@blamejs/blamejs-shop 0.4.26 → 0.4.28

package/lib/quotes.js

@@ -22,6 +22,7 @@
  *
  *     requested -> responded -> accepted -> converted   (happy path)
  *                          |
+ *                          +-> responded              (reprice — operator revises the offer)
  *                          +-> rejected               (customer says no)
  *                          +-> expired                (valid_until passed)
  *                          +-> cancelled              (cancelled before accept)
@@ -34,8 +35,17 @@
  *     expired    -> *                                 (terminal)
  *
  *   `valid_until` is the operator-set expiry timestamp (ms). After
- *   it elapses, `listExpired({ as_of })` surfaces the row so a
- *   cron / dunning job can transition it to `expired`.
+ *   it elapses, `listExpired({ as_of })` surfaces the row and
+ *   `expireDue({ as_of })` — driven by the worker cron's
+ *   `/_/quote-expiry-tick` — transitions each due row to `expired`
+ *   through the same atomic status claim every other verb uses, so
+ *   a concurrent accept / reprice and the sweep can never both win.
+ *
+ *   `response_version` counts the operator's pricing passes:
+ *   `respondToQuote` stamps 1, each `repriceQuote` on a
+ *   still-responded quote increments it. The customer's view-token
+ *   link is NOT rotated by a reprice — the link they already hold
+ *   resolves the same row and renders the new pricing.
  *
  *   `total_minor` is the operator-quoted grand total — the sum of
  *   the quote_lines line-totals plus `shipping_minor` + `tax_minor`.
@@ -78,6 +88,10 @@
  *                      tax_minor?, valid_until, currency,
  *                      operator_notes?, delivery_terms?,
  *                      payment_terms? })
+ *     repriceQuote({ quote_id, line_prices, shipping_minor?,
+ *                    tax_minor?, valid_until, currency,
+ *                    operator_notes?, delivery_terms?,
+ *                    payment_terms? })
  *     customerAccept({ quote_id, accepted_by_customer })
  *     customerReject({ quote_id, reject_reason? })
  *     cancelQuote({ quote_id, cancel_reason })
@@ -85,10 +99,15 @@
  *     getQuote(quote_id)
  *     quotesForCustomer(customer_id, { status?, limit? })
  *     pendingResponse({ limit? })
- *     listExpired({ as_of })
+ *     listByStatus({ status, limit? })
+ *     listExpired({ as_of, limit? })
+ *     expireDue({ as_of, limit? })
+ *     markExpired({ quote_id, as_of })
  *
  *   Storage: `migrations-d1/0102_quotes.sql` — two tables, `quotes`
  *     + `quote_lines`. ON DELETE CASCADE from quote -> lines.
+ *     `0227_quote_response_version.sql` adds the response_version
+ *     revision counter.
  *
  * @primitive quotes
  * @related   b.fsm, b.uuid, b.guardUuid, shop.cart, shop.order
@@ -152,6 +171,7 @@ var b = require("./vendor/blamejs");
 // fires it:
 //
 //   respond   requested            -> responded   (operator prices the quote)
+//   reprice   responded            -> responded   (operator revises the offer)
 //   accept    responded            -> accepted    (customer accepts)
 //   reject    responded            -> rejected    (customer declines)
 //   cancel    requested|responded  -> cancelled   (either side pulls it)
@@ -163,6 +183,7 @@ var b = require("./vendor/blamejs");
 var QUOTE_TRANSITIONS = Object.freeze([
   { from: "requested", to: "responded", on: "respond" },
   { from: "requested", to: "cancelled", on: "cancel" },
+  { from: "responded", to: "responded", on: "reprice" },
   { from: "responded", to: "accepted",  on: "accept" },
   { from: "responded", to: "rejected",  on: "reject" },
   { from: "responded", to: "cancelled", on: "cancel" },
@@ -454,6 +475,7 @@ function _hydrateQuote(row) {
     tax_minor:            row.tax_minor            == null ? null : Number(row.tax_minor),
     total_minor:          row.total_minor          == null ? null : Number(row.total_minor),
     currency:             row.currency == null ? null : row.currency,
+    response_version:     row.response_version == null ? null : Number(row.response_version),
     valid_until:          row.valid_until == null ? null : Number(row.valid_until),
     accepted_at:          row.accepted_at == null ? null : Number(row.accepted_at),
     accepted_by_customer: row.accepted_by_customer == null ? null : row.accepted_by_customer,
@@ -590,6 +612,101 @@ function create(opts) {
     }
   }
 
+  // Shared body of respondToQuote (event "respond", requested -> responded)
+  // and repriceQuote (event "reprice", responded -> responded). Validates the
+  // full pricing payload, asks the FSM whether the edge is legal for the
+  // row's CURRENT status, recomputes the totals server-side, then claims the
+  // transition atomically (`AND status = <the legal from-state>`) so a
+  // concurrent accept / reject / cancel / expire sweep and this write can
+  // never both commit. respond stamps response_version = 1; reprice
+  // increments it (COALESCE'd so a row priced before the column shipped
+  // lands on 2). Neither path touches view_token_hash — the customer's
+  // existing link keeps working and renders the latest pricing.
+  async function _applyQuoteResponse(input, event, verbLabel) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("quotes." + verbLabel + ": input object required");
+    }
+    var quoteId = _id(input.quote_id, "quote_id");
+    var currency = _currency(input.currency);
+    var shipping = input.shipping_minor == null ? 0 : input.shipping_minor;
+    var tax      = input.tax_minor      == null ? 0 : input.tax_minor;
+    _moneyMinor(shipping, "shipping_minor");
+    _moneyMinor(tax,      "tax_minor");
+    var validUntil    = _ts(input.valid_until, "valid_until");
+    var operatorNotes = _optLongText(input.operator_notes, "operator_notes", MAX_OPERATOR_NOTES_LEN);
+    var delivery      = _optShortText(input.delivery_terms, "delivery_terms", MAX_TERMS_LEN);
+    var payment       = _optShortText(input.payment_terms,  "payment_terms",  MAX_TERMS_LEN);
+
+    var current = await _getQuoteRaw(quoteId);
+    if (!current) {
+      var miss = new Error("quotes." + verbLabel + ": quote " + quoteId + " not found");
+      miss.code = "QUOTE_NOT_FOUND";
+      throw miss;
+    }
+    _assertTransition(current.status, event, verbLabel);
+    // The FSM only declares this event from one source state (respond:
+    // requested, reprice: responded); having passed the assert, the row's
+    // current status IS that state — it pins the atomic claim below.
+    var fromStatus = current.status;
+
+    var lines = await _getLinesRaw(quoteId);
+    var lineSkus = lines.map(function (r) { return r.sku; });
+    var pricesBySku = _validateLinePrices(input.line_prices, lineSkus);
+
+    // valid_until must be strictly in the future. A past expiry on
+    // a fresh response / revision is operator error — the quote would
+    // be expired the moment it lands.
+    var ts = _now();
+    if (validUntil <= ts) {
+      throw new TypeError("quotes." + verbLabel + ": valid_until must be in the future");
+    }
+
+    // Compute totals from the priced lines + shipping + tax. Math
+    // is integer-only; sum is bounded by MAX_LINES *
+    // MAX_QUANTITY * MAX_UNIT_PRICE_MINOR which fits Number.
+    var subtotal = 0;
+    for (var i = 0; i < lines.length; i += 1) {
+      var qty = Number(lines[i].quantity);
+      var price = pricesBySku[lines[i].sku];
+      subtotal += qty * price;
+    }
+    var total = subtotal + shipping + tax;
+    _moneyMinor(total, "total_minor");
+
+    // Update header + each line. The line update sets unit_price_minor +
+    // currency per-line. The header UPDATE claims the transition atomically
+    // (`AND status = ?`) so a concurrent settle can't both commit against
+    // the same row — for reprice that same clause also means an accept that
+    // lands first wins and the revision refuses instead of clobbering the
+    // accepted price.
