@blamejs/blamejs-shop 0.3.67 → 0.3.68

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.3.x
 
+- v0.3.68 (2026-06-05) — **Delivery estimates: "Get it by" dates on the product and cart pages.** The product page and cart can now promise a delivery date. Operators configure the inputs at /admin/delivery-estimates — carrier transit times, warehouse cutoff hours, shipping holidays, and postal-prefix zones — and name the origin warehouse via the SHOP_ESTIMATE_ORIGIN environment variable or the shop.estimate_origin config row. A signed-in customer with a saved shipping address then sees "Get it by <date>" computed from the cutoff clock, transit days, and the holiday calendar. Anonymous visitors served from the edge cache deliberately see no date: an estimate is destination-specific, and a date baked into a shared cached page would show one visitor's delivery promise to everyone while going stale in the cache. The product and cart markup builders are byte-identical across the edge and container renderers with a deterministic date formatter, locked by a parity test. A store that has not configured estimates renders exactly what it does today — nothing — and a configuration gap can never produce a customer-facing error. **Added:** *Configurable delivery-date estimates* — The delivery-estimate primitive is wired end to end: an /admin/delivery-estimates console manages carrier transit times, order-cutoff hours per warehouse, shipping holidays, and postal-prefix zone mappings, with each mutation audited; the product and cart pages render "Get it by <date>" for signed-in customers with a saved shipping address once an origin warehouse is configured. Estimates render only where the destination is actually known — never on shared edge-cached pages — and every estimate read is fail-quiet: missing configuration, an unmatched destination, or a computation error renders no estimate rather than an error. Operators enable it by setting the origin (SHOP_ESTIMATE_ORIGIN or the shop.estimate_origin config row) and authoring at least one cutoff, transit time, and postal zone.
+
 - v0.3.67 (2026-06-05) — **Digital orders no longer require a shipping address, and search ranking shrugs off malformed weights.** A cart containing only digital goods completes checkout since 0.3.63, but the shipping form still demanded a street address and city the order would never use. For an all-digital cart, the form now marks the address fields optional with an honest note — email stays required for the receipt and country for tax — and the backend enforces exactly the same relaxed set, while any value the shopper does supply is still format-validated. Carts with any shippable item keep the full requirements. Separately, the search ranker now skips a non-numeric weight in a hand-edited weight set instead of letting it poison every score into NaN and garble the result order; the edge and container rankers apply the identical filter, keeping their orders locked together even on malformed configuration. **Fixed:** *Digital-only carts check out without a street address* — When no line in the cart requires shipping, the checkout form renders the address block as optional — the required markers move off street and city, a note explains that a digital order ships nothing and country is kept for tax, and the backend requires exactly email, name, and country. Values the shopper supplies anyway are still format-validated, including the per-field error rendering. A cart with any physical item keeps the full address requirements, and a missing variant record counts as physical, so the relaxation can never trigger on incomplete data. · *Search ranking ignores non-numeric weights instead of corrupting the order* — A weight set carrying a non-numeric value — possible through a hand-edited database row — multiplied into every product's score as NaN, making the result order effectively random on the container while the edge filtered the bad weight and produced a different order. Both rankers now skip non-numeric weights identically, so a malformed entry degrades to "that signal contributes nothing" with edge and container orders staying byte-identical.
 
 - v0.3.66 (2026-06-05) — **Production server errors are readable from the admin console and the CLI.** When a server-side failure was scrubbed to a clean customer-facing page — a payment-processor rejection at checkout, a public-API failure, an admin-action error — the underlying detail was only visible in the hosting dashboard's container log viewer. The error-log primitive now captures those failures into the database: route, method, status, a length-bounded message, and a timestamp, ring-buffered to the newest five hundred entries, written fire-and-forget so a logging failure can never affect a customer request, and carrying no customer or session data. A new Errors screen in the admin console lists them newest-first, and the same route answers a bearer-token request with JSON, so operators and tooling can read production errors with one curl. A schema migration adds the message column and applies on deploy. **Added:** *Server-error capture with an admin Errors screen and JSON API* — Scrubbed 500-class failures — the checkout confirm step, the public catalog API, and admin console actions — now also record route, method, status, and a truncated error message into the error-log table (newest five hundred kept; writes are drop-silent and never awaited in the request path; no customer, session, or header data is stored). GET /admin/errors renders the newest entries in the console with every cell escaped, and the same path with an Authorization: Bearer admin token returns JSON for command-line and tooling access. Migration 0208 adds the message column plus an index and applies with the normal deploy.

package/README.md

@@ -66,6 +66,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/pricing.js`** | Pure-function money math — `lineTotal`, `subtotal`, `totals`, `format`. Multi-currency refused, banker's-style rounding, locale-aware via `Intl.NumberFormat`. |
 | **`lib/tax.js`** | Operator-table adapter. Country / state / postal_prefix → rate_bps. Most-specific-first match, banker's rounding. Pluggable adapter shape for future Stripe Tax / TaxJar / Avalara. |
 | **`lib/shipping.js`** | Operator-table adapter. Services with zones (flat or per-gram + base + min/max), free-over-threshold, `digital_only` flag. |
+| **`lib/delivery-estimate.js`** | "Get it by <date>" promises. Operators define carrier transit times, warehouse cutoffs, holidays, and postal-prefix zones at `/admin/delivery-estimates`; the product and cart pages then show a signed-in customer a delivery date computed against their saved shipping address and the configured origin (`SHOP_ESTIMATE_ORIGIN` or the `shop.estimate_origin` config row). Anonymous, edge-cached pages deliberately render no date — estimates are destination-specific and never bake into the shared cache. Unconfigured stores render nothing, never an error. |
 | **`lib/payment.js`** | Payment adapters — **Stripe** (verify webhook HMAC-SHA256 via upstream `b.webhook.verify`, create / retrieve / confirm / cancel PaymentIntent, refund, register / list payment-method domains for Apple/Google Pay) and **PayPal** (`adapter: "paypal"` — OAuth2 client-credentials token, create / capture / get / refund Orders v2, webhook verify via PayPal's verify-webhook-signature API). No `stripe` / `paypal` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
 | **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. |
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` validates the ship-to address (real ISO 3166-1 country; US/CA state + ZIP/postal formats; lenient elsewhere) and the customer email shape, then creates a Stripe PaymentIntent + persists order pending; `handleStripeEvent()` verifies webhook + fires the FSM transition. PayPal path: `createPaypalOrder()` opens a PayPal order + persists pending, `capturePaypalOrder()` captures → paid, `handlePaypalEvent()` is the webhook backstop. All idempotent on re-delivery. |
@@ -96,7 +97,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/giftcards.js`** | Prepaid bearer gift cards. `issue({ amount_minor, currency })` generates a 16-char code (32-glyph alphabet, no ambiguous letters) via `b.crypto.generateBytes`, stores only its `namespaceHash` digest + a 4-char hint, and returns the plaintext code once. `balance(code)` / `lookup(code)` resolve a code to its live balance (constant-time hash compare); `redeem({ code, order_id, amount_minor })` decrements the balance with an atomic `balance >= amount` SQL guard so concurrent spends can't overdraw. Redeemed at checkout as a credit against the order grand total: the amount due drops by the applied balance (never below zero), the order still records the full total it owed, and the debit is recorded once per order — a card that fully covers the order is marked paid with no Stripe charge. Customers check a balance at `GET /gift-cards`; the page is not a code-existence oracle (unknown / malformed / expired all return the same generic not-found). |
 | **`lib/gift-card-ledger.js`** | Append-only credit / debit / expire history per gift card, with a denormalized `balance_after_minor` snapshot for O(1) balance reads. `credit` / `debit` / `expire` write one row each; `history(id)` paginates a card's transactions; `transactionsForOrder(id)` lists a card's movements for one order. The audit trail behind the admin gift-card ledger console; overdraft is refused at the primitive layer. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores, and each product opens a management screen that edits its fields, adds / edits / removes variants, sets a variant's price and shows its price history, and attaches / uploads / removes images — the full path to a sellable product; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM, and attaches a shipment (carrier + tracking number) with recorded shipment events that surface a public tracking link to the customer; **Customers** (`/admin/customers`) is a read-only roster, newest first — display name, short id, join date, sign-in method (passkey count + linked OAuth providers), and order count, with the count and sign-in methods resolved by bounded aggregate queries so a page of customers costs no per-row trips (email addresses aren't stored in the clear, so they're not shown); **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Q&A** (`/admin/questions`) is the question moderation queue — filter by status, open a question to its full answer thread, approve / reject the question, post the seller answer, and approve / reject / pin individual answers; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale; **Collections** (`/admin/collections`) manages manual + smart product collections — filter active / archived, create a collection (manual or smart with a starter rule), and per collection edit title / description / sort strategy, manage manual members (add by product id, remove, reorder) or edit a smart collection's rule set with a live preview of the products the rules currently match, and archive; **Gift cards** (`/admin/gift-cards`) is the gift-card ledger — list issued cards (masked code, original + remaining balance, status, issued date) filtered by lifecycle status, issue a new card (the bearer code shown once, right after creation), open a card to see its full credit / debit / expire ledger, and void an active card through a confirmation step; **Webhooks** (`/admin/webhooks`) registers outbound endpoints (https:// only) with a one-time signing-secret reveal, enables / disables / deletes them, and opens an endpoint's delivery feed to retry a failed delivery — the signing secret is shown once on create and never in the list, and order transitions fan out signed deliveries to subscribed endpoints. **Tax** (`/admin/tax-rates`), **Shipping** (`/admin/shipping`), and **Discounts** (`/admin/discounts`) configure tax rates per jurisdiction, shipping zones + rates, and automatic-discount rules + coupon-stacking policies — create / edit / archive each. **Audit** (`/admin/audit`) is a read-only activity log of every privileged action — filtered by outcome (success / failure / denied) and paginated — composed on the framework's tamper-evident `b.audit` chain; opening it is itself recorded as an `audit.read` event. **Errors** (`/admin/errors`) lists captured server-error detail — time, status, route, and a truncated message for scrubbed 500-class failures (checkout confirm, public API, admin actions) — newest-first, with the same path answering a bearer-token request with JSON so the log is one `curl` away. The Customers, Returns, Reviews, Q&A, Subscriptions, Collections, Gift cards, Webhooks, Tax, Shipping, Discounts, Delivery estimates, and Errors links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. The console's styling is an external, integrity-pinned stylesheet (`themes/default/assets/css/admin.css`) with the same self-hosted typeface — no inline styles and no third-party font host, so it renders correctly under the strict `style-src 'self'` / `font-src 'self'` CSP that governs the route. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |
 

package/lib/admin.js

@@ -573,7 +573,7 @@ function mount(router, deps) {
   // `reports` is always present in the nav (read-only sales summary needs no
   // extra dep); its route mounts unconditionally and renders an unconfigured
   // notice when the salesReports primitive isn't wired.
-  var navAvailable = { returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog };
+  var navAvailable = { returns: !!returns, reviews: !!reviews, productQa: !!productQa, subscriptions: !!deps.subscriptions, preorder: !!deps.preorder, webhooks: !!deps.webhooks, collections: !!deps.collections, customers: !!deps.customers, customerSegments: !!customerSegments, giftcards: !!deps.giftcards, announcementBar: !!deps.announcementBar, blog: !!deps.blog, knowledgeBase: !!deps.knowledgeBase, customerSurveys: !!deps.customerSurveys, storefrontPages: !!deps.storefrontPages, businessHours: !!deps.businessHours, taxRates: !!deps.taxRates, shippingZones: !!deps.shippingZones, deliveryEstimate: !!deps.deliveryEstimate, autoDiscount: !!deps.autoDiscount, discountAllocation: !!deps.discountAllocation, quantityDiscounts: !!deps.quantityDiscounts, loyalty: !!deps.loyalty, pickLists: !!pickLists, salesTaxFilings: !!salesTaxFilings, shippingLabels: !!shippingLabels, supportTickets: !!supportTickets, complianceExport: !!complianceExport, orderExchanges: !!orderExchanges, orderRatings: !!orderRatings, clickAndCollect: !!clickAndCollect, giftOptions: !!giftOptions, searchRanking: !!searchRanking, trustBadges: !!trustBadges, orderExport: !!orderExport, auditLog: auditLog, errorLog: !!errorLog };
 
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
 
@@ -8910,6 +8910,170 @@ function mount(router, deps) {
     ));
   }
 
+  // ---- delivery estimates ---------------------------------------------
+  //
+  // The "Get it by <date>" tables on one console screen: carrier transits
+  // (per from→to zone / carrier / service-level transit-day budget), origin
+  // cutoffs (the daily local-time ship-by per origin location + IANA tz),
+  // observed holidays (per region, dropped from the business-day count), and
+  // postal-prefix → zone mappings (destination lookup). Each is create +
+  // list + archive (transits + holidays archive by uuid; cutoffs + postal
+  // zones are upserts with no archive — re-author to change). The only free-
+  // text field is a holiday's `name`, escaped at render. Every date field
+  // validates against the primitive's DATE_RE (it re-validates server-side,
+  // so a bad date is a 400 notice, never a 500); carrier / service-level /
+  // zone / postal-prefix are enum/regex-bounded by the primitive.
+  var deliveryEstimate = deps.deliveryEstimate || null;
+  if (deliveryEstimate) {
+    // Re-read every table for the screen in one helper so create / archive
+    // re-renders all share the same shape. Drop-silent per table: an
+    // unmigrated table degrades to an empty list, never a 500.
+    async function _deliveryEstimateModel() {
+      var model = { transits: [], cutoffs: [], holidays: [], postal_zones: [] };
+      try { model.transits     = await deliveryEstimate.listTransits({}); }    catch (_e) { model.transits = []; }
+      try { model.cutoffs      = await deliveryEstimate.listCutoffs(); }       catch (_e) { model.cutoffs = []; }
+      try { model.holidays     = await deliveryEstimate.listHolidays({}); }    catch (_e) { model.holidays = []; }
+      try { model.postal_zones = await deliveryEstimate.listPostalZones({}); } catch (_e) { model.postal_zones = []; }
+      return model;
+    }
+
+    // One handler factory per create surface — each defines a row, then on
+    // the HTML path re-renders the screen with a 400 notice on a TypeError
+    // (the primitive's own validation throws carry operator-safe text) and
+    // routes everything else through the shared classifier so a raw
+    // constraint / unknown error can't reach the banner.
+    function _deCreate(kind, auditAction, define, transform) {
+      return _pageOrApi(false,
+        W(auditAction, async function (req, res) {
+          var row = await define(transform(req.body || {}));
+          _json(res, 201, row);
+          return { id: (row && (row.id || row.origin_location || row.postal_prefix)) || kind };
+        }),
+        async function (req, res) {
+          try {
+            await define(transform(req.body || {}));
+          } catch (e) {
+            var n = _safeNotice(e, auditAction);
+            var noticeMsg = n.message.replace(/^deliveryEstimate[.:]\s*/, "");
+            var model = await _deliveryEstimateModel();
+            return _sendHtml(res, n.status, renderAdminDeliveryEstimates(Object.assign({
+              shop_name: deps.shop_name, nav_available: navAvailable, notice: noticeMsg,
+            }, model)));
+          }
+          b.audit.safeEmit({ action: AUDIT_NAMESPACE + "." + auditAction, outcome: "success" });
+          _redirect(res, "/admin/delivery-estimates?created=" + kind);
+        },
+      );
+    }
+
+    router.post("/admin/delivery-estimates/transits", _deCreate(
+      "transit", "delivery_transit.create",
+      function (input) { return deliveryEstimate.defineCarrierTransit(input); },
+      function (body) {
+        return {
+          from_zone:     typeof body.from_zone === "string" ? body.from_zone.trim() : body.from_zone,
+          to_zone:       typeof body.to_zone   === "string" ? body.to_zone.trim()   : body.to_zone,
+          carrier:       typeof body.carrier   === "string" ? body.carrier.trim()   : body.carrier,
+          service_level: typeof body.service_level === "string" ? body.service_level.trim() : body.service_level,
