@blamejs/blamejs-shop 0.4.28 → 0.4.29

package/lib/store-credit.js

@@ -146,16 +146,17 @@ function create(opts) {
     query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
-  // O(1) current-balance read: the latest row by `occurred_at DESC`
-  // holds `balance_after_minor` as the denormalized snapshot. No SUM
+  // O(1) current-balance read: the latest row by `occurred_at DESC, id
+  // DESC` holds `balance_after_minor` as the denormalized snapshot. No SUM
   // aggregation at read time. Falls through to 0 when no rows exist
-  // (a customer that has never had a ledger row has zero credit).
-  // Returns both the snapshot and the occurred_at so the write path
-  // can guarantee strict monotonicity (see `_resolveOccurredAt`).
+  // (a customer that has never had a ledger row has zero credit). The id
+  // tie-break keeps any legacy same-millisecond rows deterministic; new
+  // writes can't tie — _writeRowAtomic computes a strictly-monotonic
+  // per-customer occurred_at inside the INSERT itself.
   async function _readLatest(customerId) {
     var r = await query(
       "SELECT balance_after_minor, occurred_at FROM store_credit_ledger " +
-      "WHERE customer_id = ?1 ORDER BY occurred_at DESC LIMIT 1",
+      "WHERE customer_id = ?1 ORDER BY occurred_at DESC, id DESC LIMIT 1",
       [customerId],
     );
     if (!r.rows.length) return { balance: 0, occurred_at: null };
@@ -167,27 +168,62 @@ function create(opts) {
     return latest.balance;
   }
 
-  // Two writes against the same customer in the same millisecond
-  // would tie on `occurred_at` and make the "latest row" ambiguous.
-  // Bump the requested timestamp to `prior + 1` when it would
-  // collide (or land older than the prior row, which an
-  // out-of-order operator write could trigger). The result is a
-  // strictly-monotonic per-customer `occurred_at` sequence.
-  function _resolveOccurredAt(requestedTs, latestTs) {
-    if (latestTs == null) return requestedTs;
-    if (requestedTs > latestTs) return requestedTs;
-    return latestTs + 1;
-  }
-
-  async function _writeRow(customerId, kind, amountMinor, source, sourceRef, orderId, balanceAfter, expiresAt, ts) {
+  // Single-statement guarded write — the concurrency spine of the wallet.
+  // The live balance AND the strictly-monotonic per-customer occurred_at
+  // are computed by correlated subqueries INSIDE the INSERT, so two
+  // concurrent writes can never base off the same stale snapshot: the
+  // statements serialize at the database and the second sees the first's
+  // row. (A JS-side read-then-write here double-fulfilled concurrent
+  // debits and silently dropped one of two same-millisecond credits.)
+  // `kind` selects the guard + arithmetic:
+  //   credit — balance_after = live + amount, no balance gate (the in-SQL
+  //            occurred_at is what closes the same-millisecond tie);
+  //   debit  — balance_after = live - amount, gated on live >= amount
+  //            (zero rows = insufficient, or lost the race — same refusal);
+  //   expire — burns MIN(amount, live), gated on live > 0 (zero rows =
+  //            wallet already empty; callers degrade gracefully — by
+  //            design, never a throw).
+  // Returns the written row's resolved values, or null when the guard
+  // refused the write.
+  async function _writeRowAtomic(kind, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs) {
     var id = b.uuid.v7();
-    await query(
+    var balSub = "COALESCE((SELECT balance_after_minor FROM store_credit_ledger " +
+                 "WHERE customer_id = ?2 ORDER BY occurred_at DESC, id DESC LIMIT 1), 0)";
+    var tsSub  = "COALESCE((SELECT occurred_at FROM store_credit_ledger " +
+                 "WHERE customer_id = ?2 ORDER BY occurred_at DESC, id DESC LIMIT 1), 0)";
+    var tsExpr = "CASE WHEN ?8 > " + tsSub + " THEN ?8 ELSE " + tsSub + " + 1 END";
+    var amountExpr, afterExpr, guard;
+    if (kind === "credit") {
+      amountExpr = "?3";
+      afterExpr  = balSub + " + ?3";
+      guard      = "1";
+    } else if (kind === "debit") {
+      amountExpr = "?3";
+      afterExpr  = balSub + " - ?3";
+      guard      = balSub + " >= ?3";
+    } else {            // expire — burn MIN(amount, live balance)
+      amountExpr = "CASE WHEN " + balSub + " < ?3 THEN " + balSub + " ELSE ?3 END";
+      afterExpr  = "CASE WHEN " + balSub + " < ?3 THEN 0 ELSE " + balSub + " - ?3 END";
+      guard      = balSub + " > 0";
+    }
+    var res = await query(
       "INSERT INTO store_credit_ledger " +
       "(id, customer_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, expires_at, occurred_at) " +
-      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10)",
-      [id, customerId, kind, amountMinor, source, sourceRef, orderId, balanceAfter, expiresAt, ts],
+      "SELECT ?1, ?2, ?9, " + amountExpr + ", ?4, ?5, ?6, " + afterExpr + ", ?7, " + tsExpr + " " +
+      "WHERE " + guard,
+      [id, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs, kind],
     );
-    return id;
+    if (Number(res.rowCount || 0) === 0) return null;
+    var row = (await query(
+      "SELECT amount_minor, balance_after_minor, occurred_at FROM store_credit_ledger WHERE id = ?1",
+      [id],
+    )).rows[0];
+    return {
+      id:                  id,
+      amount_minor:        row.amount_minor,
+      balance_after_minor: row.balance_after_minor,
+      occurred_at:         row.occurred_at,
+    };
   }
 
   return {
@@ -206,21 +242,18 @@ function create(opts) {
       var requested  = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(customerId);
-      var ts     = _resolveOccurredAt(requested, latest.occurred_at);
-      var after  = latest.balance + amount;
-      var id = await _writeRow(customerId, "credit", amount, source, sourceRef, null, after, expiresAt, ts);
+      var w = await _writeRowAtomic("credit", customerId, amount, source, sourceRef, null, expiresAt, requested);
 
       return {
-        id:                  id,
+        id:                  w.id,
         customer_id:         customerId,
         kind:                "credit",
         amount_minor:        amount,
         source:              source,
         source_ref:          sourceRef,
         expires_at:          expiresAt,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
       };
     },
 
@@ -234,24 +267,24 @@ function create(opts) {
       var requested  = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(customerId);
-      if (amount > latest.balance) {
+      // The balance gate lives INSIDE the insert — a refused write covers
+      // both "always insufficient" and "a concurrent debit drained it
+      // first", with no window between check and write.
+      var w = await _writeRowAtomic("debit", customerId, amount, null, null, orderId, null, requested);
+      if (!w) {
         var insufficient = new Error("storeCredit.debit: amount exceeds available balance");
         insufficient.code = "STORE_CREDIT_INSUFFICIENT_BALANCE";
         throw insufficient;
       }
-      var ts    = _resolveOccurredAt(requested, latest.occurred_at);
-      var after = latest.balance - amount;
-      var id = await _writeRow(customerId, "debit", amount, null, null, orderId, after, null, ts);
 
       return {
-        id:                  id,
+        id:                  w.id,
         customer_id:         customerId,
         kind:                "debit",
         amount_minor:        amount,
         order_id:            orderId,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
       };
     },
 
@@ -272,18 +305,15 @@ function create(opts) {
       var requested = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(customerId);
-      // Expire caps at the current balance — operators running a
-      // scheduled sweep over computed "expiring before X" amounts
-      // should degrade gracefully rather than refusing when an
-      // interim debit has already drained the wallet.
-      var toBurn = amount > latest.balance ? latest.balance : amount;
-      if (toBurn === 0) {
-        // No-op write: persisting a zero-amount row would violate
-        // the CHECK(amount_minor > 0) constraint. Surface a
-        // structured refusal so the caller can distinguish "already
-        // empty" from "actually burned N". A no-op expire is a
-        // valid outcome of a bulk sweep — don't throw.
+      // Expire caps at the current balance INSIDE the insert — operators
+      // running a scheduled sweep over computed "expiring before X"
+      // amounts degrade gracefully rather than refusing when an interim
+      // debit has already drained the wallet. A refused write (wallet
+      // already at zero) is the structured no-op below, never a throw —
+      // by design: a no-op expire is a valid outcome of a bulk sweep,
+      // and a zero-amount row would violate CHECK(amount_minor > 0).
+      var w = await _writeRowAtomic("expire", customerId, amount, null, reason, null, null, requested);
+      if (!w) {
         return {
           id:                  null,
           customer_id:         customerId,
@@ -291,24 +321,21 @@ function create(opts) {
           amount_minor:        0,
           requested_minor:     amount,
           reason:              reason,
-          balance_after_minor: latest.balance,
+          balance_after_minor: await _currentBalance(customerId),
           occurred_at:         requested,
           noop:                true,
         };
       }
-      var ts    = _resolveOccurredAt(requested, latest.occurred_at);
-      var after = latest.balance - toBurn;
-      var id = await _writeRow(customerId, "expire", toBurn, null, reason, null, after, null, ts);
 
       return {
-        id:                  id,
+        id:                  w.id,
         customer_id:         customerId,
         kind:                "expire",
-        amount_minor:        toBurn,
+        amount_minor:        w.amount_minor,
         requested_minor:     amount,
         reason:              reason,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
         noop:                false,
       };
     },
@@ -585,29 +612,22 @@ function create(opts) {
           continue;
         }
 
-        var latest = await _readLatest(customerId);
-        // Cap the burn at the wallet's current balance.
-        // Debits between the credit and the sweep may have spent
-        // the expired amount already; we never drive the balance
-        // negative. The expired credits were "first-out" from the
-        // operator's POV — but the schema doesn't track FIFO at
-        // row-level, so cap by current balance and let the audit
-        // trail reflect what was actually burned.
-        var toBurn = pendingBurn > latest.balance ? latest.balance : pendingBurn;
-        if (toBurn <= 0) {
-          // Wallet already empty — record nothing (no CHECK > 0
-          // violation). Operator can reconcile via history.
-          continue;
-        }
-        var ts    = _resolveOccurredAt(now, latest.occurred_at);
-        var after = latest.balance - toBurn;
-        var id    = await _writeRow(customerId, "expire", toBurn, null, SWEEP_SOURCE_REF, null, after, null, ts);
+        // The burn caps at the wallet's current balance INSIDE the
+        // guarded insert. Debits between the credit and the sweep may
+        // have spent the expired amount already; the write never drives
+        // the balance negative, and a wallet already at zero refuses the
+        // write entirely (no CHECK > 0 violation; operator reconciles
+        // via history). The expired credits were "first-out" from the
+        // operator's POV — the schema doesn't track FIFO at row level,
+        // so the audit trail reflects what was actually burned.
+        var w = await _writeRowAtomic("expire", customerId, pendingBurn, null, SWEEP_SOURCE_REF, null, null, now);
+        if (!w) continue;
         processed.push({
-          id:                  id,
+          id:                  w.id,
           customer_id:         customerId,
-          amount_minor:        toBurn,
-          balance_after_minor: after,
-          occurred_at:         ts,
+          amount_minor:        w.amount_minor,
+          balance_after_minor: w.balance_after_minor,
+          occurred_at:         w.occurred_at,
         });
       }
       return { processed: processed, swept_at: now };

package/lib/storefront.js

@@ -14864,7 +14864,7 @@ function mount(router, deps) {
         // the buyer must lower a quantity or drop a line; nothing was
         // charged and any holds placed mid-confirm were already released.
         if (code.indexOf("GIFTCARD_") === 0 || code.indexOf("LOYALTY_") === 0 ||
-            code === "INSUFFICIENT_STOCK") {
+            code === "INSUFFICIENT_STOCK" || code === "AUTO_DISCOUNT_EXHAUSTED") {
           try {
             var coLines = await _repriceCartLines(await deps.cart.listLines(c.id));
             if (coLines.length) {
@@ -14998,7 +14998,7 @@ function mount(router, deps) {
           // Customer-correctable credit errors (bad gift-card code,
           // insufficient loyalty balance, points on a guest cart) are 400s
           // whose message the button surfaces inline.
-          var gcErr = ecode.indexOf("GIFTCARD_") === 0 || ecode.indexOf("LOYALTY_") === 0;
+          var gcErr = ecode.indexOf("GIFTCARD_") === 0 || ecode.indexOf("LOYALTY_") === 0 || ecode === "AUTO_DISCOUNT_EXHAUSTED";
           // Out-of-stock is a 409 (conflict) carrying the friendly per-line
           // message so the PayPal button surfaces it; nothing was charged
           // and the mid-confirm holds were already released.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.28",
+  "version": "0.4.29",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {