@tagadapay/plugin-sdk 3.1.25 → 4.0.2

package/dist/v2/core/utils/clickIdResolver.js

@@ -0,0 +1,169 @@
+/**
+ * Click-ID resolver — pure, runtime-agnostic utility.
+ *
+ * Many ad-trackers (ClickFlare, Voluum, Binom, RedTrack, ClickMagick, …) all
+ * follow the same pattern: assign a `click_id` on the visitor's first ad-click
+ * on the lander, then expect that id to flow end-to-end (lander → checkout →
+ * thank-you) so they can match a server postback to the original visit.
+ *
+ * This module:
+ *   - Resolves the click id from URL query params (preferred — survives the
+ *     redirect chain) and first-party cookies (fallback — set by the tracker's
+ *     lander script).
+ *   - Publishes the resolved value to `window.TagadaPay.tracking` so merchant-
+ *     authored postback snippets in `stepConfig.scripts` can read it without
+ *     re-implementing URL/cookie scraping.
+ *
+ * No React, no SDK class dependencies — works from React provider, standalone
+ * SDK, the studio builder, the external-tracker bundle, or a raw <script>.
+ *
+ * The lists are intentionally explicit (not regexes) so we never accidentally
+ * promote a random param to a "click id" — they are the exact identifiers
+ * documented by each tracker / ad platform.
+ */
+// -----------------------------------------------------------------------------
+// Configuration — explicit allow-lists
+// -----------------------------------------------------------------------------
+/** URL query-param names ad trackers / ad platforms use for click ids.
+ *
+ * Order matters — the resolver returns the FIRST matching entry, so put
+ * tracker-specific canonical names BEFORE generic fallbacks like
+ * `click_id` or `clickid`. This is why ClickFlare's `cf_click_id` comes
+ * before `click_id`, and why the per-tracker canonical token (`cid` for
+ * Voluum, `rtkclickid` for RedTrack, `cmc_tid` for ClickMagick) comes
+ * first within its own block.
+ */
+export const CLICK_ID_URL_PARAMS = Object.freeze([
+    // Postback ad-trackers (most specific first)
+    'cf_click_id', // ClickFlare canonical
+    'cid', // Voluum canonical (also: ClickFlare receiving-side)
+    'rtkclickid', // RedTrack canonical
+    'cmc_tid', // ClickMagick canonical (replaces legacy #S2#)
+    'cmc_id', // ClickMagick legacy
+    'cmcid', // ClickMagick alt
+    'clickid', // Generic affiliate-network token (Binom, RedTrack, Voluum, …)
+    'click_id', // Generic snake_case (ClickFlare, ClickMagick, …)
+    // Ad-platform native click ids
+    'gclid', // Google Ads
+    'gbraid', // Google Ads (iOS app)
+    'wbraid', // Google Ads (web→app)
+    'fbclid', // Meta
+    'msclkid', // Microsoft Ads
+    'ttclid', // TikTok
+    'twclid', // X / Twitter
+    'li_fat_id', // LinkedIn
+    'epik', // Pinterest
+    'dclid', // Display & Video 360
+    'yclid', // Yandex
+    'irclickid', // Impact
+]);
+/** Cookie names ad trackers store their click ids under.
+ *
+ * Same ordering rule as URL params: canonical first-party cookies first
+ * (e.g. `rtkclickid-store` for RedTrack), legacy fallbacks last.
+ */
+export const CLICK_ID_COOKIES = Object.freeze([
+    // ClickFlare
+    'cf_click_id',
+    'cfclid',
+    // RedTrack — `rtkclickid-store` is the canonical first-party cookie
+    // set by RedTrack's Universal Tracking Script.
+    'rtkclickid-store',
+    '_rtkclickid',
+    'rtkclickid',
+    // Voluum
+    '_voluum',
+    '_voluumclickid',
+    // Binom
+    '_binom',
+    '_binomclickid',
+    // ClickMagick
+    '_mck',
+    'cmcid',
+    // Other
+    'skro-click-id', // Skro
+    'click_id', // generic catch-all (last)
+]);
+// -----------------------------------------------------------------------------
+// Pure resolution
+// -----------------------------------------------------------------------------
+function readCookie(name) {
+    if (typeof document === 'undefined' || !document.cookie)
+        return null;
+    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const m = document.cookie.match(new RegExp('(?:^|; )' + escaped + '=([^;]*)'));
+    if (!m)
+        return null;
+    try {
+        return decodeURIComponent(m[1]);
+    }
+    catch {
+        return m[1];
+    }
+}
+function readUrlParam(search, name) {
+    if (!search)
+        return null;
+    try {
+        return new URLSearchParams(search).get(name);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve the visitor's click id. Pure — no side effects, safe in SSR.
+ *
+ * Resolution order:
+ *   1. URL params (in CLICK_ID_URL_PARAMS order) — most authoritative.
+ *   2. Cookies   (in CLICK_ID_COOKIES order)     — fallback.
+ */
+export function resolveClickId() {
+    const all = {};
+    let clickId = null;
+    let source = null;
+    let key = null;
+    const search = typeof window !== 'undefined' ? window.location?.search ?? '' : '';
+    for (const name of CLICK_ID_URL_PARAMS) {
+        const v = readUrlParam(search, name);
+        if (v) {
+            all[`url:${name}`] = v;
+            if (clickId === null) {
+                clickId = v;
+                source = 'url';
+                key = name;
+            }
+        }
+    }
+    for (const name of CLICK_ID_COOKIES) {
+        const v = readCookie(name);
+        if (v) {
+            all[`cookie:${name}`] = v;
+            if (clickId === null) {
+                clickId = v;
+                source = 'cookie';
+                key = name;
+            }
+        }
+    }
+    return { clickId, source, key, all };
+}
+// -----------------------------------------------------------------------------
+// Browser-side publication
+// -----------------------------------------------------------------------------
+/**
+ * Resolve and merge tracking metadata into `window.TagadaPay.tracking`.
+ *
+ * Idempotent and namespace-safe: we only ever touch the `tracking` key, never
+ * other namespaces (e.g. `order` set by the thank-you page).
+ *
+ * Returns the published value, or `null` when called outside a browser.
+ */
+export function publishTrackingGlobal() {
+    if (typeof window === 'undefined')
+        return null;
+    const resolved = resolveClickId();
+    const tracking = { ...resolved, resolvedAt: Date.now() };
+    window.TagadaPay = { ...(window.TagadaPay ?? {}), tracking };
+    return tracking;
+}

package/dist/v2/core/utils/index.d.ts

@@ -13,3 +13,5 @@ export * from './orderBump';
 export * from './sessionStorage';
 export * from './funnelQueryKeys';
 export * from './configHotReload';
+export * from './metaEventId';
+export * from './clickIdResolver';

package/dist/v2/core/utils/index.js

@@ -14,3 +14,7 @@ export * from './sessionStorage';
 export * from './funnelQueryKeys';
 // Config hot reload for live preview editing
 export * from './configHotReload';
+// Meta CAPI / browser pixel deduplication helper.
+export * from './metaEventId';
+// Click-id resolver for ad-tracker integrations (ClickFlare, Voluum, Binom, …)
+export * from './clickIdResolver';

package/dist/v2/core/utils/metaEventId.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Stable event_id helper for Meta CAPI / browser pixel deduplication.
+ *
+ * The browser side (`fbq('track', name, params, { eventID })`) and the server
+ * side (`ServerEvent.setEventId(...)`) must publish the same value to let Meta
+ * dedup. This helper is the single source of truth for the formula, mirrored
+ * on the server in `src/app/services/meta/meta-event-id.ts`. A parity test in
+ * the server package keeps them byte-identical.
+ *
+ * Convention: `${eventName}_${entityId}`. Different event names get different
+ * IDs even when fired for the same entity (e.g. a Purchase + Subscribe pair on
+ * the same order), so each dedups independently.
+ */
+export declare function makeMetaEventId(eventName: string, entityId: string): string;

package/dist/v2/core/utils/metaEventId.js

@@ -0,0 +1,16 @@
+/**
+ * Stable event_id helper for Meta CAPI / browser pixel deduplication.
+ *
+ * The browser side (`fbq('track', name, params, { eventID })`) and the server
+ * side (`ServerEvent.setEventId(...)`) must publish the same value to let Meta
+ * dedup. This helper is the single source of truth for the formula, mirrored
+ * on the server in `src/app/services/meta/meta-event-id.ts`. A parity test in
+ * the server package keeps them byte-identical.
+ *
+ * Convention: `${eventName}_${entityId}`. Different event names get different
+ * IDs even when fired for the same entity (e.g. a Purchase + Subscribe pair on
+ * the same order), so each dedups independently.
+ */
+export function makeMetaEventId(eventName, entityId) {
+    return `${eventName}_${entityId}`;
+}

package/dist/v2/index.d.ts

@@ -9,6 +9,7 @@ export * from './core/googleAutocomplete';
 export * from './core/isoData';
 export * from './core/utils/configHotReload';
 export * from './core/utils/currency';
+export * from './core/utils/metaEventId';
 export * from './core/utils/pluginConfig';
 export * from './core/utils/previewMode';
 export { injectPreviewModeIndicator, isIndicatorInjected, removePreviewModeIndicator } from './core/utils/previewModeIndicator';
@@ -16,6 +17,10 @@ export * from './core/utils/products';
 export { getAssignedPaymentFlowId, getAssignedScripts, getAssignedStaticResources, getAssignedResources, getAssignedStepConfig, getAssignedOrderBumpOfferIds, getAssignedUpsellOfferIds, getLocalFunnelConfig, getEnabledMethods, getExpressMethods, getExpressMethodsByProcessor, findMethod, isMethodEnabled, loadLocalFunnelConfig } from './core/funnelClient';
 export type { LocalFunnelConfig, PaymentMethodConfig, PaymentSetupConfig, PaymentSetupMethod, PixelsConfig, RuntimeStepConfig } from './core/funnelClient';
 export * from './core/pathRemapping';
+export { bootstrapPixelTrackerFromWindow, createPixelTracker, } from './core/pixelTracker';
+export type { PixelTracker, TrackOptions } from './core/pixelTracker';
+export type { PixelProviderKey } from './core/pixelMapping';
+export { makeMetaEventId } from './core/utils/metaEventId';
 export type { CheckoutData, CheckoutInitParams, CheckoutLineItem, CheckoutSession, CheckoutSessionPreview, Promotion } from './core/resources/checkout';
 export type { Order, OrderLineItem } from './core/utils/order';
 export type { PostPurchaseOffer, PostPurchaseOfferItem, PostPurchaseOfferSummary } from './core/resources/postPurchases';
@@ -31,6 +36,8 @@ export type { BackNavigationActionData, CartUpdatedActionData, DirectNavigationA
 export { ApplePayButton, StripeExpressButton, ExpressPaymentMethodsProvider, formatMoney, getAvailableLanguages, GooglePayButton, PreviewModeIndicator, queryKeys, TagadaProvider, useApiMutation, useApiQuery, useApplePayCheckout, useAuth, useCheckout, useCheckoutToken, useClubOffers, useCountryOptions, useCredits, useCurrency, useCustomer, useCustomerInfos, useCustomerOrders, useCustomerSubscriptions, useDiscounts, useExpressPaymentMethods, useFunnel, useFunnelLegacy, useGeoLocation, useGoogleAutocomplete, useGooglePayCheckout, useInvalidateQuery, useISOData, useLanguageImport, useLogin, useOffer, useOrder, useOrderBump, usePayment, usePaymentRetrieve, usePixelTracking, usePluginConfig, usePostPurchases, usePreloadQuery, usePreviewOffer, useProducts, usePromotions, useRegionOptions, useRemappableParams, useShippingRates, useSimpleFunnel, useStepConfig, useStoreConfig, useTagadaContext, useThreeds, useThreedsModal, useTranslation, useVipOffers, useSetPaymentMethod, WhopCheckout, useWhopPaymentPolling } from './react';
 export type { DebugScript } from './react';
 export type { PaymentMethodName } from './react';
+export { resolveClickId, publishTrackingGlobal, CLICK_ID_URL_PARAMS, CLICK_ID_COOKIES, } from './core/utils/clickIdResolver';
+export type { ResolvedClickId, TagadaTrackingGlobal, ClickIdSource, } from './core/utils/clickIdResolver';
 export type { TranslateFunction, TranslationText, UseTranslationOptions, UseTranslationResult } from './react/hooks/useTranslation';
 export type { FunnelContextValue } from './react/hooks/useFunnel';
 export type { UseApplePayCheckoutOptions } from './react/hooks/useApplePayCheckout';

package/dist/v2/index.js

@@ -10,6 +10,7 @@ export * from './core/googleAutocomplete';
 export * from './core/isoData';
 export * from './core/utils/configHotReload';
 export * from './core/utils/currency';
+export * from './core/utils/metaEventId';
 export * from './core/utils/pluginConfig';
 export * from './core/utils/previewMode';
 export { injectPreviewModeIndicator, isIndicatorInjected, removePreviewModeIndicator } from './core/utils/previewModeIndicator';
@@ -22,6 +23,15 @@ getEnabledMethods, getExpressMethods, getExpressMethodsByProcessor, findMethod,
 loadLocalFunnelConfig } from './core/funnelClient';
 // Path remapping helpers (framework-agnostic)
 export * from './core/pathRemapping';
+// Framework-agnostic pixel tracker (Studio entries bootstrap from this)
+export { bootstrapPixelTrackerFromWindow, createPixelTracker, } from './core/pixelTracker';
+// Stable event_id helper for Meta CAPI / browser pixel deduplication.
+// Re-exported here (already exposed via /v2/react) so framework-agnostic
+// Studio islands can import it from the same entry as bootstrapPixelTracker.
+export { makeMetaEventId } from './core/utils/metaEventId';
 export { FunnelActionType } from './core/resources/funnel';
 // React exports (hooks and components only, types are exported above)
 export { ApplePayButton, StripeExpressButton, ExpressPaymentMethodsProvider, formatMoney, getAvailableLanguages, GooglePayButton, PreviewModeIndicator, queryKeys, TagadaProvider, useApiMutation, useApiQuery, useApplePayCheckout, useAuth, useCheckout, useCheckoutToken, useClubOffers, useCountryOptions, useCredits, useCurrency, useCustomer, useCustomerInfos, useCustomerOrders, useCustomerSubscriptions, useDiscounts, useExpressPaymentMethods, useFunnel, useFunnelLegacy, useGeoLocation, useGoogleAutocomplete, useGooglePayCheckout, useInvalidateQuery, useISOData, useLanguageImport, useLogin, useOffer, useOrder, useOrderBump, usePayment, usePaymentRetrieve, usePixelTracking, usePluginConfig, usePostPurchases, usePreloadQuery, usePreviewOffer, useProducts, usePromotions, useRegionOptions, useRemappableParams, useShippingRates, useSimpleFunnel, useStepConfig, useStoreConfig, useTagadaContext, useThreeds, useThreedsModal, useTranslation, useVipOffers, useSetPaymentMethod, WhopCheckout, useWhopPaymentPolling } from './react';
+// Click-id resolver (ad-tracker integrations: ClickFlare, Voluum, Binom, …)
+// Re-exported from core so it's reachable from any entry point.
+export { resolveClickId, publishTrackingGlobal, CLICK_ID_URL_PARAMS, CLICK_ID_COOKIES, } from './core/utils/clickIdResolver';

package/dist/v2/react/components/ApplePayButton.js

@@ -9,6 +9,7 @@ import { getCurrencyInfo, minorUnitsToMajorUnits } from '../../../react/utils/mo
 import { useExpressPaymentMethods } from '../hooks/useExpressPaymentMethods';
 import { usePaymentQuery } from '../hooks/usePaymentQuery';
 import { useShippingRatesQuery } from '../hooks/useShippingRatesQuery';
+import { useStepConfig } from '../hooks/useStepConfig';
 // Helper function to convert Apple Pay contact to Address (matches CMS)
 const applePayContactToAddress = (contact) => {
     return {
@@ -52,6 +53,14 @@ export const ApplePayButton = ({ checkout, onSuccess, onError, onCancel }) => {
     const { applePayPaymentMethod, reComputeOrderSummary, shippingMethods, lineItems, handleAddExpressId, updateCheckoutSessionValues, updateCustomerEmail, setError: setContextError, } = useExpressPaymentMethods();
     const [processingPayment, setProcessingPayment] = useState(false);
     const [isApplePayAvailable, setIsApplePayAvailable] = useState(false);
+    // Per-step country allow-list (CRM-injected stepConfig). Empty/missing = all allowed.
+    const { stepConfig } = useStepConfig();
+    const countryAllowlist = useMemo(() => {
+        const list = stepConfig?.addressSettings?.countryAllowlist;
+        if (!list || list.length === 0)
+            return undefined;
+        return list.map((c) => c.toUpperCase());
+    }, [stepConfig]);
     // Get Basis Theory API key
     const basistheoryPublicKey = useMemo(() => getBasisTheoryApiKey(), []);
     // Use payment hook for proper payment processing
@@ -192,6 +201,7 @@ export const ApplePayButton = ({ checkout, onSuccess, onError, onCancel }) => {
             lineItems,
             requiredShippingContactFields: ['name', 'phone', 'email', 'postalAddress'],
             requiredBillingContactFields: ['postalAddress'],
+            ...(countryAllowlist ? { supportedCountries: countryAllowlist } : {}),
         };
         try {
             const session = new ApplePaySession(3, request);
@@ -216,6 +226,18 @@ export const ApplePayButton = ({ checkout, onSuccess, onError, onCancel }) => {
                         const billingContact = event.payment.billingContact;
                         const shippingAddress = applePayContactToAddress(shippingContact);
                         const billingAddress = applePayContactToAddress(billingContact);
+                        // Defense-in-depth: reject if wallet-returned country isn't in allowlist
+                        if (countryAllowlist &&
+                            shippingAddress.country &&
+                            !countryAllowlist.includes(shippingAddress.country.toUpperCase())) {
+                            console.error('[ApplePay] Shipping country not in allowlist:', shippingAddress.country);
+                            session.completePayment(ApplePaySession.STATUS_FAILURE);
+                            const errorMessage = 'Shipping to this country is not supported';
+                            setContextError(errorMessage);
+                            if (onError)
+                                onError(errorMessage);
+                            return;
+                        }
                         await updateCheckoutSessionValues({
                             data: {
                                 shippingAddress,
@@ -283,6 +305,33 @@ export const ApplePayButton = ({ checkout, onSuccess, onError, onCancel }) => {
             session.onshippingcontactselected = (event) => {
                 void (async () => {
                     const shippingContact = event.shippingContact;
+                    const contactCountry = (shippingContact?.countryCode || '').toUpperCase();
+                    // Defense-in-depth: surface an inline error in the Apple Pay sheet
+                    // when the selected shipping country isn't in the allow-list, so the
+                    // user can pick a valid address without restarting the flow.
+                    if (countryAllowlist && contactCountry && !countryAllowlist.includes(contactCountry)) {
+                        console.warn('[ApplePay] Selected shipping country not in allowlist:', contactCountry);
+                        const ApplePayErrorCtor = window.ApplePayError;
+                        const currentTotal = {
+                            label: checkout.checkoutSession.store?.name || 'Store',
+                            amount: minorUnitsToCurrencyString(checkout.summary?.totalAdjustedAmount ?? 0, checkout.summary?.currency),
+                            type: 'final',
+                        };
+                        const errors = ApplePayErrorCtor
+                            ? [new ApplePayErrorCtor('shippingContactInvalid', 'country', 'Shipping to this country is not supported')]
+                            : [{
+                                    code: 'shippingContactInvalid',
+                                    contactField: 'country',
+                                    message: 'Shipping to this country is not supported',
+                                }];
+                        session.completeShippingContactSelection({
+                            newTotal: currentTotal,
+                            newLineItems: lineItems,
+                            newShippingMethods: [],
+                            errors,
+                        });
+                        return;
+                    }
                     try {
                         await updateCheckoutSessionValues({
                             data: {
@@ -334,6 +383,7 @@ export const ApplePayButton = ({ checkout, onSuccess, onError, onCancel }) => {
         shippingMethods,
         lineItems,
         applePayPaymentMethod,
+        countryAllowlist,
         minorUnitsToCurrencyString,
         validateMerchant,
         tokenizeApplePay,

package/dist/v2/react/components/FunnelScriptInjector.js

@@ -1,6 +1,8 @@
 'use client';
 import { useCallback, useEffect, useMemo, useRef } from 'react';
 import { getAssignedStepConfig } from '../../core';
+import { useCheckoutQuery } from '../hooks/useCheckoutQuery';
+import { useOrderQuery } from '../hooks/useOrderQuery';
 /**
  * Parse script content that may contain multiple <script> and <noscript> tags.
  * Handles: external scripts (<script src="...">), inline scripts, noscript blocks,
@@ -110,6 +112,62 @@ export function FunnelScriptInjector({ context, isInitialized }) {
     // Track last injected scripts to prevent duplicate execution
     const lastInjectedScriptRef = useRef(null);
     const lastInjectedStepConfigScriptsRef = useRef(null);
+    // ─── Rich data bridging for window.Tagada (V1 parity) ───────────────
+    // The funnel context's resources only hold thin references. The rich
+    // checkout session (customer, items, amounts) and order data live in
+    // the shared React Query cache via useCheckoutQuery / useOrderQuery.
+    // Subscribe here and push onto window.Tagada so legacy scripts see the
+    // full shape they got in V1. useCheckoutQuery needs an explicit
+    // checkoutToken — read it from URL first, then fall back to the
+    // funnel-context resources.
+    const checkoutTokenFromUrlOrResources = useMemo(() => {
+        if (typeof window !== 'undefined') {
+            const fromUrl = new URLSearchParams(window.location.search).get('checkoutToken');
+            if (fromUrl)
+                return fromUrl;
+        }
+        const fromResources = context?.resources?.checkoutToken;
+        return typeof fromResources === 'string' ? fromResources : undefined;
+    }, [context?.resources]);
+    const { checkout: richCheckoutData } = useCheckoutQuery({
+        checkoutToken: checkoutTokenFromUrlOrResources,
+        enabled: !!checkoutTokenFromUrlOrResources,
+    });
+    const orderIdFromUrl = useMemo(() => {
+        if (typeof window === 'undefined')
+            return undefined;
+        const fromUrl = new URLSearchParams(window.location.search).get('orderId');
+        if (fromUrl)
+            return fromUrl;
+        // native-checkout v2 puts orderId in path /thankyou/<id>, not query.
+        // Funnel context resources already carry it — use that as fallback.
+        const fromResources = context?.resources?.order;
+        return fromResources?.id;
+    }, [context?.resources]);
+    const { order: richOrderData } = useOrderQuery({ orderId: orderIdFromUrl, enabled: !!orderIdFromUrl });
+    useEffect(() => {
+        if (typeof window === 'undefined')
+            return;
+        // @ts-expect-error - accessing window property
+        const T = window.Tagada;
+        if (!T)
+            return;
+        const prevRichCheckoutSession = T._richCheckoutSession || null;
+        const prevRichSummary = T._richOrderSummary || null;
+        const prevRichOrder = T._richOrder || null;
+        T._richCheckoutSession = richCheckoutData?.checkoutSession || null;
+        T._richOrderSummary = richCheckoutData?.summary || null;
+        T._richOrder = richOrderData || null;
+        if (T._richCheckoutSession !== prevRichCheckoutSession) {
+            T._fireCheckoutSessionUpdate?.({ checkoutSession: T._richCheckoutSession });
+        }
+        if (T._richOrderSummary !== prevRichSummary) {
+            T._fireOrderSummaryUpdate?.({ orderSummary: T._richOrderSummary });
+        }
+        if (T._richOrder !== prevRichOrder) {
+            T._fireOrderUpdate?.({ order: T._richOrder });
+        }
+    }, [richCheckoutData, richOrderData]);
     // Get stepConfig scripts from HTML injection or local config
     // Re-compute when initialized (local config loads async, so we need to re-check)
     const stepConfigScripts = useMemo(() => {
@@ -127,17 +185,47 @@ export function FunnelScriptInjector({ context, isInitialized }) {
             return;
         // @ts-expect-error - Adding utilities to window
         if (window.Tagada) {
+            // @ts-expect-error - Accessing window property
+            const prev = window.Tagada;
+            const prevResources = (prev.ressources || null);
+            const nextResources = (context?.resources || null);
             // Update properties if Tagada already exists
-            if (context?.currentStepId) {
-                // @ts-expect-error - Updating window property
-                window.Tagada.pageType = context.currentStepId;
+            prev.pageType = context?.currentStepId || null;
+            prev.isInitialized = isInitialized;
+            prev.ressources = nextResources;
+            prev.stepConfig = getAssignedStepConfig() || null;
+            prev.funnel = context
+                ? {
+                    sessionId: context.sessionId,
+                    funnelId: context.funnelId,
+                    currentStepId: context.currentStepId,
+                    previousStepId: context.previousStepId,
+                    ressources: context.resources,
+                }
+                : null;
+            // Fire V1-compat listeners when specific resources change.
+            // Support both V1 ("checkout") and native V2 ("checkoutSession") keys.
+            const prevCheckout = prevResources?.checkoutSession || prevResources?.checkout;
+            const nextCheckout = nextResources?.checkoutSession || nextResources?.checkout;
+            if (prevCheckout !== nextCheckout) {
+                prev._fireCheckoutSessionUpdate?.({ checkoutSession: nextCheckout || null });
+            }
+            const prevSummary = prevResources?.orderSummary || prevResources?.summary;
+            const nextSummary = nextResources?.orderSummary || nextResources?.summary;
+            if (prevSummary !== nextSummary) {
+                prev._fireOrderSummaryUpdate?.({ orderSummary: nextSummary || null });
+            }
+            const prevOrder = prevResources?.order;
+            const nextOrder = nextResources?.order;
+            if (prevOrder !== nextOrder) {
+                prev._fireOrderUpdate?.({ order: nextOrder || null });
             }
-            // @ts-expect-error - Updating window property
-            window.Tagada.isInitialized = isInitialized;
-            // @ts-expect-error - Updating window property
-            window.Tagada.ressources = context?.resources || null;
             return;
         }
+        // Listener registries (captured via closures — outlive re-renders on window.Tagada)
+        const checkoutSessionListeners = new Set();
+        const orderSummaryListeners = new Set();
+        const orderListeners = new Set();
         // @ts-expect-error - Adding utilities to window
         window.Tagada = {
             // Wait for DOM to be ready
@@ -261,9 +349,36 @@ export function FunnelScriptInjector({ context, isInitialized }) {
             pageType: context?.currentStepId || null,
             isInitialized: isInitialized,
             ressources: context?.resources || null,
-            // Convenience getters so scripts can use Tagada.order / Tagada.checkout
-            get order() { return this.ressources?.order || null; },
-            get checkout() { return this.ressources?.checkout || null; },
+            // Rich data caches bridged from React Query (useCheckoutQuery / useOrderQuery).
+            // Populated by the useEffect above. Prefer these over thin funnel-context refs.
+            _richCheckoutSession: null,
+            _richOrderSummary: null,
+            _richOrder: null,
+            // V1-compat: Tagada.order and Tagada.checkout.session return full data.
+            // Prefer React-Query-fetched data, fall back to funnel context resources.
+            get order() {
+                return this._richOrder || this.ressources?.order || null;
+            },
+            get checkout() {
+                const ressources = this.ressources;
+                const richSession = this._richCheckoutSession;
+                const richSummary = this._richOrderSummary;
+                const resource = richSession ||
+                    ressources?.checkoutSession ||
+                    ressources?.checkout ||
+                    null;
+                const orderSummary = richSummary ||
+                    ressources?.orderSummary ||
+                    ressources?.summary ||
+                    null;
+                if (!resource && !orderSummary)
+                    return null;
+                return {
+                    ...(resource || {}),
+                    session: resource,
+                    orderSummary,
+                };
+            },
             funnel: context
                 ? {
                     sessionId: context.sessionId,
@@ -274,6 +389,39 @@ export function FunnelScriptInjector({ context, isInitialized }) {
                 }
                 : null,
             stepConfig: getAssignedStepConfig() || null,
+            // V1-compat reactive listeners. Fire when the corresponding resource
+            // reference changes in the funnel context (see update branch above).
+            onCheckoutSessionUpdate: (cb) => {
+                checkoutSessionListeners.add(cb);
+                return () => checkoutSessionListeners.delete(cb);
+            },
+            onOrderSummaryUpdate: (cb) => {
+                orderSummaryListeners.add(cb);
+                return () => orderSummaryListeners.delete(cb);
+            },
+            onOrderUpdate: (cb) => {
+                orderListeners.add(cb);
+                return () => orderListeners.delete(cb);
+            },
+            // Internal fire hooks used by the update branch
+            _fireCheckoutSessionUpdate: (data) => checkoutSessionListeners.forEach(cb => { try {
+                cb(data);
+            }
+            catch (e) {
+                console.error('[Tagada] onCheckoutSessionUpdate listener threw:', e);
+            } }),
+            _fireOrderSummaryUpdate: (data) => orderSummaryListeners.forEach(cb => { try {
+                cb(data);
+            }
+            catch (e) {
+                console.error('[Tagada] onOrderSummaryUpdate listener threw:', e);
+            } }),
+            _fireOrderUpdate: (data) => orderListeners.forEach(cb => { try {
+                cb(data);
+            }
+            catch (e) {
+                console.error('[Tagada] onOrderUpdate listener threw:', e);
+            } }),
         };
     }, [context, isInitialized]);
     useEffect(() => {

package/dist/v2/react/components/GooglePayButton.js

@@ -8,6 +8,7 @@ import { useCallback, useEffect, useMemo, useState } from 'react';
 import { useExpressPaymentMethods } from '../hooks/useExpressPaymentMethods';
 import { usePaymentQuery } from '../hooks/usePaymentQuery';
 import { useShippingRatesQuery } from '../hooks/useShippingRatesQuery';
+import { useStepConfig } from '../hooks/useStepConfig';
 import { getBasisTheoryKeys } from '../../../config/basisTheory';
 export const GooglePayButton = ({ className = '', disabled = false, onSuccess, onError, onCancel, checkout, size = 'lg', buttonColor = 'black', buttonType = 'plain', requiresShipping: requiresShippingProp, }) => {
     const { googlePayPaymentMethod, shippingMethods, lineItems, handleAddExpressId, updateCheckoutSessionValues, updateCustomerEmail, reComputeOrderSummary, setError: setContextError, } = useExpressPaymentMethods();
@@ -33,6 +34,14 @@ export const GooglePayButton = ({ className = '', disabled = false, onSuccess, o
     const [processingPayment, setProcessingPayment] = useState(false);
     const [pendingPaymentData, setPendingPaymentData] = useState(null);
     const [googlePayError, setGooglePayError] = useState(null);
+    // Per-step country allow-list (CRM-injected stepConfig). Empty/missing = all allowed.
+    const { stepConfig } = useStepConfig();
+    const countryAllowlist = useMemo(() => {
+        const list = stepConfig?.addressSettings?.countryAllowlist;
+        if (!list || list.length === 0)
+            return undefined;
+        return list.map((c) => c.toUpperCase());
+    }, [stepConfig]);
     // Don't render if no Google Pay payment method is enabled
     if (!googlePayPaymentMethod) {
         return null;
@@ -124,6 +133,19 @@ export const GooglePayButton = ({ className = '', disabled = false, onSuccess, o
             if (paymentData.shippingAddress) {
                 shippingAddress = googlePayAddressToAddress(paymentData.shippingAddress);
             }
+            // Defense-in-depth: reject if wallet-returned country isn't in allowlist
+            if (countryAllowlist &&
+                shippingAddress?.country &&
+                !countryAllowlist.includes(shippingAddress.country.toUpperCase())) {
+                const msg = 'Shipping to this country is not supported';
+                console.error('[GooglePay] Shipping country not in allowlist:', shippingAddress.country);
+                setProcessingPayment(false);
+                setGooglePayError(msg);
+                setContextError(msg);
+                if (onError)
+                    onError(msg);
+                return;
+            }
             // Update checkout session with addresses before processing payment
             if (shippingAddress) {
                 await updateCheckoutSessionValues({
@@ -164,6 +186,7 @@ export const GooglePayButton = ({ className = '', disabled = false, onSuccess, o
         updateCustomerEmail,
         tokenizeGooglePayTokenWithBasisTheory,
         handleGooglePayPayment,
+        countryAllowlist,
         onSuccess,
         onError,
         setContextError,
@@ -193,6 +216,18 @@ export const GooglePayButton = ({ className = '', disabled = false, onSuccess, o
                     const paymentDataRequestUpdate = {};
                     if (intermediatePaymentData.callbackTrigger === 'SHIPPING_ADDRESS') {
                         const address = intermediatePaymentData.shippingAddress;
+                        const addressCountry = (address?.countryCode || '').toUpperCase();
+                        // Defense-in-depth: reject if selected country isn't in allowlist
+                        if (countryAllowlist && addressCountry && !countryAllowlist.includes(addressCountry)) {
+                            resolve({
+                                error: {
+                                    reason: 'SHIPPING_ADDRESS_UNSERVICEABLE',
+                                    message: 'Shipping to this country is not supported',
+                                    intent: 'SHIPPING_ADDRESS',
+                                },
+                            });
+                            return;
+                        }
                         const shippingAddress = {
                             address1: address?.addressLines?.[0] || '',
                             address2: address?.addressLines?.[1] || '',
@@ -270,7 +305,7 @@ export const GooglePayButton = ({ className = '', disabled = false, onSuccess, o
             };
             void processCallback();
         });
-    }, [updateCheckoutSessionValues, reComputeOrderSummary, checkout, selectRate]);
+    }, [updateCheckoutSessionValues, reComputeOrderSummary, checkout, selectRate, countryAllowlist]);
     // Handle payment authorization
     const handleGooglePayAuthorized = useCallback((paymentData) => {
         setPendingPaymentData(paymentData);
@@ -336,6 +371,9 @@ export const GooglePayButton = ({ className = '', disabled = false, onSuccess, o
             ? ['SHIPPING_OPTION', 'SHIPPING_ADDRESS', 'PAYMENT_AUTHORIZATION']
             : ['PAYMENT_AUTHORIZATION'],
         ...(requiresShipping && {
+            shippingAddressParameters: countryAllowlist
+                ? { allowedCountryCodes: countryAllowlist }
+                : undefined,
             shippingOptionParameters: {
                 defaultSelectedOptionId: checkout.checkoutSession?.shippingRate?.id ||
                     (shippingMethods.length > 0 ? shippingMethods[0].identifier : ''),