@blamejs/blamejs-shop 0.0.128 → 0.1.0

package/lib/storefront.js

@@ -1199,6 +1199,40 @@ function renderCollection(opts) {
   });
 }
 
+// Account "Recently viewed" page — a newest-first grid of products the
+// signed-in customer has opened, reusing the standard product card.
+// `opts.products` is a resolved [{ slug, title, price, image_url,
+// image_alt }] list (archived products are dropped before render, so
+// the grid is orphan-tolerant). A "Clear history" control renders only
+// when the list is non-empty.
+function renderRecentlyViewed(opts) {
+  var products = opts.products || [];
+  var cards = products.map(function (p) { return _buildProductCard(p); }).join("");
+  var grid = cards
+    ? "<div class=\"catalog-grid recently-viewed-grid\">" + cards + "</div>"
+    : "<p class=\"recently-viewed-empty\">You haven't viewed any products yet. As you browse the shop, the products you open show up here.</p>";
+  var clear = cards
+    ? "<form class=\"recently-viewed__clear\" method=\"post\" action=\"/account/recently-viewed/clear\">" +
+        "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Clear history</button></form>"
+    : "";
+  var body =
+    "<section class=\"account-recently-viewed\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Recently viewed</li>" +
+      "</ol></nav>" +
+      "<header class=\"account-recently-viewed__head\">" +
+        "<h1 class=\"account-recently-viewed__title\">Recently viewed</h1>" +
+        clear +
+      "</header>" +
+      grid +
+    "</section>";
+  return _wrap({
+    title: "Recently viewed", shop_name: opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count, theme_css: opts.theme_css, body: body,
+  });
+}
+
 var RETURN_REASONS = [
   ["defective", "Defective / doesn't work"],
   ["wrong-item", "Wrong item received"],
@@ -1476,9 +1510,9 @@ var CART_LINE =
   "      </span>\n" +
   "    </a>\n" +
   "  </td>\n" +
-  "  <td>{{qty}}</td>\n" +
-  "  <td class=\"price\">{{unit}}</td>\n" +
-  "  <td class=\"price\">{{total}}</td>\n" +
+  "  <td data-label=\"Qty\">{{qty}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Unit\">{{unit}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Total\">{{total}}</td>\n" +
   "</tr>\n";
 
 // Editable cart line — shown on the /cart page. Includes an inline
@@ -1502,14 +1536,14 @@ var CART_LINE_EDITABLE =
   "      </span>\n" +
   "    </a>\n" +
   "  </td>\n" +
-  "  <td class=\"cart-line__qty\">\n" +
+  "  <td class=\"cart-line__qty\" data-label=\"Qty\">\n" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/update\" class=\"cart-line__update\">\n" +
-  "      <input type=\"number\" name=\"qty\" value=\"{{qty}}\" min=\"1\" max=\"99\" class=\"cart-line__qty-input\" aria-label=\"Quantity\">\n" +
-  "      <button type=\"submit\" class=\"cart-line__btn\">Update</button>\n" +
+  "      <input type=\"number\" name=\"qty\" value=\"{{qty}}\" min=\"1\" max=\"99999\" class=\"cart-line__qty-input\" aria-label=\"Quantity\">\n" +
+  "      <button type=\"submit\" class=\"cart-line__btn cart-line__btn--update\">Update</button>\n" +
   "    </form>\n" +
   "  </td>\n" +
-  "  <td class=\"price\">{{unit}}</td>\n" +
-  "  <td class=\"price\">{{total}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Price\">{{unit}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Total\">{{total}}</td>\n" +
   "  <td class=\"cart-line__remove-cell\">\n" +
   "    RAW_CART_LINE_SAVE" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/remove\">\n" +
@@ -1657,7 +1691,7 @@ var ORDER_PAGE =
   "    <div class=\"order-page__items\">\n" +
   "      <h2 class=\"pdp__variants-title\">Items</h2>\n" +
   "      <div class=\"table-scroll\">\n" +
-  "        <table>\n" +
+  "        <table class=\"cart-table\">\n" +
   "          <thead><tr><th>Product</th><th>Qty</th><th>Unit</th><th>Total</th></tr></thead>\n" +
   "          <tbody>{{line_rows}}</tbody>\n" +
   "        </table>\n" +
@@ -2048,7 +2082,6 @@ function renderNotFound(opts) {
 // — it's a routing key, not an authentication token. The cart itself
 // transitions to `customer_id` on login via cart.setCustomer.
 var SESSION_COOKIE_NAME = "shop_sid";
-var SESSION_COOKIE_MAX  = 60 * 60 * 24 * 30;   // 30 days
 
 // Authenticated-customer cookie — carries an opaque sealed envelope
 // `{ customer_id, exp }`, AEAD-encrypted via b.vault.seal so the
@@ -2058,79 +2091,85 @@ var SESSION_COOKIE_MAX  = 60 * 60 * 24 * 30;   // 30 days
 // rotated vault invalidates every outstanding auth cookie (operator-
 // initiated logout-everywhere).
 var AUTH_COOKIE_NAME    = "shop_auth";
-var AUTH_COOKIE_MAX     = 60 * 60 * 24 * 14;       // 14 days
-var AUTH_TTL_MS         = 14 * 24 * 60 * 60 * 1000;
 
 // WebAuthn ceremony state cookie — short-lived envelope holding the
 // random challenge + the ceremony-scoped metadata so register-finish /
 // login-finish can verify the same challenge the browser was sent.
 // Path-scoped to /account so it never leaks to other routes.
 var CHALLENGE_COOKIE_NAME = "shop_auth_chal";
-var CHALLENGE_COOKIE_MAX  = 5 * 60;                // 5 minutes
 
-function _readSidCookie(req) {
-  var raw = (req.headers && (req.headers.cookie || req.headers.Cookie)) || "";
-  if (!raw) return null;
-  var parts = raw.split(";");
-  for (var i = 0; i < parts.length; i += 1) {
-    var p = parts[i].trim();
-    var eq = p.indexOf("=");
-    if (eq <= 0) continue;
-    if (p.slice(0, eq) === SESSION_COOKIE_NAME) {
-      var v = p.slice(eq + 1);
-      // Cookie values are URL-encoded.
-      try { return decodeURIComponent(v); } catch (_e) { return null; }
-    }
+// Short-lived cookie carrying the Stripe PaymentIntent client_secret
+// from POST /checkout to GET /pay/:order_id. Path-scoped to /pay/ +
+// SameSite=Strict so it's only ever sent to the pay route.
+var PAY_COOKIE_NAME = "shop_pay";
+
+// Shape of a valid session id — mirrors cart.js's SESSION_ID_RE.
+var SID_SHAPE_RE = /^[A-Za-z0-9_-]{16,64}$/;
+
+// All cookie transport composes the framework's cookie primitive
+// (`b.cookies`) — RFC 6265 parse/serialize, prefix invariants, and the
+// vault-sealed read/write helpers — rather than hand-built Set-Cookie
+// strings and manual header splitting. The jar is memoized; it only
+// captures the vault reference (seal/unseal run lazily per call), so
+// building it before vault.init() has completed is safe.
+var _jar = null;
+function _cookieJar() {
+  if (!_jar) {
+    _jar = _b().cookies.create({
+      vault:    _b().vault,
+      defaults: { httpOnly: true, secure: true, sameSite: "Lax", path: "/" },
+    });
   }
-  return null;
-}
-
-function _setSidCookie(res, sid) {
-  var attrs = "Max-Age=" + SESSION_COOKIE_MAX + "; Path=/; HttpOnly; Secure; SameSite=Lax";
-  var header = SESSION_COOKIE_NAME + "=" + encodeURIComponent(sid) + "; " + attrs;
-  if (typeof res.appendHeader === "function") res.appendHeader("Set-Cookie", header);
-  else if (typeof res.setHeader === "function") res.setHeader("Set-Cookie", header);
+  return _jar;
 }
 
 function _readCookie(req, name) {
-  var raw = (req.headers && (req.headers.cookie || req.headers.Cookie)) || "";
-  if (!raw) return null;
-  var parts = raw.split(";");
-  for (var i = 0; i < parts.length; i += 1) {
-    var p = parts[i].trim();
-    var eq = p.indexOf("=");
-    if (eq <= 0) continue;
-    if (p.slice(0, eq) === name) {
-      try { return decodeURIComponent(p.slice(eq + 1)); }
-      catch (_e) { return null; }
-    }
-  }
-  return null;
+  return _cookieJar().read(req, name);
 }
 
-function _appendCookie(res, header) {
-  if (typeof res.appendHeader === "function") res.appendHeader("Set-Cookie", header);
-  else if (typeof res.setHeader === "function") res.setHeader("Set-Cookie", header);
+function _readSidCookie(req) {
+  // A cookie carrying anything but a well-shaped session id (a stale
+  // value from an old deploy, a tampered cookie, garbage) reads as "no
+  // session" rather than reaching cart.bySession — which throws on a
+  // malformed id and would turn every page that renders the cart count
+  // into a 500. The cookie grants zero authority, so dropping a
+  // malformed one silently is safe.
+  var v = _cookieJar().read(req, SESSION_COOKIE_NAME);
+  return v && SID_SHAPE_RE.test(v) ? v : null;
 }
 
-function _setAuthCookie(res, sealed) {
-  var attrs = "Max-Age=" + AUTH_COOKIE_MAX + "; Path=/; HttpOnly; Secure; SameSite=Lax";
-  _appendCookie(res, AUTH_COOKIE_NAME + "=" + encodeURIComponent(sealed) + "; " + attrs);
+function _setSidCookie(res, sid) {
+  var T = _b().constants.TIME;
+  _cookieJar().write(res, SESSION_COOKIE_NAME, sid, { expires: new Date(Date.now() + T.days(30)) });
 }
 
+// Auth + WebAuthn-challenge cookies carry a vault-sealed JSON envelope.
+// writeSealed/readSealed handle the seal + the on-wire prefix; the
+// caller works in plain objects.
+function _setAuthCookie(res, env) {
+  var T = _b().constants.TIME;
+  _cookieJar().writeSealed(res, AUTH_COOKIE_NAME, JSON.stringify(env), { expires: new Date(Date.now() + T.days(14)) });
+}
 function _clearAuthCookie(res) {
-  _appendCookie(res,
-    AUTH_COOKIE_NAME + "=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax");
+  _cookieJar().clear(res, AUTH_COOKIE_NAME);
 }
-
-function _setChallengeCookie(res, sealed) {
-  var attrs = "Max-Age=" + CHALLENGE_COOKIE_MAX + "; Path=/account; HttpOnly; Secure; SameSite=Lax";
-  _appendCookie(res, CHALLENGE_COOKIE_NAME + "=" + encodeURIComponent(sealed) + "; " + attrs);
+function _readAuthEnv(req) {
+  var raw = _cookieJar().readSealed(req, AUTH_COOKIE_NAME);
+  if (raw === null) return null;
+  try { return JSON.parse(raw); } catch (_e) { return null; }
 }
 
+function _setChallengeCookie(res, env) {
+  var T = _b().constants.TIME;
+  _cookieJar().writeSealed(res, CHALLENGE_COOKIE_NAME, JSON.stringify(env), { expires: new Date(Date.now() + T.minutes(5)), path: "/account" });
+}
 function _clearChallengeCookie(res) {
-  _appendCookie(res,
-    CHALLENGE_COOKIE_NAME + "=; Max-Age=0; Path=/account; HttpOnly; Secure; SameSite=Lax");
+  _cookieJar().clear(res, CHALLENGE_COOKIE_NAME, { path: "/account" });
+}
+function _readChallengeEnv(req) {
+  var raw = _cookieJar().readSealed(req, CHALLENGE_COOKIE_NAME);
+  if (raw === null) return null;
+  try { return JSON.parse(raw); } catch (_e) { return null; }
 }
 
 // ---- account-page renderers --------------------------------------------
@@ -2244,6 +2283,7 @@ var ACCOUNT_DASH_PAGE =
   "    <div class=\"account-dash__actions\">\n" +
   "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Wishlist</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/saved\">Saved for later</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/recently-viewed\">Recently viewed</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/addresses\">Addresses</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/returns\">Returns</a>\n" +
   "      <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
@@ -2268,10 +2308,10 @@ var ACCOUNT_DASH_PAGE =
 
 var ACCOUNT_DASH_ORDER_ROW =
   "<tr>\n" +
-  "  <td><a href=\"/orders/{{order_id}}\" class=\"account-order__id\"><code>{{order_id_short}}</code></a></td>\n" +
-  "  <td class=\"account-order__items\">RAW_ACCOUNT_ORDER_THUMBS</td>\n" +
-  "  <td><span class=\"pdp__badge {{status_class}}\">{{status}}</span></td>\n" +
-  "  <td class=\"price\">{{total}}</td>\n" +
+  "  <td data-label=\"Order\"><a href=\"/orders/{{order_id}}\" class=\"account-order__id\"><code>{{order_id_short}}</code></a></td>\n" +
+  "  <td class=\"account-order__items\" data-label=\"Items\">RAW_ACCOUNT_ORDER_THUMBS</td>\n" +
+  "  <td data-label=\"Status\"><span class=\"pdp__badge {{status_class}}\">{{status}}</span></td>\n" +
+  "  <td class=\"price\" data-label=\"Total\">{{total}}</td>\n" +
   "</tr>\n";
 
 function renderAccount(opts) {
@@ -2372,7 +2412,7 @@ function mount(router, deps) {
   // so the /admin landing + the onNotFound 404 handler (mounted
   // outside the `if (deps.customers)` block below) can reach it.
   async function _cartCountForReq(req) {
-    var sid = _readCookie(req, SESSION_COOKIE_NAME);
+    var sid = _readSidCookie(req);
     if (!sid) return 0;
     var c = await deps.cart.bySession(sid);
     if (!c) return 0;
@@ -2380,6 +2420,42 @@ function mount(router, deps) {
     return lines.length;
   }
 
+  // The signed-in customer's sealed-cookie envelope, or null. Shared by
+  // the PDP view recorder (mounted outside the `if (deps.customers)`
+  // block) and the account routes inside it, so there's one auth-cookie
+  // reader rather than a copy per call site. A missing / malformed /
+  // expired cookie returns null — never throws.
+  function _currentCustomerEnv(req) {
+    var env = _readAuthEnv(req);
+    if (!env || !env.customer_id || !env.exp || env.exp < Date.now()) return null;
+    return env;
+  }
+
+  // Resolve a product id into the { slug, title, price, image_url,
+  // image_alt } shape `_buildProductCard` expects. Returns null for an
+  // archived / missing product so it drops out of any grid (collections,
+  // recently-viewed). Shared so the decoration rule lives in one place.
+  var _cardAssetPrefix = deps.asset_prefix || "/assets/";
+  async function _decorateProductCard(pid) {
+    var product = await deps.catalog.products.get(pid);
+    if (!product || product.status !== "active") return null;
+    var priceStr = "—";
+    var variants = await deps.catalog.variants.listForProduct(pid);
+    if (variants.length) {
+      var pr = await deps.catalog.prices.current(variants[0].id, "USD");
+      if (pr) priceStr = pricing.format(pr.amount_minor, pr.currency);
+    }
+    var media = await deps.catalog.media.listForProduct(pid);
+    var hero = media.length ? media[0] : null;
+    return {
+      slug:      product.slug,
+      title:     product.title,
+      price:     priceStr,
+      image_url: hero ? (_cardAssetPrefix + hero.r2_key) : null,
+      image_alt: hero ? (hero.alt_text || product.title) : null,
+    };
+  }
+
   // Resolve the cart for this request — read session_id from the
   // sealed cookie, create one (and the cart) if absent. Returns
   // the cart row OR null when the cart was just created (caller can
@@ -2520,6 +2596,19 @@ function mount(router, deps) {
       try { wishlistCount = await deps.wishlist.countForProduct(product.id); }
       catch (_e) { wishlistCount = 0; }
     }
+    // Log the view for a signed-in customer so it surfaces on their
+    // "Recently viewed" account page. Drop-silent — a recording failure
+    // (table not migrated, write contention) must never break the PDP
+    // render. Guests aren't recorded here: their PDP is edge-cached with
+    // no per-request container hop, so session-scoped guest history is a
+    // separate opt-in (a client beacon) the storefront doesn't ship yet.
+    if (deps.recentlyViewed && deps.customers) {
+      var rvEnv = _currentCustomerEnv(req);
+      if (rvEnv) {
+        try { await deps.recentlyViewed.recordView({ customer_id: rvEnv.customer_id, product_id: product.id }); }
+        catch (_e) { /* drop-silent — recently-viewed is supplementary to the buy path */ }
+      }
+    }
     var html = renderProduct({
       product:        product,
       variants:       variants,
@@ -2539,36 +2628,11 @@ function mount(router, deps) {
   // Collections — operator-curated + smart product lists. Public browse
   // pages; mounted when the collections primitive is wired.
   if (deps.collections) {
-    var _collAssetPrefix = deps.asset_prefix || "/assets/";
-
-    // Decorate a product id into the { slug, title, price, image_url }
-    // shape _buildProductCard expects. Returns null for an archived /
-    // missing product so it drops out of the grid.
-    async function _decorateCollectionProduct(pid) {
-      var product = await deps.catalog.products.get(pid);
-      if (!product || product.status !== "active") return null;
-      var priceStr = "—";
-      var variants = await deps.catalog.variants.listForProduct(pid);
-      if (variants.length) {
-        var pr = await deps.catalog.prices.current(variants[0].id, "USD");
-        if (pr) priceStr = pricing.format(pr.amount_minor, pr.currency);
-      }
-      var media = await deps.catalog.media.listForProduct(pid);
-      var hero = media.length ? media[0] : null;
-      return {
-        slug:      product.slug,
-        title:     product.title,
-        price:     priceStr,
-        image_url: hero ? (_collAssetPrefix + hero.r2_key) : null,
-        image_alt: hero ? (hero.alt_text || product.title) : null,
-      };
-    }
-
     router.get("/collections", async function (req, res) {
       var cols = await deps.collections.list({ active_only: true });
       var cartCount = await _cartCountForReq(req);
       _send(res, 200, renderCollectionList({
-        collections: cols, shop_name: shopName, cart_count: cartCount, asset_prefix: _collAssetPrefix,
+        collections: cols, shop_name: shopName, cart_count: cartCount, asset_prefix: _cardAssetPrefix,
       }));
     });
 
@@ -2589,7 +2653,7 @@ function mount(router, deps) {
       var products = [];
       for (var i = 0; i < result.rows.length; i += 1) {
         var pid = result.rows[i].product_id || result.rows[i].id;
-        var card = await _decorateCollectionProduct(pid);
+        var card = await _decorateProductCard(pid);
         if (card) products.push(card);
       }
       var cartCount = await _cartCountForReq(req);
@@ -2713,11 +2777,11 @@ function mount(router, deps) {
           idempotency_key:      "checkout:" + c.id + ":" + _b().uuid.v7(),
         });
         // Set a short-lived pay cookie so /pay/:order_id can serve the
-        // client_secret without re-running confirm.
-        var payCookie = "shop_pay=" + encodeURIComponent(result.payment_intent.client_secret) +
-          "; Max-Age=900; Path=/pay/; HttpOnly; Secure; SameSite=Strict";
-        if (res.appendHeader)      res.appendHeader("Set-Cookie", payCookie);
-        else if (res.setHeader)    res.setHeader("Set-Cookie", payCookie);
+        // client_secret without re-running confirm. Scoped to /pay/ +
+        // SameSite=Strict so it's only ever sent to the pay route.
+        _cookieJar().write(res, PAY_COOKIE_NAME, result.payment_intent.client_secret, {
+          expires: new Date(Date.now() + _b().constants.TIME.minutes(15)), path: "/pay/", sameSite: "Strict",
+        });
         res.status(303);
         res.setHeader && res.setHeader("location", "/pay/" + result.order.id);
         return res.end ? res.end() : res.send("");
@@ -2736,14 +2800,7 @@ function mount(router, deps) {
       // Read the client_secret from the shop_pay cookie set on POST
       // /checkout. The cookie is scoped Path=/pay/ + SameSite=Strict
       // so it's only sent to the pay route and never cross-origin.
-      var rawCookies = (req.headers && (req.headers.cookie || req.headers.Cookie)) || "";
-      var clientSecret = null;
-      rawCookies.split(";").forEach(function (p) {
-        var t = p.trim();
-        if (t.indexOf("shop_pay=") === 0) {
-          try { clientSecret = decodeURIComponent(t.slice("shop_pay=".length)); } catch (_e) { /* drop */ }
-        }
-      });
+      var clientSecret = _readCookie(req, PAY_COOKIE_NAME);
       if (!clientSecret) {
         res.status(303); res.setHeader && res.setHeader("location", "/cart");
         return res.end ? res.end() : res.send("");
@@ -2809,23 +2866,8 @@ function mount(router, deps) {
       return _b().crypto.toBase64Url(buf);
     }
 
-    function _sealEnvelope(obj) {
-      return _b().vault.seal(JSON.stringify(obj));
-    }
-    function _unsealEnvelope(s) {
-      try {
-        var raw = _b().vault.unseal(s);
-        return JSON.parse(raw);
-      } catch (_e) { return null; }
-    }
-
     function _currentCustomer(req) {
-      var raw = _readCookie(req, AUTH_COOKIE_NAME);
-      if (!raw) return null;
-      var env = _unsealEnvelope(raw);
-      if (!env || !env.customer_id || !env.exp) return null;
-      if (env.exp < Date.now()) return null;
-      return env;
+      return _currentCustomerEnv(req);
     }
 
     function _serviceUnavailable(res, msg) {
@@ -2883,13 +2925,12 @@ function mount(router, deps) {
         // Seal the ceremony state (challenge + customer_id) into the
         // shop_auth_chal cookie so register-finish verifies against
         // the same challenge without server-side state.
-        var sealed = _sealEnvelope({
+        _setChallengeCookie(res, {
           kind:           "register",
           customer_id:    customer.id,
           challenge:      startOpts.challenge,
           created_at:     Date.now(),
         });
-        _setChallengeCookie(res, sealed);
         res.status(200);
         res.setHeader && res.setHeader("content-type", "application/json");
         return res.end ? res.end(JSON.stringify(startOpts)) : res.send(JSON.stringify(startOpts));
@@ -2902,10 +2943,9 @@ function mount(router, deps) {
 
     router.post("/account/passkey/register-finish", async function (req, res) {
       try {
-        var rawCookie = _readCookie(req, CHALLENGE_COOKIE_NAME);
-        if (!rawCookie) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
-        var env = _unsealEnvelope(rawCookie);
-        if (!env || env.kind !== "register") {
+        var env = _readChallengeEnv(req);
+        if (!env) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
+        if (env.kind !== "register") {
           res.status(400); return res.end ? res.end("bad challenge") : res.send("bad challenge");
         }
         var att = _readJsonBody(req);
@@ -2934,10 +2974,10 @@ function mount(router, deps) {
           transports:    transports,
         });
         _clearChallengeCookie(res);
-        _setAuthCookie(res, _sealEnvelope({
+        _setAuthCookie(res, {
           customer_id: env.customer_id,
-          exp:         Date.now() + AUTH_TTL_MS,
-        }));
+          exp:         Date.now() + _b().constants.TIME.days(14),
+        });
         res.status(200);
         return res.end ? res.end("ok") : res.send("ok");
       } catch (e) {
@@ -2972,13 +3012,12 @@ function mount(router, deps) {
           allowCredentials:     allow,
           userVerification:     "preferred",
         });
-        var sealed = _sealEnvelope({
+        _setChallengeCookie(res, {
           kind:        "login",
           email_hash:  hash,
           challenge:   startOpts.challenge,
           created_at:  Date.now(),
         });
-        _setChallengeCookie(res, sealed);
         res.status(200);
         res.setHeader && res.setHeader("content-type", "application/json");
         return res.end ? res.end(JSON.stringify(startOpts)) : res.send(JSON.stringify(startOpts));
@@ -2991,10 +3030,9 @@ function mount(router, deps) {
 
     router.post("/account/passkey/login-finish", async function (req, res) {
       try {
-        var rawCookie = _readCookie(req, CHALLENGE_COOKIE_NAME);
-        if (!rawCookie) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
-        var env = _unsealEnvelope(rawCookie);
-        if (!env || env.kind !== "login") { res.status(400); return res.end ? res.end("bad challenge") : res.send("bad challenge"); }
+        var env = _readChallengeEnv(req);
+        if (!env) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
+        if (env.kind !== "login") { res.status(400); return res.end ? res.end("bad challenge") : res.send("bad challenge"); }
         var assertion = _readJsonBody(req);
         var credentialId = assertion.id || assertion.rawId;
         if (!credentialId) { res.status(400); return res.end ? res.end("missing credential id") : res.send("missing credential id"); }
@@ -3033,7 +3071,7 @@ function mount(router, deps) {
         }
         // Merge the anonymous cart into a customer-owned cart so
         // the shopper doesn't lose items on sign-in.
-        var sid = _readCookie(req, SESSION_COOKIE_NAME);
+        var sid = _readSidCookie(req);
         if (sid) {
           try {
             var anonCart = await deps.cart.bySession(sid);
@@ -3041,10 +3079,10 @@ function mount(router, deps) {
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
         _clearChallengeCookie(res);
-        _setAuthCookie(res, _sealEnvelope({
+        _setAuthCookie(res, {
           customer_id: customer.id,
-          exp:         Date.now() + AUTH_TTL_MS,
-        }));
+          exp:         Date.now() + _b().constants.TIME.days(14),
+        });
         res.status(200);
         return res.end ? res.end("ok") : res.send("ok");
       } catch (e) {
@@ -3553,6 +3591,50 @@ function mount(router, deps) {
       });
     }
 
+    // Recently viewed — the signed-in customer's newest-first browse
+    // history. Views are recorded server-side on the (container-rendered)
+    // PDP; this surface lets the customer review + clear that history.
+    if (deps.recentlyViewed) {
+      function _rvAuth(req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        return auth;
+      }
+
+      router.get("/account/recently-viewed", async function (req, res) {
+        var auth = _rvAuth(req, res); if (!auth) return;
+        // A read failure (table not migrated) degrades to the empty
+        // state rather than 500-ing the account page.
+        var rows = [];
+        try { rows = await deps.recentlyViewed.forCustomer(auth.customer_id, { limit: 24 }); }
+        catch (_e) { rows = []; }
+        var products = [];
+        for (var i = 0; i < rows.length; i += 1) {
+          var card = await _decorateProductCard(rows[i].product_id);
+          if (card) products.push(card);
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderRecentlyViewed({ products: products, shop_name: shopName, cart_count: cartCount }));
+      });
+
+      router.post("/account/recently-viewed/clear", async function (req, res) {
+        var auth = _rvAuth(req, res); if (!auth) return;
+        try { await deps.recentlyViewed.purgeCustomer(auth.customer_id); }
+        catch (_e) { /* drop-silent — a failed clear leaves history intact, no error surface needed */ }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/recently-viewed");
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
     // Product reviews — submission requires a logged-in customer AND a
     // verified purchase of the product (the gate, not just a badge).
     // Only mounts when both the reviews primitive and an order handle

package/lib/subscription-analytics.js

@@ -162,10 +162,15 @@
 
 // ---- constants ----------------------------------------------------------
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var CACHE_NAMESPACE = "subscription-analytics-cache";
 
-var DEFAULT_TTL_MS  = 5 * 60 * 1000;            // 5 minutes
-var ONE_DAY_MS      = 24 * 60 * 60 * 1000;
+var DEFAULT_TTL_MS  = C.TIME.minutes(5);        // 5 minutes
+var ONE_DAY_MS      = C.TIME.days(1);
 var ONE_YEAR_MS     = 365 * ONE_DAY_MS;
 var DEFAULT_LTV_WINDOW_MS = 90 * ONE_DAY_MS;
 

package/lib/subscription-controls.js

@@ -55,6 +55,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -89,12 +90,12 @@ var FREQUENCIES = [
 // step skipNext / changeFrequency surface; a calendar-accurate
 // scheduler is out of scope for v1.
 var PERIOD_MS = Object.freeze({
-  weekly:      7  * 24 * 60 * 60 * 1000,
-  biweekly:    14 * 24 * 60 * 60 * 1000,
-  monthly:     30 * 24 * 60 * 60 * 1000,
-  quarterly:   90 * 24 * 60 * 60 * 1000,
-  semiannual:  182 * 24 * 60 * 60 * 1000,
-  annual:      365 * 24 * 60 * 60 * 1000,
+  weekly:      C.TIME.days(7),
+  biweekly:    C.TIME.days(14),
+  monthly:     C.TIME.days(30),
+  quarterly:   C.TIME.days(90),
+  semiannual:  C.TIME.days(182),
+  annual:      C.TIME.days(365),
 });
 
 // Plan-interval → frequency fallback. When the row has no `frequency`
@@ -115,7 +116,7 @@ function _frequencyFromPlan(plan) {
   return "monthly";
 }
 
-var REACTIVATE_GRACE_MS  = 90 * 24 * 60 * 60 * 1000;
+var REACTIVATE_GRACE_MS  = C.TIME.days(90);
 var MAX_REASON_LEN       = 280;
 var MAX_SKIP_COUNT       = 12;
 var MAX_QUANTITY         = 1000000;
@@ -599,7 +600,7 @@ function create(opts) {
       if (now - row.cancelled_at > REACTIVATE_GRACE_MS) {
         var gErr = new Error(
           "subscriptionControls.reactivate: refused — cancellation is older than the " +
-          (REACTIVATE_GRACE_MS / (24 * 60 * 60 * 1000)) + "-day grace window"
+          (REACTIVATE_GRACE_MS / C.TIME.days(1)) + "-day grace window"
         );
         gErr.code = "SUBSCRIPTION_REACTIVATE_GRACE_EXPIRED";
         throw gErr;

package/lib/subscription-gifts.js

@@ -72,6 +72,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -94,7 +95,7 @@ var MAX_LIST_LIMIT     = 200;
 var DEFAULT_LIST_LIMIT = 50;
 // Default redemption window: 365 days. Operators wanting a different
 // horizon pass `expires_at_ms` (absolute) at purchase time.
-var DEFAULT_EXPIRY_MS  = 365 * 86400 * 1000;
+var DEFAULT_EXPIRY_MS  = C.TIME.days(365);
 
 // ---- validators ---------------------------------------------------------