@blamejs/blamejs-shop 0.4.3 → 0.4.5

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.5 (2026-06-05) — **One sign-in screen: passkey first, email sign-in link as the built-in fallback.** The sign-in page previously offered the passkey ceremony with the email magic-link alternative a page away behind a link. Both now live on one screen: passkey stays the primary action, and an "Email me a sign-in link" form sits inline beneath it — a plain server-rendered form that works with JavaScript disabled. The page meets failure gracefully: a browser without WebAuthn support disables the passkey button and points to the email form, and a failed or cancelled passkey ceremony scrolls the shopper to the fallback with their typed email carried over, one tap from a sign-in link instead of a dead end. Responses are identical whether or not an account exists for the address, the trigger is rate-limited, and a visitor who is already signed in is redirected to their account instead of seeing a login form. **Changed:** *Sign-in page unifies passkey and email-link paths* — Passkey remains the primary action; the email sign-in link form renders inline on the same screen when transactional email is configured, works without JavaScript, and inherits the existing magic-link token semantics unchanged (single-use, expiring). Browsers without WebAuthn support are steered to the email form up front, and any passkey ceremony failure lands the shopper on the fallback with their email pre-filled. The email form's responses do not reveal whether an address has an account, the trigger endpoint is tightly rate-limited, and signed-in visitors are redirected away from the login form.
+
+- v0.4.4 (2026-06-05) — **Placement-targeted promo banners with scheduling, audiences, and click tracking.** Operators can now run placement-specific marketing banners alongside the existing sitewide announcement bar. A banner targets one of six placements — the top strip, the homepage hero, the product-page side, the cart side, the empty-search state, or the footer — with a schedule window, an audience (everyone, signed-in, or guests), one of four visual themes, a priority for choosing among overlapping banners, and a call-to-action whose clicks and impressions are counted. Banners are authored, edited, archived, and restored at /admin/promo-banners, render identically on edge-cached and container-rendered pages, and the click counter works on both. Separately, the edge's Permissions-Policy header now denies the same full directive set as the container's, closing a drift where nine newer denials were missing from edge-served pages, and a parity test keeps the two substrates locked together from here on. The vendored blamejs framework is refreshed from v0.14.21 to v0.14.22. **Added:** *Promo banners* — Define a banner with a slug, placement, headline, optional body, call-to-action, audience, schedule window, theme, and priority; the highest-priority active banner per placement renders. Operator-authored text is escaped at render on both substrates. Clicks route through a counting redirect that works whether the page came from the edge cache or the container; impressions count on container renders. The admin screen covers the full lifecycle including archive and restore, and the same operations are available as JSON under the admin bearer token. The sitewide announcement bar is unchanged and remains the simpler always-on notice strip — if you define a top-strip promo banner while an announcement is active, both render, so pick one for the top of the page. **Fixed:** *Edge pages deny the same Permissions-Policy directives as container pages* — The edge-served pages' Permissions-Policy was missing nine newer directives the container already denied (among them shared-storage, run-ad-auction, join-ad-interest-group, and smartcard). Both substrates now send the identical deny-all list, and a test fails the build if a framework update ever grows one list without the other.
+
 - v0.4.3 (2026-06-05) — **Passkey sign-in works again: WebAuthn is permitted on the pages that host it.** The framework's deny-all Permissions-Policy disabled the browser's WebAuthn API everywhere — including the sign-in page's own top-level document — so attempting a passkey sign-in failed with the browser reporting that publickey-credentials-get is not enabled. The policy now permits exactly the WebAuthn capability each ceremony page needs: credential assertion on the sign-in page, credential creation on the registration and passkey-management pages, both scoped to the page's own origin. Every other page keeps the strict deny-all policy, and every other feature (camera, microphone, geolocation, payment outside the payment page) remains denied on the ceremony pages too. **Fixed:** *Passkey ceremonies are no longer blocked by Permissions-Policy* — Sign-in carries publickey-credentials-get=(self); registration and passkey management carry publickey-credentials-create=(self). The allowance is scoped per route following the same pattern the payment page uses, grants apply only to the page's own origin (no cross-origin delegation), and unrecognized feature requests relax nothing. Tests assert the exact header tokens per route and that unrelated pages still deny both WebAuthn features.
 
 - v0.4.2 (2026-06-05) — **Abandoned checkouts release their stock holds, and five more inventory and admin hardening fixes.** The inventory enforcement introduced in 0.4.0 placed a stock hold at checkout but had no path to free it when a buyer abandoned without paying or cancelling — each abandoned checkout permanently subtracted from sellable stock until an operator intervened. A scheduled reaper now cancels pending orders older than a configurable age (default two hours), cancelling the payment intent first so a late payment can never complete against a reaped order, and releasing the held stock through the existing cancellation path. Around it, five more fixes harden the same surface: settlement failures during payment confirmation no longer strand holds silently (each item settles independently and failures land in the operator error log with the exact item and quantity), a rollback path no longer releases holds belonging to an order that was successfully created, pre-order campaigns whose launch date has passed now enforce real stock limits instead of remaining exempt, the admin activity timeline rejects protocol-relative link targets, and activity reads are bounded instead of scanning a customer's full history per page view. **Fixed:** *Stock holds from abandoned checkouts are reclaimed* — A pending order that never completes payment now has its stock hold released automatically. The scheduled reaper cancels pending orders older than CHECKOUT_PENDING_TTL_MINUTES (default 120, minimum 5; invalid values refuse to boot). For card payments the payment intent is cancelled at the processor before the order is touched — if the processor reports the payment already succeeded, the order is left alone for the webhook to settle. Each sweep reports counts of reaped, skipped, and errored orders. · *Payment settlement is crash-safe per item* — When an order is marked paid, each line's stock decrement now settles independently: one item's database failure no longer blocks the others, no longer fails the payment webhook, and is captured to the operator error log naming the item, quantity, and order so the operator can reconcile stock from the existing adjustment screen. · *Checkout rollback no longer releases holds it does not own* — If checkout fails after the order record was created, the error path previously released all of the attempt's stock holds — which could free units belonging to the order itself or, on a shared item, a concurrent shopper's reservation. Holds are now released on failure only when no order was created; once an order exists it owns its holds, and cancellation or the reaper frees them. The same correction applies to the PayPal order-creation path. · *Pre-order campaigns enforce stock after their launch date* — An active pre-order campaign exempts its product from stock holds by design — pre-orders sell beyond the shelf. That exemption now ends when the campaign's launch date passes: a launched product sells from real inventory even if the campaign has not yet been moved out of its pre-order state in the console. · *Admin activity links and reads hardened* — The customer activity timeline's internal-link guard now rejects protocol-relative targets, and each activity source is read with a bound matching the requested page instead of scanning the customer's entire history. Pagination, ordering, and the summary counts are unchanged.

package/README.md

@@ -67,6 +67,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/tax.js`** | Operator-table adapter. Country / state / postal_prefix → rate_bps. Most-specific-first match, banker's rounding. Pluggable adapter shape for future Stripe Tax / TaxJar / Avalara. |
 | **`lib/shipping.js`** | Operator-table adapter. Services with zones (flat or per-gram + base + min/max), free-over-threshold, `digital_only` flag. |
 | **`lib/delivery-estimate.js`** | "Get it by <date>" promises. Operators define carrier transit times, warehouse cutoffs, holidays, and postal-prefix zones at `/admin/delivery-estimates`; the product and cart pages then show a signed-in customer a delivery date computed against their saved shipping address and the configured origin (`SHOP_ESTIMATE_ORIGIN` or the `shop.estimate_origin` config row). Anonymous, edge-cached pages deliberately render no date — estimates are destination-specific and never bake into the shared cache. Unconfigured stores render nothing, never an error. |
+| **`lib/promo-banners.js`** | Placement-targeted marketing banners (top strip, homepage hero, PDP-side, cart-side, empty-search, footer) with schedule windows, audience targeting, themes, priorities, and click/impression counts. Authored at `/admin/promo-banners`; rendered on both substrates with edge-cache-safe resolution. |
 | **`lib/payment.js`** | Payment adapters — **Stripe** (verify webhook HMAC-SHA256 via upstream `b.webhook.verify`, create / retrieve / confirm / cancel PaymentIntent, refund, register / list payment-method domains for Apple/Google Pay) and **PayPal** (`adapter: "paypal"` — OAuth2 client-credentials token, create / capture / get / refund Orders v2, webhook verify via PayPal's verify-webhook-signature API). No `stripe` / `paypal` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
 | **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. |
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` validates the ship-to address (real ISO 3166-1 country; US/CA state + ZIP/postal formats; lenient elsewhere) and the customer email shape, then creates a Stripe PaymentIntent + persists order pending; `handleStripeEvent()` verifies webhook + fires the FSM transition. PayPal path: `createPaypalOrder()` opens a PayPal order + persists pending, `capturePaypalOrder()` captures → paid, `handlePaypalEvent()` is the webhook backstop. All idempotent on re-delivery. |
@@ -235,13 +236,13 @@ variables. A signed-in operator can see the live on/off status of each at
   *Re-opens* as a real build (a `requires_age_check` product attribute + a
   server-enforced edge + container interstitial) if an age-restricted category
   enters the catalog.
-- **Placement-specific promo banners** — the sitewide promo/notice strip is the
-  **announcement bar** (managed at `/admin/announcements`); it is the single
-  source for the top-of-page strip. Additional marketing *placements*
-  (homepage hero, PDP-side, cart-side, empty-search, footer) are a future
-  additive surface. *Re-opens* when you want placement-specific marketing beyond
-  the sitewide strip; the top strip stays the announcement bar's (running two
-  competing sitewide strips is avoided by design).
+- **Placement-specific promo banners** — managed at `/admin/promo-banners`:
+  scheduled, audience-targeted banners per placement (top strip, homepage
+  hero, PDP-side, cart-side, empty-search, footer) with themes, priorities,
+  and click/impression counts. The sitewide **announcement bar**
+  (`/admin/announcements`) remains the simpler always-on notice strip; both
+  can target the top of the page, so pick one for the top strip — defining a
+  `top_strip` promo banner while an announcement is active stacks the two.
 
 ## Vendoring blamejs
 

package/lib/admin.js

@@ -6200,6 +6200,156 @@ function mount(router, deps) {
     ));
   }
 
+  // ---- promo banners --------------------------------------------------
+  // Operator-authored marketing banners at six fixed storefront placements.
+  // Content-negotiated like the other console screens: bearer → the JSON
+  // contract; signed-in browser → the HTML table + create form. The console
+  // exposes the all / guest / logged_in audiences; the primitive's segment
+  // audience needs an isMember handle that isn't wired (see server.js), so it
+  // isn't offered here. Lifecycle: define → list / detail → update → archive /
+  // unarchive (the primitive exposes unarchive, so the console offers a
+  // restore action alongside archive — matching the full lib surface).
+  if (deps.promoBanners) {
+    var promos = deps.promoBanners;
+
+    router.get("/admin/promo-banners", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var activeS = url && url.searchParams.get("active");
+        var rows = await promos.listAll(activeS === "1" ? { active_only: true } : {});
+        _json(res, 200, { rows: rows });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var activeS = url && url.searchParams.get("active");
+        var rows = await promos.listAll(activeS === "1" ? { active_only: true } : {});
+        _sendHtml(res, 200, renderAdminPromoBanners({
+          shop_name: deps.shop_name, nav_available: navAvailable, banners: rows,
+          active_filter: activeS,
+          created:  url && url.searchParams.get("created"),
+          archived: url && url.searchParams.get("archived"),
+          restored: url && url.searchParams.get("restored"),
+          notice:   (url && url.searchParams.get("err")) ? "That action couldn't be completed for the banner." : null,
+        }));
+      },
+    ));
+
+    router.post("/admin/promo-banners", _pageOrApi(false,
+      W("promo_banner.define", async function (req, res) {
+        var row = await promos.defineBanner(req.body || {});
+        _json(res, 201, row);
+        return { id: row.slug };
+      }),
+      async function (req, res) {
+        try {
+          await promos.defineBanner(_promoBannerFromForm(req.body || {}));
+        } catch (e) {
+          var n = _safeNotice(e, "promo_banner.define");
+          var rows = await promos.listAll({});
+          return _sendHtml(res, n.status, renderAdminPromoBanners({
+            shop_name: deps.shop_name, nav_available: navAvailable, banners: rows,
+            notice: n.message.replace(/^promoBanners[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".promo_banner.define", outcome: "success" });
+        _redirect(res, "/admin/promo-banners?created=1");
+      },
+    ));
+
+    // Detail screen: the single banner + its edit form. Content-negotiates
+    // like the list — bearer → the JSON row; browser cookie → the rendered
+    // edit page. A bad / unknown slug is a 404 page (browser) or 404 problem
+    // (bearer), never a 500.
+    router.get("/admin/promo-banners/:slug", _pageOrApi(true,
+      R(async function (req, res) {
+        var row = await promos.getBanner(req.params.slug);
+        if (!row) return _problem(res, 404, "promo-banner-not-found");
+        _json(res, 200, row);
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var row = null;
+        try { row = await promos.getBanner(req.params.slug); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _sendHtml(res, 404, renderAdminPromoBanners({
+          shop_name: deps.shop_name, nav_available: navAvailable, banners: [], notice: "Banner not found.",
+        }));
+        _sendHtml(res, 200, renderAdminPromoBanner({
+          shop_name: deps.shop_name, nav_available: navAvailable, banner: row,
+          updated: url && url.searchParams.get("updated"),
+          notice:  (url && url.searchParams.get("err")) ? "That action couldn't be completed for the banner." : null,
+        }));
+      },
+    ));
+
+    // Edit content-negotiates: bearer POST /edit (JSON) + browser POST /edit
+    // (HTML forms can't PATCH). Both forward the full editable column set into
+    // updateBanner, preserving the slug + accumulated counters (archive-and-
+    // recreate would discard both). PRG to ?updated=1; a bad shape is a clean
+    // 400 (bearer) / err notice (browser).
+    router.post("/admin/promo-banners/:slug/edit", _pageOrApi(false,
+      W("promo_banner.update", async function (req, res) {
+        var row;
+        try { row = await promos.updateBanner(req.params.slug, _promoBannerPatchFromForm(req.body || {})); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "promo-banner-not-found");
+        _json(res, 200, row);
+        return { id: row.slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var enc = encodeURIComponent(slug);
+        try { await promos.updateBanner(slug, _promoBannerPatchFromForm(req.body || {})); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; return _redirect(res, "/admin/promo-banners/" + enc + "?err=1"); }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".promo_banner.update", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/promo-banners/" + enc + "?updated=1");
+      },
+    ));
+
+    router.post("/admin/promo-banners/:slug/archive", _pageOrApi(false,
+      W("promo_banner.archive", async function (req, res) {
+        var row;
+        try { row = await promos.archive(req.params.slug); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "promo-banner-not-found");
+        _json(res, 200, row);
+        return { id: row.slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var row = null;
+        try { row = await promos.archive(slug); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _redirect(res, "/admin/promo-banners?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".promo_banner.archive", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/promo-banners?archived=1");
+      },
+    ));
+
+    // Restore an archived banner — the primitive exposes unarchive, so the
+    // console surfaces it (the announcement bar has no unarchive, so it has no
+    // restore action; here the full lifecycle is offered).
+    router.post("/admin/promo-banners/:slug/unarchive", _pageOrApi(false,
+      W("promo_banner.unarchive", async function (req, res) {
+        var row;
+        try { row = await promos.unarchive(req.params.slug); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "promo-banner-not-found");
+        _json(res, 200, row);
+        return { id: row.slug };
+      }),
+      async function (req, res) {
+        var slug = req.params.slug;
+        var row = null;
+        try { row = await promos.unarchive(slug); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _redirect(res, "/admin/promo-banners?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".promo_banner.unarchive", outcome: "success", metadata: { slug: slug } });
+        _redirect(res, "/admin/promo-banners?restored=1");
+      },
+    ));
+  }
+
   // ---- search ranking -------------------------------------------------
   // Operator-tunable storefront search ranking: named weight sets (one
   // active at a time), per-query manual pins, and a per-set metrics rollup.
@@ -11724,6 +11874,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "shipping-labels", href: "/admin/shipping-labels", label: "Shipping labels", requires: "shippingLabels" },
   { key: "pick-lists",   href: "/admin/pick-lists",   label: "Pick lists",   requires: "pickLists" },
   { key: "announcements", href: "/admin/announcements", label: "Announcements", requires: "announcementBar" },
+  { key: "promo-banners", href: "/admin/promo-banners", label: "Promo banners", requires: "promoBanners" },
   { key: "blog",         href: "/admin/blog",         label: "Blog",         requires: "blog" },
   { key: "help",         href: "/admin/help",         label: "Help center",  requires: "knowledgeBase" },
   { key: "pages",        href: "/admin/pages",        label: "Pages",        requires: "storefrontPages" },
@@ -16752,6 +16903,231 @@ function renderAdminAnnouncements(opts) {
   return _renderAdminShell(opts.shop_name, "Announcements", bodyHtml, "announcements", opts.nav_available);
 }
 
+// ---- promo-banner form coercion -------------------------------------
+
+var _PROMO_PLACEMENT_LABELS = {
+  top_strip:     "Top strip (sitewide, above the nav)",
+  homepage_hero: "Homepage hero",
+  pdp_side:      "Product page sidebar",
+  cart_side:     "Cart page",
+  search_empty:  "Search — no results",
+  footer:        "Footer (sitewide)",
+};
+
+// A priority form field → integer, or NaN when blank/non-numeric so the
+// primitive's validator (not this coercion) is the one that reports it.
+function _promoPriorityField(v) {
+  if (v == null || v === "") return NaN;
+  var n = parseInt(v, 10);
+  return Number.isFinite(n) ? n : NaN;
+}
+
+// Coerce the create form into the shape promoBanners.defineBanner expects:
+// trimmed slug, the enum selects (placement / audience / theme), integer
+// priority, the optional body / image_url, and the two epoch schedule bounds.
+// defineBanner requires priority + starts_at + expires_at, so the form
+// collects all three; a blank optional (body / image_url) is dropped so the
+// primitive applies its own absence handling. The primitive is authoritative
+// on every field (URL scheme via safeUrl, slug/headline/label shape, window
+// monotonicity) and throws a TypeError on a bad shape, which both surfaces
+// degrade to a clean 400 / err notice.
+function _promoBannerFromForm(body) {
+  body = body || {};
+  var out = {
+    slug:       typeof body.slug === "string" ? body.slug.trim() : body.slug,
+    placement:  body.placement,
+    headline:   body.headline,
+    cta_label:  body.cta_label,
+    cta_url:    typeof body.cta_url === "string" ? body.cta_url.trim() : body.cta_url,
+    audience:   body.audience,
+    theme:      body.theme,
+    priority:   _promoPriorityField(body.priority),
+    starts_at:  _epochFromForm(body.starts_at),
+    expires_at: _epochFromForm(body.expires_at),
+  };
+  if (typeof body.body === "string" && body.body.length) out.body = body.body;
+  var img = typeof body.image_url === "string" ? body.image_url.trim() : "";
+  if (img) out.image_url = img;
+  return out;
+}
+
+// Coerce the edit form into an updateBanner patch. Each editable column rides
+// only when its hidden presence marker says so, so a partial edit doesn't
+// clear an unrelated column. The body / image_url presence markers map a
+// blank to null (clear it); the schedule markers map a blank bound to NaN so
+// the primitive (not this coercion) reports an invalid window. The primitive
+// validates the result and throws a TypeError on a bad shape, which both
+// surfaces degrade to a clean 400 / err notice.
+function _promoBannerPatchFromForm(body) {
+  body = body || {};
+  var patch = {};
+  if (body.placement != null && body.placement !== "") patch.placement = body.placement;
+  if (body.headline  != null && body.headline  !== "") patch.headline  = body.headline;
+  if (body.cta_label != null && body.cta_label !== "") patch.cta_label = body.cta_label;
+  if (body.audience  != null && body.audience  !== "") patch.audience  = body.audience;
+  if (body.theme     != null && body.theme     !== "") patch.theme     = body.theme;
+  if (body.cta_url   != null && body.cta_url   !== "") patch.cta_url   = String(body.cta_url).trim();
+  if (body.priority  != null && body.priority  !== "") patch.priority  = _promoPriorityField(body.priority);
+  if (body.body_present === "1") {
+    var bd = typeof body.body === "string" ? body.body : "";
+    patch.body = bd.length ? bd : null;
+  }
+  if (body.image_present === "1") {
+    var im = typeof body.image_url === "string" ? body.image_url.trim() : "";
+    patch.image_url = im.length ? im : null;
+  }
+  if (body.starts_present  === "1") patch.starts_at  = _epochFromForm(body.starts_at);
+  if (body.expires_present === "1") patch.expires_at = _epochFromForm(body.expires_at);
+  return patch;
+}
+
+// Single-banner detail + edit screen. Prefills every editable column and
+// posts to /edit; the hidden presence markers tell the patch coercion which
+// optional columns the form is authoritative for (so a blank body / image /
+// schedule clears rather than being ignored). The slug + placement are shown
+// but not re-editable here (placement IS editable via the select; the slug is
+// the stable id). An archived banner shows a restore action instead of the
+// edit form.
+function renderAdminPromoBanner(opts) {
+  opts = opts || {};
+  var p = opts.banner;
+  if (!p) {
+    var nf = "<section><h2>Promo banner</h2><p class=\"empty\">Banner not found.</p>" +
+      "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin/promo-banners\">Back to banners</a></div></section>";
+    return _renderAdminShell(opts.shop_name, "Promo banner", nf, "promo-banners", opts.nav_available);
+  }
+  var updated = opts.updated ? "<div class=\"banner banner--ok\">Banner updated.</div>" : "";
+  var notice  = opts.notice  ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var isArchived = p.archived_at != null;
+
+  var placementOpts = Object.keys(_PROMO_PLACEMENT_LABELS).map(function (pl) {
+    return "<option value=\"" + pl + "\"" + (pl === p.placement ? " selected" : "") + ">" + _htmlEscape(_PROMO_PLACEMENT_LABELS[pl]) + "</option>";
+  }).join("");
+  var themeOpts = ["urgency", "promo", "info", "success"].map(function (t) {
+    return "<option value=\"" + t + "\"" + (t === p.theme ? " selected" : "") + ">" + t + "</option>";
+  }).join("");
+  // segment audience isn't offered (no isMember handle wired); an existing
+  // segment row keeps its value selected so an edit doesn't silently re-target.
+  var audValues = ["all", "guest", "logged_in"];
+  if (p.audience === "segment") audValues = ["segment"].concat(audValues);
+  var audienceOpts = audValues.map(function (au) {
+    return "<option value=\"" + au + "\"" + (au === p.audience ? " selected" : "") + ">" + au + "</option>";
+  }).join("");
+
+  var restoreForm =
+    "<form method=\"post\" action=\"/admin/promo-banners/" + _htmlEscape(encodeURIComponent(p.slug)) + "/unarchive\" class=\"form-inline\">" +
+      "<button class=\"btn\" type=\"submit\">Restore banner</button></form>";
+
+  var editForm = isArchived
+    ? "<p class=\"empty\">This banner is archived. Restore it to edit and show it again.</p>" + restoreForm
+    : "<div class=\"panel mw-40\">" +
+        "<h3 class=\"subhead\">Edit banner</h3>" +
+        "<form method=\"post\" action=\"/admin/promo-banners/" + _htmlEscape(encodeURIComponent(p.slug)) + "/edit\">" +
+          "<input type=\"hidden\" name=\"body_present\" value=\"1\">" +
+          "<input type=\"hidden\" name=\"image_present\" value=\"1\">" +
+          "<input type=\"hidden\" name=\"starts_present\" value=\"1\">" +
+          "<input type=\"hidden\" name=\"expires_present\" value=\"1\">" +
+          "<label class=\"form-field\"><span>Placement</span><select name=\"placement\">" + placementOpts + "</select></label>" +
+          "<label class=\"form-field\"><span>Headline</span><input type=\"text\" name=\"headline\" maxlength=\"200\" value=\"" + _htmlEscape(p.headline) + "\" required></label>" +
+          "<label class=\"form-field\"><span>Body (optional)</span><textarea name=\"body\" maxlength=\"1000\">" + _htmlEscape(p.body || "") + "</textarea></label>" +
+          _setupField("CTA label", "cta_label", p.cta_label || "", "text", "", " maxlength=\"80\" required") +
+          _setupField("CTA URL", "cta_url", p.cta_url || "", "text", "https:// or a /-rooted path.", " maxlength=\"2048\" required") +
+          _setupField("Image URL (optional)", "image_url", p.image_url || "", "text", "https:// or a /-rooted path. Clear to remove.", " maxlength=\"2048\"") +
+          "<label class=\"form-field\"><span>Theme</span><select name=\"theme\">" + themeOpts + "</select></label>" +
+          "<label class=\"form-field\"><span>Audience</span><select name=\"audience\">" + audienceOpts + "</select></label>" +
+          _setupField("Priority", "priority", String(p.priority), "number", "Higher wins when banners overlap a placement.", " min=\"0\" max=\"1000000\"") +
+          "<label class=\"form-field\"><span>Starts at</span><input type=\"datetime-local\" name=\"starts_at\" value=\"" + _htmlEscape(_datetimeLocalValue(p.starts_at)) + "\"></label>" +
+          "<label class=\"form-field\"><span>Expires at</span><input type=\"datetime-local\" name=\"expires_at\" value=\"" + _htmlEscape(_datetimeLocalValue(p.expires_at)) + "\"></label>" +
+          "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Save changes</button></div>" +
+        "</form>" +
+      "</div>";
+
+  var bodyHtml = "<section><h2>Promo banner</h2>" + updated + notice +
+    "<div class=\"panel\"><dl class=\"detail-grid\">" +
+      "<div><dt>Slug</dt><dd><code class=\"order-id\">" + _htmlEscape(p.slug) + "</code></dd></div>" +
+      "<div><dt>Status</dt><dd><span class=\"status-pill " + (isArchived ? "cancelled" : "paid") + "\">" + (isArchived ? "archived" : "active") + "</span></dd></div>" +
+      "<div><dt>Impressions</dt><dd>" + _htmlEscape(String(p.impression_count)) + "</dd></div>" +
+      "<div><dt>Clicks</dt><dd>" + _htmlEscape(String(p.click_count)) + "</dd></div>" +
+    "</dl></div>" +
+    editForm +
+    "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin/promo-banners\">Back to banners</a></div>" +
+  "</section>";
+  return _renderAdminShell(opts.shop_name, "Promo banner", bodyHtml, "promo-banners", opts.nav_available);
+}
+
+function renderAdminPromoBanners(opts) {
+  opts = opts || {};
+  var rows = opts.banners || [];
+  var created  = opts.created  ? "<div class=\"banner banner--ok\">Banner saved.</div>" : "";
+  var archived = opts.archived ? "<div class=\"banner banner--ok\">Banner archived.</div>" : "";
+  var restored = opts.restored ? "<div class=\"banner banner--ok\">Banner restored.</div>" : "";
+  var notice   = opts.notice   ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+
+  var af = opts.active_filter;
+  var chips = "<div class=\"order-filters\">" +
+    "<a class=\"chip" + (af == null ? " chip--on" : "") + "\" href=\"/admin/promo-banners\">All</a>" +
+    "<a class=\"chip" + (af === "1" ? " chip--on" : "") + "\" href=\"/admin/promo-banners?active=1\">Active now</a>" +
+    "</div>";
+
+  var bodyRows = rows.map(function (p) {
+    var isArchived = p.archived_at != null;
+    var restoreOrArchive = isArchived
+      ? "<form method=\"post\" action=\"/admin/promo-banners/" + _htmlEscape(encodeURIComponent(p.slug)) + "/unarchive\" class=\"form-inline\">" +
+          "<button class=\"btn\" type=\"submit\">Restore</button></form>"
+      : "<a class=\"btn btn--ghost\" href=\"/admin/promo-banners/" + _htmlEscape(encodeURIComponent(p.slug)) + "\">Edit</a> " +
+        "<form method=\"post\" action=\"/admin/promo-banners/" + _htmlEscape(encodeURIComponent(p.slug)) + "/archive\" class=\"form-inline\">" +
+          "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form>";
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(p.slug) + "</code></td>" +
+      "<td>" + _htmlEscape(p.headline) + "</td>" +
+      "<td>" + _htmlEscape(p.placement) + "</td>" +
+      "<td><span class=\"status-pill\">" + _htmlEscape(p.theme) + "</span></td>" +
+      "<td>" + _htmlEscape(p.audience) + "</td>" +
+      "<td>" + _htmlEscape(String(p.priority)) + "</td>" +
+      "<td><span class=\"status-pill " + (isArchived ? "cancelled" : "paid") + "\">" + (isArchived ? "archived" : "active") + "</span></td>" +
+      "<td><div class=\"actions-row\">" + restoreOrArchive + "</div></td>" +
+    "</tr>";
+  }).join("");
+
+  var table = rows.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Slug</th><th scope=\"col\">Headline</th><th scope=\"col\">Placement</th><th scope=\"col\">Theme</th><th scope=\"col\">Audience</th><th scope=\"col\">Priority</th><th scope=\"col\">Status</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No promo banners" + (af === "1" ? " active right now" : " yet") + ".</p>";
+
+  var placementOpts = Object.keys(_PROMO_PLACEMENT_LABELS).map(function (pl) {
+    return "<option value=\"" + pl + "\">" + _htmlEscape(_PROMO_PLACEMENT_LABELS[pl]) + "</option>";
+  }).join("");
+  var themeOpts = ["info", "promo", "urgency", "success"].map(function (t) {
+    return "<option value=\"" + t + "\"" + (t === "info" ? " selected" : "") + ">" + t + "</option>";
+  }).join("");
+  var audienceOpts = ["all", "guest", "logged_in"].map(function (au) {
+    return "<option value=\"" + au + "\">" + au + "</option>";
+  }).join("");
+
+  var createForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Create a promo banner</h3>" +
+      "<p class=\"meta\">The highest-priority active banner shows at each placement for a matching viewer. Top strip and footer appear on every page; the others appear on their named page.</p>" +
+      "<form method=\"post\" action=\"/admin/promo-banners\">" +
+        _setupField("Slug", "slug", "", "text", "Lowercase, hyphenated — a stable id.", " maxlength=\"80\" required") +
+        "<label class=\"form-field\"><span>Placement</span><select name=\"placement\" required>" + placementOpts + "</select></label>" +
+        _setupField("Headline", "headline", "", "text", "", " maxlength=\"200\" required") +
+        "<label class=\"form-field\"><span>Body (optional)</span><textarea name=\"body\" maxlength=\"1000\"></textarea></label>" +
+        _setupField("CTA label", "cta_label", "", "text", "", " maxlength=\"80\" required") +
+        _setupField("CTA URL", "cta_url", "", "text", "https:// or a /-rooted path.", " maxlength=\"2048\" required") +
+        _setupField("Image URL (optional)", "image_url", "", "text", "https:// or a /-rooted path.", " maxlength=\"2048\"") +
+        "<label class=\"form-field\"><span>Theme</span><select name=\"theme\">" + themeOpts + "</select></label>" +
+        "<label class=\"form-field\"><span>Audience</span><select name=\"audience\" required>" + audienceOpts + "</select></label>" +
+        _setupField("Priority", "priority", "100", "number", "Higher wins when banners overlap a placement.", " min=\"0\" max=\"1000000\" required") +
+        "<label class=\"form-field\"><span>Starts at</span><input type=\"datetime-local\" name=\"starts_at\" required></label>" +
+        "<label class=\"form-field\"><span>Expires at</span><input type=\"datetime-local\" name=\"expires_at\" required></label>" +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Create banner</button></div>" +
+      "</form>" +
+    "</div>";
+
+  var bodyHtml = "<section><h2>Promo banners</h2>" + created + archived + restored + notice + chips + table + createForm + "</section>";
+  return _renderAdminShell(opts.shop_name, "Promo banners", bodyHtml, "promo-banners", opts.nav_available);
+}
+
 // Search-ranking console — the weight-set list (active flag + activate /
 // archive actions), the create form (slug + name + JSON weight map), the
 // per-query pin manager, and an optional per-set metrics rollup. Every

package/lib/asset-manifest.json

@@ -1,13 +1,13 @@
 {
-  "version": "0.4.3",
+  "version": "0.4.5",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",
       "fingerprinted": "css/admin.44eb97700c660798.css"
     },
     "css/main.css": {
-      "integrity": "sha384-kjpDvd8TisWdb45G5S2FyHOo4plk5DiOMO0aTZWxKCJhAhBEo55yABnv5BbUpzS4",
-      "fingerprinted": "css/main.337a7be6244cd7c0.css"
+      "integrity": "sha384-fxUZj7xaROivK6yjixSJavibw/WXXmUgjxS4mSG2PXavX/j2GZrsi9uquxvcJjTa",
+      "fingerprinted": "css/main.0117fe12d12ac55b.css"
     },
     "js/announcement.js": {
       "integrity": "sha384-z4zcEMn+tScoVnYRE4nEf8N/oyvpxdpaxTNrT4QO/jURChid4+qjAvWkzatCaAPq",
@@ -30,8 +30,8 @@
       "fingerprinted": "js/passkey-add.b535e6a3eef4514e.js"
     },
     "js/passkey-login.js": {
-      "integrity": "sha384-AbMxT4s0paFnZsEfAHfcpbS2ZRSmZ9KPnttEBy9SvWErBX3U+LhoeYYN7Nm3Y8AX",
-      "fingerprinted": "js/passkey-login.90c13d7c0d8667e2.js"
+      "integrity": "sha384-YcFe/H5GiEIXJ3bvx4RMUKtKwW249rKWyOYbd6xRcDrlAhDeDpt7HGZYPs+R6yWO",
+      "fingerprinted": "js/passkey-login.41da9ad7da816e97.js"
     },
     "js/passkey-register.js": {
       "integrity": "sha384-BjuUhbPZ18pHFMyOwT+309BEXu+VAc54RSj8lvN93jfFGDydEgmapiAOKTQM1yma",