@blamejs/blamejs-shop 0.4.26 → 0.4.27

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.27 (2026-06-11) — **Stale quotes expire on schedule, operators can reprice an open quote or convert a verbally-approved one to an order, and customers see the operator's per-line notes and the validity window.** A quote-lifecycle release. Quotes whose validity window has elapsed now transition to expired on a scheduled sweep instead of lingering as open work — the accept-time guard already refused stale prices; now the console's queue and the customer's account list reflect that reality, and the admin list gains an expired filter. Operators can reprice a quote that is awaiting the customer's answer (the customer's existing link immediately shows the new pricing) and can convert a quote the customer approved outside the site — by phone or email — directly to an order, with a required reason recorded in the audit log. The customer-facing quote view now renders the per-line notes the operator wrote alongside each price and shows the validity date in the account list. Upgrade applies one D1 migration. **Added:** *Quotes past their validity window expire on a scheduled sweep* — A scheduled tick transitions responded quotes whose valid-until date has elapsed to expired, in one bounded pass per fire. The transition is race-safe: each row re-checks its status and validity inside a conditional update, so a customer accepting at the same moment wins, a reprice that extends validity rescues the quote, and overlapping ticks never double-transition. The sweep rides the same shared-secret internal endpoint discipline as the other scheduled tasks — secret-checked at the edge and again in the container. The per-pass batch size is tunable with QUOTE_EXPIRY_BATCH (validated at boot). · *Operators can reprice a quote awaiting the customer's answer* — A responded quote that the customer has not yet accepted can be repriced from the console — new per-line pricing, shipping, tax, and validity window through the same validation as the original response, with a version counter recording each revision. The customer's existing quote link keeps working and renders the new pricing; no new email is sent, so the link the customer already holds stays valid. Repricing a quote in any other state is refused with a conflict. · *Operators can convert a verbally-approved quote to an order* — When a customer approves a quote outside the site — by phone or email — the operator can convert it to an order directly from the console. The action requires a written reason, records an audit row with the operator, the reason, and the minted order id, and runs through the same conversion path customer acceptance uses: inventory holds are placed first and released if order creation fails, and the accept-time expiry guard still refuses a quote past its validity window. The action requires order-write permission. **Changed:** *The customer quote view shows per-line notes and the validity window* — Notes the operator writes against individual quote lines now render on the customer's quote page under the line they describe, and the account quote list shows the validity date for open quotes — so the customer sees the full offer, not just the numbers, and knows how long it stands. · *The admin quote list gains an expired filter* — The console's quote list accepts a status filter and ships an Expired view, so quotes the sweep transitioned are reviewable rather than invisible. An unrecognized status value falls back to the default queue.
+
 - v0.4.26 (2026-06-06) — **Guest orders attach to an account on verified sign-in; privacy exports and erasures now cover suggestions, saved-for-later, and store credit; HSTS ships on container responses behind the CDN; and internal cron POSTs are secret-checked at the edge.** A guest-order-claim, privacy-completeness, and edge-hardening release. When a shopper who checked out as a guest later signs in or registers with a verified email that matches the order, those orders now attach to their account and appear in their order history. A subject-access export now includes the customer's suggestion-box submissions, their save-for-later list, and their store-credit ledger, and an erasure anonymizes the suggestions, deletes the saved list, and retains the store-credit ledger under its accounting basis — a domain whose reader isn't wired still shows in the export manifest rather than being silently dropped. Strict-Transport-Security now ships on responses served directly by the container behind the Cloudflare proxy, not only on edge-rendered pages. The worker now verifies the shared secret on internal cron and event POSTs before forwarding them to the container. Upgrade applies one D1 migration. **Added:** *Guest orders reconcile to an account on verified sign-in* — An order placed as a guest carries the buyer's email as a one-way hash. When that buyer later signs in or registers — including through Sign in with Google — and their verified email hashes to the same value, the matching guest orders attach to their account and show up under their order history. Attachment is driven only by verified-email ownership, never by unauthenticated email knowledge, and is idempotent: re-signing-in attaches nothing new, a non-matching email attaches nothing, and the placing-browser cookie and emailed-access-token routes to a guest order keep working unchanged. **Changed:** *Privacy export and erasure cover suggestions, saved-for-later, and store credit* — A full subject-access export now includes three more customer-keyed domains: the customer's suggestion-box submissions (product ideas and complaints, matched on the account id or the hashed email the submission carried), their save-for-later list, and their store-credit balance and ledger history. Erasure anonymizes each suggestion in place — severing both identity keys so the row can no longer be traced to the person while leaving the de-identified roadmap signal — deletes the save-for-later list outright, and retains the store-credit ledger under the same accounting / legal-obligation basis the loyalty ledger and gift cards already use. Each domain reports its effect in the request's completeness manifest, so a domain whose reader isn't wired is visible as absent rather than silently omitted. **Security:** *HSTS ships on container responses behind the proxy* — Strict-Transport-Security is emitted on responses served directly by the application container, not only on pages rendered at the edge. Behind the Cloudflare proxy the container connection is plain HTTP and the real scheme arrives in the forwarded-proto header; the security-headers middleware now trusts that header, so a direct-to-container or edge-render-off response carries the same two-year, includeSubDomains, preload HSTS value the edge sends. Plain-HTTP local and direct connections still omit the header, which user agents ignore over HTTP anyway. · *Internal cron and event POSTs are secret-checked at the edge* — The worker now verifies the shared secret on its internal cron and event POSTs (cart-recovery, stock-alert and wishlist sweeps, the stale-order reap, portal-session expiry, and campaign sends) before forwarding them to the container, refusing a forged public request at the edge instead of relying solely on the container's own check. The check is skipped when the secret isn't configured, so a deployment that hasn't set it still forwards rather than refusing every scheduled task.
 
 - v0.4.25 (2026-06-06) — **The admin role gate fails closed, payment-processor calls are host-pinned, the public catalog API stops leaking unpublished products, and privacy requests show their statutory deadline.** A security-hardening release. The staff role matrix now denies an unmapped admin action by default (owner-only) instead of leaving it manager-reachable; outbound Stripe and PayPal calls are pinned to the configured processor host with their idempotency keys validated before they leave; the public catalog API no longer honors a caller-supplied status filter, so draft and archived products can't be enumerated; the privacy-request console surfaces each request's statutory response deadline; and the Apple Pay well-known bot-guard exemption is tightened to an exact-path match. No migrations. **Changed:** *Privacy-request console shows the statutory response deadline* — Each export and erasure request now displays its statutory response deadline — one month under GDPR, 45 days under CCPA, 15 days under LGPD — derived from the request's recorded jurisdiction and timestamp, and flags an open request whose deadline has passed. Requests under no statutory regime show no deadline rather than an invented one. **Security:** *Admin role gate fails closed on unmapped actions* — The operator role matrix is now a declarative registry with role inheritance (owner ⊃ manager ⊃ viewer) validated at boot. A mutating admin action that isn't explicitly mapped to a permission now requires the owner role, instead of falling through to a manager-grantable default — so a newly added admin route can't be reached by a manager or viewer by accident. Existing mapped routes keep their grants. · *Public catalog API no longer leaks unpublished products* — GET /api/catalog/products accepted a caller-supplied ?status= filter and passed it straight through, so an unauthenticated request could list draft or archived products by asking for them. The endpoint now always lists only published products; operators browse other statuses through the authenticated admin catalog screens. · *Payment-processor calls are host-pinned with validated idempotency keys* — Every outbound Stripe and PayPal call is now pinned to the configured processor host (defense-in-depth over the existing private-address and metadata-endpoint blocking), and a malformed or non-HTTPS processor base URL fails at the first call rather than dialing in the clear. The idempotency key each call carries is validated before it leaves, refusing path-traversal, slash, and control-character shapes. · *Apple Pay well-known bot-guard exemption is exact-match* — The bot-guard skip for the Apple Pay domain-association path was matched as a prefix, which would also have exempted any sibling path beneath it. It is now an exact-path match, so only the single static association file skips the guard.

package/README.md

@@ -78,7 +78,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/product-qa.js`** | Customer questions and operator/customer answers per product, operator-moderated, distinct from the rating-based reviews. A signed-in shopper asks at `/products/:slug/question`; questions land `pending` and surface only after approval. Author identity is the customer id (verified against the customers primitive) or a hash-only email — the raw address is never stored. The product page renders approved questions with their approved answers (seller / customer / system badge, pinned 'top answer' first) in both the edge and container paths. `/admin/questions` is the moderation console: the cross-product queue (`listQuestionsByStatus`), and a per-question detail to approve / reject the question, post the seller answer (`submitAnswer`), approve / reject / pin answers. |
 | **`lib/wishlist.js`** + **`lib/wishlist-alerts.js`** + **`lib/wishlist-digest.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived) and carries a per-customer opt-in panel for **sale + restock alerts** (price-drop / back-in-stock, event-driven) and the **periodic digest** (the saved-items rollup on a weekly / monthly schedule). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. Both notification paths are off by default and require a configured mailer plus an email-address resolver to actually send (the customer store keeps only an email hash) — see *Optional integrations*. UUID-shape-validated ids, `b.pagination` HMAC cursors; prices rendered through `pricing.format` (locale + zero-decimal-currency correct). |
 | **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
-| **`lib/quotes.js`** | Request-for-quote negotiation. A signed-in customer requests a quote from the cart (line quantities + an optional message); the operator responds from the console with per-line pricing and a validity window; the customer reviews and accepts or declines from `/account/quotes` or through a single-use capability link (`/quote/:token` — the token is stored only as a namespaced hash and compared timing-safe). Accepting converts through the normal order path — inventory holds are placed first and rolled back if order creation fails — and every status change replays a `b.fsm` lifecycle (requested → responded → accepted / declined / expired / withdrawn / converted), with expiry enforced at accept time so a stale price is never honored. |
+| **`lib/quotes.js`** | Request-for-quote negotiation. A signed-in customer requests a quote from the cart (line quantities + an optional message); the operator responds from the console with per-line pricing and a validity window; the customer reviews and accepts or declines from `/account/quotes` or through a single-use capability link (`/quote/:token` — the token is stored only as a namespaced hash and compared timing-safe). Accepting converts through the normal order path — inventory holds are placed first and rolled back if order creation fails — and every status change replays a `b.fsm` lifecycle (requested → responded → accepted / declined / expired / withdrawn / converted), with expiry enforced at accept time so a stale price is never honored. A scheduled sweep also transitions quotes past their validity window to `expired` (so the console's expired filter reflects the real lifecycle), operators can reprice an open quote (the customer's existing link shows the new pricing) or convert a verbally-approved one to an order with a recorded reason, and the customer view renders the operator's per-line notes and the validity date. |
 | **`lib/addresses.js`** | Per-customer address book at `/account/addresses` — add / edit / set default shipping or billing / remove. One-default-per-role invariant (promoting clears the prior). Every by-id route confirms the address belongs to the signed-in customer before acting (a guessed id returns 404). `b.guardUuid` ids, 2-char ISO country. |
 | **`lib/returns.js`** | Self-serve RMAs. Customer requests a return against their own order at `/account/orders/:id/return` (items + reason, ownership-checked, lines built from the order's own records) and tracks status at `/account/returns`. Operators work `/admin/returns` — approve (refund amount) / mark received / refund / reject — over the pending → approved → received → refunded FSM; illegal transitions are 409, bad ids 404. |
 | **`lib/loyalty.js`** + **`lib/loyalty-earn-rules.js`** + **`lib/loyalty-redemption.js`** | Customer rewards. `loyalty` owns the points balance, lifetime total, tier (bronze → platinum on operator-tunable thresholds), and an audited transaction ledger. `loyalty-earn-rules` defines how points are minted (per-dollar-spent, per-order, signup, birthday, …) keyed to lifecycle events; `loyalty-redemption` is the reward catalog customers spend points against. Customers see all of it at `/account/loyalty` — balance + tier, the earn rules in plain language, the reward catalog with a one-click Redeem, past redemptions, and the paginated earn/redeem ledger (login-gated). Paid orders award points automatically: the order FSM's paid transition fans out to the earn rules fire-and-forget, deduped on the order id so a re-delivered payment webhook never double-credits. At checkout a signed-in customer can spend points for a credit against the order total — valued by the redemption ratio (100 points = $1 default), capped at the order's worth and the balance, debited once behind a balance-guarded SQL decrement, stacking with any gift-card credit; surplus points stay in the balance. |

package/lib/admin.js

@@ -396,6 +396,21 @@ function _dollarsToMinor(value, label, currency) {
   return Number(minor);
 }
 
+// Render an integer minor-unit amount back into the major-unit decimal
+// string a money form field expects ("1999" → "19.99"), honouring the
+// currency's exponent the same way _dollarsToMinor does on the way in.
+// Returns "" for a NULL / malformed amount so an unpriced field renders
+// empty rather than crashing the form. The Money toString is
+// "<decimal> <CUR>"; the field wants just the decimal.
+function _minorToMajorInput(minor, currency) {
+  if (minor == null) return "";
+  var n = Number(minor);
+  if (!Number.isSafeInteger(n) || n < 0) return "";
+  var cur = typeof currency === "string" && /^[A-Z]{3}$/.test(currency) ? currency : "USD";
+  try { return b.money.fromMinorUnits(BigInt(n), cur).toString().split(" ")[0]; }
+  catch (_e) { return ""; }
+}
+
 // Strict non-negative integer for a form field (money minor units,
 // dimensions). Refuses "", floats, and parseInt's loose-prefix "12abc"
 // → 12 — the /^\d+$/ test is anchored so the whole string must be
@@ -867,7 +882,8 @@ function mount(router, deps) {
   var inventoryReceive   = deps.inventoryReceive   || null; // inbound-stock receive console disabled when absent
   var stockTransfers     = deps.stockTransfers     || null; // location→location transfer console (dispatch/receive FSM) disabled when absent
   var inventoryWriteoffs = deps.inventoryWriteoffs || null; // reason-coded write-off / shrinkage console disabled when absent
-  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/withdraw/convert) disabled when absent
+  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/reprice/withdraw/convert) disabled when absent
+  var convertQuoteToOrder = deps.convertQuoteToOrder || null; // quote → pending-order converter (server.js composition); the console convert action disabled when absent
   var emailCampaigns     = deps.emailCampaigns     || null; // consent-gated broadcast/campaign console disabled when absent
   var mailingAudiences   = deps.mailingAudiences   || null; // audience picker for the campaign console (target-an-audience dropdown)
   // Read-only activity log at /admin/audit. Defaults ON — the framework
@@ -8112,13 +8128,16 @@ function mount(router, deps) {
 
   // ---- quotes (B2B request-for-quote negotiation) ---------------------
   // The operator side of the RFQ lifecycle. The list is the response queue
-  // (oldest-waiting requests first) plus a recent-activity view; the detail
-  // screen shows the requested lines + the customer message, and — for a
-  // still-requested quote — a per-line pricing form that responds with a
-  // priced quote + validity window. Responded/accepted quotes show the
-  // quoted totals; an operator can withdraw a quote that hasn't been
-  // accepted, or convert an accepted one into a pending order. Content-
-  // negotiated like the other consoles (bearer → JSON, browser → HTML).
+  // (oldest-waiting requests first) plus per-status views (the expired
+  // filter shows what the expiry cron transitioned) and a per-customer
+  // view; the detail screen shows the requested lines + the customer
+  // message, and — for a still-requested quote — a per-line pricing form
+  // that responds with a priced quote + validity window. A responded quote
+  // can be REPRICED (revised offer, fresh window — the customer's existing
+  // link shows the new pricing) or CONVERTED to a pending order against a
+  // recorded out-of-band approval; an operator can withdraw a quote that
+  // hasn't been accepted. Content-negotiated like the other consoles
+  // (bearer → JSON, browser → HTML).
   if (quotes) {
     // Build the respondToQuote line_prices array from the per-line
     // `price_<sku>` dollar fields the detail form posts, converting each to
@@ -8139,28 +8158,46 @@ function mount(router, deps) {
       return out;
     }
 
+    // Status filter for the list — a defensive request-shape reader: an
+    // unknown / absent value falls back to the default response queue
+    // rather than erroring a bookmarked link. `expired` is the one the
+    // chips surface (what the expiry cron transitioned); any lifecycle
+    // status is accepted so tooling can read the others.
+    function _quoteStatusFilter(url) {
+      var s = url && url.searchParams.get("status");
+      return (s && quotes.QUOTE_STATUSES.indexOf(s) !== -1) ? s : null;
+    }
+
     router.get("/admin/quotes", _pageOrApi(true,
       R(async function (req, res) {
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cid = url && url.searchParams.get("customer_id");
+        var sf  = _quoteStatusFilter(url);
         var rows = cid
           ? await quotes.quotesForCustomer(cid, { limit: 200 })
-          : await quotes.pendingResponse({ limit: 200 });
+          : sf
+            ? await quotes.listByStatus({ status: sf, limit: 200 })
+            : await quotes.pendingResponse({ limit: 200 });
         _json(res, 200, { rows: rows });
       }),
       async function (req, res) {
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cid = url && url.searchParams.get("customer_id");
+        var sf  = _quoteStatusFilter(url);
         var rows = [];
         try {
           rows = cid
             ? await quotes.quotesForCustomer(cid, { limit: 200 })
-            : await quotes.pendingResponse({ limit: 200 });
+            : sf
+              ? await quotes.listByStatus({ status: sf, limit: 200 })
+              : await quotes.pendingResponse({ limit: 200 });
         } catch (e) { if (!(e instanceof TypeError)) throw e; }
         _sendHtml(res, 200, renderAdminQuotes({
           shop_name: deps.shop_name, nav_available: navAvailable, quotes: rows,
           customer_filter: cid,
+          status_filter: sf,
           responded: url && url.searchParams.get("responded"),
+          repriced:  url && url.searchParams.get("repriced"),
           withdrawn: url && url.searchParams.get("withdrawn"),
           converted: url && url.searchParams.get("converted"),
           notice: (url && url.searchParams.get("err"))
@@ -8189,6 +8226,8 @@ function mount(router, deps) {
         }));
         _sendHtml(res, 200, renderAdminQuoteDetail({
           shop_name: deps.shop_name, nav_available: navAvailable, quote: row,
+          can_convert: !!convertQuoteToOrder,
+          repriced: url && url.searchParams.get("repriced"),
           notice: (url && url.searchParams.get("err"))
             ? "That action couldn't be completed for the quote." : null,
         }));
@@ -8254,6 +8293,190 @@ function mount(router, deps) {
       },
     ));
 
+    // Reprice: revise a still-responded quote the customer hasn't settled —
+    // improved line prices, fresh shipping / tax / validity, an updated
+    // note. Same payload contract as respond (the browser form posts dollar
+    // amounts + validity-in-days; the bearer JSON contract takes minor units
+    // + an absolute valid_until). The FSM's responded -> responded reprice
+    // edge gates it, surfacing the same statuses the other quote actions
+    // use: wrong state → 409, unknown quote → 404, bad shape → 400. The
+    // quote-responded email is NOT re-fired here: the notifier rotates the
+    // customer's view token, and the reprice contract is that the link the
+    // customer already holds keeps working and shows the new pricing.
+    router.post("/admin/quotes/:id/reprice", _pageOrApi(false,
+      W("quote.reprice", async function (req, res) {
+        var row;
+        try { row = await quotes.repriceQuote(Object.assign({}, req.body || {}, { quote_id: req.params.id })); }
+        catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        var enc = encodeURIComponent(id);
+        var body = req.body || {};
+        var current = null;
+        try { current = await quotes.getQuote(id); } catch (_e) { current = null; }
+        if (!current) return _redirect(res, "/admin/quotes?err=1");
+        try {
+          var validDays = _strictNonNegIntField(body.valid_days, "valid_days");
+          if (validDays <= 0) throw new TypeError("admin: valid_days must be at least 1");
+          var quoteCurrency = typeof body.currency === "string" && body.currency
+            ? body.currency.toUpperCase() : (current.currency || "USD");
+          await quotes.repriceQuote({
+            quote_id:       id,
+            line_prices:    _quoteLinePricesFromForm(body, current.lines, quoteCurrency),
+            shipping_minor: body.shipping == null || body.shipping === "" ? 0 : _dollarsToMinor(body.shipping, "shipping", quoteCurrency),
+            tax_minor:      body.tax == null || body.tax === "" ? 0 : _dollarsToMinor(body.tax, "tax", quoteCurrency),
+            valid_until:    Date.now() + b.constants.TIME.days(validDays),
+            currency:       quoteCurrency,
+            operator_notes: body.operator_notes || null,
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          var msg = _safeNotice(e, "quote.reprice");
+          var fresh = await quotes.getQuote(id);
+          return _sendHtml(res, msg.status, renderAdminQuoteDetail({
+            shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+            can_convert: !!convertQuoteToOrder,
+            notice: msg.message.replace(/^(quotes|admin)[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.reprice", outcome: "success", metadata: { quote_id: id } });
+        _redirect(res, "/admin/quotes/" + enc + "?repriced=1");
+      },
+    ));
+
+    // Convert to order without the customer's online acceptance — the
+    // verbal-approval case (a phone / email yes the operator is recording).
+    // Requires a reason naming that approval; the reason is captured on the
+    // quote's acceptance attribution AND the chained operator audit log. A
+    // responded quote is first accepted through the same customerAccept verb
+    // the storefront uses — so the accept-time expiry guard still refuses a
+    // stale price — then converted through the shared server.js composition
+    // (inventory holds first; a hold/order failure releases the convert
+    // claim back to accepted for a retry). An already-accepted quote (e.g.
+    // the customer accepted online but conversion wasn't possible then)
+    // skips straight to the conversion.
+    if (convertQuoteToOrder) {
+      // Shared by the bearer-JSON and browser-form branches. Throws coded
+      // errors the branches map to their surfaces.
+      var _operatorConvertQuote = async function (req, id, reasonRaw) {
+        if (typeof reasonRaw !== "string" || !reasonRaw.trim().length) {
+          throw new TypeError("admin: a reason is required to convert a quote on the customer's behalf");
+        }
+        var reason = reasonRaw.trim();
+        if (reason.length > 200) {
+          throw new TypeError("admin: reason must be <= 200 characters");
+        }
+        var current = await quotes.getQuote(id);   // TypeError on a malformed id → 400
+        if (!current) {
+          var miss = new Error("quote " + id + " not found");
+          miss.code = "QUOTE_NOT_FOUND";
+          throw miss;
+        }
+        if (current.status === "responded") {
+          await quotes.customerAccept({
+            quote_id:             id,
+            accepted_by_customer: "operator-recorded: " + reason,
+          });
+        }
+        // Any other non-accepted state falls through to the converter,
+        // whose own FSM claim refuses it — one error shape per state class.
+        var convertedQuote = await convertQuoteToOrder(id);
+        if (!convertedQuote || !convertedQuote.converted_order_id) {
+          // The only null path after a successful accept: no resolvable
+          // ship-to (the customer has no default shipping address) — or the
+          // quote wasn't accepted (wrong state).
+          var blocked = new Error("the quote could not be converted — it must be accepted and " +
+            "the customer needs a default shipping address on file");
+          blocked.code = "QUOTE_NOT_CONVERTIBLE";
+          throw blocked;
+        }
+        // Chained operator-audit row: WHO converted, WHY, and the order it
+        // minted. Drop-silent — a recording failure must never unwind the
+        // conversion the operator just watched succeed.
+        if (operatorAuditLog && typeof operatorAuditLog.record === "function") {
+          try {
+            await operatorAuditLog.record({
+              actor_type:    "operator",
+              actor_id:      (req.operatorActor && req.operatorActor.operator_id) || "owner",
+              action:        "quote.convert_to_order",
+              resource_kind: "quote",
+              resource_id:   id,
+              before:        { status: current.status },
+              after:         { reason: reason, order_id: convertedQuote.converted_order_id },
+            });
+          } catch (_e) { /* drop-silent */ }
+        }
+        return convertedQuote;
+      };
+
+      router.post("/admin/quotes/:id/convert-to-order", _pageOrApi(false,
+        W("quote.convert", async function (req, res) {
+          var row;
+          try { row = await _operatorConvertQuote(req, req.params.id, req.body && req.body.reason); }
+          catch (e) {
+            if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+            if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+            if (e && e.code === "QUOTE_EXPIRED") return _problem(res, 409, "quote-expired", e.message);
+            if (e && e.code === "QUOTE_INSUFFICIENT_STOCK") return _problem(res, 409, "quote-insufficient-stock", e.message);
+            if (e && e.code === "QUOTE_NOT_CONVERTIBLE") return _problem(res, 409, "quote-not-convertible", e.message);
+            if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+            throw e;
+          }
+          _json(res, 200, row);
+          return { id: row.id };
+        }),
+        async function (req, res) {
+          var id = req.params.id;
+          try {
+            await _operatorConvertQuote(req, id, req.body && req.body.reason);
+          } catch (e) {
+            // Per-code operator-safe banner copy (the coded refusals carry no
+            // secrets, but the banner uses authored copy rather than echoing
+            // the thrown text — same no-leak guarantee as _safeNotice, with
+            // a more actionable message per refusal). Anything un-coded
+            // routes through _safeNotice's classifier.
+            var codedCopy = {
+              QUOTE_TRANSITION_REFUSED: "The quote is no longer in a state that can be converted.",
+              QUOTE_EXPIRED:            "The quote's validity window has passed — reprice it before converting.",
+              QUOTE_INSUFFICIENT_STOCK: "Not enough stock is available to fulfil the quote.",
+              QUOTE_NOT_CONVERTIBLE:    "The quote couldn't be converted — it must be accepted and the customer needs a default shipping address on file.",
+              QUOTE_NOT_FOUND:          "Quote not found.",
+            };
+            var codedNotice = e && e.code ? codedCopy[e.code] : null;
+            if (!(e instanceof TypeError) && !codedNotice) throw e;
+            var status, noticeText;
+            if (codedNotice) {
+              status = e.code === "QUOTE_NOT_FOUND" ? 404 : 409;
+              noticeText = codedNotice;
+            } else {
+              // TypeError (validation) — _safeNotice surfaces its operator-
+              // safe message verbatim and never records it as a 5xx.
+              var msg = _safeNotice(e, "quote.convert");
+              status = msg.status;
+              noticeText = msg.message.replace(/^(quotes|admin)[.:]\s*/, "");
+            }
+            var fresh = null;
+            try { fresh = await quotes.getQuote(id); } catch (_e2) { fresh = null; }
+            return _sendHtml(res, status, renderAdminQuoteDetail({
+              shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+              can_convert: true,
+              notice: noticeText,
+            }));
+          }
+          b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.convert", outcome: "success", metadata: { quote_id: id } });
+          _redirect(res, "/admin/quotes?converted=1");
+        },
+      ));
+    }
+
     // Withdraw: cancel a quote that hasn't been accepted yet (requested or
     // responded). Accepted / terminal quotes refuse — the FSM gate is the
     // single source of truth, surfaced as a 409.
@@ -21667,14 +21890,21 @@ function renderAdminQuotes(opts) {
   opts = opts || {};
   var rows = opts.quotes || [];
   var responded = opts.responded ? "<div class=\"banner banner--ok\">Quote sent to the customer.</div>" : "";
+  var repriced  = opts.repriced  ? "<div class=\"banner banner--ok\">Quote repriced — the customer's existing link shows the new pricing.</div>" : "";
   var withdrawn = opts.withdrawn ? "<div class=\"banner banner--ok\">Quote withdrawn.</div>" : "";
   var converted = opts.converted ? "<div class=\"banner banner--ok\">Quote converted to an order.</div>" : "";
   var notice    = opts.notice    ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
 
   var cf = opts.customer_filter;
-  var heading = cf ? "Quotes for this customer" : "Quotes awaiting a response";
+  var sf = opts.status_filter;
+  var heading = cf ? "Quotes for this customer"
+    : sf === "expired" ? "Expired quotes"
+    : sf ? "Quotes — " + sf
+    : "Quotes awaiting a response";
   var chips = "<div class=\"order-filters\">" +
-    "<a class=\"chip" + (cf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    "<a class=\"chip" + (cf == null && sf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    "<a class=\"chip" + (sf === "expired" ? " chip--on" : "") + "\" href=\"/admin/quotes?status=expired\">Expired</a>" +
+    (sf && sf !== "expired" ? "<a class=\"chip chip--on\" href=\"/admin/quotes?status=" + _htmlEscape(encodeURIComponent(sf)) + "\">" + _htmlEscape(sf) + "</a>" : "") +
     (cf ? "<a class=\"chip chip--on\" href=\"/admin/quotes?customer_id=" + _htmlEscape(encodeURIComponent(cf)) + "\">This customer</a>" : "") +
     "</div>";
 
@@ -21696,9 +21926,11 @@ function renderAdminQuotes(opts) {
 
   var table = rows.length
     ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Quote</th><th scope=\"col\">Customer</th><th scope=\"col\">Status</th><th scope=\"col\" class=\"num\">Lines</th><th scope=\"col\" class=\"num\">Total</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table>") + "</div>"
-    : "<p class=\"empty\">" + (cf ? "No quotes for this customer." : "No quotes are waiting for a response.") + "</p>";
+    : "<p class=\"empty\">" + (cf ? "No quotes for this customer."
+        : sf ? "No " + _htmlEscape(sf) + " quotes."
+        : "No quotes are waiting for a response.") + "</p>";
 
-  var bodyHtml = "<section><h2>Quotes</h2>" + responded + withdrawn + converted + notice +
+  var bodyHtml = "<section><h2>Quotes</h2>" + responded + repriced + withdrawn + converted + notice +
     "<p class=\"meta\">Request-for-quote negotiations. The response queue lists the requests waiting on you, oldest first — open one to price its lines and send the customer a quote.</p>" +
     chips + "<h3 class=\"subhead\">" + _htmlEscape(heading) + "</h3>" + table + "</section>";
   return _renderAdminShell(opts.shop_name, "Quotes", bodyHtml, "quotes", opts.nav_available);
@@ -21713,6 +21945,8 @@ function renderAdminQuoteDetail(opts) {
     return _renderAdminShell(opts.shop_name, "Quote", nf, "quotes", opts.nav_available);
   }
   var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var repricedBanner = opts.repriced
+    ? "<div class=\"banner banner--ok\">Quote repriced — the customer's existing link shows the new pricing.</div>" : "";
   var enc = _htmlEscape(encodeURIComponent(q.id));
   var currency = q.currency || "USD";
 
@@ -21725,6 +21959,8 @@ function renderAdminQuoteDetail(opts) {
       (q.payment_terms ? "<p class=\"meta\">Payment terms: " + _htmlEscape(q.payment_terms) + "</p>" : "") +
       (q.message ? "<p class=\"meta\">Customer message: <q>" + _htmlEscape(q.message) + "</q></p>" : "") +
       (q.valid_until ? "<p class=\"meta\">Valid until: " + _htmlEscape(new Date(Number(q.valid_until)).toISOString()) + "</p>" : "") +
+      (q.response_version != null && Number(q.response_version) > 1
+        ? "<p class=\"meta\">Pricing revision: " + _htmlEscape(String(q.response_version)) + "</p>" : "") +
       (q.total_minor != null ? "<p class=\"meta\">Quoted total: <strong>" + _htmlEscape(pricing.format(q.total_minor, currency)) + "</strong></p>" : "") +
       (q.converted_order_id ? "<p class=\"meta\">Converted to order: <a href=\"/admin/orders/" + _htmlEscape(encodeURIComponent(q.converted_order_id)) + "\"><code class=\"order-id\">" + _htmlEscape(String(q.converted_order_id).slice(0, 8)) + "</code></a></p>" : "") +
     "</div>";
@@ -21775,6 +22011,57 @@ function renderAdminQuoteDetail(opts) {
       "</div>";
   }
 
+  // Reprice form — only for a still-responded quote (the customer hasn't
+  // settled it). Same fields as the respond form, prefilled with the
+  // current pricing so the operator edits an offer rather than retyping
+  // it. Posting re-runs the full pricing math server-side and bumps the
+  // revision counter; the customer's existing link shows the new pricing.
+  var repriceForm = "";
+  if (q.status === "responded") {
+    var repriceFields = (q.lines || []).map(function (l) {
+      return _setupField(l.sku + " — unit price (" + currency + ")", "price_" + l.sku,
+        _minorToMajorInput(l.unit_price_minor, l.currency || currency), "text",
+        "Quantity " + l.quantity + ".", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\" required");
+    }).join("");
+    repriceForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Reprice this quote</h3>" +
+        "<p class=\"meta\">Revise the offer before the customer settles it — new unit prices, shipping, tax, and a fresh validity window. The link the customer already has keeps working and shows the new pricing.</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/reprice\">" +
+          repriceFields +
+          _setupField("Shipping (" + currency + ")", "shipping", _minorToMajorInput(q.shipping_minor, currency), "text", "Optional. Leave blank for free shipping.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Tax (" + currency + ")", "tax", _minorToMajorInput(q.tax_minor, currency), "text", "Optional.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Valid for (days)", "valid_days", "14", "number", "How many days the customer has to accept the revised quote.", " min=\"1\" max=\"365\" required") +
+          _setupField("Currency", "currency", currency, "text", "ISO-4217, e.g. USD.", " maxlength=\"3\" pattern=\"[A-Za-z]{3}\"") +
+          "<label class=\"form-field\"><span>Note to the customer</span><textarea name=\"operator_notes\" maxlength=\"4000\" rows=\"3\">" + _htmlEscape(q.operator_notes || "") + "</textarea></label>" +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Send revised quote</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+
+  // Convert to order — the verbal-approval path. Rendered for a responded
+  // quote (the operator records the customer's out-of-band yes) and for an
+  // accepted one (the customer accepted online but conversion wasn't
+  // possible then — e.g. no address yet). Requires a reason; the reason
+  // lands on the acceptance attribution and the operator audit log. Only
+  // rendered when the conversion composition is wired.
+  var convertForm = "";
+  if (opts.can_convert && (q.status === "responded" || q.status === "accepted")) {
+    convertForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Convert to order</h3>" +
+        "<p class=\"meta\">" + (q.status === "responded"
+          ? "Records the customer's out-of-band approval (a phone or email yes) and lands this quote as a pending order at the quoted prices, reserving the stock. An expired quote refuses — reprice it first."
+          : "The customer accepted this quote; convert it into a pending order at the accepted prices.") + "</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/convert-to-order\">" +
+          _setupField("Reason / approval record", "reason", "", "text",
+            "Required. Who approved and how — e.g. “verbal approval, J. Doe, phone 2026-06-10”.",
+            " maxlength=\"200\" required") +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Convert to order</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+
   // Withdraw — available while the quote hasn't been accepted (requested or
   // responded). The FSM refuses it for accepted/terminal quotes; we only
   // render the button when it would succeed.
@@ -21792,7 +22079,7 @@ function renderAdminQuoteDetail(opts) {
   "</div>";
 
   var bodyHtml = "<section><h2>Quote " + _htmlEscape(String(q.id).slice(0, 8)) + "</h2>" +
-    notice + summary + linesPanel + respondForm + actions + "</section>";
+    notice + repricedBanner + summary + linesPanel + respondForm + repriceForm + convertForm + actions + "</section>";
   return _renderAdminShell(opts.shop_name, "Quote " + String(q.id).slice(0, 8), bodyHtml, "quotes", opts.nav_available);
 }
 

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.26",
+  "version": "0.4.27",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/quotes.js

@@ -22,6 +22,7 @@
  *
  *     requested -> responded -> accepted -> converted   (happy path)
  *                          |
+ *                          +-> responded              (reprice — operator revises the offer)
  *                          +-> rejected               (customer says no)
  *                          +-> expired                (valid_until passed)
  *                          +-> cancelled              (cancelled before accept)
@@ -34,8 +35,17 @@
  *     expired    -> *                                 (terminal)
  *
  *   `valid_until` is the operator-set expiry timestamp (ms). After
- *   it elapses, `listExpired({ as_of })` surfaces the row so a
- *   cron / dunning job can transition it to `expired`.
+ *   it elapses, `listExpired({ as_of })` surfaces the row and
+ *   `expireDue({ as_of })` — driven by the worker cron's
+ *   `/_/quote-expiry-tick` — transitions each due row to `expired`
+ *   through the same atomic status claim every other verb uses, so
+ *   a concurrent accept / reprice and the sweep can never both win.
+ *
+ *   `response_version` counts the operator's pricing passes:
+ *   `respondToQuote` stamps 1, each `repriceQuote` on a
+ *   still-responded quote increments it. The customer's view-token
+ *   link is NOT rotated by a reprice — the link they already hold
+ *   resolves the same row and renders the new pricing.
  *
  *   `total_minor` is the operator-quoted grand total — the sum of
  *   the quote_lines line-totals plus `shipping_minor` + `tax_minor`.
@@ -78,6 +88,10 @@
  *                      tax_minor?, valid_until, currency,
  *                      operator_notes?, delivery_terms?,
  *                      payment_terms? })
+ *     repriceQuote({ quote_id, line_prices, shipping_minor?,
+ *                    tax_minor?, valid_until, currency,
+ *                    operator_notes?, delivery_terms?,
+ *                    payment_terms? })
  *     customerAccept({ quote_id, accepted_by_customer })
  *     customerReject({ quote_id, reject_reason? })
  *     cancelQuote({ quote_id, cancel_reason })
@@ -85,10 +99,15 @@
  *     getQuote(quote_id)
  *     quotesForCustomer(customer_id, { status?, limit? })
  *     pendingResponse({ limit? })
- *     listExpired({ as_of })
+ *     listByStatus({ status, limit? })
+ *     listExpired({ as_of, limit? })
+ *     expireDue({ as_of, limit? })
+ *     markExpired({ quote_id, as_of })
  *
  *   Storage: `migrations-d1/0102_quotes.sql` — two tables, `quotes`
  *     + `quote_lines`. ON DELETE CASCADE from quote -> lines.
+ *     `0227_quote_response_version.sql` adds the response_version
+ *     revision counter.
  *
  * @primitive quotes
  * @related   b.fsm, b.uuid, b.guardUuid, shop.cart, shop.order
@@ -152,6 +171,7 @@ var b = require("./vendor/blamejs");
 // fires it:
 //
 //   respond   requested            -> responded   (operator prices the quote)
+//   reprice   responded            -> responded   (operator revises the offer)
 //   accept    responded            -> accepted    (customer accepts)
 //   reject    responded            -> rejected    (customer declines)
 //   cancel    requested|responded  -> cancelled   (either side pulls it)
@@ -163,6 +183,7 @@ var b = require("./vendor/blamejs");
 var QUOTE_TRANSITIONS = Object.freeze([
   { from: "requested", to: "responded", on: "respond" },
   { from: "requested", to: "cancelled", on: "cancel" },
+  { from: "responded", to: "responded", on: "reprice" },
   { from: "responded", to: "accepted",  on: "accept" },
   { from: "responded", to: "rejected",  on: "reject" },
   { from: "responded", to: "cancelled", on: "cancel" },
@@ -454,6 +475,7 @@ function _hydrateQuote(row) {
     tax_minor:            row.tax_minor            == null ? null : Number(row.tax_minor),
     total_minor:          row.total_minor          == null ? null : Number(row.total_minor),
     currency:             row.currency == null ? null : row.currency,
+    response_version:     row.response_version == null ? null : Number(row.response_version),
     valid_until:          row.valid_until == null ? null : Number(row.valid_until),
     accepted_at:          row.accepted_at == null ? null : Number(row.accepted_at),
     accepted_by_customer: row.accepted_by_customer == null ? null : row.accepted_by_customer,
@@ -590,6 +612,101 @@ function create(opts) {
     }
   }
 
+  // Shared body of respondToQuote (event "respond", requested -> responded)
+  // and repriceQuote (event "reprice", responded -> responded). Validates the
+  // full pricing payload, asks the FSM whether the edge is legal for the
+  // row's CURRENT status, recomputes the totals server-side, then claims the
+  // transition atomically (`AND status = <the legal from-state>`) so a
+  // concurrent accept / reject / cancel / expire sweep and this write can
+  // never both commit. respond stamps response_version = 1; reprice
+  // increments it (COALESCE'd so a row priced before the column shipped
+  // lands on 2). Neither path touches view_token_hash — the customer's
+  // existing link keeps working and renders the latest pricing.
+  async function _applyQuoteResponse(input, event, verbLabel) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("quotes." + verbLabel + ": input object required");
+    }
+    var quoteId = _id(input.quote_id, "quote_id");
+    var currency = _currency(input.currency);
+    var shipping = input.shipping_minor == null ? 0 : input.shipping_minor;
+    var tax      = input.tax_minor      == null ? 0 : input.tax_minor;
+    _moneyMinor(shipping, "shipping_minor");
+    _moneyMinor(tax,      "tax_minor");
+    var validUntil    = _ts(input.valid_until, "valid_until");
+    var operatorNotes = _optLongText(input.operator_notes, "operator_notes", MAX_OPERATOR_NOTES_LEN);
+    var delivery      = _optShortText(input.delivery_terms, "delivery_terms", MAX_TERMS_LEN);
+    var payment       = _optShortText(input.payment_terms,  "payment_terms",  MAX_TERMS_LEN);
+
+    var current = await _getQuoteRaw(quoteId);
+    if (!current) {
+      var miss = new Error("quotes." + verbLabel + ": quote " + quoteId + " not found");
+      miss.code = "QUOTE_NOT_FOUND";
+      throw miss;
+    }
+    _assertTransition(current.status, event, verbLabel);
+    // The FSM only declares this event from one source state (respond:
+    // requested, reprice: responded); having passed the assert, the row's
+    // current status IS that state — it pins the atomic claim below.
+    var fromStatus = current.status;
+
+    var lines = await _getLinesRaw(quoteId);
+    var lineSkus = lines.map(function (r) { return r.sku; });
+    var pricesBySku = _validateLinePrices(input.line_prices, lineSkus);
+
+    // valid_until must be strictly in the future. A past expiry on
+    // a fresh response / revision is operator error — the quote would
+    // be expired the moment it lands.
+    var ts = _now();
+    if (validUntil <= ts) {
+      throw new TypeError("quotes." + verbLabel + ": valid_until must be in the future");
+    }
+
+    // Compute totals from the priced lines + shipping + tax. Math
+    // is integer-only; sum is bounded by MAX_LINES *
+    // MAX_QUANTITY * MAX_UNIT_PRICE_MINOR which fits Number.
+    var subtotal = 0;
+    for (var i = 0; i < lines.length; i += 1) {
+      var qty = Number(lines[i].quantity);
+      var price = pricesBySku[lines[i].sku];
+      subtotal += qty * price;
+    }
+    var total = subtotal + shipping + tax;
+    _moneyMinor(total, "total_minor");
+
+    // Update header + each line. The line update sets unit_price_minor +
+    // currency per-line. The header UPDATE claims the transition atomically
+    // (`AND status = ?`) so a concurrent settle can't both commit against
+    // the same row — for reprice that same clause also means an accept that
+    // lands first wins and the revision refuses instead of clobbering the
+    // accepted price.
+    var versionSql = event === "respond" ? "1" : "COALESCE(response_version, 1) + 1";
+    var claim = await query(
+      "UPDATE quotes SET status = 'responded', shipping_minor = ?1, " +
+      "tax_minor = ?2, total_minor = ?3, currency = ?4, valid_until = ?5, " +
+      "operator_notes = ?6, " +
+      "response_version = " + versionSql + ", " +
+      "delivery_terms = COALESCE(?7, delivery_terms), " +
+      "payment_terms  = COALESCE(?8, payment_terms),  " +
+      "updated_at = ?9 WHERE id = ?10 AND status = ?11",
+      [shipping, tax, total, currency, validUntil, operatorNotes,
+       delivery, payment, ts, quoteId, fromStatus],
+    );
+    if (Number(claim.rowCount || 0) !== 1) {
+      var raced = new Error("quotes." + verbLabel + ": refused — quote " + quoteId +
+        " is no longer in the " + fromStatus + " state (settled by a concurrent call)");
+      raced.code = "QUOTE_TRANSITION_REFUSED";
+      throw raced;
+    }
+    for (var j = 0; j < lines.length; j += 1) {
+      var line = lines[j];
+      await query(
+        "UPDATE quote_lines SET unit_price_minor = ?1, currency = ?2 WHERE id = ?3",
+        [pricesBySku[line.sku], currency, line.id],
+      );
+    }
+    return await _hydrated(quoteId);
+  }
+
   return {
     QUOTE_STATUSES:    QUOTE_STATUSES.slice(),
     TERMINAL_STATUSES: TERMINAL_STATUSES.slice(),
@@ -714,84 +831,25 @@ function create(opts) {
     // sets shipping + tax + grand total currency, and stamps an
     // expiry. The total_minor is computed from the priced lines +
     // shipping_minor + tax_minor; the caller doesn't pass it (and
-    // can't override it — the math is the contract).
+    // can't override it — the math is the contract). Stamps
+    // response_version = 1 (the first pricing pass).
     respondToQuote: async function (input) {
-      if (!input || typeof input !== "object") {
-        throw new TypeError("quotes.respondToQuote: input object required");
-      }
-      var quoteId = _id(input.quote_id, "quote_id");
-      var currency = _currency(input.currency);
-      var shipping = input.shipping_minor == null ? 0 : input.shipping_minor;
-      var tax      = input.tax_minor      == null ? 0 : input.tax_minor;
-      _moneyMinor(shipping, "shipping_minor");
-      _moneyMinor(tax,      "tax_minor");
-      var validUntil   = _ts(input.valid_until, "valid_until");
-      var operatorNotes = _optLongText(input.operator_notes, "operator_notes", MAX_OPERATOR_NOTES_LEN);
-      var delivery     = _optShortText(input.delivery_terms, "delivery_terms", MAX_TERMS_LEN);
-      var payment      = _optShortText(input.payment_terms,  "payment_terms",  MAX_TERMS_LEN);
-
-      var current = await _getQuoteRaw(quoteId);
-      if (!current) {
-        var miss = new Error("quotes.respondToQuote: quote " + quoteId + " not found");
-        miss.code = "QUOTE_NOT_FOUND";
-        throw miss;
-      }
-      _assertTransition(current.status, "respond", "respondToQuote");
-
-      var lines = await _getLinesRaw(quoteId);
-      var lineSkus = lines.map(function (r) { return r.sku; });
-      var pricesBySku = _validateLinePrices(input.line_prices, lineSkus);
-
-      // valid_until must be strictly in the future. A past expiry on
-      // a fresh response is operator error — the quote would be
-      // expired the moment it lands.
-      var ts = _now();
-      if (validUntil <= ts) {
-        throw new TypeError("quotes.respondToQuote: valid_until must be in the future");
-      }
+      return await _applyQuoteResponse(input, "respond", "respondToQuote");
+    },
 
-      // Compute totals from the priced lines + shipping + tax. Math
-      // is integer-only; sum is bounded by MAX_LINES *
-      // MAX_QUANTITY * MAX_UNIT_PRICE_MINOR which fits Number.
-      var subtotal = 0;
-      for (var i = 0; i < lines.length; i += 1) {
-        var qty = Number(lines[i].quantity);
-        var price = pricesBySku[lines[i].sku];
-        subtotal += qty * price;
-      }
-      var total = subtotal + shipping + tax;
-      _moneyMinor(total, "total_minor");
-
-      // Update header + each line. The line update sets
-      // unit_price_minor + currency per-line so a future single-line
-      // re-quote (out of scope here) has a place to land. The header
-      // UPDATE claims the requested -> responded transition atomically
-      // (`AND status = 'requested'`) so a concurrent cancel/respond can't
-      // both commit against the same row.
-      var claim = await query(
-        "UPDATE quotes SET status = 'responded', shipping_minor = ?1, " +
-        "tax_minor = ?2, total_minor = ?3, currency = ?4, valid_until = ?5, " +
-        "operator_notes = ?6, " +
-        "delivery_terms = COALESCE(?7, delivery_terms), " +
-        "payment_terms  = COALESCE(?8, payment_terms),  " +
-        "updated_at = ?9 WHERE id = ?10 AND status = 'requested'",
-        [shipping, tax, total, currency, validUntil, operatorNotes,
-         delivery, payment, ts, quoteId],
-      );
-      if (Number(claim.rowCount || 0) !== 1) {
-        var raced = new Error("quotes.respondToQuote: refused — quote " + quoteId +
-          " is no longer in the requested state (settled by a concurrent call)");
-        raced.code = "QUOTE_TRANSITION_REFUSED";
-        throw raced;
-      }
-      for (var j = 0; j < lines.length; j += 1) {
-        var line = lines[j];
-        await query(
-          "UPDATE quote_lines SET unit_price_minor = ?1, currency = ?2 WHERE id = ?3",
-          [pricesBySku[line.sku], currency, line.id],
-        );
-      }
-      return await _hydrated(quoteId);
+    // FSM: responded -> responded (the reprice edge). Operator revises
+    // a quote the customer hasn't settled yet — improved line prices,
+    // fresh shipping / tax / validity window, an updated note. Same
+    // payload contract as respondToQuote (every line re-priced; the
+    // math is the contract), refused with QUOTE_TRANSITION_REFUSED on
+    // any other state so a settled (accepted / declined / expired /
+    // withdrawn) quote can never be silently re-opened. Increments
+    // response_version so the revision is visible on the row, and
+    // deliberately leaves view_token_hash untouched — the link the
+    // customer already holds keeps resolving and renders the new
+    // pricing.
+    repriceQuote: async function (input) {
+      return await _applyQuoteResponse(input, "reprice", "repriceQuote");
     },
 
     // FSM: responded -> accepted. Customer accepts the operator's
@@ -1176,12 +1234,39 @@ function create(opts) {
       return out;
     },
 
+    // List quotes in one lifecycle state, newest activity first — the
+    // operator console's status filter (e.g. the expired view that shows
+    // what the cron sweep transitioned). Validated against QUOTE_STATUSES
+    // so a garbage status throws rather than silently matching nothing.
+    listByStatus: async function (listOpts) {
+      if (!listOpts || typeof listOpts !== "object") {
+        throw new TypeError("quotes.listByStatus: input object required");
+      }
+      var status = _status(listOpts.status);
+      var limit = listOpts.limit == null ? DEFAULT_LIMIT : listOpts.limit;
+      if (!Number.isInteger(limit) || limit <= 0 || limit > MAX_LIMIT) {
+        throw new TypeError("quotes.listByStatus: limit must be 1..." + MAX_LIMIT);
+      }
+      var r = await query(
+        "SELECT * FROM quotes WHERE status = ?1 " +
+        "ORDER BY updated_at DESC, id DESC LIMIT ?2",
+        [status, limit],
+      );
+      var out = [];
+      for (var i = 0; i < r.rows.length; i += 1) {
+        var hydrated = _hydrateQuote(r.rows[i]);
+        hydrated.lines = (await _getLinesRaw(r.rows[i].id)).map(_hydrateLine);
+        out.push(hydrated);
+      }
+      return out;
+    },
+
     // List responded quotes whose `valid_until` has elapsed. A cron
     // job walks the result and either fires `customerAccept` (rare —
     // requires the customer-side timing) or transitions each row to
-    // expired via an operator-side step (out of scope here; the
-    // operator updates the row directly to expired via
-    // `markExpired` when they own the cron).
+    // expired via an operator-side step (`expireDue` is that sweep;
+    // `markExpired` is the single-row flip when the operator owns the
+    // cron).
     listExpired: async function (input) {
       if (!input || typeof input !== "object") {
         throw new TypeError("quotes.listExpired: input object required");
@@ -1206,6 +1291,55 @@ function create(opts) {
       return out;
     },
 
+    // One bounded expiry sweep — the worker cron's `/_/quote-expiry-tick`
+    // drives this once a minute. Scans up to `limit` responded quotes whose
+    // valid_until has elapsed as of `as_of` and flips each to expired
+    // through an atomic conditional UPDATE that re-checks BOTH the status
+    // AND the elapsed expiry, so:
+    //   - two overlapping ticks can't double-transition a row (the loser's
+    //     UPDATE matches nothing and is counted as skipped, not an error);
+    //   - a customer accept / reject / operator cancel that lands between
+    //     the scan and the flip wins — the flip refuses;
+    //   - a reprice that lands in that window and pushes valid_until back
+    //     into the future also wins — the `valid_until <= as_of` re-check
+    //     keeps a freshly revised quote alive.
+    // Per-row failures never abort the pass; the summary reports what
+    // happened. Input validation throws (a cron caller with a bad clock /
+    // batch size is a config bug to surface, not to swallow).
+    expireDue: async function (input) {
+      if (!input || typeof input !== "object") {
+        throw new TypeError("quotes.expireDue: input object required");
+      }
+      var asOf = _ts(input.as_of, "as_of");
+      var limit = input.limit == null ? DEFAULT_LIMIT : input.limit;
+      if (!Number.isInteger(limit) || limit <= 0 || limit > MAX_LIMIT) {
+        throw new TypeError("quotes.expireDue: limit must be 1..." + MAX_LIMIT);
+      }
+      // The machine is the single source of truth for the expire edge — the
+      // sweep's `status = 'responded'` claims below encode the same source
+      // state, and this assert keeps them honest if the FSM ever changes.
+      _assertTransition("responded", "expire", "expireDue");
+      var r = await query(
+        "SELECT id FROM quotes WHERE status = 'responded' " +
+        "AND valid_until IS NOT NULL AND valid_until <= ?1 " +
+        "ORDER BY valid_until ASC, id ASC LIMIT ?2",
+        [asOf, limit],
+      );
+      var expired = 0;
+      var skipped = 0;
+      for (var i = 0; i < r.rows.length; i += 1) {
+        var claim = await query(
+          "UPDATE quotes SET status = 'expired', updated_at = ?1 " +
+          "WHERE id = ?2 AND status = 'responded' " +
+          "AND valid_until IS NOT NULL AND valid_until <= ?3",
+          [asOf, r.rows[i].id, asOf],
+        );
+        if (Number(claim.rowCount || 0) === 1) expired += 1;
+        else skipped += 1;
+      }
+      return { scanned: r.rows.length, expired: expired, skipped: skipped };
+    },
+
     // Operator-side expiry flip. Walks a single quote whose
     // valid_until has elapsed and moves it from responded -> expired.
     // Refuses if the quote is not in the responded state or if the

package/lib/security-middleware.js

@@ -101,6 +101,7 @@ var INTERNAL_BRIDGE_PATHS = [
   "/_/campaign-send-tick",
   "/_/customer-portal-expire",
   "/_/stale-order-reap",
+  "/_/quote-expiry-tick",
 ];
 
 // Public well-known paths fetched by third-party verification crawlers

package/lib/storefront.js

@@ -10930,7 +10930,13 @@ function renderQuotePage(opts) {
     var lineRows = (q.lines || []).map(function (l) {
       var unit  = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor, l.currency || currency);
       var total = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor * l.quantity, l.currency || currency);
-      return "<tr><td>" + esc(l.sku) + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
+      // Per-line note — free text captured on the RFQ line, rendered under
+      // the item so the priced offer reads against what was asked for.
+      // Escaped like every other free-text field on this page.
+      var note = l.notes
+        ? "<div class=\"quote-line__note\">" + esc(l.notes) + "</div>"
+        : "";
+      return "<tr><td>" + esc(l.sku) + note + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
         "<td class=\"num\">" + esc(unit) + "</td><td class=\"num\">" + esc(total) + "</td></tr>";
     }).join("");
     var rowsHtml =
@@ -11019,11 +11025,17 @@ function renderQuoteList(opts) {
       var currency = q.currency || "USD";
       var total = q.total_minor == null ? "Awaiting price" : pricing.format(q.total_minor, currency);
       var statusLabel = q.status === "responded" ? "ready to review" : q.status;
+      // Make the acceptance window visible from the list — a plain
+      // server-rendered date on quotes that are still open to accept.
+      var valid = (q.status === "responded" && q.valid_until)
+        ? "<span class=\"quote-list__valid\">Valid until " + esc(new Date(Number(q.valid_until)).toUTCString()) + "</span>"
+        : "";
       return "<li class=\"quote-list__item\">" +
         "<a href=\"/account/quotes/" + esc(q.id) + "\">" +
           "<span class=\"quote-list__id\">Quote " + esc(String(q.id).slice(0, 8)) + "</span>" +
           "<span class=\"quote-list__status\">" + esc(statusLabel) + "</span>" +
           "<span class=\"quote-list__total\">" + esc(total) + "</span>" +
+          valid +
         "</a></li>";
     }).join("");
     body =

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.26",
+  "version": "0.4.27",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {