create-brainerce-store 1.43.0 → 1.43.2

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "create-brainerce-store",
-      version: "1.43.0",
+      version: "1.43.2",
       description: "Scaffold a production-ready e-commerce storefront connected to Brainerce",
       bin: {
         "create-brainerce-store": "dist/index.js"
@@ -172,12 +172,12 @@ var ALLOWED_PACKAGE_MANAGERS = [
   "bun"
 ];
 var BRAINERCE_RUNTIME_DEPS = Object.freeze({
-  // 1.27 = first published cut with client.content namespace (FAQ / Footer /
-  // Header / Announcement / RichText / Page) + getDirectionForLocale helper.
-  // Scaffolded stores need this minimum to use the content components shipped
-  // under src/components/content/ and the homepage RichTextBlock mount-point.
-  // 1.26 had the namespace in source but was published before the cut.
-  brainerce: "^1.27.0",
+  // 1.28 = first cut after the PriceList API removal + the FX-driven display
+  // pricing rework (Product.displayPrice / displayCurrency / displaySalePrice
+  // attached additively when getProducts is called with a regionId). Older
+  // 1.27 had PriceList/Resolved* surface that no longer exists on the
+  // backend, so scaffolded stores must pin >=1.28 to compile.
+  brainerce: "^1.28.0",
   "isomorphic-dompurify": "^3.8.0"
 });
 
@@ -555,7 +555,10 @@ async function fetchStoreInfo(connectionId, baseUrl = KNOWN_API_URLS.production)
   const timeout = setTimeout(() => controller.abort(), 1e4);
   let res;
   try {
-    res = await fetch(url, { signal: controller.signal });
+    res = await fetch(url, {
+      signal: controller.signal,
+      headers: { Origin: "http://localhost" }
+    });
   } catch (err) {
     if (err.name === "AbortError") {
       throw new Error(`Request to ${baseUrl} timed out`);

package/messages/en.json

@@ -11,6 +11,7 @@
     "no": "No",
     "total": "Total",
     "subtotal": "Subtotal",
+    "subtotalExclTax": "Subtotal (excl. tax)",
     "discount": "Discount",
     "generalDiscount": "General Discount",
     "couponDiscount": "Coupon",

package/messages/he.json

@@ -11,6 +11,7 @@
     "no": "לא",
     "total": "סה\"כ",
     "subtotal": "סיכום ביניים",
+    "subtotalExclTax": "סיכום ביניים (לפני מע\"מ)",
     "discount": "הנחה",
     "generalDiscount": "הנחה כללית",
     "couponDiscount": "קופון",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-brainerce-store",
-  "version": "1.43.0",
+  "version": "1.43.2",
   "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
   "bin": {
     "create-brainerce-store": "dist/index.js"

package/templates/nextjs/base/next.config.ts

@@ -1,69 +1,68 @@
-import type { NextConfig } from 'next';
-
-// Build-time invariant — fail loud if NEXT_PUBLIC_STORE_CURRENCY is missing
-// for a production build. Next.js inlines NEXT_PUBLIC_* into the client
-// bundle at `next build` time; once inlined, the value cannot be patched at
-// deploy time. A missing env here is the root cause of non-USD stores ending
-// up with `$5,096` baked into their HTML (and indexed by Googlebot).
-//
-// In dev (`next dev`) we only warn, so local-only experiments don't break.
-if (!process.env.NEXT_PUBLIC_STORE_CURRENCY) {
-  const msg =
-    'NEXT_PUBLIC_STORE_CURRENCY is not set.\n' +
-    'Next.js inlines NEXT_PUBLIC_* vars into the client bundle at build time;\n' +
-    'a missing value will silently fall back to USD in storefront price displays\n' +
-    'and ship that to search-engine crawlers. Set it in .env.local (written by\n' +
-    'create-brainerce-store) or in your CI / hosting build env (Coolify / Vercel).';
-  if (process.env.NODE_ENV === 'production') {
-    throw new Error(`[next.config] ${msg}`);
-  } else {
-    // eslint-disable-next-line no-console
-    console.warn(`[next.config] warning: ${msg}`);
-  }
-}
-
-const nextConfig: NextConfig = {
-  // isomorphic-dompurify ships jsdom, which at runtime reads stylesheet files
-  // from its own package directory. Webpack bundling breaks those relative
-  // lookups — loading it externally from node_modules keeps the paths intact.
-  serverExternalPackages: ['isomorphic-dompurify'],
-  images: {
-    // The storefront is a consumer of the Brainerce API — it has to render
-    // whatever image URLs the API returns. In practice those URLs can be on
-    // cdn.brainerce.com OR on an upstream merchant host (WooCommerce, Shopify,
-    // self-hosted) depending on whether the product's image-import job has
-    // completed on the backend. Rather than hard-fail on unknown hosts, skip
-    // the server-side optimizer entirely and let the browser fetch each image
-    // directly from origin. No server-side fetching → no SSRF or DoS surface
-    // on this Next server. Trade-off: no webp/resize/lazy optimization, so
-    // LCP is marginally worse. Acceptable; the storefront is not the right
-    // layer to enforce a hostname policy.
-    unoptimized: true,
-  },
-  async headers() {
-    return [
-      {
-        source: '/(.*)',
-        headers: [
-          {
-            key: 'Strict-Transport-Security',
-            value: 'max-age=63072000; includeSubDomains; preload',
-          },
-          { key: 'X-Content-Type-Options', value: 'nosniff' },
-          // SAMEORIGIN (not DENY) so iframe-based payment providers (e.g. Cardcom)
-          // can redirect the iframe back to /payment-complete on the storefront
-          // itself after a successful charge — the postMessage relay needs the
-          // parent frame to be able to render our own same-origin page.
-          { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
-          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
-          {
-            key: 'Permissions-Policy',
-            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
-          },
-        ],
-      },
-    ];
-  },
-};
-
-export default nextConfig;
+import type { NextConfig } from 'next';
+
+// Build-time invariant — fail loud if NEXT_PUBLIC_STORE_CURRENCY is missing
+// for a production build. Next.js inlines NEXT_PUBLIC_* into the client
+// bundle at `next build` time; once inlined, the value cannot be patched at
+// deploy time. A missing env here is the root cause of non-USD stores ending
+// up with `$5,096` baked into their HTML (and indexed by Googlebot).
+//
+// In dev (`next dev`) we only warn, so local-only experiments don't break.
+if (!process.env.NEXT_PUBLIC_STORE_CURRENCY) {
+  const msg =
+    'NEXT_PUBLIC_STORE_CURRENCY is not set.\n' +
+    'Next.js inlines NEXT_PUBLIC_* vars into the client bundle at build time;\n' +
+    'a missing value will silently fall back to USD in storefront price displays\n' +
+    'and ship that to search-engine crawlers. Set it in .env.local (written by\n' +
+    'create-brainerce-store) or in your CI / hosting build env (Coolify / Vercel).';
+  if (process.env.NODE_ENV === 'production') {
+    throw new Error(`[next.config] ${msg}`);
+  } else {
+    console.warn(`[next.config] warning: ${msg}`);
+  }
+}
+
+const nextConfig: NextConfig = {
+  // isomorphic-dompurify ships jsdom, which at runtime reads stylesheet files
+  // from its own package directory. Webpack bundling breaks those relative
+  // lookups — loading it externally from node_modules keeps the paths intact.
+  serverExternalPackages: ['isomorphic-dompurify'],
+  images: {
+    // The storefront is a consumer of the Brainerce API — it has to render
+    // whatever image URLs the API returns. In practice those URLs can be on
+    // cdn.brainerce.com OR on an upstream merchant host (WooCommerce, Shopify,
+    // self-hosted) depending on whether the product's image-import job has
+    // completed on the backend. Rather than hard-fail on unknown hosts, skip
+    // the server-side optimizer entirely and let the browser fetch each image
+    // directly from origin. No server-side fetching → no SSRF or DoS surface
+    // on this Next server. Trade-off: no webp/resize/lazy optimization, so
+    // LCP is marginally worse. Acceptable; the storefront is not the right
+    // layer to enforce a hostname policy.
+    unoptimized: true,
+  },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=63072000; includeSubDomains; preload',
+          },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          // SAMEORIGIN (not DENY) so iframe-based payment providers (e.g. Cardcom)
+          // can redirect the iframe back to /payment-complete on the storefront
+          // itself after a successful charge — the postMessage relay needs the
+          // parent frame to be able to render our own same-origin page.
+          { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
+          },
+        ],
+      },
+    ];
+  },
+};
+
+export default nextConfig;

package/templates/nextjs/base/scripts/fetch-store-info.mjs

@@ -1,93 +1,98 @@
-/* global process, console, fetch */
-/* eslint-disable no-console */
-/**
- * Setup script: fetches store info from Brainerce using the connection ID
- * and saves NEXT_PUBLIC_STORE_NAME (and other public fields) to .env.local.
- *
- * Run: node scripts/fetch-store-info.mjs
- */
-
-import { readFileSync, writeFileSync, existsSync } from 'fs';
-import { join } from 'path';
-
-const envPath = join(process.cwd(), '.env.local');
-
-if (!existsSync(envPath)) {
-  console.error(
-    '❌  .env.local not found. Create it first with NEXT_PUBLIC_BRAINERCE_SALES_CHANNEL_ID set.'
-  );
-  process.exit(1);
-}
-
-const envContent = readFileSync(envPath, 'utf-8');
-
-function getVar(content, key) {
-  const match = content.match(new RegExp(`^${key}=(.*)$`, 'm'));
-  return match ? match[1].trim() : null;
-}
-
-function setVar(content, key, value) {
-  const regex = new RegExp(`^${key}=.*$`, 'm');
-  if (regex.test(content)) {
-    return content.replace(regex, `${key}=${value}`);
-  }
-  return content.trimEnd() + `\n${key}=${value}\n`;
-}
-
-// Read either env var name. The new one is preferred; the old one is a soft
-// alias kept for backwards compatibility — the SDK accepts both.
-const connectionId =
-  getVar(envContent, 'NEXT_PUBLIC_BRAINERCE_SALES_CHANNEL_ID') ||
-  getVar(envContent, 'NEXT_PUBLIC_BRAINERCE_CONNECTION_ID');
-const apiUrl = (getVar(envContent, 'BRAINERCE_API_URL') || 'https://api.brainerce.com').replace(
-  /\/$/,
-  ''
-);
-
-if (!connectionId) {
-  console.error(
-    '❌  NEXT_PUBLIC_BRAINERCE_SALES_CHANNEL_ID is not set in .env.local'
-  );
-  process.exit(1);
-}
-
-console.log(`Fetching store info for sales channel: ${connectionId} ...`);
-
-let storeInfo;
-try {
-  const res = await fetch(`${apiUrl}/api/vc/${connectionId}/info`);
-  if (!res.ok) {
-    console.error(`❌  API returned ${res.status}: ${await res.text()}`);
-    process.exit(1);
-  }
-  storeInfo = await res.json();
-} catch (err) {
-  console.error(`❌  Failed to reach ${apiUrl}: ${err.message}`);
-  process.exit(1);
-}
-
-const name = storeInfo.name;
-const currency = storeInfo.currency;
-
-if (!name) {
-  console.error('❌  Store info response has no `name` field:', storeInfo);
-  process.exit(1);
-}
-// Currency is NOT NULL in the backend schema — a response without it
-// is a real backend bug, not a "use the default" signal. Fail loud rather
-// than silently leaving the env stale (which would bake the previous
-// value into the next client bundle build).
-if (!currency) {
-  console.error('❌  Store info response has no `currency` field:', storeInfo);
-  process.exit(1);
-}
-
-let updated = envContent;
-updated = setVar(updated, 'NEXT_PUBLIC_STORE_NAME', name);
-updated = setVar(updated, 'NEXT_PUBLIC_STORE_CURRENCY', currency);
-
-writeFileSync(envPath, updated, 'utf-8');
-
-console.log(`✓ NEXT_PUBLIC_STORE_NAME=${name}`);
-console.log(`✓ NEXT_PUBLIC_STORE_CURRENCY=${currency}`);
-console.log('Done. Restart the dev server for changes to take effect.');
+/* global process, console, fetch */
+/* eslint-disable no-console */
+/**
+ * Setup script: fetches store info from Brainerce using the connection ID
+ * and saves NEXT_PUBLIC_STORE_NAME (and other public fields) to .env.local.
+ *
+ * Run: node scripts/fetch-store-info.mjs
+ */
+
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const envPath = join(process.cwd(), '.env.local');
+
+if (!existsSync(envPath)) {
+  console.error(
+    '❌  .env.local not found. Create it first with NEXT_PUBLIC_BRAINERCE_SALES_CHANNEL_ID set.'
+  );
+  process.exit(1);
+}
+
+const envContent = readFileSync(envPath, 'utf-8');
+
+function getVar(content, key) {
+  const match = content.match(new RegExp(`^${key}=(.*)$`, 'm'));
+  return match ? match[1].trim() : null;
+}
+
+function setVar(content, key, value) {
+  const regex = new RegExp(`^${key}=.*$`, 'm');
+  if (regex.test(content)) {
+    return content.replace(regex, `${key}=${value}`);
+  }
+  return content.trimEnd() + `\n${key}=${value}\n`;
+}
+
+// Read either env var name. The new one is preferred; the old one is a soft
+// alias kept for backwards compatibility — the SDK accepts both.
+const connectionId =
+  getVar(envContent, 'NEXT_PUBLIC_BRAINERCE_SALES_CHANNEL_ID') ||
+  getVar(envContent, 'NEXT_PUBLIC_BRAINERCE_CONNECTION_ID');
+const apiUrl = (getVar(envContent, 'BRAINERCE_API_URL') || 'https://api.brainerce.com').replace(
+  /\/$/,
+  ''
+);
+
+if (!connectionId) {
+  console.error('❌  NEXT_PUBLIC_BRAINERCE_SALES_CHANNEL_ID is not set in .env.local');
+  process.exit(1);
+}
+
+console.log(`Fetching store info for sales channel: ${connectionId} ...`);
+
+let storeInfo;
+try {
+  // /api/vc/* enforces an Origin check: TEST channels accept local/tunnel
+  // hosts, LIVE channels require the configured domain. Prefer the project's
+  // own NEXT_PUBLIC_SITE_URL (the real domain for a LIVE store), falling back
+  // to localhost for local dev against a TEST channel.
+  const siteUrl = getVar(envContent, 'NEXT_PUBLIC_SITE_URL') || 'http://localhost:3000';
+  const res = await fetch(`${apiUrl}/api/vc/${connectionId}/info`, {
+    headers: { Origin: siteUrl },
+  });
+  if (!res.ok) {
+    console.error(`❌  API returned ${res.status}: ${await res.text()}`);
+    process.exit(1);
+  }
+  storeInfo = await res.json();
+} catch (err) {
+  console.error(`❌  Failed to reach ${apiUrl}: ${err.message}`);
+  process.exit(1);
+}
+
+const name = storeInfo.name;
+const currency = storeInfo.currency;
+
+if (!name) {
+  console.error('❌  Store info response has no `name` field:', storeInfo);
+  process.exit(1);
+}
+// Currency is NOT NULL in the backend schema — a response without it
+// is a real backend bug, not a "use the default" signal. Fail loud rather
+// than silently leaving the env stale (which would bake the previous
+// value into the next client bundle build).
+if (!currency) {
+  console.error('❌  Store info response has no `currency` field:', storeInfo);
+  process.exit(1);
+}
+
+let updated = envContent;
+updated = setVar(updated, 'NEXT_PUBLIC_STORE_NAME', name);
+updated = setVar(updated, 'NEXT_PUBLIC_STORE_CURRENCY', currency);
+
+writeFileSync(envPath, updated, 'utf-8');
+
+console.log(`✓ NEXT_PUBLIC_STORE_NAME=${name}`);
+console.log(`✓ NEXT_PUBLIC_STORE_CURRENCY=${currency}`);
+console.log('Done. Restart the dev server for changes to take effect.');