@blamejs/blamejs-shop 0.4.26 → 0.4.28

package/lib/admin.js

@@ -31,6 +31,7 @@
  */
 
 var pricing = require("./pricing");
+var paymentModule = require("./payment");   // _decimalToMinor — normalize a PayPal refund response's decimal amount to minor units
 var collectionsModule = require("./collections");
 var quantityDiscountsModule = require("./quantity-discounts");
 var loyaltyEarnRulesModule = require("./loyalty-earn-rules");
@@ -396,6 +397,21 @@ function _dollarsToMinor(value, label, currency) {
   return Number(minor);
 }
 
+// Render an integer minor-unit amount back into the major-unit decimal
+// string a money form field expects ("1999" → "19.99"), honouring the
+// currency's exponent the same way _dollarsToMinor does on the way in.
+// Returns "" for a NULL / malformed amount so an unpriced field renders
+// empty rather than crashing the form. The Money toString is
+// "<decimal> <CUR>"; the field wants just the decimal.
+function _minorToMajorInput(minor, currency) {
+  if (minor == null) return "";
+  var n = Number(minor);
+  if (!Number.isSafeInteger(n) || n < 0) return "";
+  var cur = typeof currency === "string" && /^[A-Z]{3}$/.test(currency) ? currency : "USD";
+  try { return b.money.fromMinorUnits(BigInt(n), cur).toString().split(" ")[0]; }
+  catch (_e) { return ""; }
+}
+
 // Strict non-negative integer for a form field (money minor units,
 // dimensions). Refuses "", floats, and parseInt's loose-prefix "12abc"
 // → 12 — the /^\d+$/ test is anchored so the whole string must be
@@ -828,7 +844,8 @@ function mount(router, deps) {
   var catalog       = deps.catalog;
   var order         = deps.order;
   var cart          = deps.cart          || null;   // abandoned-cart visibility console (/admin/carts) disabled when absent
-  var payment       = deps.payment       || null;   // refund endpoints disabled when absent
+  var payment       = deps.payment       || null;   // Stripe handle — Stripe-paid orders refund through this
+  var paypal        = deps.paypal        || null;   // PayPal handle — PayPal-paid orders refund through this; refund endpoints disabled when BOTH are absent
   var mailer        = deps.mailer        || null;   // transactional email factory (lib/email.js) — resend-confirmation disabled when absent
   var _checkout     = deps.checkout      || null;   // reserved — future webhook handler wiring
   var r2            = deps.r2_bridge     || null;   // media-upload endpoint disabled when absent
@@ -867,7 +884,8 @@ function mount(router, deps) {
   var inventoryReceive   = deps.inventoryReceive   || null; // inbound-stock receive console disabled when absent
   var stockTransfers     = deps.stockTransfers     || null; // location→location transfer console (dispatch/receive FSM) disabled when absent
   var inventoryWriteoffs = deps.inventoryWriteoffs || null; // reason-coded write-off / shrinkage console disabled when absent
-  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/withdraw/convert) disabled when absent
+  var quotes          = deps.quotes          || null; // RFQ negotiation console (queue/detail/respond/reprice/withdraw/convert) disabled when absent
+  var convertQuoteToOrder = deps.convertQuoteToOrder || null; // quote → pending-order converter (server.js composition); the console convert action disabled when absent
   var emailCampaigns     = deps.emailCampaigns     || null; // consent-gated broadcast/campaign console disabled when absent
   var mailingAudiences   = deps.mailingAudiences   || null; // audience picker for the campaign console (target-an-audience dropdown)
   // Read-only activity log at /admin/audit. Defaults ON — the framework
@@ -2228,7 +2246,7 @@ function mount(router, deps) {
       // a read failure leaves the panel to treat the order as un-refunded
       // (the route re-validates the cap server-side before moving money).
       var refundedMinor = 0;
-      if (payment && o.payment_intent_id) {
+      if (o.payment_intent_id && _refundHandleFor(o)) {
         try { refundedMinor = await order.refundedTotalMinor(o.id); }
         catch (_re) { refundedMinor = 0; }
       }
@@ -2237,9 +2255,12 @@ function mount(router, deps) {
         nav_available: navAvailable,
         order:       o,
         transitions: order.transitionsFrom(o.status),
-        // Refund moves money, so the console only offers it when a payment
-        // provider is wired AND the order has a captured intent to refund.
-        can_refund:  !!(payment && o.payment_intent_id),
+        // Refund moves money, so the console only offers it when the order
+        // has a captured intent AND the provider that captured it is wired —
+        // a Stripe handle can't refund a PayPal-paid order (and vice versa),
+        // so the gate routes by the order's provider, not by "some payment
+        // handle exists".
+        can_refund:  !!(o.payment_intent_id && _refundHandleFor(o)),
         // Partial-refund panel inputs. `refunded_minor` is the running
         // total already refunded; `refundable_minor` is what's left of the
         // order's grand total. The panel renders a decimal-amount form
@@ -3992,27 +4013,162 @@ function mount(router, deps) {
   }
 
   // ---- refunds --------------------------------------------------------
+  //
+  // PROVIDER ROUTING. An order's payment_intent_id is provider-opaque: the
+  // Stripe flow stores a `pi_...` PaymentIntent id, the PayPal flow stores
+  // the PayPal order id. A refund must dial the provider that captured the
+  // charge — sending a PayPal order id into Stripe's refund API (or vice
+  // versa) is a guaranteed upstream 4xx with the operator left reading a
+  // misleading provider error. Every refund surface below (full, partial,
+  // RMA) resolves the order's provider first and routes through
+  // `_issueProviderRefund`, which normalizes the two providers' shapes:
+  //
+  //   stripe → payment.refund({ payment_intent, amount_minor?, reason })
+  //   paypal → paypal.refund({ capture_id, amount_minor?, currency })
+  //
+  // The PayPal capture id (the refund target — NOT the order id) resolves
+  // from the persisted orders.paypal_capture_id column, falling back to the
+  // mark_paid transition metadata for orders captured before the column
+  // existed, then to a remote getOrder read — and heals the column so the
+  // recovery runs once per order.
+
+  // Which provider captured this order's charge. The persisted column is
+  // authoritative; legacy rows (placed before the column existed) fall back
+  // to the payment_intent_id shape — a Stripe PaymentIntent id always
+  // carries the `pi_` prefix, a PayPal order id never does. Returns
+  // "stripe" | "paypal" | null (no provider charge — gift-card / loyalty
+  // fully-covered orders).
+  function _orderPaymentProvider(o) {
+    if (!o) return null;
+    if (o.payment_provider === "paypal" || o.payment_provider === "stripe") return o.payment_provider;
+    if (!o.payment_intent_id) return null;
+    return /^pi_/.test(o.payment_intent_id) ? "stripe" : "paypal";
+  }
+
+  // The wired adapter that can refund this order, or null when the order's
+  // provider isn't configured. This is what the console's refund affordances
+  // gate on — provider REALITY, not merely "some payment handle exists"
+  // (offering a Stripe-backed Refund button on a PayPal order moves no
+  // money and 502s).
+  function _refundHandleFor(o) {
+    var provider = _orderPaymentProvider(o);
+    if (provider === "stripe") return payment;
+    if (provider === "paypal") return paypal;
+    return null;
+  }
+
+  // Resolve the PayPal CAPTURE id a refund runs against. Local resolution
+  // first (column, then transition-metadata recovery — order.paypalCaptureId
+  // heals the column), then a remote getOrder read for pre-existing orders
+  // whose capture id never reached the local ledger. Throws a coded
+  // TypeError (clean 422, nothing dialed for the refund) when no capture
+  // can be found — refunding the ORDER id instead would 404 at PayPal.
+  async function _paypalCaptureIdFor(o) {
+    var local = await order.paypalCaptureId(o.id);
+    if (local) return local;
+    try {
+      var remote = await paypal.getOrder(o.payment_intent_id);
+      var recovered = remote.purchase_units[0].payments.captures[0].id;
+      if (typeof recovered === "string" && recovered.length) {
+        try { await order.setPaypalCapture(o.id, recovered); }
+        catch (_e) { /* drop-silent — healing the column is best-effort; the refund proceeds on the recovered id */ }
+        return recovered;
+      }
+    } catch (_e2) { /* fall through to the coded refusal below */ }
+    var missing = new TypeError("This PayPal order has no recorded capture to refund against — the payment may not have been captured.");
+    missing._refundCode = "no-paypal-capture";
+    throw missing;
+  }
+
+  // Issue the provider refund for an order, routed by provider, normalized
+  // to `{ provider, id, amount_minor, raw }`. `opts2.amount_minor` absent →
+  // a FULL refund of the charge's remaining balance (both providers
+  // implement that natively). `opts2.idempotency_key` is REQUIRED by the
+  // callers' double-refund discipline: Stripe dedupes on Idempotency-Key;
+  // the PayPal adapter folds it into the PayPal-Request-Id, so two distinct
+  // partial slices on the SAME capture carry distinct request ids (PayPal
+  // silently REPLAYS the first refund when the id repeats — it never
+  // executes a second one) while a retry of the same slice stays
+  // deduplicated.
+  async function _issueProviderRefund(o, opts2) {
+    var provider = _orderPaymentProvider(o);
+    var handle   = _refundHandleFor(o);
+    if (!handle) {
+      var unwired = new TypeError(provider === "paypal"
+        ? "This order was paid through PayPal, but PayPal credentials are not configured — set PAYPAL_CLIENT_ID / PAYPAL_SECRET to refund it."
+        : "No payment provider is configured for this order's charge.");
+      unwired._refundCode = "provider-not-configured";
+      throw unwired;
+    }
+    var raw, refundedMinor = null;
+    if (provider === "paypal") {
+      var captureId = await _paypalCaptureIdFor(o);
+      var ppInput = { capture_id: captureId };
+      if (opts2.amount_minor != null) {
+        ppInput.amount_minor = opts2.amount_minor;
+        // A PayPal partial refund names its amount in the CAPTURE currency —
+        // the order's charge currency.
+        ppInput.currency = String(o.currency || "").toUpperCase();
+      }
+      raw = await handle.refund(ppInput, opts2.idempotency_key);
+      // The refund resource echoes its amount as a decimal string; parse it
+      // exactly, falling back to the requested amount when the response
+      // omits it. Stays null on an unparseable full-refund response — the
+      // ledger row then records no amount rather than a guessed one.
+      if (raw && raw.amount && typeof raw.amount.value === "string") {
+        try {
+          refundedMinor = paymentModule._decimalToMinor(
+            raw.amount.value, String(raw.amount.currency_code || o.currency || "").toUpperCase());
+        } catch (_e) { refundedMinor = null; }
+      }
+      if (refundedMinor == null && opts2.amount_minor != null) refundedMinor = opts2.amount_minor;
+    } else {
+      raw = await handle.refund({
+        payment_intent: o.payment_intent_id,
+        amount_minor:   opts2.amount_minor != null ? opts2.amount_minor : undefined,
+        reason:         opts2.reason || undefined,
+        metadata:       opts2.metadata || undefined,
+      }, opts2.idempotency_key);
+      refundedMinor = Number.isInteger(raw && raw.amount) ? raw.amount
+        : (opts2.amount_minor != null ? opts2.amount_minor : null);
+    }
+    return { provider: provider, id: raw && raw.id, amount_minor: refundedMinor, raw: raw };
+  }
 
-  if (payment) {
+  // Ledger metadata for a provider refund: the provider's refund id under
+  // its provider-named key plus the refunded amount. The PayPal key
+  // (`paypal_refund_id`) is ALSO the dedupe identity the webhook mirror
+  // checks — PayPal echoes every refund back as a PAYMENT.CAPTURE.REFUNDED
+  // event whose resource.id is this refund id, and the mirror skips a row
+  // it already finds in the ledger, so an admin-issued refund is never
+  // double-applied when its own webhook arrives.
+  function _refundLedgerMeta(result, extra) {
+    var meta = Object.assign({}, extra || {});
+    meta[result.provider === "paypal" ? "paypal_refund_id" : "stripe_refund_id"] = result.id;
+    if (Number.isInteger(result.amount_minor) && result.amount_minor > 0) meta.amount_minor = result.amount_minor;
+    return meta;
+  }
+
+  if (payment || paypal) {
     // Issue the actual payment-provider refund, then advance the order
     // FSM. Shared by the JSON API and the browser console so a console
     // "Refund" moves the money first (never a bare state change — that
     // would mark an order refunded with the customer never paid back).
     async function _refundOrder(o, body) {
       var refundIdempotencyKey = "refund:" + o.id + ":" + (body.idempotency_suffix || b.uuid.v7());
-      var refund = await payment.refund({
-        payment_intent: o.payment_intent_id,
-        amount_minor:   body.amount_minor || undefined,
-        reason:         body.reason || undefined,
-        metadata:       { order_id: o.id },
-      }, refundIdempotencyKey);
+      var result = await _issueProviderRefund(o, {
+        amount_minor:    body.amount_minor || undefined,
+        reason:          body.reason || undefined,
+        metadata:        { order_id: o.id },
+        idempotency_key: refundIdempotencyKey,
+      });
       try {
         await order.transition(o.id, "refund", {
           reason:   "admin:refund:" + (body.reason || "requested_by_customer"),
-          metadata: { stripe_refund_id: refund.id, amount_minor: refund.amount },
+          metadata: _refundLedgerMeta(result),
         });
       } catch (_e) { /* refund succeeded at the provider; transition refusal logged, surfaced via re-fetch */ }
-      return { refund: refund, order: await order.get(o.id) };
+      return { refund: result.raw, order: await order.get(o.id) };
     }
 
     // Browser confirmation interstitial for the full refund — it moves
@@ -4028,7 +4184,7 @@ function mount(router, deps) {
         var o;
         try { o = await order.get(id); }
         catch (e) { if (!(e instanceof TypeError)) throw e; o = null; }
-        if (!o || !o.payment_intent_id) {
+        if (!o || !o.payment_intent_id || !_refundHandleFor(o)) {
           return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
         }
         var amount = pricing.format(o.grand_total_minor, o.currency);
@@ -4053,8 +4209,14 @@ function mount(router, deps) {
         try {
           result = await _refundOrder(o, req.body || {});
         } catch (e) {
+          // A coded refusal (the order's provider isn't configured / the
+          // PayPal capture can't be resolved) is a clean 422 — nothing was
+          // dialed, the operator gets the actionable message.
+          if (e instanceof TypeError && e._refundCode) {
+            return _problem(res, 422, e._refundCode, e.message);
+          }
           // allow:admin-5xx-echoes-raw-error-message — 502 surfaces the PAYMENT PROVIDER's refund-failure reason (e.g. "charge already refunded"), an operator-actionable upstream message, not a server/storage internal.
-          return _problem(res, 502, "stripe-refund-failed", (e && e.message) || String(e));
+          return _problem(res, 502, _orderPaymentProvider(o) + "-refund-failed", (e && e.message) || String(e));
         }
         _json(res, 200, result);
         return { id: o.id };
@@ -4067,7 +4229,7 @@ function mount(router, deps) {
         var o;
         try { o = await order.get(id); }
         catch (e) { if (!(e instanceof TypeError)) throw e; o = null; }
-        if (!o || !o.payment_intent_id) {
+        if (!o || !o.payment_intent_id || !_refundHandleFor(o)) {
           return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
         }
         try {
@@ -4135,15 +4297,19 @@ function mount(router, deps) {
       }
       var clearsBalance = (minor === remainingMinor);
       // Idempotency key folds in the refunded-total seen, so two submits of
-      // the same slice (a double-click, a retry) reuse one provider refund.
+      // the same slice (a double-click, a retry) reuse one provider refund —
+      // and, equally load-bearing on the PayPal side, two DIFFERENT slices
+      // on the same capture carry DIFFERENT keys: the adapter folds this key
+      // into the PayPal-Request-Id, and PayPal silently replays the first
+      // refund (it never executes a second) when the request id repeats.
       var idemKey = "refund:" + o.id + ":partial:" + alreadyMinor + ":" + minor;
-      var refund = await payment.refund({
-        payment_intent: o.payment_intent_id,
-        amount_minor:   minor,
-        reason:         "requested_by_customer",
-        metadata:       { order_id: o.id, partial: !clearsBalance },
-      }, idemKey);
-      var refundedMinor = Number(refund.amount) || minor;
+      var result = await _issueProviderRefund(o, {
+        amount_minor:    minor,
+        reason:          "requested_by_customer",
+        metadata:        { order_id: o.id, partial: !clearsBalance },
+        idempotency_key: idemKey,
+      });
+      var refundedMinor = Number.isInteger(result.amount_minor) && result.amount_minor > 0 ? result.amount_minor : minor;
       if (clearsBalance) {
         // The slice clears the remaining balance — drive the terminal FSM
         // edge so the order moves to `refunded` (and the gift-card / loyalty
@@ -4153,7 +4319,7 @@ function mount(router, deps) {
         try {
           await order.transition(o.id, "refund", {
             reason:   "admin:refund:partial-final",
-            metadata: { stripe_refund_id: refund.id, amount_minor: refundedMinor, partial: true },
+            metadata: _refundLedgerMeta(result, { amount_minor: refundedMinor, partial: true }),
           });
         } catch (_te) { /* provider refund persisted; FSM refusal surfaced via re-fetch */ }
       } else {
@@ -4162,10 +4328,10 @@ function mount(router, deps) {
         await order.recordPartialRefund(o.id, {
           amount_minor: refundedMinor,
           reason:       "admin:refund:partial",
-          metadata:     { stripe_refund_id: refund.id },
+          metadata:     _refundLedgerMeta(result, { amount_minor: refundedMinor }),
         });
       }
-      return { refund: refund, amount_minor: refundedMinor, cleared: clearsBalance };
+      return { refund: result.raw, amount_minor: refundedMinor, cleared: clearsBalance };
     }
 
     router.post("/admin/orders/:id/refund/partial", _pageOrApi(false,
@@ -4179,11 +4345,12 @@ function mount(router, deps) {
           result = await _partialRefund(o, body.amount);
         } catch (e) {
           if (e instanceof TypeError) {
-            var status = e._refundCode === "over-refund" || e._refundCode === "nothing-remaining" ? 422 : 400;
+            var status = e._refundCode === "over-refund" || e._refundCode === "nothing-remaining" ||
+                         e._refundCode === "provider-not-configured" || e._refundCode === "no-paypal-capture" ? 422 : 400;
             return _problem(res, status, e._refundCode || "bad-request", e.message);
           }
           // allow:admin-5xx-echoes-raw-error-message — 502 surfaces the PAYMENT PROVIDER's refund-failure reason, an operator-actionable upstream message, not a server/storage internal.
-          return _problem(res, 502, "stripe-refund-failed", (e && e.message) || String(e));
+          return _problem(res, 502, _orderPaymentProvider(o) + "-refund-failed", (e && e.message) || String(e));
         }
         _json(res, 200, result);
         return { id: o.id };
@@ -4193,7 +4360,7 @@ function mount(router, deps) {
         var o;
         try { o = await order.get(id); }
         catch (e) { if (!(e instanceof TypeError)) throw e; o = null; }
-        if (!o || !o.payment_intent_id) {
+        if (!o || !o.payment_intent_id || !_refundHandleFor(o)) {
           return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
         }
         var enc = encodeURIComponent(id);
@@ -4694,10 +4861,13 @@ function mount(router, deps) {
     // degrades to "record-only" rather than throwing.
     async function _rmaProviderContext(rma) {
       var ctx = { order: null, canProviderRefund: false };
-      if (!payment || !rma || !rma.order_id) return ctx;
+      if ((!payment && !paypal) || !rma || !rma.order_id) return ctx;
       try { ctx.order = await order.get(rma.order_id); }
       catch (_e) { ctx.order = null; }
-      ctx.canProviderRefund = !!(ctx.order && ctx.order.payment_intent_id);
+      // Provider reality, not mere handle presence: the linked order must
+      // carry a captured intent AND the provider that captured it must be
+      // the one that's wired (see _refundHandleFor).
+      ctx.canProviderRefund = !!(ctx.order && ctx.order.payment_intent_id && _refundHandleFor(ctx.order));
       return ctx;
     }
 
@@ -4996,12 +5166,16 @@ function mount(router, deps) {
       var idem = "rma-refund:" + rma.id;
       var refund;
       try {
-        refund = await payment.refund({
-          payment_intent: order2.payment_intent_id,
-          amount_minor:   (rma.refund_amount_minor != null && rma.refund_amount_minor > 0) ? rma.refund_amount_minor : undefined,
-          reason:         "requested_by_customer",
-          metadata:       { order_id: order2.id, rma_id: rma.id, rma_code: rma.rma_code || "" },
-        }, idem);
+        // Routed by the linked order's provider (Stripe payment_intent vs
+        // PayPal capture) — see _issueProviderRefund. The deterministic key
+        // keeps a retry of the SAME RMA refund deduplicated at either
+        // provider (Stripe Idempotency-Key / PayPal-Request-Id).
+        refund = (await _issueProviderRefund(order2, {
+          amount_minor:    (rma.refund_amount_minor != null && rma.refund_amount_minor > 0) ? rma.refund_amount_minor : undefined,
+          reason:          "requested_by_customer",
+          metadata:        { order_id: order2.id, rma_id: rma.id, rma_code: rma.rma_code || "" },
+          idempotency_key: idem,
+        })).raw;
       } catch (e) {
         // Provider call failed — release the claim so the operator can retry
         // a transient failure. A release failure can't be recovered here, so
@@ -8112,13 +8286,16 @@ function mount(router, deps) {
 
   // ---- quotes (B2B request-for-quote negotiation) ---------------------
   // The operator side of the RFQ lifecycle. The list is the response queue
-  // (oldest-waiting requests first) plus a recent-activity view; the detail
-  // screen shows the requested lines + the customer message, and — for a
-  // still-requested quote — a per-line pricing form that responds with a
-  // priced quote + validity window. Responded/accepted quotes show the
-  // quoted totals; an operator can withdraw a quote that hasn't been
-  // accepted, or convert an accepted one into a pending order. Content-
-  // negotiated like the other consoles (bearer → JSON, browser → HTML).
+  // (oldest-waiting requests first) plus per-status views (the expired
+  // filter shows what the expiry cron transitioned) and a per-customer
+  // view; the detail screen shows the requested lines + the customer
+  // message, and — for a still-requested quote — a per-line pricing form
+  // that responds with a priced quote + validity window. A responded quote
+  // can be REPRICED (revised offer, fresh window — the customer's existing
+  // link shows the new pricing) or CONVERTED to a pending order against a
+  // recorded out-of-band approval; an operator can withdraw a quote that
+  // hasn't been accepted. Content-negotiated like the other consoles
+  // (bearer → JSON, browser → HTML).
   if (quotes) {
     // Build the respondToQuote line_prices array from the per-line
     // `price_<sku>` dollar fields the detail form posts, converting each to
@@ -8139,28 +8316,46 @@ function mount(router, deps) {
       return out;
     }
 
+    // Status filter for the list — a defensive request-shape reader: an
+    // unknown / absent value falls back to the default response queue
+    // rather than erroring a bookmarked link. `expired` is the one the
+    // chips surface (what the expiry cron transitioned); any lifecycle
+    // status is accepted so tooling can read the others.
+    function _quoteStatusFilter(url) {
+      var s = url && url.searchParams.get("status");
+      return (s && quotes.QUOTE_STATUSES.indexOf(s) !== -1) ? s : null;
+    }
+
     router.get("/admin/quotes", _pageOrApi(true,
       R(async function (req, res) {
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cid = url && url.searchParams.get("customer_id");
+        var sf  = _quoteStatusFilter(url);
         var rows = cid
           ? await quotes.quotesForCustomer(cid, { limit: 200 })
-          : await quotes.pendingResponse({ limit: 200 });
+          : sf
+            ? await quotes.listByStatus({ status: sf, limit: 200 })
+            : await quotes.pendingResponse({ limit: 200 });
         _json(res, 200, { rows: rows });
       }),
       async function (req, res) {
         var url = req.url ? new URL(req.url, "http://localhost") : null;
         var cid = url && url.searchParams.get("customer_id");
+        var sf  = _quoteStatusFilter(url);
         var rows = [];
         try {
           rows = cid
             ? await quotes.quotesForCustomer(cid, { limit: 200 })
-            : await quotes.pendingResponse({ limit: 200 });
+            : sf
+              ? await quotes.listByStatus({ status: sf, limit: 200 })
+              : await quotes.pendingResponse({ limit: 200 });
         } catch (e) { if (!(e instanceof TypeError)) throw e; }
         _sendHtml(res, 200, renderAdminQuotes({
           shop_name: deps.shop_name, nav_available: navAvailable, quotes: rows,
           customer_filter: cid,
+          status_filter: sf,
           responded: url && url.searchParams.get("responded"),
+          repriced:  url && url.searchParams.get("repriced"),
           withdrawn: url && url.searchParams.get("withdrawn"),
           converted: url && url.searchParams.get("converted"),
           notice: (url && url.searchParams.get("err"))
@@ -8189,6 +8384,8 @@ function mount(router, deps) {
         }));
         _sendHtml(res, 200, renderAdminQuoteDetail({
           shop_name: deps.shop_name, nav_available: navAvailable, quote: row,
+          can_convert: !!convertQuoteToOrder,
+          repriced: url && url.searchParams.get("repriced"),
           notice: (url && url.searchParams.get("err"))
             ? "That action couldn't be completed for the quote." : null,
         }));
@@ -8254,6 +8451,190 @@ function mount(router, deps) {
       },
     ));
 
+    // Reprice: revise a still-responded quote the customer hasn't settled —
+    // improved line prices, fresh shipping / tax / validity, an updated
+    // note. Same payload contract as respond (the browser form posts dollar
+    // amounts + validity-in-days; the bearer JSON contract takes minor units
+    // + an absolute valid_until). The FSM's responded -> responded reprice
+    // edge gates it, surfacing the same statuses the other quote actions
+    // use: wrong state → 409, unknown quote → 404, bad shape → 400. The
+    // quote-responded email is NOT re-fired here: the notifier rotates the
+    // customer's view token, and the reprice contract is that the link the
+    // customer already holds keeps working and shows the new pricing.
+    router.post("/admin/quotes/:id/reprice", _pageOrApi(false,
+      W("quote.reprice", async function (req, res) {
+        var row;
+        try { row = await quotes.repriceQuote(Object.assign({}, req.body || {}, { quote_id: req.params.id })); }
+        catch (e) {
+          if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+          if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+          if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+          throw e;
+        }
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var id = req.params.id;
+        var enc = encodeURIComponent(id);
+        var body = req.body || {};
+        var current = null;
+        try { current = await quotes.getQuote(id); } catch (_e) { current = null; }
+        if (!current) return _redirect(res, "/admin/quotes?err=1");
+        try {
+          var validDays = _strictNonNegIntField(body.valid_days, "valid_days");
+          if (validDays <= 0) throw new TypeError("admin: valid_days must be at least 1");
+          var quoteCurrency = typeof body.currency === "string" && body.currency
+            ? body.currency.toUpperCase() : (current.currency || "USD");
+          await quotes.repriceQuote({
+            quote_id:       id,
+            line_prices:    _quoteLinePricesFromForm(body, current.lines, quoteCurrency),
+            shipping_minor: body.shipping == null || body.shipping === "" ? 0 : _dollarsToMinor(body.shipping, "shipping", quoteCurrency),
+            tax_minor:      body.tax == null || body.tax === "" ? 0 : _dollarsToMinor(body.tax, "tax", quoteCurrency),
+            valid_until:    Date.now() + b.constants.TIME.days(validDays),
+            currency:       quoteCurrency,
+            operator_notes: body.operator_notes || null,
+          });
+        } catch (e) {
+          if (!(e instanceof TypeError) && !(e && (e.code === "QUOTE_TRANSITION_REFUSED" || e.code === "QUOTE_NOT_FOUND"))) throw e;
+          var msg = _safeNotice(e, "quote.reprice");
+          var fresh = await quotes.getQuote(id);
+          return _sendHtml(res, msg.status, renderAdminQuoteDetail({
+            shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+            can_convert: !!convertQuoteToOrder,
+            notice: msg.message.replace(/^(quotes|admin)[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.reprice", outcome: "success", metadata: { quote_id: id } });
+        _redirect(res, "/admin/quotes/" + enc + "?repriced=1");
+      },
+    ));
+
+    // Convert to order without the customer's online acceptance — the
+    // verbal-approval case (a phone / email yes the operator is recording).
+    // Requires a reason naming that approval; the reason is captured on the
+    // quote's acceptance attribution AND the chained operator audit log. A
+    // responded quote is first accepted through the same customerAccept verb
+    // the storefront uses — so the accept-time expiry guard still refuses a
+    // stale price — then converted through the shared server.js composition
+    // (inventory holds first; a hold/order failure releases the convert
+    // claim back to accepted for a retry). An already-accepted quote (e.g.
+    // the customer accepted online but conversion wasn't possible then)
+    // skips straight to the conversion.
+    if (convertQuoteToOrder) {
+      // Shared by the bearer-JSON and browser-form branches. Throws coded
+      // errors the branches map to their surfaces.
+      var _operatorConvertQuote = async function (req, id, reasonRaw) {
+        if (typeof reasonRaw !== "string" || !reasonRaw.trim().length) {
+          throw new TypeError("admin: a reason is required to convert a quote on the customer's behalf");
+        }
+        var reason = reasonRaw.trim();
+        if (reason.length > 200) {
+          throw new TypeError("admin: reason must be <= 200 characters");
+        }
+        var current = await quotes.getQuote(id);   // TypeError on a malformed id → 400
+        if (!current) {
+          var miss = new Error("quote " + id + " not found");
+          miss.code = "QUOTE_NOT_FOUND";
+          throw miss;
+        }
+        if (current.status === "responded") {
+          await quotes.customerAccept({
+            quote_id:             id,
+            accepted_by_customer: "operator-recorded: " + reason,
+          });
+        }
+        // Any other non-accepted state falls through to the converter,
+        // whose own FSM claim refuses it — one error shape per state class.
+        var convertedQuote = await convertQuoteToOrder(id);
+        if (!convertedQuote || !convertedQuote.converted_order_id) {
+          // The only null path after a successful accept: no resolvable
+          // ship-to (the customer has no default shipping address) — or the
+          // quote wasn't accepted (wrong state).
+          var blocked = new Error("the quote could not be converted — it must be accepted and " +
+            "the customer needs a default shipping address on file");
+          blocked.code = "QUOTE_NOT_CONVERTIBLE";
+          throw blocked;
+        }
+        // Chained operator-audit row: WHO converted, WHY, and the order it
+        // minted. Drop-silent — a recording failure must never unwind the
+        // conversion the operator just watched succeed.
+        if (operatorAuditLog && typeof operatorAuditLog.record === "function") {
+          try {
+            await operatorAuditLog.record({
+              actor_type:    "operator",
+              actor_id:      (req.operatorActor && req.operatorActor.operator_id) || "owner",
+              action:        "quote.convert_to_order",
+              resource_kind: "quote",
+              resource_id:   id,
+              before:        { status: current.status },
+              after:         { reason: reason, order_id: convertedQuote.converted_order_id },
+            });
+          } catch (_e) { /* drop-silent */ }
+        }
+        return convertedQuote;
+      };
+
+      router.post("/admin/quotes/:id/convert-to-order", _pageOrApi(false,
+        W("quote.convert", async function (req, res) {
+          var row;
+          try { row = await _operatorConvertQuote(req, req.params.id, req.body && req.body.reason); }
+          catch (e) {
+            if (e && e.code === "QUOTE_NOT_FOUND") return _problem(res, 404, "quote-not-found");
+            if (e && e.code === "QUOTE_TRANSITION_REFUSED") return _problem(res, 409, "quote-transition-refused", e.message);
+            if (e && e.code === "QUOTE_EXPIRED") return _problem(res, 409, "quote-expired", e.message);
+            if (e && e.code === "QUOTE_INSUFFICIENT_STOCK") return _problem(res, 409, "quote-insufficient-stock", e.message);
+            if (e && e.code === "QUOTE_NOT_CONVERTIBLE") return _problem(res, 409, "quote-not-convertible", e.message);
+            if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message);
+            throw e;
+          }
+          _json(res, 200, row);
+          return { id: row.id };
+        }),
+        async function (req, res) {
+          var id = req.params.id;
+          try {
+            await _operatorConvertQuote(req, id, req.body && req.body.reason);
+          } catch (e) {
+            // Per-code operator-safe banner copy (the coded refusals carry no
+            // secrets, but the banner uses authored copy rather than echoing
+            // the thrown text — same no-leak guarantee as _safeNotice, with
+            // a more actionable message per refusal). Anything un-coded
+            // routes through _safeNotice's classifier.
+            var codedCopy = {
+              QUOTE_TRANSITION_REFUSED: "The quote is no longer in a state that can be converted.",
+              QUOTE_EXPIRED:            "The quote's validity window has passed — reprice it before converting.",
+              QUOTE_INSUFFICIENT_STOCK: "Not enough stock is available to fulfil the quote.",
+              QUOTE_NOT_CONVERTIBLE:    "The quote couldn't be converted — it must be accepted and the customer needs a default shipping address on file.",
+              QUOTE_NOT_FOUND:          "Quote not found.",
+            };
+            var codedNotice = e && e.code ? codedCopy[e.code] : null;
+            if (!(e instanceof TypeError) && !codedNotice) throw e;
+            var status, noticeText;
+            if (codedNotice) {
+              status = e.code === "QUOTE_NOT_FOUND" ? 404 : 409;
+              noticeText = codedNotice;
+            } else {
+              // TypeError (validation) — _safeNotice surfaces its operator-
+              // safe message verbatim and never records it as a 5xx.
+              var msg = _safeNotice(e, "quote.convert");
+              status = msg.status;
+              noticeText = msg.message.replace(/^(quotes|admin)[.:]\s*/, "");
+            }
+            var fresh = null;
+            try { fresh = await quotes.getQuote(id); } catch (_e2) { fresh = null; }
+            return _sendHtml(res, status, renderAdminQuoteDetail({
+              shop_name: deps.shop_name, nav_available: navAvailable, quote: fresh,
+              can_convert: true,
+              notice: noticeText,
+            }));
+          }
+          b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".quote.convert", outcome: "success", metadata: { quote_id: id } });
+          _redirect(res, "/admin/quotes?converted=1");
+        },
+      ));
+    }
+
     // Withdraw: cancel a quote that hasn't been accepted yet (requested or
     // responded). Accepted / terminal quotes refuse — the FSM gate is the
     // single source of truth, surfaced as a 409.
@@ -21667,14 +22048,21 @@ function renderAdminQuotes(opts) {
   opts = opts || {};
   var rows = opts.quotes || [];
   var responded = opts.responded ? "<div class=\"banner banner--ok\">Quote sent to the customer.</div>" : "";
+  var repriced  = opts.repriced  ? "<div class=\"banner banner--ok\">Quote repriced — the customer's existing link shows the new pricing.</div>" : "";
   var withdrawn = opts.withdrawn ? "<div class=\"banner banner--ok\">Quote withdrawn.</div>" : "";
   var converted = opts.converted ? "<div class=\"banner banner--ok\">Quote converted to an order.</div>" : "";
   var notice    = opts.notice    ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
 
   var cf = opts.customer_filter;
-  var heading = cf ? "Quotes for this customer" : "Quotes awaiting a response";
+  var sf = opts.status_filter;
+  var heading = cf ? "Quotes for this customer"
+    : sf === "expired" ? "Expired quotes"
+    : sf ? "Quotes — " + sf
+    : "Quotes awaiting a response";
   var chips = "<div class=\"order-filters\">" +
-    "<a class=\"chip" + (cf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    "<a class=\"chip" + (cf == null && sf == null ? " chip--on" : "") + "\" href=\"/admin/quotes\">Response queue</a>" +
+    "<a class=\"chip" + (sf === "expired" ? " chip--on" : "") + "\" href=\"/admin/quotes?status=expired\">Expired</a>" +
+    (sf && sf !== "expired" ? "<a class=\"chip chip--on\" href=\"/admin/quotes?status=" + _htmlEscape(encodeURIComponent(sf)) + "\">" + _htmlEscape(sf) + "</a>" : "") +
     (cf ? "<a class=\"chip chip--on\" href=\"/admin/quotes?customer_id=" + _htmlEscape(encodeURIComponent(cf)) + "\">This customer</a>" : "") +
     "</div>";
 
@@ -21696,9 +22084,11 @@ function renderAdminQuotes(opts) {
 
   var table = rows.length
     ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Quote</th><th scope=\"col\">Customer</th><th scope=\"col\">Status</th><th scope=\"col\" class=\"num\">Lines</th><th scope=\"col\" class=\"num\">Total</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table>") + "</div>"
-    : "<p class=\"empty\">" + (cf ? "No quotes for this customer." : "No quotes are waiting for a response.") + "</p>";
+    : "<p class=\"empty\">" + (cf ? "No quotes for this customer."
+        : sf ? "No " + _htmlEscape(sf) + " quotes."
+        : "No quotes are waiting for a response.") + "</p>";
 
-  var bodyHtml = "<section><h2>Quotes</h2>" + responded + withdrawn + converted + notice +
+  var bodyHtml = "<section><h2>Quotes</h2>" + responded + repriced + withdrawn + converted + notice +
     "<p class=\"meta\">Request-for-quote negotiations. The response queue lists the requests waiting on you, oldest first — open one to price its lines and send the customer a quote.</p>" +
     chips + "<h3 class=\"subhead\">" + _htmlEscape(heading) + "</h3>" + table + "</section>";
   return _renderAdminShell(opts.shop_name, "Quotes", bodyHtml, "quotes", opts.nav_available);
@@ -21713,6 +22103,8 @@ function renderAdminQuoteDetail(opts) {
     return _renderAdminShell(opts.shop_name, "Quote", nf, "quotes", opts.nav_available);
   }
   var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var repricedBanner = opts.repriced
+    ? "<div class=\"banner banner--ok\">Quote repriced — the customer's existing link shows the new pricing.</div>" : "";
   var enc = _htmlEscape(encodeURIComponent(q.id));
   var currency = q.currency || "USD";
 
@@ -21725,6 +22117,8 @@ function renderAdminQuoteDetail(opts) {
       (q.payment_terms ? "<p class=\"meta\">Payment terms: " + _htmlEscape(q.payment_terms) + "</p>" : "") +
       (q.message ? "<p class=\"meta\">Customer message: <q>" + _htmlEscape(q.message) + "</q></p>" : "") +
       (q.valid_until ? "<p class=\"meta\">Valid until: " + _htmlEscape(new Date(Number(q.valid_until)).toISOString()) + "</p>" : "") +
+      (q.response_version != null && Number(q.response_version) > 1
+        ? "<p class=\"meta\">Pricing revision: " + _htmlEscape(String(q.response_version)) + "</p>" : "") +
       (q.total_minor != null ? "<p class=\"meta\">Quoted total: <strong>" + _htmlEscape(pricing.format(q.total_minor, currency)) + "</strong></p>" : "") +
       (q.converted_order_id ? "<p class=\"meta\">Converted to order: <a href=\"/admin/orders/" + _htmlEscape(encodeURIComponent(q.converted_order_id)) + "\"><code class=\"order-id\">" + _htmlEscape(String(q.converted_order_id).slice(0, 8)) + "</code></a></p>" : "") +
     "</div>";
@@ -21775,6 +22169,57 @@ function renderAdminQuoteDetail(opts) {
       "</div>";
   }
 
+  // Reprice form — only for a still-responded quote (the customer hasn't
+  // settled it). Same fields as the respond form, prefilled with the
+  // current pricing so the operator edits an offer rather than retyping
+  // it. Posting re-runs the full pricing math server-side and bumps the
+  // revision counter; the customer's existing link shows the new pricing.
+  var repriceForm = "";
+  if (q.status === "responded") {
+    var repriceFields = (q.lines || []).map(function (l) {
+      return _setupField(l.sku + " — unit price (" + currency + ")", "price_" + l.sku,
+        _minorToMajorInput(l.unit_price_minor, l.currency || currency), "text",
+        "Quantity " + l.quantity + ".", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\" required");
+    }).join("");
+    repriceForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Reprice this quote</h3>" +
+        "<p class=\"meta\">Revise the offer before the customer settles it — new unit prices, shipping, tax, and a fresh validity window. The link the customer already has keeps working and shows the new pricing.</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/reprice\">" +
+          repriceFields +
+          _setupField("Shipping (" + currency + ")", "shipping", _minorToMajorInput(q.shipping_minor, currency), "text", "Optional. Leave blank for free shipping.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Tax (" + currency + ")", "tax", _minorToMajorInput(q.tax_minor, currency), "text", "Optional.", " inputmode=\"decimal\" pattern=\"\\d+(\\.\\d+)?\"") +
+          _setupField("Valid for (days)", "valid_days", "14", "number", "How many days the customer has to accept the revised quote.", " min=\"1\" max=\"365\" required") +
+          _setupField("Currency", "currency", currency, "text", "ISO-4217, e.g. USD.", " maxlength=\"3\" pattern=\"[A-Za-z]{3}\"") +
+          "<label class=\"form-field\"><span>Note to the customer</span><textarea name=\"operator_notes\" maxlength=\"4000\" rows=\"3\">" + _htmlEscape(q.operator_notes || "") + "</textarea></label>" +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Send revised quote</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+
+  // Convert to order — the verbal-approval path. Rendered for a responded
+  // quote (the operator records the customer's out-of-band yes) and for an
+  // accepted one (the customer accepted online but conversion wasn't
+  // possible then — e.g. no address yet). Requires a reason; the reason
+  // lands on the acceptance attribution and the operator audit log. Only
+  // rendered when the conversion composition is wired.
+  var convertForm = "";
+  if (opts.can_convert && (q.status === "responded" || q.status === "accepted")) {
+    convertForm =
+      "<div class=\"panel mt mw-40\">" +
+        "<h3 class=\"subhead\">Convert to order</h3>" +
+        "<p class=\"meta\">" + (q.status === "responded"
+          ? "Records the customer's out-of-band approval (a phone or email yes) and lands this quote as a pending order at the quoted prices, reserving the stock. An expired quote refuses — reprice it first."
+          : "The customer accepted this quote; convert it into a pending order at the accepted prices.") + "</p>" +
+        "<form method=\"post\" action=\"/admin/quotes/" + enc + "/convert-to-order\">" +
+          _setupField("Reason / approval record", "reason", "", "text",
+            "Required. Who approved and how — e.g. “verbal approval, J. Doe, phone 2026-06-10”.",
+            " maxlength=\"200\" required") +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Convert to order</button></div>" +
+        "</form>" +
+      "</div>";
+  }
+
   // Withdraw — available while the quote hasn't been accepted (requested or
   // responded). The FSM refuses it for accepted/terminal quotes; we only
   // render the button when it would succeed.
@@ -21792,7 +22237,7 @@ function renderAdminQuoteDetail(opts) {
   "</div>";
 
   var bodyHtml = "<section><h2>Quote " + _htmlEscape(String(q.id).slice(0, 8)) + "</h2>" +
-    notice + summary + linesPanel + respondForm + actions + "</section>";
+    notice + repricedBanner + summary + linesPanel + respondForm + repriceForm + convertForm + actions + "</section>";
   return _renderAdminShell(opts.shop_name, "Quote " + String(q.id).slice(0, 8), bodyHtml, "quotes", opts.nav_available);
 }