npm - @arcblock/payment-service - Versions diffs - 1.29.6 → 1.29.8 - Mend

@arcblock/payment-service 1.29.6 → 1.29.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -360,7 +360,6 @@ __export(env_exports, {
   creditConsumptionCronTime: () => creditConsumptionCronTime,
   creditLowBalanceThresholdPercentage: () => creditLowBalanceThresholdPercentage,
   creditQueueConcurrency: () => creditQueueConcurrency,
-  daysUntilCancel: () => daysUntilCancel,
   default: () => env_default,
   depositVaultCronTime: () => depositVaultCronTime,
   enableDevFakeAuth: () => enableDevFakeAuth,
@@ -437,7 +436,7 @@ function hasConfig(key) {
   const v = readConfig(key);
   return v !== void 0 && v !== "";
 }
-var import_env, activeConfig, numConfig, paymentStatCronTime, subscriptionCronTime, notificationCronTime, expiredSessionCleanupCronTime, notificationCronConcurrency, stripeInvoiceCronTime, stripePaymentCronTime, stripeSubscriptionCronTime, revokeStakeCronTime, daysUntilCancel, meteringSubscriptionDetectionCronTime, overdueDetectionCronTime, overdueThreshold, depositVaultCronTime, creditConsumptionCronTime, vendorStatusCheckCronTime, vendorReturnScanCronTime, iapReconcileCronTime, eventRetryCronTime, quoteCleanupCronTime, vendorTimeoutMinutes, webhookAlertWindowMinutes, webhookAlertMinFailures, shortUrlApiKey, shortUrlDomain, sequelizeOptionsPoolMin, sequelizeOptionsPoolMax, sequelizeOptionsPoolIdle, updateDataConcurrency, stopAcceptingOrders, exchangeRateCacheTTLSeconds, systemMaxPendingAmount, allowChangeLockedPrice, blockletMode, isProduction, nodeEnv, isTestEnv, isDevelopmentEnv, enableDevFakeAuth, tenantModeRaw, blockletAppPid, blockletAppId, blockletAppName, blockletAppUrl, blockletAppHost, blockletAppDir, blockletPort, blockletMountPoints, appStoreWriteEnabled, appStoreSkipSignatureVerify, googlePubsubSkipSignatureVerify, googlePubsubPushServiceAccount, googlePubsubAllowUnverifiedSender, googlePlayWebhookUrl, stripeWebhookSecret, iapReconcileBatchSize, paymentBillingThreshold, paymentMinStakeAmount, paymentDaysUntilDue, paymentDaysUntilCancel, paymentReloadSubscriptionJobs, paymentRateVolatilityThreshold, paymentLivemode, creditLowBalanceThresholdPercentage, creditBatchSize, creditBatchWindowMs, creditQueueConcurrency, exchangeRateCacheTTLFromEnv, sqlLog, sqlBenchmark, cfEnv, isCfWorker, isBlockletServer, env_default;
+var import_env, activeConfig, numConfig, TRUTHY, FALSY, parseBool, readConfigAny, paymentStatCronTime, subscriptionCronTime, notificationCronTime, expiredSessionCleanupCronTime, notificationCronConcurrency, stripeInvoiceCronTime, stripePaymentCronTime, stripeSubscriptionCronTime, revokeStakeCronTime, meteringSubscriptionDetectionCronTime, overdueDetectionCronTime, overdueThreshold, depositVaultCronTime, creditConsumptionCronTime, vendorStatusCheckCronTime, vendorReturnScanCronTime, iapReconcileCronTime, eventRetryCronTime, quoteCleanupCronTime, vendorTimeoutMinutes, webhookAlertWindowMinutes, webhookAlertMinFailures, shortUrlApiKey, shortUrlDomain, sequelizeOptionsPoolMin, sequelizeOptionsPoolMax, sequelizeOptionsPoolIdle, updateDataConcurrency, stopAcceptingOrders, exchangeRateCacheTTLSeconds, systemMaxPendingAmount, allowChangeLockedPrice, blockletMode, isProduction, nodeEnv, isTestEnv, isDevelopmentEnv, enableDevFakeAuth, tenantModeRaw, blockletAppPid, blockletAppId, blockletAppName, blockletAppUrl, blockletAppHost, blockletAppDir, blockletPort, blockletMountPoints, appStoreWriteEnabled, appStoreSkipSignatureVerify, googlePubsubSkipSignatureVerify, googlePubsubPushServiceAccount, googlePubsubAllowUnverifiedSender, googlePlayWebhookUrl, stripeWebhookSecret, iapReconcileBatchSize, paymentBillingThreshold, paymentMinStakeAmount, paymentDaysUntilDue, paymentDaysUntilCancel, paymentReloadSubscriptionJobs, paymentRateVolatilityThreshold, paymentLivemode, creditLowBalanceThresholdPercentage, creditBatchSize, creditBatchWindowMs, creditQueueConcurrency, exchangeRateCacheTTLFromEnv, sqlLog, sqlBenchmark, cfEnv, isCfWorker, isBlockletServer, env_default;
 var init_env = __esm({
   "../../blocklets/core/api/src/libs/env.ts"() {
     "use strict";
@@ -446,6 +445,22 @@ var init_env = __esm({
       const v = readConfig(key);
       return v ? +v : fallback;
     };
+    TRUTHY = /* @__PURE__ */ new Set(["1", "true", "yes", "on"]);
+    FALSY = /* @__PURE__ */ new Set(["0", "false", "no", "off"]);
+    parseBool = (value, fallback = false) => {
+      if (value === void 0 || value === "") return fallback;
+      const v = value.trim().toLowerCase();
+      if (TRUTHY.has(v)) return true;
+      if (FALSY.has(v)) return false;
+      return fallback;
+    };
+    readConfigAny = (...keys) => {
+      for (const key of keys) {
+        const v = readConfig(key);
+        if (v !== void 0 && v !== "") return v;
+      }
+      return void 0;
+    };
     paymentStatCronTime = () => "0 1 0 * * *";
     subscriptionCronTime = () => readConfig("SUBSCRIPTION_CRON_TIME") || "0 */30 * * * *";
     notificationCronTime = () => readConfig("NOTIFICATION_CRON_TIME") || "0 5 */6 * * *";
@@ -455,7 +470,6 @@ var init_env = __esm({
     stripePaymentCronTime = () => readConfig("STRIPE_PAYMENT_CRON_TIME") || "0 */20 * * * *";
     stripeSubscriptionCronTime = () => readConfig("STRIPE_SUBSCRIPTION_CRON_TIME") || "0 10 */8 * * *";
     revokeStakeCronTime = () => readConfig("REVOKE_STAKE_CRON_TIME") || "0 */5 * * * *";
-    daysUntilCancel = () => readConfig("DAYS_UNTIL_CANCEL");
     meteringSubscriptionDetectionCronTime = () => readConfig("METERING_SUBSCRIPTION_DETECTION_CRON_TIME") || "0 0 10 * * *";
     overdueDetectionCronTime = () => readConfig("OVERDUE_DETECTION_CRON_TIME") || "0 0 10 * * *";
     overdueThreshold = () => numConfig("OVERDUE_THRESHOLD", 5);
@@ -475,16 +489,19 @@ var init_env = __esm({
     sequelizeOptionsPoolMax = () => numConfig("SEQUELIZE_OPTIONS_POOL_MAX", 5);
     sequelizeOptionsPoolIdle = () => numConfig("SEQUELIZE_OPTIONS_POOL_IDLE", 10 * 1e3);
     updateDataConcurrency = () => numConfig("UPDATE_DATA_CONCURRENCY", 5);
-    stopAcceptingOrders = () => readConfig("PAYMENT_KIT_STOP_ACCEPTING_ORDERS") === "true" || readConfig("PAYMENT_KIT_STOP_ACCEPTING_ORDERS") === "1";
+    stopAcceptingOrders = () => parseBool(readConfigAny("PAYMENT_STOP_ACCEPTING_ORDERS", "PAYMENT_KIT_STOP_ACCEPTING_ORDERS"));
     exchangeRateCacheTTLSeconds = () => numConfig("EXCHANGE_RATE_CACHE_TTL_SECONDS", 10 * 60);
-    systemMaxPendingAmount = () => numConfig("PAYMENT_KIT_MAX_PENDING_AMOUNT", 5);
-    allowChangeLockedPrice = () => readConfig("PAYMENT_CHANGE_LOCKED_PRICE") === "1";
+    systemMaxPendingAmount = () => {
+      const v = readConfigAny("PAYMENT_MAX_PENDING_AMOUNT", "PAYMENT_KIT_MAX_PENDING_AMOUNT");
+      return v ? +v : 5;
+    };
+    allowChangeLockedPrice = () => parseBool(readConfig("PAYMENT_CHANGE_LOCKED_PRICE"));
     blockletMode = () => readConfig("BLOCKLET_MODE");
     isProduction = () => blockletMode() === "production";
     nodeEnv = () => readConfig("NODE_ENV");
     isTestEnv = () => nodeEnv() === "test";
     isDevelopmentEnv = () => nodeEnv() === "development";
-    enableDevFakeAuth = () => readConfig("ENABLE_DEV_FAKE_AUTH") === "1";
+    enableDevFakeAuth = () => parseBool(readConfig("ENABLE_DEV_FAKE_AUTH"));
     tenantModeRaw = () => readConfig("PAYMENT_TENANT_MODE");
     blockletAppPid = () => readConfig("BLOCKLET_APP_PID");
     blockletAppId = () => readConfig("BLOCKLET_APP_ID");
@@ -494,11 +511,11 @@ var init_env = __esm({
     blockletAppDir = () => readConfig("BLOCKLET_APP_DIR");
     blockletPort = () => readConfig("BLOCKLET_PORT");
     blockletMountPoints = () => readConfig("BLOCKLET_MOUNT_POINTS");
-    appStoreWriteEnabled = () => readConfig("APP_STORE_WRITE_ENABLED") === "true";
-    appStoreSkipSignatureVerify = () => readConfig("APP_STORE_SKIP_SIGNATURE_VERIFY") === "true";
-    googlePubsubSkipSignatureVerify = () => readConfig("GOOGLE_PUBSUB_SKIP_SIGNATURE_VERIFY") === "true";
+    appStoreWriteEnabled = () => parseBool(readConfig("APP_STORE_WRITE_ENABLED"));
+    appStoreSkipSignatureVerify = () => parseBool(readConfig("APP_STORE_SKIP_SIGNATURE_VERIFY"));
+    googlePubsubSkipSignatureVerify = () => parseBool(readConfig("GOOGLE_PUBSUB_SKIP_SIGNATURE_VERIFY"));
     googlePubsubPushServiceAccount = () => readConfig("GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT");
-    googlePubsubAllowUnverifiedSender = () => readConfig("GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER") === "true";
+    googlePubsubAllowUnverifiedSender = () => parseBool(readConfig("GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER"));
     googlePlayWebhookUrl = () => readConfig("GOOGLE_PLAY_WEBHOOK_URL");
     stripeWebhookSecret = () => readConfig("STRIPE_WEBHOOK_SECRET");
     iapReconcileBatchSize = () => Number(readConfig("IAP_RECONCILE_BATCH_SIZE") ?? "100");
@@ -506,19 +523,19 @@ var init_env = __esm({
     paymentMinStakeAmount = () => +readConfig("PAYMENT_MIN_STAKE_AMOUNT");
     paymentDaysUntilDue = () => readConfig("PAYMENT_DAYS_UNTIL_DUE");
     paymentDaysUntilCancel = () => readConfig("PAYMENT_DAYS_UNTIL_CANCEL");
-    paymentReloadSubscriptionJobs = () => readConfig("PAYMENT_RELOAD_SUBSCRIPTION_JOBS") === "1";
+    paymentReloadSubscriptionJobs = () => parseBool(readConfig("PAYMENT_RELOAD_SUBSCRIPTION_JOBS"));
     paymentRateVolatilityThreshold = () => readConfig("PAYMENT_RATE_VOLATILITY_THRESHOLD");
-    paymentLivemode = () => readConfig("PAYMENT_LIVEMODE") !== "false";
+    paymentLivemode = () => parseBool(readConfig("PAYMENT_LIVEMODE"), true);
     creditLowBalanceThresholdPercentage = () => parseInt(readConfig("CREDIT_LOW_BALANCE_THRESHOLD_PERCENTAGE") || "10", 10);
     creditBatchSize = () => Math.max(1, parseInt(readConfig("CREDIT_BATCH_SIZE") || "50", 10));
     creditBatchWindowMs = () => Math.max(10, parseInt(readConfig("CREDIT_BATCH_WINDOW_MS") || "3000", 10));
     creditQueueConcurrency = () => Math.max(1, Math.min(20, parseInt(readConfig("CREDIT_QUEUE_CONCURRENCY") || "5", 10) || 5));
     exchangeRateCacheTTLFromEnv = () => hasConfig("EXCHANGE_RATE_CACHE_TTL_SECONDS");
-    sqlLog = () => readConfig("SQL_LOG") === "1";
-    sqlBenchmark = () => readConfig("SQL_BENCHMARK") === "1";
+    sqlLog = () => parseBool(readConfig("SQL_LOG"));
+    sqlBenchmark = () => parseBool(readConfig("SQL_BENCHMARK"));
     cfEnv = () => globalThis.__CF_ENV__;
     isCfWorker = () => !!cfEnv();
-    isBlockletServer = () => hasConfig("BLOCKLET_APP_ID");
+    isBlockletServer = () => hasConfig("BLOCKLET_DID");
     env_default = {
       ...import_env.env
     };
@@ -9140,17 +9157,230 @@ var init_apple_root_certs = __esm({
   }
 });
-// ../../blocklets/core/api/src/integrations/app-store/signed-data-verifier.ts
-async function getVerifier(bundleId, environment) {
-  const key = `${bundleId}:${environment}`;
-  const cached = verifierCache.get(key);
-  if (cached) return cached;
-  const mod = await import("@apple/app-store-server-library");
-  const env12 = environment === "production" ? mod.Environment.PRODUCTION : mod.Environment.SANDBOX;
-  const verifier = new mod.SignedDataVerifier(APPLE_ROOT_CERTS, false, env12, bundleId);
-  verifierCache.set(key, verifier);
-  return verifier;
+// ../../blocklets/core/api/src/integrations/app-store/native-asn1.ts
+function oidToDerTag(oid) {
+  const parts = oid.split(".").map((p) => Number.parseInt(p, 10));
+  if (parts.length < 2 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
+    throw new Error(`oidToDerTag: invalid OID "${oid}"`);
+  }
+  const content = [40 * parts[0] + parts[1]];
+  for (let i = 2; i < parts.length; i++) {
+    let v = parts[i];
+    const sevenBitGroups = [v & 127];
+    v = Math.floor(v / 128);
+    while (v > 0) {
+      sevenBitGroups.unshift(v & 127 | 128);
+      v = Math.floor(v / 128);
+    }
+    content.push(...sevenBitGroups);
+  }
+  if (content.length > 127) {
+    throw new Error(`oidToDerTag: OID "${oid}" content too long for single-byte length`);
+  }
+  return Buffer.from([6, content.length, ...content]);
+}
+function certHasOid(cert, oid) {
+  return Buffer.from(cert.raw).includes(oidToDerTag(oid));
+}
+var init_native_asn1 = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-asn1.ts"() {
+    "use strict";
+  }
+});
+// ../../blocklets/core/api/src/integrations/app-store/native-jws.ts
+function base64UrlToJson(segment, code) {
+  let text;
+  try {
+    text = Buffer.from(segment, "base64url").toString("utf8");
+  } catch {
+    throw new AppleJwsVerifyError(code, "segment is not valid base64url");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    throw new AppleJwsVerifyError(code, "segment is not valid JSON");
+  }
+  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new AppleJwsVerifyError(code, "segment is not a JSON object");
+  }
+  const out = parsed;
+  for (const key of ["__proto__", "constructor", "prototype"]) {
+    if (Object.prototype.hasOwnProperty.call(out, key)) {
+      delete out[key];
+    }
+  }
+  return out;
+}
+function buildCert(b64, label) {
+  try {
+    return new import_node_crypto.X509Certificate(Buffer.from(b64, "base64"));
+  } catch {
+    throw new AppleJwsVerifyError("MALFORMED_CERT", `${label} cert is not valid DER`);
+  }
+}
+function assertCertValid(cert, effectiveDate, label) {
+  const validFrom = Date.parse(cert.validFrom);
+  const validTo = Date.parse(cert.validTo);
+  if (Number.isNaN(validFrom) || Number.isNaN(validTo)) {
+    throw new AppleJwsVerifyError("CERT_VALIDITY", `${label} cert has unparseable validity dates`);
+  }
+  if (validFrom > effectiveDate + MAX_SKEW_MS) {
+    throw new AppleJwsVerifyError("CERT_NOT_YET_VALID", `${label} cert not valid until after signedDate`);
+  }
+  if (validTo < effectiveDate - MAX_SKEW_MS) {
+    throw new AppleJwsVerifyError("CERT_EXPIRED", `${label} cert expired before signedDate`);
+  }
+}
+async function verifyAppleJws(jws, opts = {}) {
+  const trustedRoots = opts.trustedRoots ?? APPLE_ROOT_CERTS;
+  const parts = jws.split(".");
+  if (parts.length !== 3) {
+    throw new AppleJwsVerifyError("FORMAT", "expected 3 JWS segments");
+  }
+  const [headerSeg, payloadSeg, signatureSeg] = parts;
+  const header = base64UrlToJson(headerSeg, "HEADER");
+  if (header.alg !== "ES256") {
+    throw new AppleJwsVerifyError("ALG", "only ES256 is accepted");
+  }
+  if (!Array.isArray(header.x5c) || header.x5c.length !== 3) {
+    throw new AppleJwsVerifyError("INVALID_CHAIN_LENGTH", "x5c must contain exactly 3 certs");
+  }
+  const leaf = buildCert(header.x5c[0], "leaf");
+  const intermediate = buildCert(header.x5c[1], "intermediate");
+  const rootFromJws = buildCert(header.x5c[2], "root");
+  const rootDer = Buffer.from(rootFromJws.raw);
+  const anchored = trustedRoots.some((trusted) => trusted.equals(rootDer));
+  if (!anchored) {
+    throw new AppleJwsVerifyError("ANCHOR", "presented root is not a trusted Apple root");
+  }
+  if (!intermediate.verify(rootFromJws.publicKey) || intermediate.issuer !== rootFromJws.subject) {
+    throw new AppleJwsVerifyError("CHAIN", "intermediate does not chain to root");
+  }
+  if (!leaf.verify(intermediate.publicKey) || leaf.issuer !== intermediate.subject) {
+    throw new AppleJwsVerifyError("CHAIN", "leaf does not chain to intermediate");
+  }
+  if (intermediate.ca !== true || !certHasOid(intermediate, APPLE_INTERMEDIATE_OID)) {
+    throw new AppleJwsVerifyError("OID", "intermediate missing CA flag or Apple OID");
+  }
+  if (!certHasOid(leaf, APPLE_LEAF_OID)) {
+    throw new AppleJwsVerifyError("OID", "leaf missing Apple OID");
+  }
+  const payload = base64UrlToJson(payloadSeg, "PAYLOAD");
+  const effectiveDate = opts.signedDate ?? (typeof payload.signedDate === "number" ? payload.signedDate : void 0);
+  if (typeof effectiveDate !== "number") {
+    throw new AppleJwsVerifyError("NO_SIGNED_DATE", "payload has no numeric signedDate to validate against");
+  }
+  assertCertValid(leaf, effectiveDate, "leaf");
+  assertCertValid(intermediate, effectiveDate, "intermediate");
+  assertCertValid(rootFromJws, effectiveDate, "root");
+  const spki = leaf.publicKey.export({ type: "spki", format: "der" });
+  const key = await crypto.subtle.importKey(
+    "spki",
+    spki,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+  const signature = Buffer.from(signatureSeg, "base64url");
+  const signingInput = Buffer.from(`${headerSeg}.${payloadSeg}`, "ascii");
+  const valid = await crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, key, signature, signingInput);
+  if (!valid) {
+    throw new AppleJwsVerifyError("SIGNATURE", "ES256 signature does not verify against the leaf key");
+  }
+  return payload;
+}
+var import_node_crypto, APPLE_LEAF_OID, APPLE_INTERMEDIATE_OID, MAX_SKEW_MS, AppleJwsVerifyError;
+var init_native_jws = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-jws.ts"() {
+    "use strict";
+    import_node_crypto = require("node:crypto");
+    init_apple_root_certs();
+    init_native_asn1();
+    APPLE_LEAF_OID = "1.2.840.113635.100.6.11.1";
+    APPLE_INTERMEDIATE_OID = "1.2.840.113635.100.6.2.1";
+    MAX_SKEW_MS = 6e4;
+    AppleJwsVerifyError = class extends Error {
+      constructor(code, detail) {
+        super(detail ? `AppStore JWS verify failed [${code}]: ${detail}` : `AppStore JWS verify failed [${code}]`);
+        this.name = "AppleJwsVerifyError";
+        this.code = code;
+      }
+    };
+  }
+});
+// ../../blocklets/core/api/src/integrations/app-store/native-api.ts
+function pemToDer(pem) {
+  const body = pem.replace(/-----BEGIN [^-]+-----/g, "").replace(/-----END [^-]+-----/g, "").replace(/\s+/g, "");
+  if (!body) {
+    throw new Error("AppStore API: private_key_pem is empty or not PEM-armored");
+  }
+  return Buffer.from(body, "base64");
+}
+async function signBearerJwt(creds) {
+  const header = { alg: "ES256", kid: creds.keyId, typ: "JWT" };
+  const iat = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: creds.issuerId,
+    iat,
+    exp: iat + JWT_TTL_SECONDS,
+    aud: "appstoreconnect-v1",
+    bid: creds.bundleId
+  };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signingInput = `${headerB64}.${payloadB64}`;
+  let key;
+  try {
+    key = await crypto.subtle.importKey(
+      "pkcs8",
+      pemToDer(creds.privateKeyPem),
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign"]
+    );
+  } catch {
+    throw new Error("AppStore API: private_key_pem is not a valid EC P-256 PKCS#8 key");
+  }
+  const signature = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    key,
+    Buffer.from(signingInput, "ascii")
+  );
+  return `${signingInput}.${Buffer.from(signature).toString("base64url")}`;
+}
+async function nativeGetAllSubscriptionStatuses(originalTransactionId, creds) {
+  if (!creds.issuerId || !creds.keyId || !creds.privateKeyPem) {
+    throw new Error("AppStore API: issuer_id/key_id/private_key_pem are required");
+  }
+  const host = creds.environment === "production" ? API_HOST_PRODUCTION : API_HOST_SANDBOX;
+  const url = `${host}/inApps/v1/subscriptions/${encodeURIComponent(originalTransactionId)}`;
+  const jwt = await signBearerJwt(creds);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: { Authorization: `Bearer ${jwt}`, Accept: "application/json" }
+  });
+  if (response.status === 404) {
+    return { data: [] };
+  }
+  if (!response.ok) {
+    throw new Error(`AppStore API: getAllSubscriptionStatuses failed with HTTP ${response.status}`);
+  }
+  return await response.json();
 }
+var API_HOST_PRODUCTION, API_HOST_SANDBOX, JWT_TTL_SECONDS;
+var init_native_api = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-api.ts"() {
+    "use strict";
+    API_HOST_PRODUCTION = "https://api.storekit.apple.com";
+    API_HOST_SANDBOX = "https://api.storekit-sandbox.apple.com";
+    JWT_TTL_SECONDS = 300;
+  }
+});
+// ../../blocklets/core/api/src/integrations/app-store/signed-data-verifier.ts
 function isSignatureVerificationSkipped() {
   if (!appStoreSkipSignatureVerify()) return false;
   if (isProduction()) {
@@ -9161,21 +9391,19 @@ function isSignatureVerificationSkipped() {
   }
   return true;
 }
-async function verifySignedTransaction(signedTransaction, bundleId, environment) {
+async function verifySignedTransaction(signedTransaction, _bundleId, _environment) {
   if (isSignatureVerificationSkipped()) {
     logger_default.warn("app_store: signature verification skipped via APP_STORE_SKIP_SIGNATURE_VERIFY");
     return decodeUnsafe(signedTransaction);
   }
-  const verifier = await getVerifier(bundleId, environment);
-  return verifier.verifyAndDecodeTransaction(signedTransaction);
+  return verifyAppleJws(signedTransaction);
 }
-async function verifySignedNotification(signedPayload, bundleId, environment) {
+async function verifySignedNotification(signedPayload, _bundleId, _environment) {
   if (isSignatureVerificationSkipped()) {
     logger_default.warn("app_store: signature verification skipped via APP_STORE_SKIP_SIGNATURE_VERIFY");
     return decodeUnsafe(signedPayload);
   }
-  const verifier = await getVerifier(bundleId, environment);
-  return verifier.verifyAndDecodeNotification(signedPayload);
+  return verifyAppleJws(signedPayload);
 }
 function decodeUnsafe(jws) {
   const parts = jws.split(".");
@@ -9188,41 +9416,85 @@ function decodeUnsafe(jws) {
     throw new Error(`AppStore JWS payload not valid JSON: ${err.message}`);
   }
 }
-async function getApiClient(creds) {
-  const key = `${creds.bundleId}:${creds.environment}:${creds.keyId}`;
-  const cached = apiClientCache.get(key);
-  if (cached) return cached;
-  const mod = await import("@apple/app-store-server-library");
-  const env12 = creds.environment === "production" ? mod.Environment.PRODUCTION : mod.Environment.SANDBOX;
-  const client = new mod.AppStoreServerAPIClient(creds.privateKeyPem, creds.keyId, creds.issuerId, creds.bundleId, env12);
-  apiClientCache.set(key, client);
-  return client;
-}
 async function getAllSubscriptionStatuses(originalTransactionId, creds) {
-  const client = await getApiClient(creds);
-  return client.getAllSubscriptionStatuses(originalTransactionId);
+  return nativeGetAllSubscriptionStatuses(originalTransactionId, creds);
 }
-var verifierCache, apiClientCache;
 var init_signed_data_verifier = __esm({
   "../../blocklets/core/api/src/integrations/app-store/signed-data-verifier.ts"() {
     "use strict";
     init_logger();
     init_env();
-    init_apple_root_certs();
-    verifierCache = /* @__PURE__ */ new Map();
-    apiClientCache = /* @__PURE__ */ new Map();
+    init_native_jws();
+    init_native_api();
+  }
+});
+// ../../blocklets/core/api/src/integrations/app-store/native-receipt.ts
+function toMs(v) {
+  if (v === void 0 || v === null || v === "") return void 0;
+  const n = Number(v);
+  return Number.isNaN(n) ? void 0 : n;
+}
+async function postReceipt(host, body) {
+  const response = await fetch(host, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    throw new Error(`AppStore verifyReceipt: HTTP ${response.status}`);
+  }
+  return await response.json();
+}
+async function verifyAppleReceiptNative({
+  receipt,
+  sharedSecret
+}) {
+  const body = {
+    "receipt-data": receipt,
+    password: sharedSecret,
+    // Deliberate, result-equivalent: client.ts reduces to the latest-expiry item
+    // anyway, so trimming old transactions here changes nothing downstream.
+    "exclude-old-transactions": true
+  };
+  let data = await postReceipt(PRODUCTION_HOST, body);
+  if (RETRY_SANDBOX_STATUSES.has(data.status)) {
+    data = await postReceipt(SANDBOX_HOST, body);
+  }
+  if (data.status !== 0) {
+    throw new Error(`AppStore verifyReceipt: Apple returned status ${data.status}`);
+  }
+  const rawItems = data.latest_receipt_info ?? data.receipt?.in_app ?? [];
+  const bundleId = data.receipt?.bundle_id;
+  return rawItems.map((item) => ({
+    productId: item.product_id ?? "",
+    transactionId: item.transaction_id ?? "",
+    originalTransactionId: item.original_transaction_id,
+    purchaseDate: toMs(item.purchase_date_ms),
+    expirationDate: toMs(item.expires_date_ms),
+    bundleId,
+    webOrderLineItemId: item.web_order_line_item_id
+  }));
+}
+var PRODUCTION_HOST, SANDBOX_HOST, RETRY_SANDBOX_STATUSES;
+var init_native_receipt = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-receipt.ts"() {
+    "use strict";
+    PRODUCTION_HOST = "https://buy.itunes.apple.com/verifyReceipt";
+    SANDBOX_HOST = "https://sandbox.itunes.apple.com/verifyReceipt";
+    RETRY_SANDBOX_STATUSES = /* @__PURE__ */ new Set([21007, 21002]);
   }
 });
 // ../../blocklets/core/api/src/integrations/app-store/client.ts
-var import_node_apple_receipt_verify, AppStoreClient;
+var AppStoreClient;
 var init_client = __esm({
   "../../blocklets/core/api/src/integrations/app-store/client.ts"() {
     "use strict";
-    import_node_apple_receipt_verify = require("node-apple-receipt-verify");
     init_env();
     init_logger();
     init_signed_data_verifier();
+    init_native_receipt();
     AppStoreClient = class _AppStoreClient {
       constructor(settings, environment) {
         this.bundleId = settings.bundle_id;
@@ -9327,9 +9599,9 @@ var init_client = __esm({
       /**
        * Verify a StoreKit 1 (legacy) base64 receipt via Apple's verifyReceipt endpoint.
        *
-       * Calls `node-apple-receipt-verify` which POSTs to
+       * Calls the native `verifyAppleReceiptNative` which POSTs to
        *   https://buy.itunes.apple.com/verifyReceipt   (production)
-       *   https://sandbox.itunes.apple.com/verifyReceipt (sandbox, auto fallback)
+       *   https://sandbox.itunes.apple.com/verifyReceipt (sandbox, auto fallback on 21007/21002)
        *
        * Returns a payload shaped like a StoreKit 2 transaction so downstream code
        * (ingestVerifiedAppStorePurchase) can stay agnostic. Note: legacy receipts
@@ -9343,12 +9615,7 @@ var init_client = __esm({
         if (!this.sharedSecret) {
           throw new Error("AppStoreClient: shared_secret is required for legacy receipt verification");
         }
-        (0, import_node_apple_receipt_verify.config)({
-          secret: this.sharedSecret,
-          verbose: false,
-          environment: ["production", "sandbox"]
-        });
-        const items = await (0, import_node_apple_receipt_verify.validate)({ receipt });
+        const items = await verifyAppleReceiptNative({ receipt, sharedSecret: this.sharedSecret });
         const filtered = options.expectedProductIds ? items.filter((i) => options.expectedProductIds.includes(i.productId)) : items;
         if (!filtered.length) {
           throw new Error("AppStoreClient: verifyReceipt returned no matching purchases");
@@ -33564,10 +33831,10 @@ async function handleSubscriptionOnPaymentFailure(subscription, eventType, clien
   const { interval } = subscription.pending_invoice_item_interval;
   const dueUnit = getDueUnit(interval);
   const cancelUpdates = {};
-  const daysUntilCancel2 = getDaysUntilCancel(subscription);
+  const daysUntilCancel = getDaysUntilCancel(subscription);
   const cancelSubscription = shouldCancelSubscription(subscription);
-  if (daysUntilCancel2 > 0) {
-    cancelUpdates.cancel_at = subscription.current_period_start + daysUntilCancel2 * dueUnit;
+  if (daysUntilCancel > 0) {
+    cancelUpdates.cancel_at = subscription.current_period_start + daysUntilCancel * dueUnit;
   } else {
     cancelUpdates.cancel_at_period_end = true;
   }
@@ -40506,10 +40773,10 @@ var init_payment2 = __esm({
         return updates.terminate;
       }
       const dueUnit = getDueUnit(interval);
-      const daysUntilCancel2 = getDaysUntilCancel(subscription);
+      const daysUntilCancel = getDaysUntilCancel(subscription);
       const cancelUpdates = {};
-      if (daysUntilCancel2 > 0) {
-        cancelUpdates.cancel_at = subscription.current_period_start + daysUntilCancel2 * dueUnit;
+      if (daysUntilCancel > 0) {
+        cancelUpdates.cancel_at = subscription.current_period_start + daysUntilCancel * dueUnit;
       } else {
         cancelUpdates.cancel_at_period_end = true;
       }
@@ -48902,7 +49169,7 @@ var init_subscriptions = __esm({
           description,
           metadata = {},
           days_until_due: daysUntilDue,
-          days_until_cancel: daysUntilCancel2,
+          days_until_cancel: daysUntilCancel,
           billing_cycle_anchor: billingCycleAnchor,
           collection_method: collectionMethod,
           proration_behavior: prorationBehavior,
@@ -48994,7 +49261,7 @@ var init_subscriptions = __esm({
           proration_behavior: prorationBehavior,
           payment_behavior: "default_incomplete",
           days_until_due: daysUntilDue,
-          days_until_cancel: daysUntilCancel2,
+          days_until_cancel: daysUntilCancel,
           metadata: formatMetadata(metadata),
           service_actions: serviceActions || []
         });
@@ -51456,10 +51723,10 @@ var init_subscriptions = __esm({
         updates.default_payment_method_id = arcblockMethod.id;
         if (body.recalculate_cancel_at !== false) {
           if (subscription.cancelation_details && !subscription.cancel_at) {
-            const daysUntilCancel2 = subscription.days_until_cancel || 0;
-            if (daysUntilCancel2 > 0) {
+            const daysUntilCancel = subscription.days_until_cancel || 0;
+            if (daysUntilCancel > 0) {
               const dueUnit = 24 * 60 * 60;
-              updates.cancel_at = subscription.current_period_start + daysUntilCancel2 * dueUnit;
+              updates.cancel_at = subscription.current_period_start + daysUntilCancel * dueUnit;
             } else {
               updates.cancel_at_period_end = true;
               updates.cancel_at = subscription.current_period_end;
@@ -71452,9 +71719,9 @@ async function handlePostConsumptionEvents(context2, params) {
       const cancelUpdates = {};
       const { interval } = context2.subscription.pending_invoice_item_interval;
       const dueUnit = getDueUnit(interval);
-      const daysUntilCancel2 = getDaysUntilCancel(context2.subscription);
-      if (daysUntilCancel2 > 0) {
-        cancelUpdates.cancel_at = context2.subscription.current_period_start + daysUntilCancel2 * dueUnit;
+      const daysUntilCancel = getDaysUntilCancel(context2.subscription);
+      if (daysUntilCancel > 0) {
+        cancelUpdates.cancel_at = context2.subscription.current_period_start + daysUntilCancel * dueUnit;
       } else {
         cancelUpdates.cancel_at_period_end = true;
       }
@@ -77671,9 +77938,52 @@ var init_service2 = __esm({
   }
 });
+// ../../blocklets/core/api/src/host-glue.ts
+var host_glue_exports = {};
+__export(host_glue_exports, {
+  PAYMENT_PREFIX: () => PAYMENT_PREFIX,
+  USER_HEADERS: () => USER_HEADERS,
+  createTenantProvisioner: () => createTenantProvisioner,
+  injectCaller: () => injectCaller
+});
+function injectCaller(headers, caller) {
+  for (const h of USER_HEADERS) headers.delete(h);
+  if (!caller) return;
+  const canonicalDid2 = caller.did?.startsWith("did:abt:") ? caller.did : `did:abt:${caller.did}`;
+  headers.set("x-user-did", canonicalDid2);
+  headers.set("x-user-role", caller.role || "guest");
+  headers.set("x-user-provider", caller.authMethod === "access-key" ? "access-key" : caller.authMethod || "wallet");
+  headers.set("x-user-fullname", encodeURIComponent(caller.displayName || ""));
+  headers.set("x-user-wallet-os", "");
+}
+function createTenantProvisioner(provision) {
+  const inflight = /* @__PURE__ */ new Map();
+  return (instanceDid) => {
+    if (!instanceDid) return Promise.resolve();
+    let p = inflight.get(instanceDid);
+    if (!p) {
+      p = provision(instanceDid).catch((err) => {
+        inflight.delete(instanceDid);
+        throw err;
+      });
+      inflight.set(instanceDid, p);
+    }
+    return p;
+  };
+}
+var PAYMENT_PREFIX, USER_HEADERS;
+var init_host_glue = __esm({
+  "../../blocklets/core/api/src/host-glue.ts"() {
+    "use strict";
+    PAYMENT_PREFIX = "/.well-known/payment";
+    USER_HEADERS = ["x-user-did", "x-user-role", "x-user-provider", "x-user-fullname", "x-user-wallet-os"];
+  }
+});
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  PAYMENT_PREFIX: () => PAYMENT_PREFIX2,
   applyPaymentCoreMigrations: () => applyPaymentCoreMigrations2,
   applySqlMigrations: () => applySqlMigrations2,
   createAuthStorage: () => createAuthStorage2,
@@ -77689,11 +77999,13 @@ __export(src_exports, {
   createNodeDbDriver: () => createNodeDbDriver2,
   createNodeDidConnectRuntime: () => createNodeDidConnectRuntime2,
   createNodeStaticHandler: () => createNodeStaticHandler2,
+  createTenantProvisioner: () => createTenantProvisioner2,
   getCronDriver: () => getCronDriver2,
   getIdentityDriver: () => getIdentityDriver2,
   getPaymentCoreSqlMigrations: () => getPaymentCoreSqlMigrations,
   getQueueHostHooks: () => getQueueHostHooks2,
   getSecretsDriver: () => getSecretsDriver2,
+  injectCaller: () => injectCaller2,
   matchesCron: () => matchesCron2,
   nodeQueueHostHooks: () => nodeQueueHostHooks2,
   scopedLockName: () => scopedLockName2,
@@ -77800,8 +78112,16 @@ function createEmbeddedPaymentService2(slots) {
   const core = (init_service2(), __toCommonJS(service_exports));
   return core.createEmbeddedPaymentService(slots);
 }
+var PAYMENT_PREFIX2 = "/.well-known/payment";
+function injectCaller2(headers, caller) {
+  return (init_host_glue(), __toCommonJS(host_glue_exports)).injectCaller(headers, caller);
+}
+function createTenantProvisioner2(provision) {
+  return (init_host_glue(), __toCommonJS(host_glue_exports)).createTenantProvisioner(provision);
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  PAYMENT_PREFIX,
   applyPaymentCoreMigrations,
   applySqlMigrations,
   createAuthStorage,
@@ -77817,11 +78137,13 @@ function createEmbeddedPaymentService2(slots) {
   createNodeDbDriver,
   createNodeDidConnectRuntime,
   createNodeStaticHandler,
+  createTenantProvisioner,
   getCronDriver,
   getIdentityDriver,
   getPaymentCoreSqlMigrations,
   getQueueHostHooks,
   getSecretsDriver,
+  injectCaller,
   matchesCron,
   nodeQueueHostHooks,
   scopedLockName,