@blamejs/blamejs-shop 0.0.129 → 0.1.0

package/lib/email-warmup.js

@@ -92,6 +92,11 @@
 
 // ---- constants ----------------------------------------------------------
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var MAX_SLUG_LEN          = 80;
 var MAX_DAILY_TARGETS     = 365;          // a year of ramp ceiling — operator schedule, not framework
 var MAX_DAILY_TARGET      = 10000000;     // 10M sends in one day — well above any reasonable IP ceiling
@@ -100,7 +105,7 @@ var MAX_REASON_LEN        = 280;
 var MAX_LIST_LIMIT        = 500;
 var MAX_DOMAIN_LEN        = 253;          // DNS hostname cap
 var MAX_IP_LEN            = 45;           // IPv6 max textual length
-var MS_PER_DAY            = 24 * 60 * 60 * 1000;
+var MS_PER_DAY            = C.TIME.days(1);
 
 var SLUG_RE          = /^[a-z0-9][a-z0-9._-]{0,79}$/;
 // Lowercase domain — IDN punycode + alnum + hyphen + dot, ending in a

package/lib/email.js

@@ -32,16 +32,9 @@ function _b() {
   return bShop.framework;
 }
 
-var HTML_ESCAPE_MAP = {
-  "&": "&",
-  "<": "&lt;",
-  ">": "&gt;",
-  "\"": "&quot;",
-  "'": "&#39;",
-};
 function _htmlEscape(s) {
   if (s == null) return "";
-  return String(s).replace(/[&<>"']/g, function (c) { return HTML_ESCAPE_MAP[c]; });
+  return _b().template.escapeHtml(String(s));
 }
 
 // Strict {{var}} renderer. Refuses unrecognized placeholders so a

package/lib/error-log.js

@@ -71,9 +71,10 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
-var ONE_YEAR_MS      = 365 * 24 * 60 * 60 * 1000;
-var DEFAULT_WINDOW_MS = 24 * 60 * 60 * 1000;        // 24h — the dashboard's default
+var ONE_YEAR_MS      = C.TIME.days(365);
+var DEFAULT_WINDOW_MS = C.TIME.days(1);             // 24h — the dashboard's default
 
 var SESSION_NAMESPACE = "error-log-session";
 

package/lib/event-log.js

@@ -92,6 +92,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ---------------------------------------------------------
 
@@ -115,7 +116,7 @@ var MAX_TAIL_EVENTS    = 500;
 var DEFAULT_TAIL_EVENTS = 50;
 var MIN_POLL_MS        = 250;
 var DEFAULT_POLL_MS    = 2000;
-var MAX_POLL_MS        = 60000;
+var MAX_POLL_MS        = C.TIME.minutes(1);
 var MAX_PURGE_DAYS     = 3650;
 
 // Identifier shapes — kind / subject_kind / actor_kind / source share
@@ -650,7 +651,7 @@ function create(opts) {
       throw new TypeError("eventLog.purgeOlderThan: days must be an integer in [1, " + MAX_PURGE_DAYS + "]");
     }
     var excludeCritical = !!input.exclude_critical;
-    var cutoff = _now() - days * 86400000;
+    var cutoff = _now() - C.TIME.days(days);
 
     var sql, params;
     if (excludeCritical) {

package/lib/fraud-screen.js

@@ -101,6 +101,7 @@ function _b() {
   }
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -137,10 +138,11 @@ var WEIGHTS = Object.freeze({
 });
 
 // Thresholds for the heuristic dials.
-var VELOCITY_WINDOW_MS      = 24 * 60 * 60 * 1000;   // 24h lookback
+var VELOCITY_WINDOW_MS      = C.TIME.days(1);        // 24h lookback
 var VELOCITY_MAX_OK         = 3;                      // > N triggers
 var HIGH_VALUE_NEW_THRESH   = 50000;                 // 500.00 minor units
 var SESSION_FAST_MAX_SEC    = 15;
+// allow:raw-time-literal — session-age ceiling in SECONDS (24h); compared against session_age_seconds, C.TIME returns ms
 var SESSION_OLD_MAX_SEC     = 24 * 60 * 60;
 var LARGE_LINE_COUNT_THRESH = 25;
 var SCORE_MAX               = 100;

package/lib/fulfillment-sla.js

@@ -107,6 +107,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -124,7 +125,7 @@ var SLUG_RE              = /^[a-z0-9][a-z0-9._-]{0,63}$/;
 var CUTOFF_RE            = /^([01][0-9]|2[0-3]):([0-5][0-9])$/;
 var TIMEZONE_RE          = /^[A-Za-z][A-Za-z0-9+_\-/]{0,63}$/;
 
-var MS_PER_HOUR          = 60 * 60 * 1000;
+var MS_PER_HOUR          = C.TIME.hours(1);
 var MS_PER_DAY           = 24 * MS_PER_HOUR;
 
 var SEVERITY_MINOR_MAX   = 24;
@@ -296,6 +297,7 @@ function _clockStart(placedAt, cutoffLocalTime, timezone) {
   var nextHour   = Number(nextByType.hour);
   var nextMinute = Number(nextByType.minute);
   var nextSecond = Number(nextByType.second);
+  // allow:raw-time-literal — converts a runtime-computed local time-of-day (h/m/s) to ms; not a fixed duration C.TIME can express
   var localOffsetMs = (nextHour * 3600 + nextMinute * 60 + nextSecond) * 1000;
   return nextDayMs - localOffsetMs;
 }

package/lib/index.js

@@ -30,8 +30,16 @@ try {
   throw e;
 }
 
-module.exports = {
-  framework:    framework,
+// Expose the framework on the exports object up front — before the
+// require cascade below — so a shop module that composes a framework
+// primitive at module-eval time (e.g. `var C = require("./index")
+// .framework.constants` via the `_b()` lazy accessor, used for
+// duration constants) resolves `framework` cleanly while it is itself
+// being required. Without this, `_b()` mid-cascade would see a
+// half-built exports object with no `framework` field.
+module.exports.framework = framework;
+
+Object.assign(module.exports, {
   externaldbD1: require("./externaldb-d1"),
   r2Bridge:     require("./r2-bridge"),
   catalog:      require("./catalog"),
@@ -242,4 +250,4 @@ module.exports = {
   winbackCampaigns:      require("./winback-campaigns"),
   wishlistDigest:        require("./wishlist-digest"),
   operatorHelpCenter:    require("./operator-help-center"),
-};
+});

package/lib/inventory-allocations.js

@@ -84,6 +84,7 @@ var ORDER_ID_RE    = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 var HOLD_ID_RE     = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
 var REASON_RE      = /^[\S\s]{1,256}$/;
 var DEFAULT_TTL    = 900;          // 15 minutes by default
+// allow:raw-time-literal — TTL ceiling in SECONDS (not ms); C.TIME returns ms
 var MAX_TTL        = 24 * 60 * 60; // 24h ceiling — anything longer is a usage-error smell
 var MIN_TTL        = 1;
 
@@ -284,6 +285,7 @@ function create(opts) {
     }
 
     var ts        = _monotonicTs();
+    // allow:raw-time-literal — seconds→ms conversion of a variable TTL count; C.TIME helpers take a fixed duration, not a runtime value
     var expiresAt = ts + ttlSeconds * 1000;
     var id        = _b().uuid.v7();
     await query(
@@ -415,6 +417,7 @@ function create(opts) {
         ", expected 'held'");
     }
 
+    // allow:raw-time-literal — seconds→ms conversion of a variable TTL count; C.TIME helpers take a fixed duration, not a runtime value
     var nextExpires = Number(existing.expires_at) + input.additional_ttl_seconds * 1000;
     await query(
       "UPDATE inventory_holds SET expires_at = ?1 WHERE id = ?2 AND status = 'held'",

package/lib/inventory-snapshots.js

@@ -90,6 +90,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -660,7 +661,7 @@ function create(opts) {
     // to wipe the snapshot history wholesale call with 0.
     purgeOlderThan: async function (days) {
       _days(days);
-      var cutoff = _now() - (days * 86400000);
+      var cutoff = _now() - C.TIME.days(days);
       // Read the ids first so the return shape can carry both the
       // count and the ids that were removed (operators occasionally
       // want to log "purged snapshots: a, b, c" for a compliance

package/lib/invoice-renderer.js

@@ -88,6 +88,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -503,7 +504,7 @@ function create(opts) {
       var issuer = await _resolveIssuer();
 
       var generatedAt = Date.now();
-      var dueAt = generatedAt + dueDays * 24 * 60 * 60 * 1000;
+      var dueAt = generatedAt + C.TIME.days(dueDays);
 
       var seq = await _advanceSeries(series);
       var invoiceNumber = _formatInvoiceNumber(seq, generatedAt);

package/lib/line-gift-wrap.js

@@ -68,9 +68,14 @@
 
 // ---- constants ----------------------------------------------------------
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var MAX_MESSAGE_LEN   = 500;
 var MAX_RECIPIENT_LEN = 120;
-var MAX_FROM_TO_SPAN  = 366 * 24 * 3600 * 1000; // analytics window cap
+var MAX_FROM_TO_SPAN  = C.TIME.days(366); // analytics window cap
 
 // SKU shape mirrors catalog.js + gift-options.js — alnum + . _ -, ≤
 // 128 chars, leading char must be alnum so a wrap_sku can never

package/lib/live-chat.js

@@ -114,6 +114,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- validators ---------------------------------------------------------
 
@@ -673,7 +674,7 @@ function create(opts) {
       }
       var idleMinutes = _idleMinutes(input.idle_minutes);
       var ts        = _now();
-      var threshold = ts - idleMinutes * 60 * 1000;
+      var threshold = ts - C.TIME.minutes(idleMinutes);
       var r = await query(
         "SELECT id FROM chat_sessions " +
         "WHERE status IN ('queued','assigned','active','waiting') " +

package/lib/loyalty-redemption.js

@@ -68,6 +68,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -82,7 +83,7 @@ var MAX_REDEMPTIONS_LIMIT = 200;
 var MAX_POINT_COST = 100000000;
 var MAX_PER_CUSTOMER = 100000;
 var MAX_EXPIRES_DAYS = 3650;
-var MS_PER_DAY = 86400000;
+var MS_PER_DAY = C.TIME.days(1);
 
 // Slug shape matches the catalog / promo-banners convention — alnum +
 // hyphen + underscore + dot, leading char alnum, capped length.

package/lib/newsletter.js

@@ -48,10 +48,15 @@
 
 "use strict";
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var EMAIL_NAMESPACE         = "newsletter-email";
 var UNSUBSCRIBE_NAMESPACE   = "newsletter-unsubscribe";
 var UNSUBSCRIBE_TOKEN_BYTES = 24;
-var UNSUBSCRIBE_TTL_MS      = 365 * 24 * 60 * 60 * 1000;
+var UNSUBSCRIBE_TTL_MS      = C.TIME.days(365);
 var MAX_SOURCE_LEN          = 64;
 var SOURCE_RE               = /^[a-z0-9][a-z0-9._-]{0,62}[a-z0-9]$/;
 

package/lib/operator-activity-feed.js

@@ -106,19 +106,20 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
 var MAX_LIMIT       = 200;
 var DEFAULT_LIMIT   = 50;
 var MAX_RECENT_LOGINS = 10;
-var ONLINE_WINDOW_MS = 5 * 60 * 1000;
-var MS_PER_DAY = 86400000;
+var ONLINE_WINDOW_MS = C.TIME.minutes(5);
+var MS_PER_DAY = C.TIME.days(1);
 
 // Cache freshness window. summarizeForOperator returns the cached row
 // when computed_at is within this window AND no source has a newer
 // event than last_activity_at. Same posture as customer-activity uses.
-var CACHE_TTL_MS = 5 * 60 * 1000;
+var CACHE_TTL_MS = C.TIME.minutes(5);
 
 // Order-key for the forOperator() pagination cursor — (occurred_at
 // DESC, kind DESC). Tuple keeps the cursor monotonic even when two

package/lib/operator-sessions.js

@@ -140,16 +140,16 @@
 
 var TOKEN_NAMESPACE         = "operator-session-token";
 var TOKEN_BYTES             = 32;
-var DEFAULT_TTL_SECONDS     = 8 * 60 * 60;             // 8-hour shift default
+var DEFAULT_TTL_SECONDS     = 8 * 60 * 60;             // allow:raw-time-literal — TTL stored in seconds; C.TIME returns ms (8-hour shift default)
 var MIN_TTL_SECONDS         = 60;                       // refuse zero / sub-minute
-var MAX_TTL_SECONDS         = 60 * 60 * 24;             // hard ceiling — one day
+var MAX_TTL_SECONDS         = 60 * 60 * 24;             // allow:raw-time-literal — TTL stored in seconds; C.TIME returns ms (hard ceiling — one day)
 var MAX_REASON_LEN          = 64;
 var MAX_UA_CLASS_LEN        = 64;
 var MAX_IP_HASH_LEN         = 256;
 var MIN_IP_HASH_LEN         = 1;
-var DEFAULT_LOCKOUT_WINDOW  = 15 * 60;                  // 15-minute rolling window
+var DEFAULT_LOCKOUT_WINDOW  = 15 * 60;                  // allow:raw-time-literal — lockout window stored in seconds; C.TIME returns ms (15-minute rolling window)
 var DEFAULT_LOCKOUT_THRESH  = 5;                        // 5 failures trips lockout
-var MAX_LOCKOUT_WINDOW      = 24 * 60 * 60;             // sanity cap — one day
+var MAX_LOCKOUT_WINDOW      = 24 * 60 * 60;             // allow:raw-time-literal — lockout window stored in seconds; C.TIME returns ms (sanity cap — one day)
 var MIN_LOCKOUT_THRESHOLD   = 1;
 var MAX_LOCKOUT_THRESHOLD   = 1000;
 
@@ -344,7 +344,7 @@ function create(opts) {
       var tokenHash = _b().crypto.namespaceHash(TOKEN_NAMESPACE, plaintext);
       var id        = _b().uuid.v7();
       var now       = _now();
-      var expiresAt = now + (ttl * 1000);
+      var expiresAt = now + (ttl * 1000);   // allow:raw-time-literal — ttl is in seconds; * 1000 converts to ms
 
       await query(
         "INSERT INTO operator_sessions " +
@@ -615,7 +615,7 @@ function create(opts) {
     // emit a metric.
     expireOlderThan: async function (seconds) {
       _seconds(seconds, "seconds");
-      var threshold = _now() - (seconds * 1000);
+      var threshold = _now() - (seconds * 1000);   // allow:raw-time-literal — seconds arg is in seconds; * 1000 converts to ms
       var r = await query(
         "UPDATE operator_sessions " +
         "SET status = 'expired' " +
@@ -646,7 +646,7 @@ function create(opts) {
       }
       var windowSec = _lockoutWindow(lopts.window_seconds);
       var threshold = _lockoutThreshold(lopts.threshold);
-      var since     = _now() - (windowSec * 1000);
+      var since     = _now() - (windowSec * 1000);   // allow:raw-time-literal — windowSec is in seconds; * 1000 converts to ms
       var r = await query(
         "SELECT COUNT(*) AS n FROM operator_failed_logins " +
         "WHERE ip_hash = ?1 AND occurred_at >= ?2",

package/lib/order-exchanges.js

@@ -301,6 +301,7 @@ function create(opts) {
           sku:        existing.replacement_sku,
           variant_id: existing.replacement_variant_id || null,
           quantity:   existing.replacement_qty,
+          // allow:raw-time-literal — hold TTL in SECONDS (passed to holdForCart's ttl_seconds); C.TIME returns ms
           ttl_seconds: input.hold_ttl_seconds || 86400,
         });
       }

package/lib/order-timeline.js

@@ -101,6 +101,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -113,7 +114,7 @@ var DEFAULT_RECENT_LIMIT = 20;
 // pathological "no new events but the cache is stale" case still
 // recomputes after a few minutes — gives the operator dashboard
 // fresh totals even when the underlying primitives are quiet.
-var CACHE_TTL_MS = 5 * 60 * 1000;
+var CACHE_TTL_MS = C.TIME.minutes(5);
 
 // BCP-47 shape: 2-3 alpha primary subtag, optional region/script
 // subtags. Matches the shape gift-options uses for the same purpose.

package/lib/payment-retries.js

@@ -133,6 +133,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -146,7 +147,7 @@ var MAX_SCHEDULE_STEPS    = 64;
 var MAX_ATTEMPTS_CAP      = 64;
 var MAX_LIST_LIMIT        = 500;
 var DEFAULT_LIST_LIMIT    = 100;
-var MS_PER_HOUR           = 60 * 60 * 1000;
+var MS_PER_HOUR           = C.TIME.hours(1);
 
 var SLUG_RE          = /^[a-z](?:[a-z0-9-]*[a-z0-9])?$/;
 var FAILURE_CODE_RE  = /^[a-z](?:[a-z0-9_]*[a-z0-9])?$/;

package/lib/payment.js

@@ -28,6 +28,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var STRIPE_API_BASE_DEFAULT  = "https://api.stripe.com/v1";
 var STRIPE_WEBHOOK_TOLERANCE = 300;   // ± 5 minutes (Stripe default)
@@ -38,7 +39,7 @@ var CURRENCY_RE              = /^[a-z]{3}$/;   // Stripe wants lowercase ISO 421
 // expires on the same window — operators who run `cleanupExpired()`
 // on a daily schedule keep the table small without ever shortening
 // the replay window below Stripe's own retention.
-var IDEMPOTENCY_TTL_MS       = 24 * 60 * 60 * 1000;
+var IDEMPOTENCY_TTL_MS       = C.TIME.days(1);
 var IDEMPOTENCY_NAMESPACE    = "payment-idempotency-body";
 var IDEMPOTENT_OPERATIONS    = {
   "payment_intent.create": true,
@@ -124,8 +125,8 @@ async function _verifyWebhook(headers, rawBody, secret, opts) {
   if (!headerVal) return { ok: false, reason: "no-signature" };
 
   var toleranceMs = opts.toleranceSeconds == null
-    ? STRIPE_WEBHOOK_TOLERANCE * 1000
-    : opts.toleranceSeconds * 1000;
+    ? STRIPE_WEBHOOK_TOLERANCE * 1000 // allow:raw-time-literal — seconds value; *1000 converts to ms
+    : opts.toleranceSeconds * 1000;   // allow:raw-time-literal — runtime seconds value; *1000 converts to ms
   if (typeof toleranceMs !== "number" || !isFinite(toleranceMs) || toleranceMs <= 0) {
     throw new TypeError("payment.verifyWebhook: toleranceSeconds must be a positive number");
   }
@@ -138,7 +139,7 @@ async function _verifyWebhook(headers, rawBody, secret, opts) {
       body:        rawBody,
       toleranceMs: toleranceMs,
       nonceStore:  opts.nonceStore || undefined,
-      _nowMs:      opts.now != null ? opts.now * 1000 : undefined,
+      _nowMs:      opts.now != null ? opts.now * 1000 : undefined, // allow:raw-time-literal — opts.now is a runtime seconds value; *1000 converts to ms
     });
   } catch (e) {
     var code = (e && e.code) || "";

package/lib/pixel-events.js

@@ -103,6 +103,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -159,11 +160,11 @@ var PHONE_RAW_RE    = /^\+?[0-9 ().\-]{7,32}$/;
 // request — runaway retries against a permanently-broken provider
 // credential would otherwise saturate the worker tick.
 var RETRY_BACKOFF_MS = [
-  60 * 1000,
-  5 * 60 * 1000,
-  30 * 60 * 1000,
-  2 * 60 * 60 * 1000,
-  12 * 60 * 60 * 1000,
+  C.TIME.minutes(1),
+  C.TIME.minutes(5),
+  C.TIME.minutes(30),
+  C.TIME.hours(2),
+  C.TIME.hours(12),
 ];
 
 // ---- monotonic clock ---------------------------------------------------

package/lib/preorder.js

@@ -108,6 +108,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -116,7 +117,7 @@ var SKU_RE          = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 var CURRENCY_RE     = /^[A-Z]{3}$/;
 var MAX_COPY_LEN    = 2000;
 var MAX_REASON_LEN  = 280;
-var DAY_MS          = 24 * 60 * 60 * 1000;
+var DAY_MS          = C.TIME.days(1);
 
 var CAMPAIGN_STATUSES    = Object.freeze(["active", "launched", "closed"]);
 var RESERVATION_STATUSES = Object.freeze(["active", "converted", "cancelled"]);

package/lib/print-queue.js

@@ -113,6 +113,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -573,7 +574,7 @@ function create(opts) {
         throw new TypeError("print-queue.cleanupCompleted: input object required");
       }
       _hours(input.older_than_hours, "older_than_hours");
-      var cutoff = _now() - Math.floor(input.older_than_hours * 60 * 60 * 1000);
+      var cutoff = _now() - Math.floor(C.TIME.hours(input.older_than_hours));
       var r = await query(
         "DELETE FROM print_jobs WHERE status IN ('complete', 'cancelled', 'failed') " +
         "AND COALESCE(completed_at, failed_at, created_at) < ?1",

package/lib/product-compare.js

@@ -80,6 +80,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -775,7 +776,7 @@ function create(opts) {
     // dashboard can render the sweep's footprint.
     cleanupOlderThan: async function (days) {
       _days(days);
-      var threshold = _now() - (days * 24 * 60 * 60 * 1000);
+      var threshold = _now() - C.TIME.days(days);
       var lists = await query(
         "DELETE FROM compare_lists WHERE updated_at < ?1",
         [threshold],

package/lib/product-qa.js

@@ -91,6 +91,7 @@ function _b() {
   if (!bShop) { bShop = require("./index"); }
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- monotonic clock ---------------------------------------------------
 //
@@ -689,7 +690,7 @@ function create(opts) {
   // attached to non-rejected questions.
   async function cleanupRejected(days) {
     var d = _cleanupDays(days);
-    var cutoff = _now() - (d * 24 * 60 * 60 * 1000);
+    var cutoff = _now() - C.TIME.days(d);
 
     var qDel = await query(
       "DELETE FROM product_qa_questions WHERE status = 'rejected' AND occurred_at < ?1",

package/lib/push-notifications.js

@@ -73,6 +73,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -108,11 +109,11 @@ var MAX_PROV_MSG_ID_LEN  = 256;
 // to compute `next_retry_at`; once the schedule is exhausted the row
 // terminates as failed regardless of the caller's `retry` request.
 var RETRY_BACKOFF_MS = [
-  60 * 1000,
-  5 * 60 * 1000,
-  30 * 60 * 1000,
-  2 * 60 * 60 * 1000,
-  12 * 60 * 60 * 1000,
+  C.TIME.minutes(1),
+  C.TIME.minutes(5),
+  C.TIME.minutes(30),
+  C.TIME.hours(2),
+  C.TIME.hours(12),
 ];
 
 var SLUG_RE         = /^[a-z](?:[a-z0-9-]*[a-z0-9])?$/;

package/lib/recently-viewed.js

@@ -76,10 +76,15 @@
  * @related   b.guardUuid, b.crypto.namespaceHash, b.uuid
  */
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var DEFAULT_LIMIT       = 20;
 var MAX_LIMIT           = 100;
 var PER_SUBJECT_CAP     = 20;
-var DEDUP_WINDOW_MS     = 5 * 60 * 1000;
+var DEDUP_WINDOW_MS     = C.TIME.minutes(5);
 var SESSION_NAMESPACE   = "recently-viewed-session";
 var SESSION_ID_RE       = /^[A-Za-z0-9_-]{16,64}$/;
 var RECOMMEND_LIMIT     = 10;
@@ -479,7 +484,7 @@ function create(opts) {
     // shopper population grows.
     cleanupOlderThan: async function (days) {
       _days(days);
-      var threshold = Date.now() - (days * 24 * 60 * 60 * 1000);
+      var threshold = Date.now() - C.TIME.days(days);
       var r = await query(
         "DELETE FROM recently_viewed WHERE last_viewed_at < ?1",
         [threshold],

package/lib/recommendations.js

@@ -106,13 +106,18 @@
  *            shop.recentlyViewed, shop.analytics, shop.catalog
  */
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var DEFAULT_LIMIT      = 8;
 var MAX_LIMIT          = 50;
 var MAX_CART_PRODUCTS  = 50;
 var DEFAULT_WEIGHT     = 100;
 var MAX_WEIGHT         = 1000000;
-var ONE_YEAR_MS        = 365 * 24 * 60 * 60 * 1000;
-var DEFAULT_WINDOW_MS  = 30 * 24 * 60 * 60 * 1000;
+var ONE_YEAR_MS        = C.TIME.days(365);
+var DEFAULT_WINDOW_MS  = C.TIME.days(30);
 var KINDS              = ["product", "cart", "customer", "category"];
 var EVENT_TYPES        = ["impression", "click", "conversion"];
 var SESSION_NAMESPACE  = "recommendations-session";

package/lib/referral-leaderboard.js

@@ -83,6 +83,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var TIERS = ["bronze", "silver", "gold", "platinum"];
 
@@ -100,7 +101,7 @@ var DEFAULT_TIER_BONUS_POINTS = {
   platinum: 10000,
 };
 
-var MS_PER_DAY = 24 * 60 * 60 * 1000;
+var MS_PER_DAY = C.TIME.days(1);
 var ROLLING_WINDOW_DAYS = 90;
 
 var MAX_LEADERBOARD_LIMIT = 100;

package/lib/refund-automation.js

@@ -122,7 +122,7 @@ var MAX_PRIORITY              = 1000000;
 var MAX_LIST_LIMIT            = 200;
 var MAX_REASONS_PER_RULE      = 32;
 var MAX_CURRENCIES_PER_RULE   = 32;
-var MS_PER_YEAR               = 365 * 24 * 60 * 60 * 1000;
+var MS_PER_YEAR               = _b().constants.TIME.days(365);
 
 // Slug shape matches coupon-stacking / refund-policy convention.
 var SLUG_RE       = /^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$/;

package/lib/refund-policy.js

@@ -81,7 +81,7 @@ var MAX_STATUS_LEN        = 64;
 var MAX_WINDOW_DAYS       = 36500;          // ~100 years; refuses absurd values
 var MAX_PRIORITY          = 1000000;
 var MAX_LIST_LIMIT        = 200;
-var MS_PER_DAY            = 24 * 60 * 60 * 1000;
+var MS_PER_DAY            = _b().constants.TIME.days(1);
 
 // Slug shape matches coupon-stacking / promo-banners / customer-segments
 // convention — alnum + hyphen + underscore + dot, leading char alnum,