@blamejs/blamejs-shop 0.4.49 → 0.4.51

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.51 (2026-06-14) — **The order page now shows a dated activity timeline of the order's lifecycle.** A customer viewing their order now sees a chronological activity feed of what has happened to it — placed, payment received, shipped, delivered, cancelled, and refunds — newest first, each with its date and the relevant detail. A shipped event shows the carrier and tracking number when one was recorded; a refund shows its amount (and marks a partial refund as such); a click-and-collect delivery shows the pickup location. The feed is built from the order's own transition history and is scoped to the order being viewed, so it appears only to the order's owner or a guest holding the order's access link. Internal fulfillment bookkeeping and operator-process detail are not surfaced — only customer-meaningful milestones. The order page renders this server-side with no client JavaScript. No migration to apply. **Added:** *Order activity timeline on the order page* — The order detail page renders a dated, newest-first timeline of the order's lifecycle events: placed, payment received, shipped (with carrier and tracking number when present), delivered (with pickup location for click-and-collect), cancelled, and refunds (with the refunded amount, labelled partial when applicable). Events are drawn from the order's transition history and filtered to customer-meaningful milestones — internal fulfillment steps, raw state transitions, operator-process reasons, and payment-provider identifiers are never shown. Every rendered value is HTML-escaped, and the feed is shown only within the order's existing access scope (the signed-in owner or a guest order's access link).
+
+- v0.4.50 (2026-06-14) — **Refresh the vendored blamejs framework to 0.15.11.** Refreshes the vendored blamejs framework from 0.15.9 to 0.15.11 (through 0.15.10). 0.15.11 replaces a family of quadratic-time regexes that hostile input could exploit to stall a worker with linear-time scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when row-level security is enabled behind a non-native driver, and verifies the vendored crypto against a reviewed pin. 0.15.10 makes S3 Object-Lock versioned erasure reachable through the object store — a versioned delete that targets a specific object version (refused under an active retention rather than silently writing a delete-marker), plus version enumeration for right-to-erasure workflows — and pins the build toolchain's native bundler binary to a reviewed hash. This refresh carries no shop-facing API change and applies no migration; it keeps the bundled framework current and the security posture aligned with the latest release. **Changed:** *Vendored blamejs refreshed to 0.15.11* — The bundled framework is updated to blamejs 0.15.11. Across 0.15.10 and 0.15.11 it hardens a family of regular expressions against quadratic-time blow-up on hostile input (linear-time scans), refuses a relocatable sealed-cell downgrade when reading, fails closed when row-level security is enabled behind a driver that can't enforce it, adds versioned object erasure for S3 Object-Lock buckets (a versioned delete that refuses an active retention instead of leaving the data behind a delete-marker, plus version enumeration), and pins the build toolchain's native binary to a reviewed hash. Storefront and admin behaviour is unchanged by the refresh; the framework's PQC-first crypto, security middleware, and request lifecycle are carried forward as-is.
+
 - v0.4.49 (2026-06-14) — **A stock write-off or audit adjustment can no longer strand a paid hold by dropping on-hand below what's reserved.** An operator stock write-off and a cycle-count audit adjustment both debit on-hand stock through the location adjustment, which guarded only against the shelf going below zero — not below the quantity already reserved by outstanding held allocations. So a write-off (or an audit-applied negative variance) could drop a location's on-hand below its outstanding holds, and when one of those holds later committed at fulfillment its debit would fail, stranding a paid order that could no longer be picked. Write-offs and audit adjustments now refuse a debit that would push on-hand below the held quantity for that SKU at that location (un-pinned holds count against every location), enforced inside the write so concurrent debits can't slip past it. A hold's own commit debit is unaffected — that stock is already reserved to it. No migration to apply. **Fixed:** *Stock write-offs and audit adjustments respect reserved holds* — The location stock adjustment now takes a hold-respecting mode used by write-offs and audit variance application: a debit is refused when it would drop on-hand below the outstanding held quantity for the SKU at that location, evaluated atomically as part of the write (un-pinned holds count against every location, matching the availability rule). Previously these operator adjustments only prevented on-hand from going negative, so they could shrink the shelf below what paid/committed holds had reserved — and the hold's later commit would then fail at fulfillment. Committing a hold still debits normally, since that stock is already reserved to it.
 
 - v0.4.48 (2026-06-14) — **Hardening: pickup scheduling integrity, the save-for-later CSRF token, a store-credit expiry race, and gift-card ledger verification.** A batch of correctness and security hardening. A click-and-collect pickup already marked ready could be silently un-readied by re-scheduling it, which the pickup state machine has no transition for; re-scheduling in place is now restricted to a pending pickup. The pickup capacity gate counted bookings and then inserted in two steps, so two concurrent checkouts could over-book a full time slot; the cap is now enforced inside the write atomically. The authenticated Save-for-later cart action (POST /cart/lines/:line_id/save) inherited the edge cart forms' CSRF exemption by a path-prefix accident and shipped without requiring a token; it now demands the double-submit CSRF token like any other authenticated mutation, while the genuinely token-less edge cart forms stay exempt. Two concurrent store-credit expiry sweeps could over-burn still-valid credit; the sweep is now atomic and idempotent. And the gift-card ledger's chain verification accepted a populated ledger whose hash columns had all been cleared — a full-ledger rewrite read as verified; an unanchored populated chain now fails verification, while a genuinely empty ledger still passes. No migration to apply. **Fixed:** *A ready pickup can't be un-readied by re-scheduling* — Re-scheduling a click-and-collect pickup in place is now allowed only while it is still scheduled. A pickup already marked ready (its goods on the hold shelf) no longer regresses to scheduled and loses its ready timestamp when re-scheduled — the pickup state machine has no ready-to-scheduled transition, so the operator completes or escalates a ready pickup instead. · *Pickup time slots can't be over-booked under concurrency* — The pickup capacity limit is now enforced inside the booking write as a single conditional insert gated on the live count for the time slot, so two checkouts booking the same nearly-full slot at once can't both slip past the limit. Previously the count and the insert were separate steps, leaving a window where concurrent bookings over-filled a slot. · *Concurrent store-credit expiry sweeps can't over-burn valid credit* — The store-credit expiry sweep now burns expired credit atomically: the amount to expire is computed inside the write and conditioned on the credit still being unexpired, so a second sweep running at the same time finds nothing left to burn and can't dip into still-valid balance. Previously the sweep read the expirable total and then wrote in separate steps, so two concurrent sweeps could double-burn. **Security:** *The save-for-later cart action now requires its CSRF token* — POST /cart/lines/:line_id/save is a login-required cart mutation rendered only on the session-bound cart page, but it sat under the /cart/lines path prefix that exempts the cookie-less, token-less edge cart forms from CSRF — so it inherited that exemption and accepted state changes without a double-submit token. The exemption now carves this authenticated path back into CSRF protection from a single source shared by the request guard and the form renderer (so the set the guard enforces and the set the renderer tokenizes can't drift), while the legitimate edge cart forms remain exempt. · *A hash-cleared gift-card ledger no longer verifies as valid* — The gift-card ledger's chain verification reported a populated ledger whose hash-chain columns had all been nulled as verified — so an attacker who rewrote balances and cleared the chain hashes could pass verification undetected. A populated ledger with no chain anchor now fails verification; a genuinely empty ledger (no rows) still passes.

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.49",
+  "version": "0.4.51",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/storefront.js

@@ -7589,6 +7589,7 @@ var ORDER_PAGE =
   "    </div>\n" +
   "    <aside class=\"order-page__totals\">\n" +
   "      RAW_ORDER_TIMELINE" +
+  "      RAW_ORDER_EVENTS" +
   "      RAW_ORDER_TRACKING" +
   "      <h2 class=\"pdp__variants-title\">Totals</h2>\n" +
   "      <dl class=\"totals-list\">\n" +
@@ -7717,6 +7718,135 @@ function _orderTimelineBlock(status) {
     "<ol class=\"order-timeline__steps\">" + steps + "</ol></div>";
 }
 
+// The customer-facing rich event timeline reads the order's own
+// transition ledger (order.get() hydrates `order.transitions` from
+// `order_transitions`, oldest-first). Each row carries an `on_event`,
+// an `occurred_at`, and a `metadata_json` blob; this block flattens the
+// ledger into a readable, dated, chronological feed — placed, paid,
+// shipped, delivered, refunded (with amounts), cancelled — that the
+// customer sees alongside the status rail.
+//
+// Customer-meaningful events only. The FSM also records mid-fulfillment
+// bookkeeping (`start_fulfillment` — the warehouse picking the parcel)
+// and the `__init__` placeholder edge; neither is something a customer
+// acts on, so both stay out of the feed. The raw `from_state →
+// to_state` string, the internal `reason` (operator-process strings
+// like `admin:console` / `stale-pending-reap`), and the rest of the
+// metadata blob are NEVER rendered — only the per-event detail the
+// customer cares about (a refund amount, a tracking number) is pulled
+// out, by key, and escaped at the sink.
+var ORDER_EVENT_LABELS = {
+  "create":         "Order placed",
+  "mark_paid":      "Payment received",
+  "mark_shipped":   "Order shipped",
+  "mark_delivered": "Order delivered",
+  "cancel":         "Order cancelled",
+  // `refund` covers both a partial refund (a same-state self-loop row)
+  // and the terminal balance-clearing refund; the amount in metadata
+  // distinguishes them in the detail line.
+  "refund":         "Refund issued",
+};
+
+// Events the customer sees on their own order page. Everything not in
+// this set (start_fulfillment, any future internal-only FSM edge) is
+// dropped from the customer feed.
+var ORDER_EVENT_CUSTOMER_VISIBLE = {
+  "create":         true,
+  "mark_paid":      true,
+  "mark_shipped":   true,
+  "mark_delivered": true,
+  "cancel":         true,
+  "refund":         true,
+};
+
+// Format an order-transition `occurred_at` (epoch ms) the same way the
+// shipment timeline does — "YYYY-MM-DD HH:MM" UTC — so the two feeds
+// read consistently. Returns "" for an absent/garbage timestamp.
+function _orderEventWhen(occurredAt) {
+  if (occurredAt == null) return "";
+  var n = Number(occurredAt);
+  if (!isFinite(n)) return "";
+  return new Date(n).toISOString().slice(0, 16).replace("T", " ");
+}
+
+// Build the per-event customer-facing detail line from the transition's
+// metadata — by key, never the raw blob. A refund row surfaces its
+// amount (formatted in the order currency); a shipped row surfaces a
+// carrier + tracking number when the metadata carried one. Everything
+// returned here is escaped by the caller at the render sink. Returns ""
+// when there's no customer-relevant detail for the event.
+function _orderEventDetail(onEvent, meta, currency) {
+  if (!meta || typeof meta !== "object") return "";
+  if (onEvent === "refund") {
+    var amt = meta.amount_minor;
+    if (Number.isInteger(amt) && amt > 0) {
+      var label = meta.partial === true ? "Partial refund: " : "Amount: ";
+      return label + pricing.format(amt, currency || "USD");
+    }
+    return "";
+  }
+  if (onEvent === "mark_shipped") {
+    var parts = [];
+    if (meta.carrier) parts.push(String(meta.carrier));
+    if (meta.tracking_number) parts.push("Tracking " + String(meta.tracking_number));
+    return parts.join(" · ");
+  }
+  if (onEvent === "mark_delivered") {
+    // A click-and-collect delivery stamps a pickup location into the
+    // metadata; surface it as the delivered-detail when present.
+    if (meta.pickup_location_code) return "Picked up at " + String(meta.pickup_location_code);
+    return "";
+  }
+  return "";
+}
+
+// Render the rich, dated, chronological event timeline from the order's
+// transition ledger. Newest-first. Each event is a label + a UTC
+// timestamp + an optional customer-relevant detail (refund amount,
+// tracking number, pickup location). Internal-only transitions
+// (start_fulfillment, the __init__ placeholder, unknown future events)
+// are filtered out. Every data-derived value — label, detail, time — is
+// HTML-escaped at the sink, matching the escape-by-default convention of
+// the rest of this file. Returns "" when the order carries no
+// customer-visible transitions (the status rail above still renders), so
+// a brand-new order with a single placed event still shows that event.
+function _orderEventTimelineBlock(o) {
+  if (!o || !Array.isArray(o.transitions) || !o.transitions.length) return "";
+  var esc = b.template.escapeHtml;
+  var currency = o.currency || "USD";
+  var events = [];
+  for (var i = 0; i < o.transitions.length; i += 1) {
+    var t = o.transitions[i];
+    if (!t || !ORDER_EVENT_CUSTOMER_VISIBLE[t.on_event]) continue;
+    var meta = {};
+    try { meta = JSON.parse(t.metadata_json || "{}"); }
+    catch (_e) { meta = {}; }                  // drop-silent — bad JSON falls through to no-detail
+    events.push({
+      label:       ORDER_EVENT_LABELS[t.on_event] || t.on_event,
+      occurred_at: Number(t.occurred_at) || 0,
+      detail:      _orderEventDetail(t.on_event, meta, currency),
+    });
+  }
+  if (!events.length) return "";
+  // Newest-first for display. The ledger arrives oldest-first; sort a
+  // copy descending by occurred_at, stable on the original order for ties
+  // (same-ms events keep ledger sequence, reversed) so the feed is
+  // deterministic across runs.
+  events.reverse();
+  events.sort(function (a, c) { return c.occurred_at - a.occurred_at; });
+  var rows = events.map(function (e) {
+    var when = _orderEventWhen(e.occurred_at);
+    return "<li class=\"order-events__event\">" +
+      "<span class=\"order-events__label\">" + esc(e.label) + "</span>" +
+      (e.detail ? " <span class=\"order-events__detail\">" + esc(e.detail) + "</span>" : "") +
+      (when ? " <time class=\"order-events__when\" datetime=\"" + esc(when) + "\">" + esc(when) + "</time>" : "") +
+      "</li>";
+  }).join("");
+  return "<div class=\"order-events\">" +
+    "<h2 class=\"pdp__variants-title\">Order activity</h2>" +
+    "<ol class=\"order-events__list\">" + rows + "</ol></div>";
+}
+
 // Cap on how many carrier events the per-shipment timeline renders. A
 // long-haul international parcel can accumulate dozens of scans; the
 // customer-facing panel shows the most recent MAX_SHIPMENT_TIMELINE
@@ -8142,6 +8272,13 @@ function renderOrder(opts) {
   // the order status alone, so they render even without tracking wired.
   var shipments    = opts.shipments || [];
   var timelineHtml = _orderTimelineBlock(o.status);
+  // Rich, dated, chronological event feed from the order's own
+  // transition ledger (order.get() hydrates o.transitions). Read-only,
+  // customer-visible events only, every value escaped at the sink. Empty
+  // string for an order whose ledger wasn't hydrated (the status rail
+  // above still renders), so legacy callers that pass no transitions are
+  // unaffected.
+  var eventsHtml   = _orderEventTimelineBlock(o);
   var trackingHtml = _orderTrackingBlock(shipments);
   // The receipt-download link carries the guest order's ?k= access token when
   // the page was opened from the emailed capability link, so the download
@@ -8174,6 +8311,7 @@ function renderOrder(opts) {
       total:               total,
       ship_to:             o.ship_to || null,
       timeline_html:       timelineHtml,
+      events_html:         eventsHtml,
       tracking_html:       trackingHtml,
       pickup_html:         _orderPickupBlock(opts.pickup),
       gift_html:           _orderGiftBlock(opts.gift_options),
@@ -8229,9 +8367,16 @@ function renderOrder(opts) {
     .replace("RAW_REORDER_NOTICE", reorderNotice + cancelNotice)
     .replace("RAW_ORDER_TIMELINE", timelineHtml)
     .replace("RAW_ORDER_TRACKING", trackingHtml)
+    .replace("RAW_ORDER_EVENTS", "RAW_ORDER_EVENTS_PLACEHOLDER")
     .replace("RAW_ORDER_PICKUP", _orderPickupBlock(opts.pickup))
     .replace("RAW_ORDER_ACTIONS", actionsHtml)
     .replace("RAW_SHIP_TO", _shipToAddressBlock(o.ship_to));
+  // The event timeline carries operator-influenced free text (carrier
+  // names, tracking numbers — already escaped into the block, but a `$`
+  // in that escaped text would still trip String.replace's dollar
+  // substitution) — splice it via the replacer-function helper, never a
+  // replacement-string .replace.
+  body = _spliceRaw(body, "RAW_ORDER_EVENTS_PLACEHOLDER", eventsHtml);
   // The gift block carries customer free text (escaped, but a `$` in it would
   // still trip String.replace's dollar substitution) — splice it via the
   // replacer-function helper, never a replacement-string .replace.