@blamejs/blamejs-shop 0.3.66 → 0.3.68

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.3.x
 
+- v0.3.68 (2026-06-05) — **Delivery estimates: "Get it by" dates on the product and cart pages.** The product page and cart can now promise a delivery date. Operators configure the inputs at /admin/delivery-estimates — carrier transit times, warehouse cutoff hours, shipping holidays, and postal-prefix zones — and name the origin warehouse via the SHOP_ESTIMATE_ORIGIN environment variable or the shop.estimate_origin config row. A signed-in customer with a saved shipping address then sees "Get it by <date>" computed from the cutoff clock, transit days, and the holiday calendar. Anonymous visitors served from the edge cache deliberately see no date: an estimate is destination-specific, and a date baked into a shared cached page would show one visitor's delivery promise to everyone while going stale in the cache. The product and cart markup builders are byte-identical across the edge and container renderers with a deterministic date formatter, locked by a parity test. A store that has not configured estimates renders exactly what it does today — nothing — and a configuration gap can never produce a customer-facing error. **Added:** *Configurable delivery-date estimates* — The delivery-estimate primitive is wired end to end: an /admin/delivery-estimates console manages carrier transit times, order-cutoff hours per warehouse, shipping holidays, and postal-prefix zone mappings, with each mutation audited; the product and cart pages render "Get it by <date>" for signed-in customers with a saved shipping address once an origin warehouse is configured. Estimates render only where the destination is actually known — never on shared edge-cached pages — and every estimate read is fail-quiet: missing configuration, an unmatched destination, or a computation error renders no estimate rather than an error. Operators enable it by setting the origin (SHOP_ESTIMATE_ORIGIN or the shop.estimate_origin config row) and authoring at least one cutoff, transit time, and postal zone.
+
+- v0.3.67 (2026-06-05) — **Digital orders no longer require a shipping address, and search ranking shrugs off malformed weights.** A cart containing only digital goods completes checkout since 0.3.63, but the shipping form still demanded a street address and city the order would never use. For an all-digital cart, the form now marks the address fields optional with an honest note — email stays required for the receipt and country for tax — and the backend enforces exactly the same relaxed set, while any value the shopper does supply is still format-validated. Carts with any shippable item keep the full requirements. Separately, the search ranker now skips a non-numeric weight in a hand-edited weight set instead of letting it poison every score into NaN and garble the result order; the edge and container rankers apply the identical filter, keeping their orders locked together even on malformed configuration. **Fixed:** *Digital-only carts check out without a street address* — When no line in the cart requires shipping, the checkout form renders the address block as optional — the required markers move off street and city, a note explains that a digital order ships nothing and country is kept for tax, and the backend requires exactly email, name, and country. Values the shopper supplies anyway are still format-validated, including the per-field error rendering. A cart with any physical item keeps the full address requirements, and a missing variant record counts as physical, so the relaxation can never trigger on incomplete data. · *Search ranking ignores non-numeric weights instead of corrupting the order* — A weight set carrying a non-numeric value — possible through a hand-edited database row — multiplied into every product's score as NaN, making the result order effectively random on the container while the edge filtered the bad weight and produced a different order. Both rankers now skip non-numeric weights identically, so a malformed entry degrades to "that signal contributes nothing" with edge and container orders staying byte-identical.
+
 - v0.3.66 (2026-06-05) — **Production server errors are readable from the admin console and the CLI.** When a server-side failure was scrubbed to a clean customer-facing page — a payment-processor rejection at checkout, a public-API failure, an admin-action error — the underlying detail was only visible in the hosting dashboard's container log viewer. The error-log primitive now captures those failures into the database: route, method, status, a length-bounded message, and a timestamp, ring-buffered to the newest five hundred entries, written fire-and-forget so a logging failure can never affect a customer request, and carrying no customer or session data. A new Errors screen in the admin console lists them newest-first, and the same route answers a bearer-token request with JSON, so operators and tooling can read production errors with one curl. A schema migration adds the message column and applies on deploy. **Added:** *Server-error capture with an admin Errors screen and JSON API* — Scrubbed 500-class failures — the checkout confirm step, the public catalog API, and admin console actions — now also record route, method, status, and a truncated error message into the error-log table (newest five hundred kept; writes are drop-silent and never awaited in the request path; no customer, session, or header data is stored). GET /admin/errors renders the newest entries in the console with every cell escaped, and the same path with an Authorization: Bearer admin token returns JSON for command-line and tooling access. Migration 0208 adds the message column plus an index and applies with the normal deploy.
 
 - v0.3.65 (2026-06-04) — **Operator-tuned search ranking applies to edge-served visitors.** Search-ranking weight sets and manual pins applied only on container-served search — anonymous visitors, who are served from the edge cache and make up most traffic, got unranked results no matter what the operator tuned. The edge search path now applies the identical ranking: pinned products lead in their configured positions, the rest order by the active weight set, with byte-identical scoring pinned by a parity test in the same style as the existing faceting and synonym parity guards. Ranking and pin changes reach edge visitors within the same sixty-second cache window as every other operator-tunable edge surface. If the ranking tables are absent or unconfigured, edge search degrades to its previous unranked order rather than failing. **Fixed:** *Edge search results honor ranking weights and manual pins* — The /search route served from the edge ordered results by filter match alone, ignoring the active search weight set and any merchandiser pins, so ranking tuning was visible only to signed-in (container-served) visitors. The edge now loads the active weight set and pins on each cache fill and applies the same scoring as the container — pins first in position order, then weighted score descending, with identical tie-breaking. The two implementations are locked together by a parity test that runs the same fixtures through both. Changes the operator makes take effect for edge visitors within the standard sixty-second cache freshness window; a missing or unconfigured ranking table degrades to the unranked order, never an error.

package/README.md

@@ -66,6 +66,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/pricing.js`** | Pure-function money math — `lineTotal`, `subtotal`, `totals`, `format`. Multi-currency refused, banker's-style rounding, locale-aware via `Intl.NumberFormat`. |
 | **`lib/tax.js`** | Operator-table adapter. Country / state / postal_prefix → rate_bps. Most-specific-first match, banker's rounding. Pluggable adapter shape for future Stripe Tax / TaxJar / Avalara. |
 | **`lib/shipping.js`** | Operator-table adapter. Services with zones (flat or per-gram + base + min/max), free-over-threshold, `digital_only` flag. |
+| **`lib/delivery-estimate.js`** | "Get it by <date>" promises. Operators define carrier transit times, warehouse cutoffs, holidays, and postal-prefix zones at `/admin/delivery-estimates`; the product and cart pages then show a signed-in customer a delivery date computed against their saved shipping address and the configured origin (`SHOP_ESTIMATE_ORIGIN` or the `shop.estimate_origin` config row). Anonymous, edge-cached pages deliberately render no date — estimates are destination-specific and never bake into the shared cache. Unconfigured stores render nothing, never an error. |
 | **`lib/payment.js`** | Payment adapters — **Stripe** (verify webhook HMAC-SHA256 via upstream `b.webhook.verify`, create / retrieve / confirm / cancel PaymentIntent, refund, register / list payment-method domains for Apple/Google Pay) and **PayPal** (`adapter: "paypal"` — OAuth2 client-credentials token, create / capture / get / refund Orders v2, webhook verify via PayPal's verify-webhook-signature API). No `stripe` / `paypal` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
 | **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. |
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` validates the ship-to address (real ISO 3166-1 country; US/CA state + ZIP/postal formats; lenient elsewhere) and the customer email shape, then creates a Stripe PaymentIntent + persists order pending; `handleStripeEvent()` verifies webhook + fires the FSM transition. PayPal path: `createPaypalOrder()` opens a PayPal order + persists pending, `capturePaypalOrder()` captures → paid, `handlePaypalEvent()` is the webhook backstop. All idempotent on re-delivery. |
@@ -96,7 +97,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/giftcards.js`** | Prepaid bearer gift cards. `issue({ amount_minor, currency })` generates a 16-char code (32-glyph alphabet, no ambiguous letters) via `b.crypto.generateBytes`, stores only its `namespaceHash` digest + a 4-char hint, and returns the plaintext code once. `balance(code)` / `lookup(code)` resolve a code to its live balance (constant-time hash compare); `redeem({ code, order_id, amount_minor })` decrements the balance with an atomic `balance >= amount` SQL guard so concurrent spends can't overdraw. Redeemed at checkout as a credit against the order grand total: the amount due drops by the applied balance (never below zero), the order still records the full total it owed, and the debit is recorded once per order — a card that fully covers the order is marked paid with no Stripe charge. Customers check a balance at `GET /gift-cards`; the page is not a code-existence oracle (unknown / malformed / expired all return the same generic not-found). |
 | **`lib/gift-card-ledger.js`** | Append-only credit / debit / expire history per gift card, with a denormalized `balance_after_minor` snapshot for O(1) balance reads. `credit` / `debit` / `expire` write one row each; `history(id)` paginates a card's transactions; `transactionsForOrder(id)` lists a card's movements for one order. The audit trail behind the admin gift-card ledger console; overdraft is refused at the primitive layer. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, and Discounts links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |
 

package/lib/admin.js

@@ -573,7 +573,7 @@ function mount(router, deps) {
   // `reports` is always present in the nav (read-only sales summary needs no
   // extra dep); its route mounts unconditionally and renders an unconfigured
   // notice when the salesReports primitive isn't wired.
-  var navAvailable = { returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog };
+  var navAvailable = { returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog };
 
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
 
@@ -8910,6 +8910,170 @@ function mount(router, deps) {
     ));
   }
 
+  // ---- delivery estimates ---------------------------------------------
+  //
+  // The "Get it by <date>" tables on one console screen: carrier transits
+  // (per from→to zone / carrier / service-level transit-day budget), origin
+  // cutoffs (the daily local-time ship-by per origin location + IANA tz),
+  // observed holidays (per region, dropped from the business-day count), and
+  // postal-prefix → zone mappings (destination lookup). Each is create +
+  // list + archive (transits + holidays archive by uuid; cutoffs + postal
+  // zones are upserts with no archive — re-author to change). The only free-
+  // text field is a holiday's `name`, escaped at render. Every date field
+  // validates against the primitive's DATE_RE (it re-validates server-side,
+  // so a bad date is a 400 notice, never a 500); carrier / service-level /
+  // zone / postal-prefix are enum/regex-bounded by the primitive.
+  var deliveryEstimate = deps.deliveryEstimate || null;
+  if (deliveryEstimate) {
+    // Re-read every table for the screen in one helper so create / archive
+    // re-renders all share the same shape. Drop-silent per table: an
+    // unmigrated table degrades to an empty list, never a 500.
+    async function _deliveryEstimateModel() {
+      var model = { transits: [], cutoffs: [], holidays: [], postal_zones: [] };
+      try { model.transits     = await deliveryEstimate.listTransits({}); }    catch (_e) { model.transits = []; }
+      try { model.cutoffs      = await deliveryEstimate.listCutoffs(); }       catch (_e) { model.cutoffs = []; }
+      try { model.holidays     = await deliveryEstimate.listHolidays({}); }    catch (_e) { model.holidays = []; }
+      try { model.postal_zones = await deliveryEstimate.listPostalZones({}); } catch (_e) { model.postal_zones = []; }
+      return model;
+    }
+
+    // One handler factory per create surface — each defines a row, then on
+    // the HTML path re-renders the screen with a 400 notice on a TypeError
+    // (the primitive's own validation throws carry operator-safe text) and
+    // routes everything else through the shared classifier so a raw
+    // constraint / unknown error can't reach the banner.
+    function _deCreate(kind, auditAction, define, transform) {
+      return _pageOrApi(false,
+        W(auditAction, async function (req, res) {
+          var row = await define(transform(req.body || {}));
+          _json(res, 201, row);
+          return { id: (row && (row.id || row.origin_location || row.postal_prefix)) || kind };
+        }),
+        async function (req, res) {
+          try {
+            await define(transform(req.body || {}));
+          } catch (e) {
+            var n = _safeNotice(e, auditAction);
+            var noticeMsg = n.message.replace(/^deliveryEstimate[.:]\s*/, "");
+            var model = await _deliveryEstimateModel();
+            return _sendHtml(res, n.status, renderAdminDeliveryEstimates(Object.assign({
+              shop_name: deps.shop_name, nav_available: navAvailable, notice: noticeMsg,
+            }, model)));
+          }
+          b.audit.safeEmit({ action: AUDIT_NAMESPACE + "." + auditAction, outcome: "success" });
+          _redirect(res, "/admin/delivery-estimates?created=" + kind);
+        },
+      );
+    }
+
+    router.post("/admin/delivery-estimates/transits", _deCreate(
+      "transit", "delivery_transit.create",
+      function (input) { return deliveryEstimate.defineCarrierTransit(input); },
+      function (body) {
+        return {
+          from_zone:     typeof body.from_zone === "string" ? body.from_zone.trim() : body.from_zone,
+          to_zone:       typeof body.to_zone   === "string" ? body.to_zone.trim()   : body.to_zone,
+          carrier:       typeof body.carrier   === "string" ? body.carrier.trim()   : body.carrier,
+          service_level: typeof body.service_level === "string" ? body.service_level.trim() : body.service_level,
+          transit_days:  _strictMinorInt(body.transit_days, "deliveryEstimate", "transit_days"),
+        };
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/cutoffs", _deCreate(
+      "cutoff", "delivery_cutoff.create",
+      function (input) { return deliveryEstimate.defineCutoff(input); },
+      function (body) {
+        return {
+          origin_location:         typeof body.origin_location === "string" ? body.origin_location.trim() : body.origin_location,
+          daily_cutoff_local_time: typeof body.daily_cutoff_local_time === "string" ? body.daily_cutoff_local_time.trim() : body.daily_cutoff_local_time,
+          timezone:                typeof body.timezone === "string" ? body.timezone.trim() : body.timezone,
+        };
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/holidays", _deCreate(
+      "holiday", "delivery_holiday.create",
+      function (input) { return deliveryEstimate.defineHoliday(input); },
+      function (body) {
+        return {
+          region: typeof body.region === "string" ? body.region.trim() : body.region,
+          date:   typeof body.date   === "string" ? body.date.trim()   : body.date,
+          name:   body.name,
+        };
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/postal-zones", _deCreate(
+      "postal_zone", "delivery_postal_zone.create",
+      function (input) { return deliveryEstimate.definePostalZone(input); },
+      function (body) {
+        return {
+          country:       typeof body.country === "string" ? body.country.trim().toUpperCase() : body.country,
+          postal_prefix: typeof body.postal_prefix === "string" ? body.postal_prefix.trim() : body.postal_prefix,
+          zone:          typeof body.zone === "string" ? body.zone.trim() : body.zone,
+        };
+      },
+    ));
+
+    router.get("/admin/delivery-estimates", _pageOrApi(true,
+      R(async function (req, res) {
+        _json(res, 200, await _deliveryEstimateModel());
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var model = await _deliveryEstimateModel();
+        _sendHtml(res, 200, renderAdminDeliveryEstimates(Object.assign({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          created:  url && url.searchParams.get("created"),
+          archived: url && url.searchParams.get("archived"),
+          notice:   (url && url.searchParams.get("err")) ? "That action couldn't be completed." : null,
+        }, model)));
+      },
+    ));
+
+    // Archive a transit / holiday by its uuid. Both archive surfaces share
+    // the same shape: a TypeError (bad uuid) is a 400; a null result (no
+    // such row) re-renders with a notice; success redirects with ?archived.
+    router.post("/admin/delivery-estimates/transits/:id/archive", _pageOrApi(false,
+      W("delivery_transit.archive", async function (req, res) {
+        var row;
+        try { row = await deliveryEstimate.archiveTransit(req.params.id); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "transit-not-found");
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var row = null;
+        try { row = await deliveryEstimate.archiveTransit(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _redirect(res, "/admin/delivery-estimates?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".delivery_transit.archive", outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/delivery-estimates?archived=transit");
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/holidays/:id/archive", _pageOrApi(false,
+      W("delivery_holiday.archive", async function (req, res) {
+        var row;
+        try { row = await deliveryEstimate.archiveHoliday(req.params.id); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "holiday-not-found");
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var row = null;
+        try { row = await deliveryEstimate.archiveHoliday(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _redirect(res, "/admin/delivery-estimates?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".delivery_holiday.archive", outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/delivery-estimates?archived=holiday");
+      },
+    ));
+  }
+
   // Translate the create form / JSON body into a defineZone input. The
   // console form is the single-country, single-flat-rate shape; the
   // bearer JSON path can pass the full regions[]/rates[] arrays directly,
@@ -10710,6 +10874,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "tax",          href: "/admin/tax-rates",    label: "Tax",          requires: "taxRates" },
   { key: "tax-filings",  href: "/admin/tax-filings",  label: "Tax filings",  requires: "salesTaxFilings" },
   { key: "shipping",     href: "/admin/shipping",     label: "Shipping",     requires: "shippingZones" },
+  { key: "delivery-estimates", href: "/admin/delivery-estimates", label: "Delivery estimates", requires: "deliveryEstimate" },
   { key: "shipping-labels", href: "/admin/shipping-labels", label: "Shipping labels", requires: "shippingLabels" },
   { key: "pick-lists",   href: "/admin/pick-lists",   label: "Pick lists",   requires: "pickLists" },
   { key: "announcements", href: "/admin/announcements", label: "Announcements", requires: "announcementBar" },
@@ -14211,6 +14376,138 @@ function renderAdminShippingZone(opts) {
   return _renderAdminShell(opts.shop_name, "Zone " + z.slug, body, "shipping", opts.nav_available);
 }
 
+// Delivery-estimate console — the four "Get it by <date>" tables (carrier
+// transits, origin cutoffs, observed holidays, postal-prefix → zone) each
+// with a list + a create form, transits + holidays carrying an archive
+// button. The only operator free-text field is a holiday's `name`, escaped
+// on render. Carrier is a fixed <select> (the primitive's CARRIERS enum);
+// every other field is regex-bounded server-side, so a bad value is a 400
+// notice, never a 500.
+function renderAdminDeliveryEstimates(opts) {
+  opts = opts || {};
+  var transits = opts.transits || [];
+  var cutoffs  = opts.cutoffs  || [];
+  var holidays = opts.holidays || [];
+  var zones    = opts.postal_zones || [];
+
+  var created  = opts.created  ? "<div class=\"banner banner--ok\">Entry created.</div>" : "";
+  var archived = opts.archived ? "<div class=\"banner banner--ok\">Entry archived.</div>" : "";
+  var notice   = opts.notice   ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+
+  var CARRIERS = ["ups", "fedex", "usps", "dhl", "flat_rate", "custom"];
+  var carrierOpts = CARRIERS.map(function (c) {
+    return "<option value=\"" + _htmlEscape(c) + "\">" + _htmlEscape(c) + "</option>";
+  }).join("");
+
+  // ---- carrier transits ----
+  var transitRows = transits.map(function (t) {
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(t.from_zone) + "</code> &rarr; <code class=\"order-id\">" + _htmlEscape(t.to_zone) + "</code></td>" +
+      "<td>" + _htmlEscape(t.carrier) + "</td>" +
+      "<td>" + _htmlEscape(t.service_level) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(String(t.transit_days)) + "</td>" +
+      "<td><form method=\"post\" action=\"/admin/delivery-estimates/transits/" + _htmlEscape(encodeURIComponent(t.id)) + "/archive\" class=\"form-inline\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form></td>" +
+    "</tr>";
+  }).join("");
+  var transitTable = transits.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Zone pair</th><th scope=\"col\">Carrier</th><th scope=\"col\">Service</th><th scope=\"col\" class=\"num\">Transit days</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + transitRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No carrier transits yet.</p>";
+  var transitForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add a carrier transit</h3>" +
+      "<p class=\"meta\">The carrier-declared business-day budget for one zone pair and service level.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/transits\">" +
+        _setupField("From zone", "from_zone", "", "text", "Origin zone slug, e.g. dc-east.", " maxlength=\"64\" class=\"input-code\" required") +
+        _setupField("To zone", "to_zone", "", "text", "Destination zone slug, e.g. us-west.", " maxlength=\"64\" class=\"input-code\" required") +
+        "<label class=\"form-field\"><span>Carrier</span><select name=\"carrier\" required>" + carrierOpts + "</select></label>" +
+        _setupField("Service level", "service_level", "", "text", "e.g. GROUND, TWO_DAY.", " maxlength=\"64\" class=\"input-code\" required") +
+        _setupField("Transit days", "transit_days", "", "number", "Business days in transit, 0–365.", " min=\"0\" max=\"365\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add transit</button></div>" +
+      "</form>" +
+    "</div>";
+
+  // ---- origin cutoffs ----
+  var cutoffRows = cutoffs.map(function (c) {
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(c.origin_location) + "</code></td>" +
+      "<td>" + _htmlEscape(c.daily_cutoff_local_time) + "</td>" +
+      "<td>" + _htmlEscape(c.timezone) + "</td>" +
+    "</tr>";
+  }).join("");
+  var cutoffTable = cutoffs.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Origin</th><th scope=\"col\">Cutoff (local)</th><th scope=\"col\">Timezone</th></tr></thead><tbody>" + cutoffRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No origin cutoffs yet.</p>";
+  var cutoffForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add an origin cutoff</h3>" +
+      "<p class=\"meta\">The daily local-time cutoff for an origin. Orders after it ship the next business day. Re-add to change.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/cutoffs\">" +
+        _setupField("Origin location", "origin_location", "", "text", "Origin slug, e.g. dc-east.", " maxlength=\"80\" class=\"input-code\" required") +
+        _setupField("Daily cutoff (HH:MM)", "daily_cutoff_local_time", "", "text", "24-hour local time, e.g. 14:00.", " maxlength=\"5\" class=\"input-code\" required") +
+        _setupField("Timezone", "timezone", "", "text", "IANA name, e.g. America/New_York.", " maxlength=\"64\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add cutoff</button></div>" +
+      "</form>" +
+    "</div>";
+
+  // ---- observed holidays ----
+  var holidayRows = holidays.map(function (h) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(h.region) + "</td>" +
+      "<td>" + _htmlEscape(h.date) + "</td>" +
+      "<td>" + _htmlEscape(h.name) + "</td>" +
+      "<td><form method=\"post\" action=\"/admin/delivery-estimates/holidays/" + _htmlEscape(encodeURIComponent(h.id)) + "/archive\" class=\"form-inline\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form></td>" +
+    "</tr>";
+  }).join("");
+  var holidayTable = holidays.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Region</th><th scope=\"col\">Date</th><th scope=\"col\">Name</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + holidayRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No holidays yet.</p>";
+  var holidayForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add an observed holiday</h3>" +
+      "<p class=\"meta\">A non-shipping date dropped from a region's business-day count.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/holidays\">" +
+        _setupField("Region", "region", "", "text", "Operator region slug, e.g. us or us-ca.", " maxlength=\"16\" class=\"input-code\" required") +
+        _setupField("Date", "date", "", "text", "YYYY-MM-DD.", " maxlength=\"10\" class=\"input-code\" required") +
+        _setupField("Name", "name", "", "text", "e.g. Independence Day.", " maxlength=\"200\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add holiday</button></div>" +
+      "</form>" +
+    "</div>";
+
+  // ---- postal-prefix → zone ----
+  var zoneRows = zones.map(function (z) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(z.country) + "</td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(z.postal_prefix) + "</code></td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(z.zone) + "</code></td>" +
+    "</tr>";
+  }).join("");
+  var zoneTable = zones.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Country</th><th scope=\"col\">Postal prefix</th><th scope=\"col\">Zone</th></tr></thead><tbody>" + zoneRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No postal zones yet.</p>";
+  var zoneForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add a postal-prefix zone</h3>" +
+      "<p class=\"meta\">Map a destination postal-code prefix to a transit zone. Longest matching prefix wins. Re-add to change.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/postal-zones\">" +
+        _setupField("Country", "country", "", "text", "ISO 3166-1 alpha-2, e.g. US.", " maxlength=\"2\" class=\"input-code\" required") +
+        _setupField("Postal prefix", "postal_prefix", "", "text", "e.g. 902 for US 90xxx.", " maxlength=\"16\" class=\"input-code\" required") +
+        _setupField("Zone", "zone", "", "text", "Destination zone slug, e.g. us-west.", " maxlength=\"64\" class=\"input-code\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add postal zone</button></div>" +
+      "</form>" +
+    "</div>";
+
+  var body = "<section><h2>Delivery estimates</h2>" + created + archived + notice +
+    "<p class=\"meta\">These four tables compose the storefront's “Get it by &lt;date&gt;” window. A customer sees a date only once an origin cutoff is configured for the origin their order ships from.</p>" +
+    "<h3 class=\"subhead subhead--sp-lg\">Carrier transits</h3>" + transitTable + transitForm +
+    "<h3 class=\"subhead subhead--sp-lg\">Origin cutoffs</h3>" + cutoffTable + cutoffForm +
+    "<h3 class=\"subhead subhead--sp-lg\">Observed holidays</h3>" + holidayTable + holidayForm +
+    "<h3 class=\"subhead subhead--sp-lg\">Postal-prefix zones</h3>" + zoneTable + zoneForm +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Delivery estimates", body, "delivery-estimates", opts.nav_available);
+}
+
 // Human one-liner for a rule's trigger / value JSON.
 function _fmtTrigger(t) {
   if (!t || !t.kind) return "—";

package/lib/asset-manifest.json

@@ -1,13 +1,13 @@
 {
-  "version": "0.3.66",
+  "version": "0.3.68",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",
       "fingerprinted": "css/admin.44eb97700c660798.css"
     },
     "css/main.css": {
-      "integrity": "sha384-pEf1nxijlK9mXs8LacGqzNmr+WzjMR7c17Gsx24YS1PharS/BWa62RU/fUL8XSa6",
-      "fingerprinted": "css/main.bb97cd4c4b867440.css"
+      "integrity": "sha384-kjpDvd8TisWdb45G5S2FyHOo4plk5DiOMO0aTZWxKCJhAhBEo55yABnv5BbUpzS4",
+      "fingerprinted": "css/main.337a7be6244cd7c0.css"
     },
     "js/announcement.js": {
       "integrity": "sha384-z4zcEMn+tScoVnYRE4nEf8N/oyvpxdpaxTNrT4QO/jURChid4+qjAvWkzatCaAPq",

package/lib/search-ranking.js

@@ -401,7 +401,14 @@ function create(opts) {
       if (typeof raw === "boolean") n = raw ? 1 : 0;
       else if (typeof raw === "number" && isFinite(raw)) n = raw;
       else continue;
-      score += weights[k] * n;
+      // Defensive: a hand-edited weights_json row can carry a non-numeric
+      // weight; multiplying by it would NaN-poison the score and garble
+      // the sort. Skip it — the edge mirror (worker/data/search-ranking.js)
+      // applies the same filter, keeping the two rankers order-identical
+      // on malformed config.
+      var w = weights[k];
+      if (typeof w !== "number" || !isFinite(w)) continue;
+      score += w * n;
     }
     return score;
   }

package/lib/storefront.js

@@ -2083,6 +2083,55 @@ function _pdpShippingNote(availability) {
          "See our <a href=\"/terms\">shipping &amp; returns policy</a>.</p>";
 }
 
+// "Get it by <date>" delivery-estimate line for the PDP + cart. Renders the
+// SHARED markup the dual-render parity gate pins — kept byte-for-byte in sync
+// with worker/render/product.js#_buildDeliveryEstimate (and the cart twin) so
+// the PDP/cart land identical across substrates.
+//
+// THE DESIGN RULE: the edge ALWAYS passes estimate=null. The arrival date is
+// destination-specific (it's derived from the signed-in customer's shipping
+// address) and edge pages are shared-cacheable across anonymous visitors, so
+// baking a date would serve one visitor's ZIP date to everyone — and a
+// computed date also goes stale in the cache. So estimate=null renders EMPTY
+// (the builder returns ""), keeping the edge output byte-stable; the real date
+// renders container-only when the route resolves a per-customer estimate.
+//
+// `estimate` (when present) is the resolved display shape the route builds:
+//   { deliver_by, latest_by?, service_label }
+// where deliver_by / latest_by are YYYY-MM-DD strings (origin-timezone) and
+// service_label is the carrier service the date is for. The date is formatted
+// here with a self-contained deterministic formatter (no toLocaleDateString —
+// its output is locale/runtime-dependent and would break the byte-parity gate)
+// so the same YYYY-MM-DD always yields the same "Thu, Jun 12" wherever it runs.
+function _formatDeliveryDate(ymd) {
+  // ymd is YYYY-MM-DD; format as "Thu, Jun 12" deterministically. Date.UTC
+  // gives a runtime-stable weekday (Sun=0..Sat=6) with no timezone drift.
+  var DOW = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"];
+  var MON = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
+  var y = Number(ymd.slice(0, 4));
+  var m = Number(ymd.slice(5, 7));
+  var d = Number(ymd.slice(8, 10));
+  var wd = new Date(Date.UTC(y, m - 1, d)).getUTCDay();
+  return DOW[wd] + ", " + MON[m - 1] + " " + d;
+}
+function _buildDeliveryEstimate(estimate, esc) {
+  if (!estimate || typeof estimate !== "object" || !estimate.deliver_by) return "";
+  var by = _formatDeliveryDate(estimate.deliver_by);
+  // A range when the slowest service lands later than the fastest — "by Thu,
+  // Jun 12" becomes "Tue, Jun 10 – Thu, Jun 12" so the shopper sees the window,
+  // not just the optimistic edge.
+  var dateText = (estimate.latest_by && estimate.latest_by !== estimate.deliver_by)
+    ? _formatDeliveryDate(estimate.deliver_by) + " – " + _formatDeliveryDate(estimate.latest_by)
+    : "by " + by;
+  var svc = estimate.service_label
+    ? " <span class=\"delivery-est__svc\">via " + esc(estimate.service_label) + "</span>"
+    : "";
+  return "<p class=\"delivery-est\" role=\"status\">" +
+           "<span class=\"delivery-est__icon\" aria-hidden=\"true\">🚚</span> " +
+           "<span class=\"delivery-est__label\">Get it " + esc(dateText) + "</span>" + svc +
+         "</p>";
+}
+
 // Pre-order CTA — replaces the add-to-cart buy box on a PDP whose lead SKU
 // has an OPEN pre-order campaign (a SKU that isn't released yet, so it's not
 // normally purchasable). `preorder` is the resolved shape the route loads:
@@ -2271,6 +2320,7 @@ var PRODUCT_PAGE =
   "      RAW_AVAILABILITY_PLACEHOLDER\n" +
   "      RAW_BUYBOX_PLACEHOLDER\n" +
   "      RAW_SHIPPING_NOTE_PLACEHOLDER\n" +
+  "      RAW_DELIVERYESTIMATE_PLACEHOLDER\n" +
   "      RAW_QTYBREAK_PLACEHOLDER\n" +
   "      RAW_WISHLIST_PLACEHOLDER\n" +
   "      RAW_COMPARE_PLACEHOLDER\n" +
@@ -6229,6 +6279,13 @@ function renderProduct(opts) {
   buyboxHtml = _buildPreorderNotice(opts.preorder_notice) + buyboxHtml;
   var availabilityHtml = _buildAvailability(availability);
   var shippingNoteHtml = _pdpShippingNote(availability);
+  // "Get it by <date>" — container-only (the route resolves a per-customer
+  // estimate; the edge passes no `delivery_estimate`, so this renders empty
+  // and the edge PDP stays byte-stable). Suppressed on a digital-only product
+  // (nothing ships) and on a pre-order CTA (the release date is the headline).
+  var deliveryEstimateHtml = (availability.requires_shipping && !preorderShape)
+    ? _buildDeliveryEstimate(opts.delivery_estimate, b.template.escapeHtml)
+    : "";
   var galleryHtml = _buildPdpGallery(opts.product, opts.media || [], opts.asset_prefix || "/assets/");
   var reviewsHtml = _buildReviews(opts.review_summary, opts.reviews, opts.review_cta);
   var qaHtml = _buildProductQa(opts.qa_questions, opts.qa_cta);
@@ -6244,6 +6301,7 @@ function renderProduct(opts) {
     .replace("RAW_AVAILABILITY_PLACEHOLDER", availabilityHtml)
     .replace("RAW_BUYBOX_PLACEHOLDER", buyboxHtml)
     .replace("RAW_SHIPPING_NOTE_PLACEHOLDER", shippingNoteHtml)
+    .replace("RAW_DELIVERYESTIMATE_PLACEHOLDER", deliveryEstimateHtml)
     .replace("RAW_QTYBREAK_PLACEHOLDER", qtyBreaksHtml)
     .replace("RAW_WISHLIST_PLACEHOLDER", wishlistHtml)
     .replace("RAW_COMPARE_PLACEHOLDER", compareHtml)
@@ -6412,12 +6470,19 @@ var CART_LINE_EDITABLE =
 // `p` pre-fills each field (from a signed-in customer's default shipping
 // address, or the shopper's own typed values on a validation re-render);
 // every value is escaped by `_addrField` / the email builder.
-// Street line 1 + city are marked required for the common physical-goods
-// path, and the POST handler enforces the same set server-side via
-// _requireCheckoutFields (backend validates, frontend displays). The
-// service tier (checkout._shipTo) stays presence-optional so a non-form
+//
+// `allDigital` flips the address block to optional: when every cart line
+// is a no-shipment good (variant requires_shipping = 0), street line 1 +
+// city drop their `required` attr + `*` marker and a short note explains
+// the order needs no shipping address. Country stays required because the
+// tax quote keys off it (checkout._shipTo validates a country on every
+// quote, digital included). For a cart with ANY shippable line, line1 +
+// city stay required for the common physical-goods path. The POST handler
+// enforces the SAME contract server-side via _requireCheckoutFields with
+// the same flag (backend validates, frontend displays). The service tier
+// (checkout._shipTo) stays presence-optional regardless so a non-form
 // caller can still complete a digital-only order with a bare country.
-function _checkoutShippingFields(p, inv) {
+function _checkoutShippingFields(p, inv, allDigital) {
   p = p || {};
   var esc = b.template.escapeHtml;
   // Merge the per-field invalid marker (a { field, message } from
@@ -6439,12 +6504,20 @@ function _checkoutShippingFields(p, inv) {
         _fieldAriaAttr("co-err-", "email", inv) + ">" +
       _fieldErrorSpan("co-err-", "email", inv) +
     "</label>";
+  // For an all-digital cart the address is optional — line1 + city lose
+  // the `required` attr/marker and a note says so. A mixed/physical cart
+  // keeps them required (the un-flagged default).
+  var addrRequired = !allDigital;
+  var digitalNote = allDigital
+    ? "<p class=\"checkout-page__digital-note\">This is a digital order — no shipping address needed. Just confirm your country below for tax.</p>"
+    : "";
   return email +
     _addrField("name",  "Full name",      p.name,  _mark("name",  { required: true, maxlength: 120, autocomplete: "name" })) +
-    _addrField("line1", "Street address", p.line1, _mark("line1", { required: true, maxlength: 200, autocomplete: "address-line1" })) +
+    digitalNote +
+    _addrField("line1", "Street address", p.line1, _mark("line1", { required: addrRequired, maxlength: 200, autocomplete: "address-line1" })) +
     _addrField("line2", "Apt / suite / unit (optional)", p.line2, _mark("line2", { maxlength: 200, autocomplete: "address-line2" })) +
     "<div class=\"form-row form-row--inline\">" +
-      _addrField("city",  "City", p.city, _mark("city", { required: true, maxlength: 120, autocomplete: "address-level2" })) +
+      _addrField("city",  "City", p.city, _mark("city", { required: addrRequired, maxlength: 120, autocomplete: "address-level2" })) +
       _addrField("state", "State / province code", p.state, _mark("state", { maxlength: 5, pattern: "[A-Za-z0-9]{1,5}", autocomplete: "address-level1" })) +
     "</div>" +
     "<div class=\"form-row form-row--inline\">" +
@@ -6483,13 +6556,23 @@ function _shipToFromBody(body) {
 // _checkoutFieldFromError maps each to its input. The PayPal create route
 // shares _shipToFromBody but not this gate — its format errors surface
 // through the same service-tier validators.
-function _requireCheckoutFields(body, shipTo) {
+//
+// `allDigital` (every cart line is a no-shipment good) drops the line1 +
+// city + region/postal presence gates: the order ships nothing, so only
+// email + name + a country (for the tax quote) are required. The country
+// itself is still validated for shape downstream by checkout._shipTo. Any
+// region/postal values the shopper DID supply still get format-validated
+// there — relaxing presence never relaxes format. A cart with ANY
+// shippable line keeps the full requirement set (the un-flagged default),
+// matching the form the GET path renders.
+function _requireCheckoutFields(body, shipTo, allDigital) {
   if (!body.email || !String(body.email).trim()) {
     throw new TypeError("checkout: customer.email — Enter your email address.");
   }
   if (!body.name || !String(body.name).trim()) {
     throw new TypeError("checkout: customer.name — Enter the recipient's full name.");
   }
+  if (allDigital) return;   // digital order — no shipping address required (country shape is validated downstream)
   if (!shipTo.line1) throw new TypeError("checkout: ship_to.line1 — Enter a street address.");
   if (!shipTo.city)  throw new TypeError("checkout: ship_to.city — Enter a city.");
   if (shipTo.country === "US" || shipTo.country === "CA") {
@@ -6712,7 +6795,7 @@ function renderCheckoutForm(opts) {
   body = _spliceRaw(body, "RAW_TOTALS_ROWS", totalsRows);
   body = _spliceRaw(body, "RAW_SUMMARY_NOTE", summaryNote);
   body = _spliceRaw(body, "RAW_INLINE_ERROR", inlineError);
-  body = _spliceRaw(body, "RAW_SHIPPING_FIELDS", _checkoutShippingFields(opts.prefill, opts.invalid_field));
+  body = _spliceRaw(body, "RAW_SHIPPING_FIELDS", _checkoutShippingFields(opts.prefill, opts.invalid_field, !!opts.all_digital));
   body = _spliceRaw(body, "RAW_SUMMARY_LINES", summaryLines);
   // Pick-up-in-store picker, gift personalization, loyalty redeem, and the
   // CAPTCHA widget are spliced in ABOVE the submit action row — inside the
@@ -7542,6 +7625,7 @@ var CART_PAGE =
   "      <dl class=\"totals-list\">\n" +
   "RAW_TOTALS_ROWS" +
   "      </dl>\n" +
+  "RAW_CART_DELIVERYESTIMATE_PLACEHOLDER" +
   "RAW_CHECKOUT_CTA" +
   "    </aside>\n" +
   "  </div>\n" +
@@ -7825,10 +7909,20 @@ function renderCart(opts) {
         "        <div><dt>Subtotal</dt><dd>" + subtotal + "</dd></div>\n" +
         "        <div class=\"totals-list__grand\"><dt>Total</dt><dd>" + total + "</dd></div>\n";
     }
+    // "Get it by <date>" for the whole cart — the slowest line's window, so
+    // the shopper sees when EVERYTHING arrives, not the optimistic item. The
+    // SAME shared builder the PDP uses (byte-identical across the dual render),
+    // spliced into the summary aside. Container-only: the route resolves a
+    // per-customer estimate (signed-in + saved address); absent that, or on
+    // any primitive failure, opts.delivery_estimate is null and this renders
+    // empty. Indented to match the aside's two-space block.
+    var cartEstimateHtml = _buildDeliveryEstimate(opts.delivery_estimate, b.template.escapeHtml);
+    cartEstimateHtml = cartEstimateHtml ? "      " + cartEstimateHtml + "\n" : "";
     body = _render(CART_PAGE, {
       line_rows: "RAW_LINES",
     }).replace("RAW_LINES", rows)
       .replace("RAW_TOTALS_ROWS", totalsRows)
+      .replace("RAW_CART_DELIVERYESTIMATE_PLACEHOLDER", cartEstimateHtml)
       .replace("RAW_CHECKOUT_CTA", checkoutCta)
       .replace("RAW_CART_NOTICE", notice);
     // CONTAINER-ONLY gift wrap disclosure, appended after the cart grid (a
@@ -11082,6 +11176,80 @@ function mount(router, deps) {
     return { ship_to: { country: "US" }, from_saved: false };
   }
 
+  // Resolve the "Get it by <date>" delivery estimate for the PDP / cart. This
+  // is a DROP-SILENT defensive reader (the storefront read tier): it returns
+  // null on ANYTHING short of a clean, dated estimate — no deliveryEstimate
+  // dep, no signed-in customer, no saved shipping address with a postal code,
+  // an unconfigured origin/cutoff (the primitive THROWS a config-state
+  // TypeError there), or a no-match `{ ok:false }`. The route renders no
+  // estimate in every one of those cases, never a 500.
+  //
+  // WHY signed-in + saved-address only: the arrival date is destination-
+  // specific. The edge serves a shared cache across anonymous visitors and
+  // must never bake a per-visitor date, so the date is a container-only
+  // enhancement for a customer whose destination we already know (their
+  // default shipping address). v1 ships no anonymous ZIP-entry widget — that's
+  // a separate slice; an anonymous shopper simply sees no date.
+  //
+  // `originLocation` comes from operator config (`shop.estimate_origin`); the
+  // primitive REFUSES to guess an origin (no defaultLocation resolver is
+  // wired), so without that config row no estimate renders — by design.
+  // `weightGrams` (optional) lets the primitive's weight-aware rows apply.
+  //
+  // Returns the display shape the dual-render builder consumes:
+  //   { deliver_by, latest_by, service_label }
+  // or null.
+  async function _resolveDeliveryEstimate(req, opts) {
+    opts = opts || {};
+    if (!deps.deliveryEstimate) return null;
+    try {
+      // Per-customer destination: only a SIGNED-IN customer with a saved
+      // shipping address that carries a postal code yields a date. _normalize
+      // (inside _estimateDestination) drops a garbage postal, so a saved
+      // address with no usable postal falls through to null here.
+      var coAuth = _currentCustomerEnv(req);
+      if (!coAuth) return null;
+      var dest = await _estimateDestination(req);
+      if (!dest || !dest.from_saved || !dest.ship_to || !dest.ship_to.postal) return null;
+      // Operator-configured origin — the primitive won't guess one. Resolved
+      // at boot into `deps.delivery_estimate_origin` (a plain slug string) from
+      // SHOP_ESTIMATE_ORIGIN / the config primitive, since the storefront's
+      // sfDeps.config is a bare { shop_name } stub with no live .get(). Falls
+      // back to a per-request config read if a future caller wires a real
+      // config handle. Absent any origin, no date renders — by design.
+      var origin = (typeof deps.delivery_estimate_origin === "string" && deps.delivery_estimate_origin)
+        ? deps.delivery_estimate_origin
+        : null;
+      if (!origin && deps.config && typeof deps.config.get === "function") {
+        try { origin = await deps.config.get("shop.estimate_origin", null); }
+        catch (_e) { origin = null; }
+      }
+      if (typeof origin !== "string" || !origin) return null;
+      var est = await deps.deliveryEstimate.estimate({
+        origin_location:     origin,
+        destination_postal:  dest.ship_to.postal,
+        destination_country: dest.ship_to.country,
+        destination_region:  dest.ship_to.state ? dest.ship_to.state.toLowerCase() : undefined,
+        weight_grams:        Number.isInteger(opts.weight_grams) ? opts.weight_grams : undefined,
+      });
+      if (!est || !est.ok || !est.est_min_delivery_date) return null;
+      // The fastest service is the headline date (service_levels are sorted
+      // ascending by transit_days inside the primitive); the slowest gives the
+      // range upper bound so the line reads as a window, not a promise.
+      var fastest = est.service_levels && est.service_levels.length ? est.service_levels[0] : null;
+      return {
+        deliver_by:    est.est_min_delivery_date,
+        latest_by:     est.est_max_delivery_date || est.est_min_delivery_date,
+        service_label: fastest ? fastest.label : null,
+      };
+    } catch (_e) {
+      // Drop-silent — every config-state / validation throw the primitive
+      // raises (no cutoff row, origin_location required, a malformed saved
+      // postal) collapses to "no estimate", never a broken page.
+      return null;
+    }
+  }
+
   // Compute the cart/checkout totals the shopper sees BEFORE paying.
   // Composes the SAME tax + shipping primitives the charge runs through
   // (via checkout.quote, which prices tax against the pre-discount
@@ -11568,10 +11736,17 @@ function mount(router, deps) {
     // to a banner; only meaningful when a campaign is present.
     var pdpUrl = req.url ? new URL(req.url, "http://localhost") : null;
     var preorderNotice = pdpUrl ? pdpUrl.searchParams.get("preorder") : null;
+    // "Get it by <date>" — container-only, per-customer (see
+    // _resolveDeliveryEstimate). Weighted by the lead variant so the
+    // primitive's weight-aware transit rows apply. Drop-silent → null.
+    var leadWeight = firstVariant && Number.isInteger(firstVariant.weight_grams)
+      ? firstVariant.weight_grams : undefined;
+    var deliveryEstimate = await _resolveDeliveryEstimate(req, { weight_grams: leadWeight });
     var html = renderProduct(Object.assign({
       product:        product,
       variants:       variants,
       prices:         prices,
+      delivery_estimate: deliveryEstimate,
       preorder_campaign: preorderCampaign,
       preorder_notice:   preorderNotice,
       media:          media,
@@ -12025,10 +12200,17 @@ function mount(router, deps) {
         }
       } catch (_e) { giftWraps = []; giftWrapInCart = null; }
     }
+    // "Get it by <date>" for the whole cart — container-only, per-customer
+    // (see _resolveDeliveryEstimate). No weight is summed across lines (the
+    // cart estimate is the destination window, not a per-parcel weight quote);
+    // the primitive falls back to its weight-agnostic transit rows. Drop-
+    // silent → null, and the summary renders no estimate.
+    var cartEstimate = await _resolveDeliveryEstimate(req, {});
     _send(res, 200, renderCart(Object.assign({
       lines:           lines,
       totals:          totals,
       totals_detail:   totalsDetail,
+      delivery_estimate: cartEstimate,
       line_stock:      lineStock,
       product_lookup:  productLookup,
       can_save:        !!(deps.saveForLater && deps.customers),
@@ -12077,6 +12259,35 @@ function mount(router, deps) {
   }
 
   if (deps.checkout && deps.order) {
+    // True when EVERY cart line is a no-shipment good (its variant's
+    // requires_shipping is 0) — the cart ships nothing, so the checkout
+    // form drops the address requirement and the POST gate requires only
+    // email + name + country (for the tax quote). A missing variant row,
+    // a null/absent column, or an empty cart all read as "needs an
+    // address" (shippable) — relaxing the gate is the exception, never the
+    // default, so a lookup gap can't hide a required field. Mirrors
+    // checkout._buildQuote's per-line `!!v.requires_shipping` enrichment.
+    // The GET render path computes this inline from the variant rows it
+    // already fetches for the order-summary lookup (no second query pass);
+    // the POST gate has no such lookup, so it resolves here.
+    async function _cartAllDigital(lines) {
+      if (!lines || !lines.length) return false;
+      if (!deps.catalog || !deps.catalog.variants || typeof deps.catalog.variants.get !== "function") {
+        return false;   // can't prove all-digital → keep the address gate
+      }
+      var shipByVariant = {};
+      for (var i = 0; i < lines.length; i += 1) {
+        var vid = lines[i].variant_id;
+        if (shipByVariant[vid] !== undefined) continue;
+        var v = await deps.catalog.variants.get(vid);
+        shipByVariant[vid] = !v || v.requires_shipping == null || Number(v.requires_shipping) === 1;
+      }
+      for (var j = 0; j < lines.length; j += 1) {
+        if (shipByVariant[lines[j].variant_id] !== false) return false;   // a shippable line
+      }
+      return true;
+    }
+
     // Build the renderCheckoutForm() opts for an active cart `c`: repriced
     // lines, totals, the thumbnail lookup, and the signed-in customer's
     // loyalty balance + prefill. Shared by the GET handler and the POST
@@ -12097,16 +12308,41 @@ function mount(router, deps) {
       var totals = totalsDetail.totals;
       // variant_id → { product, hero_media } lookup for the summary
       // thumbnails + titles — same shape (and caching) the cart route uses.
+      // The SAME variant row (catalog returns SELECT * — requires_shipping
+      // is on it) feeds the all-digital determination below, so the form
+      // can drop the address requirement on a no-shipment cart without a
+      // second query pass. `shipBySku` caches requires_shipping per variant
+      // so a duplicate cart line never re-fetches. A line whose variant row
+      // is missing is treated as shippable (the never-relax-on-missing-data
+      // stance), so a lookup gap can never accidentally hide a required
+      // address.
       var checkoutLookup = {};
+      var shipByVariant = {};
       for (var li = 0; li < lines.length; li += 1) {
         var lvId = lines[li].variant_id;
-        if (checkoutLookup[lvId]) continue;
+        if (checkoutLookup[lvId] !== undefined) continue;
         var lv = await deps.catalog.variants.get(lvId);
-        if (!lv) { checkoutLookup[lvId] = null; continue; }
+        if (!lv) {
+          checkoutLookup[lvId] = null;
+          shipByVariant[lvId] = true;   // missing variant → treat as shippable
+          continue;
+        }
         var lprod = await deps.catalog.products.get(lv.product_id);
         var lmedia = await deps.catalog.media.listForProduct(lv.product_id);
         checkoutLookup[lvId] = { product: lprod, hero_media: lmedia.length ? lmedia[0] : null };
+        // requires_shipping defaults to 1 (shippable) when the column is
+        // absent — mirrors checkout._buildQuote's `!!v.requires_shipping`
+        // with a null-safe default of shippable.
+        shipByVariant[lvId] = lv.requires_shipping == null || Number(lv.requires_shipping) === 1;
+      }
+      // All-digital = a non-empty cart where NO line needs shipping. The
+      // service tier already completes such an order (checkout's
+      // digital_none fallback); this lets the form drop the address gate.
+      var anyShippable = false;
+      for (var si = 0; si < lines.length; si += 1) {
+        if (shipByVariant[lines[si].variant_id] !== false) { anyShippable = true; break; }
       }
+      var allDigital = lines.length > 0 && !anyShippable;
       // A signed-in customer drives two best-effort lookups, both keyed
       // off the same auth env: the loyalty balance (for the redeem field)
       // and the default shipping address (to pre-fill the form). Either
@@ -12170,6 +12406,9 @@ function mount(router, deps) {
         lines: lines, totals: totals, totals_detail: totalsDetail,
         shop_name: shopName, theme: theme,
         product_lookup: checkoutLookup,
+        // Every cart line is a no-shipment good → the form drops the
+        // address requirement (and the POST gate mirrors the flag).
+        all_digital: allDigital,
         paypal_client_id: deps.paypal ? deps.paypal_client_id : null,
         loyalty_balance: loyaltyBalance,
         loyalty_points_per_usd: deps.loyalty ? deps.loyalty.REDEMPTION_POINTS_PER_USD : null,
@@ -12334,7 +12573,13 @@ function mount(router, deps) {
       }
       var shipTo = _shipToFromBody(body);
       try {
-        _requireCheckoutFields(body, shipTo);
+        // A cart whose every line is a no-shipment good needs no shipping
+        // address — only email + name + a country for the tax quote. The
+        // form rendered the address block optional (all_digital); the gate
+        // here mirrors that so the two never disagree. A mixed/physical
+        // cart keeps the full requirement set.
+        var coAllDigital = await _cartAllDigital(await deps.cart.listLines(c.id));
+        _requireCheckoutFields(body, shipTo, coAllDigital);
         // default_shipping_id may be a literal string or an
         // operator-supplied async resolver (e.g. backed by the
         // config primitive) so re-reads happen per request without

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.3.66",
+  "version": "0.3.68",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {