@blamejs/blamejs-shop 0.4.28 → 0.4.30

package/lib/stock-alerts.js

@@ -33,6 +33,15 @@
  *   prior row's terminal state is cleared from the unique-index slot
  *   first.
  *
+ *   Privacy requests. `exportForCustomer({ customer_id?, email_hash? })`
+ *   returns the subject's subscription rows (the plaintext address
+ *   included — it is the subject's own data; token hashes excluded)
+ *   and `eraseForCustomer({ customer_id?, email_hash?, dry_run? })`
+ *   hard-deletes them — a stock alert is convenience data with no
+ *   retention basis. Both match on customer_id OR the stock-alert-
+ *   namespace email hash, so a caller holding either key covers the
+ *   subject's rows.
+ *
  *   Composes:
  *     - `b.crypto.namespaceHash` — email hash + token hash.
  *     - `b.crypto.generateBytes` — 24 random bytes →
@@ -157,6 +166,43 @@ function _hashUnsubToken(plaintext) {
   return b.crypto.namespaceHash(UNSUB_NAMESPACE, plaintext);
 }
 
+// Normalize the DSR selector for exportForCustomer / eraseForCustomer:
+// at least one of customer_id / email_hash must be present. Bad UUID
+// shape throws (operator catches the typo at the boundary); a null /
+// absent key is simply not used in the predicate. `email_hash` is the
+// stock-alert-namespace digest (hex from b.crypto.namespaceHash), so a
+// generous shape gate (non-empty printable string) is all it needs.
+function _dsrSelector(input, method) {
+  if (!input || typeof input !== "object") {
+    throw new TypeError("stockAlerts." + method + ": input object required");
+  }
+  var custId    = _optUuid(input.customer_id, "customer_id");
+  var emailHash = null;
+  if (input.email_hash != null) {
+    if (typeof input.email_hash !== "string" || !input.email_hash.length ||
+        input.email_hash.length > 256 || /[\x00-\x1f\x7f]/.test(input.email_hash)) {
+      throw new TypeError("stockAlerts." + method + ": email_hash must be a non-empty printable string <= 256 chars when provided");
+    }
+    emailHash = input.email_hash;
+  }
+  if (custId == null && emailHash == null) {
+    throw new TypeError("stockAlerts." + method + ": at least one of customer_id / email_hash is required");
+  }
+  return { custId: custId, emailHash: emailHash };
+}
+
+// Build the `customer_id = ? OR email_hash = ?` predicate from whichever
+// selector keys are present. Shared by export + erase so the two never
+// diverge on which rows belong to the subject.
+function _dsrWhere(sel) {
+  var ors    = [];
+  var params = [];
+  var idx    = 1;
+  if (sel.custId != null)    { ors.push("customer_id = ?" + idx); params.push(sel.custId);    idx += 1; }
+  if (sel.emailHash != null) { ors.push("email_hash = ?" + idx);  params.push(sel.emailHash); idx += 1; }
+  return { clause: "(" + ors.join(" OR ") + ")", params: params };
+}
+
 // ---- factory ------------------------------------------------------------
 
 function create(opts) {
@@ -235,6 +281,14 @@ function create(opts) {
       if (existing) {
         var stillLive = existing.notified_at == null && Number(existing.expires_at) > now;
         if (stillLive) {
+          // A re-subscribe NEVER re-keys the existing row's customer_id.
+          // The email on this request is caller-supplied and unproven, so
+          // adopting a row first created by someone else would let a
+          // signed-in caller pull a stranger's subscription into their own
+          // account scope. A row stays owned by whoever the INSERT linked
+          // it to (or anonymous); anonymous rows are reachable for privacy
+          // requests via the email_hash key + bearer token, exactly as
+          // eraseForCustomer's residual-scope note documents.
           return {
             id:         existing.id,
             status:     existing.confirmed_at == null ? "already-pending" : "already-confirmed",
@@ -427,6 +481,62 @@ function create(opts) {
       return rows;
     },
 
+    // exportForCustomer({ customer_id?, email_hash? }) — subject-access
+    // (Art. 15) read. A subscription is keyed to a person by EITHER
+    // customer_id (a signed-in subscriber) OR the module's own
+    // stock-alert-namespace email hash (an anonymous subscriber). Both
+    // keys are matched with OR so a caller holding both covers every row;
+    // a caller resolving the subject by customer_id alone (the DSR
+    // composition root — no raw email is held anywhere to re-hash under
+    // this namespace) covers every account-linked row. The exported shape
+    // includes `email_normalised` — the subject's own address, stored
+    // plaintext by design for the notification dispatcher — and excludes
+    // the confirmation / unsubscribe token hashes (bearer credentials,
+    // not subject data).
+    exportForCustomer: async function (input) {
+      var sel = _dsrSelector(input, "exportForCustomer");
+      var w   = _dsrWhere(sel);
+      return (await query(
+        "SELECT id, email_hash, email_normalised, sku, variant_id, customer_id, " +
+        "confirmed_at, notified_at, expires_at, created_at " +
+        "FROM stock_alerts WHERE " + w.clause +
+        " ORDER BY created_at DESC, id DESC LIMIT ?" + (w.params.length + 1),
+        w.params.concat([MAX_LIST_LIMIT]),
+      )).rows;
+    },
+
+    // eraseForCustomer({ customer_id?, email_hash?, dry_run? }) — GDPR
+    // Art. 17 erasure. A stock alert is pure convenience data holding a
+    // PLAINTEXT email with no retention basis, so erasure hard-DELETEs
+    // the rows (which also frees the (email, sku, variant) unique-index
+    // slot cleanly — the person can re-subscribe later). Same dual-key
+    // selector as the export so the two never diverge on which rows
+    // belong to the subject. `dry_run: true` counts the rows a wet run
+    // WOULD delete without mutating. Returns the DSR reader contract
+    // shape `{ table, deleted }`.
+    //
+    // Residual scope, stated rather than implied: rows subscribed
+    // anonymously (customer_id NULL) are reachable only via the
+    // email_hash key — a customer_id-only call cannot match them because
+    // the system never holds the raw address to re-derive this
+    // namespace's hash. Those rows stay covered by the retention TTL
+    // (default 90 days, swept by cleanupExpired) and by the per-row
+    // bearer unsubscribe token the subscriber holds.
+    eraseForCustomer: async function (input) {
+      var dryRun = !!(input && input.dry_run);
+      var sel = _dsrSelector(input, "eraseForCustomer");
+      var w   = _dsrWhere(sel);
+      if (dryRun) {
+        var c = (await query(
+          "SELECT COUNT(*) AS n FROM stock_alerts WHERE " + w.clause,
+          w.params,
+        )).rows[0];
+        return { table: "stock_alerts", deleted: c ? Number(c.n) : 0 };
+      }
+      var r = await query("DELETE FROM stock_alerts WHERE " + w.clause, w.params);
+      return { table: "stock_alerts", deleted: Number((r && r.rowCount) || 0) };
+    },
+
     // Operator-driven sweeper. Walks every pending (confirmed +
     // un-notified + un-expired) subscription whose SKU now has
     // catalog.inventory.stock_on_hand - stock_held > 0 and:

package/lib/store-credit.js

@@ -146,16 +146,17 @@ function create(opts) {
     query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
-  // O(1) current-balance read: the latest row by `occurred_at DESC`
-  // holds `balance_after_minor` as the denormalized snapshot. No SUM
+  // O(1) current-balance read: the latest row by `occurred_at DESC, id
+  // DESC` holds `balance_after_minor` as the denormalized snapshot. No SUM
   // aggregation at read time. Falls through to 0 when no rows exist
-  // (a customer that has never had a ledger row has zero credit).
-  // Returns both the snapshot and the occurred_at so the write path
-  // can guarantee strict monotonicity (see `_resolveOccurredAt`).
+  // (a customer that has never had a ledger row has zero credit). The id
+  // tie-break keeps any legacy same-millisecond rows deterministic; new
+  // writes can't tie — _writeRowAtomic computes a strictly-monotonic
+  // per-customer occurred_at inside the INSERT itself.
   async function _readLatest(customerId) {
     var r = await query(
       "SELECT balance_after_minor, occurred_at FROM store_credit_ledger " +
-      "WHERE customer_id = ?1 ORDER BY occurred_at DESC LIMIT 1",
+      "WHERE customer_id = ?1 ORDER BY occurred_at DESC, id DESC LIMIT 1",
       [customerId],
     );
     if (!r.rows.length) return { balance: 0, occurred_at: null };
@@ -167,27 +168,62 @@ function create(opts) {
     return latest.balance;
   }
 
-  // Two writes against the same customer in the same millisecond
-  // would tie on `occurred_at` and make the "latest row" ambiguous.
-  // Bump the requested timestamp to `prior + 1` when it would
-  // collide (or land older than the prior row, which an
-  // out-of-order operator write could trigger). The result is a
-  // strictly-monotonic per-customer `occurred_at` sequence.
-  function _resolveOccurredAt(requestedTs, latestTs) {
-    if (latestTs == null) return requestedTs;
-    if (requestedTs > latestTs) return requestedTs;
-    return latestTs + 1;
-  }
-
-  async function _writeRow(customerId, kind, amountMinor, source, sourceRef, orderId, balanceAfter, expiresAt, ts) {
+  // Single-statement guarded write — the concurrency spine of the wallet.
+  // The live balance AND the strictly-monotonic per-customer occurred_at
+  // are computed by correlated subqueries INSIDE the INSERT, so two
+  // concurrent writes can never base off the same stale snapshot: the
+  // statements serialize at the database and the second sees the first's
+  // row. (A JS-side read-then-write here double-fulfilled concurrent
+  // debits and silently dropped one of two same-millisecond credits.)
+  // `kind` selects the guard + arithmetic:
+  //   credit — balance_after = live + amount, no balance gate (the in-SQL
+  //            occurred_at is what closes the same-millisecond tie);
+  //   debit  — balance_after = live - amount, gated on live >= amount
+  //            (zero rows = insufficient, or lost the race — same refusal);
+  //   expire — burns MIN(amount, live), gated on live > 0 (zero rows =
+  //            wallet already empty; callers degrade gracefully — by
+  //            design, never a throw).
+  // Returns the written row's resolved values, or null when the guard
+  // refused the write.
+  async function _writeRowAtomic(kind, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs) {
     var id = b.uuid.v7();
-    await query(
+    var balSub = "COALESCE((SELECT balance_after_minor FROM store_credit_ledger " +
+                 "WHERE customer_id = ?2 ORDER BY occurred_at DESC, id DESC LIMIT 1), 0)";
+    var tsSub  = "COALESCE((SELECT occurred_at FROM store_credit_ledger " +
+                 "WHERE customer_id = ?2 ORDER BY occurred_at DESC, id DESC LIMIT 1), 0)";
+    var tsExpr = "CASE WHEN ?8 > " + tsSub + " THEN ?8 ELSE " + tsSub + " + 1 END";
+    var amountExpr, afterExpr, guard;
+    if (kind === "credit") {
+      amountExpr = "?3";
+      afterExpr  = balSub + " + ?3";
+      guard      = "1";
+    } else if (kind === "debit") {
+      amountExpr = "?3";
+      afterExpr  = balSub + " - ?3";
+      guard      = balSub + " >= ?3";
+    } else {            // expire — burn MIN(amount, live balance)
+      amountExpr = "CASE WHEN " + balSub + " < ?3 THEN " + balSub + " ELSE ?3 END";
+      afterExpr  = "CASE WHEN " + balSub + " < ?3 THEN 0 ELSE " + balSub + " - ?3 END";
+      guard      = balSub + " > 0";
+    }
+    var res = await query(
       "INSERT INTO store_credit_ledger " +
       "(id, customer_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, expires_at, occurred_at) " +
-      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10)",
-      [id, customerId, kind, amountMinor, source, sourceRef, orderId, balanceAfter, expiresAt, ts],
+      "SELECT ?1, ?2, ?9, " + amountExpr + ", ?4, ?5, ?6, " + afterExpr + ", ?7, " + tsExpr + " " +
+      "WHERE " + guard,
+      [id, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs, kind],
     );
-    return id;
+    if (Number(res.rowCount || 0) === 0) return null;
+    var row = (await query(
+      "SELECT amount_minor, balance_after_minor, occurred_at FROM store_credit_ledger WHERE id = ?1",
+      [id],
+    )).rows[0];
+    return {
+      id:                  id,
+      amount_minor:        row.amount_minor,
+      balance_after_minor: row.balance_after_minor,
+      occurred_at:         row.occurred_at,
+    };
   }
 
   return {
@@ -206,21 +242,18 @@ function create(opts) {
       var requested  = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(customerId);
-      var ts     = _resolveOccurredAt(requested, latest.occurred_at);
-      var after  = latest.balance + amount;
-      var id = await _writeRow(customerId, "credit", amount, source, sourceRef, null, after, expiresAt, ts);
+      var w = await _writeRowAtomic("credit", customerId, amount, source, sourceRef, null, expiresAt, requested);
 
       return {
-        id:                  id,
+        id:                  w.id,
         customer_id:         customerId,
         kind:                "credit",
         amount_minor:        amount,
         source:              source,
         source_ref:          sourceRef,
         expires_at:          expiresAt,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
       };
     },
 
@@ -234,24 +267,24 @@ function create(opts) {
       var requested  = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(customerId);
-      if (amount > latest.balance) {
+      // The balance gate lives INSIDE the insert — a refused write covers
+      // both "always insufficient" and "a concurrent debit drained it
+      // first", with no window between check and write.
+      var w = await _writeRowAtomic("debit", customerId, amount, null, null, orderId, null, requested);
+      if (!w) {
         var insufficient = new Error("storeCredit.debit: amount exceeds available balance");
         insufficient.code = "STORE_CREDIT_INSUFFICIENT_BALANCE";
         throw insufficient;
       }
-      var ts    = _resolveOccurredAt(requested, latest.occurred_at);
-      var after = latest.balance - amount;
-      var id = await _writeRow(customerId, "debit", amount, null, null, orderId, after, null, ts);
 
       return {
-        id:                  id,
+        id:                  w.id,
         customer_id:         customerId,
         kind:                "debit",
         amount_minor:        amount,
         order_id:            orderId,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
       };
     },
 
@@ -272,18 +305,15 @@ function create(opts) {
       var requested = _epochMs(input.occurred_at, "occurred_at");
       if (requested == null) requested = _now();
 
-      var latest = await _readLatest(customerId);
-      // Expire caps at the current balance — operators running a
-      // scheduled sweep over computed "expiring before X" amounts
-      // should degrade gracefully rather than refusing when an
-      // interim debit has already drained the wallet.
-      var toBurn = amount > latest.balance ? latest.balance : amount;
-      if (toBurn === 0) {
-        // No-op write: persisting a zero-amount row would violate
-        // the CHECK(amount_minor > 0) constraint. Surface a
-        // structured refusal so the caller can distinguish "already
-        // empty" from "actually burned N". A no-op expire is a
-        // valid outcome of a bulk sweep — don't throw.
+      // Expire caps at the current balance INSIDE the insert — operators
+      // running a scheduled sweep over computed "expiring before X"
+      // amounts degrade gracefully rather than refusing when an interim
+      // debit has already drained the wallet. A refused write (wallet
+      // already at zero) is the structured no-op below, never a throw —
+      // by design: a no-op expire is a valid outcome of a bulk sweep,
+      // and a zero-amount row would violate CHECK(amount_minor > 0).
+      var w = await _writeRowAtomic("expire", customerId, amount, null, reason, null, null, requested);
+      if (!w) {
         return {
           id:                  null,
           customer_id:         customerId,
@@ -291,24 +321,21 @@ function create(opts) {
           amount_minor:        0,
           requested_minor:     amount,
           reason:              reason,
-          balance_after_minor: latest.balance,
+          balance_after_minor: await _currentBalance(customerId),
           occurred_at:         requested,
           noop:                true,
         };
       }
-      var ts    = _resolveOccurredAt(requested, latest.occurred_at);
-      var after = latest.balance - toBurn;
-      var id = await _writeRow(customerId, "expire", toBurn, null, reason, null, after, null, ts);
 
       return {
-        id:                  id,
+        id:                  w.id,
         customer_id:         customerId,
         kind:                "expire",
-        amount_minor:        toBurn,
+        amount_minor:        w.amount_minor,
         requested_minor:     amount,
         reason:              reason,
-        balance_after_minor: after,
-        occurred_at:         ts,
+        balance_after_minor: w.balance_after_minor,
+        occurred_at:         w.occurred_at,
         noop:                false,
       };
     },
@@ -585,29 +612,22 @@ function create(opts) {
           continue;
         }
 
-        var latest = await _readLatest(customerId);
-        // Cap the burn at the wallet's current balance.
-        // Debits between the credit and the sweep may have spent
-        // the expired amount already; we never drive the balance
-        // negative. The expired credits were "first-out" from the
-        // operator's POV — but the schema doesn't track FIFO at
-        // row-level, so cap by current balance and let the audit
-        // trail reflect what was actually burned.
-        var toBurn = pendingBurn > latest.balance ? latest.balance : pendingBurn;
-        if (toBurn <= 0) {
-          // Wallet already empty — record nothing (no CHECK > 0
-          // violation). Operator can reconcile via history.
-          continue;
-        }
-        var ts    = _resolveOccurredAt(now, latest.occurred_at);
-        var after = latest.balance - toBurn;
-        var id    = await _writeRow(customerId, "expire", toBurn, null, SWEEP_SOURCE_REF, null, after, null, ts);
+        // The burn caps at the wallet's current balance INSIDE the
+        // guarded insert. Debits between the credit and the sweep may
+        // have spent the expired amount already; the write never drives
+        // the balance negative, and a wallet already at zero refuses the
+        // write entirely (no CHECK > 0 violation; operator reconciles
+        // via history). The expired credits were "first-out" from the
+        // operator's POV — the schema doesn't track FIFO at row level,
+        // so the audit trail reflects what was actually burned.
+        var w = await _writeRowAtomic("expire", customerId, pendingBurn, null, SWEEP_SOURCE_REF, null, null, now);
+        if (!w) continue;
         processed.push({
-          id:                  id,
+          id:                  w.id,
           customer_id:         customerId,
-          amount_minor:        toBurn,
-          balance_after_minor: after,
-          occurred_at:         ts,
+          amount_minor:        w.amount_minor,
+          balance_after_minor: w.balance_after_minor,
+          occurred_at:         w.occurred_at,
         });
       }
       return { processed: processed, swept_at: now };

package/lib/storefront.js

@@ -14864,7 +14864,7 @@ function mount(router, deps) {
         // the buyer must lower a quantity or drop a line; nothing was
         // charged and any holds placed mid-confirm were already released.
         if (code.indexOf("GIFTCARD_") === 0 || code.indexOf("LOYALTY_") === 0 ||
-            code === "INSUFFICIENT_STOCK") {
+            code === "INSUFFICIENT_STOCK" || code === "AUTO_DISCOUNT_EXHAUSTED") {
           try {
             var coLines = await _repriceCartLines(await deps.cart.listLines(c.id));
             if (coLines.length) {
@@ -14998,7 +14998,7 @@ function mount(router, deps) {
           // Customer-correctable credit errors (bad gift-card code,
           // insufficient loyalty balance, points on a guest cart) are 400s
           // whose message the button surfaces inline.
-          var gcErr = ecode.indexOf("GIFTCARD_") === 0 || ecode.indexOf("LOYALTY_") === 0;
+          var gcErr = ecode.indexOf("GIFTCARD_") === 0 || ecode.indexOf("LOYALTY_") === 0 || ecode === "AUTO_DISCOUNT_EXHAUSTED";
           // Out-of-stock is a 409 (conflict) carrying the friendly per-line
           // message so the PayPal button surfaces it; nothing was charged
           // and the mid-confirm holds were already released.
@@ -21025,11 +21025,22 @@ function mount(router, deps) {
       var body = req.body || {};
       var cartCount = 0;
       try { cartCount = await _cartCountForReq(req); } catch (_e) { /* drop-silent — empty cart fallback */ }
+      // Link the subscription to the signed-in customer when there is one,
+      // so the row joins the account's privacy export / erasure scope. A
+      // missing, stale, or revoked auth cookie reads as signed-out and the
+      // anonymous subscribe (the primary, edge-served PDP flow — this route
+      // stays in EDGE_POST_PATHS, no auth required) is unchanged.
+      var saCustomerId = null;
+      try {
+        var saEnv = _currentCustomerEnv(req);
+        if (saEnv && !(await _sessionRevoked(saEnv))) saCustomerId = saEnv.customer_id;
+      } catch (_e) { saCustomerId = null; }
       try {
         var result = await deps.stockAlerts.subscribe({
-          email:      body.email,
-          sku:        body.sku,
-          variant_id: (body.variant_id != null && body.variant_id !== "") ? body.variant_id : null,
+          email:       body.email,
+          sku:         body.sku,
+          variant_id:  (body.variant_id != null && body.variant_id !== "") ? body.variant_id : null,
+          customer_id: saCustomerId,
         });
         // Only a brand-new subscription carries a plaintext token. Send the
         // confirmation email best-effort; a mailer hiccup must not 500 the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.28",
+  "version": "0.4.30",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {