payment-kit 1.27.2 → 1.28.0

package/cloudflare/build.ts

@@ -0,0 +1,151 @@
+import { build } from 'esbuild';
+import path from 'path';
+
+const cfDir = __dirname;
+
+async function main() {
+  const result = await build({
+    entryPoints: [path.resolve(cfDir, 'worker.ts')],
+    bundle: true,
+    format: 'esm',
+    platform: 'node', // Use node platform — CF Workers nodejs_compat handles Node built-ins
+    target: 'esnext',
+    outdir: path.resolve(cfDir, 'dist'),
+    minify: true,
+    sourcemap: true,
+    metafile: true,
+    mainFields: ['module', 'main'], // Resolve ESM first, then CJS
+    conditions: ['import', 'module', 'default'],
+    // CF Workers runtime provides these
+    external: [
+      'cloudflare:*',
+      '__STATIC_CONTENT_MANIFEST',
+    ],
+    alias: {
+      // === Sequelize → D1 shim ===
+      'sequelize': path.resolve(cfDir, 'shims/sequelize-d1/index.ts'),
+      'sqlite3': path.resolve(cfDir, 'shims/noop.ts'),
+      'cls-hooked': path.resolve(cfDir, 'shims/noop.ts'),
+      'express-async-errors': path.resolve(cfDir, 'shims/noop.ts'),
+
+      // === Express → shim ===
+      'express': path.resolve(cfDir, 'shims/express-compat/index.ts'),
+      'cors': path.resolve(cfDir, 'shims/cors.ts'),
+      'cookie-parser': path.resolve(cfDir, 'shims/cookie-parser.ts'),
+
+      // === @blocklet/sdk — each sub-path needs its own alias ===
+      // NOTE: more specific paths MUST come before less specific ones
+      '@blocklet/sdk/lib/middlewares/fallback': path.resolve(cfDir, 'shims/blocklet-sdk/fallback.ts'),
+      '@blocklet/sdk/lib/middlewares/cdn': path.resolve(cfDir, 'shims/blocklet-sdk/cdn.ts'),
+      '@blocklet/sdk/lib/middlewares/session': path.resolve(cfDir, 'shims/blocklet-sdk/session.ts'),
+      '@blocklet/sdk/lib/middlewares': path.resolve(cfDir, 'shims/blocklet-sdk/middlewares.ts'),
+      '@blocklet/sdk/lib/env': path.resolve(cfDir, 'shims/blocklet-sdk/env.ts'),
+      '@blocklet/sdk/lib/config': path.resolve(cfDir, 'shims/blocklet-sdk/config.ts'),
+      '@blocklet/sdk/lib/component': path.resolve(cfDir, 'shims/blocklet-sdk/component.ts'),
+      '@blocklet/sdk/lib/wallet': path.resolve(cfDir, 'shims/blocklet-sdk/wallet.ts'),
+      '@blocklet/sdk/lib/wallet-authenticator': path.resolve(cfDir, 'shims/blocklet-sdk/wallet-authenticator.ts'),
+      '@blocklet/sdk/lib/wallet-handler': path.resolve(cfDir, 'shims/blocklet-sdk/wallet-handler.ts'),
+      '@blocklet/sdk/lib/security': path.resolve(cfDir, 'shims/blocklet-sdk/security.ts'),
+      '@blocklet/sdk/lib/util/verify-sign': path.resolve(cfDir, 'shims/blocklet-sdk/verify-sign.ts'),
+      '@blocklet/sdk/lib/util/component-api': path.resolve(cfDir, 'shims/blocklet-sdk/component-api.ts'),
+      '@blocklet/sdk/lib/error-handler': path.resolve(cfDir, 'shims/noop.ts'),
+      '@blocklet/sdk/lib/did': path.resolve(cfDir, 'shims/blocklet-sdk/did.ts'),
+      '@blocklet/sdk/lib/types/notification': path.resolve(cfDir, 'shims/noop.ts'),
+      '@blocklet/sdk/service/notification': path.resolve(cfDir, 'shims/blocklet-sdk/notification.ts'),
+      '@blocklet/sdk/service/eventbus': path.resolve(cfDir, 'shims/blocklet-sdk/eventbus.ts'),
+      '@blocklet/sdk/service/auth': path.resolve(cfDir, 'shims/blocklet-sdk/auth-service.ts'),
+      '@blocklet/sdk/service/blocklet': path.resolve(cfDir, 'shims/blocklet-sdk/auth-service.ts'),
+      // Catch-all for any other @blocklet/sdk paths
+      '@blocklet/sdk': path.resolve(cfDir, 'shims/blocklet-sdk/index.ts'),
+
+      // === Other @blocklet packages ===
+      '@blocklet/xss': path.resolve(cfDir, 'shims/xss.ts'),
+      '@blocklet/error': path.resolve(cfDir, 'shims/error.ts'),
+      '@blocklet/logger': path.resolve(cfDir, 'shims/blocklet-sdk/logger.ts'),
+      '@blocklet/did-space-js': path.resolve(cfDir, 'shims/did-space-js.ts'),
+      '@blocklet/payment-vendor': path.resolve(cfDir, 'shims/payment-vendor.ts'),
+
+      // === ArcBlock / DID packages ===
+      '@arcblock/did-connect-storage-nedb': path.resolve(cfDir, 'shims/nedb-storage.ts'),
+
+      // === Other dependencies ===
+      'ws': path.resolve(cfDir, 'shims/ws-lite.ts'),
+      'pg': path.resolve(cfDir, 'shims/noop.ts'),
+      'follow-redirects': path.resolve(cfDir, 'shims/noop.ts'),
+      'crypto-js': path.resolve(cfDir, 'shims/crypto-js-warn.ts'),
+      'mime-types': path.resolve(cfDir, 'shims/mime-types.ts'),
+      '@abtnode/cron': path.resolve(cfDir, 'shims/cron.ts'),
+      'querystring': path.resolve(cfDir, 'shims/querystring.ts'),
+      'dotenv-flow': path.resolve(cfDir, 'shims/noop.ts'),
+      'fastq': path.resolve(cfDir, 'shims/fastq.ts'),
+    },
+    banner: {
+      js: [
+        // process polyfills
+        'if (typeof process !== "undefined") { if (!process.stderr) process.stderr = { fd: 2, write: function(){} }; else if (process.stderr.fd === undefined) process.stderr.fd = 2; if (!process.stdout) process.stdout = { fd: 1, write: function(){} }; else if (process.stdout.fd === undefined) process.stdout.fd = 1; }',
+        'if (typeof process !== "undefined" && !process.on) { process.on = function(){}; process.once = function(){}; process.off = function(){}; process.removeListener = function(){}; process.emit = function(){}; process.exit = function(){}; }',
+        // CF Workers: defer timers called during global scope init until first request
+        'var __deferredTimers = []; var __timersReady = false;',
+        'globalThis.__flushDeferredTimers = function() { if (__timersReady) return; __timersReady = true; var q = __deferredTimers; __deferredTimers = []; q.forEach(function(entry) { try { entry.fn.apply(null, entry.args); } catch(e) { console.error("deferred timer error:", e); } }); };',
+        'var _origSetTimeout = globalThis.setTimeout; globalThis.setTimeout = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetTimeout.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return 0; } }; } var id = _origSetTimeout.apply(this, arguments); if (typeof id === "number") { return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return id; } }; } if (id && !id.unref) id.unref = function(){}; return id; };',
+        'var _origSetInterval = globalThis.setInterval; globalThis.setInterval = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetInterval.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return 0; } }; } var id = _origSetInterval.apply(this, arguments); if (typeof id === "number") { return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return id; } }; } if (id && !id.unref) id.unref = function(){}; return id; };',
+        'var _origSetImmediate = globalThis.setImmediate; if (_origSetImmediate) { globalThis.setImmediate = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetImmediate.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){} }; } return _origSetImmediate.apply(this, arguments); }; } else { globalThis.setImmediate = function(fn) { if (!__timersReady) { __deferredTimers.push({fn: function(){ _origSetTimeout(fn, 0); }, args: []}); return { unref: function(){}, ref: function(){} }; } return _origSetTimeout(fn, 0); }; }',
+        'if (typeof process !== "undefined") { var _origNextTick = process.nextTick; if (_origNextTick) { process.nextTick = function() { if (!__timersReady) { var args = Array.prototype.slice.call(arguments); var fn = args.shift(); __deferredTimers.push({fn: function(){ _origNextTick.apply(process, [fn].concat(args)); }, args: []}); return; } return _origNextTick.apply(process, arguments); }; } else { process.nextTick = function(fn) { if (!__timersReady) { __deferredTimers.push({fn: function(){ _origSetTimeout(fn, 0); }, args: []}); return; } _origSetTimeout(fn, 0); }; } }',
+        // require polyfill for Node built-ins
+        '(function() {',
+        '  var _origRequire = typeof globalThis.require === "function" ? globalThis.require : null;',
+        '  var _qsShim = { stringify: function(obj) { return new URLSearchParams(obj).toString(); }, parse: function(str) { return Object.fromEntries(new URLSearchParams(str).entries()); } };',
+        '  var _utilShim = { deprecate: function(fn) { return fn; }, inspect: function(obj) { return JSON.stringify(obj); }, inherits: function(ctor, superCtor) { if (superCtor) { ctor.super_ = superCtor; ctor.prototype = Object.create(superCtor.prototype, { constructor: { value: ctor } }); } }, format: function() { return Array.prototype.join.call(arguments, " "); } };',
+        '  var _ttyShim = { isatty: function() { return false; }, ReadStream: function(){}, WriteStream: function(){} };',
+        '  var _emptyMod = {};',
+        '  var _httpShim = (function() { var _noop = function(){}; _noop.prototype = {}; return { request: _noop, get: _noop, Agent: _noop, globalAgent: { options: {} }, STATUS_CODES: {}, METHODS: [], createServer: _noop }; })();',
+        '  globalThis.require = function(mod) {',
+        '    if (mod === "querystring") return _qsShim;',
+        '    if (mod === "util") return _utilShim;',
+        '    if (mod === "tty") return _ttyShim;',
+        '    if (mod === "http" || mod === "https") return _httpShim;',
+        '    if (mod === "crypto") return { randomBytes: function(n) { var b = new Uint8Array(n); crypto.getRandomValues(b); return Buffer.from(b); }, createHash: function() { return { update: function() { return this; }, digest: function() { return ""; } }; } };',
+        '    if (mod === "stream" || mod === "fs" || mod === "net" || mod === "os" || mod === "path" || mod === "zlib" || mod === "tls" || mod === "child_process" || mod === "worker_threads") return _emptyMod;',
+        '    if (_origRequire) return _origRequire(mod);',
+        '    console.warn("Cannot require: " + mod);',
+        '    return _emptyMod;',
+        '  };',
+        '})();',
+      ].join('\n'),
+    },
+    plugins: [
+      {
+        name: 'rolldown-runtime-shim',
+        setup(b: any) {
+          b.onResolve({ filter: /rolldown_runtime/ }, () => ({
+            path: path.resolve(cfDir, 'shims/rolldown-runtime.ts'),
+          }));
+        },
+      },
+    ],
+    logLevel: 'warning',
+  });
+
+  const outputs = Object.keys(result.metafile!.outputs);
+  for (const o of outputs) {
+    const size = result.metafile!.outputs[o].bytes;
+    if (!o.endsWith('.map')) {
+      console.log(`${o}: ${(size / 1024).toFixed(1)}KB`);
+    }
+  }
+  console.log('BUILD SUCCESS');
+}
+
+main().catch((err) => {
+  console.error('BUILD FAILED');
+  console.error(err.message);
+  if (err.errors) {
+    for (const e of err.errors.slice(0, 30)) {
+      console.error(`  ${e.text}`);
+      if (e.location) {
+        console.error(`    at ${e.location.file}:${e.location.line}`);
+      }
+    }
+  }
+  process.exit(1);
+});

package/cloudflare/did-connect-auth.ts

@@ -0,0 +1,527 @@
+/**
+ * DID Connect authentication for Cloudflare Workers.
+ *
+ * Since the published @arcblock/did-connect-js@1.28.0 does not include the Hono adapter,
+ * we port the adapter logic here. When a newer version with native Hono support ships,
+ * this file can be replaced by a direct import.
+ *
+ * Reference: blockchain/did/did-connect/src/adapters/hono.ts
+ */
+import { WalletAuthenticator, WalletHandlers } from '@arcblock/did-connect-js';
+// abt-wallet 4.20+ is dual-decode (both CBOR + protobuf), so we can go back
+// to @ocap/client/encode's CBOR-only txEncoder. Drops ~300KB google-protobuf
+// runtime from the worker bundle. Requires abt-wallet >= 4.20.
+// fetchContext is also exported so we can pre-warm the module-level cache
+// at isolate init time — avoids the first-request 8s merchant timeout that
+// comes from fetchContext hitting beta chain (2 GraphQL queries in parallel).
+import { createTxEncoder, fetchContext } from '@ocap/client/encode';
+import * as Mcrypto from '@ocap/mcrypto';
+import { fromSecretKey } from '@ocap/wallet';
+import { EventEmitter } from 'events';
+
+// Import original connect handlers — esbuild aliases handle all dependency replacements
+import collectHandlers from '../api/src/routes/connect/collect';
+import collectBatchHandlers from '../api/src/routes/connect/collect-batch';
+import payHandlers from '../api/src/routes/connect/pay';
+import setupHandlers from '../api/src/routes/connect/setup';
+import subscribeHandlers from '../api/src/routes/connect/subscribe';
+import changePaymentHandlers from '../api/src/routes/connect/change-payment';
+import changePlanHandlers from '../api/src/routes/connect/change-plan';
+import changePayerHandlers from '../api/src/routes/connect/change-payer';
+import rechargeHandlers from '../api/src/routes/connect/recharge';
+import rechargeAccountHandlers from '../api/src/routes/connect/recharge-account';
+import delegationHandlers from '../api/src/routes/connect/delegation';
+import overdraftProtectionHandlers from '../api/src/routes/connect/overdraft-protection';
+import reStakeHandlers from '../api/src/routes/connect/re-stake';
+import autoRechargeAuthHandlers from '../api/src/routes/connect/auto-recharge-auth';
+
+const walletType = {
+  role: Mcrypto.types.RoleType.ROLE_APPLICATION,
+  pk: Mcrypto.types.KeyType.ED25519,
+  hash: Mcrypto.types.HashType.SHA3,
+};
+
+// ---------------------------------------------------------------------------
+// CloudflareKVStorage – ported from blockchain/did/did-connect/src/storage/kv.ts
+// Not yet published in @arcblock/did-connect-js@1.28.0
+// ---------------------------------------------------------------------------
+
+// D1-based storage for DID Connect tokens.
+// Replaces KV which is eventually consistent across datacenters (up to 60s delay).
+// D1 is strongly consistent — writes are immediately visible to all readers.
+// This fixes mobile wallet scanning: wallet POST auth writes to datacenter A,
+// browser status polling reads from datacenter B, and sees the update immediately.
+class CloudflareD1Storage extends EventEmitter {
+  private ttl: number;
+
+  constructor(options: { ttl?: number } = {}) {
+    super();
+    this.ttl = options.ttl ?? 300;
+  }
+
+  private _getDB() {
+    const env = (globalThis as any).__CF_ENV__;
+    const db = env?.DB;
+    if (!db) {
+      console.error('[D1Storage] DB not available - __CF_ENV__ missing or no DB binding');
+      return db;
+    }
+    return db.withSession('first-primary');
+  }
+
+  async create(token: string, status = 'created') {
+    try {
+      const db = this._getDB();
+      if (!db) throw new Error('DB not available');
+      const record = { token, status };
+      const expiresAt = Math.floor(Date.now() / 1000) + this.ttl;
+      await db
+        .prepare('INSERT OR REPLACE INTO _did_connect_tokens (token, data, expires_at) VALUES (?, ?, ?)')
+        .bind(token, JSON.stringify(record), expiresAt)
+        .run();
+      this.emit('create', record);
+      return record;
+    } catch (err: any) {
+      console.error('[D1Storage] create failed:', token, err?.message || err);
+      throw err;
+    }
+  }
+
+  async read(token: string) {
+    try {
+      const db = this._getDB();
+      if (!db) return null;
+      const now = Math.floor(Date.now() / 1000);
+      const row = await db
+        .prepare('SELECT data FROM _did_connect_tokens WHERE token = ? AND expires_at > ?')
+        .bind(token, now)
+        .first();
+      if (!row) return null;
+      return JSON.parse(row.data as string);
+    } catch (err: any) {
+      console.error('[D1Storage] read failed:', token, err?.message || err);
+      return null;
+    }
+  }
+
+  update(token: string, updates: Record<string, any>) {
+    // did-connect-js's handlers/util.ts onProcessError calls tokenStorage.update
+    // without awaiting it (fire-and-forget). On CF Workers a non-awaited Promise
+    // is terminated when the request handler returns, so the UPDATE never hits
+    // D1 and the token stays at "scanned" forever — the wallet UI then loops on
+    // `status: scanned` and shows "validating..." indefinitely.
+    //
+    // We wrap the real write in a promise, and register it via the global
+    // ctx.waitUntil (exposed as __cfWaitUntil__ in worker.ts) so the runtime
+    // keeps the isolate alive until the D1 write finishes, regardless of
+    // whether the caller awaits us.
+    const promise = (async () => {
+      try {
+        const existing = await this.read(token);
+        if (!existing) return null;
+
+        delete updates.token;
+        const merged = { ...existing, ...updates };
+        const expiresAt = Math.floor(Date.now() / 1000) + this.ttl;
+        const db = this._getDB();
+        if (!db) throw new Error('DB not available');
+        await db
+          .prepare('UPDATE _did_connect_tokens SET data = ?, expires_at = ? WHERE token = ?')
+          .bind(JSON.stringify(merged), expiresAt, token)
+          .run();
+        this.emit('update', merged);
+        return merged;
+      } catch (err: any) {
+        console.error('[D1Storage] update failed:', token, err?.message || err);
+        throw err;
+      }
+    })();
+
+    const waitUntil = (globalThis as any).__cfWaitUntil__ as ((p: Promise<any>) => void) | undefined;
+    if (typeof waitUntil === 'function') {
+      // Swallow rejection in waitUntil — the inner promise will still reject
+      // for any caller that does await us.
+      waitUntil(promise.catch(() => {}));
+    }
+    return promise;
+  }
+
+  async delete(token: string) {
+    try {
+      const existing = await this.read(token);
+      if (existing) {
+        this.emit('destroy', existing);
+      }
+      const db = this._getDB();
+      if (!db) return;
+      await db.prepare('DELETE FROM _did_connect_tokens WHERE token = ?').bind(token).run();
+    } catch (err: any) {
+      console.error('[D1Storage] delete failed:', token, err?.message || err);
+    }
+  }
+
+  async exist(token: string, did?: string) {
+    const record = await this.read(token);
+    if (!record) return false;
+    if (did) return record.did === did;
+    return true;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Hono adapter – wraps Express-style (req, res, next) handlers for Hono
+// ---------------------------------------------------------------------------
+
+function parseCookieHeader(header: string): Record<string, string> {
+  const cookies: Record<string, string> = {};
+  if (!header) return cookies;
+  for (const pair of header.split(';')) {
+    const idx = pair.indexOf('=');
+    if (idx > 0) {
+      const key = pair.slice(0, idx).trim();
+      const val = pair.slice(idx + 1).trim();
+      cookies[key] = decodeURIComponent(val);
+    }
+  }
+  return cookies;
+}
+
+function negotiateLanguage(acceptHeader: string, ...langs: string[]): string | false {
+  if (!acceptHeader || langs.length === 0) return langs[0] || false;
+  const lower = acceptHeader.toLowerCase();
+  for (const lang of langs) {
+    const prefix = lang.toLowerCase().split('-')[0];
+    if (lower.includes(lang.toLowerCase()) || lower.includes(prefix)) {
+      return lang;
+    }
+  }
+  return langs[0] || false;
+}
+
+function createHonoRequest(c: any, bodyCache: any = {}): any {
+  const url = new URL(c.req.url);
+  const rawHeaders: Record<string, string> = {};
+  if (c.req.raw?.headers) {
+    c.req.raw.headers.forEach((value: string, key: string) => {
+      rawHeaders[key.toLowerCase()] = value;
+    });
+  }
+
+  return {
+    body: bodyCache,
+    query: Object.fromEntries(url.searchParams.entries()),
+    params: typeof c.req.param === 'function' ? c.req.param() : {},
+    headers: rawHeaders,
+    cookies: parseCookieHeader(rawHeaders.cookie || ''),
+    protocol: url.protocol.replace(':', ''),
+    originalUrl: url.pathname + url.search,
+    get(name: string) {
+      return rawHeaders[name.toLowerCase()];
+    },
+    header(name: string) {
+      return rawHeaders[name.toLowerCase()];
+    },
+    acceptsLanguages(...langs: string[]) {
+      return negotiateLanguage(rawHeaders['accept-language'] || '', ...langs);
+    },
+    raw: c,
+  };
+}
+
+function createHonoResponse(): any {
+  let result: { statusCode: number; body: any } | null = null;
+
+  return {
+    jsonp(data: any) {
+      result = { statusCode: 200, body: data };
+    },
+    json(data: any) {
+      result = { statusCode: 200, body: data };
+    },
+    status(code: number) {
+      return {
+        json(data: any) {
+          result = { statusCode: code, body: data };
+        },
+      };
+    },
+    _getResult() {
+      return result;
+    },
+  };
+}
+
+/**
+ * Wrap a chain of Express-style middlewares + handler into a single Hono handler.
+ */
+function wrapHandler(
+  middlewares: Array<(req: any, res: any, next: () => void) => any>,
+  handler: (req: any, res: any) => Promise<void>
+) {
+  return async (c: any) => {
+    // Ensure __CF_ENV__ is available for D1Storage
+    if (!(globalThis as any).__CF_ENV__) {
+      (globalThis as any).__CF_ENV__ = c.env;
+    }
+    let body = {};
+    try {
+      const text = await c.req.text();
+      if (text) {
+        const contentType = c.req.header('content-type') || '';
+        if (contentType.includes('json')) {
+          body = JSON.parse(text);
+        } else if (contentType.includes('urlencoded')) {
+          body = Object.fromEntries(new URLSearchParams(text).entries());
+        }
+      }
+    } catch {
+      // Body parsing failed
+    }
+
+    const req = createHonoRequest(c, body);
+    const res = createHonoResponse();
+
+    // Run middlewares
+    for (const mw of middlewares) {
+      let nextCalled = false;
+      await mw(req, res, () => {
+        nextCalled = true;
+      });
+      if (!nextCalled) {
+        const r = res._getResult();
+        if (r) return c.json(r.body, r.statusCode);
+        return c.json({ error: 'Unknown error' }, 500);
+      }
+    }
+
+    // Run handler
+    try {
+      await handler(req, res);
+    } catch (err: any) {
+      console.error(
+        '[DID Connect] handler error:',
+        err?.message || err,
+        err?.stack?.split('\n').slice(0, 5).join('\n')
+      );
+      // Write error to D1 for debugging (console.error may not be visible in tail)
+      try {
+        const db = (globalThis as any).__CF_ENV__?.DB;
+        if (db) {
+          await db
+            .prepare('INSERT OR REPLACE INTO _locks (name, owner, expires_at) VALUES (?, ?, 0)')
+            .bind('debug-did-error', `${err?.message || err}`.substring(0, 200))
+            .run();
+        }
+      } catch {
+        /* ignore */
+      }
+      return c.json({ error: err?.message || 'Internal server error' }, 500);
+    }
+    const r = res._getResult();
+    return c.json(r?.body ?? {}, r?.statusCode ?? 200);
+  };
+}
+
+/**
+ * Monkey-patch the WalletHandlers.attach method to support Hono apps.
+ *
+ * The published @arcblock/did-connect-js expects Express. We intercept attach()
+ * and register routes on the Hono app directly using wrapHandler().
+ */
+function createHonoCompatHandlers(opts: { tokenStorage: any; authenticator: any }): WalletHandlers {
+  const handlers = new WalletHandlers(opts);
+  const originalAttach = handlers.attach.bind(handlers);
+
+  // Override attach to use Hono-compatible route registration
+  (handlers as any).attach = function attachHono(config: any) {
+    const { app, action, ...rest } = config;
+
+    // Create a fake Express-like app that collects routes
+    const routes: Array<{
+      method: string;
+      path: string;
+      middlewares: Function[];
+      handler: Function;
+    }> = [];
+
+    const fakeApp: any = {
+      get(path: string, ...fns: Function[]) {
+        routes.push({ method: 'get', path, middlewares: fns.slice(0, -1), handler: fns[fns.length - 1] });
+      },
+      post(path: string, ...fns: Function[]) {
+        routes.push({ method: 'post', path, middlewares: fns.slice(0, -1), handler: fns[fns.length - 1] });
+      },
+      use(_path: string, _middleware: any) {
+        // CORS is handled by Hono's cors middleware already
+      },
+    };
+
+    // Call original attach with fake app to collect routes
+    originalAttach({ app: fakeApp, action, ...rest });
+
+    // Now register collected routes on the real Hono app
+    const prefix = (handlers as any).options?.prefix || '/api/did';
+
+    // Add CORS for DID Connect routes
+    app.use(`${prefix}/${action}/*`, async (c: any, next: () => Promise<void>) => {
+      c.header('Access-Control-Allow-Origin', '*');
+      c.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+      c.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+      if (c.req.method === 'OPTIONS') {
+        return c.text('', 204);
+      }
+      await next();
+    });
+
+    for (const route of routes) {
+      const wrapped = wrapHandler(route.middlewares as any[], route.handler as any);
+      if (route.method === 'get') {
+        app.get(route.path, wrapped);
+      } else if (route.method === 'post') {
+        app.post(route.path, wrapped);
+      }
+    }
+  };
+
+  return handlers;
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+export function initAuth(kv: KVNamespace, appSK: string) {
+  const wallet = fromSecretKey(appSK, walletType);
+  const tokenStorage = new CloudflareD1Storage({ ttl: 300 });
+  // Trailing slash is REQUIRED — without it the host 50% times out (verified 2026-04-20).
+  // Matches the format used by D1 payment_methods.settings.arcblock.api_host.
+  const chainHost = 'https://beta.abtnetwork.io/api/';
+
+  // Pre-warm @ocap/client/encode's module-level context cache. The first
+  // createTxEncoder()(...) call internally awaits fetchContext, which POSTs
+  // getChainInfo + getForgeState to beta — ~1-3s on warm isolates, more on
+  // cold. When `genRequestedClaims` is called by the merchant and triggers
+  // the encoder, merchant's did-connect-js aborts after 8s. Firing the fetch
+  // here at init (module load) lets the cache populate while the worker sets
+  // up the rest of the request pipeline.
+  fetchContext(chainHost).catch((err) => {
+    // Non-fatal: on failure the first real request will retry via the
+    // encoder's own fetchContext call.
+    console.warn('[initAuth] pre-warm chainInfo failed:', err?.message);
+  });
+
+  const authenticator = new WalletAuthenticator({
+    wallet: wallet.toJSON(),
+    appInfo: ({ baseUrl }: { baseUrl: string }) => ({
+      name: 'Payment Kit',
+      description: 'Payment Kit on Cloudflare Workers',
+      icon: 'https://www.arcblock.io/favicon.ico',
+      link: baseUrl,
+    }),
+    chainInfo: {
+      type: 'arcblock',
+      host: chainHost,
+      id: 'beta',
+    },
+    txEncoder: createTxEncoder(),
+    // CF Workers: chain RPC to beta.abtnetwork.io + getContext warm-up can exceed
+    // the default 8s. Extend to 30s to match Node.js payment-kit behavior.
+    timeout: 30000,
+  });
+
+  // did-connect-js 4.0.0 natively detects Hono apps via isHonoApp()
+  const handlers = new WalletHandlers({ tokenStorage, authenticator });
+
+  return { wallet, authenticator, handlers, tokenStorage };
+}
+
+/**
+ * Attach DID Connect routes to a Hono app.
+ *
+ * Registers the login action with full profile handling, and all payment-related
+ * DID Connect actions using the original handler implementations from
+ * api/src/routes/connect/*.ts. The handlers execute real on-chain operations
+ * (transfers, delegations, staking) via @ocap/client HTTP RPC calls, which
+ * work in CF Workers. If a handler fails to attach, it falls back to a stub.
+ *
+ * Payment actions registered:
+ *   collect, collect-batch, payment, subscription, setup,
+ *   change-payment, change-plan, change-payer,
+ *   recharge, recharge-account,
+ *   delegation, overdraft-protection, re-stake,
+ *   auto-recharge-auth
+ */
+export function attachDIDConnectRoutes(app: any, kv: KVNamespace, appSK: string) {
+  const { handlers, tokenStorage } = initAuth(kv, appSK);
+
+  // ---- Login action (full implementation) ----
+  handlers.attach({
+    app,
+    action: 'login',
+    claims: {
+      profile: () => ({
+        description: 'Please provide your profile to login',
+        fields: ['fullName', 'email', 'avatar'],
+      }),
+    },
+    onAuth: async ({ userDid, userPk, claims, updateSession }: any) => {
+      const claim = claims.find((x: any) => x.type === 'profile');
+      const { type: _type, signature: _sig, ...rest } = claim || {};
+      await updateSession({
+        result: {
+          ...rest,
+          did: userDid,
+          pk: userPk,
+        },
+      });
+    },
+  });
+
+  // ---- Payment DID Connect actions (real implementations) ----
+  // These use the original handlers from api/src/routes/connect/*.ts.
+  // esbuild aliases handle all dependency replacements (@blocklet/sdk, sequelize, etc.)
+  // so that @ocap/client HTTP-based RPC calls work in CF Workers.
+  const paymentHandlerList = [
+    collectHandlers,
+    collectBatchHandlers,
+    payHandlers,
+    setupHandlers,
+    subscribeHandlers,
+    changePaymentHandlers,
+    changePlanHandlers,
+    changePayerHandlers,
+    rechargeHandlers,
+    rechargeAccountHandlers,
+    delegationHandlers,
+    overdraftProtectionHandlers,
+    reStakeHandlers,
+    autoRechargeAuthHandlers,
+  ];
+
+  for (const handler of paymentHandlerList) {
+    try {
+      handlers.attach({ app, ...handler });
+      console.log(`[CF DID Connect] Attached real handler: ${handler.action}`);
+    } catch (err: any) {
+      console.error(`[CF DID Connect] Failed to attach handler ${handler.action}, using stub:`, err?.message);
+      // Fallback to stub if real handler fails to attach
+      handlers.attach({
+        app,
+        action: handler.action,
+        claims: {
+          profile: () => ({
+            description: `Please connect your wallet to proceed with ${handler.action}`,
+            fields: ['fullName', 'email'],
+          }),
+        },
+        onAuth: async ({ userDid, userPk, updateSession }: any) => {
+          await updateSession({
+            result: { did: userDid, pk: userPk },
+          });
+        },
+      });
+    }
+  }
+
+  return { handlers, tokenStorage };
+}