+    var versionSql = event === "respond" ? "1" : "COALESCE(response_version, 1) + 1";
+    var claim = await query(
+      "UPDATE quotes SET status = 'responded', shipping_minor = ?1, " +
+      "tax_minor = ?2, total_minor = ?3, currency = ?4, valid_until = ?5, " +
+      "operator_notes = ?6, " +
+      "response_version = " + versionSql + ", " +
+      "delivery_terms = COALESCE(?7, delivery_terms), " +
+      "payment_terms  = COALESCE(?8, payment_terms),  " +
+      "updated_at = ?9 WHERE id = ?10 AND status = ?11",
+      [shipping, tax, total, currency, validUntil, operatorNotes,
+       delivery, payment, ts, quoteId, fromStatus],
+    );
+    if (Number(claim.rowCount || 0) !== 1) {
+      var raced = new Error("quotes." + verbLabel + ": refused — quote " + quoteId +
+        " is no longer in the " + fromStatus + " state (settled by a concurrent call)");
+      raced.code = "QUOTE_TRANSITION_REFUSED";
+      throw raced;
+    }
+    for (var j = 0; j < lines.length; j += 1) {
+      var line = lines[j];
+      await query(
+        "UPDATE quote_lines SET unit_price_minor = ?1, currency = ?2 WHERE id = ?3",
+        [pricesBySku[line.sku], currency, line.id],
+      );
+    }
+    return await _hydrated(quoteId);
+  }
+
   return {
     QUOTE_STATUSES:    QUOTE_STATUSES.slice(),
     TERMINAL_STATUSES: TERMINAL_STATUSES.slice(),
@@ -714,84 +831,25 @@ function create(opts) {
     // sets shipping + tax + grand total currency, and stamps an
     // expiry. The total_minor is computed from the priced lines +
     // shipping_minor + tax_minor; the caller doesn't pass it (and
-    // can't override it — the math is the contract).
+    // can't override it — the math is the contract). Stamps
+    // response_version = 1 (the first pricing pass).
     respondToQuote: async function (input) {
-      if (!input || typeof input !== "object") {
-        throw new TypeError("quotes.respondToQuote: input object required");
-      }
-      var quoteId = _id(input.quote_id, "quote_id");
-      var currency = _currency(input.currency);
-      var shipping = input.shipping_minor == null ? 0 : input.shipping_minor;
-      var tax      = input.tax_minor      == null ? 0 : input.tax_minor;
-      _moneyMinor(shipping, "shipping_minor");
-      _moneyMinor(tax,      "tax_minor");
-      var validUntil   = _ts(input.valid_until, "valid_until");
-      var operatorNotes = _optLongText(input.operator_notes, "operator_notes", MAX_OPERATOR_NOTES_LEN);
-      var delivery     = _optShortText(input.delivery_terms, "delivery_terms", MAX_TERMS_LEN);
-      var payment      = _optShortText(input.payment_terms,  "payment_terms",  MAX_TERMS_LEN);
-
-      var current = await _getQuoteRaw(quoteId);
-      if (!current) {
-        var miss = new Error("quotes.respondToQuote: quote " + quoteId + " not found");
-        miss.code = "QUOTE_NOT_FOUND";
-        throw miss;
-      }
-      _assertTransition(current.status, "respond", "respondToQuote");
-
-      var lines = await _getLinesRaw(quoteId);
-      var lineSkus = lines.map(function (r) { return r.sku; });
-      var pricesBySku = _validateLinePrices(input.line_prices, lineSkus);
-
-      // valid_until must be strictly in the future. A past expiry on
-      // a fresh response is operator error — the quote would be
-      // expired the moment it lands.
-      var ts = _now();
-      if (validUntil <= ts) {
-        throw new TypeError("quotes.respondToQuote: valid_until must be in the future");
-      }
+      return await _applyQuoteResponse(input, "respond", "respondToQuote");
+    },
 
-      // Compute totals from the priced lines + shipping + tax. Math
-      // is integer-only; sum is bounded by MAX_LINES *
-      // MAX_QUANTITY * MAX_UNIT_PRICE_MINOR which fits Number.
-      var subtotal = 0;
-      for (var i = 0; i < lines.length; i += 1) {
-        var qty = Number(lines[i].quantity);
-        var price = pricesBySku[lines[i].sku];
-        subtotal += qty * price;
-      }
-      var total = subtotal + shipping + tax;
-      _moneyMinor(total, "total_minor");
-
-      // Update header + each line. The line update sets
-      // unit_price_minor + currency per-line so a future single-line
-      // re-quote (out of scope here) has a place to land. The header
-      // UPDATE claims the requested -> responded transition atomically
-      // (`AND status = 'requested'`) so a concurrent cancel/respond can't
-      // both commit against the same row.
-      var claim = await query(
-        "UPDATE quotes SET status = 'responded', shipping_minor = ?1, " +
-        "tax_minor = ?2, total_minor = ?3, currency = ?4, valid_until = ?5, " +
-        "operator_notes = ?6, " +
-        "delivery_terms = COALESCE(?7, delivery_terms), " +
-        "payment_terms  = COALESCE(?8, payment_terms),  " +
-        "updated_at = ?9 WHERE id = ?10 AND status = 'requested'",
-        [shipping, tax, total, currency, validUntil, operatorNotes,
-         delivery, payment, ts, quoteId],
-      );
-      if (Number(claim.rowCount || 0) !== 1) {
-        var raced = new Error("quotes.respondToQuote: refused — quote " + quoteId +
-          " is no longer in the requested state (settled by a concurrent call)");
-        raced.code = "QUOTE_TRANSITION_REFUSED";
-        throw raced;
-      }
-      for (var j = 0; j < lines.length; j += 1) {
-        var line = lines[j];
-        await query(
-          "UPDATE quote_lines SET unit_price_minor = ?1, currency = ?2 WHERE id = ?3",
-          [pricesBySku[line.sku], currency, line.id],
-        );
-      }
-      return await _hydrated(quoteId);
+    // FSM: responded -> responded (the reprice edge). Operator revises
+    // a quote the customer hasn't settled yet — improved line prices,
+    // fresh shipping / tax / validity window, an updated note. Same
+    // payload contract as respondToQuote (every line re-priced; the
+    // math is the contract), refused with QUOTE_TRANSITION_REFUSED on
+    // any other state so a settled (accepted / declined / expired /
+    // withdrawn) quote can never be silently re-opened. Increments
+    // response_version so the revision is visible on the row, and
+    // deliberately leaves view_token_hash untouched — the link the
+    // customer already holds keeps resolving and renders the new
+    // pricing.
+    repriceQuote: async function (input) {
+      return await _applyQuoteResponse(input, "reprice", "repriceQuote");
     },
 
     // FSM: responded -> accepted. Customer accepts the operator's
@@ -1176,12 +1234,39 @@ function create(opts) {
       return out;
     },
 
+    // List quotes in one lifecycle state, newest activity first — the
+    // operator console's status filter (e.g. the expired view that shows
+    // what the cron sweep transitioned). Validated against QUOTE_STATUSES
+    // so a garbage status throws rather than silently matching nothing.
+    listByStatus: async function (listOpts) {
+      if (!listOpts || typeof listOpts !== "object") {
+        throw new TypeError("quotes.listByStatus: input object required");
+      }
+      var status = _status(listOpts.status);
+      var limit = listOpts.limit == null ? DEFAULT_LIMIT : listOpts.limit;
+      if (!Number.isInteger(limit) || limit <= 0 || limit > MAX_LIMIT) {
+        throw new TypeError("quotes.listByStatus: limit must be 1..." + MAX_LIMIT);
+      }
+      var r = await query(
+        "SELECT * FROM quotes WHERE status = ?1 " +
+        "ORDER BY updated_at DESC, id DESC LIMIT ?2",
+        [status, limit],
+      );
+      var out = [];
+      for (var i = 0; i < r.rows.length; i += 1) {
+        var hydrated = _hydrateQuote(r.rows[i]);
+        hydrated.lines = (await _getLinesRaw(r.rows[i].id)).map(_hydrateLine);
+        out.push(hydrated);
+      }
+      return out;
+    },
+
     // List responded quotes whose `valid_until` has elapsed. A cron
     // job walks the result and either fires `customerAccept` (rare —
     // requires the customer-side timing) or transitions each row to
-    // expired via an operator-side step (out of scope here; the
-    // operator updates the row directly to expired via
-    // `markExpired` when they own the cron).
+    // expired via an operator-side step (`expireDue` is that sweep;
+    // `markExpired` is the single-row flip when the operator owns the
+    // cron).
     listExpired: async function (input) {
       if (!input || typeof input !== "object") {
         throw new TypeError("quotes.listExpired: input object required");
@@ -1206,6 +1291,55 @@ function create(opts) {
       return out;
     },
 
+    // One bounded expiry sweep — the worker cron's `/_/quote-expiry-tick`
+    // drives this once a minute. Scans up to `limit` responded quotes whose
+    // valid_until has elapsed as of `as_of` and flips each to expired
+    // through an atomic conditional UPDATE that re-checks BOTH the status
+    // AND the elapsed expiry, so:
+    //   - two overlapping ticks can't double-transition a row (the loser's
+    //     UPDATE matches nothing and is counted as skipped, not an error);
+    //   - a customer accept / reject / operator cancel that lands between
+    //     the scan and the flip wins — the flip refuses;
+    //   - a reprice that lands in that window and pushes valid_until back
+    //     into the future also wins — the `valid_until <= as_of` re-check
+    //     keeps a freshly revised quote alive.
+    // Per-row failures never abort the pass; the summary reports what
+    // happened. Input validation throws (a cron caller with a bad clock /
+    // batch size is a config bug to surface, not to swallow).
+    expireDue: async function (input) {
+      if (!input || typeof input !== "object") {
+        throw new TypeError("quotes.expireDue: input object required");
+      }
+      var asOf = _ts(input.as_of, "as_of");
+      var limit = input.limit == null ? DEFAULT_LIMIT : input.limit;
+      if (!Number.isInteger(limit) || limit <= 0 || limit > MAX_LIMIT) {
+        throw new TypeError("quotes.expireDue: limit must be 1..." + MAX_LIMIT);
+      }
+      // The machine is the single source of truth for the expire edge — the
+      // sweep's `status = 'responded'` claims below encode the same source
+      // state, and this assert keeps them honest if the FSM ever changes.
+      _assertTransition("responded", "expire", "expireDue");
+      var r = await query(
+        "SELECT id FROM quotes WHERE status = 'responded' " +
+        "AND valid_until IS NOT NULL AND valid_until <= ?1 " +
+        "ORDER BY valid_until ASC, id ASC LIMIT ?2",
+        [asOf, limit],
+      );
+      var expired = 0;
+      var skipped = 0;
+      for (var i = 0; i < r.rows.length; i += 1) {
+        var claim = await query(
+          "UPDATE quotes SET status = 'expired', updated_at = ?1 " +
+          "WHERE id = ?2 AND status = 'responded' " +
+          "AND valid_until IS NOT NULL AND valid_until <= ?3",
+          [asOf, r.rows[i].id, asOf],
+        );
+        if (Number(claim.rowCount || 0) === 1) expired += 1;
+        else skipped += 1;
+      }
+      return { scanned: r.rows.length, expired: expired, skipped: skipped };
+    },
+
     // Operator-side expiry flip. Walks a single quote whose
     // valid_until has elapsed and moves it from responded -> expired.
     // Refuses if the quote is not in the responded state or if the

package/lib/refund-automation.js

@@ -342,6 +342,11 @@ function create(opts) {
   var refundPolicyHandle  = opts.refundPolicy        || null;
   var returnsHandle       = opts.returns             || null;
   var paymentHandle       = opts.payment             || null;
+  // PayPal adapter — PayPal-captured orders refund against their CAPTURE id
+  // through this handle (executeAutoRefund routes by the request's
+  // `provider`). Absent, PayPal-provider requests are refused with a clear
+  // error instead of dialing Stripe with a PayPal id.
+  var paypalHandle        = opts.paypal              || null;
   var riskProfileHandle   = opts.customerRiskProfile || null;
 
   // Per-factory monotonic clock. Two decisions written against the
@@ -664,6 +669,28 @@ function create(opts) {
       }
       paymentIntent = input.payment_intent;
     }
+    // Which provider captured the order's charge — routes the refund dial.
+    // 'stripe' (default — the original surface) refunds the payment_intent
+    // through the `payment` handle; 'paypal' refunds the CAPTURE
+    // (`paypal_capture_id`, never the PayPal order id) through the `paypal`
+    // handle, with the amount named in `currency`. Validated up front so a
+    // request can never reach the wrong provider's API.
+    var provider = input.provider == null ? "stripe" : input.provider;
+    if (provider !== "stripe" && provider !== "paypal") {
+      throw new TypeError("refundAutomation.executeAutoRefund: provider must be 'stripe' or 'paypal'");
+    }
+    var paypalCaptureId = null;
+    var paypalCurrency  = null;
+    if (provider === "paypal") {
+      if (typeof input.paypal_capture_id !== "string" || !input.paypal_capture_id.length) {
+        throw new TypeError("refundAutomation.executeAutoRefund: paypal_capture_id required when provider is 'paypal'");
+      }
+      if (typeof input.currency !== "string" || !CURRENCY_RE.test(input.currency)) {
+        throw new TypeError("refundAutomation.executeAutoRefund: currency (ISO 4217 alpha) required when provider is 'paypal'");
+      }
+      paypalCaptureId = input.paypal_capture_id;
+      paypalCurrency  = input.currency;
+    }
 
     var verdict = await evaluateForRefundRequest({
       order_id:             orderId,
@@ -685,20 +712,36 @@ function create(opts) {
       [id, orderId, customerId, verdict.applied_rule, amount, reason, ts],
     );
 
-    // Compose payment.refund when wired. The handle's exact shape
-    // mirrors the framework's payment primitive (`{ payment_intent,
-    // amount_minor, reason, metadata }`). Absent a handle the
-    // primitive still records the decision so the operator can
-    // drive the actual refund out-of-band.
+    // Compose the provider refund when the matching handle is wired,
+    // routed by `provider`. Absent the matching handle the primitive still
+    // records the decision so the operator can drive the actual refund
+    // out-of-band — EXCEPT a PayPal request with no PayPal handle, which is
+    // refused up front (falling through to the Stripe handle would dial
+    // Stripe with PayPal identifiers). The decision row above is already
+    // written either way, mirroring the decision-before-payment ordering.
     var paymentResult = null;
-    if (paymentHandle && typeof paymentHandle.refund === "function") {
+    if (provider === "paypal") {
+      if (paypalHandle && typeof paypalHandle.refund === "function") {
+        // Each auto-refund decision is its own refund — the decision id as
+        // the idempotency key keeps a retry of THIS decision deduplicated at
+        // PayPal (the adapter folds it into the PayPal-Request-Id) while two
+        // distinct decisions on the same capture stay distinct refunds.
+        paymentResult = await paypalHandle.refund({
+          capture_id:   paypalCaptureId,
+          amount_minor: amount,
+          currency:     paypalCurrency,
+        }, "auto-refund:" + id);
+      } else if (paymentHandle) {
+        throw new TypeError("refundAutomation.executeAutoRefund: provider is 'paypal' but no paypal handle is wired — refusing to refund PayPal identifiers through the Stripe handle");
+      }
+    } else if (paymentHandle && typeof paymentHandle.refund === "function") {
       var refundInput = {
         amount_minor: amount,
         reason:       reason,
         metadata:     { order_id: orderId, customer_id: customerId, applied_rule: verdict.applied_rule },
       };
       if (paymentIntent != null) refundInput.payment_intent = paymentIntent;
-      paymentResult = await paymentHandle.refund(refundInput);
+      paymentResult = await paymentHandle.refund(refundInput, "auto-refund:" + id);
     }
 
     return {

package/lib/security-middleware.js

@@ -77,6 +77,14 @@ var WEBHOOK_PATHS = [
 // could wedge the health signal.
 var HEALTH_PATH = "/_/health";
 
+// Per-client-IP budget on POST /api/webhooks/paypal (see the limiter in
+// mountRouteGuards). Generous against PayPal's real delivery cadence —
+// redelivery is ~25 attempts per event spread over days, so even a
+// post-downtime backlog flush of distinct events sits far under this —
+// while bounding how many verify-webhook-signature dials a spammer can
+// force per minute.
+var PAYPAL_WEBHOOK_BUDGET_PER_MINUTE = 120;
+
 // Worker→container internal endpoints — machine-to-machine POSTs over
 // the Cloudflare service binding (cron ticks + the InventoryLock DO's
 // low-stock event), each authenticated FIRST thing in its handler by a
@@ -101,6 +109,7 @@ var INTERNAL_BRIDGE_PATHS = [
   "/_/campaign-send-tick",
   "/_/customer-portal-expire",
   "/_/stale-order-reap",
+  "/_/quote-expiry-tick",
 ];
 
 // Public well-known paths fetched by third-party verification crawlers
@@ -744,6 +753,36 @@ function mountRouteGuards(r) {
       return clientKey(req) + "|" + (req.pathname || req.url || "/");
     },
   });
+  // --- PayPal webhook per-IP budget -----------------------------------
+  //
+  // The webhook paths are exempt from the global + tight limiters above
+  // (a processor's server-to-server POST is unthrottleable by a human
+  // budget), but /api/webhooks/paypal is uniquely expensive to probe:
+  // verification is a server-to-server dial to PayPal's
+  // verify-webhook-signature API, so every header-complete spam POST costs
+  // an outbound request. The adapter's verify dial rides its own circuit
+  // (never the payment circuit — lib/payment.js), so spam can't fast-fail
+  // checkouts; this budget bounds the outbound dial volume itself. Sized
+  // for PayPal's real delivery shape: legitimate redelivery after downtime
+  // is ~25 attempts per event spread over days, so even a backlog flush of
+  // many distinct events sits far under this per-minute ceiling — and a
+  // clipped delivery is never lost: the limiter answers 429, PayPal treats
+  // any non-2xx as retry-later and redelivers. Stripe's webhook keeps no
+  // budget — its verification is a local HMAC (no dial to amplify).
+  var PAYPAL_WEBHOOK_PATH = "/api/webhooks/paypal";
+  var paypalWebhookLimiter = b.middleware.rateLimit({
+    backend:   "memory",
+    algorithm: "fixed-window",
+    max:       PAYPAL_WEBHOOK_BUDGET_PER_MINUTE,
+    windowMs:  C.TIME.minutes(1),
+    keyFn:     clientKey,
+  });
+  r.use(function paypalWebhookRateGuard(req, res, next) {
+    var pathname = req.pathname || req.url || "/";
+    if (pathname !== PAYPAL_WEBHOOK_PATH) return next();
+    return paypalWebhookLimiter(req, res, next);
+  });
+
   r.use(function tightRateGuard(req, res, next) {
     var pathname = req.pathname || req.url || "/";
     // Never throttle the webhook or health paths.
@@ -780,6 +819,7 @@ module.exports = {
   CSP_HOSTS:            CSP_HOSTS,
   WEBHOOK_PATHS:        WEBHOOK_PATHS,
   HEALTH_PATH:          HEALTH_PATH,
+  PAYPAL_WEBHOOK_BUDGET_PER_MINUTE: PAYPAL_WEBHOOK_BUDGET_PER_MINUTE,
   TIGHT_PREFIXES:       TIGHT_PREFIXES,
   EDGE_POST_PATHS:      EDGE_POST_PATHS,
   PUBLIC_WELL_KNOWN_PATHS: PUBLIC_WELL_KNOWN_PATHS,

package/lib/storefront.js

@@ -10930,7 +10930,13 @@ function renderQuotePage(opts) {
     var lineRows = (q.lines || []).map(function (l) {
       var unit  = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor, l.currency || currency);
       var total = l.unit_price_minor == null ? "—" : pricing.format(l.unit_price_minor * l.quantity, l.currency || currency);
-      return "<tr><td>" + esc(l.sku) + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
+      // Per-line note — free text captured on the RFQ line, rendered under
+      // the item so the priced offer reads against what was asked for.
+      // Escaped like every other free-text field on this page.
+      var note = l.notes
+        ? "<div class=\"quote-line__note\">" + esc(l.notes) + "</div>"
+        : "";
+      return "<tr><td>" + esc(l.sku) + note + "</td><td class=\"num\">" + esc(String(l.quantity)) + "</td>" +
         "<td class=\"num\">" + esc(unit) + "</td><td class=\"num\">" + esc(total) + "</td></tr>";
     }).join("");
     var rowsHtml =
@@ -11019,11 +11025,17 @@ function renderQuoteList(opts) {
       var currency = q.currency || "USD";
       var total = q.total_minor == null ? "Awaiting price" : pricing.format(q.total_minor, currency);
       var statusLabel = q.status === "responded" ? "ready to review" : q.status;
+      // Make the acceptance window visible from the list — a plain
+      // server-rendered date on quotes that are still open to accept.
+      var valid = (q.status === "responded" && q.valid_until)
+        ? "<span class=\"quote-list__valid\">Valid until " + esc(new Date(Number(q.valid_until)).toUTCString()) + "</span>"
+        : "";
       return "<li class=\"quote-list__item\">" +
         "<a href=\"/account/quotes/" + esc(q.id) + "\">" +
           "<span class=\"quote-list__id\">Quote " + esc(String(q.id).slice(0, 8)) + "</span>" +
           "<span class=\"quote-list__status\">" + esc(statusLabel) + "</span>" +
           "<span class=\"quote-list__total\">" + esc(total) + "</span>" +
+          valid +
         "</a></li>";
     }).join("");
     body =
@@ -14964,6 +14976,10 @@ function mount(router, deps) {
             selected_shipping_id: body.selected_shipping_id || defaultShipId || "std",
             customer:             { email: body.email, name: body.name },
             gift_card_code:       body.gift_card_code || undefined,
+            // Loyalty points the signed-in shopper asked to spend — same
+            // parse + credit handling as the card-form confirm, so both
+            // payment buttons honor identical credits.
+            loyalty_redeem_points: _parseRedeemPoints(body.loyalty_redeem_points),
             codes:                ppCodes.length ? ppCodes : undefined,
             idempotency_key:      "paypal:" + c.id + ":" + b.uuid.v7(),
             return_url:           body.return_url || undefined,
@@ -14979,7 +14995,10 @@ function mount(router, deps) {
           return _json(200, { id: created.paypal_order_id, order_id: created.order.id });
         } catch (e) {
           var ecode = (e && typeof e.code === "string") ? e.code : "";
-          var gcErr = ecode.indexOf("GIFTCARD_") === 0;
+          // Customer-correctable credit errors (bad gift-card code,
+          // insufficient loyalty balance, points on a guest cart) are 400s
+          // whose message the button surfaces inline.
+          var gcErr = ecode.indexOf("GIFTCARD_") === 0 || ecode.indexOf("LOYALTY_") === 0;
           // Out-of-stock is a 409 (conflict) carrying the friendly per-line
           // message so the PayPal button surfaces it; nothing was charged
           // and the mid-confirm holds were already released.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.26",
+  "version": "0.4.28",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {