@infuro/cms-core 1.0.12 → 1.0.14

package/dist/api.cjs

@@ -30,6 +30,23 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// src/plugins/erp/erp-config-enabled.ts
+async function isErpIntegrationEnabled(cms, dataSource, entityMap) {
+  if (!cms.getPlugin("erp")) return false;
+  const configRepo = dataSource.getRepository(entityMap.configs);
+  const cfgRows = await configRepo.find({ where: { settings: "erp", deleted: false } });
+  for (const row of cfgRows) {
+    const r = row;
+    if (r.key === "enabled" && r.value === "false") return false;
+  }
+  return true;
+}
+var init_erp_config_enabled = __esm({
+  "src/plugins/erp/erp-config-enabled.ts"() {
+    "use strict";
+  }
+});
+
 // src/plugins/email/email-queue.ts
 var email_queue_exports = {};
 __export(email_queue_exports, {
@@ -68,9 +85,9 @@ async function queueEmail(cms, payload) {
   }
 }
 async function queueOrderPlacedEmails(cms, payload) {
-  const { orderNumber: orderNumber2, total, currency, customerName, customerEmail, salesTeamEmails, companyDetails, lineItems } = payload;
+  const { orderNumber, total, currency, customerName, customerEmail, salesTeamEmails, companyDetails, lineItems } = payload;
   const base = {
-    orderNumber: orderNumber2,
+    orderNumber,
     total: total != null ? String(total) : void 0,
     currency,
     customerName,
@@ -118,6 +135,141 @@ var init_email_queue = __esm({
   }
 });
 
+// src/plugins/erp/erp-response-map.ts
+function pickString(o, keys) {
+  for (const k of keys) {
+    const v = o[k];
+    if (typeof v === "string" && v.trim()) return v.trim();
+  }
+  return void 0;
+}
+function unwrapErpReadData(json) {
+  if (!json || typeof json !== "object") return null;
+  const o = json;
+  const d = o.data;
+  if (d && typeof d === "object" && !Array.isArray(d)) return d;
+  return o;
+}
+function firstObject(data, keys) {
+  for (const k of keys) {
+    const v = data[k];
+    if (v && typeof v === "object" && !Array.isArray(v)) return v;
+  }
+  return null;
+}
+function extractEvents(src) {
+  const timeline = src.timeline ?? src.events ?? src.history ?? src.trackingEvents;
+  if (!Array.isArray(timeline) || !timeline.length) return void 0;
+  const events = [];
+  for (const row of timeline) {
+    if (!row || typeof row !== "object") continue;
+    const r = row;
+    const at = pickString(r, ["at", "timestamp", "date", "occurredAt"]) ?? (r.at instanceof Date ? r.at.toISOString() : void 0);
+    const label = pickString(r, ["label", "status", "title", "message", "description"]);
+    const detail = pickString(r, ["detail", "notes", "description"]);
+    if (at || label || detail) events.push({ at, label, detail });
+  }
+  return events.length ? events : void 0;
+}
+function mapErpPayloadToFulfillment(data) {
+  const nested = firstObject(data, ["fulfillment", "packaging", "shipment", "shipping", "delivery"]);
+  const src = nested || data;
+  const status = pickString(src, ["status", "fulfillmentStatus", "state", "label", "packagingStatus"]);
+  const trackingId = pickString(src, ["trackingId", "tracking_id", "trackingNumber", "awb", "trackingUrl"]);
+  const events = extractEvents(src);
+  if (!status && !trackingId && !(events && events.length)) return void 0;
+  return { status, trackingId, events };
+}
+function mapErpPayloadToInvoiceNumber(data) {
+  const nested = firstObject(data, ["invoice", "latestInvoice", "postedInvoice"]);
+  const src = nested || data;
+  return pickString(src, ["invoiceNumber", "invoice_number", "number", "name", "id"]);
+}
+function extractChildOrderRefsFromSalePayload(data) {
+  const lists = [data.returns, data.returnOrders, data.relatedReturns, data.childOrders, data.children];
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const list of lists) {
+    if (!Array.isArray(list)) continue;
+    for (const item of list) {
+      if (!item || typeof item !== "object") continue;
+      const o = item;
+      const ref = pickString(o, ["platformReturnId", "platform_return_id", "refId", "ref_id"]) ?? (typeof o.id === "string" ? o.id : void 0);
+      if (!ref || seen.has(ref)) continue;
+      seen.add(ref);
+      const t = (pickString(o, ["kind", "type", "orderKind"]) || "").toLowerCase();
+      const orderKind = /replac/.test(t) ? "replacement" : "return";
+      out.push({ ref, orderKind });
+    }
+  }
+  return out;
+}
+var init_erp_response_map = __esm({
+  "src/plugins/erp/erp-response-map.ts"() {
+    "use strict";
+  }
+});
+
+// src/plugins/erp/erp-order-invoice.ts
+var erp_order_invoice_exports = {};
+__export(erp_order_invoice_exports, {
+  streamOrderInvoicePdf: () => streamOrderInvoicePdf
+});
+function pickInvoiceId(data) {
+  const nested = data.invoice && typeof data.invoice === "object" && !Array.isArray(data.invoice) ? data.invoice : null;
+  const src = nested || data;
+  for (const k of ["invoiceId", "invoice_id", "id"]) {
+    const v = src[k];
+    if (typeof v === "string" && v.trim()) return v.trim();
+  }
+  return void 0;
+}
+async function streamOrderInvoicePdf(cms, dataSource, entityMap, orderId, options) {
+  const jsonErr = (msg, status) => new Response(JSON.stringify({ error: msg }), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+  const on = await isErpIntegrationEnabled(cms, dataSource, entityMap);
+  if (!on) return jsonErr("Invoice not available", 503);
+  const erp = cms.getPlugin("erp");
+  if (!erp?.submission) return jsonErr("Invoice not available", 503);
+  const orderRepo = dataSource.getRepository(entityMap.orders);
+  const order = await orderRepo.findOne({ where: { id: orderId, deleted: false } });
+  if (!order) return jsonErr("Not found", 404);
+  const kind = order.orderKind || "sale";
+  if (kind !== "sale") return jsonErr("Invoice only for sale orders", 400);
+  if (options.ownerContactId != null && order.contactId !== options.ownerContactId) {
+    return jsonErr("Not found", 404);
+  }
+  const meta = order.metadata && typeof order.metadata === "object" && !Array.isArray(order.metadata) ? order.metadata : {};
+  const inv = meta.invoice && typeof meta.invoice === "object" && !Array.isArray(meta.invoice) ? meta.invoice : {};
+  let invoiceId = typeof inv.invoiceId === "string" ? inv.invoiceId.trim() : "";
+  if (!invoiceId) {
+    const refId = String(order.orderNumber || "");
+    const r = await erp.submission.postErpReadAction("get-invoice", { platformOrderId: refId });
+    const d = r.ok ? unwrapErpReadData(r.json) : null;
+    invoiceId = d ? pickInvoiceId(d) || "" : "";
+  }
+  if (!invoiceId) return jsonErr("Invoice not ready", 404);
+  const pdf = await erp.submission.fetchInvoicePdf(invoiceId);
+  if (!pdf.ok || !pdf.buffer) return jsonErr(pdf.error || "PDF fetch failed", 502);
+  const filename = `invoice-${orderId}.pdf`;
+  return new Response(pdf.buffer, {
+    status: 200,
+    headers: {
+      "Content-Type": pdf.contentType || "application/pdf",
+      "Content-Disposition": `attachment; filename="${filename}"`
+    }
+  });
+}
+var init_erp_order_invoice = __esm({
+  "src/plugins/erp/erp-order-invoice.ts"() {
+    "use strict";
+    init_erp_response_map();
+    init_erp_config_enabled();
+  }
+});
+
 // src/api/index.ts
 var api_exports = {};
 __export(api_exports, {
@@ -145,6 +297,75 @@ module.exports = __toCommonJS(api_exports);
 
 // src/api/crud.ts
 var import_typeorm = require("typeorm");
+
+// src/plugins/erp/erp-queue.ts
+var ERP_QUEUE_NAME = "erp";
+async function queueErp(cms, payload) {
+  const queue = cms.getPlugin("queue");
+  if (!queue) return;
+  await queue.add(ERP_QUEUE_NAME, payload);
+}
+
+// src/plugins/erp/erp-contact-sync.ts
+function splitName(full) {
+  const t = (full || "").trim();
+  if (!t) return { firstName: "Contact", lastName: "" };
+  const parts = t.split(/\s+/);
+  if (parts.length === 1) return { firstName: parts[0], lastName: "" };
+  return { firstName: parts[0], lastName: parts.slice(1).join(" ") };
+}
+async function queueErpCreateContactIfEnabled(cms, dataSource, entityMap, input) {
+  try {
+    const configRepo = dataSource.getRepository(entityMap.configs);
+    const cfgRows = await configRepo.find({ where: { settings: "erp", deleted: false } });
+    for (const row of cfgRows) {
+      const r = row;
+      if (r.key === "enabled" && r.value === "false") return;
+    }
+    if (!cms.getPlugin("erp")) return;
+    const email = (input.email ?? "").trim();
+    if (!email) return;
+    const { firstName, lastName } = splitName(input.name);
+    await queueErp(cms, {
+      kind: "createContact",
+      contact: {
+        email,
+        firstName,
+        lastName,
+        phone: input.phone?.trim() || void 0,
+        companyName: input.company?.trim() || void 0,
+        type: input.type?.trim() || void 0,
+        notes: input.notes?.trim() || void 0,
+        tags: input.tags?.length ? [...input.tags] : void 0
+      }
+    });
+  } catch {
+  }
+}
+
+// src/plugins/erp/erp-product-sync.ts
+init_erp_config_enabled();
+async function queueErpProductUpsertIfEnabled(cms, dataSource, entityMap, product) {
+  try {
+    const sku = typeof product.sku === "string" ? product.sku.trim() : "";
+    if (!sku) return;
+    const on = await isErpIntegrationEnabled(cms, dataSource, entityMap);
+    if (!on) return;
+    const payload = {
+      sku,
+      title: product.name || sku,
+      name: product.name,
+      description: typeof product.metadata === "object" && product.metadata && "description" in product.metadata ? String(product.metadata.description ?? "") : void 0,
+      hsn_number: product.hsn,
+      is_active: product.status === "available",
+      metadata: product.metadata ?? void 0
+    };
+    await queueErp(cms, { kind: "productUpsert", product: payload });
+  } catch {
+  }
+}
+
+// src/api/crud.ts
 var DATE_COLUMN_TYPES = /* @__PURE__ */ new Set([
   "date",
   "datetime",
@@ -197,8 +418,27 @@ function buildSearchWhereClause(repo, search) {
   if (ors.length === 0) return {};
   return ors.length === 1 ? ors[0] : ors;
 }
+function makeContactErpSync(dataSource, entityMap, getCms) {
+  return async function syncContactRowToErp(row) {
+    if (!getCms) return;
+    try {
+      const cms = await getCms();
+      const c = row;
+      await queueErpCreateContactIfEnabled(cms, dataSource, entityMap, {
+        name: c.name,
+        email: c.email,
+        phone: c.phone,
+        type: c.type,
+        company: c.company,
+        notes: c.notes
+      });
+    } catch {
+    }
+  };
+}
 function createCrudHandler(dataSource, entityMap, options) {
-  const { requireAuth, json, requireEntityPermission: reqPerm } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm, getCms } = options;
+  const syncContactRowToErp = makeContactErpSync(dataSource, entityMap, getCms);
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
@@ -400,6 +640,13 @@ function createCrudHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       sanitizeBodyForEntity(repo, body);
       const created = await repo.save(repo.create(body));
+      if (resource === "contacts") {
+        await syncContactRowToErp(created);
+      }
+      if (resource === "products" && getCms) {
+        const cms = await getCms();
+        await queueErpProductUpsertIfEnabled(cms, dataSource, entityMap, created);
+      }
       return json(created, { status: 201 });
     },
     async GET_METADATA(req, resource) {
@@ -506,7 +753,8 @@ function createCrudHandler(dataSource, entityMap, options) {
   };
 }
 function createCrudByIdHandler(dataSource, entityMap, options) {
-  const { requireAuth, json, requireEntityPermission: reqPerm } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm, getCms } = options;
+  const syncContactRowToErp = makeContactErpSync(dataSource, entityMap, getCms);
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
@@ -529,7 +777,11 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
           relations: ["contact", "billingAddress", "shippingAddress", "items", "items.product", "items.product.collection", "payments"]
         });
         if (!order) return json({ message: "Not found" }, { status: 404 });
-        return json(order);
+        const relatedOrders = await repo.find({
+          where: { parentOrderId: Number(id), deleted: false },
+          order: { id: "ASC" }
+        });
+        return json({ ...order, relatedOrders });
       }
       if (resource === "contacts") {
         const contact = await repo.findOne({
@@ -662,6 +914,13 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         await repo.update(numericId, updatePayload);
       }
       const updated = await repo.findOne({ where: { id: numericId } });
+      if (resource === "contacts" && updated) {
+        await syncContactRowToErp(updated);
+      }
+      if (resource === "products" && updated && getCms) {
+        const cms = await getCms();
+        await queueErpProductUpsertIfEnabled(cms, dataSource, entityMap, updated);
+      }
       return updated ? json(updated) : json({ message: "Not found" }, { status: 404 });
     },
     async DELETE(req, resource, id) {
@@ -826,6 +1085,24 @@ function createUserAuthApiRouter(config) {
 // src/api/cms-handlers.ts
 var import_typeorm3 = require("typeorm");
 init_email_queue();
+
+// src/plugins/captcha/assert.ts
+async function assertCaptchaOk(getCms, body, req, json) {
+  if (!getCms) return null;
+  let cms;
+  try {
+    cms = await getCms();
+  } catch {
+    return null;
+  }
+  const svc = cms.getPlugin("captcha");
+  if (!svc || typeof svc.verify !== "function") return null;
+  const result = await svc.verify(body, req);
+  if (result.ok) return null;
+  return json({ error: result.message }, { status: result.status });
+}
+
+// src/api/cms-handlers.ts
 function createDashboardStatsHandler(config) {
   const { dataSource, entityMap, json, requireAuth, requirePermission, requireEntityPermission } = config;
   return async function GET(req) {
@@ -1067,6 +1344,32 @@ function createFormSaveHandlers(config) {
     }
   };
 }
+async function isErpIntegrationEnabled2(dataSource, entityMap) {
+  const repo = dataSource.getRepository(entityMap.configs);
+  const rows = await repo.find({ where: { settings: "erp", deleted: false } });
+  for (const row of rows) {
+    const r = row;
+    if (r.key === "enabled") return r.value !== "false";
+  }
+  return true;
+}
+async function getErpOpportunityFormIds(dataSource, entityMap) {
+  const repo = dataSource.getRepository(entityMap.configs);
+  const row = await repo.findOne({
+    where: { settings: "erp", key: "opportunityFormIds", deleted: false }
+  });
+  if (!row) return null;
+  const raw = (row.value ?? "").trim();
+  if (!raw) return [];
+  try {
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return [];
+    const ids = parsed.map((x) => typeof x === "number" ? x : Number(x)).filter((n) => Number.isInteger(n) && n > 0);
+    return [...new Set(ids)];
+  } catch {
+    return [];
+  }
+}
 function createFormSubmissionGetByIdHandler(config) {
   const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
   return async function GET(req, id) {
@@ -1155,13 +1458,15 @@ function pickContactFromSubmission(fields, data) {
   return { name: name || email, email, phone: phone || null };
 }
 function createFormSubmissionHandler(config) {
-  const { dataSource, entityMap, json } = config;
+  const { dataSource, entityMap, json, getCms } = config;
   return async function POST(req) {
     try {
       const body = await req.json();
       if (!body || typeof body !== "object") {
         return json({ error: "Invalid request payload" }, { status: 400 });
       }
+      const captchaErr = await assertCaptchaOk(getCms, body, req, json);
+      if (captchaErr) return captchaErr;
       const formId = typeof body.formId === "number" ? body.formId : Number(body.formId);
       if (!Number.isInteger(formId) || formId <= 0) {
         return json({ error: "formId is required and must be a positive integer" }, { status: 400 });
@@ -1228,28 +1533,44 @@ function createFormSubmissionHandler(config) {
           contactEmail = contactData.email;
         }
       }
-      if (config.getCms && config.getCompanyDetails && config.getRecipientForChannel) {
+      if (config.getCms) {
         try {
           const cms = await config.getCms();
-          const to = await config.getRecipientForChannel("crm");
-          if (to) {
-            const companyDetails = await config.getCompanyDetails();
-            const formFieldRows = activeFields.map((f) => ({
-              label: f.label && String(f.label).trim() || `Field ${f.id}`,
-              value: formatSubmissionFieldValue(data[String(f.id)])
-            }));
-            await queueEmail(cms, {
-              to,
-              templateName: "formSubmission",
-              ctx: {
-                formName,
-                contactName,
-                contactEmail,
-                formData: data,
-                formFieldRows,
-                companyDetails: companyDetails ?? {}
+          if (config.getCompanyDetails && config.getRecipientForChannel) {
+            const to = await config.getRecipientForChannel("crm");
+            if (to) {
+              const companyDetails = await config.getCompanyDetails();
+              const formFieldRows = activeFields.map((f) => ({
+                label: f.label && String(f.label).trim() || `Field ${f.id}`,
+                value: formatSubmissionFieldValue(data[String(f.id)])
+              }));
+              await queueEmail(cms, {
+                to,
+                templateName: "formSubmission",
+                ctx: {
+                  formName,
+                  contactName,
+                  contactEmail,
+                  formData: data,
+                  formFieldRows,
+                  companyDetails: companyDetails ?? {}
+                }
+              });
+            }
+          }
+          if (await isErpIntegrationEnabled2(dataSource, entityMap)) {
+            const erp = cms.getPlugin("erp");
+            if (erp) {
+              const contact = erp.submission.extractContactData(data, activeFields);
+              if (contact?.email?.trim()) {
+                const opportunityFormIds = await getErpOpportunityFormIds(dataSource, entityMap);
+                const asOpportunity = opportunityFormIds != null && opportunityFormIds.length > 0 && opportunityFormIds.includes(formId);
+                await queueErp(
+                  cms,
+                  asOpportunity ? { kind: "formOpportunity", contact } : { kind: "lead", contact }
+                );
               }
-            });
+            }
           }
         } catch {
         }
@@ -1695,6 +2016,125 @@ ${contextParts.join("\n\n")}` : "You are a helpful assistant for the company. If
   };
 }
 
+// src/message-templates/sms-defaults.ts
+var SMS_MESSAGE_TEMPLATE_DEFAULTS = [
+  {
+    templateKey: "auth.otp_login",
+    name: "Sign-in OTP (SMS)",
+    body: "Your sign-in code is {{code}}. Valid 10 minutes.",
+    providerMeta: { otpVarKey: "var1" }
+  },
+  {
+    templateKey: "auth.otp_verify_phone",
+    name: "Verify phone OTP (SMS)",
+    body: "Your verification code is {{code}}. Valid 10 minutes.",
+    providerMeta: { otpVarKey: "var1" }
+  }
+];
+function getSmsTemplateDefault(templateKey) {
+  return SMS_MESSAGE_TEMPLATE_DEFAULTS.find((d) => d.templateKey === templateKey);
+}
+
+// src/api/message-template-admin-handlers.ts
+function createSmsMessageTemplateHandlers(config) {
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
+  const repo = () => dataSource.getRepository(entityMap.message_templates);
+  async function requireSettingsRead(req) {
+    const a = await requireAuth(req);
+    if (a) return a;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "settings", "read");
+      if (pe) return pe;
+    }
+    return null;
+  }
+  async function requireSettingsUpdate(req) {
+    const a = await requireAuth(req);
+    if (a) return a;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "settings", "update");
+      if (pe) return pe;
+    }
+    return null;
+  }
+  return {
+    async GET(req) {
+      const err = await requireSettingsRead(req);
+      if (err) return err;
+      try {
+        const rows = await repo().find({ where: { channel: "sms", deleted: false } });
+        const byKey = new Map(rows.map((r) => [r.templateKey, r]));
+        const items = SMS_MESSAGE_TEMPLATE_DEFAULTS.map((def) => {
+          const row = byKey.get(def.templateKey);
+          return {
+            templateKey: def.templateKey,
+            name: def.name,
+            defaultBody: def.body,
+            body: row?.body?.trim() ? row.body : def.body,
+            externalTemplateRef: row?.externalTemplateRef?.trim() ?? "",
+            otpVarKey: row?.providerMeta && typeof row.providerMeta.otpVarKey === "string" ? String(row.providerMeta.otpVarKey) : def.providerMeta?.otpVarKey ?? "var1",
+            enabled: row ? row.enabled : false,
+            dbId: row?.id ?? null
+          };
+        });
+        return json({ items });
+      } catch {
+        return json({ error: "Failed to load templates" }, { status: 500 });
+      }
+    },
+    async PUT(req) {
+      const err = await requireSettingsUpdate(req);
+      if (err) return err;
+      try {
+        const raw = await req.json().catch(() => null);
+        if (!raw?.items || !Array.isArray(raw.items)) {
+          return json({ error: "Invalid payload" }, { status: 400 });
+        }
+        for (const item of raw.items) {
+          const templateKey = typeof item.templateKey === "string" ? item.templateKey.trim() : "";
+          if (!getSmsTemplateDefault(templateKey)) continue;
+          const body = typeof item.body === "string" ? item.body : "";
+          const externalTemplateRef = typeof item.externalTemplateRef === "string" ? item.externalTemplateRef.trim() : "";
+          const otpVarKey = typeof item.otpVarKey === "string" && item.otpVarKey.trim() ? item.otpVarKey.trim() : "var1";
+          const enabled = item.enabled !== false;
+          const existing = await repo().findOne({
+            where: { channel: "sms", templateKey, deleted: false }
+          });
+          const def = getSmsTemplateDefault(templateKey);
+          const providerMeta = { otpVarKey };
+          if (existing) {
+            await repo().update(existing.id, {
+              name: def.name,
+              body,
+              externalTemplateRef: externalTemplateRef || null,
+              providerMeta,
+              enabled,
+              updatedAt: /* @__PURE__ */ new Date()
+            });
+          } else {
+            await repo().save(
+              repo().create({
+                channel: "sms",
+                templateKey,
+                name: def.name,
+                subject: null,
+                body,
+                externalTemplateRef: externalTemplateRef || null,
+                providerMeta,
+                enabled,
+                deleted: false
+              })
+            );
+          }
+        }
+        return json({ ok: true });
+      } catch {
+        return json({ error: "Failed to save templates" }, { status: 500 });
+      }
+    }
+  };
+}
+
 // src/auth/permission-entities.ts
 var PERMISSION_ENTITY_INTERNAL_EXCLUDE = /* @__PURE__ */ new Set([
   "users",
@@ -1708,7 +2148,8 @@ var PERMISSION_ENTITY_INTERNAL_EXCLUDE = /* @__PURE__ */ new Set([
   "carts",
   "cart_items",
   "wishlists",
-  "wishlist_items"
+  "wishlist_items",
+  "message_templates"
 ]);
 var PERMISSION_LOGICAL_ENTITIES = [
   "users",
@@ -1894,7 +2335,8 @@ var DEFAULT_EXCLUDE = /* @__PURE__ */ new Set([
   "carts",
   "cart_items",
   "wishlists",
-  "wishlist_items"
+  "wishlist_items",
+  "message_templates"
 ]);
 function createCmsApiHandler(config) {
   const {
@@ -1957,7 +2399,8 @@ function createCmsApiHandler(config) {
   const crudOpts = {
     requireAuth: config.requireAuth,
     json: config.json,
-    requireEntityPermission: reqEntityPerm
+    requireEntityPermission: reqEntityPerm,
+    getCms
   };
   const crud = createCrudHandler(dataSource, entityMap, crudOpts);
   const crudById = createCrudByIdHandler(dataSource, entityMap, crudOpts);
@@ -1987,6 +2430,13 @@ function createCmsApiHandler(config) {
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
   const profilePut = userProfile ? createUserProfileHandler(userProfile) : null;
   const settingsHandlers = settingsConfig ? createSettingsApiHandlers(settingsConfig) : null;
+  const smsMessageTemplateHandlers = createSmsMessageTemplateHandlers({
+    dataSource,
+    entityMap,
+    json: config.json,
+    requireAuth: config.requireAuth,
+    requireEntityPermission: reqEntityPerm
+  });
   const chatHandlers = chatConfig ? createChatHandlers(chatConfig) : null;
   function resolveResource(segment) {
     const model = pathToModel(segment);
@@ -2091,11 +2541,28 @@ function createCmsApiHandler(config) {
           return settingsHandlers.PUT(req, group);
         }
       }
+      if (path[0] === "message-templates" && path[1] === "sms" && path.length === 2) {
+        if (method === "GET") return smsMessageTemplateHandlers.GET(req);
+        if (method === "PUT") return smsMessageTemplateHandlers.PUT(req);
+      }
       if (path[0] === "chat" && chatHandlers) {
         if (path.length === 2 && path[1] === "identify" && method === "POST") return chatHandlers.identify(req);
         if (path.length === 4 && path[1] === "conversations" && path[3] === "messages" && method === "GET") return chatHandlers.getMessages(req, path[2]);
         if (path.length === 2 && path[1] === "messages" && method === "POST") return chatHandlers.postMessage(req);
       }
+      if (path[0] === "orders" && path.length === 3 && path[2] === "invoice" && method === "GET" && getCms) {
+        const a = await config.requireAuth(req);
+        if (a) return a;
+        if (perm) {
+          const pe = await perm(req, "orders", "read");
+          if (pe) return pe;
+        }
+        const cms = await getCms();
+        const { streamOrderInvoicePdf: streamOrderInvoicePdf2 } = await Promise.resolve().then(() => (init_erp_order_invoice(), erp_order_invoice_exports));
+        const oid = Number(path[1]);
+        if (!Number.isFinite(oid)) return config.json({ error: "Invalid id" }, { status: 400 });
+        return streamOrderInvoicePdf2(cms, dataSource, entityMap, oid, {});
+      }
       if (path.length === 0) return config.json({ error: "Not found" }, { status: 404 });
       const resource = resolveResource(path[0]);
       if (!crudResources.includes(resource)) return config.json({ error: "Invalid resource" }, { status: 400 });
@@ -2128,7 +2595,7 @@ function createCmsApiHandler(config) {
 }
 
 // src/api/storefront-handlers.ts
-var import_typeorm4 = require("typeorm");
+var import_typeorm5 = require("typeorm");
 
 // src/lib/is-valid-signup-email.ts
 var MAX_EMAIL = 254;
@@ -2150,6 +2617,339 @@ function isValidSignupEmail(email) {
 
 // src/api/storefront-handlers.ts
 init_email_queue();
+
+// src/lib/order-number.ts
+var KIND_PREFIX = {
+  sale: "OSL",
+  return: "ORT",
+  replacement: "ORP"
+};
+function orderNumberYymmUtc(at) {
+  const yy = String(at.getUTCFullYear()).slice(-2);
+  const mm = String(at.getUTCMonth() + 1).padStart(2, "0");
+  return yy + mm;
+}
+function maskOrderIdSegment(id) {
+  let x = id >>> 0 ^ 2779096485;
+  x = Math.imul(x, 2654435761) >>> 0;
+  return x.toString(36).toUpperCase().padStart(8, "0").slice(-8);
+}
+function buildCanonicalOrderNumber(kind, id, at) {
+  return KIND_PREFIX[kind] + orderNumberYymmUtc(at) + maskOrderIdSegment(id);
+}
+function temporaryOrderNumberPlaceholder() {
+  return `TMP${Date.now().toString(36)}${Math.random().toString(36).slice(2, 10)}`.toUpperCase();
+}
+
+// src/lib/order-storefront-metadata.ts
+function mergeOrderMetadataPatch(existing, patch) {
+  const base = existing && typeof existing === "object" && !Array.isArray(existing) ? { ...existing } : {};
+  if (patch.fulfillment !== void 0) {
+    if (patch.fulfillment === null) delete base.fulfillment;
+    else base.fulfillment = patch.fulfillment;
+  }
+  if (patch.invoice !== void 0) {
+    if (patch.invoice === null) delete base.invoice;
+    else base.invoice = patch.invoice;
+  }
+  return base;
+}
+
+// src/plugins/erp/erp-order-status-map.ts
+function mapErpSaleStatusToOrderStatus(erpLabel) {
+  if (!erpLabel || typeof erpLabel !== "string") return void 0;
+  const k = erpLabel.trim().toLowerCase().replace(/\s+/g, "_");
+  const map = {
+    draft: "pending",
+    pending: "pending",
+    open: "pending",
+    new: "pending",
+    unconfirmed: "pending",
+    confirmed: "confirmed",
+    processing: "processing",
+    packed: "processing",
+    shipped: "processing",
+    in_transit: "processing",
+    out_for_delivery: "processing",
+    delivered: "completed",
+    completed: "completed",
+    closed: "completed",
+    fulfilled: "completed",
+    cancelled: "cancelled",
+    canceled: "cancelled",
+    void: "cancelled"
+  };
+  return map[k];
+}
+
+// src/plugins/erp/erp-order-sync.ts
+init_erp_response_map();
+init_erp_config_enabled();
+function pickInvoiceId2(data) {
+  const nested = data.invoice && typeof data.invoice === "object" && !Array.isArray(data.invoice) ? data.invoice : null;
+  const src = nested || data;
+  for (const k of ["invoiceId", "invoice_id", "id"]) {
+    const v = src[k];
+    if (typeof v === "string" && v.trim()) return v.trim();
+  }
+  return void 0;
+}
+async function ensureChildOrdersFromRefs(orderRepo, parent, refs, contactId, currency) {
+  for (const { ref, orderKind } of refs) {
+    const existing = await orderRepo.createQueryBuilder("o").where("o.parentOrderId = :pid", { pid: parent.id }).andWhere("o.deleted = :d", { d: false }).andWhere("o.metadata->>'platformRef' = :ref", { ref }).getOne();
+    if (existing) continue;
+    const tmp = temporaryOrderNumberPlaceholder();
+    const row = await orderRepo.save(
+      orderRepo.create({
+        orderNumber: tmp,
+        orderKind,
+        parentOrderId: parent.id,
+        contactId,
+        billingAddressId: null,
+        shippingAddressId: null,
+        status: "pending",
+        subtotal: 0,
+        tax: 0,
+        discount: 0,
+        total: 0,
+        currency,
+        metadata: { platformRef: ref },
+        deleted: false
+      })
+    );
+    const r = row;
+    await orderRepo.update(r.id, {
+      orderNumber: buildCanonicalOrderNumber(orderKind, r.id, r.createdAt ?? /* @__PURE__ */ new Date())
+    });
+  }
+}
+function deepMergeFulfillment(a, b) {
+  if (!a) return b;
+  if (!b) return a;
+  return {
+    ...a,
+    ...b,
+    events: b.events?.length ? b.events : a.events
+  };
+}
+async function refreshOrderFromErp(cms, dataSource, entityMap, submission, order) {
+  const orderRepo = dataSource.getRepository(entityMap.orders);
+  const kind = order.orderKind || "sale";
+  const meta = order.metadata && typeof order.metadata === "object" && !Array.isArray(order.metadata) ? { ...order.metadata } : {};
+  if (kind === "sale") {
+    const refId = String(order.orderNumber || "");
+    let fulfillment;
+    let invoiceNumber;
+    let invoiceId;
+    let newStatus;
+    const r1 = await submission.postErpReadAction("get-order-status", { platformOrderId: refId });
+    const d1 = r1.ok ? unwrapErpReadData(r1.json) : null;
+    if (d1) {
+      const mapped = mapErpSaleStatusToOrderStatus(
+        typeof d1.status === "string" ? d1.status : typeof d1.orderStatus === "string" ? d1.orderStatus : typeof d1.state === "string" ? d1.state : void 0
+      );
+      if (mapped) newStatus = mapped;
+      fulfillment = mapErpPayloadToFulfillment(d1);
+      const refs = extractChildOrderRefsFromSalePayload(d1);
+      if (refs.length) {
+        await ensureChildOrdersFromRefs(
+          orderRepo,
+          order,
+          refs,
+          order.contactId,
+          String(order.currency || "INR")
+        );
+      }
+    }
+    const r2 = await submission.postErpReadAction("get-fulfillment-status", { platformOrderId: refId });
+    const d2 = r2.ok ? unwrapErpReadData(r2.json) : null;
+    if (d2) {
+      fulfillment = deepMergeFulfillment(fulfillment, mapErpPayloadToFulfillment(d2));
+    }
+    const r3 = await submission.postErpReadAction("get-invoice", { platformOrderId: refId });
+    const d3 = r3.ok ? unwrapErpReadData(r3.json) : null;
+    if (d3) {
+      invoiceNumber = mapErpPayloadToInvoiceNumber(d3);
+      invoiceId = pickInvoiceId2(d3);
+    }
+    const oid = order.id;
+    const prevInv = meta.invoice && typeof meta.invoice === "object" && !Array.isArray(meta.invoice) ? { ...meta.invoice } : {};
+    const nextInvoice = {
+      ...prevInv,
+      link: `/api/storefront/orders/${oid}/invoice`,
+      ...invoiceNumber ? { invoiceNumber } : {},
+      ...invoiceId ? { invoiceId } : {}
+    };
+    const patch = { invoice: nextInvoice };
+    if (fulfillment !== void 0) patch.fulfillment = fulfillment;
+    const nextMeta = mergeOrderMetadataPatch(meta, patch);
+    await orderRepo.update(oid, {
+      ...newStatus ? { status: newStatus } : {},
+      metadata: nextMeta,
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+    return;
+  }
+  if (kind === "return" || kind === "replacement") {
+    const platformReturnId = String(order.orderNumber || "");
+    const r = await submission.postErpReadAction("get-return-status", { platformReturnId });
+    const d = r.ok ? unwrapErpReadData(r.json) : null;
+    if (!d) return;
+    const mapped = mapErpSaleStatusToOrderStatus(
+      typeof d.status === "string" ? d.status : typeof d.returnStatus === "string" ? d.returnStatus : void 0
+    );
+    const fulfillment = mapErpPayloadToFulfillment(d);
+    const patch = {};
+    if (fulfillment !== void 0) patch.fulfillment = fulfillment;
+    const nextMeta = Object.keys(patch).length ? mergeOrderMetadataPatch(meta, patch) : meta;
+    await orderRepo.update(order.id, {
+      ...mapped ? { status: mapped } : {},
+      metadata: nextMeta,
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+  }
+}
+async function tryRefreshOrderFromErpForStorefront(cms, dataSource, entityMap, order) {
+  try {
+    const on = await isErpIntegrationEnabled(cms, dataSource, entityMap);
+    if (!on) return;
+    const erp = cms.getPlugin("erp");
+    if (!erp?.submission) return;
+    await refreshOrderFromErp(cms, dataSource, entityMap, erp.submission, order);
+  } catch {
+  }
+}
+
+// src/api/storefront-handlers.ts
+init_erp_order_invoice();
+
+// src/plugins/sms/sms-queue.ts
+var SMS_QUEUE_NAME = "sms";
+async function queueSms(cms, payload) {
+  const queue = cms.getPlugin("queue");
+  const sms = cms.getPlugin("sms");
+  if (queue) {
+    await queue.add(SMS_QUEUE_NAME, payload);
+    return;
+  }
+  if (sms && typeof sms.send === "function") {
+    if (payload.templateKey?.trim()) {
+      await sms.send({
+        to: payload.to,
+        templateKey: payload.templateKey.trim(),
+        variables: payload.variables,
+        otpCode: payload.otpCode
+      });
+      return;
+    }
+    if (payload.body?.trim()) {
+      await sms.send({
+        to: payload.to,
+        body: payload.body,
+        otpCode: payload.otpCode,
+        variables: payload.variables
+      });
+    }
+  }
+}
+
+// src/lib/otp-challenge.ts
+var import_crypto = require("crypto");
+var import_typeorm4 = require("typeorm");
+var OTP_TTL_MS = 10 * 60 * 1e3;
+var MAX_SENDS_PER_HOUR = 5;
+var MAX_VERIFY_ATTEMPTS = 8;
+function getPepper(explicit) {
+  return (explicit || process.env.OTP_PEPPER || process.env.NEXTAUTH_SECRET || "dev-otp-pepper").trim();
+}
+function hashOtpCode(code, purpose, identifier, pepper) {
+  return (0, import_crypto.createHmac)("sha256", getPepper(pepper)).update(`${purpose}|${identifier}|${code}`).digest("hex");
+}
+function verifyOtpCodeHash(code, storedHash, purpose, identifier, pepper) {
+  const h = hashOtpCode(code, purpose, identifier, pepper);
+  try {
+    return (0, import_crypto.timingSafeEqual)(Buffer.from(h, "utf8"), Buffer.from(storedHash, "utf8"));
+  } catch {
+    return false;
+  }
+}
+function generateNumericOtp(length = 6) {
+  const max = 10 ** length;
+  return (0, import_crypto.randomInt)(0, max).toString().padStart(length, "0");
+}
+function normalizePhoneE164(raw, defaultCountryCode) {
+  const t = raw.trim();
+  const digitsOnly = t.replace(/\D/g, "");
+  if (digitsOnly.length < 10) return null;
+  if (t.startsWith("+")) return `+${digitsOnly}`;
+  const cc = (defaultCountryCode || process.env.DEFAULT_PHONE_COUNTRY_CODE || "91").replace(/\D/g, "");
+  if (digitsOnly.length > 10) return `+${digitsOnly}`;
+  return `+${cc}${digitsOnly}`;
+}
+async function countRecentOtpSends(dataSource, entityMap, purpose, identifier, since) {
+  const repo = dataSource.getRepository(entityMap.otp_challenges);
+  return repo.count({
+    where: { purpose, identifier, createdAt: (0, import_typeorm4.MoreThan)(since) }
+  });
+}
+async function createOtpChallenge(dataSource, entityMap, input) {
+  const { purpose, channel, identifier, code, pepper } = input;
+  const since = new Date(Date.now() - 60 * 60 * 1e3);
+  const recent = await countRecentOtpSends(dataSource, entityMap, purpose, identifier, since);
+  if (recent >= MAX_SENDS_PER_HOUR) {
+    return { ok: false, error: "Too many codes sent. Try again later.", status: 429 };
+  }
+  const repo = dataSource.getRepository(entityMap.otp_challenges);
+  await repo.delete({
+    purpose,
+    identifier,
+    consumedAt: (0, import_typeorm4.IsNull)()
+  });
+  const expiresAt = new Date(Date.now() + OTP_TTL_MS);
+  const codeHash = hashOtpCode(code, purpose, identifier, pepper);
+  await repo.save(
+    repo.create({
+      purpose,
+      channel,
+      identifier,
+      codeHash,
+      expiresAt,
+      attempts: 0,
+      consumedAt: null
+    })
+  );
+  return { ok: true };
+}
+async function verifyAndConsumeOtpChallenge(dataSource, entityMap, input) {
+  const { purpose, identifier, code, pepper } = input;
+  const repo = dataSource.getRepository(entityMap.otp_challenges);
+  const row = await repo.findOne({
+    where: { purpose, identifier, consumedAt: (0, import_typeorm4.IsNull)() },
+    order: { id: "DESC" }
+  });
+  if (!row) {
+    return { ok: false, error: "Invalid or expired code", status: 400 };
+  }
+  const r = row;
+  if (new Date(r.expiresAt) < /* @__PURE__ */ new Date()) {
+    await repo.delete(row.id);
+    return { ok: false, error: "Invalid or expired code", status: 400 };
+  }
+  const attempts = r.attempts || 0;
+  if (attempts >= MAX_VERIFY_ATTEMPTS) {
+    await repo.delete(row.id);
+    return { ok: false, error: "Too many attempts", status: 400 };
+  }
+  const valid = verifyOtpCodeHash(code, r.codeHash, purpose, identifier, pepper);
+  if (!valid) {
+    await repo.update(row.id, { attempts: attempts + 1 });
+    return { ok: false, error: "Invalid or expired code", status: 400 };
+  }
+  await repo.update(row.id, { consumedAt: /* @__PURE__ */ new Date(), attempts: attempts + 1 });
+  return { ok: true };
+}
+
+// src/api/storefront-handlers.ts
 var GUEST_COOKIE = "guest_id";
 var ONE_YEAR = 60 * 60 * 24 * 365;
 function parseCookies(header) {
@@ -2167,13 +2967,17 @@ function parseCookies(header) {
 function guestCookieHeader(name, token) {
   return `${name}=${encodeURIComponent(token)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${ONE_YEAR}`;
 }
-function orderNumber() {
-  return `ORD-${Date.now()}-${Math.random().toString(36).slice(2, 10)}`;
-}
 var SIGNUP_VERIFY_EXPIRY_HOURS = 72;
 function createStorefrontApiHandler(config) {
   const { dataSource, entityMap, json, getSessionUser, getCms, getCompanyDetails, publicSiteUrl } = config;
   const cookieName = config.guestCookieName ?? GUEST_COOKIE;
+  const otpFlags = config.otpFlags;
+  const otpPepper = config.otpPepper;
+  const defaultPhoneCc = config.defaultPhoneCountryCode;
+  const otpAllowPhoneLogin = config.otpAllowPhoneLogin !== false;
+  function otpOff(key) {
+    return !otpFlags || otpFlags[key] !== true;
+  }
   const cartRepo = () => dataSource.getRepository(entityMap.carts);
   const cartItemRepo = () => dataSource.getRepository(entityMap.cart_items);
   const productRepo = () => dataSource.getRepository(entityMap.products);
@@ -2187,13 +2991,28 @@ function createStorefrontApiHandler(config) {
   const tokenRepo = () => dataSource.getRepository(entityMap.password_reset_tokens);
   const collectionRepo = () => dataSource.getRepository(entityMap.collections);
   const groupRepo = () => dataSource.getRepository(entityMap.user_groups);
+  async function syncContactToErp(contact) {
+    if (!getCms) return;
+    try {
+      const cms = await getCms();
+      await queueErpCreateContactIfEnabled(cms, dataSource, entityMap, {
+        name: String(contact.name ?? ""),
+        email: String(contact.email ?? "").trim(),
+        phone: contact.phone,
+        type: contact.type,
+        company: contact.company,
+        notes: contact.notes
+      });
+    } catch {
+    }
+  }
   async function ensureContactForUser(userId) {
     let c = await contactRepo().findOne({ where: { userId, deleted: false } });
     if (c) return c;
     const u = await userRepo().findOne({ where: { id: userId } });
     if (!u) return null;
     const unclaimed = await contactRepo().findOne({
-      where: { email: u.email, userId: (0, import_typeorm4.IsNull)(), deleted: false }
+      where: { email: u.email, userId: (0, import_typeorm5.IsNull)(), deleted: false }
     });
     if (unclaimed) {
       await contactRepo().update(unclaimed.id, { userId });
@@ -2208,6 +3027,7 @@ function createStorefrontApiHandler(config) {
         deleted: false
       })
     );
+    await syncContactToErp(created);
     return { id: created.id };
   }
   async function getOrCreateCart(req) {
@@ -2302,7 +3122,21 @@ function createStorefrontApiHandler(config) {
       })
     };
   }
+  function serializeSeo(seo) {
+    if (!seo || typeof seo !== "object") return void 0;
+    const s = seo;
+    return {
+      title: s.title ?? null,
+      description: s.description ?? null,
+      keywords: s.keywords ?? null,
+      ogTitle: s.ogTitle ?? null,
+      ogDescription: s.ogDescription ?? null,
+      ogImage: s.ogImage ?? null,
+      slug: s.slug ?? null
+    };
+  }
   function serializeProduct(p) {
+    const seo = serializeSeo(p.seo);
     return {
       id: p.id,
       name: p.name,
@@ -2313,7 +3147,8 @@ function createStorefrontApiHandler(config) {
       compareAtPrice: p.compareAtPrice,
       status: p.status,
       collectionId: p.collectionId,
-      metadata: p.metadata
+      metadata: p.metadata,
+      ...seo ? { seo } : {}
     };
   }
   return {
@@ -2380,7 +3215,7 @@ function createStorefrontApiHandler(config) {
           const byId = /^\d+$/.test(idOrSlug);
           const product = await productRepo().findOne({
             where: byId ? { id: parseInt(idOrSlug, 10), status: "available", deleted: false } : { slug: idOrSlug, status: "available", deleted: false },
-            relations: ["attributes", "attributes.attribute"]
+            relations: ["attributes", "attributes.attribute", "seo"]
           });
           if (!product) return json({ error: "Not found" }, { status: 404 });
           const p = product;
@@ -2424,7 +3259,8 @@ function createStorefrontApiHandler(config) {
           const idOrSlug = path[1];
           const byId = /^\d+$/.test(idOrSlug);
           const collection = await collectionRepo().findOne({
-            where: byId ? { id: parseInt(idOrSlug, 10), active: true, deleted: false } : { slug: idOrSlug, active: true, deleted: false }
+            where: byId ? { id: parseInt(idOrSlug, 10), active: true, deleted: false } : { slug: idOrSlug, active: true, deleted: false },
+            relations: ["seo"]
           });
           if (!collection) return json({ error: "Not found" }, { status: 404 });
           const col = collection;
@@ -2432,12 +3268,14 @@ function createStorefrontApiHandler(config) {
             where: { collectionId: col.id, status: "available", deleted: false },
             order: { id: "ASC" }
           });
+          const colSeo = serializeSeo(col.seo);
           return json({
             id: col.id,
             name: col.name,
             slug: col.slug,
             description: col.description,
             image: col.image,
+            ...colSeo ? { seo: colSeo } : {},
             products: products.map((p) => serializeProduct(p))
           });
         }
@@ -2475,6 +3313,7 @@ function createStorefrontApiHandler(config) {
             await userRepo().update(uid, { name: b.name.trim() });
           }
           const updatedContact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (updatedContact) await syncContactToErp(updatedContact);
           const updatedUser = await userRepo().findOne({ where: { id: uid }, select: ["id", "name", "email"] });
           return json({
             user: updatedUser ? { id: updatedUser.id, name: updatedUser.name, email: updatedUser.email } : null,
@@ -2562,13 +3401,155 @@ function createStorefrontApiHandler(config) {
           const email = record.email;
           const user = await userRepo().findOne({ where: { email }, select: ["id", "blocked"] });
           if (!user) return json({ error: "User not found" }, { status: 400 });
-          await userRepo().update(user.id, { blocked: false, updatedAt: /* @__PURE__ */ new Date() });
+          await userRepo().update(user.id, {
+            blocked: false,
+            emailVerifiedAt: /* @__PURE__ */ new Date(),
+            updatedAt: /* @__PURE__ */ new Date()
+          });
+          await tokenRepo().delete({ email });
+          return json({ success: true, message: "Email verified. You can sign in." });
+        }
+        if (path[0] === "auth" && path[1] === "otp" && path[2] === "send" && path.length === 3 && method === "POST") {
+          const b = await req.json().catch(() => ({}));
+          const purposeRaw = typeof b.purpose === "string" ? b.purpose.trim() : "";
+          const purpose = purposeRaw === "login" || purposeRaw === "verify_email" || purposeRaw === "verify_phone" ? purposeRaw : "";
+          if (!purpose) return json({ error: "purpose must be login, verify_email, or verify_phone" }, { status: 400 });
+          if (purpose === "login" && otpOff("login")) return json({ error: "otp_disabled" }, { status: 403 });
+          if (purpose === "verify_email" && otpOff("verifyEmail")) return json({ error: "otp_disabled" }, { status: 403 });
+          if (purpose === "verify_phone" && otpOff("verifyPhone")) return json({ error: "otp_disabled" }, { status: 403 });
+          const capOtp = await assertCaptchaOk(getCms, b, req, json);
+          if (capOtp) return capOtp;
+          const emailIn = typeof b.email === "string" ? b.email.trim().toLowerCase() : "";
+          const phoneIn = typeof b.phone === "string" ? b.phone.trim() : "";
+          let identifier;
+          let channel;
+          if (purpose === "login") {
+            if (emailIn) {
+              identifier = emailIn;
+              channel = "email";
+            } else if (phoneIn) {
+              if (!otpAllowPhoneLogin) {
+                return json({ error: "Phone sign-in is not enabled" }, { status: 403 });
+              }
+              const p = normalizePhoneE164(phoneIn, defaultPhoneCc);
+              if (!p) return json({ error: "Invalid phone" }, { status: 400 });
+              identifier = p;
+              channel = "sms";
+            } else {
+              return json({ error: "email or phone required" }, { status: 400 });
+            }
+            const user = channel === "email" ? await userRepo().findOne({ where: { email: identifier } }) : await userRepo().findOne({ where: { phone: identifier } });
+            if (!user || user.deleted || user.blocked) {
+              return json({ ok: true });
+            }
+          } else if (purpose === "verify_email") {
+            if (!emailIn || !isValidSignupEmail(emailIn)) return json({ error: "Valid email required" }, { status: 400 });
+            identifier = emailIn;
+            channel = "email";
+            const user = await userRepo().findOne({ where: { email: identifier } });
+            if (!user || user.deleted) return json({ ok: true });
+          } else {
+            const su = await getSessionUser();
+            const uid = su?.id ? parseInt(String(su.id), 10) : NaN;
+            if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+            const p = normalizePhoneE164(phoneIn, defaultPhoneCc);
+            if (!p) return json({ error: "Valid phone required" }, { status: 400 });
+            identifier = p;
+            channel = "sms";
+            const taken = await userRepo().findOne({
+              where: { phone: identifier },
+              select: ["id"]
+            });
+            if (taken && taken.id !== uid) {
+              return json({ error: "Phone already in use" }, { status: 400 });
+            }
+          }
+          const code = generateNumericOtp(6);
+          const created = await createOtpChallenge(dataSource, entityMap, {
+            purpose,
+            channel,
+            identifier,
+            code,
+            pepper: otpPepper
+          });
+          if (!created.ok) return json({ error: created.error }, { status: created.status });
+          if (!getCms) return json({ error: "OTP delivery not configured" }, { status: 503 });
+          try {
+            const cms = await getCms();
+            if (channel === "email") {
+              if (!cms.getPlugin("email")) return json({ error: "Email not configured" }, { status: 503 });
+              const companyDetails = getCompanyDetails ? await getCompanyDetails() : {};
+              await queueEmail(cms, {
+                to: identifier,
+                templateName: "otp",
+                ctx: { code, companyDetails: companyDetails ?? {} }
+              });
+            } else {
+              if (!cms.getPlugin("sms")) return json({ error: "SMS not configured" }, { status: 503 });
+              const templateKey = purpose === "verify_phone" ? "auth.otp_verify_phone" : "auth.otp_login";
+              await queueSms(cms, { to: identifier, templateKey, variables: { code } });
+            }
+          } catch {
+            return json({ error: "Failed to send code" }, { status: 500 });
+          }
+          return json({ ok: true });
+        }
+        if (path[0] === "auth" && path[1] === "otp" && path[2] === "verify-email" && path.length === 3 && method === "POST") {
+          if (otpOff("verifyEmail")) return json({ error: "otp_disabled" }, { status: 403 });
+          const b = await req.json().catch(() => ({}));
+          const email = typeof b.email === "string" ? b.email.trim().toLowerCase() : "";
+          const code = typeof b.code === "string" ? b.code.trim() : "";
+          if (!email || !code) return json({ error: "email and code required" }, { status: 400 });
+          const v = await verifyAndConsumeOtpChallenge(dataSource, entityMap, {
+            purpose: "verify_email",
+            identifier: email,
+            code,
+            pepper: otpPepper
+          });
+          if (!v.ok) return json({ error: v.error }, { status: v.status });
+          const user = await userRepo().findOne({ where: { email } });
+          if (!user) return json({ error: "User not found" }, { status: 400 });
+          await userRepo().update(user.id, {
+            blocked: false,
+            emailVerifiedAt: /* @__PURE__ */ new Date(),
+            updatedAt: /* @__PURE__ */ new Date()
+          });
           await tokenRepo().delete({ email });
           return json({ success: true, message: "Email verified. You can sign in." });
         }
+        if (path[0] === "auth" && path[1] === "otp" && path[2] === "verify-phone" && path.length === 3 && method === "POST") {
+          if (otpOff("verifyPhone")) return json({ error: "otp_disabled" }, { status: 403 });
+          const su = await getSessionUser();
+          const uid = su?.id ? parseInt(String(su.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          const b = await req.json().catch(() => ({}));
+          const phoneRaw = typeof b.phone === "string" ? b.phone.trim() : "";
+          const code = typeof b.code === "string" ? b.code.trim() : "";
+          const phone = normalizePhoneE164(phoneRaw, defaultPhoneCc);
+          if (!phone || !code) return json({ error: "phone and code required" }, { status: 400 });
+          const v = await verifyAndConsumeOtpChallenge(dataSource, entityMap, {
+            purpose: "verify_phone",
+            identifier: phone,
+            code,
+            pepper: otpPepper
+          });
+          if (!v.ok) return json({ error: v.error }, { status: v.status });
+          const taken = await userRepo().findOne({ where: { phone }, select: ["id"] });
+          if (taken && taken.id !== uid) {
+            return json({ error: "Phone already in use" }, { status: 400 });
+          }
+          await userRepo().update(uid, { phone, phoneVerifiedAt: /* @__PURE__ */ new Date(), updatedAt: /* @__PURE__ */ new Date() });
+          const contact = await ensureContactForUser(uid);
+          if (contact) {
+            await contactRepo().update(contact.id, { phone });
+          }
+          return json({ success: true });
+        }
         if (path[0] === "register" && path.length === 1 && method === "POST") {
           if (!config.hashPassword) return json({ error: "Registration not configured" }, { status: 501 });
           const b = await req.json().catch(() => ({}));
+          const capReg = await assertCaptchaOk(getCms, b, req, json);
+          if (capReg) return capReg;
           const name = typeof b.name === "string" ? b.name.trim() : "";
           const email = typeof b.email === "string" ? b.email.trim().toLowerCase() : "";
           const password = typeof b.password === "string" ? b.password : "";
@@ -2630,6 +3611,8 @@ function createStorefrontApiHandler(config) {
         }
         if (path[0] === "cart" && path[1] === "items" && path.length === 2 && method === "POST") {
           const body = await req.json().catch(() => ({}));
+          const capCart = await assertCaptchaOk(getCms, body, req, json);
+          if (capCart) return capCart;
           const productId = Number(body.productId);
           const quantity = Math.max(1, Number(body.quantity) || 1);
           if (!Number.isFinite(productId)) return json({ error: "productId required" }, { status: 400 });
@@ -2829,6 +3812,8 @@ function createStorefrontApiHandler(config) {
           const { wishlist, setCookie, err } = await getOrCreateWishlist(req);
           if (err) return err;
           const b = await req.json().catch(() => ({}));
+          const capWl = await assertCaptchaOk(getCms, b, req, json);
+          if (capWl) return capWl;
           const productId = Number(b.productId);
           if (!Number.isFinite(productId)) return json({ error: "productId required" }, { status: 400 });
           const wid = wishlist.id;
@@ -2847,6 +3832,8 @@ function createStorefrontApiHandler(config) {
         }
         if (path[0] === "checkout" && path[1] === "order" && path.length === 2 && method === "POST") {
           const b = await req.json().catch(() => ({}));
+          const capOrd = await assertCaptchaOk(getCms, b, req, json);
+          if (capOrd) return capOrd;
           const u = await getSessionUser();
           const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
           let contactId;
@@ -2860,8 +3847,8 @@ function createStorefrontApiHandler(config) {
               relations: ["items", "items.product"]
             });
           } else {
-            const email = (b.email || "").trim();
-            const name = (b.name || "").trim();
+            const email = String(b.email ?? "").trim();
+            const name = String(b.name ?? "").trim();
             if (!email || !name) return json({ error: "name and email required for guest checkout" }, { status: 400 });
             let contact = await contactRepo().findOne({ where: { email, deleted: false } });
             if (contact && contact.userId != null) {
@@ -2872,13 +3859,19 @@ function createStorefrontApiHandler(config) {
                 contactRepo().create({
                   name,
                   email,
-                  phone: b.phone || null,
+                  phone: b.phone != null && b.phone !== "" ? String(b.phone) : null,
                   userId: null,
                   deleted: false
                 })
               );
-            } else if (name) await contactRepo().update(contact.id, { name, phone: b.phone || contact.phone });
+            } else if (name)
+              await contactRepo().update(contact.id, {
+                name,
+                phone: b.phone != null && b.phone !== "" ? String(b.phone) : contact.phone
+              });
             contactId = contact.id;
+            const guestForErp = await contactRepo().findOne({ where: { id: contactId } });
+            if (guestForErp) await syncContactToErp(guestForErp);
             const cookies = parseCookies(req.headers.get("cookie"));
             const guestToken = cookies[cookieName];
             if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
@@ -2906,10 +3899,12 @@ function createStorefrontApiHandler(config) {
           const cartId = cart.id;
           const ord = await orderRepo().save(
             orderRepo().create({
-              orderNumber: orderNumber(),
+              orderNumber: temporaryOrderNumberPlaceholder(),
+              orderKind: "sale",
+              parentOrderId: null,
               contactId,
-              billingAddressId: b.billingAddressId ?? null,
-              shippingAddressId: b.shippingAddressId ?? null,
+              billingAddressId: typeof b.billingAddressId === "number" ? b.billingAddressId : null,
+              shippingAddressId: typeof b.shippingAddressId === "number" ? b.shippingAddressId : null,
               status: "pending",
               subtotal,
               tax: 0,
@@ -2920,6 +3915,9 @@ function createStorefrontApiHandler(config) {
             })
           );
           const oid = ord.id;
+          await orderRepo().update(oid, {
+            orderNumber: buildCanonicalOrderNumber("sale", oid, ord.createdAt ?? /* @__PURE__ */ new Date())
+          });
           for (const line of lines) {
             await orderItemRepo().save(
               orderItemRepo().create({
@@ -2941,6 +3939,8 @@ function createStorefrontApiHandler(config) {
         }
         if (path[0] === "checkout" && path.length === 1 && method === "POST") {
           const b = await req.json().catch(() => ({}));
+          const capChk = await assertCaptchaOk(getCms, b, req, json);
+          if (capChk) return capChk;
           const u = await getSessionUser();
           const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
           let contactId;
@@ -2954,8 +3954,8 @@ function createStorefrontApiHandler(config) {
               relations: ["items", "items.product"]
             });
           } else {
-            const email = (b.email || "").trim();
-            const name = (b.name || "").trim();
+            const email = String(b.email ?? "").trim();
+            const name = String(b.name ?? "").trim();
             if (!email || !name) return json({ error: "name and email required for guest checkout" }, { status: 400 });
             let contact = await contactRepo().findOne({ where: { email, deleted: false } });
             if (contact && contact.userId != null) {
@@ -2966,13 +3966,19 @@ function createStorefrontApiHandler(config) {
                 contactRepo().create({
                   name,
                   email,
-                  phone: b.phone || null,
+                  phone: b.phone != null && b.phone !== "" ? String(b.phone) : null,
                   userId: null,
                   deleted: false
                 })
               );
-            } else if (name) await contactRepo().update(contact.id, { name, phone: b.phone || contact.phone });
+            } else if (name)
+              await contactRepo().update(contact.id, {
+                name,
+                phone: b.phone != null && b.phone !== "" ? String(b.phone) : contact.phone
+              });
             contactId = contact.id;
+            const guestForErp2 = await contactRepo().findOne({ where: { id: contactId } });
+            if (guestForErp2) await syncContactToErp(guestForErp2);
             const cookies = parseCookies(req.headers.get("cookie"));
             const guestToken = cookies[cookieName];
             if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
@@ -2999,10 +4005,12 @@ function createStorefrontApiHandler(config) {
           const total = subtotal;
           const ord = await orderRepo().save(
             orderRepo().create({
-              orderNumber: orderNumber(),
+              orderNumber: temporaryOrderNumberPlaceholder(),
+              orderKind: "sale",
+              parentOrderId: null,
               contactId,
-              billingAddressId: b.billingAddressId ?? null,
-              shippingAddressId: b.shippingAddressId ?? null,
+              billingAddressId: typeof b.billingAddressId === "number" ? b.billingAddressId : null,
+              shippingAddressId: typeof b.shippingAddressId === "number" ? b.shippingAddressId : null,
               status: "pending",
               subtotal,
               tax: 0,
@@ -3012,6 +4020,9 @@ function createStorefrontApiHandler(config) {
             })
           );
           const oid = ord.id;
+          await orderRepo().update(oid, {
+            orderNumber: buildCanonicalOrderNumber("sale", oid, ord.createdAt ?? /* @__PURE__ */ new Date())
+          });
           for (const line of lines) {
             await orderItemRepo().save(
               orderItemRepo().create({
@@ -3039,7 +4050,7 @@ function createStorefrontApiHandler(config) {
           const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
           if (!contact) return json({ orders: [] });
           const orders = await orderRepo().find({
-            where: { contactId: contact.id, deleted: false },
+            where: { contactId: contact.id, deleted: false, orderKind: "sale" },
             order: { createdAt: "DESC" },
             take: 50
           });
@@ -3047,7 +4058,7 @@ function createStorefrontApiHandler(config) {
           const previewByOrder = {};
           if (orderIds.length) {
             const oItems = await orderItemRepo().find({
-              where: { orderId: (0, import_typeorm4.In)(orderIds) },
+              where: { orderId: (0, import_typeorm5.In)(orderIds) },
               relations: ["product"],
               order: { id: "ASC" }
             });
@@ -3074,6 +4085,20 @@ function createStorefrontApiHandler(config) {
             })
           });
         }
+        if (path[0] === "orders" && path.length === 3 && path[2] === "invoice" && method === "GET") {
+          const u = await getSessionUser();
+          const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
+          if (!Number.isFinite(uid)) return json({ error: "Unauthorized" }, { status: 401 });
+          if (!getCms) return json({ error: "Not found" }, { status: 404 });
+          const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
+          if (!contact) return json({ error: "Not found" }, { status: 404 });
+          const orderId = parseInt(path[1], 10);
+          if (!Number.isFinite(orderId)) return json({ error: "Invalid id" }, { status: 400 });
+          const cms = await getCms();
+          return streamOrderInvoicePdf(cms, dataSource, entityMap, orderId, {
+            ownerContactId: contact.id
+          });
+        }
         if (path[0] === "orders" && path.length === 2 && method === "GET") {
           const u = await getSessionUser();
           const uid = u?.id ? parseInt(String(u.id), 10) : NaN;
@@ -3081,11 +4106,20 @@ function createStorefrontApiHandler(config) {
           const contact = await contactRepo().findOne({ where: { userId: uid, deleted: false } });
           if (!contact) return json({ error: "Not found" }, { status: 404 });
           const orderId = parseInt(path[1], 10);
-          const order = await orderRepo().findOne({
+          let order = await orderRepo().findOne({
             where: { id: orderId, contactId: contact.id, deleted: false },
             relations: ["items", "items.product"]
           });
           if (!order) return json({ error: "Not found" }, { status: 404 });
+          if (getCms) {
+            const cms = await getCms();
+            await tryRefreshOrderFromErpForStorefront(cms, dataSource, entityMap, order);
+            order = await orderRepo().findOne({
+              where: { id: orderId, contactId: contact.id, deleted: false },
+              relations: ["items", "items.product"]
+            });
+          }
+          if (!order) return json({ error: "Not found" }, { status: 404 });
           const o = order;
           const lines = (o.items || []).map((line) => {
             const p = line.product;
@@ -3104,10 +4138,22 @@ function createStorefrontApiHandler(config) {
               } : null
             };
           });
+          const kind = o.orderKind || "sale";
+          let relatedOrders = [];
+          if (kind === "sale") {
+            relatedOrders = await orderRepo().find({
+              where: { parentOrderId: orderId, deleted: false },
+              order: { id: "ASC" }
+            });
+          }
+          const meta = o.metadata;
+          const fulfillmentPreview = meta && typeof meta.fulfillment === "object" && meta.fulfillment && "status" in meta.fulfillment ? String(meta.fulfillment.status ?? "") : "";
           return json({
             order: {
               id: o.id,
               orderNumber: o.orderNumber,
+              orderKind: kind,
+              parentOrderId: o.parentOrderId ?? null,
               status: o.status,
               subtotal: o.subtotal,
               tax: o.tax,
@@ -3115,8 +4161,18 @@ function createStorefrontApiHandler(config) {
               total: o.total,
               currency: o.currency,
               createdAt: o.createdAt,
+              metadata: o.metadata ?? null,
               items: lines
-            }
+            },
+            relatedOrders: relatedOrders.map((r) => ({
+              id: r.id,
+              orderNumber: r.orderNumber,
+              orderKind: r.orderKind ?? "return",
+              status: r.status,
+              createdAt: r.createdAt,
+              fulfillmentStatus: r.metadata && typeof r.metadata === "object" && r.metadata.fulfillment?.status
+            })),
+            fulfillmentPreview: fulfillmentPreview || void 0
           });
         }
         return json({ error: "Not found" }, { status: 404 });