The researcher sees the vial. The operation makes it repeatable.

Inventory allocates first-expiry-first-out. One internal lot maps to one chemical-supplier lot — the lock is at the schema level, not a policy a clerk has to remember. Receiving runs through a lot_deliveries table so a single supplier lot can land across multiple shipments without collapsing into phantom stock. The lot lifecycle has five statuses: received, released, allocated, depleted, recalled. Every transition is auditable.

Refunds resolve at the line level. Full or partial, against the rail the order paid on, with restock back to the originating lot in one transaction. Return Material Authorization is its own workflow — an RMA can sit open while the material comes back, then close with or without an auto-issued refund. Five line categories cover product, shipping, tax, adjustment, and rounding. Nothing falls between two tables.

At order submission, the server stamps the exact policy version, the IP, the user agent, and a SHA-256 hash of every checkbox label shown. The row lands in order_assent and is append-only — there is no UPDATE path. A pre-commit hook on the repo blocks any policy text edit that ships without a policy-versions.json bump. The version a researcher acknowledged stays attached to the order forever.

Consent transitions, anon-id mappings, admin actions, refund issuances, lot status changes — all of it writes to append-only tables. No silent rewrites. If an event happened, there is a row that records it happened, and a row that records the next thing that happened to that record. Reading history backwards is a query, not a forensic exercise.

Every admin page renders through a shared shell with a live alert bar at the top. Flagged orders, email-send failures, webhook outbox failures, out-of-stock SKUs, refunds aging past 48 hours, adjustments aging past 24 hours — six feeds, every page. The operator does not have to go looking for what needs attention. It is already at the top of whatever screen they opened.

Per-researcher context lives in one record. Order history, shipping addresses, payment rail preferences, store credit ledger, magic-link audit, notes, tags, communications, and a nightly rollup for lifetime value and churn signals. Transactional email engagement events ingest from the mail provider and post against the same record. The view is the operator's read of who is actually on the other side of the orders.

The admin shell sits behind Cloudflare Access. Authentication is a signed JWT from CF Access — there is no operator password layer in the application code to forget, rotate badly, or leak. Localhost bypasses for dev. Production refuses requests that do not carry a valid Access JWT, full stop. The zero-trust posture lives one layer above the app, where it belongs.

Every night at 03:00, pg_dump writes the full database to independent on-prem storage. At 04:00, a watchdog checks the dump landed, the size is sane, and alerts if either is wrong. Retention runs 30 days. Disaster recovery is a copy-paste runbook against a file that exists, not a hope that a managed snapshot is where it should be when the day comes.

Sub-daily scheduled jobs route through a self-hosted n8n on independent infrastructure, because the storefront's hosting tier caps cron resolution at daily. The same lane runs the Venmo inbox watcher that auto-confirms payments. A bridge, not a workaround — it has been the lane long enough that the orchestration sits in n8n on purpose, not because the platform forced it.

The Venmo confirmation lane is automated. An n8n workflow watches the Venmo Gmail inbox, parses the payment confirmation email, and posts an HMAC-signed event back to the storefront. The order transitions from pending_venmo to paid without an operator opening an inbox or marking anything by hand. The signature stops anyone else from posting a payment that did not happen.

Logged-in product views post to an internal dashboard. Card impressions are gated by IntersectionObserver. Time-on-card is measured by a heartbeat tick, not by a clock that runs while a tab is in the background. Same-session cart attribution joins the view event to the line it became. The signal is gated by the analytics consent setting on the researcher's account — opt-out really opts out.

The catalog is checked in as JSON for source-of-truth scalars. Price overrides land in a database table — catalog_price_overrides — and merge on read, so an operator can bulk-update prices via a CSV import without a redeploy. The order line stores its own items_json snapshot at the moment of submission, so price changes the next day do not rewrite the receipt from yesterday.

The wall is not just a gate. The /account/access landing page carries its own funnel analytics — eight named events tracked through to acknowledgement, plus a sticky-cookie headline A/B for the entry copy. The admin shell has a tile that links straight to the GA4 and Clarity views for the funnel. The operator sees access-conversion as a measured surface, not a guess.

Transactional email runs on Resend with engagement webhooks landing back on the researcher record. Supplier and operator-to-researcher correspondence runs on Proton SMTP through a separate sending identity. Both senders are DMARC, DKIM, and SPF aligned. Two lanes on purpose — when the receipt and the personal reply do not have to share an inbox, neither one has to win.