@infuro/cms-core 1.0.14 → 1.0.16

package/dist/api.js

@@ -8,7 +8,25 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/plugins/erp/erp-queue.ts
+async function queueErp(cms, payload) {
+  const queue = cms.getPlugin("queue");
+  if (!queue) return;
+  await queue.add(ERP_QUEUE_NAME, payload);
+}
+var ERP_QUEUE_NAME;
+var init_erp_queue = __esm({
+  "src/plugins/erp/erp-queue.ts"() {
+    "use strict";
+    ERP_QUEUE_NAME = "erp";
+  }
+});
+
 // src/plugins/erp/erp-config-enabled.ts
+var erp_config_enabled_exports = {};
+__export(erp_config_enabled_exports, {
+  isErpIntegrationEnabled: () => isErpIntegrationEnabled
+});
 async function isErpIntegrationEnabled(cms, dataSource, entityMap) {
   if (!cms.getPlugin("erp")) return false;
   const configRepo = dataSource.getRepository(entityMap.configs);
@@ -63,14 +81,31 @@ async function queueEmail(cms, payload) {
   }
 }
 async function queueOrderPlacedEmails(cms, payload) {
-  const { orderNumber, total, currency, customerName, customerEmail, salesTeamEmails, companyDetails, lineItems } = payload;
+  const {
+    orderNumber,
+    total,
+    subtotal,
+    tax,
+    currency,
+    customerName,
+    customerEmail,
+    salesTeamEmails,
+    companyDetails,
+    lineItems,
+    billingAddress,
+    shippingAddress
+  } = payload;
   const base = {
     orderNumber,
     total: total != null ? String(total) : void 0,
+    subtotal: subtotal != null ? String(subtotal) : void 0,
+    tax: tax != null ? String(tax) : void 0,
     currency,
     customerName,
     companyDetails: companyDetails ?? {},
-    lineItems: lineItems ?? []
+    lineItems: lineItems ?? [],
+    billingAddress,
+    shippingAddress
   };
   const customerLower = customerEmail?.trim().toLowerCase() ?? "";
   const jobs = [];
@@ -248,18 +283,124 @@ var init_erp_order_invoice = __esm({
   }
 });
 
-// src/api/crud.ts
-import { ILike, Like, MoreThan } from "typeorm";
-
-// src/plugins/erp/erp-queue.ts
-var ERP_QUEUE_NAME = "erp";
-async function queueErp(cms, payload) {
-  const queue = cms.getPlugin("queue");
-  if (!queue) return;
-  await queue.add(ERP_QUEUE_NAME, payload);
+// src/plugins/erp/paid-order-erp.ts
+var paid_order_erp_exports = {};
+__export(paid_order_erp_exports, {
+  queueErpPaidOrderForOrderId: () => queueErpPaidOrderForOrderId
+});
+function roundMoney(major) {
+  return Math.round(major * 100) / 100;
+}
+function addressToWebhookDto(a) {
+  if (!a) return {};
+  return {
+    line1: a.line1 ?? "",
+    line2: a.line2 ?? "",
+    city: a.city ?? "",
+    state: a.state ?? "",
+    postalCode: a.postalCode ?? "",
+    country: a.country ?? ""
+  };
+}
+function orderStatusLabel(status) {
+  const s = (status || "").toLowerCase();
+  if (s === "confirmed") return "Confirmed";
+  if (s === "pending") return "Pending";
+  if (!status) return "Pending";
+  return status.charAt(0).toUpperCase() + status.slice(1);
 }
+function paymentRowToWebhookDto(p, amountMajorOverride) {
+  const currency = String(p.currency || "INR");
+  const amountMajor = amountMajorOverride != null && Number.isFinite(amountMajorOverride) ? amountMajorOverride : Number(p.amount);
+  const meta = { ...p.metadata || {} };
+  delete meta.amount;
+  delete meta.currency;
+  return {
+    id: String(p.externalReference || `payment_${p.id}`),
+    amount: roundMoney(amountMajor),
+    currency_code: currency,
+    captured_at: p.paidAt ? new Date(p.paidAt).toISOString() : (/* @__PURE__ */ new Date()).toISOString(),
+    provider_id: String(p.method || "unknown"),
+    data: { status: "captured", ...meta }
+  };
+}
+async function queueErpPaidOrderForOrderId(cms, dataSource, entityMap, orderId) {
+  try {
+    const configRepo = dataSource.getRepository(entityMap.configs);
+    const cfgRows = await configRepo.find({ where: { settings: "erp", deleted: false } });
+    for (const row of cfgRows) {
+      const r = row;
+      if (r.key === "enabled" && r.value === "false") return;
+    }
+    if (!cms.getPlugin("erp")) return;
+    const orderRepo = dataSource.getRepository(entityMap.orders);
+    const ord = await orderRepo.findOne({
+      where: { id: orderId },
+      relations: ["items", "items.product", "contact", "billingAddress", "shippingAddress", "payments"]
+    });
+    if (!ord) return;
+    const o = ord;
+    const okKind = o.orderKind === void 0 || o.orderKind === null || o.orderKind === "sale";
+    if (!okKind) return;
+    const rawPayments = o.payments ?? [];
+    const completedPayments = rawPayments.filter((pay) => pay.status === "completed" && pay.deleted !== true);
+    if (!completedPayments.length) return;
+    const rawItems = o.items ?? [];
+    const lines = rawItems.filter((it) => it.product).map((it) => {
+      const p = it.product;
+      const sku = p.sku || `SKU-${p.id}`;
+      const itemType = typeof it.productType === "string" && it.productType.trim() ? String(it.productType).trim() : p.type === "service" ? "service" : "product";
+      return {
+        sku,
+        quantity: Number(it.quantity) || 1,
+        unitPrice: Number(it.unitPrice),
+        title: p.name || sku,
+        discount: 0,
+        tax: Number(it.tax) || 0,
+        uom: (typeof it.uom === "string" && it.uom.trim() ? it.uom : p.uom) || void 0,
+        tax_code: typeof it.taxCode === "string" && it.taxCode.trim() ? String(it.taxCode).trim() : void 0,
+        hsn_number: (typeof it.hsn === "string" && it.hsn.trim() ? it.hsn : p.hsn) || void 0,
+        type: itemType
+      };
+    });
+    if (!lines.length) return;
+    const contact = o.contact;
+    const orderTotalMajor = Number(o.total);
+    const paymentDtos = completedPayments.length === 1 && Number.isFinite(orderTotalMajor) ? [paymentRowToWebhookDto(completedPayments[0], orderTotalMajor)] : completedPayments.map((pay) => paymentRowToWebhookDto(pay));
+    const baseMeta = o.metadata && typeof o.metadata === "object" && !Array.isArray(o.metadata) ? { ...o.metadata } : {};
+    const orderDto = {
+      platformType: "website",
+      platformOrderId: String(o.orderNumber),
+      platformOrderNumber: String(o.orderNumber),
+      order_date: o.createdAt ? new Date(o.createdAt).toISOString() : void 0,
+      status: orderStatusLabel(o.status),
+      customer: {
+        name: contact?.name || "",
+        email: contact?.email || "",
+        phone: contact?.phone || ""
+      },
+      shippingAddress: addressToWebhookDto(o.shippingAddress),
+      billingAddress: addressToWebhookDto(o.billingAddress),
+      items: lines,
+      payments: paymentDtos,
+      metadata: { ...baseMeta, source: "storefront" }
+    };
+    await queueErp(cms, { kind: "order", order: orderDto });
+  } catch {
+  }
+}
+var init_paid_order_erp = __esm({
+  "src/plugins/erp/paid-order-erp.ts"() {
+    "use strict";
+    init_erp_queue();
+  }
+});
+
+// src/api/crud.ts
+import { Brackets, ILike, MoreThan } from "typeorm";
 
 // src/plugins/erp/erp-contact-sync.ts
+init_erp_queue();
 function splitName(full) {
   const t = (full || "").trim();
   if (!t) return { firstName: "Contact", lastName: "" };
@@ -297,6 +438,7 @@ async function queueErpCreateContactIfEnabled(cms, dataSource, entityMap, input)
 }
 
 // src/plugins/erp/erp-product-sync.ts
+init_erp_queue();
 init_erp_config_enabled();
 async function queueErpProductUpsertIfEnabled(cms, dataSource, entityMap, product) {
   try {
@@ -304,14 +446,21 @@ async function queueErpProductUpsertIfEnabled(cms, dataSource, entityMap, produc
     if (!sku) return;
     const on = await isErpIntegrationEnabled(cms, dataSource, entityMap);
     if (!on) return;
+    const rawMeta = product.metadata;
+    let metadata;
+    if (rawMeta && typeof rawMeta === "object" && !Array.isArray(rawMeta)) {
+      const { description: _d, ...rest } = rawMeta;
+      metadata = Object.keys(rest).length ? rest : void 0;
+    }
     const payload = {
       sku,
       title: product.name || sku,
       name: product.name,
-      description: typeof product.metadata === "object" && product.metadata && "description" in product.metadata ? String(product.metadata.description ?? "") : void 0,
       hsn_number: product.hsn,
+      uom: product.uom != null && String(product.uom).trim() ? String(product.uom).trim() : void 0,
+      type: product.type === "service" ? "service" : "product",
       is_active: product.status === "available",
-      metadata: product.metadata ?? void 0
+      metadata
     };
     await queueErp(cms, { kind: "productUpsert", product: payload });
   } catch {
@@ -561,16 +710,58 @@ function createCrudHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       const typeFilter = searchParams.get("type");
       const columnNames = new Set(repo.metadata.columns.map((c) => c.propertyName));
+      if (resource === "media") {
+        const qb = repo.createQueryBuilder("m");
+        const parentIdParam = searchParams.get("parentId");
+        if (parentIdParam != null && parentIdParam !== "") {
+          const n = Number(parentIdParam);
+          if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
+          qb.where("m.parentId = :pid", { pid: n });
+        } else {
+          qb.where("m.parentId IS NULL");
+        }
+        if (search && typeof search === "string" && search.trim()) {
+          qb.andWhere("m.filename ILIKE :search", { search: `%${search.trim()}%` });
+        }
+        if (typeFilter) {
+          qb.andWhere(
+            new Brackets((sq) => {
+              sq.where("m.kind = :folderKind", { folderKind: "folder" }).orWhere("m.mimeType LIKE :mtp", {
+                mtp: `${typeFilter}/%`
+              });
+            })
+          );
+        }
+        const allowedSort = ["filename", "createdAt", "id"];
+        const sf = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "filename";
+        const so = sortOrder === "DESC" ? "DESC" : "ASC";
+        qb.orderBy("CASE WHEN m.kind = :fk THEN 0 ELSE 1 END", "ASC").addOrderBy(`m.${sf}`, so).setParameter("fk", "folder").skip(skip).take(limit);
+        const [data2, total2] = await qb.getManyAndCount();
+        return json({ total: total2, page, limit, totalPages: Math.ceil(total2 / limit), data: data2 });
+      }
       const sortField = columnNames.has(sortFieldRaw) ? sortFieldRaw : "createdAt";
       let where = {};
-      if (resource === "media") {
-        const mediaWhere = {};
-        if (search) mediaWhere.filename = ILike(`%${search}%`);
-        if (typeFilter) mediaWhere.mimeType = Like(`${typeFilter}/%`);
-        where = Object.keys(mediaWhere).length > 0 ? mediaWhere : {};
-      } else if (search) {
+      if (search) {
         where = buildSearchWhereClause(repo, search);
       }
+      const intFilterKeys = ["productId", "attributeId", "taxId"];
+      const extraWhere = {};
+      for (const key of intFilterKeys) {
+        const v = searchParams.get(key);
+        if (v != null && v !== "" && columnNames.has(key)) {
+          const n = Number(v);
+          if (Number.isFinite(n)) extraWhere[key] = n;
+        }
+      }
+      if (Object.keys(extraWhere).length > 0) {
+        if (Array.isArray(where)) {
+          where = where.map((w) => ({ ...w, ...extraWhere }));
+        } else if (where && typeof where === "object" && Object.keys(where).length > 0) {
+          where = { ...where, ...extraWhere };
+        } else {
+          where = extraWhere;
+        }
+      }
       const [data, total] = await repo.findAndCount({
         skip,
         take: limit,
@@ -590,6 +781,38 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (!body || typeof body !== "object" || Object.keys(body).length === 0) {
         return json({ error: "Invalid request payload" }, { status: 400 });
       }
+      if (resource === "media") {
+        const b = body;
+        const kind = b.kind === "folder" ? "folder" : "file";
+        b.kind = kind;
+        const fn = String(b.filename ?? "").trim().slice(0, 255);
+        if (!fn) return json({ error: "filename required" }, { status: 400 });
+        b.filename = fn;
+        let pid = null;
+        if (b.parentId != null && b.parentId !== "") {
+          const n = Number(b.parentId);
+          if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
+          pid = n;
+        }
+        b.parentId = pid;
+        const mediaRepo = dataSource.getRepository(entityMap.media);
+        if (pid != null) {
+          const parent = await mediaRepo.findOne({ where: { id: pid } });
+          if (!parent || parent.kind !== "folder") {
+            return json({ error: "parent must be a folder" }, { status: 400 });
+          }
+        }
+        if (kind === "folder") {
+          b.url = null;
+          b.mimeType = "inode/directory";
+          b.size = 0;
+        } else {
+          if (!b.url || typeof b.url !== "string") return json({ error: "url required for files" }, { status: 400 });
+          if (!b.mimeType || typeof b.mimeType !== "string") {
+            b.mimeType = "application/octet-stream";
+          }
+        }
+      }
       const repo = dataSource.getRepository(entity);
       sanitizeBodyForEntity(repo, body);
       const created = await repo.save(repo.create(body));
@@ -862,6 +1085,11 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         return updated2 ? json(updated2) : json({ message: "Not found" }, { status: 404 });
       }
       const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
+      if (resource === "media") {
+        const u = updatePayload;
+        delete u.parentId;
+        delete u.kind;
+      }
       if (Object.keys(updatePayload).length > 0) {
         sanitizeBodyForEntity(repo, updatePayload);
         await repo.update(numericId, updatePayload);
@@ -1037,7 +1265,8 @@ function createUserAuthApiRouter(config) {
 
 // src/api/cms-handlers.ts
 init_email_queue();
-import { MoreThanOrEqual, ILike as ILike2 } from "typeorm";
+init_erp_queue();
+import { MoreThanOrEqual, ILike as ILike2, In } from "typeorm";
 
 // src/plugins/captcha/assert.ts
 async function assertCaptchaOk(getCms, body, req, json) {
@@ -1055,6 +1284,194 @@ async function assertCaptchaOk(getCms, body, req, json) {
   return json({ error: result.message }, { status: result.status });
 }
 
+// src/lib/media-folder-path.ts
+function sanitizeMediaFolderPath(input) {
+  if (input == null) return "";
+  if (typeof input !== "string") return "";
+  const segments = input.replace(/\\/g, "/").split("/").map((s) => s.trim()).filter(Boolean).filter((s) => s !== ".." && s !== ".");
+  const joined = segments.join("/");
+  return joined.length > 512 ? joined.slice(0, 512) : joined;
+}
+function sanitizeStorageSegment(name) {
+  const s = name.replace(/[/\\]/g, "-").trim().slice(0, 255);
+  return s || "item";
+}
+
+// src/lib/media-parent-path.ts
+async function relativePathFromMediaParentId(dataSource, entityMap, parentId) {
+  if (parentId == null) return "";
+  const repo = dataSource.getRepository(entityMap.media);
+  const segments = [];
+  let id = parentId;
+  for (let d = 0; d < 64 && id != null; d++) {
+    const row = await repo.findOne({ where: { id } });
+    if (!row) break;
+    const m = row;
+    if (m.kind !== "folder") break;
+    segments.unshift(sanitizeStorageSegment(m.filename));
+    id = m.parentId ?? null;
+  }
+  return segments.join("/");
+}
+
+// src/lib/media-zip-extract.ts
+import { IsNull as IsNull2 } from "typeorm";
+var ZIP_MIME_TYPES = /* @__PURE__ */ new Set(["application/zip", "application/x-zip-compressed"]);
+var MAX_ENTRIES = 2e3;
+var MAX_TOTAL_UNCOMPRESSED = 80 * 1024 * 1024;
+function isZipMedia(mime, filename) {
+  if (mime && ZIP_MIME_TYPES.has(mime)) return true;
+  return filename.toLowerCase().endsWith(".zip");
+}
+async function readBufferFromPublicUrl(url) {
+  if (url.startsWith("http://") || url.startsWith("https://")) {
+    const r = await fetch(url);
+    if (!r.ok) throw new Error("Failed to download file");
+    return Buffer.from(await r.arrayBuffer());
+  }
+  if (url.startsWith("/")) {
+    const { readFile } = await import("fs/promises");
+    const { join } = await import("path");
+    const rel = url.replace(/^\/+/, "");
+    return readFile(join(process.cwd(), "public", rel));
+  }
+  throw new Error("Unsupported media URL");
+}
+function sanitizeZipPath(entryName) {
+  const norm = entryName.replace(/\\/g, "/").split("/").filter(Boolean);
+  for (const seg of norm) {
+    if (seg === ".." || seg === ".") return null;
+  }
+  return norm;
+}
+function shouldSkipEntry(parts) {
+  if (parts[0] === "__MACOSX") return true;
+  const last = parts[parts.length - 1];
+  if (last === ".DS_Store") return true;
+  return false;
+}
+function guessMimeType(fileName) {
+  const lower = fileName.toLowerCase();
+  if (lower.endsWith(".png")) return "image/png";
+  if (lower.endsWith(".jpg") || lower.endsWith(".jpeg")) return "image/jpeg";
+  if (lower.endsWith(".gif")) return "image/gif";
+  if (lower.endsWith(".webp")) return "image/webp";
+  if (lower.endsWith(".svg")) return "image/svg+xml";
+  if (lower.endsWith(".pdf")) return "application/pdf";
+  if (lower.endsWith(".txt")) return "text/plain";
+  if (lower.endsWith(".json")) return "application/json";
+  if (lower.endsWith(".zip")) return "application/zip";
+  return "application/octet-stream";
+}
+async function findOrCreateFolder(dataSource, entityMap, parentId, name) {
+  const safe = sanitizeStorageSegment(name);
+  const repo = dataSource.getRepository(entityMap.media);
+  const where = parentId == null ? { kind: "folder", filename: safe, parentId: IsNull2() } : { kind: "folder", filename: safe, parentId };
+  const existing = await repo.findOne({ where });
+  if (existing) return existing.id;
+  const row = await repo.save(
+    repo.create({
+      kind: "folder",
+      parentId,
+      filename: safe,
+      url: null,
+      mimeType: "inode/directory",
+      size: 0,
+      alt: null,
+      isPublic: false,
+      deleted: false
+    })
+  );
+  return row.id;
+}
+async function ensureFolderChain(dataSource, entityMap, rootParentId, pathSegments) {
+  let pid = rootParentId;
+  for (const seg of pathSegments) {
+    if (!seg) continue;
+    pid = await findOrCreateFolder(dataSource, entityMap, pid, seg);
+  }
+  return pid;
+}
+async function extractZipMediaIntoParentTree(opts) {
+  const { dataSource, entityMap, zipMediaRow } = opts;
+  const row = zipMediaRow;
+  if (row.kind !== "file" || !row.url) throw new Error("Not a file");
+  if (!isZipMedia(row.mimeType, row.filename)) throw new Error("Not a zip archive");
+  const buffer = await readBufferFromPublicUrl(row.url);
+  const { default: AdmZip } = await import("adm-zip");
+  const zip = new AdmZip(buffer);
+  const entries = zip.getEntries();
+  if (entries.length > MAX_ENTRIES) throw new Error(`Too many zip entries (max ${MAX_ENTRIES})`);
+  const rootParentId = row.parentId;
+  const items = [];
+  let totalUncompressed = 0;
+  for (const e of entries) {
+    const raw = e.entryName;
+    const parts = sanitizeZipPath(raw);
+    if (!parts || shouldSkipEntry(parts)) continue;
+    const isDir = e.isDirectory || /\/$/.test(raw);
+    let data = null;
+    if (!isDir) {
+      data = e.getData();
+      totalUncompressed += data.length;
+      if (totalUncompressed > MAX_TOTAL_UNCOMPRESSED) {
+        throw new Error(`Uncompressed content exceeds limit (${MAX_TOTAL_UNCOMPRESSED} bytes)`);
+      }
+    }
+    items.push({ parts, isDir, data });
+  }
+  items.sort((a, b) => {
+    const da = a.parts.length;
+    const db = b.parts.length;
+    if (da !== db) return da - db;
+    return a.parts.join("/").localeCompare(b.parts.join("/"));
+  });
+  let files = 0;
+  let folderEntries = 0;
+  const repo = dataSource.getRepository(entityMap.media);
+  for (const it of items) {
+    if (it.isDir) {
+      await ensureFolderChain(dataSource, entityMap, rootParentId, it.parts);
+      folderEntries++;
+      continue;
+    }
+    const fileName = it.parts[it.parts.length - 1];
+    const dirParts = it.parts.slice(0, -1);
+    const parentFolderId = await ensureFolderChain(dataSource, entityMap, rootParentId, dirParts);
+    const buf = it.data;
+    const relBase = await relativePathFromMediaParentId(dataSource, entityMap, parentFolderId);
+    const relativeUnderUploads = relBase ? `${relBase}/${fileName}` : fileName;
+    const contentType = guessMimeType(fileName);
+    let publicUrl;
+    if (opts.storage) {
+      publicUrl = await opts.storage.upload(buf, `uploads/${relativeUnderUploads}`, contentType);
+    } else {
+      const fs = await import("fs/promises");
+      const pathMod = await import("path");
+      const dir = pathMod.join(process.cwd(), opts.localUploadDir);
+      const filePath = pathMod.join(dir, relativeUnderUploads);
+      await fs.mkdir(pathMod.dirname(filePath), { recursive: true });
+      await fs.writeFile(filePath, buf);
+      publicUrl = `/${opts.localUploadDir.replace(/^\/+/, "").replace(/\\/g, "/")}/${relativeUnderUploads.replace(/\\/g, "/")}`;
+    }
+    await repo.save(
+      repo.create({
+        kind: "file",
+        parentId: parentFolderId,
+        filename: fileName,
+        url: publicUrl,
+        mimeType: contentType,
+        size: buf.length,
+        alt: null,
+        isPublic: false,
+        deleted: false
+      })
+    );
+    files++;
+  }
+  return { files, folderEntries };
+}
+
 // src/api/cms-handlers.ts
 function createDashboardStatsHandler(config) {
   const { dataSource, entityMap, json, requireAuth, requirePermission, requireEntityPermission } = config;
@@ -1072,26 +1489,209 @@ function createDashboardStatsHandler(config) {
     try {
       const sevenDaysAgo = new Date(Date.now() - 7 * 24 * 60 * 60 * 1e3);
       const repo = (name) => entityMap[name] ? dataSource.getRepository(entityMap[name]) : void 0;
-      const [contactsCount, formsCount, formSubmissionsCount, usersCount, blogsCount, recentContacts, recentSubmissions] = await Promise.all([
+      const [contactsCount, formsCount, formSubmissionsCount, usersCount, blogsCount, recentContacts, recentSubmissions, contactTypeRows] = await Promise.all([
         repo("contacts")?.count() ?? 0,
         repo("forms")?.count({ where: { deleted: false } }) ?? 0,
         repo("form_submissions")?.count() ?? 0,
         repo("users")?.count({ where: { deleted: false } }) ?? 0,
         repo("blogs")?.count({ where: { deleted: false } }) ?? 0,
         repo("contacts")?.count({ where: { createdAt: MoreThanOrEqual(sevenDaysAgo) } }) ?? 0,
-        repo("form_submissions")?.count({ where: { createdAt: MoreThanOrEqual(sevenDaysAgo) } }) ?? 0
+        repo("form_submissions")?.count({ where: { createdAt: MoreThanOrEqual(sevenDaysAgo) } }) ?? 0,
+        repo("contacts")?.createQueryBuilder("c").select("COALESCE(NULLIF(TRIM(c.type), ''), 'unknown')", "type").addSelect("COUNT(*)", "count").where("c.deleted = :deleted", { deleted: false }).groupBy("COALESCE(NULLIF(TRIM(c.type), ''), 'unknown')").getRawMany() ?? []
       ]);
       return json({
         contacts: { total: contactsCount, recent: recentContacts },
         forms: { total: formsCount, submissions: formSubmissionsCount, recentSubmissions },
         users: usersCount,
-        blogs: blogsCount
+        blogs: blogsCount,
+        contactTypes: (contactTypeRows ?? []).map((row) => ({
+          type: row.type || "unknown",
+          count: Number(row.count || 0)
+        }))
       });
     } catch (err) {
       return json({ error: "Failed to fetch dashboard stats" }, { status: 500 });
     }
   };
 }
+function toNum(v) {
+  const n = typeof v === "number" ? v : Number(v ?? 0);
+  return Number.isFinite(n) ? n : 0;
+}
+function toIsoDate(d) {
+  return d.toISOString().slice(0, 10);
+}
+function createEcommerceAnalyticsHandler(config) {
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
+  return async function GET(req) {
+    const authErr = await requireAuth(req);
+    if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "analytics", "read");
+      if (pe) return pe;
+    }
+    if (!entityMap.orders || !entityMap.order_items || !entityMap.payments || !entityMap.products) {
+      return json({ error: "Store analytics unavailable" }, { status: 404 });
+    }
+    try {
+      const url = new URL(req.url);
+      const rawDays = parseInt(url.searchParams.get("days") || "30", 10);
+      const days = Number.isFinite(rawDays) ? Math.min(365, Math.max(7, rawDays)) : 30;
+      const end = /* @__PURE__ */ new Date();
+      const start = new Date(end.getTime() - days * 24 * 60 * 60 * 1e3);
+      const orderRepo = dataSource.getRepository(entityMap.orders);
+      const paymentRepo = dataSource.getRepository(entityMap.payments);
+      const itemRepo = dataSource.getRepository(entityMap.order_items);
+      const productRepo = dataSource.getRepository(entityMap.products);
+      const [salesOrders, returnOrders, replacementOrders, payments, products] = await Promise.all([
+        orderRepo.find({
+          where: { deleted: false, createdAt: MoreThanOrEqual(start), orderKind: "sale", status: In(["confirmed", "processing", "completed"]) },
+          select: ["id", "contactId", "createdAt", "subtotal", "discount", "tax", "total", "status"]
+        }),
+        orderRepo.find({
+          where: { deleted: false, createdAt: MoreThanOrEqual(start), orderKind: "return" },
+          select: ["id", "createdAt", "total"]
+        }),
+        orderRepo.find({
+          where: { deleted: false, createdAt: MoreThanOrEqual(start), orderKind: "replacement" },
+          select: ["id", "createdAt", "total"]
+        }),
+        paymentRepo.find({
+          where: { deleted: false, createdAt: MoreThanOrEqual(start) },
+          select: ["id", "status", "method", "amount", "createdAt"]
+        }),
+        productRepo.find({
+          where: { deleted: false },
+          select: ["id", "name", "quantity"]
+        })
+      ]);
+      const saleOrderIds = salesOrders.map((o) => o.id);
+      const orderItems = saleOrderIds.length ? await itemRepo.find({
+        where: { orderId: In(saleOrderIds) },
+        select: ["id", "orderId", "productId", "quantity", "total"]
+      }) : [];
+      const grossSales = salesOrders.reduce((sum, o) => sum + toNum(o.subtotal), 0);
+      const discounts = salesOrders.reduce((sum, o) => sum + toNum(o.discount), 0);
+      const taxes = salesOrders.reduce((sum, o) => sum + toNum(o.tax), 0);
+      const returnsValue = returnOrders.reduce((sum, o) => sum + toNum(o.total), 0);
+      const replacementsValue = replacementOrders.reduce((sum, o) => sum + toNum(o.total), 0);
+      const netSales = grossSales - discounts - returnsValue;
+      const ordersCount = salesOrders.length;
+      const aov = ordersCount > 0 ? netSales / ordersCount : 0;
+      const returnRate = ordersCount > 0 ? returnOrders.length / ordersCount * 100 : 0;
+      const salesByDate = /* @__PURE__ */ new Map();
+      const returnsByDate = /* @__PURE__ */ new Map();
+      for (const o of salesOrders) {
+        const key = toIsoDate(new Date(o.createdAt));
+        const row = salesByDate.get(key) ?? { value: 0, orders: 0 };
+        row.value += toNum(o.total);
+        row.orders += 1;
+        salesByDate.set(key, row);
+      }
+      for (const o of returnOrders) {
+        const key = toIsoDate(new Date(o.createdAt));
+        const row = returnsByDate.get(key) ?? { value: 0, count: 0 };
+        row.value += toNum(o.total);
+        row.count += 1;
+        returnsByDate.set(key, row);
+      }
+      const salesOverTime = [];
+      const returnsTrend = [];
+      for (let i = days - 1; i >= 0; i--) {
+        const d = new Date(end.getTime() - i * 24 * 60 * 60 * 1e3);
+        const key = toIsoDate(d);
+        const sales = salesByDate.get(key) ?? { value: 0, orders: 0 };
+        const returns = returnsByDate.get(key) ?? { value: 0, count: 0 };
+        salesOverTime.push({ date: key, value: Number(sales.value.toFixed(2)), orders: sales.orders });
+        returnsTrend.push({ date: key, value: Number(returns.value.toFixed(2)), count: returns.count });
+      }
+      const productNameMap = /* @__PURE__ */ new Map();
+      for (const p of products) productNameMap.set(Number(p.id), (p.name || `Product #${p.id}`).trim());
+      const productAgg = /* @__PURE__ */ new Map();
+      for (const item of orderItems) {
+        const productId = Number(item.productId);
+        const productName = productNameMap.get(productId) || `Product #${productId}`;
+        const row = productAgg.get(productId) ?? { name: productName, units: 0, sales: 0 };
+        row.units += toNum(item.quantity);
+        row.sales += toNum(item.total);
+        productAgg.set(productId, row);
+      }
+      const topProducts = Array.from(productAgg.values()).sort((a, b) => b.sales - a.sales).slice(0, 5).map((p) => ({ ...p, sales: Number(p.sales.toFixed(2)) }));
+      const allSaleOrderContactIds = Array.from(new Set(salesOrders.map((o) => Number(o.contactId)).filter((n) => Number.isInteger(n) && n > 0)));
+      const allTimeCounts = allSaleOrderContactIds.length ? await orderRepo.createQueryBuilder("o").select("o.contactId", "contactId").addSelect("COUNT(*)", "total").where("o.deleted = :deleted", { deleted: false }).andWhere("o.orderKind = :orderKind", { orderKind: "sale" }).andWhere("o.contactId IN (:...contactIds)", { contactIds: allSaleOrderContactIds }).groupBy("o.contactId").getRawMany() : [];
+      const countMap = /* @__PURE__ */ new Map();
+      for (const c of allTimeCounts) countMap.set(Number(c.contactId), Number(c.total));
+      const purchasingCustomers = allSaleOrderContactIds.length;
+      const returningCustomers = allSaleOrderContactIds.filter((id) => (countMap.get(id) ?? 0) > 1).length;
+      const newCustomers = Math.max(0, purchasingCustomers - returningCustomers);
+      const returningCustomerRate = purchasingCustomers > 0 ? returningCustomers / purchasingCustomers * 100 : 0;
+      const totalPayments = payments.length;
+      const completedPayments = payments.filter((p) => p.status === "completed").length;
+      const failedPayments = payments.filter((p) => p.status === "failed").length;
+      const paymentSuccessRate = totalPayments > 0 ? completedPayments / totalPayments * 100 : 0;
+      const paymentMethodMap = /* @__PURE__ */ new Map();
+      for (const p of payments) {
+        const method = (p.method || "unknown").toLowerCase();
+        const row = paymentMethodMap.get(method) ?? { method, count: 0, amount: 0 };
+        row.count += 1;
+        row.amount += toNum(p.amount);
+        paymentMethodMap.set(method, row);
+      }
+      const paymentMethods = Array.from(paymentMethodMap.values()).sort((a, b) => b.count - a.count).map((p) => ({ ...p, amount: Number(p.amount.toFixed(2)) }));
+      const totalInventory = products.reduce((sum, p) => sum + toNum(p.quantity), 0);
+      const outOfStockCount = products.filter((p) => toNum(p.quantity) <= 0).length;
+      const lowStockCount = products.filter((p) => toNum(p.quantity) > 0 && toNum(p.quantity) <= 5).length;
+      const inventoryRisk = {
+        outOfStockCount,
+        lowStockCount,
+        totalInventory
+      };
+      return json({
+        rangeDays: days,
+        kpis: {
+          netSales: Number(netSales.toFixed(2)),
+          grossSales: Number(grossSales.toFixed(2)),
+          ordersPlaced: ordersCount,
+          averageOrderValue: Number(aov.toFixed(2)),
+          returningCustomerRate: Number(returningCustomerRate.toFixed(2)),
+          returnRate: Number(returnRate.toFixed(2)),
+          returnValue: Number(returnsValue.toFixed(2)),
+          discounts: Number(discounts.toFixed(2)),
+          taxes: Number(taxes.toFixed(2)),
+          paymentSuccessRate: Number(paymentSuccessRate.toFixed(2))
+        },
+        salesOverTime,
+        topProducts,
+        customerMix: {
+          newCustomers,
+          returningCustomers,
+          repeatPurchaseRate: Number(returningCustomerRate.toFixed(2))
+        },
+        returnsTrend,
+        paymentPerformance: {
+          successCount: completedPayments,
+          failedCount: failedPayments,
+          successRate: Number(paymentSuccessRate.toFixed(2)),
+          methods: paymentMethods
+        },
+        conversionProxy: {
+          sessions: 0,
+          checkoutStarted: 0,
+          ordersPlaced: ordersCount
+        },
+        salesBreakdown: {
+          sales: { count: ordersCount, value: Number(grossSales.toFixed(2)) },
+          returns: { count: returnOrders.length, value: Number(returnsValue.toFixed(2)) },
+          replacements: { count: replacementOrders.length, value: Number(replacementsValue.toFixed(2)) }
+        },
+        geoPerformance: [],
+        inventoryRisk
+      });
+    } catch {
+      return json({ error: "Failed to fetch ecommerce analytics" }, { status: 500 });
+    }
+  };
+}
 function createAnalyticsHandlers(config) {
   const { json, getAnalyticsData, getPropertyId, getPermissions } = config;
   return {
@@ -1123,8 +1723,27 @@ function createAnalyticsHandlers(config) {
   };
 }
 function createUploadHandler(config) {
-  const { json, requireAuth, requireEntityPermission, storage, localUploadDir = "public/uploads", allowedTypes, maxSizeBytes = 10 * 1024 * 1024 } = config;
-  const allowed = allowedTypes ?? ["image/jpeg", "image/png", "image/gif", "image/webp", "application/pdf", "text/plain"];
+  const {
+    json,
+    requireAuth,
+    requireEntityPermission,
+    storage,
+    localUploadDir = "public/uploads",
+    allowedTypes,
+    maxSizeBytes = 10 * 1024 * 1024,
+    dataSource,
+    entityMap
+  } = config;
+  const allowed = allowedTypes ?? [
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/webp",
+    "application/pdf",
+    "text/plain",
+    "application/zip",
+    "application/x-zip-compressed"
+  ];
   return async function POST(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
@@ -1137,28 +1756,92 @@ function createUploadHandler(config) {
       const file = formData.get("file");
       if (!file) return json({ error: "No file uploaded" }, { status: 400 });
       if (!allowed.includes(file.type)) return json({ error: "File type not allowed" }, { status: 400 });
-      if (file.size > maxSizeBytes) return json({ error: "File size exceeds limit" }, { status: 400 });
+      const defaultMax = 10 * 1024 * 1024;
+      const maxZipBytes = 80 * 1024 * 1024;
+      const baseMax = maxSizeBytes ?? defaultMax;
+      const effectiveMax = file.type === "application/zip" || file.type === "application/x-zip-compressed" ? Math.max(baseMax, maxZipBytes) : baseMax;
+      if (file.size > effectiveMax) return json({ error: "File size exceeds limit" }, { status: 400 });
+      const parentRaw = formData.get("parentId");
+      let parentId = null;
+      if (parentRaw != null && String(parentRaw).trim() !== "") {
+        const n = Number(parentRaw);
+        if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
+        parentId = n;
+      }
+      let folder = "";
+      if (parentId != null) {
+        if (!dataSource || !entityMap?.media) {
+          return json({ error: "Upload handler needs dataSource and entityMap for folder uploads" }, { status: 400 });
+        }
+        const repo = dataSource.getRepository(entityMap.media);
+        const p = await repo.findOne({ where: { id: parentId } });
+        if (!p || p.kind !== "folder") {
+          return json({ error: "parent must be a folder" }, { status: 400 });
+        }
+        folder = await relativePathFromMediaParentId(dataSource, entityMap, parentId);
+      } else {
+        const folderRawLegacy = formData.get("folder") ?? formData.get("folderPath");
+        if (folderRawLegacy && typeof folderRawLegacy === "string" && folderRawLegacy.trim()) {
+          folder = sanitizeMediaFolderPath(folderRawLegacy);
+        }
+      }
       const buffer = Buffer.from(await file.arrayBuffer());
       const fileName = `${Date.now()}-${file.name}`;
       const contentType = file.type || "application/octet-stream";
+      const relativeUnderUploads = folder ? `${folder}/${fileName}` : fileName;
       const raw = typeof storage === "function" ? storage() : storage;
       const storageService = raw instanceof Promise ? await raw : raw;
       if (storageService) {
-        const fileUrl = await storageService.upload(buffer, `uploads/${fileName}`, contentType);
-        return json({ filePath: fileUrl });
+        const fileUrl = await storageService.upload(buffer, `uploads/${relativeUnderUploads}`, contentType);
+        return json({ filePath: fileUrl, parentId });
       }
       const fs = await import("fs/promises");
       const path = await import("path");
       const dir = path.join(process.cwd(), localUploadDir);
-      await fs.mkdir(dir, { recursive: true });
-      const filePath = path.join(dir, fileName);
+      const filePath = path.join(dir, relativeUnderUploads);
+      await fs.mkdir(path.dirname(filePath), { recursive: true });
       await fs.writeFile(filePath, buffer);
-      return json({ filePath: `/${localUploadDir.replace(/^\/+/, "").replace(/\\/g, "/")}/${fileName}` });
+      const urlRel = `${localUploadDir.replace(/^\/+/, "").replace(/\\/g, "/")}/${relativeUnderUploads.replace(/\\/g, "/")}`;
+      return json({ filePath: `/${urlRel}`, parentId });
     } catch (err) {
       return json({ error: "File upload failed" }, { status: 500 });
     }
   };
 }
+function createMediaZipExtractHandler(config) {
+  const { json, requireAuth, requireEntityPermission, storage, localUploadDir = "public/uploads", dataSource, entityMap } = config;
+  return async function POST(_req, zipMediaId) {
+    const authErr = await requireAuth(_req);
+    if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(_req, "media", "create");
+      if (pe) return pe;
+    }
+    if (!dataSource || !entityMap?.media) {
+      return json({ error: "Media extract requires dataSource and entityMap" }, { status: 500 });
+    }
+    const id = Number(zipMediaId);
+    if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+    const repo = dataSource.getRepository(entityMap.media);
+    const row = await repo.findOne({ where: { id } });
+    if (!row) return json({ error: "Not found" }, { status: 404 });
+    try {
+      const raw = typeof storage === "function" ? storage() : storage;
+      const storageService = raw instanceof Promise ? await raw : raw;
+      const result = await extractZipMediaIntoParentTree({
+        dataSource,
+        entityMap,
+        zipMediaRow: row,
+        storage: storageService,
+        localUploadDir
+      });
+      return json({ ok: true, ...result });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Extract failed";
+      return json({ error: msg }, { status: 400 });
+    }
+  };
+}
 function createBlogBySlugHandler(config) {
   const { dataSource, entityMap, json } = config;
   return async function GET(_req, slug) {
@@ -2300,6 +2983,7 @@ function createCmsApiHandler(config) {
     getCms,
     userAuth: userAuthConfig,
     dashboard,
+    ecommerceAnalytics,
     analytics: analyticsConfig,
     upload,
     blogBySlug,
@@ -2366,8 +3050,28 @@ function createCmsApiHandler(config) {
   });
   const userAuthRouter = userAuth ? createUserAuthApiRouter(userAuth) : null;
   const dashboardGet = dashboard ? createDashboardStatsHandler(mergePerm(dashboard) ?? dashboard) : null;
+  const ecommerceAnalyticsResolved = mergePerm(
+    ecommerceAnalytics ?? {
+      dataSource,
+      entityMap,
+      json: config.json,
+      requireAuth: config.requireAuth
+    }
+  ) ?? {
+    dataSource,
+    entityMap,
+    json: config.json,
+    requireAuth: config.requireAuth
+  };
+  const ecommerceAnalyticsGet = createEcommerceAnalyticsHandler(ecommerceAnalyticsResolved);
   const analyticsHandlers = analytics ? createAnalyticsHandlers(analytics) : null;
-  const uploadPost = upload ? createUploadHandler(mergePerm(upload) ?? upload) : null;
+  const uploadMerged = upload ? {
+    ...mergePerm(upload) ?? upload,
+    dataSource: upload.dataSource ?? dataSource,
+    entityMap: upload.entityMap ?? entityMap
+  } : null;
+  const uploadPost = uploadMerged ? createUploadHandler(uploadMerged) : null;
+  const zipExtractPost = uploadMerged ? createMediaZipExtractHandler(uploadMerged) : null;
   const blogBySlugGet = blogBySlug ? createBlogBySlugHandler(blogBySlug) : null;
   const formBySlugGet = formBySlug ? createFormBySlugHandler(formBySlug) : null;
   const formSaveHandlers = formSaveConfig ? createFormSaveHandlers(mergePerm(formSaveConfig) ?? formSaveConfig) : null;
@@ -2416,6 +3120,11 @@ function createCmsApiHandler(config) {
       if (path[0] === "dashboard" && path[1] === "stats" && path.length === 2 && method === "GET" && dashboardGet) {
         return dashboardGet(req);
       }
+      if (path[0] === "dashboard" && path[1] === "ecommerce" && path.length === 2 && method === "GET" && ecommerceAnalyticsGet) {
+        const g = await analyticsGate();
+        if (g) return g;
+        return ecommerceAnalyticsGet(req);
+      }
       if (path[0] === "analytics" && analyticsHandlers) {
         if (path.length === 1 && method === "GET") {
           const g = await analyticsGate();
@@ -2434,6 +3143,9 @@ function createCmsApiHandler(config) {
         }
       }
       if (path[0] === "upload" && path.length === 1 && method === "POST" && uploadPost) return uploadPost(req);
+      if (path[0] === "media" && path[1] === "extract" && path.length === 3 && method === "POST" && zipExtractPost) {
+        return zipExtractPost(req, path[2]);
+      }
       if (path[0] === "blogs" && path[1] === "slug" && path.length === 3 && method === "GET" && blogBySlugGet) {
         return blogBySlugGet(req, path[2]);
       }
@@ -2516,6 +3228,29 @@ function createCmsApiHandler(config) {
         if (!Number.isFinite(oid)) return config.json({ error: "Invalid id" }, { status: 400 });
         return streamOrderInvoicePdf2(cms, dataSource, entityMap, oid, {});
       }
+      if (path[0] === "orders" && path.length === 3 && path[2] === "repost-erp" && getCms) {
+        const a = await config.requireAuth(req);
+        if (a) return a;
+        if (perm) {
+          const pe = await perm(req, "orders", method === "GET" ? "read" : "update");
+          if (pe) return pe;
+        }
+        const oid = Number(path[1]);
+        if (!Number.isFinite(oid)) return config.json({ error: "Invalid id" }, { status: 400 });
+        const cms = await getCms();
+        const { isErpIntegrationEnabled: isErpIntegrationEnabled3 } = await Promise.resolve().then(() => (init_erp_config_enabled(), erp_config_enabled_exports));
+        const enabled = await isErpIntegrationEnabled3(cms, dataSource, entityMap);
+        if (method === "GET") {
+          return config.json({ enabled });
+        }
+        if (method === "POST") {
+          if (!enabled) return config.json({ error: "ERP integration is disabled" }, { status: 409 });
+          const { queueErpPaidOrderForOrderId: queueErpPaidOrderForOrderId2 } = await Promise.resolve().then(() => (init_paid_order_erp(), paid_order_erp_exports));
+          await queueErpPaidOrderForOrderId2(cms, dataSource, entityMap, oid);
+          return config.json({ ok: true });
+        }
+        return config.json({ error: "Method not allowed" }, { status: 405 });
+      }
       if (path.length === 0) return config.json({ error: "Not found" }, { status: 404 });
       const resource = resolveResource(path[0]);
       if (!crudResources.includes(resource)) return config.json({ error: "Invalid resource" }, { status: 400 });
@@ -2548,7 +3283,7 @@ function createCmsApiHandler(config) {
 }
 
 // src/api/storefront-handlers.ts
-import { In, IsNull as IsNull3 } from "typeorm";
+import { In as In2, IsNull as IsNull4 } from "typeorm";
 
 // src/lib/is-valid-signup-email.ts
 var MAX_EMAIL = 254;
@@ -2808,7 +3543,7 @@ async function queueSms(cms, payload) {
 
 // src/lib/otp-challenge.ts
 import { createHmac, randomInt, timingSafeEqual } from "crypto";
-import { IsNull as IsNull2, MoreThan as MoreThan2 } from "typeorm";
+import { IsNull as IsNull3, MoreThan as MoreThan2 } from "typeorm";
 var OTP_TTL_MS = 10 * 60 * 1e3;
 var MAX_SENDS_PER_HOUR = 5;
 var MAX_VERIFY_ATTEMPTS = 8;
@@ -2856,7 +3591,7 @@ async function createOtpChallenge(dataSource, entityMap, input) {
   await repo.delete({
     purpose,
     identifier,
-    consumedAt: IsNull2()
+    consumedAt: IsNull3()
   });
   const expiresAt = new Date(Date.now() + OTP_TTL_MS);
   const codeHash = hashOtpCode(code, purpose, identifier, pepper);
@@ -2877,7 +3612,7 @@ async function verifyAndConsumeOtpChallenge(dataSource, entityMap, input) {
   const { purpose, identifier, code, pepper } = input;
   const repo = dataSource.getRepository(entityMap.otp_challenges);
   const row = await repo.findOne({
-    where: { purpose, identifier, consumedAt: IsNull2() },
+    where: { purpose, identifier, consumedAt: IsNull3() },
     order: { id: "DESC" }
   });
   if (!row) {
@@ -2944,6 +3679,152 @@ function createStorefrontApiHandler(config) {
   const tokenRepo = () => dataSource.getRepository(entityMap.password_reset_tokens);
   const collectionRepo = () => dataSource.getRepository(entityMap.collections);
   const groupRepo = () => dataSource.getRepository(entityMap.user_groups);
+  const configRepo = () => dataSource.getRepository(entityMap.configs);
+  const CART_CHECKOUT_RELATIONS = ["items", "items.product", "items.product.taxes", "items.product.taxes.tax"];
+  function roundMoney2(n) {
+    return Math.round(n * 100) / 100;
+  }
+  async function getStoreDefaultTaxRate() {
+    const rows = await configRepo().find({ where: { settings: "store", deleted: false } });
+    for (const row of rows) {
+      const r = row;
+      if (r.key === "defaultTaxRate") {
+        const n = parseFloat(String(r.value ?? "").trim());
+        return Number.isFinite(n) && n >= 0 ? n : null;
+      }
+    }
+    return null;
+  }
+  function computeTaxForProductLine(p, lineSubtotal, defaultRate) {
+    const pts = p.taxes ?? [];
+    const activePts = pts.filter((pt) => {
+      const t = pt.tax;
+      return t != null && t.active !== false;
+    });
+    if (activePts.length) {
+      let sumRate = 0;
+      const slugs = [];
+      for (const pt of activePts) {
+        const t = pt.tax;
+        const r = Number(pt.rate != null && pt.rate !== "" ? pt.rate : t.rate ?? 0);
+        if (Number.isFinite(r)) sumRate += r;
+        const slug = String(t.slug ?? "").trim();
+        if (slug) slugs.push(slug);
+      }
+      const tax = roundMoney2(lineSubtotal * sumRate / 100);
+      return {
+        tax,
+        taxRate: sumRate > 0 ? roundMoney2(sumRate) : null,
+        taxCode: slugs.length ? [...new Set(slugs)].sort().join(",") : null
+      };
+    }
+    if (defaultRate != null && defaultRate > 0) {
+      return {
+        tax: roundMoney2(lineSubtotal * defaultRate / 100),
+        taxRate: roundMoney2(defaultRate),
+        taxCode: null
+      };
+    }
+    return { tax: 0, taxRate: null, taxCode: null };
+  }
+  function parseInlineAddress(raw) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) return null;
+    const o = raw;
+    const line1 = String(o.line1 ?? "").trim();
+    if (!line1) return null;
+    return {
+      line1,
+      line2: o.line2 != null ? String(o.line2) : "",
+      city: o.city != null ? String(o.city) : "",
+      state: o.state != null ? String(o.state) : "",
+      postalCode: o.postalCode != null ? String(o.postalCode) : "",
+      country: o.country != null ? String(o.country) : ""
+    };
+  }
+  function intFromBody(v) {
+    if (typeof v === "number" && Number.isInteger(v)) return v;
+    if (typeof v === "string" && /^\d+$/.test(v)) return parseInt(v, 10);
+    return void 0;
+  }
+  async function resolveCheckoutAddress(contactId, idVal, inlineVal) {
+    const aid = intFromBody(idVal);
+    if (aid != null) {
+      const existing = await addressRepo().findOne({
+        where: { id: aid, contactId }
+      });
+      if (!existing) return { id: null, error: "Address not found" };
+      return { id: aid };
+    }
+    const addr = parseInlineAddress(inlineVal);
+    if (addr) {
+      const saved = await addressRepo().save(
+        addressRepo().create({
+          contactId,
+          line1: addr.line1,
+          line2: addr.line2?.trim() ? addr.line2 : null,
+          city: addr.city?.trim() ? addr.city : null,
+          state: addr.state?.trim() ? addr.state : null,
+          postalCode: addr.postalCode?.trim() ? addr.postalCode : null,
+          country: addr.country?.trim() ? addr.country : null
+        })
+      );
+      return { id: saved.id };
+    }
+    return { id: null };
+  }
+  async function prepareCheckoutFromCart(b, cart, contactId) {
+    const defaultRate = await getStoreDefaultTaxRate();
+    const lines = [];
+    let subtotal = 0;
+    let orderTax = 0;
+    let needsShipping = false;
+    for (const it of cart.items || []) {
+      const p = it.product;
+      if (!p || p.deleted || p.status !== "available") continue;
+      const unit = Number(p.price);
+      const qty = it.quantity || 1;
+      const lineSubtotal = unit * qty;
+      const pType = p.type === "service" ? "service" : "product";
+      if (pType === "product") needsShipping = true;
+      const { tax, taxRate, taxCode } = computeTaxForProductLine(p, lineSubtotal, defaultRate);
+      const lineTotal = roundMoney2(lineSubtotal + tax);
+      subtotal = roundMoney2(subtotal + lineSubtotal);
+      orderTax = roundMoney2(orderTax + tax);
+      lines.push({
+        productId: p.id,
+        quantity: qty,
+        unitPrice: unit,
+        tax,
+        total: lineTotal,
+        hsn: p.hsn ?? null,
+        uom: p.uom ?? null,
+        productType: pType,
+        taxRate,
+        taxCode
+      });
+    }
+    if (!lines.length) return { ok: false, status: 400, message: "No available items in cart" };
+    const bill = await resolveCheckoutAddress(contactId, b.billingAddressId, b.billingAddress);
+    if (bill.error) return { ok: false, status: 400, message: bill.error };
+    if (bill.id == null) return { ok: false, status: 400, message: "Billing address required" };
+    const ship = await resolveCheckoutAddress(contactId, b.shippingAddressId, b.shippingAddress);
+    if (ship.error) return { ok: false, status: 400, message: ship.error };
+    let shippingAddressId = ship.id;
+    if (needsShipping && shippingAddressId == null) shippingAddressId = bill.id;
+    if (needsShipping && shippingAddressId == null) {
+      return { ok: false, status: 400, message: "Shipping address required" };
+    }
+    const orderTotal = roundMoney2(subtotal + orderTax);
+    return {
+      ok: true,
+      lines,
+      subtotal,
+      orderTax,
+      orderTotal,
+      billingAddressId: bill.id,
+      shippingAddressId
+    };
+  }
   async function syncContactToErp(contact) {
     if (!getCms) return;
     try {
@@ -2965,7 +3846,7 @@ function createStorefrontApiHandler(config) {
     const u = await userRepo().findOne({ where: { id: userId } });
     if (!u) return null;
     const unclaimed = await contactRepo().findOne({
-      where: { email: u.email, userId: IsNull3(), deleted: false }
+      where: { email: u.email, userId: IsNull4(), deleted: false }
     });
     if (unclaimed) {
       await contactRepo().update(unclaimed.id, { userId });
@@ -3069,6 +3950,7 @@ function createStorefrontApiHandler(config) {
             slug: p.slug,
             price: p.price,
             sku: p.sku,
+            type: p.type === "service" ? "service" : "product",
             image: primaryProductImageUrl(p.metadata)
           } : null
         };
@@ -3096,6 +3978,8 @@ function createStorefrontApiHandler(config) {
       slug: p.slug,
       sku: p.sku,
       hsn: p.hsn,
+      uom: p.uom ?? null,
+      type: p.type === "service" ? "service" : "product",
       price: p.price,
       compareAtPrice: p.compareAtPrice,
       status: p.status,
@@ -3797,7 +4681,7 @@ function createStorefrontApiHandler(config) {
             contactId = contact.id;
             cart = await cartRepo().findOne({
               where: { contactId },
-              relations: ["items", "items.product"]
+              relations: [...CART_CHECKOUT_RELATIONS]
             });
           } else {
             const email = String(b.email ?? "").trim();
@@ -3830,25 +4714,14 @@ function createStorefrontApiHandler(config) {
             if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
             cart = await cartRepo().findOne({
               where: { guestToken },
-              relations: ["items", "items.product"]
+              relations: [...CART_CHECKOUT_RELATIONS]
             });
           }
           if (!cart || !(cart.items || []).length) {
             return json({ error: "Cart is empty" }, { status: 400 });
           }
-          let subtotal = 0;
-          const lines = [];
-          for (const it of cart.items || []) {
-            const p = it.product;
-            if (!p || p.deleted || p.status !== "available") continue;
-            const unit = Number(p.price);
-            const qty = it.quantity || 1;
-            const lineTotal = unit * qty;
-            subtotal += lineTotal;
-            lines.push({ productId: p.id, quantity: qty, unitPrice: unit, tax: 0, total: lineTotal });
-          }
-          if (!lines.length) return json({ error: "No available items in cart" }, { status: 400 });
-          const total = subtotal;
+          const prepOrd = await prepareCheckoutFromCart(b, cart, contactId);
+          if (!prepOrd.ok) return json({ error: prepOrd.message }, { status: prepOrd.status });
           const cartId = cart.id;
           const ord = await orderRepo().save(
             orderRepo().create({
@@ -3856,13 +4729,13 @@ function createStorefrontApiHandler(config) {
               orderKind: "sale",
               parentOrderId: null,
               contactId,
-              billingAddressId: typeof b.billingAddressId === "number" ? b.billingAddressId : null,
-              shippingAddressId: typeof b.shippingAddressId === "number" ? b.shippingAddressId : null,
+              billingAddressId: prepOrd.billingAddressId,
+              shippingAddressId: prepOrd.shippingAddressId,
               status: "pending",
-              subtotal,
-              tax: 0,
+              subtotal: prepOrd.subtotal,
+              tax: prepOrd.orderTax,
               discount: 0,
-              total,
+              total: prepOrd.orderTotal,
               currency: cart.currency || "INR",
               metadata: { cartId }
             })
@@ -3871,7 +4744,7 @@ function createStorefrontApiHandler(config) {
           await orderRepo().update(oid, {
             orderNumber: buildCanonicalOrderNumber("sale", oid, ord.createdAt ?? /* @__PURE__ */ new Date())
           });
-          for (const line of lines) {
+          for (const line of prepOrd.lines) {
             await orderItemRepo().save(
               orderItemRepo().create({
                 orderId: oid,
@@ -3879,14 +4752,21 @@ function createStorefrontApiHandler(config) {
                 quantity: line.quantity,
                 unitPrice: line.unitPrice,
                 tax: line.tax,
-                total: line.total
+                total: line.total,
+                hsn: line.hsn,
+                uom: line.uom,
+                productType: line.productType,
+                taxRate: line.taxRate,
+                taxCode: line.taxCode
               })
             );
           }
           return json({
             orderId: oid,
             orderNumber: ord.orderNumber,
-            total,
+            subtotal: prepOrd.subtotal,
+            tax: prepOrd.orderTax,
+            total: prepOrd.orderTotal,
             currency: cart.currency || "INR"
           });
         }
@@ -3904,7 +4784,7 @@ function createStorefrontApiHandler(config) {
             contactId = contact.id;
             cart = await cartRepo().findOne({
               where: { contactId },
-              relations: ["items", "items.product"]
+              relations: [...CART_CHECKOUT_RELATIONS]
             });
           } else {
             const email = String(b.email ?? "").trim();
@@ -3937,38 +4817,27 @@ function createStorefrontApiHandler(config) {
             if (!guestToken) return json({ error: "Cart not found" }, { status: 400 });
             cart = await cartRepo().findOne({
               where: { guestToken },
-              relations: ["items", "items.product"]
+              relations: [...CART_CHECKOUT_RELATIONS]
             });
           }
           if (!cart || !(cart.items || []).length) {
             return json({ error: "Cart is empty" }, { status: 400 });
           }
-          let subtotal = 0;
-          const lines = [];
-          for (const it of cart.items || []) {
-            const p = it.product;
-            if (!p || p.deleted || p.status !== "available") continue;
-            const unit = Number(p.price);
-            const qty = it.quantity || 1;
-            const lineTotal = unit * qty;
-            subtotal += lineTotal;
-            lines.push({ productId: p.id, quantity: qty, unitPrice: unit, tax: 0, total: lineTotal });
-          }
-          if (!lines.length) return json({ error: "No available items in cart" }, { status: 400 });
-          const total = subtotal;
+          const prepChk = await prepareCheckoutFromCart(b, cart, contactId);
+          if (!prepChk.ok) return json({ error: prepChk.message }, { status: prepChk.status });
           const ord = await orderRepo().save(
             orderRepo().create({
               orderNumber: temporaryOrderNumberPlaceholder(),
               orderKind: "sale",
               parentOrderId: null,
               contactId,
-              billingAddressId: typeof b.billingAddressId === "number" ? b.billingAddressId : null,
-              shippingAddressId: typeof b.shippingAddressId === "number" ? b.shippingAddressId : null,
+              billingAddressId: prepChk.billingAddressId,
+              shippingAddressId: prepChk.shippingAddressId,
               status: "pending",
-              subtotal,
-              tax: 0,
+              subtotal: prepChk.subtotal,
+              tax: prepChk.orderTax,
               discount: 0,
-              total,
+              total: prepChk.orderTotal,
               currency: cart.currency || "INR"
             })
           );
@@ -3976,7 +4845,7 @@ function createStorefrontApiHandler(config) {
           await orderRepo().update(oid, {
             orderNumber: buildCanonicalOrderNumber("sale", oid, ord.createdAt ?? /* @__PURE__ */ new Date())
           });
-          for (const line of lines) {
+          for (const line of prepChk.lines) {
             await orderItemRepo().save(
               orderItemRepo().create({
                 orderId: oid,
@@ -3984,7 +4853,12 @@ function createStorefrontApiHandler(config) {
                 quantity: line.quantity,
                 unitPrice: line.unitPrice,
                 tax: line.tax,
-                total: line.total
+                total: line.total,
+                hsn: line.hsn,
+                uom: line.uom,
+                productType: line.productType,
+                taxRate: line.taxRate,
+                taxCode: line.taxCode
               })
             );
           }
@@ -3993,7 +4867,9 @@ function createStorefrontApiHandler(config) {
           return json({
             orderId: oid,
             orderNumber: ord.orderNumber,
-            total
+            subtotal: prepChk.subtotal,
+            tax: prepChk.orderTax,
+            total: prepChk.orderTotal
           });
         }
         if (path[0] === "orders" && path.length === 1 && method === "GET") {
@@ -4011,7 +4887,7 @@ function createStorefrontApiHandler(config) {
           const previewByOrder = {};
           if (orderIds.length) {
             const oItems = await orderItemRepo().find({
-              where: { orderId: In(orderIds) },
+              where: { orderId: In2(orderIds) },
               relations: ["product"],
               order: { id: "ASC" }
             });
@@ -4143,9 +5019,11 @@ export {
   createCrudByIdHandler,
   createCrudHandler,
   createDashboardStatsHandler,
+  createEcommerceAnalyticsHandler,
   createForgotPasswordHandler,
   createFormBySlugHandler,
   createInviteAcceptHandler,
+  createMediaZipExtractHandler,
   createSetPasswordHandler,
   createSettingsApiHandlers,
   createStorefrontApiHandler,