@blamejs/blamejs-shop 0.4.28 → 0.4.30

package/lib/gift-card-ledger.js

@@ -241,32 +241,84 @@ function create(opts) {
     return latestTs + 1;
   }
 
-  // credit() + expire() write through here: they already read the prior
-  // row (balance + occurred_at), so chaining is a straight read-then-write
-  // — `prevHash` is that prior row's row_hash, and row_hash is computed
-  // over the fully-resolved field tuple before the INSERT. debit() does
-  // NOT use this path: its overdraft guard must stay a single atomic
-  // statement, so it chains separately (see below).
-  async function _writeRow(giftCardId, kind, amountMinor, source, sourceRef, orderId, balanceAfter, ts, prevHash) {
+  // How many times a writer re-derives the chain tip when the parent fence
+  // refuses its INSERT (another write landed first). Each retry re-reads
+  // the tip, so contention resolves in one extra round trip per racing
+  // writer; five attempts is far beyond any realistic burst.
+  var CHAIN_WRITE_ATTEMPTS = 5;
+
+  function _isChainFenceCollision(err) {
+    var msg = (err && err.message) || "";
+    return /UNIQUE constraint failed/i.test(msg) && /(prev_hash|chain_parent)/i.test(msg);
+  }
+
+  // One fenced write attempt against a tip the caller just read. EVERY
+  // event kind writes through here so every row participates in the
+  // per-card hash chain — prev_hash + row_hash are computed app-side over
+  // the fully-resolved tuple and bound explicitly. What makes the
+  // app-computed values safe to bind is the chain-parent fence
+  // (UNIQUE(gift_card_id, prev_hash), migration 0230): a row's prev_hash
+  // names its parent, a chain has exactly one child per parent, so a
+  // write derived from a STALE tip collides at the constraint instead of
+  // forking the chain or persisting a stale balance_after — the caller
+  // re-reads and retries. The debit overdraft gate additionally stays
+  // INSIDE the statement (WHERE live-balance >= amount, the correlated
+  // subquery — never an app-side check): with the fence it is
+  // defense-in-depth, and it is what turns a genuine overdraft into a
+  // zero-row refusal rather than a retry loop. Returns one of
+  // { written }, { refused } (guard said no against the live tip), or
+  // { collided } (tip moved — retry).
+  async function _attemptChainedWrite(giftCardId, kind, latest, d) {
     var id = b.uuid.v7();
-    var rowHash = _computeRowHash(prevHash, {
+    var rowHash = _computeRowHash(latest.row_hash, {
       id:                  id,
       gift_card_id:        giftCardId,
       kind:                kind,
-      amount_minor:        amountMinor,
-      source:              source,
-      source_ref:          sourceRef,
-      order_id:            orderId,
-      balance_after_minor: balanceAfter,
-      occurred_at:         ts,
+      amount_minor:        d.amount,
+      source:              d.source,
+      source_ref:          d.sourceRef,
+      order_id:            d.orderId,
+      balance_after_minor: d.after,
+      occurred_at:         d.ts,
     });
-    await query(
-      "INSERT INTO gift_card_ledger " +
-      "(id, gift_card_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, occurred_at, prev_hash, row_hash) " +
-      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11)",
-      [id, giftCardId, kind, amountMinor, source, sourceRef, orderId, balanceAfter, ts, prevHash, rowHash],
-    );
-    return id;
+    var balSub =
+      "COALESCE((SELECT balance_after_minor FROM gift_card_ledger " +
+      "WHERE gift_card_id = ?2 ORDER BY occurred_at DESC, id DESC LIMIT 1), 0)";
+    try {
+      var res = await query(
+        "INSERT INTO gift_card_ledger " +
+        "(id, gift_card_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, occurred_at, prev_hash, row_hash) " +
+        "SELECT ?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11 " +
+        "WHERE " + (d.guarded ? balSub + " >= ?4" : "1"),
+        [id, giftCardId, kind, d.amount, d.source, d.sourceRef, d.orderId, d.after, d.ts, latest.row_hash, rowHash],
+      );
+      if (Number(res.rowCount || 0) === 0) return { refused: true };
+      return { written: { id: id, balance_after_minor: d.after, occurred_at: d.ts } };
+    } catch (e) {
+      if (_isChainFenceCollision(e)) return { collided: true };
+      throw e;
+    }
+  }
+
+  // Run a chained write with bounded tip-contention retries. `derive` maps
+  // the freshly-read tip to the attempt's concrete fields — or a noop
+  // sentinel ({ noop: true }) for writes that degrade gracefully on an
+  // empty wallet. Each fence collision re-reads the tip and re-derives, so
+  // the values that land are always consistent with the parent they chain
+  // off.
+  async function _writeChained(giftCardId, kind, derive) {
+    for (var attempt = 0; attempt < CHAIN_WRITE_ATTEMPTS; attempt += 1) {
+      var latest = await _readLatest(giftCardId);
+      var d = derive(latest);
+      if (d.noop) return { noop: true, balance: latest.balance };
+      var r = await _attemptChainedWrite(giftCardId, kind, latest, d);
+      if (r.collided) continue;
+      if (r.refused) return { refused: true };
+      return r.written;
+    }
+    var contention = new Error("giftCardLedger." + kind + ": persistent chain-tip contention — retry the write");
+    contention.code = "GIFT_CARD_LEDGER_CONTENTION";
+    throw contention;
   }
 
   return {
@@ -284,20 +336,27 @@ function create(opts) {
       var requested = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(giftCardId);
-      var ts     = _resolveOccurredAt(requested, latest.occurred_at);
-      var after  = latest.balance + amount;
-      var id = await _writeRow(giftCardId, "credit", amount, source, sourceRef, null, after, ts, latest.row_hash);
+      var w = await _writeChained(giftCardId, "credit", function (latest) {
+        return {
+          amount:    amount,
+          source:    source,
+          sourceRef: sourceRef,
+          orderId:   null,
+          after:     latest.balance + amount,
+          ts:        _resolveOccurredAt(requested, latest.occurred_at),
+          guarded:   false,
+        };
+      });
 
       return {
-        id:                  id,
+        id:                  w.id,
         gift_card_id:        giftCardId,
         kind:                "credit",
         amount_minor:        amount,
         source:              source,
         source_ref:          sourceRef,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
       };
     },
 
@@ -311,53 +370,38 @@ function create(opts) {
       var requested  = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      // Atomic guarded INSERT — the overdraft check and the row write
-      // happen in ONE statement so two concurrent debits can't both
-      // read the same balance, both pass the check, and both write
-      // (the read-then-write race that corrupted `balance_after_minor`).
-      // The latest row's snapshot (balance + occurred_at) is read by
-      // correlated scalar subqueries INSIDE the INSERT; the WHERE gates
-      // the write on `current_balance >= amount` against that live
-      // value, and the inserted `balance_after_minor` /  monotonic
-      // `occurred_at` are derived from the same subqueries — so on D1
-      // (where a single statement is atomic) exactly one of two racing
-      // debits lands. rowCount === 0 means the guard refused: either a
-      // genuine overdraft or the loser of a race.
-      var id = b.uuid.v7();
-      var balSub =
-        "COALESCE((SELECT balance_after_minor FROM gift_card_ledger " +
-        "WHERE gift_card_id = ?2 ORDER BY occurred_at DESC LIMIT 1), 0)";
-      var tsSub =
-        "(SELECT occurred_at FROM gift_card_ledger " +
-        "WHERE gift_card_id = ?2 ORDER BY occurred_at DESC LIMIT 1)";
-      var ins = await query(
-        "INSERT INTO gift_card_ledger " +
-        "(id, gift_card_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, occurred_at) " +
-        "SELECT ?1, ?2, 'debit', ?3, NULL, NULL, ?4, " +
-        balSub + " - ?3, " +
-        "CASE WHEN ?5 > COALESCE(" + tsSub + ", 0) THEN ?5 ELSE COALESCE(" + tsSub + ", 0) + 1 END " +
-        "WHERE " + balSub + " >= ?3",
-        [id, giftCardId, amount, orderId, requested],
-      );
-      if (Number(ins.rowCount || 0) === 0) {
+      // The overdraft gate stays INSIDE the guarded INSERT (live correlated
+      // subquery — never an app-side check), and the debit row now ALSO
+      // binds prev_hash/row_hash so it participates in the per-card chain
+      // like every other kind: the chain-parent fence is what makes the
+      // app-computed values safe (a stale-tip write collides and retries
+      // instead of forking the chain). A zero-row refusal against the live
+      // tip is a genuine overdraft — either always insufficient, or the
+      // loser of a race whose winner drained the balance.
+      var w = await _writeChained(giftCardId, "debit", function (latest) {
+        return {
+          amount:    amount,
+          source:    null,
+          sourceRef: null,
+          orderId:   orderId,
+          after:     latest.balance - amount,
+          ts:        _resolveOccurredAt(requested, latest.occurred_at),
+          guarded:   true,
+        };
+      });
+      if (w.refused) {
         var insufficient = new Error("giftCardLedger.debit: amount exceeds available balance");
         insufficient.code = "GIFT_CARD_LEDGER_INSUFFICIENT_BALANCE";
         throw insufficient;
       }
-      // Re-read the row we just wrote to surface the resolved
-      // balance_after / occurred_at without recomputing them client-side.
-      var wrote = (await query(
-        "SELECT balance_after_minor, occurred_at FROM gift_card_ledger WHERE id = ?1",
-        [id],
-      )).rows[0];
       return {
-        id:                  id,
+        id:                  w.id,
         gift_card_id:        giftCardId,
         kind:                "debit",
         amount_minor:        amount,
         order_id:            orderId,
-        balance_after_minor: wrote ? wrote.balance_after_minor : null,
-        occurred_at:         wrote ? wrote.occurred_at : requested,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
       };
     },
 
@@ -377,20 +421,30 @@ function create(opts) {
       var requested = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(giftCardId);
-      // Expire caps at the current balance — operators running a
-      // scheduled sweep over computed "expiring before X" amounts
-      // should degrade gracefully rather than refusing when an
-      // interim debit has already drained the card. A capped expire
-      // returns the actual amount burned so the operator can
-      // reconcile.
-      var toBurn = amount > latest.balance ? latest.balance : amount;
-      if (toBurn === 0) {
-        // No-op write: persist a zero-amount row would violate the
-        // CHECK(amount_minor > 0) constraint. Surface a structured
-        // refusal so the caller can distinguish "already empty" from
-        // "actually burned N". A no-op expire is a valid outcome of
-        // a bulk sweep — we don't throw.
+      // Expire caps at the current balance — operators running a scheduled
+      // sweep over computed "expiring before X" amounts degrade gracefully
+      // rather than refusing when an interim debit has already drained the
+      // card. The cap re-derives on every fence retry, so the burn is
+      // always consistent with the tip it chains off. An empty wallet is
+      // the structured no-op below, never a throw — a zero-amount row
+      // would violate CHECK(amount_minor > 0), and a no-op expire is a
+      // valid outcome of a bulk sweep.
+      var burned = { amount: 0 };
+      var w = await _writeChained(giftCardId, "expire", function (latest) {
+        var toBurn = amount > latest.balance ? latest.balance : amount;
+        if (toBurn === 0) return { noop: true };
+        burned.amount = toBurn;
+        return {
+          amount:    toBurn,
+          source:    null,
+          sourceRef: reason,
+          orderId:   null,
+          after:     latest.balance - toBurn,
+          ts:        _resolveOccurredAt(requested, latest.occurred_at),
+          guarded:   false,
+        };
+      });
+      if (w.noop) {
         return {
           id:                  null,
           gift_card_id:        giftCardId,
@@ -398,28 +452,94 @@ function create(opts) {
           amount_minor:        0,
           requested_minor:     amount,
           reason:              reason,
-          balance_after_minor: latest.balance,
+          balance_after_minor: w.balance,
           occurred_at:         requested,
           noop:                true,
         };
       }
-      var ts    = _resolveOccurredAt(requested, latest.occurred_at);
-      var after = latest.balance - toBurn;
-      var id = await _writeRow(giftCardId, "expire", toBurn, null, reason, null, after, ts, latest.row_hash);
 
       return {
-        id:                  id,
+        id:                  w.id,
         gift_card_id:        giftCardId,
         kind:                "expire",
-        amount_minor:        toBurn,
+        amount_minor:        burned.amount,
         requested_minor:     amount,
         reason:              reason,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
         noop:                false,
       };
     },
 
+    // Recompute one card's hash chain and flag the first divergence — the
+    // tamper-evidence READ side of the chain the writers maintain. Walks
+    // the card's rows in (occurred_at, id) order; rows from before the
+    // chain columns existed (NULL row_hash) are tolerated as an
+    // unverifiable legacy PREFIX and counted, but once a hashed row
+    // appears every later row must link — an unhashed row after the
+    // anchor, a prev_hash that doesn't name its parent, or a row_hash
+    // that doesn't recompute is a break. O(n) per card; operator-audit
+    // use, not hot-path.
+    verifyChain: async function (giftCardId) {
+      _uuid(giftCardId, "gift_card_id");
+      var r = await query(
+        "SELECT * FROM gift_card_ledger WHERE gift_card_id = ?1 " +
+        "ORDER BY occurred_at ASC, id ASC",
+        [giftCardId],
+      );
+      var rows = r.rows;
+      var legacyPrefix = 0;
+      var anchored = false;
+      var prevHash = ZERO_HASH;
+      for (var i = 0; i < rows.length; i += 1) {
+        var row = rows[i];
+        if (!anchored && row.row_hash == null) { legacyPrefix += 1; continue; }
+        anchored = true;
+        var breakBase = {
+          ok:             false,
+          rows_verified:  i - legacyPrefix,
+          legacy_prefix:  legacyPrefix,
+          break_at:       i,
+          break_row_id:   row.id,
+        };
+        if (row.row_hash == null) {
+          return Object.assign(breakBase, { reason: "unhashed row after chain anchor" });
+        }
+        if (row.prev_hash !== prevHash) {
+          return Object.assign(breakBase, {
+            reason:   "prev_hash mismatch",
+            expected: prevHash,
+            actual:   row.prev_hash,
+          });
+        }
+        var computed = _computeRowHash(prevHash, {
+          id:                  row.id,
+          gift_card_id:        row.gift_card_id,
+          kind:                row.kind,
+          amount_minor:        row.amount_minor,
+          source:              row.source,
+          source_ref:          row.source_ref,
+          order_id:            row.order_id,
+          balance_after_minor: row.balance_after_minor,
+          occurred_at:         row.occurred_at,
+        });
+        if (computed !== row.row_hash) {
+          return Object.assign(breakBase, {
+            reason:   "row_hash mismatch",
+            expected: computed,
+            actual:   row.row_hash,
+          });
+        }
+        prevHash = row.row_hash;
+      }
+      return {
+        ok:            true,
+        rows_verified: rows.length - legacyPrefix,
+        legacy_prefix: legacyPrefix,
+        last_hash:     prevHash,
+      };
+    },
+
     balance: async function (giftCardId) {
       _uuid(giftCardId, "gift_card_id");
       var bal = await _currentBalance(giftCardId);

package/lib/giftcards.js

@@ -406,6 +406,62 @@ function create(opts) {
       return reversed;
     },
 
+    // Attach a redemption that was debited BEFORE its order existed to the
+    // order it paid for. Checkout debits the card pre-charge (the debit is
+    // the double-spend gate, so it must land before any money moves) with
+    // `order_id` NULL, then links the row here once the order row exists.
+    // The link is what the refund/cancel reversers key on — an unlinked
+    // redemption is invisible to reverseRedemption / reverseRedemptionProRata.
+    // Write-once: only a NULL order_id row accepts a link, so a re-fire or a
+    // mistaken second link against a settled redemption is a no-op rather
+    // than a silent re-keying. Returns true when the link landed.
+    linkRedemptionToOrder: async function (redemptionId, orderId) {
+      _uuid(redemptionId, "redemption_id");
+      _uuid(orderId, "order_id");
+      var res = await query(
+        "UPDATE giftcard_redemptions SET order_id = ?1 WHERE id = ?2 AND order_id IS NULL",
+        [orderId, redemptionId],
+      );
+      return Number(res.rowCount || 0) === 1;
+    },
+
+    // Reverse ONE redemption by its own id — the compensation edge for a
+    // pre-charge debit whose checkout failed before the order existed
+    // (PaymentIntent refused, order insert threw). reverseRedemption can't
+    // reach these rows: it keys on order_id, which is still NULL at that
+    // point. Same claim discipline as the order-keyed reversal — the
+    // `reversed_at IS NULL` predicate is the serialization point, so a
+    // double-fire credits the balance back exactly once — and the same
+    // status semantics (a card that drained to `redeemed` reactivates; a
+    // voided/expired card keeps its terminal status). Returns the reversed
+    // row, or null when the claim was already taken (or the id is unknown).
+    reverseRedemptionById: async function (redemptionId) {
+      _uuid(redemptionId, "redemption_id");
+      var red = (await query(
+        "SELECT id, giftcard_id, amount_minor FROM giftcard_redemptions " +
+        "WHERE id = ?1 AND reversed_at IS NULL",
+        [redemptionId],
+      )).rows[0];
+      if (!red) return null;
+      var ts = _now();
+      var claim = await query(
+        "UPDATE giftcard_redemptions SET reversed_at = ?1 WHERE id = ?2 AND reversed_at IS NULL",
+        [ts, red.id],
+      );
+      if (Number(claim.rowCount || 0) === 0) return null;   // lost the claim
+      await query(
+        "UPDATE giftcards SET balance_minor = balance_minor + ?1, " +
+        "status = CASE WHEN status = 'redeemed' THEN 'active' ELSE status END, " +
+        "updated_at = ?2 WHERE id = ?3",
+        [red.amount_minor, ts, red.giftcard_id],
+      );
+      return {
+        redemption_id: red.id,
+        gift_card_id:  red.giftcard_id,
+        amount_minor:  red.amount_minor,
+      };
+    },
+
     // Credit a card's spend back PROPORTIONALLY to a partial refund — the
     // refund-by-amount counterpart to reverseRedemption's all-or-nothing
     // (cancel) release. A full refund (cancel / payment-failed) returns the

package/lib/loyalty.js

@@ -335,7 +335,7 @@ function create(opts) {
         throw raced;
       }
 
-      await _writeTx(customerId, "redeem", -points, "redeem", orderId, notes, ts);
+      var txId = await _writeTx(customerId, "redeem", -points, "redeem", orderId, notes, ts);
 
       var after = await _readAccount(customerId);
       return {
@@ -343,9 +343,69 @@ function create(opts) {
         lifetime:        after.lifetime_points,
         tier:            after.tier,
         tier_expires_at: after.tier_expires_at,
+        // Ledger row id of this burn — checkout debits points BEFORE its
+        // order exists (the debit is the double-spend gate) and links the
+        // row to the order afterwards via linkRedemptionToOrder, or
+        // compensates via reverseRedemptionById when the checkout dies
+        // before the order is created.
+        tx_id:           txId,
       };
     },
 
+    // Attach a redeem ledger row that was debited BEFORE its order existed
+    // to the order it tendered for. The order link is what
+    // restoreRedemption keys on — an unlinked burn is invisible to the
+    // refund restore. Write-once: only a NULL order_id redeem row accepts a
+    // link, so a re-fire never re-keys a settled burn. Returns true when
+    // the link landed.
+    linkRedemptionToOrder: async function (txId, orderId) {
+      var tid = _uuid(txId, "tx_id");
+      var oid = _uuid(orderId, "order_id");
+      var res = await query(
+        "UPDATE loyalty_transactions SET order_id = ?1 " +
+        "WHERE id = ?2 AND transaction_type = 'redeem' AND order_id IS NULL",
+        [oid, tid],
+      );
+      return Number(res.rowCount || 0) === 1;
+    },
+
+    // Reverse ONE redeem burn by its ledger row id — the compensation edge
+    // for a pre-charge debit whose checkout failed before the order existed
+    // (PaymentIntent refused, order insert threw). restoreRedemption can't
+    // reach these rows: it keys on order_id, still NULL at that point. The
+    // claim rides the same restored_points column the refund restore uses —
+    // advancing it 0 → spent is the serialization point, so a double-fire
+    // credits the balance back exactly once. Balance only; lifetime is
+    // untouched (the burn never moved it). Returns { restored_points }, 0
+    // when the claim was already taken (or the id is unknown / not a burn).
+    reverseRedemptionById: async function (txId) {
+      var tid = _uuid(txId, "tx_id");
+      var row = (await query(
+        "SELECT id, customer_id, points, restored_points FROM loyalty_transactions " +
+        "WHERE id = ?1 AND transaction_type = 'redeem'",
+        [tid],
+      )).rows[0];
+      if (!row) return { restored_points: 0 };
+      var spent = Math.abs(Number(row.points || 0));
+      if (spent <= 0 || Number(row.restored_points || 0) !== 0) return { restored_points: 0 };
+      var ts = _now();
+      var claim = await query(
+        "UPDATE loyalty_transactions SET restored_points = ?1 " +
+        "WHERE id = ?2 AND restored_points = 0",
+        [spent, row.id],
+      );
+      if (Number(claim.rowCount || 0) === 0) return { restored_points: 0 };   // lost the claim
+      await _ensureAccountRow(row.customer_id, ts);
+      await query(
+        "UPDATE loyalty_accounts SET balance_points = balance_points + ?1, " +
+        "updated_at = ?2 WHERE customer_id = ?3",
+        [spent, ts, row.customer_id],
+      );
+      await _writeTx(row.customer_id, "redeem", spent, "redeem-reversal", null,
+        "restored ref=tx:" + row.id, ts);
+      return { restored_points: spent };
+    },
+
     // Restore points a customer SPENT as a checkout tender when the order
     // that spent them is refunded — the symmetric counterpart to the
     // gift-card-spend restore. `redeem` debited the balance at checkout

package/lib/order.js

@@ -1219,6 +1219,52 @@ function create(opts) {
       }
     },
 
+    // Erasure scrub for the reconciliation audit trail. The attach linkage
+    // (order_id / customer_id / linked_via / occurred_at) is RETAINED under
+    // the same audit basis the orders themselves carry — a disputed link
+    // must stay traceable after the account is gone. But the recorded
+    // email_hash is a verbatim copy of the live customer-email lookup key,
+    // and account erasure deliberately severs that key on the customers
+    // row, so a surviving copy here would defeat the severance for any
+    // customer who ever claimed a guest order. This rewrites it to a
+    // per-customer, non-reversible tombstone under its OWN hash namespace
+    // ("guest-recon-erased-email" — deliberately distinct from the
+    // customers row's "customer-erased-email" label, so the two tombstones
+    // never share a digest and can't be correlated as the same
+    // derivation). Only live (non-tombstoned) hashes rewrite, so a re-run
+    // is a no-op.
+    //
+    // `dry_run: true` counts the rows a wet run WOULD rewrite without
+    // mutating anything — the side-effect-free preview the deletion
+    // pipeline's dry-run contract requires. Returns `{ table, deleted }`
+    // where `deleted` is the rows tombstoned (the rows themselves stay).
+    // Defensive: a schema without the audit table collapses to
+    // `{ table, deleted: 0 }` (drop-silent, same posture as the sibling
+    // reads) so a partial schema never fails the caller's erasure run.
+    scrubReconciliationEmailHashForCustomer: async function (customerId, opts2) {
+      _uuid(customerId, "customer id");
+      var dryRun = !!(opts2 && opts2.dry_run);
+      try {
+        if (dryRun) {
+          var c = (await query(
+            "SELECT COUNT(*) AS n FROM guest_order_reconciliations " +
+            "WHERE customer_id = ?1 AND email_hash NOT LIKE 'erased:%'",
+            [customerId],
+          )).rows[0];
+          return { table: "guest_order_reconciliations", deleted: c ? Number(c.n) : 0 };
+        }
+        var tombstone = "erased:" + b.crypto.namespaceHash("guest-recon-erased-email", customerId);
+        var r = await query(
+          "UPDATE guest_order_reconciliations SET email_hash = ?1 " +
+          "WHERE customer_id = ?2 AND email_hash NOT LIKE 'erased:%'",
+          [tombstone, customerId],
+        );
+        return { table: "guest_order_reconciliations", deleted: Number((r && r.rowCount) || 0) };
+      } catch (_e) {
+        return { table: "guest_order_reconciliations", deleted: 0 };
+      }
+    },
+
     // Has this customer purchased this product? True iff an order
     // line for any variant of the product sits in an order owned by
     // the customer whose status is a real purchase — anything except

package/lib/payment.js

@@ -438,12 +438,43 @@ async function _runIdempotent(state, operation, key, requestObj, doCall) {
     ? result._stripeRawText
     : JSON.stringify(result);
 
-  await query(
+  // Atomic claim: two concurrent same-key calls both miss the lookup above
+  // and both reach here — ON CONFLICT DO NOTHING lets exactly one cache its
+  // response while the loser defers to the winner's row instead of dying on
+  // the PRIMARY KEY violation. Never OR REPLACE / DO UPDATE: the loser must
+  // not overwrite the winner's cached response, and a same-key racer with a
+  // DIFFERENT body must still hit the collision refusal below.
+  var ins = await query(
     "INSERT INTO payment_idempotency " +
     "(idempotency_key, operation, request_hash, response_status, response_body, created_at, expires_at) " +
-    "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)",
+    "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7) " +
+    "ON CONFLICT(idempotency_key) DO NOTHING",
     [key, operation, requestHash, status, rawText, now, now + IDEMPOTENCY_TTL_MS],
   );
+  var changes = ins && (ins.rowCount != null ? ins.rowCount
+    : (ins.meta && ins.meta.changes != null ? ins.meta.changes : ins.changes));
+  if (Number(changes || 0) === 0) {
+    // A concurrent call claimed the key first. Replay its cached row —
+    // unless our request body differs, which is the same collision the
+    // up-front check refuses.
+    var winner = (await query(
+      "SELECT request_hash, response_status, response_body " +
+      "FROM payment_idempotency WHERE idempotency_key = ?1 LIMIT 1",
+      [key],
+    )).rows[0];
+    if (winner && winner.request_hash !== requestHash) {
+      throw new TypeError("payment: idempotency_key collision (different inputs)");
+    }
+    if (winner) {
+      var winnerReplay = null;
+      try { winnerReplay = JSON.parse(winner.response_body); } catch (_e) { winnerReplay = { _raw: winner.response_body }; }
+      Object.defineProperty(winnerReplay, "_stripeStatus", { value: Number(winner.response_status), enumerable: false });
+      Object.defineProperty(winnerReplay, "_replayed",     { value: true,                            enumerable: false });
+      return winnerReplay;
+    }
+    // Conflicted but the row vanished (TTL purge between the two
+    // statements) — fall through: our own result is still the outcome.
+  }
 
   return result;
 }