(SP: 3) [SHOP] audit-driven e2e purchase readiness hardening (events, notifications, consent, returns) (#378)

* (SP:3)[SHOP] add canonical payment/shipping/admin audit tables + dedupe helper with flagged atomic dual-write

* (SP: 2)[SHOP] add INTL quote flow (request/offer/accept/decline), payment-init gate, and quote expiry/timeout sweeps

* (SP: 3)[SHOP] introduce outbox-driven notifications with projector + worker (phase 3)

* (SP: 3)[SHOP] add minimal returns/RMA lifecycle with atomic audit + canonical events (phase 4)

* (SP: 3)[SHOP] enforce guest status-token lite-only access and audit token usage (phase 5)

* (SP: 3)[SHOP] centralize transition guards and enforce across admin/webhook/worker flows (phase 6)

:wq
n

* (SP:3)[SHOP]: enforce DATABASE_URL_LOCAL preflight + deterministic vitest config

* (SP:3)[SHOP]: require canonical events in prod (fail-fast)

* (SP:3)[SHOP]: implement notifications transport with retries + DLQ

* (SP:3)[SHOP]: persist checkout legal consent artifact

* (SP:1)[SHOP] add migration 0025 for consent + events + audit + prices

* (SP:1)[SHOP] emit shipping_events for shipment worker transitions

* (SP:2)[SHOP] audit admin product mutations (deduped)

* (SP:2)[SHOP] make Monobank webhook retryable on transient apply failures

* (SP:3) [SHOP] enforce guest status-token scopes across order actions

* (SP:1) [SHOP] make product_prices the only write authority

* (SP:1) [SHOP]  add Playwright e2e smoke suite (local DB only)

* (SP:3) [SHOP] explicitly reject exchanges (EXCHANGES_NOT_SUPPORTED)

* (SP: 3)[FIX] harden audit + workers/tests; fix transitions/restock + webhook perf

* (SP: 3)[FIX] harden local-db test safety and tighten shop reliability guards

* (SP: 3)[FIX] fail-closed admin audit, refine shipments-worker outcomes/metrics, tighten quote+tests

* (SP: 1)[FIX] harden shipments-worker claiming/leases and make audit+quote/test paths resilient

* (SP: 1)[FIX] harden quote request errors/logging and sanitize requestId; document best-effort delete audit

Author: liudmylasovetovs

frontend/.env.example

@@ -127,6 +127,8 @@ GMAIL_USER=
 # --- Shop / Internal
 # Optional public/base URL used by shop services/links
 SHOP_BASE_URL=
+SHOP_PRIVACY_VERSION=privacy-v1
+SHOP_TERMS_VERSION=terms-v1
 
 # Required for signed shop status tokens (if status endpoint/token flow is enabled)
 SHOP_STATUS_TOKEN_SECRET=
@@ -163,4 +165,4 @@ TRUST_FORWARDED_HEADERS=0
 # emergency switch
 RATE_LIMIT_DISABLED=0
 
-GROQ_API_KEY=
+GROQ_API_KEY=

frontend/.gitignore

@@ -13,6 +13,8 @@
 # testing
 /coverage
 /coverage-quiz
+/playwright-report
+/test-results
 
 # next.js
 /.next/

frontend/app/[locale]/shop/checkout/success/MonobankRedirectStatus.tsx

@@ -75,6 +75,7 @@ const POLL_BUSY_RETRY_DELAY_MS = 1_000;
 const POLL_STOP_ERROR_CODES = new Set([
   'STATUS_TOKEN_REQUIRED',
   'STATUS_TOKEN_INVALID',
+  'STATUS_TOKEN_SCOPE_FORBIDDEN',
   'UNAUTHORIZED',
   'FORBIDDEN',
 ]);

frontend/app/api/shop/admin/orders/[id]/quote/offer/route.ts

@@ -0,0 +1,167 @@
+import crypto from 'node:crypto';
+
+import { NextRequest, NextResponse } from 'next/server';
+
+import {
+  AdminApiDisabledError,
+  AdminForbiddenError,
+  AdminUnauthorizedError,
+  requireAdminApi,
+} from '@/lib/auth/admin';
+import { logError, logWarn } from '@/lib/logging';
+import { requireAdminCsrf } from '@/lib/security/admin-csrf';
+import { guardBrowserSameOrigin } from '@/lib/security/origin';
+import {
+  InvalidPayloadError,
+  OrderNotFoundError,
+} from '@/lib/services/errors';
+import { offerIntlQuote } from '@/lib/services/shop/quotes';
+import {
+  intlQuoteOfferPayloadSchema,
+  orderIdParamSchema,
+} from '@/lib/validation/shop';
+
+function noStoreJson(body: unknown, init?: { status?: number }) {
+  const res = NextResponse.json(body, { status: init?.status ?? 200 });
+  res.headers.set('Cache-Control', 'no-store');
+  return res;
+}
+
+function mapQuoteErrorStatus(code: string): number {
+  if (
+    code === 'QUOTE_VERSION_CONFLICT' ||
+    code === 'QUOTE_NOT_APPLICABLE' ||
+    code === 'QUOTE_ALREADY_ACCEPTED'
+  ) {
+    return 409;
+  }
+  if (code === 'QUOTE_INVALID_EXPIRY') return 422;
+  return 400;
+}
+
+export const runtime = 'nodejs';
+
+export async function POST(
+  request: NextRequest,
+  context: { params: Promise<{ id: string }> }
+) {
+  const requestId =
+    request.headers.get('x-request-id')?.trim() || crypto.randomUUID();
+  const baseMeta = {
+    requestId,
+    route: request.nextUrl.pathname,
+    method: request.method,
+  };
+  let orderIdForLog: string | null = null;
+
+  const blocked = guardBrowserSameOrigin(request);
+  if (blocked) {
+    blocked.headers.set('Cache-Control', 'no-store');
+    return blocked;
+  }
+
+  try {
+    const admin = await requireAdminApi(request);
+    const csrfRes = requireAdminCsrf(request, 'admin:orders:quote:offer');
+    if (csrfRes) {
+      csrfRes.headers.set('Cache-Control', 'no-store');
+      return csrfRes;
+    }
+
+    const parsedParams = orderIdParamSchema.safeParse(await context.params);
+    if (!parsedParams.success) {
+      return noStoreJson(
+        { code: 'INVALID_ORDER_ID', message: 'Invalid order id.' },
+        { status: 400 }
+      );
+    }
+    orderIdForLog = parsedParams.data.id;
+
+    let rawBody: unknown;
+    try {
+      rawBody = await request.json();
+    } catch {
+      return noStoreJson(
+        { code: 'INVALID_PAYLOAD', message: 'Invalid JSON body.' },
+        { status: 400 }
+      );
+    }
+
+    const parsedBody = intlQuoteOfferPayloadSchema.safeParse(rawBody);
+    if (!parsedBody.success) {
+      return noStoreJson(
+        { code: 'INVALID_PAYLOAD', message: 'Invalid payload.' },
+        { status: 400 }
+      );
+    }
+
+    const payload = parsedBody.data;
+    const result = await offerIntlQuote({
+      orderId: orderIdForLog,
+      requestId,
+      actorUserId: typeof admin.id === 'string' ? admin.id : null,
+      version: payload.version,
+      currency: payload.currency,
+      shippingQuoteMinor: payload.shippingQuoteMinor,
+      expiresAt: payload.expiresAt ?? null,
+      payload: payload.payload,
+    });
+
+    return noStoreJson(
+      {
+        success: true,
+        orderId: result.orderId,
+        version: result.version,
+        quoteStatus: result.quoteStatus,
+        shippingQuoteMinor: result.shippingQuoteMinor,
+        currency: result.currency,
+        expiresAt: result.expiresAt.toISOString(),
+      },
+      { status: 200 }
+    );
+  } catch (error) {
+    if (error instanceof AdminApiDisabledError) {
+      return noStoreJson(
+        { code: 'ADMIN_API_DISABLED', message: 'Admin API is disabled.' },
+        { status: 403 }
+      );
+    }
+    if (error instanceof AdminUnauthorizedError) {
+      return noStoreJson(
+        { code: error.code, message: 'Unauthorized.' },
+        { status: 401 }
+      );
+    }
+    if (error instanceof AdminForbiddenError) {
+      return noStoreJson({ code: error.code, message: 'Forbidden.' }, { status: 403 });
+    }
+    if (error instanceof OrderNotFoundError) {
+      return noStoreJson({ code: error.code }, { status: 404 });
+    }
+    if (error instanceof InvalidPayloadError) {
+      logWarn('admin_quote_offer_rejected', {
+        ...baseMeta,
+        orderId: orderIdForLog,
+        code: error.code,
+      });
+      return noStoreJson(
+        {
+          code: error.code,
+          message: error.message,
+          ...(error.details ? { details: error.details } : {}),
+        },
+        { status: mapQuoteErrorStatus(error.code) }
+      );
+    }
+
+    logError('admin_quote_offer_failed', error, {
+      ...baseMeta,
+      orderId: orderIdForLog,
+      code: 'ADMIN_QUOTE_OFFER_FAILED',
+    });
+    return noStoreJson(
+      { code: 'INTERNAL_ERROR', message: 'Unable to offer quote.' },
+      { status: 500 }
+    );
+  }
+}

frontend/app/api/shop/admin/products/[id]/route.ts

@@ -25,6 +25,7 @@ import {
   getAdminProductByIdWithPrices,
   updateProduct,
 } from '@/lib/services/products';
+import { writeAdminAudit } from '@/lib/services/shop/events/write-admin-audit';
 
 export const runtime = 'nodejs';
 
@@ -320,7 +321,9 @@ export async function PATCH(
   let productIdForLog: string | null = null;
 
   try {
-    await requireAdminApi(request);
+    const adminUser = await requireAdminApi(request);
+    const actorUserId =
+      adminUser && typeof adminUser.id === 'string' ? adminUser.id : null;
 
     const rawParams = await context.params;
     const parsedParams = productIdParamSchema.safeParse(rawParams);
@@ -457,6 +460,51 @@ export async function PATCH(
             : undefined,
       });
 
+      try {
+        await writeAdminAudit({
+          actorUserId,
+          action: 'product_admin_action.update',
+          targetType: 'product',
+          targetId: updated.id,
+          requestId,
+          payload: {
+            productId: updated.id,
+            slug: updated.slug,
+            title: updated.title,
+            badge: updated.badge,
+            isActive: updated.isActive,
+            isFeatured: updated.isFeatured,
+            stock: updated.stock,
+          },
+          dedupeSeed: {
+            domain: 'product_admin_action',
+            action: 'update',
+            requestId,
+            productId: updated.id,
+            slug: updated.slug,
+            toBadge: updated.badge,
+            toIsActive: updated.isActive,
+            toIsFeatured: updated.isFeatured,
+            toStock: updated.stock,
+          },
+        });
+      } catch (auditError) {
+        logWarn('admin_product_update_audit_failed', {
+          ...baseMeta,
+          code: 'AUDIT_WRITE_FAILED',
+          requestId,
+          actorUserId,
+          productId: updated.id,
+          action: 'product_admin_action.update',
+          message:
+            auditError instanceof Error
+              ? auditError.message
+              : String(auditError),
+          durationMs: Date.now() - startedAtMs,
+        });
+        throw auditError;
+      }
+
       return noStoreJson({ success: true, product: updated }, { status: 200 });
     } catch (error) {
       if (error instanceof PriceConfigError) {
@@ -643,7 +691,9 @@ export async function DELETE(
   let productIdForLog: string | null = null;
 
   try {
-    await requireAdminApi(request);
+    const adminUser = await requireAdminApi(request);
+    const actorUserId =
+      adminUser && typeof adminUser.id === 'string' ? adminUser.id : null;
 
     const csrfRes = requireAdminCsrf(request, 'admin:products:delete');
     if (csrfRes) {
@@ -704,6 +754,39 @@ export async function DELETE(
 
     await deleteProduct(productIdForLog);
 
+    try {
+      await writeAdminAudit({
+        actorUserId,
+        action: 'product_admin_action.delete',
+        targetType: 'product',
+        targetId: productIdForLog,
+        requestId,
+        payload: {
+          productId: productIdForLog,
+        },
+        dedupeSeed: {
+          domain: 'product_admin_action',
+          action: 'delete',
+          requestId,
+          productId: productIdForLog,
+        },
+      });
+    } catch (auditError) {
+      logWarn('admin_product_delete_audit_failed', {
+        ...baseMeta,
+        code: 'AUDIT_WRITE_FAILED',
+        requestId,
+        actorUserId,
+        productId: productIdForLog,
+        action: 'product_admin_action.delete',
+        message:
+          auditError instanceof Error ? auditError.message : String(auditError),
+        durationMs: Date.now() - startedAtMs,
+      });
+      // Delete is irreversible; keep success response to avoid misleading retries.
+      // Audit failure is logged and should be monitored/alerted separately.
+    }
+
     return noStoreJson({ success: true }, { status: 200 });
   } catch (error) {
     if (error instanceof AdminApiDisabledError) {

frontend/app/api/shop/admin/products/[id]/status/route.ts

@@ -14,6 +14,7 @@ import { logError, logWarn } from '@/lib/logging';
 import { requireAdminCsrf } from '@/lib/security/admin-csrf';
 import { guardBrowserSameOrigin } from '@/lib/security/origin';
 import { toggleProductStatus } from '@/lib/services/products';
+import { writeAdminAudit } from '@/lib/services/shop/events/write-admin-audit';
 
 export const runtime = 'nodejs';
 
@@ -55,7 +56,9 @@ export async function PATCH(
   let productIdForLog: string | null = null;
 
   try {
-    await requireAdminApi(request);
+    const adminUser = await requireAdminApi(request);
+    const actorUserId =
+      adminUser && typeof adminUser.id === 'string' ? adminUser.id : null;
     const csrfRes = requireAdminCsrf(request, 'admin:products:status');
     if (csrfRes) {
       logWarn('admin_product_status_csrf_rejected', {
@@ -92,6 +95,41 @@ export async function PATCH(
 
     const updated = await toggleProductStatus(productIdForLog);
 
+    try {
+      await writeAdminAudit({
+        actorUserId,
+        action: 'product_admin_action.toggle_status',
+        targetType: 'product',
+        targetId: updated.id,
+        requestId,
+        payload: {
+          productId: updated.id,
+          slug: updated.slug,
+          isActive: updated.isActive,
+        },
+        dedupeSeed: {
+          domain: 'product_admin_action',
+          action: 'toggle_status',
+          requestId,
+          productId: updated.id,
+          toIsActive: updated.isActive,
+        },
+      });
+    } catch (auditError) {
+      logWarn('admin_product_status_audit_failed', {
+        ...baseMeta,
+        code: 'AUDIT_WRITE_FAILED',
+        requestId,
+        actorUserId,
+        productId: updated.id,
+        action: 'product_admin_action.toggle_status',
+        isActive: updated.isActive,
+        message:
+          auditError instanceof Error ? auditError.message : String(auditError),
+        durationMs: Date.now() - startedAtMs,
+      });
+    }
+
     return noStoreJson({ success: true, product: updated }, { status: 200 });
   } catch (error) {
     if (error instanceof AdminApiDisabledError) {