@blamejs/blamejs-shop 0.0.129 → 0.1.1

package/lib/clickstream.js

@@ -98,6 +98,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -124,8 +125,8 @@ var MAX_FUNNEL_STEPS    = 16;
 var MAX_CLEANUP_DAYS    = 365 * 5;
 var MIN_CLEANUP_DAYS    = 1;
 
-var ONE_YEAR_MS         = 365 * 24 * 60 * 60 * 1000;
-var DEFAULT_WINDOW_MS   = 30  * 24 * 60 * 60 * 1000;
+var ONE_YEAR_MS         = C.TIME.days(365);
+var DEFAULT_WINDOW_MS   = C.TIME.days(30);
 
 // Raw-PII shapes refused at every write site (mirrors the analytics
 // guard). A hashed identifier is hex / base64url and never trips
@@ -679,7 +680,7 @@ function create(opts) {
         throw new TypeError("clickstream.cleanupOlderThan: days must be an integer in [" +
                             MIN_CLEANUP_DAYS + ", " + MAX_CLEANUP_DAYS + "]");
       }
-      var cutoff = Date.now() - (days * 24 * 60 * 60 * 1000);
+      var cutoff = Date.now() - (days * C.TIME.days(1));
       var pv = await query(
         "DELETE FROM clickstream_pageviews WHERE occurred_at < ?1",
         [cutoff],

package/lib/config.js

@@ -31,9 +31,10 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var KEY_RE         = /^[a-z][a-z0-9._]{0,63}$/;
-var CACHE_TTL_MS   = 30 * 1000;
+var CACHE_TTL_MS   = C.TIME.seconds(30);
 var MAX_VALUE_LEN  = 64 * 1024;       // 64 KiB — fits even a long jurisdiction table
 
 function _validateKey(k) {

package/lib/cookie-consent.js

@@ -149,6 +149,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- validators --------------------------------------------------------
 
@@ -572,7 +573,7 @@ function create(opts) {
     // out the same way an active one does.
     cleanupOlderThan: async function (days) {
       _positiveInt(days, "days");
-      var cutoff = _now() - (days * 86400 * 1000);
+      var cutoff = _now() - (days * C.TIME.days(1));
       // The subquery picks the freshest row for each
       // `session_id_hash`; the outer DELETE removes every row older
       // than the cutoff that isn't on that survivor list.

package/lib/credit-limits.js

@@ -95,6 +95,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var BILLING_CYCLES = ["weekly", "biweekly", "monthly"];
 var STATUSES       = ["active", "suspended", "closed"];
@@ -106,7 +107,7 @@ var MAX_REF_LEN = 128;
 // injection cover has no legitimate place in a one-line column.
 var PRINTABLE_RE = /^[^\x00-\x1f\x7f]*$/;
 
-var MS_PER_DAY = 86400 * 1000;
+var MS_PER_DAY = C.TIME.days(1);
 
 // Aging buckets. The boundary days are reported as part of the
 // agingReport return shape so downstream invoice rendering doesn't

package/lib/currency-display.js

@@ -56,9 +56,10 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var CURRENCY_RE = /^[A-Z]{3}$/;
-var DEFAULT_TTL_MS = 24 * 60 * 60 * 1000;
+var DEFAULT_TTL_MS = C.TIME.days(1);
 var DEFAULT_SUPPORTED = [
   "USD", "EUR", "GBP", "JPY", "CAD", "AUD", "CHF",
   "SEK", "NOK", "DKK", "NZD", "INR", "BRL", "MXN",

package/lib/customer-activity.js

@@ -95,6 +95,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -103,7 +104,7 @@ var DEFAULT_LIMIT     = 50;
 var MAX_INACTIVE_LIMIT = 500;
 var DEFAULT_INACTIVE_LIMIT = 100;
 
-var MS_PER_DAY = 86400000;
+var MS_PER_DAY = C.TIME.days(1);
 var WINDOW_30D  = 30 * MS_PER_DAY;
 var WINDOW_90D  = 90 * MS_PER_DAY;
 var WINDOW_365D = 365 * MS_PER_DAY;
@@ -111,7 +112,7 @@ var WINDOW_365D = 365 * MS_PER_DAY;
 // Cache freshness window. summarize() returns the cached row when
 // computed_at is within this window AND no source has a newer event
 // than last_activity_at. Same posture as order-timeline's cache.
-var CACHE_TTL_MS = 5 * 60 * 1000;
+var CACHE_TTL_MS = C.TIME.minutes(5);
 
 // Order-FSM events → canonical English titles. Events not in this
 // map fall through with the raw event name as the title.

package/lib/customer-impersonation.js

@@ -137,9 +137,9 @@
 
 var TOKEN_NAMESPACE         = "customer-impersonation-token";
 var TOKEN_BYTES             = 32;
-var DEFAULT_TTL_SECONDS     = 60 * 60;                  // 60-minute default
+var DEFAULT_TTL_SECONDS     = 60 * 60;                  // allow:raw-time-literal — seconds value; C.TIME returns ms (60-minute default)
 var MIN_TTL_SECONDS         = 60;                       // refuse sub-minute
-var MAX_TTL_SECONDS         = 8 * 60 * 60;              // hard ceiling — eight hours
+var MAX_TTL_SECONDS         = 8 * 60 * 60;              // allow:raw-time-literal — seconds value; C.TIME returns ms (hard ceiling — eight hours)
 var MAX_REASON_LEN          = 280;
 var MAX_END_REASON_LEN      = 280;
 var MAX_ENDED_BY_LEN        = 64;
@@ -348,7 +348,7 @@ function create(opts) {
       var tokenHash = _b().crypto.namespaceHash(TOKEN_NAMESPACE, plaintext);
       var id        = _b().uuid.v7();
       var now       = _now();
-      var expiresAt = now + (ttl * 1000);
+      var expiresAt = now + (ttl * 1000); // allow:raw-time-literal — ttl is a runtime seconds value; *1000 converts to ms
 
       await query(
         "INSERT INTO impersonations " +

package/lib/customer-merge.js

@@ -158,7 +158,7 @@ var DEFAULT_LIST_LIMIT   = 50;
 var MAX_CANDIDATE_LIMIT  = 200;
 var DEFAULT_CAND_LIMIT   = 25;
 var MAX_REASON_LEN       = 280;
-var ROLLBACK_WINDOW_MS   = 7 * 24 * 60 * 60 * 1000;
+var ROLLBACK_WINDOW_MS   = _b().constants.TIME.days(7);
 var DEFAULT_SIMILARITY   = 0.85;
 var MIN_SIMILARITY       = 0.50;
 var MAX_SIMILARITY       = 1.00;
@@ -187,6 +187,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- monotonic clock ---------------------------------------------------
 //
@@ -747,8 +748,8 @@ function create(opts) {
       var now = _now();
       if (now - Number(row.executed_at) > ROLLBACK_WINDOW_MS) {
         var winErr = new Error("customerMerge.rollbackMerge: merge_id " + mergeId +
-          " executed " + Math.floor((now - Number(row.executed_at)) / (24 * 60 * 60 * 1000)) +
-          " days ago, past the " + (ROLLBACK_WINDOW_MS / (24 * 60 * 60 * 1000)) +
+          " executed " + Math.floor((now - Number(row.executed_at)) / C.TIME.days(1)) +
+          " days ago, past the " + (ROLLBACK_WINDOW_MS / C.TIME.days(1)) +
           "-day rollback window");
         winErr.code = "CUSTOMER_MERGE_ROLLBACK_WINDOW_EXPIRED";
         throw winErr;

package/lib/customer-portal.js

@@ -75,8 +75,8 @@
 
 var TOKEN_NAMESPACE      = "customer-portal-token";
 var TOKEN_BYTES          = 32;
-var DEFAULT_TTL_SECONDS  = 15 * 60;
-var MAX_TTL_SECONDS      = 60 * 60 * 24;            // hard ceiling — one day
+var DEFAULT_TTL_SECONDS  = 15 * 60;                 // allow:raw-time-literal — seconds value; C.TIME returns ms
+var MAX_TTL_SECONDS      = 60 * 60 * 24;            // allow:raw-time-literal — seconds value; C.TIME returns ms (hard ceiling — one day)
 var MIN_TTL_SECONDS      = 30;                       // refuse zero / negative / sub-30s
 var MAX_REASON_LEN       = 64;
 var MAX_UA_CLASS_LEN     = 64;
@@ -196,7 +196,7 @@ function create(opts) {
       var tokenHash = _b().crypto.namespaceHash(TOKEN_NAMESPACE, plaintext);
       var id        = _b().uuid.v7();
       var now       = _now();
-      var expiresAt = now + (ttl * 1000);
+      var expiresAt = now + (ttl * 1000); // allow:raw-time-literal — ttl is a runtime seconds value; *1000 converts to ms
 
       await query(
         "INSERT INTO customer_portal_sessions " +
@@ -338,7 +338,7 @@ function create(opts) {
     //   worker layer can emit a metric.
     expireOlderThan: async function (seconds) {
       _seconds(seconds, "seconds");
-      var threshold = _now() - (seconds * 1000);
+      var threshold = _now() - (seconds * 1000); // allow:raw-time-literal — seconds is a runtime seconds value; *1000 converts to ms
       var r = await query(
         "UPDATE customer_portal_sessions " +
         "SET status = 'expired' " +

package/lib/customer-risk-profile.js

@@ -120,6 +120,7 @@ function _b() {
   }
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -149,7 +150,7 @@ var BANDS = Object.freeze({
 // score (their lifetime count still reflects them). 90 days matches
 // the typical card-network chargeback-evidence cycle: anything older
 // has already gone through dispute and is settled.
-var RECENT_WINDOW_MS = 90 * 86400 * 1000;
+var RECENT_WINDOW_MS = C.TIME.days(90);
 
 // detail_json byte ceiling. Operators routinely embed order ids,
 // amounts, a few human-readable notes — 8 KiB after JSON-encoding

package/lib/customer-segments.js

@@ -113,6 +113,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var DEFAULT_LIMIT = 100;
 var MAX_LIMIT     = 1000;
@@ -398,7 +399,7 @@ function create(opts) {
       var lastAt = Number(row.last_order_at || 0);
       var aov = orderCount > 0 ? Math.floor(gross / orderCount) : 0;
       var refundBps = orderCount > 0 ? Math.floor((refunded * 10000) / orderCount) : 0;
-      var recencyDays = lastAt > 0 ? Math.floor((nowTs - lastAt) / (24 * 60 * 60 * 1000)) : null;
+      var recencyDays = lastAt > 0 ? Math.floor((nowTs - lastAt) / C.TIME.days(1)) : null;
       out.push({
         customer_id:    row.customer_id,
         order_count:    orderCount,

package/lib/customer-surveys.js

@@ -73,6 +73,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -579,7 +580,7 @@ function create(opts) {
     var plaintext   = _generateToken();
     var tokenHash   = _hashToken(plaintext);
     var issuedAt    = _now();
-    var expiresAt   = issuedAt + (expiresHours * 60 * 60 * 1000);
+    var expiresAt   = issuedAt + (expiresHours * C.TIME.hours(1));
 
     await query(
       "INSERT INTO survey_invitations " +
@@ -904,7 +905,8 @@ function create(opts) {
       out.csat = csatTotal === 0
         ? { positive_pct: 0, mean: 0, positives: 0, neutrals: 0, negatives: 0 }
         : {
-            positive_pct: Math.round((pos / csatTotal) * 1000) / 10,
+            positive_pct: Math.round((pos / csatTotal) * 1000) / 10, // allow:raw-time-literal — percentage scaling factor, not a duration
+
             mean:         Math.round(primary.mean * 100) / 100,
             positives:    pos,
             neutrals:     neu,
@@ -923,7 +925,8 @@ function create(opts) {
         ? { mean: 0, agree_pct: 0, agree: 0 }
         : {
             mean:      Math.round(primary.mean * 100) / 100,
-            agree_pct: Math.round((cesAgree / primary.count) * 1000) / 10,
+            agree_pct: Math.round((cesAgree / primary.count) * 1000) / 10, // allow:raw-time-literal — percentage scaling factor, not a duration
+
             agree:     cesAgree,
           };
     }

package/lib/delivery-estimate.js

@@ -124,9 +124,9 @@ var POSTAL_RE             = /^[A-Za-z0-9][A-Za-z0-9 -]{0,15}$/;
 
 var COUNTRY_RE            = /^[A-Z]{2}$/;
 
-var MAX_WEIGHT_GRAMS      = 1000 * 1000;
+var MAX_WEIGHT_GRAMS      = 1000 * 1000; // allow:raw-time-literal — grams (1000 kg), not a duration
 
-var DAY_MS                = 24 * 60 * 60 * 1000;
+var DAY_MS                = _b().constants.TIME.days(1);
 
 // Lazy framework handle — matches the convention every other shop
 // primitive uses; avoids the require cycle that would arise from

package/lib/demand-forecast.js

@@ -104,6 +104,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -127,7 +128,7 @@ var MAX_UNITS_SOLD      = 1000000000;
 var DEFAULT_WINDOW_DAYS = 30;
 var DEFAULT_ALPHA       = 0.3;
 
-var DAY_MS              = 24 * 60 * 60 * 1000;
+var DAY_MS              = C.TIME.days(1);
 
 // Weekly-seasonality needs at least two full weeks of history to
 // avoid claiming a pattern from one cycle. Monthly-seasonality needs

package/lib/discount-analytics.js

@@ -124,8 +124,8 @@ var MAX_SESSION_LEN  = 256;
 var MAX_TIER_ID_LEN  = 128;
 var MAX_LIMIT        = 200;
 
-var ONE_YEAR_MS       = 365 * 24 * 60 * 60 * 1000;
-var DEFAULT_WINDOW_MS = 30 * 24 * 60 * 60 * 1000;
+var ONE_YEAR_MS       = _b().constants.TIME.days(365);
+var DEFAULT_WINDOW_MS = _b().constants.TIME.days(30);
 
 // Coupon-code shape — alnum + dot/dash/underscore plus a `:` to
 // admit the `tier:<id>` convention. Length-capped so a giant string

package/lib/dunning.js

@@ -109,6 +109,9 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+// Framework constants (C.TIME duration helpers). Safe at module-eval —
+// the index entry point exposes `framework` before the require cascade.
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -123,7 +126,7 @@ var MAX_SCHEDULE_STEPS    = 64;
 var MAX_CANCEL_ATTEMPTS   = 64;
 var MAX_LIST_LIMIT        = 500;
 var DEFAULT_LIST_LIMIT    = 100;
-var MS_PER_HOUR           = 60 * 60 * 1000;
+var MS_PER_HOUR           = C.TIME.hours(1);
 
 var SLUG_RE          = /^[a-z](?:[a-z0-9-]*[a-z0-9])?$/;
 var CONTROL_BYTE_RE  = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;

package/lib/email-warmup.js

@@ -92,6 +92,11 @@
 
 // ---- constants ----------------------------------------------------------
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var MAX_SLUG_LEN          = 80;
 var MAX_DAILY_TARGETS     = 365;          // a year of ramp ceiling — operator schedule, not framework
 var MAX_DAILY_TARGET      = 10000000;     // 10M sends in one day — well above any reasonable IP ceiling
@@ -100,7 +105,7 @@ var MAX_REASON_LEN        = 280;
 var MAX_LIST_LIMIT        = 500;
 var MAX_DOMAIN_LEN        = 253;          // DNS hostname cap
 var MAX_IP_LEN            = 45;           // IPv6 max textual length
-var MS_PER_DAY            = 24 * 60 * 60 * 1000;
+var MS_PER_DAY            = C.TIME.days(1);
 
 var SLUG_RE          = /^[a-z0-9][a-z0-9._-]{0,79}$/;
 // Lowercase domain — IDN punycode + alnum + hyphen + dot, ending in a

package/lib/email.js

@@ -32,16 +32,9 @@ function _b() {
   return bShop.framework;
 }
 
-var HTML_ESCAPE_MAP = {
-  "&": "&",
-  "<": "&lt;",
-  ">": "&gt;",
-  "\"": "&quot;",
-  "'": "&#39;",
-};
 function _htmlEscape(s) {
   if (s == null) return "";
-  return String(s).replace(/[&<>"']/g, function (c) { return HTML_ESCAPE_MAP[c]; });
+  return _b().template.escapeHtml(String(s));
 }
 
 // Strict {{var}} renderer. Refuses unrecognized placeholders so a

package/lib/error-log.js

@@ -71,9 +71,10 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
-var ONE_YEAR_MS      = 365 * 24 * 60 * 60 * 1000;
-var DEFAULT_WINDOW_MS = 24 * 60 * 60 * 1000;        // 24h — the dashboard's default
+var ONE_YEAR_MS      = C.TIME.days(365);
+var DEFAULT_WINDOW_MS = C.TIME.days(1);             // 24h — the dashboard's default
 
 var SESSION_NAMESPACE = "error-log-session";
 

package/lib/event-log.js

@@ -92,6 +92,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ---------------------------------------------------------
 
@@ -115,7 +116,7 @@ var MAX_TAIL_EVENTS    = 500;
 var DEFAULT_TAIL_EVENTS = 50;
 var MIN_POLL_MS        = 250;
 var DEFAULT_POLL_MS    = 2000;
-var MAX_POLL_MS        = 60000;
+var MAX_POLL_MS        = C.TIME.minutes(1);
 var MAX_PURGE_DAYS     = 3650;
 
 // Identifier shapes — kind / subject_kind / actor_kind / source share
@@ -650,7 +651,7 @@ function create(opts) {
       throw new TypeError("eventLog.purgeOlderThan: days must be an integer in [1, " + MAX_PURGE_DAYS + "]");
     }
     var excludeCritical = !!input.exclude_critical;
-    var cutoff = _now() - days * 86400000;
+    var cutoff = _now() - C.TIME.days(days);
 
     var sql, params;
     if (excludeCritical) {

package/lib/fraud-screen.js

@@ -101,6 +101,7 @@ function _b() {
   }
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -137,10 +138,11 @@ var WEIGHTS = Object.freeze({
 });
 
 // Thresholds for the heuristic dials.
-var VELOCITY_WINDOW_MS      = 24 * 60 * 60 * 1000;   // 24h lookback
+var VELOCITY_WINDOW_MS      = C.TIME.days(1);        // 24h lookback
 var VELOCITY_MAX_OK         = 3;                      // > N triggers
 var HIGH_VALUE_NEW_THRESH   = 50000;                 // 500.00 minor units
 var SESSION_FAST_MAX_SEC    = 15;
+// allow:raw-time-literal — session-age ceiling in SECONDS (24h); compared against session_age_seconds, C.TIME returns ms
 var SESSION_OLD_MAX_SEC     = 24 * 60 * 60;
 var LARGE_LINE_COUNT_THRESH = 25;
 var SCORE_MAX               = 100;

package/lib/fulfillment-sla.js

@@ -107,6 +107,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -124,7 +125,7 @@ var SLUG_RE              = /^[a-z0-9][a-z0-9._-]{0,63}$/;
 var CUTOFF_RE            = /^([01][0-9]|2[0-3]):([0-5][0-9])$/;
 var TIMEZONE_RE          = /^[A-Za-z][A-Za-z0-9+_\-/]{0,63}$/;
 
-var MS_PER_HOUR          = 60 * 60 * 1000;
+var MS_PER_HOUR          = C.TIME.hours(1);
 var MS_PER_DAY           = 24 * MS_PER_HOUR;
 
 var SEVERITY_MINOR_MAX   = 24;
@@ -296,6 +297,7 @@ function _clockStart(placedAt, cutoffLocalTime, timezone) {
   var nextHour   = Number(nextByType.hour);
   var nextMinute = Number(nextByType.minute);
   var nextSecond = Number(nextByType.second);
+  // allow:raw-time-literal — converts a runtime-computed local time-of-day (h/m/s) to ms; not a fixed duration C.TIME can express
   var localOffsetMs = (nextHour * 3600 + nextMinute * 60 + nextSecond) * 1000;
   return nextDayMs - localOffsetMs;
 }

package/lib/index.js

@@ -30,8 +30,16 @@ try {
   throw e;
 }
 
-module.exports = {
-  framework:    framework,
+// Expose the framework on the exports object up front — before the
+// require cascade below — so a shop module that composes a framework
+// primitive at module-eval time (e.g. `var C = require("./index")
+// .framework.constants` via the `_b()` lazy accessor, used for
+// duration constants) resolves `framework` cleanly while it is itself
+// being required. Without this, `_b()` mid-cascade would see a
+// half-built exports object with no `framework` field.
+module.exports.framework = framework;
+
+Object.assign(module.exports, {
   externaldbD1: require("./externaldb-d1"),
   r2Bridge:     require("./r2-bridge"),
   catalog:      require("./catalog"),
@@ -242,4 +250,4 @@ module.exports = {
   winbackCampaigns:      require("./winback-campaigns"),
   wishlistDigest:        require("./wishlist-digest"),
   operatorHelpCenter:    require("./operator-help-center"),
-};
+});

package/lib/inventory-allocations.js

@@ -84,6 +84,7 @@ var ORDER_ID_RE    = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 var HOLD_ID_RE     = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
 var REASON_RE      = /^[\S\s]{1,256}$/;
 var DEFAULT_TTL    = 900;          // 15 minutes by default
+// allow:raw-time-literal — TTL ceiling in SECONDS (not ms); C.TIME returns ms
 var MAX_TTL        = 24 * 60 * 60; // 24h ceiling — anything longer is a usage-error smell
 var MIN_TTL        = 1;
 
@@ -284,6 +285,7 @@ function create(opts) {
     }
 
     var ts        = _monotonicTs();
+    // allow:raw-time-literal — seconds→ms conversion of a variable TTL count; C.TIME helpers take a fixed duration, not a runtime value
     var expiresAt = ts + ttlSeconds * 1000;
     var id        = _b().uuid.v7();
     await query(
@@ -415,6 +417,7 @@ function create(opts) {
         ", expected 'held'");
     }
 
+    // allow:raw-time-literal — seconds→ms conversion of a variable TTL count; C.TIME helpers take a fixed duration, not a runtime value
     var nextExpires = Number(existing.expires_at) + input.additional_ttl_seconds * 1000;
     await query(
       "UPDATE inventory_holds SET expires_at = ?1 WHERE id = ?2 AND status = 'held'",

package/lib/inventory-snapshots.js

@@ -90,6 +90,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -660,7 +661,7 @@ function create(opts) {
     // to wipe the snapshot history wholesale call with 0.
     purgeOlderThan: async function (days) {
       _days(days);
-      var cutoff = _now() - (days * 86400000);
+      var cutoff = _now() - C.TIME.days(days);
       // Read the ids first so the return shape can carry both the
       // count and the ids that were removed (operators occasionally
       // want to log "purged snapshots: a, b, c" for a compliance

package/lib/invoice-renderer.js

@@ -88,6 +88,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -503,7 +504,7 @@ function create(opts) {
       var issuer = await _resolveIssuer();
 
       var generatedAt = Date.now();
-      var dueAt = generatedAt + dueDays * 24 * 60 * 60 * 1000;
+      var dueAt = generatedAt + C.TIME.days(dueDays);
 
       var seq = await _advanceSeries(series);
       var invoiceNumber = _formatInvoiceNumber(seq, generatedAt);

package/lib/line-gift-wrap.js

@@ -68,9 +68,14 @@
 
 // ---- constants ----------------------------------------------------------
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var MAX_MESSAGE_LEN   = 500;
 var MAX_RECIPIENT_LEN = 120;
-var MAX_FROM_TO_SPAN  = 366 * 24 * 3600 * 1000; // analytics window cap
+var MAX_FROM_TO_SPAN  = C.TIME.days(366); // analytics window cap
 
 // SKU shape mirrors catalog.js + gift-options.js — alnum + . _ -, ≤
 // 128 chars, leading char must be alnum so a wrap_sku can never

package/lib/live-chat.js

@@ -114,6 +114,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- validators ---------------------------------------------------------
 
@@ -673,7 +674,7 @@ function create(opts) {
       }
       var idleMinutes = _idleMinutes(input.idle_minutes);
       var ts        = _now();
-      var threshold = ts - idleMinutes * 60 * 1000;
+      var threshold = ts - C.TIME.minutes(idleMinutes);
       var r = await query(
         "SELECT id FROM chat_sessions " +
         "WHERE status IN ('queued','assigned','active','waiting') " +

package/lib/loyalty-redemption.js

@@ -68,6 +68,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -82,7 +83,7 @@ var MAX_REDEMPTIONS_LIMIT = 200;
 var MAX_POINT_COST = 100000000;
 var MAX_PER_CUSTOMER = 100000;
 var MAX_EXPIRES_DAYS = 3650;
-var MS_PER_DAY = 86400000;
+var MS_PER_DAY = C.TIME.days(1);
 
 // Slug shape matches the catalog / promo-banners convention — alnum +
 // hyphen + underscore + dot, leading char alnum, capped length.

package/lib/newsletter.js

@@ -48,10 +48,15 @@
 
 "use strict";
 
+// `_b()` is a hoisted function declaration (defined below); resolving the
+// framework constants here at module-eval is safe — the index entry point
+// exposes `framework` before the require cascade.
+var C = _b().constants;
+
 var EMAIL_NAMESPACE         = "newsletter-email";
 var UNSUBSCRIBE_NAMESPACE   = "newsletter-unsubscribe";
 var UNSUBSCRIBE_TOKEN_BYTES = 24;
-var UNSUBSCRIBE_TTL_MS      = 365 * 24 * 60 * 60 * 1000;
+var UNSUBSCRIBE_TTL_MS      = C.TIME.days(365);
 var MAX_SOURCE_LEN          = 64;
 var SOURCE_RE               = /^[a-z0-9][a-z0-9._-]{0,62}[a-z0-9]$/;
 

package/lib/operator-activity-feed.js

@@ -106,19 +106,20 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
 var MAX_LIMIT       = 200;
 var DEFAULT_LIMIT   = 50;
 var MAX_RECENT_LOGINS = 10;
-var ONLINE_WINDOW_MS = 5 * 60 * 1000;
-var MS_PER_DAY = 86400000;
+var ONLINE_WINDOW_MS = C.TIME.minutes(5);
+var MS_PER_DAY = C.TIME.days(1);
 
 // Cache freshness window. summarizeForOperator returns the cached row
 // when computed_at is within this window AND no source has a newer
 // event than last_activity_at. Same posture as customer-activity uses.
-var CACHE_TTL_MS = 5 * 60 * 1000;
+var CACHE_TTL_MS = C.TIME.minutes(5);
 
 // Order-key for the forOperator() pagination cursor — (occurred_at
 // DESC, kind DESC). Tuple keeps the cursor monotonic even when two