@blamejs/blamejs-shop 0.0.129 → 0.1.0

package/lib/storefront.js

@@ -1510,9 +1510,9 @@ var CART_LINE =
   "      </span>\n" +
   "    </a>\n" +
   "  </td>\n" +
-  "  <td>{{qty}}</td>\n" +
-  "  <td class=\"price\">{{unit}}</td>\n" +
-  "  <td class=\"price\">{{total}}</td>\n" +
+  "  <td data-label=\"Qty\">{{qty}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Unit\">{{unit}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Total\">{{total}}</td>\n" +
   "</tr>\n";
 
 // Editable cart line — shown on the /cart page. Includes an inline
@@ -1536,14 +1536,14 @@ var CART_LINE_EDITABLE =
   "      </span>\n" +
   "    </a>\n" +
   "  </td>\n" +
-  "  <td class=\"cart-line__qty\">\n" +
+  "  <td class=\"cart-line__qty\" data-label=\"Qty\">\n" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/update\" class=\"cart-line__update\">\n" +
-  "      <input type=\"number\" name=\"qty\" value=\"{{qty}}\" min=\"1\" max=\"99\" class=\"cart-line__qty-input\" aria-label=\"Quantity\">\n" +
-  "      <button type=\"submit\" class=\"cart-line__btn\">Update</button>\n" +
+  "      <input type=\"number\" name=\"qty\" value=\"{{qty}}\" min=\"1\" max=\"99999\" class=\"cart-line__qty-input\" aria-label=\"Quantity\">\n" +
+  "      <button type=\"submit\" class=\"cart-line__btn cart-line__btn--update\">Update</button>\n" +
   "    </form>\n" +
   "  </td>\n" +
-  "  <td class=\"price\">{{unit}}</td>\n" +
-  "  <td class=\"price\">{{total}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Price\">{{unit}}</td>\n" +
+  "  <td class=\"price\" data-label=\"Total\">{{total}}</td>\n" +
   "  <td class=\"cart-line__remove-cell\">\n" +
   "    RAW_CART_LINE_SAVE" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/remove\">\n" +
@@ -1691,7 +1691,7 @@ var ORDER_PAGE =
   "    <div class=\"order-page__items\">\n" +
   "      <h2 class=\"pdp__variants-title\">Items</h2>\n" +
   "      <div class=\"table-scroll\">\n" +
-  "        <table>\n" +
+  "        <table class=\"cart-table\">\n" +
   "          <thead><tr><th>Product</th><th>Qty</th><th>Unit</th><th>Total</th></tr></thead>\n" +
   "          <tbody>{{line_rows}}</tbody>\n" +
   "        </table>\n" +
@@ -2082,7 +2082,6 @@ function renderNotFound(opts) {
 // — it's a routing key, not an authentication token. The cart itself
 // transitions to `customer_id` on login via cart.setCustomer.
 var SESSION_COOKIE_NAME = "shop_sid";
-var SESSION_COOKIE_MAX  = 60 * 60 * 24 * 30;   // 30 days
 
 // Authenticated-customer cookie — carries an opaque sealed envelope
 // `{ customer_id, exp }`, AEAD-encrypted via b.vault.seal so the
@@ -2092,79 +2091,85 @@ var SESSION_COOKIE_MAX  = 60 * 60 * 24 * 30;   // 30 days
 // rotated vault invalidates every outstanding auth cookie (operator-
 // initiated logout-everywhere).
 var AUTH_COOKIE_NAME    = "shop_auth";
-var AUTH_COOKIE_MAX     = 60 * 60 * 24 * 14;       // 14 days
-var AUTH_TTL_MS         = 14 * 24 * 60 * 60 * 1000;
 
 // WebAuthn ceremony state cookie — short-lived envelope holding the
 // random challenge + the ceremony-scoped metadata so register-finish /
 // login-finish can verify the same challenge the browser was sent.
 // Path-scoped to /account so it never leaks to other routes.
 var CHALLENGE_COOKIE_NAME = "shop_auth_chal";
-var CHALLENGE_COOKIE_MAX  = 5 * 60;                // 5 minutes
 
-function _readSidCookie(req) {
-  var raw = (req.headers && (req.headers.cookie || req.headers.Cookie)) || "";
-  if (!raw) return null;
-  var parts = raw.split(";");
-  for (var i = 0; i < parts.length; i += 1) {
-    var p = parts[i].trim();
-    var eq = p.indexOf("=");
-    if (eq <= 0) continue;
-    if (p.slice(0, eq) === SESSION_COOKIE_NAME) {
-      var v = p.slice(eq + 1);
-      // Cookie values are URL-encoded.
-      try { return decodeURIComponent(v); } catch (_e) { return null; }
-    }
+// Short-lived cookie carrying the Stripe PaymentIntent client_secret
+// from POST /checkout to GET /pay/:order_id. Path-scoped to /pay/ +
+// SameSite=Strict so it's only ever sent to the pay route.
+var PAY_COOKIE_NAME = "shop_pay";
+
+// Shape of a valid session id — mirrors cart.js's SESSION_ID_RE.
+var SID_SHAPE_RE = /^[A-Za-z0-9_-]{16,64}$/;
+
+// All cookie transport composes the framework's cookie primitive
+// (`b.cookies`) — RFC 6265 parse/serialize, prefix invariants, and the
+// vault-sealed read/write helpers — rather than hand-built Set-Cookie
+// strings and manual header splitting. The jar is memoized; it only
+// captures the vault reference (seal/unseal run lazily per call), so
+// building it before vault.init() has completed is safe.
+var _jar = null;
+function _cookieJar() {
+  if (!_jar) {
+    _jar = _b().cookies.create({
+      vault:    _b().vault,
+      defaults: { httpOnly: true, secure: true, sameSite: "Lax", path: "/" },
+    });
   }
-  return null;
-}
-
-function _setSidCookie(res, sid) {
-  var attrs = "Max-Age=" + SESSION_COOKIE_MAX + "; Path=/; HttpOnly; Secure; SameSite=Lax";
-  var header = SESSION_COOKIE_NAME + "=" + encodeURIComponent(sid) + "; " + attrs;
-  if (typeof res.appendHeader === "function") res.appendHeader("Set-Cookie", header);
-  else if (typeof res.setHeader === "function") res.setHeader("Set-Cookie", header);
+  return _jar;
 }
 
 function _readCookie(req, name) {
-  var raw = (req.headers && (req.headers.cookie || req.headers.Cookie)) || "";
-  if (!raw) return null;
-  var parts = raw.split(";");
-  for (var i = 0; i < parts.length; i += 1) {
-    var p = parts[i].trim();
-    var eq = p.indexOf("=");
-    if (eq <= 0) continue;
-    if (p.slice(0, eq) === name) {
-      try { return decodeURIComponent(p.slice(eq + 1)); }
-      catch (_e) { return null; }
-    }
-  }
-  return null;
+  return _cookieJar().read(req, name);
 }
 
-function _appendCookie(res, header) {
-  if (typeof res.appendHeader === "function") res.appendHeader("Set-Cookie", header);
-  else if (typeof res.setHeader === "function") res.setHeader("Set-Cookie", header);
+function _readSidCookie(req) {
+  // A cookie carrying anything but a well-shaped session id (a stale
+  // value from an old deploy, a tampered cookie, garbage) reads as "no
+  // session" rather than reaching cart.bySession — which throws on a
+  // malformed id and would turn every page that renders the cart count
+  // into a 500. The cookie grants zero authority, so dropping a
+  // malformed one silently is safe.
+  var v = _cookieJar().read(req, SESSION_COOKIE_NAME);
+  return v && SID_SHAPE_RE.test(v) ? v : null;
 }
 
-function _setAuthCookie(res, sealed) {
-  var attrs = "Max-Age=" + AUTH_COOKIE_MAX + "; Path=/; HttpOnly; Secure; SameSite=Lax";
-  _appendCookie(res, AUTH_COOKIE_NAME + "=" + encodeURIComponent(sealed) + "; " + attrs);
+function _setSidCookie(res, sid) {
+  var T = _b().constants.TIME;
+  _cookieJar().write(res, SESSION_COOKIE_NAME, sid, { expires: new Date(Date.now() + T.days(30)) });
 }
 
+// Auth + WebAuthn-challenge cookies carry a vault-sealed JSON envelope.
+// writeSealed/readSealed handle the seal + the on-wire prefix; the
+// caller works in plain objects.
+function _setAuthCookie(res, env) {
+  var T = _b().constants.TIME;
+  _cookieJar().writeSealed(res, AUTH_COOKIE_NAME, JSON.stringify(env), { expires: new Date(Date.now() + T.days(14)) });
+}
 function _clearAuthCookie(res) {
-  _appendCookie(res,
-    AUTH_COOKIE_NAME + "=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax");
+  _cookieJar().clear(res, AUTH_COOKIE_NAME);
 }
-
-function _setChallengeCookie(res, sealed) {
-  var attrs = "Max-Age=" + CHALLENGE_COOKIE_MAX + "; Path=/account; HttpOnly; Secure; SameSite=Lax";
-  _appendCookie(res, CHALLENGE_COOKIE_NAME + "=" + encodeURIComponent(sealed) + "; " + attrs);
+function _readAuthEnv(req) {
+  var raw = _cookieJar().readSealed(req, AUTH_COOKIE_NAME);
+  if (raw === null) return null;
+  try { return JSON.parse(raw); } catch (_e) { return null; }
 }
 
+function _setChallengeCookie(res, env) {
+  var T = _b().constants.TIME;
+  _cookieJar().writeSealed(res, CHALLENGE_COOKIE_NAME, JSON.stringify(env), { expires: new Date(Date.now() + T.minutes(5)), path: "/account" });
+}
 function _clearChallengeCookie(res) {
-  _appendCookie(res,
-    CHALLENGE_COOKIE_NAME + "=; Max-Age=0; Path=/account; HttpOnly; Secure; SameSite=Lax");
+  _cookieJar().clear(res, CHALLENGE_COOKIE_NAME, { path: "/account" });
+}
+function _readChallengeEnv(req) {
+  var raw = _cookieJar().readSealed(req, CHALLENGE_COOKIE_NAME);
+  if (raw === null) return null;
+  try { return JSON.parse(raw); } catch (_e) { return null; }
 }
 
 // ---- account-page renderers --------------------------------------------
@@ -2303,10 +2308,10 @@ var ACCOUNT_DASH_PAGE =
 
 var ACCOUNT_DASH_ORDER_ROW =
   "<tr>\n" +
-  "  <td><a href=\"/orders/{{order_id}}\" class=\"account-order__id\"><code>{{order_id_short}}</code></a></td>\n" +
-  "  <td class=\"account-order__items\">RAW_ACCOUNT_ORDER_THUMBS</td>\n" +
-  "  <td><span class=\"pdp__badge {{status_class}}\">{{status}}</span></td>\n" +
-  "  <td class=\"price\">{{total}}</td>\n" +
+  "  <td data-label=\"Order\"><a href=\"/orders/{{order_id}}\" class=\"account-order__id\"><code>{{order_id_short}}</code></a></td>\n" +
+  "  <td class=\"account-order__items\" data-label=\"Items\">RAW_ACCOUNT_ORDER_THUMBS</td>\n" +
+  "  <td data-label=\"Status\"><span class=\"pdp__badge {{status_class}}\">{{status}}</span></td>\n" +
+  "  <td class=\"price\" data-label=\"Total\">{{total}}</td>\n" +
   "</tr>\n";
 
 function renderAccount(opts) {
@@ -2407,7 +2412,7 @@ function mount(router, deps) {
   // so the /admin landing + the onNotFound 404 handler (mounted
   // outside the `if (deps.customers)` block below) can reach it.
   async function _cartCountForReq(req) {
-    var sid = _readCookie(req, SESSION_COOKIE_NAME);
+    var sid = _readSidCookie(req);
     if (!sid) return 0;
     var c = await deps.cart.bySession(sid);
     if (!c) return 0;
@@ -2421,10 +2426,7 @@ function mount(router, deps) {
   // reader rather than a copy per call site. A missing / malformed /
   // expired cookie returns null — never throws.
   function _currentCustomerEnv(req) {
-    var raw = _readCookie(req, AUTH_COOKIE_NAME);
-    if (!raw) return null;
-    var env;
-    try { env = JSON.parse(_b().vault.unseal(raw)); } catch (_e) { return null; }
+    var env = _readAuthEnv(req);
     if (!env || !env.customer_id || !env.exp || env.exp < Date.now()) return null;
     return env;
   }
@@ -2775,11 +2777,11 @@ function mount(router, deps) {
           idempotency_key:      "checkout:" + c.id + ":" + _b().uuid.v7(),
         });
         // Set a short-lived pay cookie so /pay/:order_id can serve the
-        // client_secret without re-running confirm.
-        var payCookie = "shop_pay=" + encodeURIComponent(result.payment_intent.client_secret) +
-          "; Max-Age=900; Path=/pay/; HttpOnly; Secure; SameSite=Strict";
-        if (res.appendHeader)      res.appendHeader("Set-Cookie", payCookie);
-        else if (res.setHeader)    res.setHeader("Set-Cookie", payCookie);
+        // client_secret without re-running confirm. Scoped to /pay/ +
+        // SameSite=Strict so it's only ever sent to the pay route.
+        _cookieJar().write(res, PAY_COOKIE_NAME, result.payment_intent.client_secret, {
+          expires: new Date(Date.now() + _b().constants.TIME.minutes(15)), path: "/pay/", sameSite: "Strict",
+        });
         res.status(303);
         res.setHeader && res.setHeader("location", "/pay/" + result.order.id);
         return res.end ? res.end() : res.send("");
@@ -2798,14 +2800,7 @@ function mount(router, deps) {
       // Read the client_secret from the shop_pay cookie set on POST
       // /checkout. The cookie is scoped Path=/pay/ + SameSite=Strict
       // so it's only sent to the pay route and never cross-origin.
-      var rawCookies = (req.headers && (req.headers.cookie || req.headers.Cookie)) || "";
-      var clientSecret = null;
-      rawCookies.split(";").forEach(function (p) {
-        var t = p.trim();
-        if (t.indexOf("shop_pay=") === 0) {
-          try { clientSecret = decodeURIComponent(t.slice("shop_pay=".length)); } catch (_e) { /* drop */ }
-        }
-      });
+      var clientSecret = _readCookie(req, PAY_COOKIE_NAME);
       if (!clientSecret) {
         res.status(303); res.setHeader && res.setHeader("location", "/cart");
         return res.end ? res.end() : res.send("");
@@ -2871,16 +2866,6 @@ function mount(router, deps) {
       return _b().crypto.toBase64Url(buf);
     }
 
-    function _sealEnvelope(obj) {
-      return _b().vault.seal(JSON.stringify(obj));
-    }
-    function _unsealEnvelope(s) {
-      try {
-        var raw = _b().vault.unseal(s);
-        return JSON.parse(raw);
-      } catch (_e) { return null; }
-    }
-
     function _currentCustomer(req) {
       return _currentCustomerEnv(req);
     }
@@ -2940,13 +2925,12 @@ function mount(router, deps) {
         // Seal the ceremony state (challenge + customer_id) into the
         // shop_auth_chal cookie so register-finish verifies against
         // the same challenge without server-side state.
-        var sealed = _sealEnvelope({
+        _setChallengeCookie(res, {
           kind:           "register",
           customer_id:    customer.id,
           challenge:      startOpts.challenge,
           created_at:     Date.now(),
         });
-        _setChallengeCookie(res, sealed);
         res.status(200);
         res.setHeader && res.setHeader("content-type", "application/json");
         return res.end ? res.end(JSON.stringify(startOpts)) : res.send(JSON.stringify(startOpts));
@@ -2959,10 +2943,9 @@ function mount(router, deps) {
 
     router.post("/account/passkey/register-finish", async function (req, res) {
       try {
-        var rawCookie = _readCookie(req, CHALLENGE_COOKIE_NAME);
-        if (!rawCookie) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
-        var env = _unsealEnvelope(rawCookie);
-        if (!env || env.kind !== "register") {
+        var env = _readChallengeEnv(req);
+        if (!env) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
+        if (env.kind !== "register") {
           res.status(400); return res.end ? res.end("bad challenge") : res.send("bad challenge");
         }
         var att = _readJsonBody(req);
@@ -2991,10 +2974,10 @@ function mount(router, deps) {
           transports:    transports,
         });
         _clearChallengeCookie(res);
-        _setAuthCookie(res, _sealEnvelope({
+        _setAuthCookie(res, {
           customer_id: env.customer_id,
-          exp:         Date.now() + AUTH_TTL_MS,
-        }));
+          exp:         Date.now() + _b().constants.TIME.days(14),
+        });
         res.status(200);
         return res.end ? res.end("ok") : res.send("ok");
       } catch (e) {
@@ -3029,13 +3012,12 @@ function mount(router, deps) {
           allowCredentials:     allow,
           userVerification:     "preferred",
         });
-        var sealed = _sealEnvelope({
+        _setChallengeCookie(res, {
           kind:        "login",
           email_hash:  hash,
           challenge:   startOpts.challenge,
           created_at:  Date.now(),
         });
-        _setChallengeCookie(res, sealed);
         res.status(200);
         res.setHeader && res.setHeader("content-type", "application/json");
         return res.end ? res.end(JSON.stringify(startOpts)) : res.send(JSON.stringify(startOpts));
@@ -3048,10 +3030,9 @@ function mount(router, deps) {
 
     router.post("/account/passkey/login-finish", async function (req, res) {
       try {
-        var rawCookie = _readCookie(req, CHALLENGE_COOKIE_NAME);
-        if (!rawCookie) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
-        var env = _unsealEnvelope(rawCookie);
-        if (!env || env.kind !== "login") { res.status(400); return res.end ? res.end("bad challenge") : res.send("bad challenge"); }
+        var env = _readChallengeEnv(req);
+        if (!env) { res.status(400); return res.end ? res.end("missing challenge") : res.send("missing challenge"); }
+        if (env.kind !== "login") { res.status(400); return res.end ? res.end("bad challenge") : res.send("bad challenge"); }
         var assertion = _readJsonBody(req);
         var credentialId = assertion.id || assertion.rawId;
         if (!credentialId) { res.status(400); return res.end ? res.end("missing credential id") : res.send("missing credential id"); }
@@ -3090,7 +3071,7 @@ function mount(router, deps) {
         }
         // Merge the anonymous cart into a customer-owned cart so
         // the shopper doesn't lose items on sign-in.
-        var sid = _readCookie(req, SESSION_COOKIE_NAME);
+        var sid = _readSidCookie(req);
         if (sid) {
           try {
             var anonCart = await deps.cart.bySession(sid);
@@ -3098,10 +3079,10 @@ function mount(router, deps) {
           } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
         }
         _clearChallengeCookie(res);
-        _setAuthCookie(res, _sealEnvelope({
+        _setAuthCookie(res, {
           customer_id: customer.id,
-          exp:         Date.now() + AUTH_TTL_MS,
-        }));
+          exp:         Date.now() + _b().constants.TIME.days(14),
+        });
         res.status(200);
         return res.end ? res.end("ok") : res.send("ok");
       } catch (e) {

package/lib/subscription-analytics.js

@@ -162,10 +162,15 @@
 
 // ---- constants ----------------------------------------------------------
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var CACHE_NAMESPACE = "subscription-analytics-cache";
 
-var DEFAULT_TTL_MS  = 5 * 60 * 1000;            // 5 minutes
-var ONE_DAY_MS      = 24 * 60 * 60 * 1000;
+var DEFAULT_TTL_MS  = C.TIME.minutes(5);        // 5 minutes
+var ONE_DAY_MS      = C.TIME.days(1);
 var ONE_YEAR_MS     = 365 * ONE_DAY_MS;
 var DEFAULT_LTV_WINDOW_MS = 90 * ONE_DAY_MS;
 

package/lib/subscription-controls.js

@@ -55,6 +55,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -89,12 +90,12 @@ var FREQUENCIES = [
 // step skipNext / changeFrequency surface; a calendar-accurate
 // scheduler is out of scope for v1.
 var PERIOD_MS = Object.freeze({
-  weekly:      7  * 24 * 60 * 60 * 1000,
-  biweekly:    14 * 24 * 60 * 60 * 1000,
-  monthly:     30 * 24 * 60 * 60 * 1000,
-  quarterly:   90 * 24 * 60 * 60 * 1000,
-  semiannual:  182 * 24 * 60 * 60 * 1000,
-  annual:      365 * 24 * 60 * 60 * 1000,
+  weekly:      C.TIME.days(7),
+  biweekly:    C.TIME.days(14),
+  monthly:     C.TIME.days(30),
+  quarterly:   C.TIME.days(90),
+  semiannual:  C.TIME.days(182),
+  annual:      C.TIME.days(365),
 });
 
 // Plan-interval → frequency fallback. When the row has no `frequency`
@@ -115,7 +116,7 @@ function _frequencyFromPlan(plan) {
   return "monthly";
 }
 
-var REACTIVATE_GRACE_MS  = 90 * 24 * 60 * 60 * 1000;
+var REACTIVATE_GRACE_MS  = C.TIME.days(90);
 var MAX_REASON_LEN       = 280;
 var MAX_SKIP_COUNT       = 12;
 var MAX_QUANTITY         = 1000000;
@@ -599,7 +600,7 @@ function create(opts) {
       if (now - row.cancelled_at > REACTIVATE_GRACE_MS) {
         var gErr = new Error(
           "subscriptionControls.reactivate: refused — cancellation is older than the " +
-          (REACTIVATE_GRACE_MS / (24 * 60 * 60 * 1000)) + "-day grace window"
+          (REACTIVATE_GRACE_MS / C.TIME.days(1)) + "-day grace window"
         );
         gErr.code = "SUBSCRIPTION_REACTIVATE_GRACE_EXPIRED";
         throw gErr;

package/lib/subscription-gifts.js

@@ -72,6 +72,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -94,7 +95,7 @@ var MAX_LIST_LIMIT     = 200;
 var DEFAULT_LIST_LIMIT = 50;
 // Default redemption window: 365 days. Operators wanting a different
 // horizon pass `expires_at_ms` (absolute) at purchase time.
-var DEFAULT_EXPIRY_MS  = 365 * 86400 * 1000;
+var DEFAULT_EXPIRY_MS  = C.TIME.days(365);
 
 // ---- validators ---------------------------------------------------------
 

package/lib/subscriptions.js

@@ -214,7 +214,9 @@ function _extractFromStripeObject(obj) {
   // Stripe nests current_period_start/_end at the top level when the
   // event is `customer.subscription.*`. Both are unix seconds; we
   // store epoch ms.
+  // allow:raw-time-literal — Stripe sends unix SECONDS; the * 1000 converts a runtime field to epoch ms, not a fixed duration
   var periodStart = obj && obj.current_period_start != null ? obj.current_period_start * 1000 : null;
+  // allow:raw-time-literal — Stripe sends unix SECONDS; the * 1000 converts a runtime field to epoch ms, not a fixed duration
   var periodEnd   = obj && obj.current_period_end   != null ? obj.current_period_end   * 1000 : null;
   return {
     stripe_subscription_id: obj && obj.id,

package/lib/support-tickets.js

@@ -75,10 +75,10 @@ var ALLOWED_STATUSES   = [
 // ticket is considered breached. Closed / resolved tickets never
 // breach. Drives `slaCheck()` for the scheduler.
 var SLA_MS = {
-  urgent: 1   * 3600 * 1000,
-  high:   4   * 3600 * 1000,
-  normal: 24  * 3600 * 1000,
-  low:    72  * 3600 * 1000,
+  urgent: _b().constants.TIME.hours(1),
+  high:   _b().constants.TIME.hours(4),
+  normal: _b().constants.TIME.hours(24),
+  low:    _b().constants.TIME.hours(72),
 };
 
 // FSM. Encoded as an explicit allow-list keyed by from-state. Every

package/lib/tax-cert-renewals.js

@@ -71,6 +71,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var JURISDICTION_RE = /^[A-Z]{2}(-[A-Z0-9]{1,3})?$/;
 var SLUG_RE         = /^[a-z0-9](?:[a-z0-9._-]{0,126}[a-z0-9])?$/;
@@ -81,7 +82,7 @@ var MAX_ESCALATE_DAYS     = 365;
 var MAX_ESCALATED_TO_LEN  = 256;
 var DEFAULT_CHANNELS      = Object.freeze(["email"]);
 
-var DAY_MS = 86400000;
+var DAY_MS = C.TIME.days(1);
 
 var STATUSES = Object.freeze(["queued", "sent", "escalated", "renewed", "expired"]);
 

package/lib/tax-remittance.js

@@ -90,6 +90,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -107,7 +108,7 @@ var MAX_PENALTY_REASON_LEN  = 1000;
 
 var DEFAULT_DAYS_LATE_MIN   = 1;
 var MAX_DAYS_LATE_MIN       = 3650;            // ~10 years
-var MS_PER_DAY              = 24 * 60 * 60 * 1000;
+var MS_PER_DAY              = C.TIME.days(1);
 
 var CONTROL_BYTE_RE         = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
 

package/lib/theme-assets.js

@@ -137,7 +137,7 @@ var ZERO_WIDTH_RE = new RegExp(
   "[\\u200B-\\u200F\\u202A-\\u202E\\u2060-\\u2064\\u2066-\\u2069\\uFEFF\\u061C]"
 );
 
-var MS_PER_DAY = 86400000;
+var MS_PER_DAY = _b().constants.TIME.days(1);
 
 var bShop;
 function _b() {

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.40",
-      "tag": "v0.12.40",
+      "version": "0.12.41",
+      "tag": "v0.12.41",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.41 (2026-05-24) — **`b.did` — W3C DID resolution (did:key + did:web) feeding the credential verifiers.** Resolve W3C Decentralized Identifiers (DID Core 1.0) to verification keys — the link that lets a credential's issuer be named by a DID rather than a raw key. Resolve the issuer DID of a b.vc / b.mdoc / b.scitt credential to a node:crypto KeyObject and hand it to the verifier. did:key encodes the public key in the identifier (multicodec + base58btc), so resolution is deterministic and offline — Ed25519, P-256, P-384, and secp256k1 round-trip; did:web places the DID document at an HTTPS URL derived from the identifier, with the network fetch left to the operator (the framework parses the operator-fetched document and extracts its verification methods, as publicKeyMultibase or publicKeyJwk). b.did.keyToDid encodes a KeyObject as a did:key (an issuer naming itself), b.did.parse splits the identifier (and returns the did:web URL to fetch), and b.did.resolve returns the document and verification keys. DID Core 1.0 is a W3C Recommendation; the method specs (did:key W3C CCG report, did:web DID method registry — EUDI-mandated) are deployed-stable. Composes node:crypto; no new runtime dependency. **Added:** *`b.did.resolve(did, opts?)` / `b.did.keyToDid(publicKey)` / `b.did.parse(did)`* — `resolve` returns `{ didDocument, verificationMethods: [{ id, controller, type, publicKey }] }` with each `publicKey` a `node:crypto` KeyObject ready for `b.vc.verify` / `b.mdoc.verifyIssuerSigned` / `b.scitt.verifyStatement`. did:key resolves deterministically and offline (base58btc + multicodec → Ed25519 raw key or EC compressed point, rebuilt via SPKI); did:web requires the operator to pass the fetched DID document as `opts.document` (the URL to GET is on `b.did.parse(did).url`) and the document `id` must match the requested DID. A publicKeyJwk in a DID document is imported only after its `kty`/`crv` is allowlisted (Ed25519 / P-256 / P-384 / secp256k1) — an unexpected key type from an untrusted document is refused, not blindly imported. `keyToDid` encodes an Ed25519 / P-256 / P-384 / secp256k1 KeyObject as a did:key; `parse` derives the did:web HTTPS URL (`host[:port][:path]` → `https://host/path/did.json`, or `/.well-known/did.json`). Unknown methods, malformed base58, unsupported multicodec codes, and unsupported key types are each refused.
+
 - v0.12.40 (2026-05-24) — **`b.mdoc` — ISO 18013-5 mdoc / mDL issuer-data verification.** Verify the issuer-signed data of an ISO/IEC 18013-5 mdoc — the credential format behind mobile driving licences (mDL) and the ISO track of the EU Digital Identity Wallet. This is the relying-party side: confirm that the data elements a holder presents were signed by the issuer and have not been altered. An mdoc's IssuerSigned carries the disclosed data elements and an issuerAuth that is a COSE_Sign1 (b.cose) over a Mobile Security Object (MSO) holding a per-element digest. b.mdoc.verifyIssuerSigned verifies the COSE signature with the issuer certificate from the COSE x5chain header, parses the MSO, enforces its validityInfo window, and recomputes each disclosed element's digest (the full Tag-24 IssuerSignedItemBytes) to match it against the MSO constant-time — the integrity check that makes selective disclosure trustworthy. An absent or mismatched digest is refused. Signing algorithms follow b.cose verification (the classical ES256/384/512 + EdDSA that real mDL issuers use; the caller names the allowlist); opts.trustAnchorsPem additionally verifies the issuer certificate chain. This completes the credential trio alongside W3C VCDM (b.vc) and IETF SD-JWT VC (b.auth.sdJwtVc). Composes b.cose + b.cbor; no new runtime dependency. **Added:** *`b.mdoc.verifyIssuerSigned(issuerSigned, opts)`* — Takes the CBOR `IssuerSigned` map (the operator extracts it from the device response / QR) and returns `{ docType, version, digestAlgorithm, validityInfo, namespaces, signerCert, alg }`. Verifies the COSE_Sign1 `issuerAuth` against the mandatory `opts.algorithms` allowlist using the issuer certificate from its `x5chain` (label 33) header; parses the Tag-24 Mobile Security Object; enforces the MSO `validityInfo` window against `opts.at` (default now; must be a valid Date; malformed dates fail closed); and recomputes the digest of every disclosed `IssuerSignedItem` (over the full Tag-24 bytes, with the MSO `digestAlgorithm` — SHA-256/384/512) to match the MSO `valueDigests` constant-time — an absent or mismatched digest is refused with `mdoc/digest-mismatch`. `opts.expectedDocType` pins the document type; `opts.trustAnchorsPem` (a PEM string or array) additionally verifies the issuer certificate chain and validity at the asserted time. A malformed `x5chain` certificate is refused with a clean `mdoc/bad-cert`. The mdoc device-authentication half (the SessionTranscript-bound holder-binding proof) is a presentation-protocol concern and is not part of issuer-data verification.
 
 - v0.12.39 (2026-05-24) — **`b.vc` — W3C Verifiable Credentials 2.0 (issue / verify, JOSE + COSE securing).** Issue and verify W3C Verifiable Credentials (VC Data Model 2.0, a W3C Recommendation) secured per Securing Verifiable Credentials using JOSE and COSE (VC-JOSE-COSE, also a W3C Recommendation, May 2025). A verifiable credential is a tamper-evident, signed set of claims an issuer makes about a subject — a diploma, a membership, a license, an age assertion. Two securing mechanisms are supported, both signing the credential itself (no JWT/CWT claims wrapper): JOSE produces a compact JWS with the vc+jwt media type, signed with ES256/384/512 or EdDSA; COSE produces a COSE_Sign1 (application/vc+cose) over b.cose, which also accepts ML-DSA-87 for PQC-forward deployments. b.vc.verify auto-detects the form from the input, requires an algorithm allowlist, always refuses the JOSE none algorithm, re-checks the VCDM 2.0 structural rules, and enforces the validFrom / validUntil window. This is the W3C credential model, distinct from the IETF SD-JWT VC already at b.auth.sdJwtVc. Composes b.cose; no new runtime dependency. **Added:** *`b.vc.issue(credential, opts)` / `b.vc.verify(secured, opts)`* — `issue` validates the credential against the VCDM 2.0 structural rules (the `credentials/v2` context first, a `VerifiableCredential` type, an issuer, a credential subject) and signs it: `securing: "jose"` returns a compact JWS string (`typ` header `vc+jwt`), `securing: "cose"` returns COSE_Sign1 bytes (`typ` header `application/vc+cose`, content type `application/vc`) via `b.cose`. The credential is the exact signed payload — no JWT/CWT claims are injected. `verify` auto-detects the securing form from the input (compact-JWS string vs. COSE_Sign1 bytes), verifies the signature against the mandatory `opts.algorithms` allowlist (the JOSE `none` algorithm is always refused), re-checks the structural rules, enforces the `validFrom` / `validUntil` window against `opts.at` (default now; must be a valid Date), and optionally matches `opts.expectedIssuer` against the credential issuer id. Returns `{ credential, securing, alg, issuer }`.

package/lib/vendor/blamejs/README.md

@@ -133,6 +133,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Trusted timestamping** — `b.tsa` RFC 3161 timestamp client: `buildRequest` a TimeStampReq, `parseResponse`, and `verifyToken` against your data — the message imprint, sent nonce, critical/sole `id-kp-timeStamping` EKU, and CMS signature are all checked, with optional certificate-chain verification. Timestamp a release artifact, audit checkpoint, or signed statement against any RFC 3161 TSA. Composes `b.cms` + the in-tree ASN.1 DER codec
 - **Verifiable Credentials** — `b.vc` W3C Verifiable Credentials Data Model 2.0 (VC-JOSE-COSE): `issue` / `verify` a signed credential as a compact JWS (`vc+jwt`, ES256/384/512 + EdDSA) or a COSE_Sign1 (`vc+cose`, + ML-DSA-87) over `b.cose`. VCDM structural + `validFrom`/`validUntil` checks; the JOSE `none` algorithm is always refused. The W3C model, distinct from the IETF SD-JWT VC at `b.auth.sdJwtVc`
 - **Mobile credentials (mDL)** — `b.mdoc` ISO/IEC 18013-5 issuer-data verification: `verifyIssuerSigned` checks the COSE_Sign1 IssuerAuth (issuer cert from the `x5chain` header), the Mobile Security Object validity window, and every disclosed element's digest against the MSO `valueDigests` (the selective-disclosure integrity check), with optional issuer-chain verification. The ISO credential ecosystem alongside `b.vc` and `b.auth.sdJwtVc`. Composes `b.cose` + `b.cbor`
+- **Decentralized Identifiers** — `b.did` W3C DID resolution (DID Core 1.0): `resolve` a `did:key` (deterministic, offline — Ed25519 / P-256 / P-384 / secp256k1) or `did:web` (operator-fetched document) to `node:crypto` verification keys, so a credential's issuer DID resolves to the key that verifies it (`b.vc` / `b.mdoc` / `b.scitt`). `keyToDid` names a key as a `did:key`; document JWKs are kty/crv-allowlisted before import
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)
 - **File-type detection** — `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.)
 ### Content-safety gates