API early March 2026 improvements

API changes, improvements and fixes that shipped to production in March 2026, on top of the earlier late February 2026 release.

• Changed admin-user handling across add-user, get-user, alter-user, and delete-user so admin operations are strictly scoped to the requested chain: existing admin users can be granted permissions for an additional chain via a cross-chain upsert, duplicate adds for the same chain return user_already_exists, chain-scoped super-users can only see and alter other admins within the requested chain, and delete-user removes only the requested chain's permissions before fully deleting an account once no permissions remain.
• Changed alter-user admin handling so admins cannot alter their own permission fields or login_2fa_exempt flag (self-escalation protection).
• Changed chain endpoints (including alter-chain) so image_url, receipt_logo_url, and password_reset_url can be cleared by passing an empty string or null.
• Improved basket campaign reward-exclusion performance by caching and reusing campaign-type information, reducing repeated campaign lookups during reward calculation on larger baskets.
• Fixed a Shopify integration issue where an empty username in an alter-user request could null out the customer's Shopify email address and disable the Shopify customer account.