npm - @blamejs/blamejs-shop - Versions diffs - 0.4.50 → 0.4.52 - Mend

@blamejs/blamejs-shop 0.4.50 → 0.4.52

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.4.x
+- v0.4.52 (2026-06-14) — **Consent records now carry the GDPR Article 6 lawful basis they rest on.** Each decision in the durable per-customer consent ledger now records the GDPR Article 6(1) lawful basis it is processed under — consent, contract, legal obligation, vital interests, public task, or legitimate interests — alongside what was decided and when. The basis defaults from the consent kind (cookie categories, marketing email/SMS, and data-sharing opt-ins are all consent-based), and a caller may pass an explicit, validated basis for a record that rests on another. The basis is surfaced in the subject-access and supervisory-authority exports, so a consent audit now shows not just the decision but the legal ground for it. A migration adds a nullable, constrained lawful_basis column; pre-existing rows keep a null basis rather than being assigned one retroactively. Apply the pending migration on upgrade. **Added:** *Lawful basis on consent-ledger records* — The consent ledger now stamps the GDPR Article 6(1) lawful basis on every recorded decision. The basis defaults from the consent kind — every category the ledger tracks (cookie functional/analytics/marketing/preferences, marketing email, marketing SMS, partner and analytics data-sharing, and general data processing) is consent-based — and an explicit basis can be supplied and is validated against the six Article 6(1) values. Withdrawal records carry the same basis as the grant they revoke. The basis is included in the subject-access export (CSV and JSON) and the jurisdiction bulk export, so a consent audit shows the legal ground each decision rests on. **Changed:** *Migration: lawful_basis column on consent_ledger* — A new migration adds a nullable lawful_basis column to consent_ledger, constrained to the six Article 6(1) bases. The column is nullable and the constraint applies only to rows written after the migration, so existing records keep a null basis (not retroactively assigned) while every new record carries one. Apply the pending migration on upgrade.
+- v0.4.51 (2026-06-14) — **The order page now shows a dated activity timeline of the order's lifecycle.** A customer viewing their order now sees a chronological activity feed of what has happened to it — placed, payment received, shipped, delivered, cancelled, and refunds — newest first, each with its date and the relevant detail. A shipped event shows the carrier and tracking number when one was recorded; a refund shows its amount (and marks a partial refund as such); a click-and-collect delivery shows the pickup location. The feed is built from the order's own transition history and is scoped to the order being viewed, so it appears only to the order's owner or a guest holding the order's access link. Internal fulfillment bookkeeping and operator-process detail are not surfaced — only customer-meaningful milestones. The order page renders this server-side with no client JavaScript. No migration to apply. **Added:** *Order activity timeline on the order page* — The order detail page renders a dated, newest-first timeline of the order's lifecycle events: placed, payment received, shipped (with carrier and tracking number when present), delivered (with pickup location for click-and-collect), cancelled, and refunds (with the refunded amount, labelled partial when applicable). Events are drawn from the order's transition history and filtered to customer-meaningful milestones — internal fulfillment steps, raw state transitions, operator-process reasons, and payment-provider identifiers are never shown. Every rendered value is HTML-escaped, and the feed is shown only within the order's existing access scope (the signed-in owner or a guest order's access link).
 - v0.4.50 (2026-06-14) — **Refresh the vendored blamejs framework to 0.15.11.** Refreshes the vendored blamejs framework from 0.15.9 to 0.15.11 (through 0.15.10). 0.15.11 replaces a family of quadratic-time regexes that hostile input could exploit to stall a worker with linear-time scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when row-level security is enabled behind a non-native driver, and verifies the vendored crypto against a reviewed pin. 0.15.10 makes S3 Object-Lock versioned erasure reachable through the object store — a versioned delete that targets a specific object version (refused under an active retention rather than silently writing a delete-marker), plus version enumeration for right-to-erasure workflows — and pins the build toolchain's native bundler binary to a reviewed hash. This refresh carries no shop-facing API change and applies no migration; it keeps the bundled framework current and the security posture aligned with the latest release. **Changed:** *Vendored blamejs refreshed to 0.15.11* — The bundled framework is updated to blamejs 0.15.11. Across 0.15.10 and 0.15.11 it hardens a family of regular expressions against quadratic-time blow-up on hostile input (linear-time scans), refuses a relocatable sealed-cell downgrade when reading, fails closed when row-level security is enabled behind a driver that can't enforce it, adds versioned object erasure for S3 Object-Lock buckets (a versioned delete that refuses an active retention instead of leaving the data behind a delete-marker, plus version enumeration), and pins the build toolchain's native binary to a reviewed hash. Storefront and admin behaviour is unchanged by the refresh; the framework's PQC-first crypto, security middleware, and request lifecycle are carried forward as-is.
 - v0.4.49 (2026-06-14) — **A stock write-off or audit adjustment can no longer strand a paid hold by dropping on-hand below what's reserved.** An operator stock write-off and a cycle-count audit adjustment both debit on-hand stock through the location adjustment, which guarded only against the shelf going below zero — not below the quantity already reserved by outstanding held allocations. So a write-off (or an audit-applied negative variance) could drop a location's on-hand below its outstanding holds, and when one of those holds later committed at fulfillment its debit would fail, stranding a paid order that could no longer be picked. Write-offs and audit adjustments now refuse a debit that would push on-hand below the held quantity for that SKU at that location (un-pinned holds count against every location), enforced inside the write so concurrent debits can't slip past it. A hold's own commit debit is unaffected — that stock is already reserved to it. No migration to apply. **Fixed:** *Stock write-offs and audit adjustments respect reserved holds* — The location stock adjustment now takes a hold-respecting mode used by write-offs and audit variance application: a debit is refused when it would drop on-hand below the outstanding held quantity for the SKU at that location, evaluated atomically as part of the write (un-pinned holds count against every location, matching the availability rule). Previously these operator adjustments only prevented on-hand from going negative, so they could shrink the shelf below what paid/committed holds had reserved — and the hold's later commit would then fail at fulfillment. Committing a hold still debits normally, since that stock is already reserved to it.

package/lib/asset-manifest.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.50",
+  "version": "0.4.52",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/consent-ledger.js CHANGED Viewed

@@ -131,6 +131,7 @@ var CSV_COLUMNS = Object.freeze([
   "consent_kind",
   "state",
   "source",
+  "lawful_basis",
   "jurisdiction",
   "evidence_ref",
   "occurred_at",
@@ -138,6 +139,32 @@ var CSV_COLUMNS = Object.freeze([
 var b = require("./vendor/blamejs");
+// The GDPR Art. 6(1) lawful bases, sourced from the framework's
+// consent primitive so this ledger's vocabulary tracks the
+// primitive's ground truth instead of re-listing the six strings.
+var LAWFUL_BASES = b.consent.LAWFUL_BASES;
+// Every consent kind this ledger records is consent-gated: cookies
+// are non-essential under ePrivacy Art. 5(3) (the strictly-necessary
+// set lives in cookieConsent, never here), marketing email / SMS rest
+// on Art. 6(1)(a), and third-party data sharing is not a contract
+// necessity. data_processing is the opt-in catch-all — contract /
+// legal-obligation processing is recorded by the domain table that
+// owns it, not by this opt-in ledger. So each kind maps to "consent".
+// A caller may still pass an explicit, validated lawful_basis to
+// override the default for a row that genuinely rests on another basis.
+var KIND_TO_LAWFUL_BASIS = Object.freeze({
+  cookies_functional:     "consent",
+  cookies_analytics:      "consent",
+  cookies_marketing:      "consent",
+  cookies_preferences:    "consent",
+  marketing_email:        "consent",
+  marketing_sms:          "consent",
+  data_sharing_partners:  "consent",
+  data_sharing_analytics: "consent",
+  data_processing:        "consent",
+});
 // ---- monotonic clock ----------------------------------------------------
 //
 // Operator-driven writes can land in the same millisecond on fast
@@ -195,6 +222,16 @@ function _source(s) {
   return s;
 }
+function _lawfulBasis(s) {
+  if (typeof s !== "string" || LAWFUL_BASES.indexOf(s) === -1) {
+    throw new TypeError(
+      "consentLedger: lawful_basis must be one of " + LAWFUL_BASES.join(", ") +
+      ", got " + JSON.stringify(s)
+    );
+  }
+  return s;
+}
 function _optJurisdiction(s) {
   if (s == null || s === "") return null;
   if (typeof s !== "string") {
@@ -282,6 +319,7 @@ function _rowToRecord(row) {
     consent_kind:  row.consent_kind,
     state:         row.state,
     source:        row.source,
+    lawful_basis:  row.lawful_basis == null ? null : row.lawful_basis,
     jurisdiction:  row.jurisdiction == null ? null : row.jurisdiction,
     evidence_ref:  row.evidence_ref == null ? null : row.evidence_ref,
     occurred_at:   Number(row.occurred_at),
@@ -327,15 +365,23 @@ function create(opts) {
     var source       = _source(input.source);
     var jurisdiction = _optJurisdiction(input.jurisdiction);
     var evidenceRef  = _optEvidenceRef(input.evidence_ref);
+    // Lawful basis defaults from the kind (every kind here is
+    // consent-gated; the basis is state-agnostic so a withdrawal row
+    // carries the same basis as its grant). An explicit lawful_basis is
+    // validated and overrides the default for a row that rests on a
+    // different Art. 6 basis.
+    var lawfulBasis  = input.lawful_basis == null
+      ? KIND_TO_LAWFUL_BASIS[consentKind]
+      : _lawfulBasis(input.lawful_basis);
     var id = b.uuid.v7();
     var ts = _now();
     await query(
       "INSERT INTO consent_ledger " +
-      "(id, customer_id, consent_kind, state, source, jurisdiction, evidence_ref, occurred_at) " +
-      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8)",
-      [id, customerId, consentKind, state, source, jurisdiction, evidenceRef, ts],
+      "(id, customer_id, consent_kind, state, source, lawful_basis, jurisdiction, evidence_ref, occurred_at) " +
+      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9)",
+      [id, customerId, consentKind, state, source, lawfulBasis, jurisdiction, evidenceRef, ts],
     );
     return {
@@ -344,6 +390,7 @@ function create(opts) {
       consent_kind:  consentKind,
       state:         state,
       source:        source,
+      lawful_basis:  lawfulBasis,
       jurisdiction:  jurisdiction,
       evidence_ref:  evidenceRef,
       occurred_at:   ts,

package/lib/storefront.js CHANGED Viewed

@@ -7589,6 +7589,7 @@ var ORDER_PAGE =
   "    </div>\n" +
   "    <aside class=\"order-page__totals\">\n" +
   "      RAW_ORDER_TIMELINE" +
+  "      RAW_ORDER_EVENTS" +
   "      RAW_ORDER_TRACKING" +
   "      <h2 class=\"pdp__variants-title\">Totals</h2>\n" +
   "      <dl class=\"totals-list\">\n" +
@@ -7717,6 +7718,135 @@ function _orderTimelineBlock(status) {
     "<ol class=\"order-timeline__steps\">" + steps + "</ol></div>";
 }
+// The customer-facing rich event timeline reads the order's own
+// transition ledger (order.get() hydrates `order.transitions` from
+// `order_transitions`, oldest-first). Each row carries an `on_event`,
+// an `occurred_at`, and a `metadata_json` blob; this block flattens the
+// ledger into a readable, dated, chronological feed — placed, paid,
+// shipped, delivered, refunded (with amounts), cancelled — that the
+// customer sees alongside the status rail.
+//
+// Customer-meaningful events only. The FSM also records mid-fulfillment
+// bookkeeping (`start_fulfillment` — the warehouse picking the parcel)
+// and the `__init__` placeholder edge; neither is something a customer
+// acts on, so both stay out of the feed. The raw `from_state →
+// to_state` string, the internal `reason` (operator-process strings
+// like `admin:console` / `stale-pending-reap`), and the rest of the
+// metadata blob are NEVER rendered — only the per-event detail the
+// customer cares about (a refund amount, a tracking number) is pulled
+// out, by key, and escaped at the sink.
+var ORDER_EVENT_LABELS = {
+  "create":         "Order placed",
+  "mark_paid":      "Payment received",
+  "mark_shipped":   "Order shipped",
+  "mark_delivered": "Order delivered",
+  "cancel":         "Order cancelled",
+  // `refund` covers both a partial refund (a same-state self-loop row)
+  // and the terminal balance-clearing refund; the amount in metadata
+  // distinguishes them in the detail line.
+  "refund":         "Refund issued",
+};
+// Events the customer sees on their own order page. Everything not in
+// this set (start_fulfillment, any future internal-only FSM edge) is
+// dropped from the customer feed.
+var ORDER_EVENT_CUSTOMER_VISIBLE = {
+  "create":         true,
+  "mark_paid":      true,
+  "mark_shipped":   true,
+  "mark_delivered": true,
+  "cancel":         true,
+  "refund":         true,
+};
+// Format an order-transition `occurred_at` (epoch ms) the same way the
+// shipment timeline does — "YYYY-MM-DD HH:MM" UTC — so the two feeds
+// read consistently. Returns "" for an absent/garbage timestamp.
+function _orderEventWhen(occurredAt) {
+  if (occurredAt == null) return "";
+  var n = Number(occurredAt);
+  if (!isFinite(n)) return "";
+  return new Date(n).toISOString().slice(0, 16).replace("T", " ");
+}
+// Build the per-event customer-facing detail line from the transition's
+// metadata — by key, never the raw blob. A refund row surfaces its
+// amount (formatted in the order currency); a shipped row surfaces a
+// carrier + tracking number when the metadata carried one. Everything
+// returned here is escaped by the caller at the render sink. Returns ""
+// when there's no customer-relevant detail for the event.
+function _orderEventDetail(onEvent, meta, currency) {
+  if (!meta || typeof meta !== "object") return "";
+  if (onEvent === "refund") {
+    var amt = meta.amount_minor;
+    if (Number.isInteger(amt) && amt > 0) {
+      var label = meta.partial === true ? "Partial refund: " : "Amount: ";
+      return label + pricing.format(amt, currency || "USD");
+    }
+    return "";
+  }
+  if (onEvent === "mark_shipped") {
+    var parts = [];
+    if (meta.carrier) parts.push(String(meta.carrier));
+    if (meta.tracking_number) parts.push("Tracking " + String(meta.tracking_number));
+    return parts.join(" · ");
+  }
+  if (onEvent === "mark_delivered") {
+    // A click-and-collect delivery stamps a pickup location into the
+    // metadata; surface it as the delivered-detail when present.
+    if (meta.pickup_location_code) return "Picked up at " + String(meta.pickup_location_code);
+    return "";
+  }
+  return "";
+}
+// Render the rich, dated, chronological event timeline from the order's
+// transition ledger. Newest-first. Each event is a label + a UTC
+// timestamp + an optional customer-relevant detail (refund amount,
+// tracking number, pickup location). Internal-only transitions
+// (start_fulfillment, the __init__ placeholder, unknown future events)
+// are filtered out. Every data-derived value — label, detail, time — is
+// HTML-escaped at the sink, matching the escape-by-default convention of
+// the rest of this file. Returns "" when the order carries no
+// customer-visible transitions (the status rail above still renders), so
+// a brand-new order with a single placed event still shows that event.
+function _orderEventTimelineBlock(o) {
+  if (!o || !Array.isArray(o.transitions) || !o.transitions.length) return "";
+  var esc = b.template.escapeHtml;
+  var currency = o.currency || "USD";
+  var events = [];
+  for (var i = 0; i < o.transitions.length; i += 1) {
+    var t = o.transitions[i];
+    if (!t || !ORDER_EVENT_CUSTOMER_VISIBLE[t.on_event]) continue;
+    var meta = {};
+    try { meta = JSON.parse(t.metadata_json || "{}"); }
+    catch (_e) { meta = {}; }                  // drop-silent — bad JSON falls through to no-detail
+    events.push({
+      label:       ORDER_EVENT_LABELS[t.on_event] || t.on_event,
+      occurred_at: Number(t.occurred_at) || 0,
+      detail:      _orderEventDetail(t.on_event, meta, currency),
+    });
+  }
+  if (!events.length) return "";
+  // Newest-first for display. The ledger arrives oldest-first; sort a
+  // copy descending by occurred_at, stable on the original order for ties
+  // (same-ms events keep ledger sequence, reversed) so the feed is
+  // deterministic across runs.
+  events.reverse();
+  events.sort(function (a, c) { return c.occurred_at - a.occurred_at; });
+  var rows = events.map(function (e) {
+    var when = _orderEventWhen(e.occurred_at);
+    return "<li class=\"order-events__event\">" +
+      "<span class=\"order-events__label\">" + esc(e.label) + "</span>" +
+      (e.detail ? " <span class=\"order-events__detail\">" + esc(e.detail) + "</span>" : "") +
+      (when ? " <time class=\"order-events__when\" datetime=\"" + esc(when) + "\">" + esc(when) + "</time>" : "") +
+      "</li>";
+  }).join("");
+  return "<div class=\"order-events\">" +
+    "<h2 class=\"pdp__variants-title\">Order activity</h2>" +
+    "<ol class=\"order-events__list\">" + rows + "</ol></div>";
+}
 // Cap on how many carrier events the per-shipment timeline renders. A
 // long-haul international parcel can accumulate dozens of scans; the
 // customer-facing panel shows the most recent MAX_SHIPMENT_TIMELINE
@@ -8142,6 +8272,13 @@ function renderOrder(opts) {
   // the order status alone, so they render even without tracking wired.
   var shipments    = opts.shipments || [];
   var timelineHtml = _orderTimelineBlock(o.status);
+  // Rich, dated, chronological event feed from the order's own
+  // transition ledger (order.get() hydrates o.transitions). Read-only,
+  // customer-visible events only, every value escaped at the sink. Empty
+  // string for an order whose ledger wasn't hydrated (the status rail
+  // above still renders), so legacy callers that pass no transitions are
+  // unaffected.
+  var eventsHtml   = _orderEventTimelineBlock(o);
   var trackingHtml = _orderTrackingBlock(shipments);
   // The receipt-download link carries the guest order's ?k= access token when
   // the page was opened from the emailed capability link, so the download
@@ -8174,6 +8311,7 @@ function renderOrder(opts) {
       total:               total,
       ship_to:             o.ship_to || null,
       timeline_html:       timelineHtml,
+      events_html:         eventsHtml,
       tracking_html:       trackingHtml,
       pickup_html:         _orderPickupBlock(opts.pickup),
       gift_html:           _orderGiftBlock(opts.gift_options),
@@ -8229,9 +8367,16 @@ function renderOrder(opts) {
     .replace("RAW_REORDER_NOTICE", reorderNotice + cancelNotice)
     .replace("RAW_ORDER_TIMELINE", timelineHtml)
     .replace("RAW_ORDER_TRACKING", trackingHtml)
+    .replace("RAW_ORDER_EVENTS", "RAW_ORDER_EVENTS_PLACEHOLDER")
     .replace("RAW_ORDER_PICKUP", _orderPickupBlock(opts.pickup))
     .replace("RAW_ORDER_ACTIONS", actionsHtml)
     .replace("RAW_SHIP_TO", _shipToAddressBlock(o.ship_to));
+  // The event timeline carries operator-influenced free text (carrier
+  // names, tracking numbers — already escaped into the block, but a `$`
+  // in that escaped text would still trip String.replace's dollar
+  // substitution) — splice it via the replacer-function helper, never a
+  // replacement-string .replace.
+  body = _spliceRaw(body, "RAW_ORDER_EVENTS_PLACEHOLDER", eventsHtml);
   // The gift block carries customer free text (escaped, but a `$` in it would
   // still trip String.replace's dollar substitution) — splice it via the
   // replacer-function helper, never a replacement-string .replace.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.50",
+  "version": "0.4.52",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {