@blamejs/blamejs-shop 0.1.12 → 0.1.14

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.1.x
 
+- v0.1.14 (2026-05-25) — **PayPal payment adapter (Orders v2).** `payment.create({ adapter: "paypal", … })` is a new native PayPal adapter alongside the Stripe one — a from-scratch Orders-v2 client over the framework's SSRF-gated HTTP client, with no PayPal SDK dependency. It exchanges an OAuth2 client-credentials token (cached until it nears expiry), creates and captures orders, fetches and refunds them, and verifies inbound webhooks through PayPal's verify-webhook-signature API. This ships the adapter only; wiring it into the checkout flow and a storefront button comes next. Card / Stripe checkout is unchanged. **Added:** *PayPal Orders-v2 adapter* — `payment.create({ adapter: "paypal", clientId, secret, sandbox?, webhookId?, apiBase? })` returns `{ createOrder, captureOrder, getOrder, refund, verifyWebhook }`. `createOrder({ amount_minor, currency, order_id?, return_url?, cancel_url? })` opens a CAPTURE-intent order (amounts converted to PayPal's decimal-string major units, including 0-decimal currencies); `captureOrder(id)` finalizes it; `refund({ capture_id, amount_minor?, currency? })` refunds full or partial; `getOrder(id)` reads status. Every call carries an OAuth2 bearer token exchanged once and cached until ~2 minutes before expiry, and a `PayPal-Request-Id` for idempotency (plus the shared idempotency cache when a `query` handle is wired). `verifyWebhook(headers, rawBody, { webhookId })` confirms an inbound event through PayPal's verify-webhook-signature API and returns `{ ok, event }`. Outbound HTTP goes through `b.httpClient` — no `paypal` npm dependency. Off until the operator supplies credentials; the Stripe adapter and existing checkout are unchanged.
+
+- v0.1.13 (2026-05-25) — **Internal: uniform framework access across the library.** An internal consistency refactor with no API or behavior change. Every library module now captures the framework once at the top — straight from the vendored tree (`var b = require("./vendor/blamejs");`) — and uses `b.*` uniformly, replacing a per-module lazy accessor and its scattered call sites. Capturing the framework directly (rather than via the composing entry point) also avoids a circular-load edge case on leaf-first imports. Two source files that embedded a raw NUL byte as a map-key separator now use the `\u0000` escape, so the whole library is plain text. New lint rules lock all of this in place. Public APIs, runtime behavior, and the published surface are unchanged. **Added:** *Lint detectors for accessor uniformity and source hygiene* — Three repository lint rules now prevent drift: one rejects the reintroduction of the per-module lazy framework accessor (capture the framework once at module top); one rejects requiring the composing entry point from a leaf module (require the vendored framework directly — entry-point requires from a leaf create a circular-load hazard); and one rejects raw C0 control bytes in source files (write `\u0000` and friends as escapes so files stay plain text — grep / diff / editors handle them correctly). **Changed:** *Framework handle captured once per module* — Library modules previously reached the vendored framework through a lazy `_b()` accessor invoked at every call site. They now capture it once at module top — `var b = require("./vendor/blamejs");`, the same object the entry point re-exports as `.framework` — and reference `b.*` directly, matching how the edge worker already accesses it. Capturing it directly from the vendored tree (instead of through the composing entry point) keeps leaf-first module imports working — requiring a single module no longer pulls the entry point's whole assembly mid-initialization. No public API or runtime behavior changes.
+
 - v0.1.12 (2026-05-25) — **Card payments now finalize the order — the Stripe webhook is handled end to end.** A confirmed Stripe payment now advances the order from pending to paid. The container now serves the `POST /api/webhooks/stripe` route the edge worker forwards to: it re-verifies the event signature over the exact raw bytes, maps the event to the order's FSM transition, and is idempotent across Stripe's re-deliveries. Previously the edge verified the webhook but nothing consumed it on the container, so a paid PaymentIntent (card, Apple Pay, or Google Pay) left the order stuck in pending — no fulfillment, no paid status. Operators running checkout should upgrade and confirm their Stripe webhook points at `/api/webhooks/stripe`. **Added:** *Raw-body capture for payment webhooks* — A small middleware preserves the exact request bytes for the webhook path before the JSON body-parser runs, so signature verification (which is computed over the raw body) is reliable. It is scoped to the webhook routes and leaves every other request untouched. **Fixed:** *Stripe webhook completes the order* — `POST /api/webhooks/stripe` is now handled on the container: the event signature is re-verified against `STRIPE_WEBHOOK_SECRET` over the raw request body (a tampered or unsigned event is rejected with 400), then `payment_intent.succeeded` / `.canceled` / `charge.refunded` drive the order FSM (`mark_paid` / `cancel` / `refund`). Re-deliveries are idempotent — an event for an order already in the target state is acknowledged with 200 and skipped. A delivery for an unknown PaymentIntent is acknowledged without effect. This closes the gap where a confirmed payment never moved the order out of `pending`.
 
 - v0.1.11 (2026-05-25) — **Sign in with Apple.** Customers can now sign in with Apple, alongside passkeys and Google. A “Continue with Apple” button appears on the account login page once the operator wires the Apple credentials; the callback turns the verified Apple identity into a shop session, adopts the guest cart, and claims prior guest orders placed under the same verified email — the same way Google sign-in does. Apple's OAuth client secret is itself an ES256 JWT, which the shop mints from the team's Sign-in-with-Apple key. Sign in with Apple is off until the credentials are set, like every other integration. **Added:** *Sign in with Apple (OIDC)* — `GET /account/login/apple` starts the flow (sealed in-flight state cookie, PKCE, nonce); Apple posts the result back to `POST /account/auth/apple/callback` (response_mode=form_post). The callback verifies the state, exchanges the code, signs the customer in on `(provider=apple, subject)`, adopts the guest cart, and — when Apple reports the email as verified — claims prior guest orders under that email. The display name is captured from Apple's first-authorization `user` field (Apple sends it only once and never in the ID token). The button appears on `/account/login` only when the credentials are configured, and is listed on `/admin/integrations`. · *customers.mintAppleClientSecret* — Mints Apple's required ES256 client-secret JWT from a Services-ID `.p8` key (team id, key id, client id). This is the one signature the protocol forces to be classical ECDSA P-256 rather than the framework's post-quantum default — an external identity provider's wire format, not an application default. The secret is minted at boot with a 150-day life (inside Apple's six-month ceiling) and re-minted on each deploy. **Changed:** *Account login offers Apple when configured* — The login page shows Continue-with-Google and Continue-with-Apple buttons independently, each gated on its own credentials. Set `APPLE_TEAM_ID`, `APPLE_KEY_ID`, `APPLE_CLIENT_ID` (your Services ID), `APPLE_PRIVATE_KEY` (the `.p8` contents), and `SHOP_ORIGIN`, and add `<SHOP_ORIGIN>/account/auth/apple/callback` as a Return URL on the Services ID. Requires an Apple Developer Program membership. See the README “Optional integrations” section.

package/lib/address-validation.js

@@ -63,11 +63,7 @@
  * @related   b.crypto, b.safeJson, b.uuid, shop.addresses, shop.geolocation
  */
 
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
+var b = require("./vendor/blamejs");
 
 // ---- constants ----------------------------------------------------------
 
@@ -175,7 +171,7 @@ function _normalizedAddress(v) {
     );
   }
   var json;
-  try { json = _b().safeJson.canonical(v); }
+  try { json = b.safeJson.canonical(v); }
   catch (e) {
     throw new TypeError(
       "addressValidation: normalized_address must be JSON-serializable — " + e.message
@@ -210,7 +206,7 @@ function _suggestions(v) {
     throw new TypeError("addressValidation: suggestions must be an array");
   }
   var json;
-  try { json = _b().safeJson.canonical(v); }
+  try { json = b.safeJson.canonical(v); }
   catch (e) {
     throw new TypeError(
       "addressValidation: suggestions must be JSON-serializable — " + e.message
@@ -232,13 +228,13 @@ function _now() { return Date.now(); }
 function _signatureForInput(input) {
   _input(input, "input");
   var canonical;
-  try { canonical = _b().safeJson.canonical(input); }
+  try { canonical = b.safeJson.canonical(input); }
   catch (e) {
     throw new TypeError(
       "addressValidation: input must be JSON-serializable — " + e.message
     );
   }
-  return _b().crypto.namespaceHash(INPUT_NAMESPACE, canonical);
+  return b.crypto.namespaceHash(INPUT_NAMESPACE, canonical);
 }
 
 // ---- row -> wire conversions -------------------------------------------
@@ -292,7 +288,7 @@ function create(opts) {
   opts = opts || {};
   var query = opts.query;
   if (!query) {
-    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+    query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
   async function _getValidationBySig(sig) {
@@ -354,7 +350,7 @@ function create(opts) {
         return _rowToValidation(await _getValidationBySig(sig));
       }
 
-      var id = _b().uuid.v7();
+      var id = b.uuid.v7();
       await query(
         "INSERT INTO address_validations " +
         "(id, input_signature, normalized_address_json, deliverable, classification, " +
@@ -413,7 +409,7 @@ function create(opts) {
         return _rowToSuggestion(await _getSuggestionByInput(partial));
       }
 
-      var id = _b().uuid.v7();
+      var id = b.uuid.v7();
       await query(
         "INSERT INTO address_suggestions_cache " +
         "(id, partial_input, suggestions_json, expires_at, occurred_at) " +

package/lib/addresses.js

@@ -50,11 +50,7 @@
  * @related  customers, checkout
  */
 
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
+var b = require("./vendor/blamejs");
 
 var MAX_LABEL_LEN          = 64;
 var MAX_RECIPIENT_NAME_LEN = 128;
@@ -72,7 +68,7 @@ var CONTROL_BYTE_RE = /[\x00-\x1f\x7f]/;
 // ---- validators ---------------------------------------------------------
 
 function _uuid(s, label) {
-  try { return _b().guardUuid.sanitize(s, { profile: "strict" }); }
+  try { return b.guardUuid.sanitize(s, { profile: "strict" }); }
   catch (e) { throw new TypeError("addresses: " + label + " — " + (e && e.message || "invalid UUID")); }
 }
 
@@ -137,7 +133,7 @@ function create(opts) {
   opts = opts || {};
   var query = opts.query;
   if (!query) {
-    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+    query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
   // Clear the named default flag on every non-archived row for this
@@ -180,7 +176,7 @@ function create(opts) {
       var defShipping   = _bool(input.is_default_shipping, "is_default_shipping");
       var defBilling    = _bool(input.is_default_billing,  "is_default_billing");
 
-      var id = _b().uuid.v7();
+      var id = b.uuid.v7();
       var ts = _now();
 
       // Clear sibling defaults FIRST so the promotion lands cleanly.

package/lib/admin.js

@@ -32,11 +32,7 @@
 
 var pricing = require("./pricing");
 
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
+var b = require("./vendor/blamejs");
 
 var AUDIT_NAMESPACE = "shop_admin";
 
@@ -86,7 +82,7 @@ function _parseLimit(str, label, max, fallback) {
 
 function _htmlEscape(s) {
   if (s == null) return "";
-  return _b().template.escapeHtml(String(s));
+  return b.template.escapeHtml(String(s));
 }
 
 // ---- bearer auth --------------------------------------------------------
@@ -102,7 +98,7 @@ function _readBearer(req) {
 function _authOk(token, expected) {
   if (typeof token !== "string" || typeof expected !== "string") return false;
   if (token.length !== expected.length) return false;
-  return _b().crypto.timingSafeEqual(token, expected);
+  return b.crypto.timingSafeEqual(token, expected);
 }
 
 // ---- admin browser session (sealed cookie) ------------------------------
@@ -118,8 +114,8 @@ var ADMIN_COOKIE_NAME = "shop_admin";
 var _adminJarMemo = null;
 function _adminJar() {
   if (!_adminJarMemo) {
-    _adminJarMemo = _b().cookies.create({
-      vault:    _b().vault,
+    _adminJarMemo = b.cookies.create({
+      vault:    b.vault,
       defaults: { httpOnly: true, secure: true, sameSite: "Strict", path: "/admin" },
     });
   }
@@ -129,8 +125,8 @@ function _adminJar() {
 function _setAdminCookie(res) {
   _adminJar().writeSealed(res, ADMIN_COOKIE_NAME, JSON.stringify({
     admin: true,
-    exp:   Date.now() + _b().constants.TIME.hours(12),
-  }), { expires: new Date(Date.now() + _b().constants.TIME.hours(12)) });
+    exp:   Date.now() + b.constants.TIME.hours(12),
+  }), { expires: new Date(Date.now() + b.constants.TIME.hours(12)) });
 }
 function _clearAdminCookie(res) {
   _adminJar().clear(res, ADMIN_COOKIE_NAME);
@@ -153,7 +149,7 @@ function _htmlAuthed(req, expectedToken) {
 }
 
 function _problem(res, status, code, detail) {
-  return _b().problemDetails.send(res, {
+  return b.problemDetails.send(res, {
     type:   "/problems/" + code,
     title:  code.replace(/-/g, " "),
     status: status,
@@ -193,7 +189,7 @@ function _wrap(handler, opts) {
         // write path it observes. Equivalent to `try { audit.emit(...)
         // } catch (_e) {}` but composed via the framework primitive
         // instead of a local wrapper.
-        _b().audit.safeEmit({
+        b.audit.safeEmit({
           action:   AUDIT_NAMESPACE + "." + opts.audit,
           outcome:  "success",
           metadata: { id: result.id || null },
@@ -231,7 +227,7 @@ function mount(router, deps) {
   // into every authed render call as `nav_available`.
   var navAvailable = { returns: !!returns, reviews: !!reviews };
 
-  try { _b().audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
+  try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
 
   var W = function (auditAction, h) {
     return _wrap(h, { expectedToken: expectedToken, audit: auditAction });
@@ -288,7 +284,7 @@ function mount(router, deps) {
         }
         throw e;
       }
-      _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".product.create", outcome: "success", metadata: {} });
+      b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".product.create", outcome: "success", metadata: {} });
       _redirect(res, "/admin/products?created=1");
     },
   ));
@@ -356,7 +352,7 @@ function mount(router, deps) {
         // failure must NOT be reported as success — let it surface.
         try { await op(req.params.id); }
         catch (e) { if (!(e instanceof TypeError)) throw e; }
-        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + "." + audit, outcome: "success", metadata: { id: req.params.id } });
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + "." + audit, outcome: "success", metadata: { id: req.params.id } });
         _redirect(res, "/admin/products");
       },
     );
@@ -495,7 +491,7 @@ function mount(router, deps) {
       // smuggle internal data into the bucket.
       var fetched;
       try {
-        fetched = await _b().httpClient.request({
+        fetched = await b.httpClient.request({
           method:    "GET",
           url:       body.source_url,
           timeoutMs: 20000,
@@ -528,7 +524,7 @@ function mount(router, deps) {
       // declared content-type so the operator can preview the asset
       // without a content-disposition round-trip.
       var ext = _extFromContentType(declared);
-      var id  = _b().uuid.v7();
+      var id  = b.uuid.v7();
       var key = "media/" + id + (ext ? "." + ext : "");
       try {
         await r2.put(key, buf, body.content_type);
@@ -686,7 +682,7 @@ function mount(router, deps) {
         }
         throw e;
       }
-      _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.transition", outcome: "success", metadata: { id: id, event: event } });
+      b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.transition", outcome: "success", metadata: { id: id, event: event } });
       _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?moved=1");
     },
   ));
@@ -699,7 +695,7 @@ function mount(router, deps) {
     // "Refund" moves the money first (never a bare state change — that
     // would mark an order refunded with the customer never paid back).
     async function _refundOrder(o, body) {
-      var refundIdempotencyKey = "refund:" + o.id + ":" + (body.idempotency_suffix || _b().uuid.v7());
+      var refundIdempotencyKey = "refund:" + o.id + ":" + (body.idempotency_suffix || b.uuid.v7());
       var refund = await payment.refund({
         payment_intent: o.payment_intent_id,
         amount_minor:   body.amount_minor || undefined,
@@ -747,7 +743,7 @@ function mount(router, deps) {
           // transition only runs after a successful refund).
           return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
         }
-        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.refund", outcome: "success", metadata: { id: id } });
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.refund", outcome: "success", metadata: { id: id } });
         _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?moved=1");
       },
     ));
@@ -816,7 +812,7 @@ function mount(router, deps) {
           }
           throw e;
         }
-        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + "." + auditEvent, outcome: "success", metadata: { id: id } });
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + "." + auditEvent, outcome: "success", metadata: { id: id } });
         _redirect(res, "/admin/reviews?moved=1");
       });
     }
@@ -957,7 +953,7 @@ function mount(router, deps) {
           }
           throw e;
         }
-        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + "." + auditEvent, outcome: "success", metadata: { id: id } });
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + "." + auditEvent, outcome: "success", metadata: { id: id } });
         _redirect(res, "/admin/returns/" + encodeURIComponent(id) + "?moved=1");
       });
     }
@@ -1385,11 +1381,11 @@ function mount(router, deps) {
       else if (values.shop_name.length > 80) notice = "Shop name is too long (max 80 characters).";
       else if (values.currency && !/^[A-Z]{3}$/.test(values.currency)) notice = "Currency must be a 3-letter ISO 4217 code (e.g. USD).";
       else if (values.contact_email) {
-        var emailReport = _b().guardEmail.validate(values.contact_email, { profile: "strict" });
+        var emailReport = b.guardEmail.validate(values.contact_email, { profile: "strict" });
         if (!emailReport || emailReport.ok === false) notice = "That contact email doesn't look valid.";
       }
       if (!notice && values.support_url) {
-        var u = _b().safeUrl.parse(values.support_url);
+        var u = b.safeUrl.parse(values.support_url);
         if (!u || (u.protocol !== "https:" && u.protocol !== "http:")) notice = "Support URL must be a valid http(s) URL.";
       }
       if (notice) {
@@ -1407,7 +1403,7 @@ function mount(router, deps) {
           notice: "Couldn't save — " + ((e && e.message) || "please try again."),
         }));
       }
-      _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".setup.save", outcome: "success", metadata: {} });
+      b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".setup.save", outcome: "success", metadata: {} });
       _redirect(res, "/admin/setup?saved=1");
     });
   }

package/lib/affiliates.js

@@ -127,20 +127,14 @@ var ALLOWED_UPDATE_COLUMNS = Object.freeze([
   "commission_value", "attribution_window_days",
 ]);
 
-// Lazy framework handle — matches the pattern used by every other
-// shop primitive; avoids the require cycle that would arise from
-// importing `./index` at module-eval time.
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
-var C = _b().constants;
+// Framework handle (the vendored blamejs); index.js re-exports this as .framework.
+var b = require("./vendor/blamejs");
+var C = b.constants;
 
 // ---- validators ---------------------------------------------------------
 
 function _uuid(s, label) {
-  try { return _b().guardUuid.sanitize(s, { profile: "strict" }); }
+  try { return b.guardUuid.sanitize(s, { profile: "strict" }); }
   catch (e) { throw new TypeError("affiliates: " + label + " — " + (e && e.message || "invalid UUID")); }
 }
 
@@ -320,7 +314,7 @@ function _normalizeEmail(input) {
   if (typeof input !== "string" || !input.length) {
     throw new TypeError("affiliates: email must be a non-empty string");
   }
-  var guardEmail = _b().guardEmail;
+  var guardEmail = b.guardEmail;
   var report;
   try {
     report = guardEmail.validate(input, { profile: "strict" });
@@ -345,7 +339,7 @@ function _now() { return Date.now(); }
 // ---- code generation + canonicalization ---------------------------------
 
 function _generateCode() {
-  var buf = _b().crypto.generateBytes(CODE_LEN);
+  var buf = b.crypto.generateBytes(CODE_LEN);
   var out = "";
   for (var j = 0; j < CODE_LEN; j += 1) {
     out += CODE_ALPHABET.charAt(buf[j] & 31);
@@ -390,7 +384,7 @@ function create(opts) {
   opts = opts || {};
   var query = opts.query;
   if (!query) {
-    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+    query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
   // Pagination cursors are HMAC-tagged via b.pagination so a caller
@@ -413,7 +407,7 @@ function create(opts) {
       throw new TypeError("affiliates." + label + ": cursor must be an opaque string or null");
     }
     try {
-      var state = _b().pagination.decodeCursor(cursor, cursorSecret);
+      var state = b.pagination.decodeCursor(cursor, cursorSecret);
       if (JSON.stringify(state.orderKey) !== JSON.stringify(LIST_ORDER_KEY)) {
         throw new TypeError("affiliates." + label + ": cursor orderKey mismatch");
       }
@@ -427,7 +421,7 @@ function create(opts) {
   function _encodeNext(rows, limit) {
     var last = rows[rows.length - 1];
     if (!last || rows.length < limit) return null;
-    return _b().pagination.encodeCursor({
+    return b.pagination.encodeCursor({
       orderKey: LIST_ORDER_KEY,
       vals:     [last.occurred_at, last.id],
       forward:  true,
@@ -435,11 +429,11 @@ function create(opts) {
   }
 
   function _hashEmail(canonicalEmail) {
-    return _b().crypto.namespaceHash(EMAIL_NAMESPACE, canonicalEmail);
+    return b.crypto.namespaceHash(EMAIL_NAMESPACE, canonicalEmail);
   }
 
   function _hashSession(sessionId) {
-    return _b().crypto.namespaceHash(SESSION_NAMESPACE, sessionId);
+    return b.crypto.namespaceHash(SESSION_NAMESPACE, sessionId);
   }
 
   async function _getAffiliateRaw(id) {
@@ -519,7 +513,7 @@ function create(opts) {
       var commissionValue  = _commissionValue(input.commission_value, commissionKind);
       var attributionDays  = _attributionWindow(input.attribution_window_days);
 
-      var id = _b().uuid.v7();
+      var id = b.uuid.v7();
       var ts = _now();
       var row = {
         id:                       id,
@@ -697,7 +691,7 @@ function create(opts) {
         };
       }
 
-      var visitId = _b().uuid.v7();
+      var visitId = b.uuid.v7();
       await query(
         "INSERT INTO affiliate_visits " +
         "(id, code, affiliate_id, visitor_session_id_hash, referrer, occurred_at) " +
@@ -801,7 +795,7 @@ function create(opts) {
         aff.commission_kind, Number(aff.commission_value), orderTotal
       );
 
-      var id = _b().uuid.v7();
+      var id = b.uuid.v7();
       await query(
         "INSERT INTO affiliate_commissions " +
         "(id, order_id, affiliate_id, order_total_minor, commission_minor, " +
@@ -848,11 +842,11 @@ function create(opts) {
         idx += 1;
       }
       if (cursorVals) {
-        var a = idx;
-        var b = idx + 1;
+        var pOccurred = idx;
+        var pId = idx + 1;
         where.push(
-          "(occurred_at < ?" + a + " OR " +
-          "(occurred_at = ?" + a + " AND id < ?" + b + "))"
+          "(occurred_at < ?" + pOccurred + " OR " +
+          "(occurred_at = ?" + pOccurred + " AND id < ?" + pId + "))"
         );
         params.push(cursorVals[0], cursorVals[1]);
         idx += 2;

package/lib/analytics.js

@@ -87,12 +87,8 @@
  *   discipline owns what goes inside.
  */
 
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
-var C = _b().constants;
+var b = require("./vendor/blamejs");
+var C = b.constants;
 
 var ONE_YEAR_MS = C.TIME.days(365);
 var DEFAULT_WINDOW_MS = C.TIME.days(30);
@@ -231,7 +227,7 @@ function create(opts) {
   opts = opts || {};
   var query = opts.query;
   if (!query) {
-    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+    query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
   // Status buckets we always surface, even when zero. Aligned with
@@ -470,7 +466,6 @@ function create(opts) {
         occurredAt = input.occurred_at;
       }
 
-      var b = _b();
       var sessionHash  = sessionId  == null ? null : b.crypto.namespaceHash(SESSION_NAMESPACE,  sessionId);
       var customerHash = customerId == null ? null : b.crypto.namespaceHash(CUSTOMER_NAMESPACE, customerId);
       // `session_id_hash` is NOT NULL in the schema — fall back to
@@ -593,7 +588,7 @@ function create(opts) {
       _refuseRawPii("session_id", sessionId);
       var limit = (opts && opts.limit) == null ? 100 : opts.limit;
       _limit(limit, "limit", 500);
-      var hash = _b().crypto.namespaceHash(SESSION_NAMESPACE, sessionId);
+      var hash = b.crypto.namespaceHash(SESSION_NAMESPACE, sessionId);
       var r = await query(
         "SELECT id, event_type, session_id_hash, customer_id_hash, " +
         "       payload_json, product_id, search_q, page_url, " +

package/lib/announcement-bar.js

@@ -137,11 +137,7 @@ var ALLOWED_PATCH_COLUMNS = Object.freeze([
   "dismissible",
 ]);
 
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
+var b = require("./vendor/blamejs");
 
 // ---- monotonic clock ----------------------------------------------------
 //
@@ -275,7 +271,7 @@ function _linkUrl(s) {
     return s;
   }
   try {
-    _b().safeUrl.parse(s, { allowedProtocols: ["https:"] });
+    b.safeUrl.parse(s, { allowedProtocols: ["https:"] });
   } catch (e) {
     throw new TypeError("announcementBar: link_url — " + (e && e.message || "must be https:// or a /-rooted absolute path"));
   }
@@ -323,7 +319,7 @@ function create(opts) {
   opts = opts || {};
   var query = opts.query;
   if (!query) {
-    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+    query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
   // customerSegments is optional — announcements with audience =
   // "segment" require it, but a deployment without segment-targeted
@@ -564,7 +560,7 @@ function create(opts) {
     var sessionHash = null;
     if (input.session_id != null) {
       var sid = _sessionId(input.session_id);
-      sessionHash = _b().crypto.namespaceHash(SESSION_HASH_NAMESPACE, sid);
+      sessionHash = b.crypto.namespaceHash(SESSION_HASH_NAMESPACE, sid);
     }
 
     // Pull every candidate row in the active window, ordered by
@@ -655,14 +651,14 @@ function create(opts) {
       throw new TypeError("announcementBar.recordDismissal: slug " + JSON.stringify(slug) + " not found");
     }
 
-    var hash = _b().crypto.namespaceHash(SESSION_HASH_NAMESPACE, sessionId);
+    var hash = b.crypto.namespaceHash(SESSION_HASH_NAMESPACE, sessionId);
 
     // Dedup is enforced by the UNIQUE(announcement_slug,
     // session_id_hash) index; a second dismissal from the same
     // session is a no-op (the existing row keeps its occurred_at).
     // INSERT OR IGNORE keeps the call idempotent without a separate
     // SELECT-then-INSERT round-trip.
-    var id = _b().uuid.v7();
+    var id = b.uuid.v7();
     var r = await query(
       "INSERT OR IGNORE INTO announcement_dismissals " +
       "(id, announcement_slug, session_id_hash, occurred_at) " +
@@ -695,7 +691,7 @@ function create(opts) {
         throw new TypeError("announcementBar.renderHtml: locale must be a BCP-47-shape string (e.g. 'en-US')");
       }
     }
-    var escapeHtml = _b().template.escapeHtml;
+    var escapeHtml = b.template.escapeHtml;
 
     var theme      = escapeHtml(announcement.theme || "info");
     var slug       = escapeHtml(announcement.slug);

package/lib/api-keys.js

@@ -76,7 +76,10 @@ var TOKEN_BYTE_LEN          = 32;
 var TOKEN_PLAINTEXT_LEN     = 43;
 var TOKEN_PLAINTEXT_RE      = /^[A-Za-z0-9_-]{43}$/;
 
-var ROTATION_GRACE_MS       = _b().constants.TIME.days(1);
+// Framework handle (the vendored blamejs); index.js re-exports this as .framework.
+var b = require("./vendor/blamejs");
+
+var ROTATION_GRACE_MS       = b.constants.TIME.days(1);
 
 var OWNER_TYPES             = ["operator", "app", "affiliate", "tenant"];
 var STATUSES                = ["active", "rotated", "revoked", "expired"];
@@ -112,19 +115,10 @@ var ALLOWED_UPDATE_COLUMNS  = Object.freeze([
   "name", "scopes", "rate_limit_per_minute",
 ]);
 
-// Lazy framework handle — matches the pattern used by every other
-// shop primitive; avoids the require cycle that would arise from
-// importing `./index` at module-eval time.
-var bShop;
-function _b() {
-  if (!bShop) bShop = require("./index");
-  return bShop.framework;
-}
-
 // ---- validators ---------------------------------------------------------
 
 function _uuid(s, label) {
-  try { return _b().guardUuid.sanitize(s, { profile: "strict" }); }
+  try { return b.guardUuid.sanitize(s, { profile: "strict" }); }
   catch (e) { throw new TypeError("apiKeys: " + label + " — " + (e && e.message || "invalid UUID")); }
 }
 
@@ -257,8 +251,8 @@ function _now() { return Date.now(); }
 // built-in `base64url` encoding runs in place of a polynomial-ReDoS-
 // shaped `.replace(/=+$/, "")` strip (CodeQL js/polynomial-redos).
 function _generateToken() {
-  var buf = _b().crypto.generateBytes(TOKEN_BYTE_LEN);
-  return _b().crypto.toBase64Url(buf);
+  var buf = b.crypto.generateBytes(TOKEN_BYTE_LEN);
+  return b.crypto.toBase64Url(buf);
 }
 
 function _canonicalToken(input) {
@@ -272,7 +266,7 @@ function _canonicalToken(input) {
 }
 
 function _hashToken(canonical) {
-  return _b().crypto.namespaceHash(TOKEN_NAMESPACE, canonical);
+  return b.crypto.namespaceHash(TOKEN_NAMESPACE, canonical);
 }
 
 // ---- factory ------------------------------------------------------------
@@ -281,7 +275,7 @@ function create(opts) {
   opts = opts || {};
   var query = opts.query;
   if (!query) {
-    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+    query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
   async function _getRaw(id) {
@@ -398,7 +392,7 @@ function create(opts) {
       var rateLimit  = _rateLimit(input.rate_limit_per_minute);
       var expiresAt  = _expiresAt(input.expires_at);
 
-      var id         = _b().uuid.v7();
+      var id         = b.uuid.v7();
       var plaintext  = _generateToken();
       var hash       = _hashToken(plaintext);
       var ts         = _now();
@@ -468,9 +462,9 @@ function create(opts) {
       var row = r.rows[0];
 
       // Constant-time equality on whichever column matched.
-      var matchedLive     = _b().crypto.timingSafeEqual(row.token_hash, hash);
+      var matchedLive     = b.crypto.timingSafeEqual(row.token_hash, hash);
       var matchedPrevious = row.token_hash_previous != null
-        && _b().crypto.timingSafeEqual(row.token_hash_previous, hash);
+        && b.crypto.timingSafeEqual(row.token_hash_previous, hash);
       if (!matchedLive && !matchedPrevious) return null;
 
       // expires_at takes precedence over everything else. A key whose
@@ -561,7 +555,7 @@ function create(opts) {
       // row can claim the UNIQUE column without colliding. We use a
       // placeholder hash (the row id under a rotate-marker namespace)
       // so the UNIQUE constraint stays honoured.
-      var placeholderHash = _b().crypto.namespaceHash(
+      var placeholderHash = b.crypto.namespaceHash(
         "api-key-rotated-placeholder", current.id + ":" + ts
       );
       await query(
@@ -572,7 +566,7 @@ function create(opts) {
 
       // Issue the replacement row. Scopes / rate-limit / expiry /
       // owner all carry forward verbatim — rotation is plaintext-only.
-      var newId        = _b().uuid.v7();
+      var newId        = b.uuid.v7();
       var plaintext    = _generateToken();
       var newHash      = _hashToken(plaintext);
       var row = {
@@ -704,7 +698,7 @@ function create(opts) {
         throw miss;
       }
 
-      var rowId = _b().uuid.v7();
+      var rowId = b.uuid.v7();
       await query(
         "INSERT INTO api_key_usage (id, key_id, endpoint, occurred_at) " +
         "VALUES (?1, ?2, ?3, ?4)",