+          transit_days:  _strictMinorInt(body.transit_days, "deliveryEstimate", "transit_days"),
+        };
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/cutoffs", _deCreate(
+      "cutoff", "delivery_cutoff.create",
+      function (input) { return deliveryEstimate.defineCutoff(input); },
+      function (body) {
+        return {
+          origin_location:         typeof body.origin_location === "string" ? body.origin_location.trim() : body.origin_location,
+          daily_cutoff_local_time: typeof body.daily_cutoff_local_time === "string" ? body.daily_cutoff_local_time.trim() : body.daily_cutoff_local_time,
+          timezone:                typeof body.timezone === "string" ? body.timezone.trim() : body.timezone,
+        };
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/holidays", _deCreate(
+      "holiday", "delivery_holiday.create",
+      function (input) { return deliveryEstimate.defineHoliday(input); },
+      function (body) {
+        return {
+          region: typeof body.region === "string" ? body.region.trim() : body.region,
+          date:   typeof body.date   === "string" ? body.date.trim()   : body.date,
+          name:   body.name,
+        };
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/postal-zones", _deCreate(
+      "postal_zone", "delivery_postal_zone.create",
+      function (input) { return deliveryEstimate.definePostalZone(input); },
+      function (body) {
+        return {
+          country:       typeof body.country === "string" ? body.country.trim().toUpperCase() : body.country,
+          postal_prefix: typeof body.postal_prefix === "string" ? body.postal_prefix.trim() : body.postal_prefix,
+          zone:          typeof body.zone === "string" ? body.zone.trim() : body.zone,
+        };
+      },
+    ));
+
+    router.get("/admin/delivery-estimates", _pageOrApi(true,
+      R(async function (req, res) {
+        _json(res, 200, await _deliveryEstimateModel());
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var model = await _deliveryEstimateModel();
+        _sendHtml(res, 200, renderAdminDeliveryEstimates(Object.assign({
+          shop_name: deps.shop_name, nav_available: navAvailable,
+          created:  url && url.searchParams.get("created"),
+          archived: url && url.searchParams.get("archived"),
+          notice:   (url && url.searchParams.get("err")) ? "That action couldn't be completed." : null,
+        }, model)));
+      },
+    ));
+
+    // Archive a transit / holiday by its uuid. Both archive surfaces share
+    // the same shape: a TypeError (bad uuid) is a 400; a null result (no
+    // such row) re-renders with a notice; success redirects with ?archived.
+    router.post("/admin/delivery-estimates/transits/:id/archive", _pageOrApi(false,
+      W("delivery_transit.archive", async function (req, res) {
+        var row;
+        try { row = await deliveryEstimate.archiveTransit(req.params.id); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "transit-not-found");
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var row = null;
+        try { row = await deliveryEstimate.archiveTransit(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _redirect(res, "/admin/delivery-estimates?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".delivery_transit.archive", outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/delivery-estimates?archived=transit");
+      },
+    ));
+
+    router.post("/admin/delivery-estimates/holidays/:id/archive", _pageOrApi(false,
+      W("delivery_holiday.archive", async function (req, res) {
+        var row;
+        try { row = await deliveryEstimate.archiveHoliday(req.params.id); }
+        catch (e) { if (e instanceof TypeError) return _problem(res, 400, "bad-request", e.message); throw e; }
+        if (!row) return _problem(res, 404, "holiday-not-found");
+        _json(res, 200, row);
+        return { id: row.id };
+      }),
+      async function (req, res) {
+        var row = null;
+        try { row = await deliveryEstimate.archiveHoliday(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!row) return _redirect(res, "/admin/delivery-estimates?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".delivery_holiday.archive", outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/delivery-estimates?archived=holiday");
+      },
+    ));
+  }
+
   // Translate the create form / JSON body into a defineZone input. The
   // console form is the single-country, single-flat-rate shape; the
   // bearer JSON path can pass the full regions[]/rates[] arrays directly,
@@ -10710,6 +10874,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "tax",          href: "/admin/tax-rates",    label: "Tax",          requires: "taxRates" },
   { key: "tax-filings",  href: "/admin/tax-filings",  label: "Tax filings",  requires: "salesTaxFilings" },
   { key: "shipping",     href: "/admin/shipping",     label: "Shipping",     requires: "shippingZones" },
+  { key: "delivery-estimates", href: "/admin/delivery-estimates", label: "Delivery estimates", requires: "deliveryEstimate" },
   { key: "shipping-labels", href: "/admin/shipping-labels", label: "Shipping labels", requires: "shippingLabels" },
   { key: "pick-lists",   href: "/admin/pick-lists",   label: "Pick lists",   requires: "pickLists" },
   { key: "announcements", href: "/admin/announcements", label: "Announcements", requires: "announcementBar" },
@@ -14211,6 +14376,138 @@ function renderAdminShippingZone(opts) {
   return _renderAdminShell(opts.shop_name, "Zone " + z.slug, body, "shipping", opts.nav_available);
 }
 
+// Delivery-estimate console — the four "Get it by <date>" tables (carrier
+// transits, origin cutoffs, observed holidays, postal-prefix → zone) each
+// with a list + a create form, transits + holidays carrying an archive
+// button. The only operator free-text field is a holiday's `name`, escaped
+// on render. Carrier is a fixed <select> (the primitive's CARRIERS enum);
+// every other field is regex-bounded server-side, so a bad value is a 400
+// notice, never a 500.
+function renderAdminDeliveryEstimates(opts) {
+  opts = opts || {};
+  var transits = opts.transits || [];
+  var cutoffs  = opts.cutoffs  || [];
+  var holidays = opts.holidays || [];
+  var zones    = opts.postal_zones || [];
+
+  var created  = opts.created  ? "<div class=\"banner banner--ok\">Entry created.</div>" : "";
+  var archived = opts.archived ? "<div class=\"banner banner--ok\">Entry archived.</div>" : "";
+  var notice   = opts.notice   ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+
+  var CARRIERS = ["ups", "fedex", "usps", "dhl", "flat_rate", "custom"];
+  var carrierOpts = CARRIERS.map(function (c) {
+    return "<option value=\"" + _htmlEscape(c) + "\">" + _htmlEscape(c) + "</option>";
+  }).join("");
+
+  // ---- carrier transits ----
+  var transitRows = transits.map(function (t) {
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(t.from_zone) + "</code> &rarr; <code class=\"order-id\">" + _htmlEscape(t.to_zone) + "</code></td>" +
+      "<td>" + _htmlEscape(t.carrier) + "</td>" +
+      "<td>" + _htmlEscape(t.service_level) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(String(t.transit_days)) + "</td>" +
+      "<td><form method=\"post\" action=\"/admin/delivery-estimates/transits/" + _htmlEscape(encodeURIComponent(t.id)) + "/archive\" class=\"form-inline\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form></td>" +
+    "</tr>";
+  }).join("");
+  var transitTable = transits.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Zone pair</th><th scope=\"col\">Carrier</th><th scope=\"col\">Service</th><th scope=\"col\" class=\"num\">Transit days</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + transitRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No carrier transits yet.</p>";
+  var transitForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add a carrier transit</h3>" +
+      "<p class=\"meta\">The carrier-declared business-day budget for one zone pair and service level.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/transits\">" +
+        _setupField("From zone", "from_zone", "", "text", "Origin zone slug, e.g. dc-east.", " maxlength=\"64\" class=\"input-code\" required") +
+        _setupField("To zone", "to_zone", "", "text", "Destination zone slug, e.g. us-west.", " maxlength=\"64\" class=\"input-code\" required") +
+        "<label class=\"form-field\"><span>Carrier</span><select name=\"carrier\" required>" + carrierOpts + "</select></label>" +
+        _setupField("Service level", "service_level", "", "text", "e.g. GROUND, TWO_DAY.", " maxlength=\"64\" class=\"input-code\" required") +
+        _setupField("Transit days", "transit_days", "", "number", "Business days in transit, 0–365.", " min=\"0\" max=\"365\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add transit</button></div>" +
+      "</form>" +
+    "</div>";
+
+  // ---- origin cutoffs ----
+  var cutoffRows = cutoffs.map(function (c) {
+    return "<tr>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(c.origin_location) + "</code></td>" +
+      "<td>" + _htmlEscape(c.daily_cutoff_local_time) + "</td>" +
+      "<td>" + _htmlEscape(c.timezone) + "</td>" +
+    "</tr>";
+  }).join("");
+  var cutoffTable = cutoffs.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Origin</th><th scope=\"col\">Cutoff (local)</th><th scope=\"col\">Timezone</th></tr></thead><tbody>" + cutoffRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No origin cutoffs yet.</p>";
+  var cutoffForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add an origin cutoff</h3>" +
+      "<p class=\"meta\">The daily local-time cutoff for an origin. Orders after it ship the next business day. Re-add to change.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/cutoffs\">" +
+        _setupField("Origin location", "origin_location", "", "text", "Origin slug, e.g. dc-east.", " maxlength=\"80\" class=\"input-code\" required") +
+        _setupField("Daily cutoff (HH:MM)", "daily_cutoff_local_time", "", "text", "24-hour local time, e.g. 14:00.", " maxlength=\"5\" class=\"input-code\" required") +
+        _setupField("Timezone", "timezone", "", "text", "IANA name, e.g. America/New_York.", " maxlength=\"64\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add cutoff</button></div>" +
+      "</form>" +
+    "</div>";
+
+  // ---- observed holidays ----
+  var holidayRows = holidays.map(function (h) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(h.region) + "</td>" +
+      "<td>" + _htmlEscape(h.date) + "</td>" +
+      "<td>" + _htmlEscape(h.name) + "</td>" +
+      "<td><form method=\"post\" action=\"/admin/delivery-estimates/holidays/" + _htmlEscape(encodeURIComponent(h.id)) + "/archive\" class=\"form-inline\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">Archive</button></form></td>" +
+    "</tr>";
+  }).join("");
+  var holidayTable = holidays.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Region</th><th scope=\"col\">Date</th><th scope=\"col\">Name</th><th scope=\"col\">Actions</th></tr></thead><tbody>" + holidayRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No holidays yet.</p>";
+  var holidayForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add an observed holiday</h3>" +
+      "<p class=\"meta\">A non-shipping date dropped from a region's business-day count.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/holidays\">" +
+        _setupField("Region", "region", "", "text", "Operator region slug, e.g. us or us-ca.", " maxlength=\"16\" class=\"input-code\" required") +
+        _setupField("Date", "date", "", "text", "YYYY-MM-DD.", " maxlength=\"10\" class=\"input-code\" required") +
+        _setupField("Name", "name", "", "text", "e.g. Independence Day.", " maxlength=\"200\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add holiday</button></div>" +
+      "</form>" +
+    "</div>";
+
+  // ---- postal-prefix → zone ----
+  var zoneRows = zones.map(function (z) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(z.country) + "</td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(z.postal_prefix) + "</code></td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(z.zone) + "</code></td>" +
+    "</tr>";
+  }).join("");
+  var zoneTable = zones.length
+    ? "<div class=\"panel\">" + _tableWrap("<table><thead><tr><th scope=\"col\">Country</th><th scope=\"col\">Postal prefix</th><th scope=\"col\">Zone</th></tr></thead><tbody>" + zoneRows + "</tbody></table>") + "</div>"
+    : "<p class=\"empty\">No postal zones yet.</p>";
+  var zoneForm =
+    "<div class=\"panel mt mw-40\">" +
+      "<h3 class=\"subhead\">Add a postal-prefix zone</h3>" +
+      "<p class=\"meta\">Map a destination postal-code prefix to a transit zone. Longest matching prefix wins. Re-add to change.</p>" +
+      "<form method=\"post\" action=\"/admin/delivery-estimates/postal-zones\">" +
+        _setupField("Country", "country", "", "text", "ISO 3166-1 alpha-2, e.g. US.", " maxlength=\"2\" class=\"input-code\" required") +
+        _setupField("Postal prefix", "postal_prefix", "", "text", "e.g. 902 for US 90xxx.", " maxlength=\"16\" class=\"input-code\" required") +
+        _setupField("Zone", "zone", "", "text", "Destination zone slug, e.g. us-west.", " maxlength=\"64\" class=\"input-code\" required") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Add postal zone</button></div>" +
+      "</form>" +
+    "</div>";
+
+  var body = "<section><h2>Delivery estimates</h2>" + created + archived + notice +
+    "<p class=\"meta\">These four tables compose the storefront's “Get it by &lt;date&gt;” window. A customer sees a date only once an origin cutoff is configured for the origin their order ships from.</p>" +
+    "<h3 class=\"subhead subhead--sp-lg\">Carrier transits</h3>" + transitTable + transitForm +
+    "<h3 class=\"subhead subhead--sp-lg\">Origin cutoffs</h3>" + cutoffTable + cutoffForm +
+    "<h3 class=\"subhead subhead--sp-lg\">Observed holidays</h3>" + holidayTable + holidayForm +
+    "<h3 class=\"subhead subhead--sp-lg\">Postal-prefix zones</h3>" + zoneTable + zoneForm +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Delivery estimates", body, "delivery-estimates", opts.nav_available);
+}
+
 // Human one-liner for a rule's trigger / value JSON.
 function _fmtTrigger(t) {
   if (!t || !t.kind) return "—";

package/lib/asset-manifest.json

@@ -1,13 +1,13 @@
 {
-  "version": "0.3.67",
+  "version": "0.3.68",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-6k53cvkRrxMgmeStLIoLjVXZQHqIJgTmv1Izd8TYhh1HOC4POgE6GCvx1bsalyEP",
       "fingerprinted": "css/admin.44eb97700c660798.css"
     },
     "css/main.css": {
-      "integrity": "sha384-fzlpYGSv30HHY+ir9ym4VxwwgwzXQ9Sn153QMXLVKOPJ02eDNO/cI6Ww3rPluQ8R",
-      "fingerprinted": "css/main.15dfd64f4536314d.css"
+      "integrity": "sha384-kjpDvd8TisWdb45G5S2FyHOo4plk5DiOMO0aTZWxKCJhAhBEo55yABnv5BbUpzS4",
+      "fingerprinted": "css/main.337a7be6244cd7c0.css"
     },
     "js/announcement.js": {
       "integrity": "sha384-z4zcEMn+tScoVnYRE4nEf8N/oyvpxdpaxTNrT4QO/jURChid4+qjAvWkzatCaAPq",

package/lib/storefront.js

@@ -2083,6 +2083,55 @@ function _pdpShippingNote(availability) {
          "See our <a href=\"/terms\">shipping &amp; returns policy</a>.</p>";
 }
 
+// "Get it by <date>" delivery-estimate line for the PDP + cart. Renders the
+// SHARED markup the dual-render parity gate pins — kept byte-for-byte in sync
+// with worker/render/product.js#_buildDeliveryEstimate (and the cart twin) so
+// the PDP/cart land identical across substrates.
+//
+// THE DESIGN RULE: the edge ALWAYS passes estimate=null. The arrival date is
+// destination-specific (it's derived from the signed-in customer's shipping
+// address) and edge pages are shared-cacheable across anonymous visitors, so
+// baking a date would serve one visitor's ZIP date to everyone — and a
+// computed date also goes stale in the cache. So estimate=null renders EMPTY
+// (the builder returns ""), keeping the edge output byte-stable; the real date
+// renders container-only when the route resolves a per-customer estimate.
+//
+// `estimate` (when present) is the resolved display shape the route builds:
+//   { deliver_by, latest_by?, service_label }
+// where deliver_by / latest_by are YYYY-MM-DD strings (origin-timezone) and
+// service_label is the carrier service the date is for. The date is formatted
+// here with a self-contained deterministic formatter (no toLocaleDateString —
+// its output is locale/runtime-dependent and would break the byte-parity gate)
+// so the same YYYY-MM-DD always yields the same "Thu, Jun 12" wherever it runs.
+function _formatDeliveryDate(ymd) {
+  // ymd is YYYY-MM-DD; format as "Thu, Jun 12" deterministically. Date.UTC
+  // gives a runtime-stable weekday (Sun=0..Sat=6) with no timezone drift.
+  var DOW = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"];
+  var MON = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
+  var y = Number(ymd.slice(0, 4));
+  var m = Number(ymd.slice(5, 7));
+  var d = Number(ymd.slice(8, 10));
+  var wd = new Date(Date.UTC(y, m - 1, d)).getUTCDay();
+  return DOW[wd] + ", " + MON[m - 1] + " " + d;
+}
+function _buildDeliveryEstimate(estimate, esc) {
+  if (!estimate || typeof estimate !== "object" || !estimate.deliver_by) return "";
+  var by = _formatDeliveryDate(estimate.deliver_by);
+  // A range when the slowest service lands later than the fastest — "by Thu,
+  // Jun 12" becomes "Tue, Jun 10 – Thu, Jun 12" so the shopper sees the window,
+  // not just the optimistic edge.
+  var dateText = (estimate.latest_by && estimate.latest_by !== estimate.deliver_by)
+    ? _formatDeliveryDate(estimate.deliver_by) + " – " + _formatDeliveryDate(estimate.latest_by)
+    : "by " + by;
+  var svc = estimate.service_label
+    ? " <span class=\"delivery-est__svc\">via " + esc(estimate.service_label) + "</span>"
+    : "";
+  return "<p class=\"delivery-est\" role=\"status\">" +
+           "<span class=\"delivery-est__icon\" aria-hidden=\"true\">🚚</span> " +
+           "<span class=\"delivery-est__label\">Get it " + esc(dateText) + "</span>" + svc +
+         "</p>";
+}
+
 // Pre-order CTA — replaces the add-to-cart buy box on a PDP whose lead SKU
 // has an OPEN pre-order campaign (a SKU that isn't released yet, so it's not
 // normally purchasable). `preorder` is the resolved shape the route loads:
@@ -2271,6 +2320,7 @@ var PRODUCT_PAGE =
   "      RAW_AVAILABILITY_PLACEHOLDER\n" +
   "      RAW_BUYBOX_PLACEHOLDER\n" +
   "      RAW_SHIPPING_NOTE_PLACEHOLDER\n" +
+  "      RAW_DELIVERYESTIMATE_PLACEHOLDER\n" +
   "      RAW_QTYBREAK_PLACEHOLDER\n" +
   "      RAW_WISHLIST_PLACEHOLDER\n" +
   "      RAW_COMPARE_PLACEHOLDER\n" +
@@ -6229,6 +6279,13 @@ function renderProduct(opts) {
   buyboxHtml = _buildPreorderNotice(opts.preorder_notice) + buyboxHtml;
   var availabilityHtml = _buildAvailability(availability);
   var shippingNoteHtml = _pdpShippingNote(availability);
+  // "Get it by <date>" — container-only (the route resolves a per-customer
+  // estimate; the edge passes no `delivery_estimate`, so this renders empty
+  // and the edge PDP stays byte-stable). Suppressed on a digital-only product
+  // (nothing ships) and on a pre-order CTA (the release date is the headline).
+  var deliveryEstimateHtml = (availability.requires_shipping && !preorderShape)
+    ? _buildDeliveryEstimate(opts.delivery_estimate, b.template.escapeHtml)
+    : "";
   var galleryHtml = _buildPdpGallery(opts.product, opts.media || [], opts.asset_prefix || "/assets/");
   var reviewsHtml = _buildReviews(opts.review_summary, opts.reviews, opts.review_cta);
   var qaHtml = _buildProductQa(opts.qa_questions, opts.qa_cta);
@@ -6244,6 +6301,7 @@ function renderProduct(opts) {
     .replace("RAW_AVAILABILITY_PLACEHOLDER", availabilityHtml)
     .replace("RAW_BUYBOX_PLACEHOLDER", buyboxHtml)
     .replace("RAW_SHIPPING_NOTE_PLACEHOLDER", shippingNoteHtml)
+    .replace("RAW_DELIVERYESTIMATE_PLACEHOLDER", deliveryEstimateHtml)
     .replace("RAW_QTYBREAK_PLACEHOLDER", qtyBreaksHtml)
     .replace("RAW_WISHLIST_PLACEHOLDER", wishlistHtml)
     .replace("RAW_COMPARE_PLACEHOLDER", compareHtml)
@@ -7567,6 +7625,7 @@ var CART_PAGE =
   "      <dl class=\"totals-list\">\n" +
   "RAW_TOTALS_ROWS" +
   "      </dl>\n" +
+  "RAW_CART_DELIVERYESTIMATE_PLACEHOLDER" +
   "RAW_CHECKOUT_CTA" +
   "    </aside>\n" +
   "  </div>\n" +
@@ -7850,10 +7909,20 @@ function renderCart(opts) {
         "        <div><dt>Subtotal</dt><dd>" + subtotal + "</dd></div>\n" +
         "        <div class=\"totals-list__grand\"><dt>Total</dt><dd>" + total + "</dd></div>\n";
     }
+    // "Get it by <date>" for the whole cart — the slowest line's window, so
+    // the shopper sees when EVERYTHING arrives, not the optimistic item. The
+    // SAME shared builder the PDP uses (byte-identical across the dual render),
+    // spliced into the summary aside. Container-only: the route resolves a
+    // per-customer estimate (signed-in + saved address); absent that, or on
+    // any primitive failure, opts.delivery_estimate is null and this renders
+    // empty. Indented to match the aside's two-space block.
+    var cartEstimateHtml = _buildDeliveryEstimate(opts.delivery_estimate, b.template.escapeHtml);
+    cartEstimateHtml = cartEstimateHtml ? "      " + cartEstimateHtml + "\n" : "";
     body = _render(CART_PAGE, {
       line_rows: "RAW_LINES",
     }).replace("RAW_LINES", rows)
       .replace("RAW_TOTALS_ROWS", totalsRows)
+      .replace("RAW_CART_DELIVERYESTIMATE_PLACEHOLDER", cartEstimateHtml)
       .replace("RAW_CHECKOUT_CTA", checkoutCta)
       .replace("RAW_CART_NOTICE", notice);
     // CONTAINER-ONLY gift wrap disclosure, appended after the cart grid (a
@@ -11107,6 +11176,80 @@ function mount(router, deps) {
     return { ship_to: { country: "US" }, from_saved: false };
   }
 
+  // Resolve the "Get it by <date>" delivery estimate for the PDP / cart. This
+  // is a DROP-SILENT defensive reader (the storefront read tier): it returns
+  // null on ANYTHING short of a clean, dated estimate — no deliveryEstimate
+  // dep, no signed-in customer, no saved shipping address with a postal code,
+  // an unconfigured origin/cutoff (the primitive THROWS a config-state
+  // TypeError there), or a no-match `{ ok:false }`. The route renders no
+  // estimate in every one of those cases, never a 500.
+  //
+  // WHY signed-in + saved-address only: the arrival date is destination-
+  // specific. The edge serves a shared cache across anonymous visitors and
+  // must never bake a per-visitor date, so the date is a container-only
+  // enhancement for a customer whose destination we already know (their
+  // default shipping address). v1 ships no anonymous ZIP-entry widget — that's
+  // a separate slice; an anonymous shopper simply sees no date.
+  //
+  // `originLocation` comes from operator config (`shop.estimate_origin`); the
+  // primitive REFUSES to guess an origin (no defaultLocation resolver is
+  // wired), so without that config row no estimate renders — by design.
+  // `weightGrams` (optional) lets the primitive's weight-aware rows apply.
+  //
+  // Returns the display shape the dual-render builder consumes:
+  //   { deliver_by, latest_by, service_label }
+  // or null.
+  async function _resolveDeliveryEstimate(req, opts) {
+    opts = opts || {};
+    if (!deps.deliveryEstimate) return null;
+    try {
+      // Per-customer destination: only a SIGNED-IN customer with a saved
+      // shipping address that carries a postal code yields a date. _normalize
+      // (inside _estimateDestination) drops a garbage postal, so a saved
+      // address with no usable postal falls through to null here.
+      var coAuth = _currentCustomerEnv(req);
+      if (!coAuth) return null;
+      var dest = await _estimateDestination(req);
+      if (!dest || !dest.from_saved || !dest.ship_to || !dest.ship_to.postal) return null;
+      // Operator-configured origin — the primitive won't guess one. Resolved
+      // at boot into `deps.delivery_estimate_origin` (a plain slug string) from
+      // SHOP_ESTIMATE_ORIGIN / the config primitive, since the storefront's
+      // sfDeps.config is a bare { shop_name } stub with no live .get(). Falls
+      // back to a per-request config read if a future caller wires a real
+      // config handle. Absent any origin, no date renders — by design.
+      var origin = (typeof deps.delivery_estimate_origin === "string" && deps.delivery_estimate_origin)
+        ? deps.delivery_estimate_origin
+        : null;
+      if (!origin && deps.config && typeof deps.config.get === "function") {
+        try { origin = await deps.config.get("shop.estimate_origin", null); }
+        catch (_e) { origin = null; }
+      }
+      if (typeof origin !== "string" || !origin) return null;
+      var est = await deps.deliveryEstimate.estimate({
+        origin_location:     origin,
+        destination_postal:  dest.ship_to.postal,
+        destination_country: dest.ship_to.country,
+        destination_region:  dest.ship_to.state ? dest.ship_to.state.toLowerCase() : undefined,
+        weight_grams:        Number.isInteger(opts.weight_grams) ? opts.weight_grams : undefined,
+      });
+      if (!est || !est.ok || !est.est_min_delivery_date) return null;
+      // The fastest service is the headline date (service_levels are sorted
+      // ascending by transit_days inside the primitive); the slowest gives the
+      // range upper bound so the line reads as a window, not a promise.
+      var fastest = est.service_levels && est.service_levels.length ? est.service_levels[0] : null;
+      return {
+        deliver_by:    est.est_min_delivery_date,
+        latest_by:     est.est_max_delivery_date || est.est_min_delivery_date,
+        service_label: fastest ? fastest.label : null,
+      };
+    } catch (_e) {
+      // Drop-silent — every config-state / validation throw the primitive
+      // raises (no cutoff row, origin_location required, a malformed saved
+      // postal) collapses to "no estimate", never a broken page.
+      return null;
+    }
+  }
+
   // Compute the cart/checkout totals the shopper sees BEFORE paying.
   // Composes the SAME tax + shipping primitives the charge runs through
   // (via checkout.quote, which prices tax against the pre-discount
@@ -11593,10 +11736,17 @@ function mount(router, deps) {
     // to a banner; only meaningful when a campaign is present.
     var pdpUrl = req.url ? new URL(req.url, "http://localhost") : null;
     var preorderNotice = pdpUrl ? pdpUrl.searchParams.get("preorder") : null;
+    // "Get it by <date>" — container-only, per-customer (see
+    // _resolveDeliveryEstimate). Weighted by the lead variant so the
+    // primitive's weight-aware transit rows apply. Drop-silent → null.
+    var leadWeight = firstVariant && Number.isInteger(firstVariant.weight_grams)
+      ? firstVariant.weight_grams : undefined;
+    var deliveryEstimate = await _resolveDeliveryEstimate(req, { weight_grams: leadWeight });
     var html = renderProduct(Object.assign({
       product:        product,
       variants:       variants,
       prices:         prices,
+      delivery_estimate: deliveryEstimate,
       preorder_campaign: preorderCampaign,
       preorder_notice:   preorderNotice,
       media:          media,
@@ -12050,10 +12200,17 @@ function mount(router, deps) {
         }
       } catch (_e) { giftWraps = []; giftWrapInCart = null; }
     }
+    // "Get it by <date>" for the whole cart — container-only, per-customer
+    // (see _resolveDeliveryEstimate). No weight is summed across lines (the
+    // cart estimate is the destination window, not a per-parcel weight quote);
+    // the primitive falls back to its weight-agnostic transit rows. Drop-
+    // silent → null, and the summary renders no estimate.
+    var cartEstimate = await _resolveDeliveryEstimate(req, {});
     _send(res, 200, renderCart(Object.assign({
       lines:           lines,
       totals:          totals,
       totals_detail:   totalsDetail,
+      delivery_estimate: cartEstimate,
       line_stock:      lineStock,
       product_lookup:  productLookup,
       can_save:        !!(deps.saveForLater && deps.customers),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.3.67",
+  "version": "0.3.68",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {