@arcblock/payment-service 1.29.8 → 1.29.10

package/dist/index.js

@@ -410,6 +410,7 @@ __export(env_exports, {
   stripePaymentCronTime: () => stripePaymentCronTime,
   stripeSubscriptionCronTime: () => stripeSubscriptionCronTime,
   stripeWebhookSecret: () => stripeWebhookSecret,
+  stripeWebhookUrl: () => stripeWebhookUrl,
   subscriptionCronTime: () => subscriptionCronTime,
   systemMaxPendingAmount: () => systemMaxPendingAmount,
   tenantModeRaw: () => tenantModeRaw,
@@ -436,7 +437,7 @@ function hasConfig(key) {
   const v = readConfig(key);
   return v !== void 0 && v !== "";
 }
-var import_env, activeConfig, numConfig, TRUTHY, FALSY, parseBool, readConfigAny, paymentStatCronTime, subscriptionCronTime, notificationCronTime, expiredSessionCleanupCronTime, notificationCronConcurrency, stripeInvoiceCronTime, stripePaymentCronTime, stripeSubscriptionCronTime, revokeStakeCronTime, meteringSubscriptionDetectionCronTime, overdueDetectionCronTime, overdueThreshold, depositVaultCronTime, creditConsumptionCronTime, vendorStatusCheckCronTime, vendorReturnScanCronTime, iapReconcileCronTime, eventRetryCronTime, quoteCleanupCronTime, vendorTimeoutMinutes, webhookAlertWindowMinutes, webhookAlertMinFailures, shortUrlApiKey, shortUrlDomain, sequelizeOptionsPoolMin, sequelizeOptionsPoolMax, sequelizeOptionsPoolIdle, updateDataConcurrency, stopAcceptingOrders, exchangeRateCacheTTLSeconds, systemMaxPendingAmount, allowChangeLockedPrice, blockletMode, isProduction, nodeEnv, isTestEnv, isDevelopmentEnv, enableDevFakeAuth, tenantModeRaw, blockletAppPid, blockletAppId, blockletAppName, blockletAppUrl, blockletAppHost, blockletAppDir, blockletPort, blockletMountPoints, appStoreWriteEnabled, appStoreSkipSignatureVerify, googlePubsubSkipSignatureVerify, googlePubsubPushServiceAccount, googlePubsubAllowUnverifiedSender, googlePlayWebhookUrl, stripeWebhookSecret, iapReconcileBatchSize, paymentBillingThreshold, paymentMinStakeAmount, paymentDaysUntilDue, paymentDaysUntilCancel, paymentReloadSubscriptionJobs, paymentRateVolatilityThreshold, paymentLivemode, creditLowBalanceThresholdPercentage, creditBatchSize, creditBatchWindowMs, creditQueueConcurrency, exchangeRateCacheTTLFromEnv, sqlLog, sqlBenchmark, cfEnv, isCfWorker, isBlockletServer, env_default;
+var import_env, activeConfig, numConfig, TRUTHY, FALSY, parseBool, readConfigAny, paymentStatCronTime, subscriptionCronTime, notificationCronTime, expiredSessionCleanupCronTime, notificationCronConcurrency, stripeInvoiceCronTime, stripePaymentCronTime, stripeSubscriptionCronTime, revokeStakeCronTime, meteringSubscriptionDetectionCronTime, overdueDetectionCronTime, overdueThreshold, depositVaultCronTime, creditConsumptionCronTime, vendorStatusCheckCronTime, vendorReturnScanCronTime, iapReconcileCronTime, eventRetryCronTime, quoteCleanupCronTime, vendorTimeoutMinutes, webhookAlertWindowMinutes, webhookAlertMinFailures, shortUrlApiKey, shortUrlDomain, sequelizeOptionsPoolMin, sequelizeOptionsPoolMax, sequelizeOptionsPoolIdle, updateDataConcurrency, stopAcceptingOrders, exchangeRateCacheTTLSeconds, systemMaxPendingAmount, allowChangeLockedPrice, blockletMode, isProduction, nodeEnv, isTestEnv, isDevelopmentEnv, enableDevFakeAuth, tenantModeRaw, blockletAppPid, blockletAppId, blockletAppName, blockletAppUrl, blockletAppHost, blockletAppDir, blockletPort, blockletMountPoints, appStoreWriteEnabled, appStoreSkipSignatureVerify, googlePubsubSkipSignatureVerify, googlePubsubPushServiceAccount, googlePubsubAllowUnverifiedSender, googlePlayWebhookUrl, stripeWebhookSecret, stripeWebhookUrl, iapReconcileBatchSize, paymentBillingThreshold, paymentMinStakeAmount, paymentDaysUntilDue, paymentDaysUntilCancel, paymentReloadSubscriptionJobs, paymentRateVolatilityThreshold, paymentLivemode, creditLowBalanceThresholdPercentage, creditBatchSize, creditBatchWindowMs, creditQueueConcurrency, exchangeRateCacheTTLFromEnv, sqlLog, sqlBenchmark, cfEnv, isCfWorker, isBlockletServer, env_default;
 var init_env = __esm({
   "../../blocklets/core/api/src/libs/env.ts"() {
     "use strict";
@@ -518,6 +519,7 @@ var init_env = __esm({
     googlePubsubAllowUnverifiedSender = () => parseBool(readConfig("GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER"));
     googlePlayWebhookUrl = () => readConfig("GOOGLE_PLAY_WEBHOOK_URL");
     stripeWebhookSecret = () => readConfig("STRIPE_WEBHOOK_SECRET");
+    stripeWebhookUrl = () => readConfig("STRIPE_WEBHOOK_URL");
     iapReconcileBatchSize = () => Number(readConfig("IAP_RECONCILE_BATCH_SIZE") ?? "100");
     paymentBillingThreshold = () => +readConfig("PAYMENT_BILLING_THRESHOLD");
     paymentMinStakeAmount = () => +readConfig("PAYMENT_MIN_STAKE_AMOUNT");
@@ -1132,6 +1134,10 @@ var init_context = __esm({
       peekInstanceDid() {
         return this.storage.getStore()?.instanceDid;
       }
+      /** Request-scoped externally reachable payment base URL, when supplied by an embedded host. */
+      peekPublicBaseUrl() {
+        return this.storage.getStore()?.publicBaseUrl;
+      }
       /**
        * Run fn as a system operation: TenantModel scoping is bypassed for the span
        * of fn so legitimate cross-tenant reads can load rows regardless of tenant.
@@ -1149,13 +1155,15 @@ var init_context = __esm({
       run(context2, fn3) {
         const requestId = context2.requestId || `req_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
         const instanceDid = context2.instanceDid ?? this.storage.getStore()?.instanceDid;
+        const publicBaseUrl = context2.publicBaseUrl ?? this.storage.getStore()?.publicBaseUrl;
         this.contexts.set(requestId, {
           ...context2,
           instanceDid,
+          publicBaseUrl,
           requestId
         });
         return new Promise((resolve, reject) => {
-          this.storage.run({ ...context2, instanceDid, requestId }, async () => {
+          this.storage.run({ ...context2, instanceDid, publicBaseUrl, requestId }, async () => {
             const resource = new import_async_hooks.AsyncResource("RequestContext");
             try {
               const result = await resource.runInAsyncScope(fn3);
@@ -1203,6 +1211,24 @@ var init_logger = __esm({
   }
 });
 
+// ../../blocklets/core/api/src/libs/secrets.ts
+function encryptSecret(value) {
+  return getSecretsDriver().encryptSync(getInstanceDid(), value);
+}
+function decryptSecret(value) {
+  return getSecretsDriver().decryptSync(getInstanceDid(), value);
+}
+function warmupSecrets(instanceDid) {
+  return getSecretsDriver().warmup(instanceDid ?? getInstanceDid());
+}
+var init_secrets2 = __esm({
+  "../../blocklets/core/api/src/libs/secrets.ts"() {
+    "use strict";
+    init_context();
+    init_secrets();
+  }
+});
+
 // ../../blocklets/core/api/src/libs/did-connect/tenant-identity.ts
 var tenant_identity_exports = {};
 __export(tenant_identity_exports, {
@@ -1274,7 +1300,14 @@ async function warmTenantIdentity(instanceDidArg) {
   try {
     await resolveTenantIdentity(instanceDidArg);
   } catch (err) {
-    logger_default.warn("[tenant-identity] warm failed \u2014 wallet access will fail-closed", {
+    logger_default.warn("[tenant-identity] wallet identity warm failed \u2014 wallet access will fail-closed", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+  }
+  try {
+    await warmupSecrets(instanceDidArg);
+  } catch (err) {
+    logger_default.warn("[tenant-identity] secrets warm failed \u2014 settings/Stripe decrypt will fail-closed", {
       error: err instanceof Error ? err.message : String(err)
     });
   }
@@ -1299,6 +1332,7 @@ var init_tenant_identity = __esm({
     init_context();
     init_drivers();
     init_logger();
+    init_secrets2();
     walletType = {
       role: Mcrypto.types.RoleType.ROLE_APPLICATION,
       pk: Mcrypto.types.KeyType.ED25519,
@@ -1773,6 +1807,13 @@ var init_auth = __esm({
 });
 
 // ../../blocklets/core/api/src/libs/util.ts
+function getPublicAssetUrl(assetUrl) {
+  if (!assetUrl || !assetUrl.startsWith("/") || assetUrl.startsWith("//")) return assetUrl;
+  const basePath = readConfig("PAYMENT_PUBLIC_BASE_PATH");
+  if (!basePath) return (0, import_component.getUrl)(assetUrl);
+  if (assetUrl === basePath || assetUrl.startsWith(`${basePath}/`)) return assetUrl;
+  return (0, import_ufo.joinURL)(basePath, assetUrl);
+}
 function md5(input) {
   return import_crypto2.default.createHash("md5").update(input).digest("hex");
 }
@@ -2197,7 +2238,7 @@ function formatLinkWithLocale(url, locale) {
     return `${url}${separator}locale=${locale}`;
   }
 }
-var import_crypto2, import_stream, import_consumers, import_component, import_env4, import_did, import_cbor, import_nanoid, import_ufo, import_axios, import_util, import_get, import_trimEnd, OCAP_PAYMENT_TX_TYPE, MAX_SUBSCRIPTION_ITEM_COUNT, MAX_RETRY_COUNT, MIN_RETRY_MAIL, CHECKOUT_SESSION_TTL, STRIPE_API_VERSION, STRIPE_ENDPOINT, googlePlayEndpoint, GOOGLE_PLAY_ENDPOINT, APP_STORE_ENDPOINT, STRIPE_EVENTS, api, getNextRetry, getWebhookJobId, cachedBlockletJsonResult, CACHE_TTL, CURRENCY_SYMBOLS;
+var import_crypto2, import_stream, import_consumers, import_component, import_env4, import_did, import_cbor, import_nanoid, import_ufo, import_axios, import_util, import_get, import_trimEnd, OCAP_PAYMENT_TX_TYPE, MAX_SUBSCRIPTION_ITEM_COUNT, MAX_RETRY_COUNT, MIN_RETRY_MAIL, CHECKOUT_SESSION_TTL, STRIPE_API_VERSION, stripeEndpoint, googlePlayEndpoint, GOOGLE_PLAY_ENDPOINT, APP_STORE_ENDPOINT, STRIPE_EVENTS, api, getNextRetry, getWebhookJobId, cachedBlockletJsonResult, CACHE_TTL, CURRENCY_SYMBOLS;
 var init_util = __esm({
   "../../blocklets/core/api/src/libs/util.ts"() {
     "use strict";
@@ -2215,6 +2256,7 @@ var init_util = __esm({
     import_get = __toESM(require("lodash/get"));
     import_trimEnd = __toESM(require("lodash/trimEnd"));
     init_env();
+    init_context();
     init_dayjs();
     init_auth();
     init_logger();
@@ -2224,7 +2266,13 @@ var init_util = __esm({
     MIN_RETRY_MAIL = 13;
     CHECKOUT_SESSION_TTL = 6 * 60 * 60;
     STRIPE_API_VERSION = "2023-08-16";
-    STRIPE_ENDPOINT = (0, import_component.getUrl)("/api/integrations/stripe/webhook");
+    stripeEndpoint = () => {
+      const override = stripeWebhookUrl();
+      if (override) return override;
+      const publicBaseUrl = context.peekPublicBaseUrl();
+      if (publicBaseUrl) return (0, import_ufo.joinURL)(publicBaseUrl, "/api/integrations/stripe/webhook");
+      return (0, import_component.getUrl)("/api/integrations/stripe/webhook");
+    };
     googlePlayEndpoint = () => googlePlayWebhookUrl() || (0, import_component.getUrl)("/api/integrations/google-play/webhook");
     GOOGLE_PLAY_ENDPOINT = googlePlayEndpoint();
     APP_STORE_ENDPOINT = (0, import_component.getUrl)("/api/integrations/app-store/webhook");
@@ -2314,6 +2362,11 @@ var init_payment_currency = __esm({
     init_util();
     nextId = createIdGenerator("pc", 12);
     PaymentCurrency = class _PaymentCurrency extends TenantModel {
+      toJSON() {
+        const data = super.toJSON();
+        if (data.logo) data.logo = getPublicAssetUrl(data.logo);
+        return data;
+      }
       static {
         this.GENESIS_ATTRIBUTES = {
           id: {
@@ -6589,6 +6642,23 @@ var init_customer = __esm({
 });
 
 // ../../blocklets/core/api/src/middlewares/hono/security.ts
+function stripDidPrefix(did) {
+  if (!did) return "";
+  return did.startsWith("did:abt:") ? did.slice("did:abt:".length) : did;
+}
+function isSameDid(a, b) {
+  const x = stripDidPrefix(a);
+  const y = stripDidPrefix(b);
+  return !!x && x === y;
+}
+async function findCustomerByEitherDid(did) {
+  if (!did) return null;
+  const bare = stripDidPrefix(did);
+  if (!bare) return null;
+  const prefixed = `did:abt:${bare}`;
+  const found = await Customer.findOne({ where: { did: [bare, prefixed] } });
+  return found;
+}
 function authenticate({
   component: component4,
   roles,
@@ -6704,7 +6774,7 @@ function authenticate({
         return next();
       }
       if (mine) {
-        const customer = await Customer.findOne({ where: { did: user4.did } });
+        const customer = await findCustomerByEitherDid(user4.did);
         if (customer) {
           c.set("customer", customer);
           c.set("customer_id", customer.id);
@@ -6716,7 +6786,7 @@ function authenticate({
         const id = c.req.param("id");
         const doc = findById && typeof findById === "function" ? await findById(id) : await model.findByPk(id);
         if (doc && doc[field]) {
-          const customer = await Customer.findOne({ where: { did: user4.did } });
+          const customer = await findCustomerByEitherDid(user4.did);
           c.set("doc", doc);
           c.set("customer", customer);
           if (customer && customer.id === doc[field]) {
@@ -9126,21 +9196,6 @@ var init_payment_link = __esm({
   }
 });
 
-// ../../blocklets/core/api/src/libs/secrets.ts
-function encryptSecret(value) {
-  return getSecretsDriver().encryptSync(getInstanceDid(), value);
-}
-function decryptSecret(value) {
-  return getSecretsDriver().decryptSync(getInstanceDid(), value);
-}
-var init_secrets2 = __esm({
-  "../../blocklets/core/api/src/libs/secrets.ts"() {
-    "use strict";
-    init_context();
-    init_secrets();
-  }
-});
-
 // ../../blocklets/core/api/src/integrations/app-store/apple-root-certs.ts
 var APPLE_INC_ROOT_B64, APPLE_ROOT_CA_G2_B64, APPLE_ROOT_CA_G3_B64, APPLE_ROOT_CERTS;
 var init_apple_root_certs = __esm({
@@ -9416,7 +9471,7 @@ function decodeUnsafe(jws) {
     throw new Error(`AppStore JWS payload not valid JSON: ${err.message}`);
   }
 }
-async function getAllSubscriptionStatuses(originalTransactionId, creds) {
+function getAllSubscriptionStatuses(originalTransactionId, creds) {
   return nativeGetAllSubscriptionStatuses(originalTransactionId, creds);
 }
 var init_signed_data_verifier = __esm({
@@ -9983,6 +10038,11 @@ var init_payment_method = __esm({
     googlePlayClients = /* @__PURE__ */ new Map();
     appStoreClients = /* @__PURE__ */ new Map();
     PaymentMethod = class _PaymentMethod extends TenantModel {
+      toJSON() {
+        const data = super.toJSON();
+        if (data.logo) data.logo = getPublicAssetUrl(data.logo);
+        return data;
+      }
       static {
         this.GENESIS_ATTRIBUTES = {
           id: {
@@ -10078,11 +10138,13 @@ var init_payment_method = __esm({
       }
       static encryptSettings(settings) {
         const tmp = (0, import_cloneDeep3.default)(settings);
-        if (tmp.stripe) {
+        if (tmp.stripe?.secret_key) {
           tmp.stripe.secret_key = encryptSecret(tmp.stripe.secret_key);
+        }
+        if (tmp.stripe?.webhook_signing_secret) {
           tmp.stripe.webhook_signing_secret = encryptSecret(tmp.stripe.webhook_signing_secret);
         }
-        if (tmp.google_play) {
+        if (tmp.google_play?.service_account_json) {
           tmp.google_play.service_account_json = encryptSecret(tmp.google_play.service_account_json);
         }
         if (tmp.app_store?.private_key_pem) {
@@ -10095,11 +10157,13 @@ var init_payment_method = __esm({
       }
       static decryptSettings(settings) {
         const tmp = (0, import_cloneDeep3.default)(settings);
-        if (tmp.stripe) {
+        if (tmp.stripe?.secret_key) {
           tmp.stripe.secret_key = decryptSecret(tmp.stripe.secret_key);
+        }
+        if (tmp.stripe?.webhook_signing_secret) {
           tmp.stripe.webhook_signing_secret = decryptSecret(tmp.stripe.webhook_signing_secret);
         }
-        if (tmp.google_play) {
+        if (tmp.google_play?.service_account_json) {
           tmp.google_play.service_account_json = decryptSecret(tmp.google_play.service_account_json);
         }
         if (tmp.app_store?.private_key_pem) {
@@ -10145,7 +10209,7 @@ var init_payment_method = __esm({
         const host = this.settings.arcblock?.api_host;
         const cached = ocapClients.has(host);
         if (!cached) {
-          const created = new import_client.default(host);
+          const created = new import_client.default(host, false);
           ocapClients.set(host, created);
           return created;
         }
@@ -15924,6 +15988,18 @@ function sessionMiddleware(options = {}) {
     } catch (err) {
       return c.json({ error: err.message }, 401);
     }
+    if (!result) {
+      const injectedDid = c.req.header("x-user-did");
+      if (injectedDid) {
+        result = {
+          did: injectedDid,
+          role: c.req.header("x-user-role"),
+          provider: c.req.header("x-user-provider"),
+          fullName: decodeURIComponent(c.req.header("x-user-fullname") || ""),
+          walletOS: c.req.header("x-user-wallet-os") || ""
+        };
+      }
+    }
     if (result) {
       c.set("user", result);
     }
@@ -22781,10 +22857,11 @@ __export(notification_exports, {
   ensureBlockletSdkTransportGuard: () => ensureBlockletSdkTransportGuard
 });
 function noopSdkTransport(mod, fns) {
-  const noop = async () => void 0;
+  const noop = () => Promise.resolve(void 0);
   for (const target of [mod, mod?.default]) {
-    if (!target) continue;
-    for (const fn3 of fns) target[fn3] = noop;
+    if (target) {
+      for (const fn3 of fns) target[fn3] = noop;
+    }
   }
 }
 function ensureBlockletSdkTransportGuard() {
@@ -33771,7 +33848,7 @@ async function handleSubscriptionEvent(event, _) {
     if (["incomplete", "incomplete_expired"].includes(subscription.status)) {
       logger_default.warn("subscription not ended on stripe event", { id: subscription.id });
     } else {
-      await subscription.update({ status: "canceled", ended_at: event.data.object.ended_at });
+      await subscription.update({ status: "canceled", end_at: event.data.object.ended_at });
       logger_default.info("subscription ended on stripe event", { id: subscription.id });
     }
   }
@@ -34424,7 +34501,8 @@ async function handleStripePaymentSucceed(paymentIntent, event) {
   await handlePaymentSucceed(paymentIntent, triggerRenew);
 }
 async function syncStripePayment(paymentIntent) {
-  if (!paymentIntent?.metadata?.stripe_id) {
+  const stripePaymentIntentId = paymentIntent?.payment_details?.stripe?.payment_intent_id || paymentIntent?.metadata?.stripe_id;
+  if (!stripePaymentIntentId) {
     return;
   }
   const method = await PaymentMethod.findByPk(paymentIntent.payment_method_id);
@@ -34433,7 +34511,7 @@ async function syncStripePayment(paymentIntent) {
   }
   const triggerRenew = paymentIntent.status !== "succeeded";
   const client = await method.getStripeClient();
-  const stripeIntent = await client.paymentIntents.retrieve(paymentIntent.metadata.stripe_id);
+  const stripeIntent = await client.paymentIntents.retrieve(stripePaymentIntentId);
   if (stripeIntent) {
     await paymentIntent.update({
       amount: String(stripeIntent.amount),
@@ -42576,6 +42654,85 @@ var init_url = __esm({
   }
 });
 
+// ../../blocklets/core/api/src/integrations/stripe/reconcile-checkout-core.ts
+async function reconcileStripeCheckoutSessionWithDeps(sessionId, deps) {
+  const checkoutSession = await deps.findCheckoutSession(sessionId);
+  if (!checkoutSession) {
+    throw new Error("Checkout session not found");
+  }
+  if (checkoutSession.status === "complete") {
+    return {
+      status: checkoutSession.status,
+      paymentStatus: checkoutSession.payment_status,
+      reconciled: false
+    };
+  }
+  let reconciled = false;
+  if (checkoutSession.payment_intent_id) {
+    const paymentIntent = await deps.findPaymentIntent(checkoutSession.payment_intent_id);
+    if (paymentIntent && paymentIntent.status !== "succeeded") {
+      await deps.syncPayment(paymentIntent);
+      reconciled = true;
+    }
+  }
+  const subscriptionIds = deps.getSubscriptionIds(checkoutSession);
+  if (subscriptionIds.length > 0) {
+    const subscriptions = await deps.findSubscriptions(subscriptionIds);
+    for (const subscription of subscriptions) {
+      if (subscription.status === "incomplete") {
+        await deps.syncSubscription(subscription);
+        reconciled = true;
+      }
+    }
+  }
+  await checkoutSession.reload();
+  return {
+    status: checkoutSession.status,
+    paymentStatus: checkoutSession.payment_status,
+    reconciled
+  };
+}
+var init_reconcile_checkout_core = __esm({
+  "../../blocklets/core/api/src/integrations/stripe/reconcile-checkout-core.ts"() {
+    "use strict";
+  }
+});
+
+// ../../blocklets/core/api/src/integrations/stripe/reconcile-checkout.ts
+async function syncSubscription(subscription) {
+  if (!subscription.payment_details?.stripe?.subscription_id) return;
+  const method = await PaymentMethod.findByPk(subscription.default_payment_method_id);
+  if (!method || method.type !== "stripe") return;
+  const remote = await method.getStripeClient().subscriptions.retrieve(subscription.payment_details.stripe.subscription_id, {
+    expand: ["latest_invoice.payment_intent", "pending_setup_intent"]
+  });
+  if (["active", "trialing"].includes(remote.status)) {
+    await handleStripeSubscriptionSucceed(subscription, remote.status);
+  }
+}
+function reconcileStripeCheckoutSession(sessionId, deps = defaultDeps) {
+  return reconcileStripeCheckoutSessionWithDeps(sessionId, deps);
+}
+var defaultDeps;
+var init_reconcile_checkout = __esm({
+  "../../blocklets/core/api/src/integrations/stripe/reconcile-checkout.ts"() {
+    "use strict";
+    init_session2();
+    init_models();
+    init_payment_intent2();
+    init_subscription3();
+    init_reconcile_checkout_core();
+    defaultDeps = {
+      findCheckoutSession: (id) => CheckoutSession.findByPk(id),
+      findPaymentIntent: (id) => PaymentIntent.findByPk(id),
+      getSubscriptionIds: getCheckoutSessionSubscriptionIds,
+      findSubscriptions: (ids) => Subscription.findAll({ where: { id: ids } }),
+      syncPayment: syncStripePayment,
+      syncSubscription
+    };
+  }
+});
+
 // ../../blocklets/core/api/src/routes/hono/checkout-sessions.ts
 async function validateInventory(line_items, includePendingQuantity = false) {
   const checks = line_items.map((item) => async () => {
@@ -43921,6 +44078,7 @@ var init_checkout_sessions = __esm({
     init_token_address_mapping();
     init_sequelize();
     init_session();
+    init_reconcile_checkout();
     app6 = new import_hono6.Hono();
     user2 = sessionMiddleware({ accessKey: true });
     auth6 = authenticate({ component: true, roles: ["owner", "admin"] });
@@ -44237,6 +44395,27 @@ var init_checkout_sessions = __esm({
         paymentIntent: piStatus
       });
     });
+    app6.post("/:id/stripe-reconcile", user2, async (c) => {
+      const currentUser = c.get("user");
+      if (!currentUser) {
+        return c.json({ error: "Unauthorized" }, 403);
+      }
+      const doc = await CheckoutSession.findByPk(c.req.param("id"), {
+        attributes: ["id", "customer_did"]
+      });
+      if (!doc) {
+        return c.json({ error: "Checkout session not found" }, 404);
+      }
+      if (!["owner", "admin"].includes(currentUser.role) && !isSameDid(doc.customer_did, currentUser.did)) {
+        return c.json({ error: "Not authorized to reconcile this checkout session" }, 403);
+      }
+      try {
+        return c.json(await reconcileStripeCheckoutSession(doc.id));
+      } catch (err) {
+        logger_default.error("stripe checkout reconciliation failed", { checkoutSessionId: doc.id, error: err });
+        return c.json({ error: err.message }, 502);
+      }
+    });
     app6.get("/retrieve/:id", user2, async (c) => {
       const doc = await CheckoutSession.findByPk(c.req.param("id"));
       if (!doc) {
@@ -44725,21 +44904,23 @@ var init_checkout_sessions = __esm({
             invoice_prefix: Customer.getInvoicePrefix()
           });
           logger_default.info("customer created on checkout session submit", { did: c.get("user").did, id: customer.id });
-          try {
-            await blocklet.updateUserAddress(
-              {
-                did: customer.did,
-                address: Customer.formatAddressFromCustomer(customer)
-              },
-              {
-                headers: {
-                  cookie: c.req.header("cookie") || ""
+          if (isBlockletServer()) {
+            try {
+              await blocklet.updateUserAddress(
+                {
+                  did: customer.did,
+                  address: Customer.formatAddressFromCustomer(customer)
+                },
+                {
+                  headers: {
+                    cookie: c.req.header("cookie") || ""
+                  }
                 }
-              }
-            );
-            logger_default.info("updateUserAddress success", { did: customer.did });
-          } catch (err) {
-            logger_default.error("updateUserAddress failed", { error: err, customerId: customer.id });
+              );
+              logger_default.info("updateUserAddress success", { did: customer.did });
+            } catch (err) {
+              logger_default.error("updateUserAddress failed", { error: err, customerId: customer.id });
+            }
           }
         } else {
           const updates = {};
@@ -44765,23 +44946,25 @@ var init_checkout_sessions = __esm({
           } else {
             await customer.update(updates);
             logger_default.info("customer updated", { did: customer.did });
-            try {
-              await blocklet.updateUserAddress(
-                {
-                  did: customer.did,
-                  address: Customer.formatAddressFromCustomer(customer),
-                  // @ts-ignore
-                  phone: customer.phone
-                },
-                {
-                  headers: {
-                    cookie: c.req.header("cookie") || ""
+            if (isBlockletServer()) {
+              try {
+                await blocklet.updateUserAddress(
+                  {
+                    did: customer.did,
+                    address: Customer.formatAddressFromCustomer(customer),
+                    // @ts-ignore
+                    phone: customer.phone
+                  },
+                  {
+                    headers: {
+                      cookie: c.req.header("cookie") || ""
+                    }
                   }
-                }
-              );
-              logger_default.info("updateUserAddress success", { did: customer.did });
-            } catch (err) {
-              logger_default.error("updateUserAddress failed", { error: err, customerId: customer.id });
+                );
+                logger_default.info("updateUserAddress success", { did: customer.did });
+              } catch (err) {
+                logger_default.error("updateUserAddress failed", { error: err, customerId: customer.id });
+              }
             }
           }
         }
@@ -47455,7 +47638,7 @@ async function ensureWebhookRegistered() {
     const exist = data.find((webhook) => webhook.metadata?.appPid === import_env29.env.appPid);
     if (exist) {
       await stripe.webhookEndpoints.update(exist.id, {
-        url: STRIPE_ENDPOINT,
+        url: stripeEndpoint(),
         description: import_env29.env.appName,
         enabled_events: STRIPE_EVENTS,
         disabled: false
@@ -47463,7 +47646,7 @@ async function ensureWebhookRegistered() {
       logger_default.info("stripe webhook updated");
     } else {
       const result = await stripe.webhookEndpoints.create({
-        url: STRIPE_ENDPOINT,
+        url: stripeEndpoint(),
         description: import_env29.env.appName,
         enabled_events: STRIPE_EVENTS,
         api_version: STRIPE_API_VERSION,
@@ -47609,7 +47792,9 @@ var init_payment_methods = __esm({
           metadata: {}
         });
         await method.update({ default_currency_id: currency.id });
-        ensureWebhookRegistered().catch(console.error);
+        ensureWebhookRegistered().catch(
+          (err) => logger_default.error("ensureWebhookRegistered failed (payments may not reconcile in real-time)", err)
+        );
         return c.json({ ...method.toJSON(), payment_currencies: [currency.toJSON()] });
       }
       if (EVM_CHAIN_TYPES.includes(raw.type)) {
@@ -47972,7 +48157,9 @@ var init_payment_methods = __esm({
         }
         const updatedMethod = await method.update(updateData);
         if (method.type === "stripe") {
-          ensureWebhookRegistered().catch(console.error);
+          ensureWebhookRegistered().catch(
+            (err) => logger_default.error("ensureWebhookRegistered failed (payments may not reconcile in real-time)", err)
+          );
         }
         return c.json(updatedMethod);
       } catch (err) {
@@ -58442,12 +58629,14 @@ async function ingestVerifiedAppStorePurchase({
     }
     const newExpiresAt = transaction.expiresDate ? Math.floor(Number(transaction.expiresDate) / 1e3) : 0;
     const newTxnValid = !!newExpiresAt && newExpiresAt * 1e3 > Date.now();
-    const lapsed = ["canceled", "incomplete_expired", "past_due"].includes(existing.status);
+    const storedExpiresAt = existing.current_period_end ?? 0;
+    const storedExpired = !!storedExpiresAt && storedExpiresAt * 1e3 < Date.now();
+    const lapsed = ["canceled", "incomplete_expired", "past_due"].includes(existing.status) || storedExpired;
     if (lapsed && newTxnValid) {
       const updatePatch = {
         status: "active",
         current_period_end: newExpiresAt,
-        ended_at: null,
+        end_at: null,
         cancel_at_period_end: false,
         payment_details: {
           ...existing.payment_details || {},
@@ -58483,6 +58672,31 @@ async function ingestVerifiedAppStorePurchase({
       });
       return { subscription: existing, isFirstSubscribe: false, transaction };
     }
+    if (lapsed && !newTxnValid) {
+      await existing.update({
+        status: "incomplete_expired",
+        end_at: Math.floor(Date.now() / 1e3),
+        cancel_at_period_end: false,
+        payment_details: {
+          ...existing.payment_details || {},
+          app_store: {
+            ...existing.payment_details?.app_store || {},
+            transaction_id: transaction.transactionId,
+            expires_at: newExpiresAt || existing.payment_details?.app_store?.expires_at
+          }
+        }
+      });
+      logger_default.info(
+        "app_store verify: subscription fully lapsed (stored + replay both expired) \u2014 marked incomplete_expired",
+        {
+          subscriptionId: existing.id,
+          originalTransactionId: transaction.originalTransactionId,
+          storedExpiresAt,
+          newExpiresAt
+        }
+      );
+      return { subscription: existing, isFirstSubscribe: false, transaction };
+    }
     const storedAppStoreSku = existing.payment_details?.app_store?.product_id;
     if (storedAppStoreSku && storedAppStoreSku !== transaction.productId) {
       const newPrice = await Price.findOne({
@@ -58800,7 +59014,7 @@ async function handleAppStoreRenewed(subscription, transaction) {
 }
 async function markAppStoreExpired(subscription) {
   if (["canceled", "incomplete_expired"].includes(subscription.status)) return;
-  await subscription.update({ status: "canceled", ended_at: Math.floor(Date.now() / 1e3) });
+  await subscription.update({ status: "canceled", end_at: Math.floor(Date.now() / 1e3) });
   createEvent("Subscription", "customer.subscription.deleted", subscription).catch(reportAuditFailure);
 }
 async function markAppStorePastDue(subscription) {
@@ -58820,7 +59034,7 @@ async function handleAppStoreRevoked(subscription, notificationType, subtype) {
   const now = Math.floor(Date.now() / 1e3);
   await subscription.update({
     status: "canceled",
-    ended_at: now,
+    end_at: now,
     cancelation_details: {
       ...subscription.cancelation_details ?? { comment: "", feedback: "other" },
       reason: "cancellation_requested"
@@ -59451,7 +59665,7 @@ async function handleRevoked(subscription) {
   const now = Math.floor(Date.now() / 1e3);
   await subscription.update({
     status: "canceled",
-    ended_at: now,
+    end_at: now,
     cancelation_details: {
       ...subscription.cancelation_details ?? { comment: "", feedback: "other" },
       reason: "cancellation_requested"
@@ -59527,7 +59741,7 @@ async function handleGooglePlayVoidedPurchase({
   if (subscription.status !== "canceled" && subscription.status !== "incomplete_expired") {
     await subscription.update({
       status: "canceled",
-      ended_at: Math.floor(Date.now() / 1e3),
+      end_at: Math.floor(Date.now() / 1e3),
       cancelation_details: {
         ...subscription.cancelation_details ?? { comment: "", feedback: "other" },
         reason: "cancellation_requested"
@@ -60682,7 +60896,8 @@ async function checkEntitlement({
       channel: await inferChannelFromSubscription(best),
       expires_at: best.current_period_end ?? null,
       subscription_id: best.id,
-      source: "subscription"
+      source: "subscription",
+      cancel_at_period_end: !!best.cancel_at_period_end
     };
   }
   const grant = await findGrantCoveringProduct(customer, product_id);
@@ -60764,7 +60979,8 @@ async function listEntitlements({
         channel: await inferChannelFromSubscription(best),
         expires_at: best.current_period_end ?? null,
         subscription_id: best.id,
-        source: "subscription"
+        source: "subscription",
+        cancel_at_period_end: !!best.cancel_at_period_end
       };
       return item;
     })
@@ -60846,7 +61062,7 @@ var init_entitlements = __esm({
     init_logger();
     init_security();
     app26 = new import_hono26.Hono();
-    auth18 = authenticate({ component: true, roles: ["owner", "admin"], ensureLogin: true });
+    auth18 = authenticate({ component: true, ensureLogin: true });
     checkQuerySchema = import_joi25.default.object({
       customer_did: import_joi25.default.string().required(),
       product_id: import_joi25.default.string().required(),
@@ -67618,6 +67834,29 @@ var init_collect_batch = __esm({
   }
 });
 
+// ../../blocklets/core/api/src/libs/arcblock-transfer.ts
+async function encodeArcblockTransfer({
+  chainHost,
+  tx,
+  wallet: wallet2
+}) {
+  const context2 = await (0, import_encode.fetchContext)(chainHost);
+  return (0, import_encode.encodeTx)({
+    type: "TransferV3Tx",
+    tx,
+    wallet: wallet2,
+    chainId: context2.chainId,
+    feeConfig: context2.txFee
+  });
+}
+var import_encode;
+var init_arcblock_transfer = __esm({
+  "../../blocklets/core/api/src/libs/arcblock-transfer.ts"() {
+    "use strict";
+    import_encode = require("@ocap/client/encode");
+  }
+});
+
 // ../../blocklets/core/api/src/libs/chain-error.ts
 function parseChainError(err) {
   const msg = err?.message ?? String(err);
@@ -67662,6 +67901,7 @@ var init_pay = __esm({
     init_token();
     init_tx();
     init_auth();
+    init_arcblock_transfer();
     init_logger();
     init_chain_error();
     init_payment();
@@ -67769,20 +68009,30 @@ var init_pay = __esm({
         }
         if (paymentMethod.type === "arcblock") {
           try {
-            await paymentIntent.update({ status: "processing" });
             const client = paymentMethod.getOcapClient();
             const claim = claims.find((x) => x.type === "prepareTx");
-            await client.getContext();
             const tx = client.decodeTx(claim.finalTx);
             if (claim.delegator && claim.from) {
               tx.delegator = claim.delegator;
               tx.from = claim.from;
             }
-            const { buffer: buffer2 } = await client.encodeTransferV3Tx({ tx });
+            const chainHost = paymentMethod.settings.arcblock?.api_host;
+            if (!chainHost) {
+              throw new Error("ArcBlock payment method API host is missing");
+            }
+            const signingWallet = (0, import_wallet5.fromAddress)(userDid);
+            const { object: encodedTx, buffer: buffer2 } = await encodeArcblockTransfer({
+              chainHost,
+              tx,
+              wallet: signingWallet
+            });
+            const gasPayerExtra = await getGasPayerExtra(buffer2, client.pickGasPayerHeaders(request), client);
+            await paymentIntent.update({ status: "processing" });
             const txHash = await client.sendTransferV3Tx(
-              // @ts-ignore
-              { tx, wallet: (0, import_wallet5.fromAddress)(userDid) },
-              await getGasPayerExtra(buffer2, client.pickGasPayerHeaders(request), client)
+              // Passing the already-encoded signature skips the client's timer-backed
+              // encodeTransferV3Tx/getContext path in Cloudflare Workers.
+              { tx: encodedTx, wallet: signingWallet, signature: encodedTx.signature },
+              gasPayerExtra
             );
             const quoteValidation = await validateQuoteForPayment({
               checkoutSessionId: checkoutSession?.id,
@@ -77304,6 +77554,7 @@ function csrfSecret() {
 }
 function csrf() {
   return async (c, next) => {
+    if (readConfig("PAYMENT_DISABLE_CSRF") === "true") return next();
     const method = c.req.method.toUpperCase();
     const loginToken = (0, import_cookie.getCookie)(c, "login_token");
     const existingCsrf = (0, import_cookie.getCookie)(c, "x-csrf-token");
@@ -77566,10 +77817,18 @@ function buildConnectRoutesHono() {
   const connectApp = new import_hono43.Hono();
   connectApp.use("*", async (c, next) => {
     const { context: requestCtx } = (init_context(), __toCommonJS(context_exports));
-    if (requestCtx.peekInstanceDid()) return next();
+    const { warmTenantIdentity: warmTenantIdentity2 } = (init_tenant_identity(), __toCommonJS(tenant_identity_exports));
+    const preResolved = requestCtx.peekInstanceDid();
+    if (preResolved) {
+      await warmTenantIdentity2(preResolved);
+      return next();
+    }
     const { resolveTenantForHost: resolveTenantForHost2 } = (init_identity(), __toCommonJS(identity_exports));
     const instanceDid = await resolveTenantForHost2(c.req.header("host"));
-    return requestCtx.withTenant(instanceDid, () => next());
+    return requestCtx.withTenant(instanceDid, async () => {
+      await warmTenantIdentity2(instanceDid);
+      return next();
+    });
   });
   for (const h of connectHandlerModules()) handlers2.attach(Object.assign({ app: connectApp }, h));
   return connectApp;
@@ -77661,8 +77920,20 @@ async function provisionTenant(instanceDid) {
   const { fromTokenToUnit: fromTokenToUnit31 } = require("@ocap/util");
   const { PaymentMethod: PaymentMethod3, PaymentCurrency: PaymentCurrency3 } = (init_models(), __toCommonJS(models_exports));
   const CHAINS = [
-    { chainId: "main", livemode: true, symbol: "ABT", label: "ArcBlock Main", contract: "z35nNRvYxBoHitx9yZ5ATS88psfShzPPBLxYD" },
-    { chainId: "beta", livemode: false, symbol: "TBA", label: "ArcBlock Beta", contract: "z35n6UoHSi9MED4uaQy6ozFgKPaZj2UKrurBG" }
+    {
+      chainId: "main",
+      livemode: true,
+      symbol: "ABT",
+      label: "ArcBlock Main",
+      contract: "z35nNRvYxBoHitx9yZ5ATS88psfShzPPBLxYD"
+    },
+    {
+      chainId: "beta",
+      livemode: false,
+      symbol: "TBA",
+      label: "ArcBlock Beta",
+      contract: "z35n6UoHSi9MED4uaQy6ozFgKPaZj2UKrurBG"
+    }
   ];
   await context.withTenant(instanceDid, async () => {
     const existing = await PaymentMethod3.findOne({ where: { type: "arcblock" } });