@blamejs/blamejs-shop 0.4.66 → 0.4.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.4.x
10
10
 
11
+ - v0.4.67 (2026-06-20) — **Subject-access exports now carry the customer's complete record, not just the first page.** A data-subject access export assembled each domain by reading a single page from that domain's reader. A customer with more than one page in any paginated domain — orders, the loyalty points ledger, product reviews, wishlist entries, survey invitations, or support tickets — silently received a truncated export, which is an incomplete response to a GDPR Article 15 request. Each of those domains is now drained to the end by following the reader's own cursor, so the export carries every row. Readers that already return the whole set in one read (addresses, the consent ledger, subscriptions) were already complete and are unchanged. As part of this, the support-ticket reader keyed on customer id (the one the export uses, since it holds no plaintext email) gained cursor pagination so it can be paged to completion. **Changed:** *supportTickets.listByCustomerId and customerSurveys.invitationsForCustomer return { rows, next_cursor }* — Both customer-scoped readers that the export uses now return a paginated envelope — { rows, next_cursor } — instead of a bare array, so a caller can page a customer's full history to the end. listByCustomerId pages on the (opened_at desc, id desc) tuple (matching the email-keyed listForCustomer); invitationsForCustomer pages on the invitation id. If you call either directly, read the rows off the .rows field and pass the previous next_cursor as the cursor option to continue where the last page ended. **Fixed:** *Access exports drain every paginated domain to completion* — The export now follows each reader's cursor to the end for orders, the loyalty points ledger, product reviews, wishlist entries, survey invitations, and support tickets, concatenating every page. A customer with hundreds of orders or ledger entries receives all of them rather than the most recent hundred. A page-count backstop far above any real per-customer record guards against a misbehaving cursor without ever truncating a genuine export.
12
+
11
13
  - v0.4.66 (2026-06-20) — **Inventory-audit finalization can no longer double-apply its stock adjustments.** Finalizing an inventory audit with apply_adjustments writes one shelf adjustment per counted line, then marks the audit finalized. Two failure modes could move a shelf twice. First, if a later line was refused mid-loop — most commonly a negative variance that would have pushed the shelf below its outstanding paid holds — the audit stayed open, but the lines already adjusted had moved; re-running the finalize re-applied those earlier adjustments on top of themselves. Second, two finalize calls overlapping on the same audit both applied every adjustment before either marked the audit finalized. Finalization now claims the audit's transition to finalized in a single conditional write BEFORE touching any shelf, so exactly one finalize applies the adjustments and a concurrent or duplicate call applies nothing. Each adjustment is applied as the difference between the counted variance and what this audit has already moved, so a retry lands only the not-yet-applied remainder and a recount made before the retry is reflected exactly. A finalize that is refused part-way re-opens the audit so the operator can clear the blocker and retry. No API change. **Fixed:** *Finalization claims the audit before moving any shelf* — The transition that marks an audit finalized now lands in one conditional write, gated on the audit still being open or in progress, BEFORE any stock adjustment is written. Two finalize calls racing the same audit — or a duplicate retry overlapping a still-running finalize — resolve to a single winner that applies the adjustments; the loser writes nothing and returns the computed totals. The claim also freezes the audit's scan lines, so the variances being applied can't change underneath the writer. · *Adjustments reconcile against what already landed* — Each shelf adjustment is applied as the counted variance minus what this audit has already moved for that SKU and location. A finalize refused part-way (a respect-holds floor on one line) re-opens the audit; the retry then applies only the remaining difference instead of re-applying lines that already succeeded, and a recount that changed a line's variance before the retry is corrected to the new value rather than left at the old one.
12
14
 
13
15
  - v0.4.65 (2026-06-19) — **Dropship-forwarding and scheduled-export status transitions are now claimed atomically.** Closes two status-transition races in modules that validated the transition with the state-machine primitive but then persisted it with an unconditional update keyed only on the row id. Because the state-machine validation runs in process (each request rebuilds the machine from a fresh row), two concurrent transitions on the same row both passed validation and the second write silently clobbered the first — for example a dropship forwarding being marked shipped while a retry marks it failed, or a scheduled export being cancelled while a worker marks it running. Both now gate the write on the row still being in the state that was validated against (the same single-statement compare-and-swap the order and inventory-receipt lifecycles already use), so exactly one transition lands and a concurrent loser is refused rather than overwriting it. No API change. **Fixed:** *Dropship-forwarding transitions claim the from-state* — Every dropship-forwarding lifecycle edge routes through one helper that validated the transition against the state machine and then wrote UPDATE … WHERE id = ?. The write now also requires the row to still be in the state the transition was validated against (… AND status = <from>) and treats a zero-row result as a lost race (a typed refusal), so two concurrent vendor callbacks (e.g. accept racing ship, or a retry) can't both advance the row and silently overwrite each other. · *Scheduled-export status writers claim the from-state* — The four scheduled-export transitions (cancel, mark-running, mark-complete, mark-failed) validated against the export state machine and then wrote keyed only on the export id. Each now gates the write on the observed from-state and refuses on a zero-row result, so a cancel racing a mark-running (or a duplicate worker callback) no longer last-writer-wins into an illegal state. The state machine still enforces the legal-edge validation; the conditional update is the atomic claim.
@@ -1,5 +1,5 @@
1
1
  {
2
- "version": "0.4.66",
2
+ "version": "0.4.67",
3
3
  "assets": {
4
4
  "css/admin.css": {
5
5
  "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",
@@ -651,14 +651,30 @@ function create(opts) {
651
651
  var custId = _uuid(customerId, "customer_id");
652
652
  listOpts = listOpts || {};
653
653
  var limit = _limit(listOpts.limit);
654
- var r = await query(
655
- "SELECT * FROM survey_invitations WHERE customer_id = ?1 " +
656
- "ORDER BY issued_at DESC, id DESC LIMIT ?2",
657
- [custId, limit],
658
- );
654
+ var cursor = listOpts.cursor;
655
+ if (cursor != null && (typeof cursor !== "string" || !cursor.length)) {
656
+ throw new TypeError("customerSurveys.invitationsForCustomer: cursor must be a non-empty string when provided");
657
+ }
658
+ var sql = "SELECT * FROM survey_invitations WHERE customer_id = ?1";
659
+ var params = [custId];
660
+ var idx = 2;
661
+ if (cursor != null) {
662
+ // Cursor is the last-seen invitation id; v7 ids are lexicographically
663
+ // monotonic (issued_at sits in the prefix), so a single `id < cursor`
664
+ // over (id DESC) preserves total ordering — the same idiom
665
+ // responsesForSurvey uses. Returning { rows, next_cursor } lets a
666
+ // caller that needs the customer's COMPLETE invitation set — the
667
+ // subject-access export — page to the end instead of stopping at the
668
+ // first `limit`.
669
+ sql += " AND id < ?" + idx; params.push(cursor); idx += 1;
670
+ }
671
+ sql += " ORDER BY id DESC LIMIT ?" + idx;
672
+ params.push(limit);
673
+ var r = await query(sql, params);
659
674
  var out = [];
660
675
  for (var i = 0; i < r.rows.length; i += 1) out.push(_decodeInvitation(r.rows[i]));
661
- return out;
676
+ var nextCursor = out.length === limit ? out[out.length - 1].id : null;
677
+ return { rows: out, next_cursor: nextCursor };
662
678
  }
663
679
 
664
680
  // ---- submitResponse ---------------------------------------------------
package/lib/storefront.js CHANGED
@@ -19684,7 +19684,9 @@ function mount(router, deps) {
19684
19684
  // The customer's own ticket list, scoped to their session customer_id.
19685
19685
  router.get("/account/support", async function (req, res) {
19686
19686
  var auth = await _supportAuth(req, res); if (!auth) return;
19687
- var tickets = await support.listByCustomerId(auth.customer_id, { limit: 100 });
19687
+ // First page only the account list shows the customer's most
19688
+ // recent tickets; listByCustomerId now returns { rows, next_cursor }.
19689
+ var tickets = (await support.listByCustomerId(auth.customer_id, { limit: 100 })).rows;
19688
19690
  var cartCount = await _cartCountForReq(req);
19689
19691
  var url = req.url ? new URL(req.url, "http://localhost") : null;
19690
19692
  _send(res, 200, renderSupportList({
@@ -821,11 +821,17 @@ function create(opts) {
821
821
  // storefront, which holds only the session customer id (the raw
822
822
  // email is never on disk), can list + ownership-gate a signed-in
823
823
  // shopper's tickets without re-deriving the email hash. Composes the
824
- // same id / status / limit validators as the rest of the surface.
824
+ // same id / status / limit validators as the rest of the surface, and
825
+ // (like listForCustomer) returns `{ rows, next_cursor }` on the
826
+ // (opened_at DESC, id DESC) tuple so a caller that needs the customer's
827
+ // COMPLETE ticket set — e.g. the subject-access export, which keys on
828
+ // customer_id and has no email to drive listForCustomer — can page to
829
+ // the end instead of stopping at the first `limit`.
825
830
  listByCustomerId: async function (customerId, listOpts) {
826
831
  customerId = _uuid(customerId, "customer_id");
827
832
  listOpts = listOpts || {};
828
833
  var limit = _limit(listOpts.limit);
834
+ var cursorVals = _decodeCursor(listOpts.cursor, "listByCustomerId");
829
835
  var where = ["customer_id = ?1"];
830
836
  var params = [customerId];
831
837
  var idx = 2;
@@ -834,11 +840,20 @@ function create(opts) {
834
840
  params.push(_status(listOpts.status_filter, "status_filter"));
835
841
  idx += 1;
836
842
  }
843
+ if (cursorVals) {
844
+ where.push(
845
+ "(opened_at < ?" + idx + " OR " +
846
+ "(opened_at = ?" + idx + " AND id < ?" + (idx + 1) + "))"
847
+ );
848
+ params.push(cursorVals[0], cursorVals[1]);
849
+ idx += 2;
850
+ }
837
851
  params.push(limit);
838
852
  var sql = "SELECT * FROM support_tickets WHERE " + where.join(" AND ") +
839
853
  " ORDER BY opened_at DESC, id DESC LIMIT ?" + idx;
840
854
  var r = await query(sql, params);
841
- return r.rows.map(_hydrate);
855
+ var rows = r.rows.map(_hydrate);
856
+ return { rows: rows, next_cursor: _encodeNext(rows, limit) };
842
857
  },
843
858
 
844
859
  // Operator queue across every assignment state — newest-stale first
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/blamejs-shop",
3
- "version": "0.4.66",
3
+ "version": "0.4.67",
4
4
  "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {