wiki-plugin-shoppe 0.0.35 → 0.0.37

package/CLAUDE.md

@@ -2,6 +2,8 @@
 
 Multi-tenant digital goods shoppe for Federated Wiki, powered by Sanora.
 
+**Current version**: 0.0.35
+
 ## Architecture
 
 Follows the Service-Bundling Plugin Pattern. Each tenant (seller/creator) gets their own Sanora user account, identified by a UUID and an 8-emoji emojicode (same format as BDO: 3 base + 5 unique from the EMOJI_PALETTE).
@@ -99,25 +101,16 @@ my-shoppe.zip
   "uuid": "your-uuid-from-registration",
   "emojicode": "🛍️🎨🎁🌟💎🐉📚🔥",
   "name": "My Shoppe",
-  "keywords": ["digital goods", "indie creator", "music", "books"]
+  "keywords": ["digital goods", "indie creator", "music", "books"],
+  "lightMode": false
 }
 ```
 
-`keywords` is optional. When present, it is stored in the tenant record and rendered as a `<meta name="keywords">` tag on the main shoppe page.
+`keywords` is optional. Stored in the tenant record and rendered as a `<meta name="keywords">` tag.
 
-`redirects` is optional. Each key is a content category (`books`, `music`, `posts`, `albums`, `products`, `appointments`, `subscriptions`) and the value is an external URL. When set, clicking any card in that category sends visitors to that URL instead of the plugin's built-in purchase/download pages. Example:
+`redirects` is optional. Each key is a content category and the value is an external URL. Clicking any card in that category sends visitors to that URL instead of the plugin's built-in pages.
 
-```json
-{
-  "uuid": "...",
-  "emojicode": "...",
-  "name": "My Shoppe",
-  "redirects": {
-    "books": "https://myauthorsite.com/books",
-    "music": "https://mybandcamp.com"
-  }
-}
-```
+`lightMode` is optional (default `false`). When `true`, the shoppe page uses light mode styling (white cards, `#f5f5f7` background, `#0066cc` accent). Default is dark mode (`#0f0f12` background, `#7ec8e3` accent). Stored in `tenants.json` and applied on every page load — no re-upload needed once set.
 
 ### books/*/info.json
 
@@ -183,6 +176,8 @@ preview = "ocean.jpg"
 
 The hero image is resolved automatically: `hero.jpg` or `hero.png` is used if present, otherwise the first image in the folder. Folder numeric prefix (`01-`, `02-`, …) sets display order.
 
+**Note:** If the image upload fails (e.g. 413 from nginx), the product metadata is still recorded in Sanora and the upload result still counts as a success with a warning. Re-uploading the archive will push the image without duplicating the product entry.
+
 ### appointments/*/info.json
 
 ```json
@@ -226,13 +221,15 @@ The hero image is resolved automatically: `hero.jpg` or `hero.png` is used if pr
 |--------|------|------|-------------|
 | `POST` | `/plugin/shoppe/register` | Owner | Register new tenant |
 | `GET`  | `/plugin/shoppe/tenants` | Owner | List all tenants |
-| `POST` | `/plugin/shoppe/upload` | UUID+emojicode in archive | Upload goods archive |
+| `POST` | `/plugin/shoppe/upload` | UUID+emojicode in archive | Upload goods archive (returns `{ jobId }` immediately) |
+| `GET`  | `/plugin/shoppe/upload/progress/:jobId` | Public | SSE stream of upload progress events |
 | `GET`  | `/plugin/shoppe/:id` | Public | Shoppe HTML page |
 | `GET`  | `/plugin/shoppe/:id/goods` | Public | Goods JSON |
 | `GET`  | `/plugin/shoppe/:id/goods?category=books` | Public | Filtered goods JSON |
-| `GET`  | `/plugin/shoppe/:id/book/:title` | Public | Appointment booking page |
+| `GET`  | `/plugin/shoppe/:id/music/feed` | Public | Music feed `{ albums, tracks }` built from Sanora products |
+| `GET`  | `/plugin/shoppe/:id/book/:title` | Public | Appointment booking page (standalone) |
 | `GET`  | `/plugin/shoppe/:id/book/:title/slots` | Public | Available slots JSON |
-| `GET`  | `/plugin/shoppe/:id/subscribe/:title` | Public | Subscription sign-up page |
+| `GET`  | `/plugin/shoppe/:id/subscribe/:title` | Public | Subscription sign-up page (standalone) |
 | `GET`  | `/plugin/shoppe/:id/membership` | Public | Membership portal |
 | `POST` | `/plugin/shoppe/:id/membership/check` | Public | Check subscription status |
 | `POST` | `/plugin/shoppe/:id/purchase/intent` | Public | Create Stripe payment intent |
@@ -245,12 +242,88 @@ The hero image is resolved automatically: `hero.jpg` or `hero.png` is used if pr
 
 `:id` accepts either UUID or emojicode.
 
+## Upload Flow (SSE Progress)
+
+The upload endpoint is non-blocking. The client POSTs the archive and immediately gets `{ jobId }`. It then opens an `EventSource` to `/plugin/shoppe/upload/progress/:jobId` and receives a stream of events:
+
+| Event | Data |
+|-------|------|
+| `start` | `{ total, name }` — total item count and shoppe name |
+| `progress` | `{ current, total, label }` — item number and human-readable label |
+| `warning` | `{ message }` — non-fatal issue (e.g. image upload failed) |
+| `complete` | `{ success, books, music, posts, … }` — final result counts |
+| `error` | `{ message }` — fatal upload failure |
+
+The progress stream is buffered for late-connecting clients. Jobs are cleaned up after 15 minutes.
+
+## Shoppe Page UI
+
+The shoppe page is a single-page app generated server-side by `generateShoppeHTML`. All tabs are lazy-initialized on first open.
+
+### Tabs and their UI patterns
+
+| Tab | Pattern |
+|-----|---------|
+| All | Card grid of everything |
+| Books | Card grid → buy page |
+| Music | Album grid → track list → fixed player bar |
+| Posts | Series cards → numbered parts list; standalones below |
+| Albums | Card grid |
+| Products | Card grid → buy page |
+| Videos | Card grid with inline player modal |
+| Appointments | Inline date strip → slot picker → booking form → Stripe |
+| Infuse | Inline tier cards with benefits → recovery key → Stripe |
+
+### Music Player
+
+The music tab fetches `/music/feed` on first open (lazy). The feed is built from Sanora products with `category: 'music'`. Products with multiple audio artifacts are treated as albums; single-artifact products are standalone tracks.
+
+The player bar is fixed at the bottom of the page and is always dark regardless of `lightMode`. Track titles default to "Track 1", "Track 2", etc. because Sanora stores artifacts by UUID (original filenames are not preserved).
+
+### Posts Hierarchy
+
+Post series are detected server-side by `category: 'post-series'` products. Parts are linked by `series:SeriesTitle` and `part:N` tags. The hierarchy is pre-computed in `generateShoppeHTML` and embedded as `_postsRaw` JSON so the client does no extra fetching.
+
+### Inline Subscriptions and Appointments
+
+Subscriptions and appointments are fully handled inline on the shoppe page — no navigation to separate pages. The full payment flow (recovery key → Stripe Elements → confirmation) runs inside expanding panels under each tier/appointment card. Data (`productId`, `renewalDays`, `benefits`, `timezone`, `duration`) is fetched from Sanora artifact JSON during `getShoppeGoods` and embedded in the page.
+
+## Theming
+
+The shoppe page is **dark mode by default**. All colors use CSS custom properties defined in `:root`:
+
+| Variable | Dark | Light |
+|----------|------|-------|
+| `--bg` | `#0f0f12` | `#f5f5f7` |
+| `--card-bg` | `#18181c` | `white` |
+| `--accent` | `#7ec8e3` | `#0066cc` |
+| `--text` | `#e8e8ea` | `#1d1d1f` |
+| `--border` | `#333` | `#ddd` |
+
+Set `"lightMode": true` in `manifest.json` and re-upload to switch a shoppe to light mode. The flag is stored in `tenants.json` so it persists across re-uploads. The music player bar is always dark in both modes.
+
+## UUID Alias / Redis Reset Recovery
+
+If Sanora's Redis is cleared, the tenant's UUID changes on the next `sanoraEnsureUser` call. The server handles this automatically:
+
+1. The old UUID is kept in `tenants.json` as a forwarding alias: `{ "old-uuid": "new-uuid-string", "new-uuid": { ...fullRecord } }`
+2. `getTenantByIdentifier` follows string values as aliases
+3. All subsequent uploads and page loads use the new UUID transparently
+
+If you encounter `Unknown UUID` errors after a Redis reset, manually add `"old-uuid": "new-uuid"` to `~/.shoppe/tenants.json`.
+
+## Resilience Features
+
+- **`sanoraCreateProductResilient`** — wraps `sanoraCreateProduct`. On 404/not-found mid-upload (Redis cleared), calls `sanoraEnsureUser`, updates `tenant.uuid`, and retries once.
+- **`fetchWithRetry`** — wraps `fetch`. On 429 Too Many Requests, backs off exponentially (1s → 2s → 4s) up to 3 retries.
+- **Image upload isolation** — product image upload failures are caught independently; the product entry is always recorded even if the image fails. A warning is emitted so the user can re-upload to fix just the image.
+
 ## Payment / Transfer Flow
 
 1. Buyer calls `POST /purchase/intent` → shoppe creates a buyer Addie user and calls `PUT /user/:buyerUuid/processor/stripe/intent` on Addie → returns `{ clientSecret, publishableKey }`
 2. Stripe.js confirms payment client-side (no redirect)
 3. Client extracts `paymentIntentId` from `clientSecret` (`clientSecret.split('_secret_')[0]`) and posts to `POST /purchase/complete` with `paymentIntentId`
-4. Server records the order in Sanora, then fires a **fire-and-forget** `POST ${addieUrl}/payment/${paymentIntentId}/process-transfers` — Addie splits the payment and routes it to the tenant's Stripe account (no auth required on this Addie endpoint)
+4. Server records the order in Sanora, then fires a **fire-and-forget** `POST ${addieUrl}/payment/${paymentIntentId}/process-transfers` — Addie splits the payment and routes it to the tenant's Stripe account
 
 **Important:** Transfers only flow to the owner after `node shoppe-sign.js payouts` has been run and Stripe Connect onboarding is complete.
 
@@ -264,6 +337,16 @@ export SHOPPE_BASE_EMOJI="🏪🎪🎁"
 export SANORA_PORT=7243
 ```
 
+## nginx Requirements
+
+The allyabase server's nginx must allow large uploads for books, audio, and images:
+
+```nginx
+client_max_body_size 50M;
+```
+
+Without this, epub/audio artifact uploads and large cover images will fail with 413. Apply to the relevant `server {}` block and reload: `sudo nginx -t && sudo systemctl reload nginx`.
+
 ## Supported File Types
 
 | Category | Extensions |
@@ -276,7 +359,9 @@ export SANORA_PORT=7243
 
 ## Storage
 
-Tenant registry: `.shoppe-tenants.json` (gitignored — contains private keys)
+- `~/.shoppe/tenants.json` — tenant registry (private keys + UUID aliases — gitignored)
+- `~/.shoppe/buyers.json` — buyer Addie keys, keyed by `recoveryKey + productId`
+- `~/.shoppe/config.json` — plugin config (sanoraUrl)
 
 Each tenant's goods are stored in Sanora under their own UUID.
 
@@ -288,6 +373,6 @@ Each tenant's goods are stored in Sanora under their own UUID.
   "form-data": "^4.0.0",
   "multer": "^1.4.5-lts.1",
   "node-fetch": "^2.6.1",
-  "sessionless-node": "^0.9.12"
+  "sessionless-node": "latest"
 }
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wiki-plugin-shoppe",
-  "version": "0.0.35",
+  "version": "0.0.37",
   "description": "Multi-tenant digital goods shoppe for federated wiki, powered by Sanora",
   "keywords": [
     "wiki",

package/server/server.js

@@ -107,6 +107,67 @@ async function getOrCreateBuyerAddieUser(recoveryKey, productId) {
   return buyer;
 }
 
+// ── Shoppere app: pubKey-based buyer auth ────────────────────────────────────
+
+// Verify a buyer-signed request from the Shoppere app.
+// Message convention: timestamp + pubKey  (mirrors Sessionless ecosystem standard)
+// Returns an error string on failure, null on success.
+function verifyBuyerSignature(pubKey, timestamp, signature, maxAgeMs = 5 * 60 * 1000) {
+  if (!pubKey || !timestamp || !signature) return 'pubKey, timestamp, and signature required';
+  const age = Date.now() - parseInt(timestamp, 10);
+  if (isNaN(age) || age < 0 || age > maxAgeMs) return 'Request expired';
+  if (!sessionless.verifySignature(signature, timestamp + pubKey, pubKey)) return 'Invalid signature';
+  return null;
+}
+
+// Like getOrCreateBuyerAddieUser but keyed by pubKey rather than a recoveryKey.
+// Prefixed 'pk:' in buyers.json to avoid collisions with legacy recovery-key entries.
+async function getOrCreateBuyerAddieUserByPubKey(pubKey, productId) {
+  const buyerKey = 'pk:' + pubKey + productId;
+  const buyers = loadBuyers();
+  if (buyers[buyerKey]) return buyers[buyerKey];
+
+  const addieKeys = await sessionless.generateKeys(() => {}, () => null);
+  sessionless.getKeys = () => addieKeys;
+  const timestamp = Date.now().toString();
+  const message = timestamp + addieKeys.pubKey;
+  const signature = await sessionless.sign(message);
+
+  const resp = await fetch(`${getAddieUrl()}/user/create`, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ timestamp, pubKey: addieKeys.pubKey, signature })
+  });
+
+  const addieUser = await resp.json();
+  if (addieUser.error) throw new Error(`Addie: ${addieUser.error}`);
+
+  const buyer = { uuid: addieUser.uuid, pubKey: addieKeys.pubKey, privateKey: addieKeys.privateKey };
+  buyers[buyerKey] = buyer;
+  saveBuyers(buyers);
+  return buyer;
+}
+
+// Check whether a pubKey has a completed purchase for a productId by looking
+// for an order whose orderKey === sha256(pubKey + productId) in Sanora.
+async function hasPurchasedByPubKey(tenant, pubKey, productId) {
+  const orderKey = crypto.createHash('sha256').update(pubKey + productId).digest('hex');
+  const sanoraUrl = getSanoraUrl();
+  sessionless.getKeys = () => tenant.keys;
+  const timestamp = Date.now().toString();
+  const signature = await sessionless.sign(timestamp + tenant.uuid);
+  try {
+    const resp = await fetch(
+      `${sanoraUrl}/user/${tenant.uuid}/orders/${encodeURIComponent(productId)}` +
+      `?timestamp=${timestamp}&signature=${encodeURIComponent(signature)}`
+    );
+    const json = await resp.json();
+    return (json.orders || []).some(o => o.orderKey === orderKey);
+  } catch {
+    return false;
+  }
+}
+
 // Same diverse palette as BDO emojicoding
 const EMOJI_PALETTE = [
   '🌟', '🌙', '🌍', '🌊', '🔥', '💎', '🎨', '🎭', '🎪', '🎯',
@@ -1434,13 +1495,27 @@ async function getShoppeGoods(tenant) {
                 ? lucillePlayerUrl
                 : `${getSanoraUrl()}/products/${tenant.uuid}/${encodeURIComponent(title)}`;
 
+    const resolvedUrl = (bucketName && redirects[bucketName]) || defaultUrl;
+
+    // Build clip URL for App Clip invocation — books and no-shipping products only.
+    // Appends product identity params so the App Clip can parse them from the URL.
+    const isClipBuyPage = !redirects[bucketName] && product.productId &&
+      (product.category === 'book' ||
+       (product.category === 'product' && !(product.shipping > 0)));
+    const clipUrl = isClipBuyPage
+      ? `${resolvedUrl}?productId=${encodeURIComponent(product.productId)}` +
+        `&price=${product.price || 0}` +
+        `&shopName=${encodeURIComponent(tenant.name || '')}`
+      : null;
+
     const item = {
       title: product.title || title,
       description: product.description || '',
       price: product.price || 0,
       shipping: product.shipping || 0,
       image: product.image ? `${getSanoraUrl()}/images/${product.image}` : null,
-      url: (bucketName && redirects[bucketName]) || defaultUrl,
+      url: resolvedUrl,
+      ...(clipUrl && { clipUrl }),
       ...(isPost && { category: product.category, tags: product.tags || '' }),
       ...(lucillePlayerUrl && { lucillePlayerUrl }),
       ...(product.category === 'video' && { shoppeId: tenant.uuid })
@@ -1778,9 +1853,12 @@ function renderCards(items, category) {
         </div>
       </div>`;
     }
+    // clipUrl is present for books and no-shipping products — it carries
+    // productId/price/shopName so the iOS App Clip can parse them on invocation.
+    const targetUrl = item.clipUrl || item.url;
     const clickHandler = isVideo
       ? `playVideo('${item.lucillePlayerUrl}')`
-      : `window.open('${item.url}','_blank')`;
+      : `window.open('${escHtml(targetUrl)}','_blank')`;
     return `
       <div class="card" onclick="${clickHandler}">
         ${imgHtml}
@@ -1819,6 +1897,9 @@ function generateShoppeHTML(tenant, goods, uploadAuth = null) {
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>${tenant.name}</title>
   ${tenant.keywords ? `<meta name="keywords" content="${escHtml(tenant.keywords)}">` : ''}
+  <!-- Shoppere App Clip — shown as a Smart App Banner on iOS Safari -->
+  <meta name="apple-itunes-app"
+        content="app-id=6760954663, app-clip-bundle-id=app.foures.shoppere.shoppere, app-clip-display=card">
   <script src="https://js.stripe.com/v3/"></script>
   <style>
     /* ── Theme variables (dark default) ── */
@@ -2964,6 +3045,29 @@ async function startServer(params) {
     }
   });
 
+  // Apple App Clip associated domain verification.
+  // Apple fetches this file from /.well-known/apple-app-site-association on the wiki domain
+  // to confirm the App Clip is authorized to handle URLs on this host.
+  // Replace TEAM_ID with the Apple Developer Team ID (RLJ2FY35FD).
+  app.get('/.well-known/apple-app-site-association', (req, res) => {
+    res.set('Content-Type', 'application/json');
+    res.json({
+      applinks: {
+        details: [
+          {
+            appIDs: ['RLJ2FY35FD.app.foures.shoppere'],
+            components: [
+              { '/': '/plugin/shoppe/*', comment: 'All shoppe pages' }
+            ]
+          }
+        ]
+      },
+      appclips: {
+        apps: ['RLJ2FY35FD.app.foures.shoppere.shoppere']
+      }
+    });
+  });
+
   // Public directory — name, emojicode, and shoppe URL only
   app.get('/plugin/shoppe/directory', (req, res) => {
     const tenants = loadTenants();
@@ -3065,6 +3169,19 @@ async function startServer(params) {
         ? JSON.stringify([{ pubKey: tenant.addieKeys.pubKey, amount: product.price || 0 }])
         : '[]';
 
+      // Forward Shoppere App Clip credentials if present in the query string
+      const buyerPubKey    = req.query.pubKey    || '';
+      const buyerTimestamp = req.query.timestamp || '';
+      const buyerSignature = req.query.signature || '';
+
+      // When a pubKey credential is present, the download page can verify access via
+      // a signed request — embed the credentials so the template can redirect there.
+      const ebookUrlWithCreds = buyerPubKey
+        ? `${ebookUrl}?pubKey=${encodeURIComponent(buyerPubKey)}&timestamp=${encodeURIComponent(buyerTimestamp)}&signature=${encodeURIComponent(buyerSignature)}`
+        : ebookUrl;
+
+      const clipUrl = `${wikiOrigin}${req.path}?${new URLSearchParams(req.query).toString()}`;
+
       const html = fillTemplate(templateHtml, {
         title:           product.title || title,
         description:     product.description || '',
@@ -3072,15 +3189,17 @@ async function startServer(params) {
         amount:          String(product.price || 0),
         formattedAmount: ((product.price || 0) / 100).toFixed(2),
         productId:       product.productId || '',
-        pubKey:          '',
-        signature:       '',
+        buyerPubKey,
+        buyerTimestamp,
+        buyerSignature,
         sanoraUrl,
         allyabaseOrigin: wikiOrigin,
-        ebookUrl,
+        ebookUrl:        ebookUrlWithCreds,
         shoppeUrl,
         payees,
         tenantUuid:      tenant.uuid,
-        keywords:        extractKeywords(product)
+        keywords:        extractKeywords(product),
+        clipUrl,
       });
 
       res.set('Content-Type', 'text/html');
@@ -3391,9 +3510,15 @@ async function startServer(params) {
       const tenant = getTenantByIdentifier(req.params.identifier);
       if (!tenant) return res.status(404).json({ error: 'Shoppe not found' });
 
-      const { recoveryKey, productId, title, slotDatetime, payees: clientPayees } = req.body;
+      const { recoveryKey, pubKey, timestamp: buyerTimestamp, signature: buyerSignature, productId, title, slotDatetime, payees: clientPayees } = req.body;
       if (!productId) return res.status(400).json({ error: 'productId required' });
-      if (!recoveryKey && !title) return res.status(400).json({ error: 'recoveryKey or title required' });
+      if (!pubKey && !recoveryKey && !title) return res.status(400).json({ error: 'pubKey (with timestamp+signature) or recoveryKey required' });
+
+      // Shoppere app path: verify the buyer's Sessionless signature before proceeding
+      if (pubKey) {
+        const sigErr = verifyBuyerSignature(pubKey, buyerTimestamp, buyerSignature);
+        if (sigErr) return res.status(401).json({ error: sigErr });
+      }
 
       const sanoraUrlInternal = getSanoraUrl();
 
@@ -3406,15 +3531,37 @@ async function startServer(params) {
       let buyer;
       let orderRef;
 
-      if (recoveryKey && product?.category === 'subscription') {
-        // Subscription flow — check if already actively subscribed
+      if (pubKey && product?.category === 'subscription') {
+        // Shoppere: subscription — check active status by pubKey orderKey
+        const alreadyPurchased = await hasPurchasedByPubKey(tenant, pubKey, productId);
+        if (alreadyPurchased) {
+          return res.json({ alreadySubscribed: true });
+        }
+        buyer = await getOrCreateBuyerAddieUserByPubKey(pubKey, productId);
+      } else if (pubKey && slotDatetime) {
+        // Shoppere: appointment — verify slot availability
+        const schedule = await getAppointmentSchedule(tenant, product);
+        if (schedule) {
+          const bookedSlots = await getBookedSlots(tenant, productId);
+          if (bookedSlots.includes(slotDatetime)) {
+            return res.status(409).json({ error: 'That time slot is no longer available.' });
+          }
+        }
+        buyer = await getOrCreateBuyerAddieUserByPubKey(pubKey, productId);
+      } else if (pubKey) {
+        // Shoppere: digital product — check if already purchased by pubKey
+        const alreadyPurchased = await hasPurchasedByPubKey(tenant, pubKey, productId);
+        if (alreadyPurchased) return res.json({ purchased: true });
+        buyer = await getOrCreateBuyerAddieUserByPubKey(pubKey, productId);
+      } else if (recoveryKey && product?.category === 'subscription') {
+        // Legacy recovery key: subscription flow — check if already actively subscribed
         const status = await getSubscriptionStatus(tenant, productId, recoveryKey);
         if (status.active) {
           return res.json({ alreadySubscribed: true, renewsAt: status.renewsAt, daysLeft: status.daysLeft });
         }
         buyer = await getOrCreateBuyerAddieUser(recoveryKey, productId);
       } else if (recoveryKey && slotDatetime) {
-        // Appointment flow — verify slot is still open before charging
+        // Legacy recovery key: appointment flow — verify slot is still open before charging
         const schedule = await getAppointmentSchedule(tenant, product);
         if (schedule) {
           const bookedSlots = await getBookedSlots(tenant, productId);
@@ -3424,7 +3571,7 @@ async function startServer(params) {
         }
         buyer = await getOrCreateBuyerAddieUser(recoveryKey, productId);
       } else if (recoveryKey) {
-        // Digital product flow — check if already purchased
+        // Legacy recovery key: digital product flow — check if already purchased
         const recoveryHash = recoveryKey + productId;
         const checkResp = await fetch(`${sanoraUrlInternal}/user/check-hash/${encodeURIComponent(recoveryHash)}/product/${encodeURIComponent(productId)}`);
         const checkJson = await checkResp.json();
@@ -3487,9 +3634,15 @@ async function startServer(params) {
       const tenant = getTenantByIdentifier(req.params.identifier);
       if (!tenant) return res.status(404).json({ error: 'Shoppe not found' });
 
-      const { recoveryKey, productId, orderRef, address, title, amount, slotDatetime, contactInfo, type, renewalDays, paymentIntentId } = req.body;
+      const { recoveryKey, pubKey, timestamp: buyerTimestamp, signature: buyerSignature, productId, orderRef, address, title, amount, slotDatetime, contactInfo, type, renewalDays, paymentIntentId } = req.body;
       const sanoraUrlInternal = getSanoraUrl();
 
+      // Verify Shoppere signature if pubKey path
+      if (pubKey) {
+        const sigErr = verifyBuyerSignature(pubKey, buyerTimestamp, buyerSignature);
+        if (sigErr) return res.status(401).json({ error: sigErr });
+      }
+
       // Fire transfer after successful payment — fire-and-forget, does not affect response
       function triggerTransfer() {
         if (!paymentIntentId || !tenant.addieKeys) return;
@@ -3499,6 +3652,69 @@ async function startServer(params) {
         }).catch(err => console.warn('[shoppe] transfer trigger failed:', err.message));
       }
 
+      // ── Shoppere app (pubKey) paths ───────────────────────────────────────
+
+      if (pubKey && type === 'subscription') {
+        // Shoppere subscription: orderKey = sha256(pubKey + productId)
+        const orderKey = crypto.createHash('sha256').update(pubKey + productId).digest('hex');
+        const tenantKeys = tenant.keys;
+        sessionless.getKeys = () => tenantKeys;
+        const ts  = Date.now().toString();
+        const sig = await sessionless.sign(ts + tenant.uuid);
+        const order = { orderKey, pubKey, paidAt: Date.now(), title, productId, renewalDays: renewalDays || 30, status: 'active' };
+        await fetch(`${sanoraUrlInternal}/user/${tenant.uuid}/orders`, {
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ timestamp: ts, signature: sig, order })
+        });
+        triggerTransfer();
+        return res.json({ success: true });
+      }
+
+      if (pubKey && slotDatetime) {
+        // Shoppere appointment: record booking with pubKey credential
+        const orderKey = crypto.createHash('sha256').update(pubKey + productId).digest('hex');
+        const tenantKeys = tenant.keys;
+        sessionless.getKeys = () => tenantKeys;
+        const bookingTimestamp = Date.now().toString();
+        const bookingSignature = await sessionless.sign(bookingTimestamp + tenant.uuid);
+        const order = {
+          orderKey,
+          pubKey,
+          productId,
+          title,
+          slot: slotDatetime,
+          contactInfo: contactInfo || {},
+          status: 'booked'
+        };
+        await fetch(`${sanoraUrlInternal}/user/${tenant.uuid}/orders`, {
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ timestamp: bookingTimestamp, signature: bookingSignature, order })
+        });
+        triggerTransfer();
+        return res.json({ success: true });
+      }
+
+      if (pubKey) {
+        // Shoppere digital product: record purchase with pubKey as credential
+        const orderKey = crypto.createHash('sha256').update(pubKey + productId).digest('hex');
+        const tenantKeys = tenant.keys;
+        sessionless.getKeys = () => tenantKeys;
+        const ts  = Date.now().toString();
+        const sig = await sessionless.sign(ts + tenant.uuid);
+        const order = { orderKey, pubKey, paidAt: Date.now(), title, productId, status: 'purchased' };
+        await fetch(`${sanoraUrlInternal}/user/${tenant.uuid}/orders`, {
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ timestamp: ts, signature: sig, order })
+        });
+        triggerTransfer();
+        return res.json({ success: true });
+      }
+
+      // ── Legacy recovery key paths ─────────────────────────────────────────
+
       if (recoveryKey && type === 'subscription') {
         // Subscription payment — record an order with a hashed subscriber key + payment timestamp.
         // The recovery key itself is never stored; orderKey = sha256(recoveryKey + productId).
@@ -3599,12 +3815,23 @@ async function startServer(params) {
       if (!tenant) return res.status(404).send('<h1>Shoppe not found</h1>');
 
       const title = decodeURIComponent(req.params.title);
+      const { pubKey, timestamp: buyerTimestamp, signature: buyerSignature } = req.query;
       const sanoraUrl = getSanoraUrl();
       const productsResp = await fetch(`${sanoraUrl}/products/${tenant.uuid}`);
       const products = await productsResp.json();
       const product = products[title] || Object.values(products).find(p => p.title === title);
       if (!product) return res.status(404).send('<h1>Book not found</h1>');
 
+      // Verify access credential — either a valid Shoppere pubKey signature
+      // with a matching purchase record, or the legacy recovery hash (checked client-side
+      // in the download template itself via the existing hash endpoints).
+      if (pubKey) {
+        const sigErr = verifyBuyerSignature(pubKey, buyerTimestamp, buyerSignature);
+        if (sigErr) return res.status(401).send(`<h1>Access denied</h1><p>${sigErr}</p>`);
+        const purchased = await hasPurchasedByPubKey(tenant, pubKey, product.productId);
+        if (!purchased) return res.status(403).send('<h1>No purchase found for this key</h1>');
+      }
+
       const imageUrl = product.image ? `${sanoraUrl}/images/${product.image}` : '';
 
       // Map artifact UUIDs to download paths by extension
@@ -3620,8 +3847,8 @@ async function startServer(params) {
         description: product.description || '',
         image:       imageUrl,
         productId:   product.productId || '',
-        pubKey:      '',
-        signature:   '',
+        pubKey:      pubKey || '',
+        signature:   buyerSignature || '',
         epubPath,
         pdfPath,
         mobiPath
@@ -3697,6 +3924,64 @@ async function startServer(params) {
     }
   });
 
+  // Shoppere app: purchases for a pubKey across all products on this shoppe.
+  // Auth: pubKey + timestamp + signature (Sessionless, 5-min TTL)
+  // Returns the subset of Sanora orders whose orderKey === sha256(pubKey + productId).
+  app.get('/plugin/shoppe/:identifier/purchases', async (req, res) => {
+    try {
+      const tenant = getTenantByIdentifier(req.params.identifier);
+      if (!tenant) return res.status(404).json({ error: 'Shoppe not found' });
+
+      const { pubKey, timestamp, signature } = req.query;
+      const sigErr = verifyBuyerSignature(pubKey, timestamp, signature);
+      if (sigErr) return res.status(401).json({ error: sigErr });
+
+      const sanoraUrl = getSanoraUrl();
+      const productsResp = await fetch(`${sanoraUrl}/products/${tenant.uuid}`);
+      if (!productsResp.ok) return res.status(502).json({ error: 'Could not reach Sanora' });
+      const products = await productsResp.json();
+
+      sessionless.getKeys = () => tenant.keys;
+      const purchases = [];
+
+      for (const [, product] of Object.entries(products)) {
+        if (!product.productId) continue;
+        const orderKey = crypto.createHash('sha256').update(pubKey + product.productId).digest('hex');
+        const ts  = Date.now().toString();
+        const sig = await sessionless.sign(ts + tenant.uuid);
+        try {
+          const ordersResp = await fetch(
+            `${sanoraUrl}/user/${tenant.uuid}/orders/${encodeURIComponent(product.productId)}` +
+            `?timestamp=${ts}&signature=${encodeURIComponent(sig)}`
+          );
+          const json = await ordersResp.json();
+          const match = (json.orders || []).find(o => o.orderKey === orderKey);
+          if (match) {
+            purchases.push({
+              productId:    product.productId,
+              title:        product.title,
+              category:     product.category,
+              image:        product.image ? `${sanoraUrl}/images/${product.image}` : null,
+              price:        product.price,
+              paidAt:       match.paidAt,
+              status:       match.status,
+              slot:         match.slot || null,
+              renewalDays:  match.renewalDays || null,
+              downloadUrl:  ['book', 'post', 'video'].includes(product.category)
+                ? `${reqProto(req)}://${req.get('host')}/plugin/shoppe/${tenant.uuid}/download/${encodeURIComponent(product.title)}`
+                : null,
+            });
+          }
+        } catch { /* skip products whose orders can't be fetched */ }
+      }
+
+      res.json({ success: true, shopName: tenant.name, purchases });
+    } catch (err) {
+      console.error('[shoppe] purchases error:', err);
+      res.status(500).json({ error: err.message });
+    }
+  });
+
   // Goods JSON (public)
   app.get('/plugin/shoppe/:identifier/goods', async (req, res) => {
     try {