // matched with OR so a customer's authenticated AND email-only
+  // submissions are covered. A caller WITH the raw email derives the
+  // hash via the exported EMAIL_NAMESPACE + b.crypto.namespaceHash.
+
+  // Normalize the DSR selector: at least one of customer_id /
+  // email_hash must be present. Returns { custId, emailHash } with
+  // validated/null values. Defensive request-shape reader at the
+  // primitive boundary — bad UUID shape throws (operator catches the
+  // typo); a null/absent key is simply not used in the predicate.
+  function _dsrSelector(input, method) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("suggestionBox." + method + ": input object required");
+    }
+    var custId    = _customerIdOpt(input.customer_id);
+    var emailHash = null;
+    if (input.email_hash != null) {
+      if (typeof input.email_hash !== "string" || !input.email_hash.length || input.email_hash.length > 256) {
+        throw new TypeError("suggestionBox." + method + ": email_hash must be a non-empty string <= 256 chars when provided");
+      }
+      if (CONTROL_BYTE_STRICT_RE.test(input.email_hash) || ZERO_WIDTH_RE.test(input.email_hash)) {
+        throw new TypeError("suggestionBox." + method + ": email_hash contains control / zero-width bytes");
+      }
+      emailHash = input.email_hash;
+    }
+    if (custId == null && emailHash == null) {
+      throw new TypeError("suggestionBox." + method + ": at least one of customer_id / email_hash is required");
+    }
+    return { custId: custId, emailHash: emailHash };
+  }
+
+  // Build the `customer_id = ? OR customer_email_hash = ?` predicate
+  // from whichever selector keys are present, returning { clause,
+  // params }. Shared by export + erase so the two never diverge on
+  // which rows belong to the subject.
+  function _dsrWhere(sel) {
+    var ors    = [];
+    var params = [];
+    var idx    = 1;
+    if (sel.custId != null)    { ors.push("customer_id = ?" + idx);         params.push(sel.custId);    idx += 1; }
+    if (sel.emailHash != null) { ors.push("customer_email_hash = ?" + idx); params.push(sel.emailHash); idx += 1; }
+    return { clause: "(" + ors.join(" OR ") + ")", params: params };
+  }
+
+  // exportForCustomer({ customer_id?, email_hash? }) — returns the
+  // subject's own suggestion rows (decoded). Read-only; capped at
+  // MAX_LIST_LIMIT so a single customer's history can't unbounded-
+  // stream the export. Spam-flagged / archived rows ARE included —
+  // the subject is entitled to a copy of everything held about them,
+  // including operator-only tombstoned rows.
+  async function exportForCustomer(input) {
+    var sel = _dsrSelector(input, "exportForCustomer");
+    var w   = _dsrWhere(sel);
+    var r = await query(
+      "SELECT * FROM suggestions WHERE " + w.clause +
+      " ORDER BY created_at DESC, id DESC LIMIT ?" + (w.params.length + 1),
+      w.params.concat([MAX_LIST_LIMIT]),
+    );
+    var out = [];
+    for (var i = 0; i < r.rows.length; i += 1) out.push(_decode(r.rows[i]));
+    return out;
+  }
+
+  // eraseForCustomer({ customer_id?, email_hash?, dry_run? }) —
+  // GDPR Art. 17 erasure. A suggestion (especially a `complaint`)
+  // carries the customer's own free-text words + a hashed email, so
+  // it is personal data with no retention basis once the subject
+  // asks for erasure. Rather than DELETE the row (which would orphan
+  // any votes / canonical-link pointers and lose the operator's
+  // roadmap signal), this ANONYMIZES it in place: severs both
+  // identity keys (customer_id + customer_email_hash → NULL) so the
+  // row can no longer be traced to the person, while the
+  // already-published title/body/votes stay as de-identified
+  // roadmap input. dry_run counts the rows it WOULD anonymize
+  // without mutating. Returns the complianceExport reader contract
+  // shape `{ table, deleted }`.
+  async function eraseForCustomer(input) {
+    var dryRun = !!(input && input.dry_run);
+    var sel = _dsrSelector(input, "eraseForCustomer");
+    var w   = _dsrWhere(sel);
+    // Only rows still carrying an identity key need anonymizing —
+    // a re-run finds none (idempotent).
+    var countRow = (await query(
+      "SELECT COUNT(*) AS n FROM suggestions WHERE " + w.clause +
+      " AND (customer_id IS NOT NULL OR customer_email_hash IS NOT NULL)",
+      w.params,
+    )).rows[0];
+    var n = countRow ? Number(countRow.n) : 0;
+    if (dryRun) return { table: "suggestions", deleted: n };
+    if (n === 0) return { table: "suggestions", deleted: 0 };
+    var ts = _now();
+    var res = await query(
+      "UPDATE suggestions SET customer_id = NULL, customer_email_hash = NULL, updated_at = ?" +
+      (w.params.length + 1) + " WHERE " + w.clause +
+      " AND (customer_id IS NOT NULL OR customer_email_hash IS NOT NULL)",
+      w.params.concat([ts]),
+    );
+    return { table: "suggestions", deleted: Number((res && res.rowCount) || 0) };
+  }
+
   // ---- flagAsSpam -------------------------------------------------------
   //
   // Operator-only. Sets spam_flagged = 1 (or back to 0 if the
@@ -897,6 +1019,8 @@ function create(opts) {
     metricsForCategory:   metricsForCategory,
     archiveSuggestion:    archiveSuggestion,
     flagAsSpam:           flagAsSpam,
+    exportForCustomer:    exportForCustomer,
+    eraseForCustomer:     eraseForCustomer,
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.25",
+  "version": "0.4.27",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {