payment-kit 1.27.2 → 1.28.0

package/cloudflare/shims/ws-lite.ts

@@ -0,0 +1,103 @@
+// Lightweight ws shim for CF Workers — uses native WebSocket
+// Avoids bundling the full 128KB ws package (pulled by ethers)
+
+class WebSocketShim {
+  static CONNECTING = 0;
+  static OPEN = 1;
+  static CLOSING = 2;
+  static CLOSED = 3;
+
+  CONNECTING = 0;
+  OPEN = 1;
+  CLOSING = 2;
+  CLOSED = 3;
+
+  _ws: WebSocket | null = null;
+  readyState = 0;
+
+  onopen: ((ev: any) => void) | null = null;
+  onclose: ((ev: any) => void) | null = null;
+  onmessage: ((ev: any) => void) | null = null;
+  onerror: ((ev: any) => void) | null = null;
+
+  constructor(url: string, protocols?: string | string[]) {
+    try {
+      this._ws = new WebSocket(url, protocols);
+      this._ws.addEventListener('open', (ev) => {
+        this.readyState = 1;
+        this.onopen?.(ev);
+      });
+      this._ws.addEventListener('close', (ev) => {
+        this.readyState = 3;
+        this.onclose?.(ev);
+      });
+      this._ws.addEventListener('message', (ev) => {
+        this.onmessage?.(ev);
+      });
+      this._ws.addEventListener('error', (ev) => {
+        this.onerror?.(ev);
+      });
+    } catch (e) {
+      this.readyState = 3;
+    }
+  }
+
+  send(data: any) {
+    this._ws?.send(data);
+  }
+
+  close(code?: number, reason?: string) {
+    this.readyState = 2;
+    this._ws?.close(code, reason);
+  }
+
+  addEventListener(type: string, listener: any) {
+    this._ws?.addEventListener(type, listener);
+  }
+
+  removeEventListener(type: string, listener: any) {
+    this._ws?.removeEventListener(type, listener);
+  }
+
+  on(event: string, listener: any) {
+    if (event === 'open') this.onopen = listener;
+    else if (event === 'close') this.onclose = listener;
+    else if (event === 'message') this.onmessage = listener;
+    else if (event === 'error') this.onerror = listener;
+    return this;
+  }
+
+  off(_event: string, _listener: any) {
+    return this;
+  }
+
+  once(event: string, listener: any) {
+    const wrapped = (...args: any[]) => {
+      this.off(event, wrapped);
+      listener(...args);
+    };
+    return this.on(event, wrapped);
+  }
+
+  terminate() {
+    this.close();
+  }
+
+  ping() {}
+  pong() {}
+}
+
+// WebSocket.Server stub — not used in CF Workers
+class ServerStub {
+  constructor(_opts?: any) {}
+  on() { return this; }
+  close() {}
+  address() { return { port: 0 }; }
+}
+
+(WebSocketShim as any).Server = ServerStub;
+(WebSocketShim as any).WebSocket = WebSocketShim;
+(WebSocketShim as any).WebSocketServer = ServerStub;
+(WebSocketShim as any).createWebSocketStream = () => { throw new Error('Not supported in CF Workers'); };
+
+export = WebSocketShim;

package/cloudflare/shims/xss.ts

@@ -0,0 +1,3 @@
+export function xss(_opts?: any) {
+  return (_req: any, _res: any, next: any) => next();
+}

package/cloudflare/tests/shims/cron.spec.ts

@@ -0,0 +1,210 @@
+import cronModule, { cronInstance, __test__ } from '../../shims/cron';
+
+const { matchesCron, shouldRunInWindow } = __test__;
+
+// Anchor date: 2026-04-17T10:00:00Z (a Friday, minute=0, hour=10)
+const at = (hh: number, mm: number, dayOffset = 0) =>
+  new Date(Date.UTC(2026, 3, 17 + dayOffset, hh, mm, 0));
+
+describe('matchesCron (reference correctness, not modified by this fix)', () => {
+  it.each([
+    ['0 * * * * *', 10, 0, true],
+    ['0 5 * * * *', 10, 5, true],
+    ['0 5 * * * *', 10, 4, false],
+    ['0 */5 * * * *', 10, 0, true],
+    ['0 */5 * * * *', 10, 5, true],
+    ['0 */5 * * * *', 10, 4, false],
+    ['0 */5 * * * *', 10, 7, false],
+    ['0 */10 * * * *', 10, 0, true],
+    ['0 */10 * * * *', 10, 5, false],
+    ['0 */10 * * * *', 10, 10, true],
+    ['0 */30 * * * *', 10, 0, true],
+    ['0 */30 * * * *', 10, 15, false],
+    ['0 */30 * * * *', 10, 30, true],
+    ['0 5 */6 * * *', 6, 5, true],
+    ['0 5 */6 * * *', 6, 6, false],
+    ['0 5 */6 * * *', 7, 5, false],
+    ['0 5 */6 * * *', 12, 5, true],
+    ['0 0 0 * * *', 0, 0, true],
+    ['0 0 0 * * *', 0, 1, false],
+    ['0 0 10 * * *', 10, 0, true],
+    ['0 0 10 * * *', 10, 1, false],
+  ])('matchesCron(%s) at %d:%d -> %s', (expr, h, m, expected) => {
+    expect(matchesCron(expr, at(h, m))).toBe(expected);
+  });
+});
+
+// These tests define the POST-FIX behavior: 1-minute window, not 5-minute.
+// Before fix: shouldRunInWindow("0 */5 * * * *", h:m) is true for any m in [0..59].
+// After  fix: shouldRunInWindow is true only at the exact matching minute.
+describe('shouldRunInWindow — 1 minute window (post-fix behavior)', () => {
+  describe('every-5-minute cron "0 */5 * * * *"', () => {
+    it('matches exactly at minute 0, 5, 10, ..., 55 within an hour (12 times)', () => {
+      const matches: number[] = [];
+      for (let m = 0; m < 60; m += 1) {
+        if (shouldRunInWindow('0 */5 * * * *', at(10, m))) matches.push(m);
+      }
+      expect(matches).toEqual([0, 5, 10, 15, 20, 25, 30, 35, 40, 45, 50, 55]);
+      expect(matches).toHaveLength(12);
+    });
+
+    it('does NOT match at minutes 1-4, 6-9, 11-14, ... (the bug we are fixing)', () => {
+      for (const m of [1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14]) {
+        expect(shouldRunInWindow('0 */5 * * * *', at(10, m))).toBe(false);
+      }
+    });
+  });
+
+  describe('every-10-minute cron "0 */10 * * * *"', () => {
+    it('matches exactly 6 times per hour (minute 0, 10, 20, 30, 40, 50)', () => {
+      const matches: number[] = [];
+      for (let m = 0; m < 60; m += 1) {
+        if (shouldRunInWindow('0 */10 * * * *', at(10, m))) matches.push(m);
+      }
+      expect(matches).toEqual([0, 10, 20, 30, 40, 50]);
+    });
+  });
+
+  describe('every-30-minute cron "0 */30 * * * *"', () => {
+    it('matches exactly 2 times per hour', () => {
+      const matches: number[] = [];
+      for (let m = 0; m < 60; m += 1) {
+        if (shouldRunInWindow('0 */30 * * * *', at(10, m))) matches.push(m);
+      }
+      expect(matches).toEqual([0, 30]);
+    });
+  });
+
+  describe('every-minute cron "* * * * *"', () => {
+    it('matches every minute', () => {
+      for (let m = 0; m < 60; m += 1) {
+        expect(shouldRunInWindow('* * * * *', at(10, m))).toBe(true);
+      }
+    });
+  });
+
+  describe('single-minute cron "0 5 */6 * * *" (every 6 hours at minute 5)', () => {
+    it('matches exactly 4 times in a 24-hour window (hours 0, 6, 12, 18)', () => {
+      const matches: string[] = [];
+      for (let h = 0; h < 24; h += 1) {
+        for (let m = 0; m < 60; m += 1) {
+          if (shouldRunInWindow('0 5 */6 * * *', at(h, m))) matches.push(`${h}:${m}`);
+        }
+      }
+      expect(matches).toEqual(['0:5', '6:5', '12:5', '18:5']);
+    });
+  });
+
+  describe('daily cron "0 1 0 * * *" (00:01 every day)', () => {
+    it('matches exactly once per day', () => {
+      const matches: string[] = [];
+      for (let h = 0; h < 24; h += 1) {
+        for (let m = 0; m < 60; m += 1) {
+          if (shouldRunInWindow('0 1 0 * * *', at(h, m))) matches.push(`${h}:${m}`);
+        }
+      }
+      expect(matches).toEqual(['0:1']);
+    });
+  });
+
+  describe('5-field cron "*/5 * * * *" (no seconds column)', () => {
+    it('also supported — matches 12 times per hour', () => {
+      const matches: number[] = [];
+      for (let m = 0; m < 60; m += 1) {
+        if (shouldRunInWindow('*/5 * * * *', at(10, m))) matches.push(m);
+      }
+      expect(matches).toHaveLength(12);
+    });
+  });
+});
+
+// Invariant check: non-5-aligned cron expressions must still be reachable when
+// shim uses 1-minute window (post-fix). This guards against the review finding
+// that if CF trigger is "*/5" while shim uses 1-min matching, jobs at minute 1
+// (e.g. expiredSessionCleanupCronTime="0 1 * * * *") would never fire.
+describe('non-5-aligned cron expressions (review P1-1 regression guard)', () => {
+  it.each([
+    ['0 1 * * * *', 'expiredSessionCleanupCronTime (minute 1 every hour)', [1]],
+    ['0 1 0 * * *', 'paymentStatCronTime (00:01 daily)', [1]],
+    ['0 7 * * * *', 'hypothetical minute 7', [7]],
+    ['0 13 * * * *', 'hypothetical minute 13', [13]],
+  ])('matches %s (%s) at the expected minute', (expr, _label, expectedMinutes) => {
+    const matches: number[] = [];
+    for (let m = 0; m < 60; m += 1) {
+      // Check at hour 0 so the hour field "0" in '0 1 0 * * *' also aligns.
+      if (shouldRunInWindow(expr, at(0, m))) matches.push(m);
+    }
+    expect(matches).toEqual(expectedMinutes);
+  });
+});
+
+describe('regression guard — bug condition from 2026-04-17 incident', () => {
+  it('each minute in an hour produces the EXPECTED number of matches for payment-kit cron expressions', () => {
+    const expressions: Record<string, number> = {
+      '0 */5 * * * *': 12, // depositVault, revokeStake
+      '0 */10 * * * *': 6, // creditConsume, vendorStatusCheck, vendorReturnScan
+      '0 */20 * * * *': 3, // stripePayment
+      '0 */30 * * * *': 2, // subscription, stripeInvoice
+    };
+
+    for (const [expr, expected] of Object.entries(expressions)) {
+      let count = 0;
+      for (let m = 0; m < 60; m += 1) {
+        if (shouldRunInWindow(expr, at(10, m))) count += 1;
+      }
+      expect({ expr, count }).toEqual({ expr, count: expected });
+    }
+  });
+});
+
+// runAll(date) integration test — verifies the shim uses the passed date
+// (scheduledTime from CF) rather than wall-clock at execution time. This
+// addresses PR #1341 review P2-1: a scheduled event intended for 00:01 but
+// delivered late at 00:02 must still match "0 1 * * * *" jobs.
+describe('cronInstance.runAll(date) — scheduledTime integration (review P2-1)', () => {
+  afterEach(() => {
+    // cronModule.init({...}) mutates the singleton registry; reset between cases
+    cronModule.init({ jobs: [] });
+  });
+
+  it('passes the provided date to shouldRunInWindow, not wall clock', async () => {
+    const calls: string[] = [];
+    cronModule.init({
+      jobs: [
+        {
+          name: 'test.minute-1',
+          time: '0 1 * * * *',
+          fn: async () => { calls.push('minute-1'); },
+        },
+        {
+          name: 'test.minute-2',
+          time: '0 2 * * * *',
+          fn: async () => { calls.push('minute-2'); },
+        },
+      ],
+    });
+
+    // Scheduled intended at 00:01 but delivered late so wall-clock is in minute 2.
+    // Caller (worker.ts) should pass the intended time (new Date(event.scheduledTime)).
+    const intendedMinute1 = new Date(Date.UTC(2026, 3, 17, 0, 1, 0));
+    await cronInstance.runAll(intendedMinute1);
+
+    expect(calls).toEqual(['minute-1']);
+  });
+
+  it('defaults to new Date() when no arg is passed', async () => {
+    // Smoke check that the default-arg path still works (e.g. from manual dev endpoints).
+    let ran = false;
+    cronModule.init({
+      jobs: [
+        {
+          name: 'test.always',
+          time: '* * * * *',
+          fn: async () => { ran = true; },
+        },
+      ],
+    });
+    await cronInstance.runAll();
+    expect(ran).toBe(true);
+  });
+});

package/cloudflare/tests/shims/queue-scheduled.spec.ts

@@ -0,0 +1,186 @@
+// Tests for shims/queue.ts:runAllScheduledJobs aggregated D1 scan.
+//
+// Verifies the Plan 8 refactor: 16 × 2 per-queue queries collapse into a
+// single Job.findAll across all registered queues. Behavior invariants
+// preserved: due-delayed + stuck-immediate semantics, 2-minute created_at
+// filter for immediate jobs, per-queue dispatch order by created_at.
+
+// Mock the Job model before importing the shim — import order matters
+// because shims/queue.ts imports Job at module top.
+jest.mock('../../../api/src/store/models/job', () => ({
+  Job: {
+    findAll: jest.fn(),
+  },
+}));
+
+// Mock createQueueStore so registering a handler doesn't hit D1.
+jest.mock('../../../api/src/libs/queue/store', () => ({
+  __esModule: true,
+  default: jest.fn(() => ({
+    // Only the surface actually touched by dispatchJob / handler registration:
+    deleteJob: jest.fn().mockResolvedValue(true),
+    getJob: jest.fn(),
+    getJobs: jest.fn(),
+    getScheduledJobs: jest.fn(),
+    addJob: jest.fn(),
+    updateJob: jest.fn(),
+    isCancelled: jest.fn().mockResolvedValue(false),
+    findJobs: jest.fn(),
+  })),
+}));
+
+import { Op } from 'sequelize';
+import { Job } from '../../../api/src/store/models/job';
+import {
+  runAllScheduledJobs,
+  setCFQueue,
+  getAllHandlerNames,
+  __test__,
+} from '../../shims/queue';
+
+const mockedFindAll = Job.findAll as unknown as jest.Mock;
+
+describe('runAllScheduledJobs — aggregated D1 scan', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    __test__?.resetHandlers?.();
+    setCFQueue(null);
+  });
+
+  function registerQueue(name: string, executeJob = jest.fn().mockResolvedValue(undefined)) {
+    __test__!.registerForTest!(name, { executeJob });
+    return executeJob;
+  }
+
+  it('returns early with no query when no queues are registered', async () => {
+    const result = await runAllScheduledJobs();
+    expect(mockedFindAll).not.toHaveBeenCalled();
+    expect(result).toEqual({ dispatched: 0, failed: 0, queues: [] });
+  });
+
+  it('issues exactly ONE findAll across all registered queues (no per-queue loop)', async () => {
+    for (let i = 0; i < 16; i += 1) registerQueue(`q${i}`);
+    mockedFindAll.mockResolvedValue([]);
+
+    await runAllScheduledJobs();
+
+    expect(mockedFindAll).toHaveBeenCalledTimes(1);
+    const arg = mockedFindAll.mock.calls[0][0];
+    expect(arg.where.queue).toEqual({ [Op.in]: expect.arrayContaining(['q0', 'q15']) });
+    expect(arg.where.cancelled).toBe(false);
+    expect(arg.where[Op.or]).toHaveLength(2);
+    expect(arg.order).toEqual([['created_at', 'ASC']]);
+  });
+
+  it('groups rows by queue and dispatches via the registered handler', async () => {
+    const execA = registerQueue('qa');
+    const execB = registerQueue('qb');
+
+    mockedFindAll.mockResolvedValue([
+      { id: 'a1', queue: 'qa', job: { v: 1 }, created_at: new Date() },
+      { id: 'b1', queue: 'qb', job: { v: 2 }, created_at: new Date() },
+      { id: 'a2', queue: 'qa', job: { v: 3 }, created_at: new Date() },
+    ]);
+
+    const result = await runAllScheduledJobs();
+
+    expect(execA).toHaveBeenCalledTimes(2);
+    expect(execB).toHaveBeenCalledTimes(1);
+    expect(result.dispatched).toBe(3);
+    expect(result.failed).toBe(0);
+    expect(result.queues.sort()).toEqual(['qa', 'qb']);
+  });
+
+  it('filters out rows missing id or job payload', async () => {
+    const exec = registerQueue('qa');
+
+    mockedFindAll.mockResolvedValue([
+      { id: 'a1', queue: 'qa', job: { v: 1 }, created_at: new Date() },
+      { id: '', queue: 'qa', job: { v: 2 }, created_at: new Date() },
+      { id: 'a3', queue: 'qa', job: null, created_at: new Date() },
+    ]);
+
+    const result = await runAllScheduledJobs();
+
+    expect(exec).toHaveBeenCalledTimes(1);
+    expect(result.dispatched).toBe(1);
+  });
+
+  it('continues dispatching siblings when one job throws', async () => {
+    const exec = jest
+      .fn()
+      .mockRejectedValueOnce(new Error('boom'))
+      .mockResolvedValue(undefined);
+    registerQueue('qa', exec);
+
+    mockedFindAll.mockResolvedValue([
+      { id: 'a1', queue: 'qa', job: { v: 1 }, created_at: new Date() },
+      { id: 'a2', queue: 'qa', job: { v: 2 }, created_at: new Date() },
+    ]);
+
+    const result = await runAllScheduledJobs();
+
+    expect(exec).toHaveBeenCalledTimes(2);
+    expect(result.dispatched).toBe(1);
+    expect(result.failed).toBe(1);
+  });
+
+  it('returns empty result without throwing when D1 scan fails', async () => {
+    registerQueue('qa');
+    mockedFindAll.mockRejectedValue(new Error('D1 timeout'));
+
+    const result = await runAllScheduledJobs();
+
+    expect(result).toEqual({ dispatched: 0, failed: 0, queues: [] });
+  });
+
+  it('ignores rows for queues that are no longer registered', async () => {
+    const exec = registerQueue('qa');
+    mockedFindAll.mockResolvedValue([
+      { id: 'a1', queue: 'qa', job: { v: 1 }, created_at: new Date() },
+      { id: 'z1', queue: 'qzombie', job: { v: 2 }, created_at: new Date() },
+    ]);
+
+    const result = await runAllScheduledJobs();
+
+    expect(exec).toHaveBeenCalledTimes(1);
+    expect(result.dispatched).toBe(1);
+    expect(result.queues).toEqual(['qa']);
+  });
+
+  it('where clause covers due-delayed OR stuck-immediate jobs with 2-min cutoff', async () => {
+    registerQueue('qa');
+    mockedFindAll.mockResolvedValue([]);
+
+    const before = Date.now();
+    await runAllScheduledJobs();
+    const after = Date.now();
+
+    const arg = mockedFindAll.mock.calls[0][0];
+    const orClauses = arg.where[Op.or];
+    expect(orClauses).toHaveLength(2);
+
+    const delayedClause = orClauses.find((c: any) => c.delay && c.will_run_at);
+    expect(delayedClause).toBeDefined();
+    expect(delayedClause.delay).toEqual({ [Op.not]: -1 });
+    const dueCutoff = delayedClause.will_run_at[Op.lte];
+    expect(dueCutoff).toBeGreaterThanOrEqual(before);
+    expect(dueCutoff).toBeLessThanOrEqual(after);
+
+    const immediateClause = orClauses.find((c: any) => c.delay === -1);
+    expect(immediateClause).toBeDefined();
+    // D1 rejects Date objects at the bind layer, so the shim serializes to ISO string.
+    const cutoffValue: string = immediateClause.created_at[Op.lt];
+    expect(typeof cutoffValue).toBe('string');
+    const cutoffMs = new Date(cutoffValue).getTime();
+    // 2 minutes back from "now", allowing for small wall-clock drift.
+    expect(before - cutoffMs).toBeGreaterThanOrEqual(2 * 60 * 1000 - 50);
+    expect(before - cutoffMs).toBeLessThanOrEqual(2 * 60 * 1000 + 50);
+  });
+
+  it('registers handlers that show up in getAllHandlerNames', () => {
+    registerQueue('q1');
+    registerQueue('q2');
+    expect(getAllHandlerNames().sort()).toEqual(['q1', 'q2']);
+  });
+});

package/cloudflare/vite.config.ts

@@ -0,0 +1,162 @@
+import react from '@vitejs/plugin-react';
+import { defineConfig } from 'vite';
+import svgr from 'vite-plugin-svgr';
+import tsconfigPaths from 'vite-tsconfig-paths';
+import path from 'path';
+
+const coreDir = path.resolve(__dirname, '..');
+
+// Absolute path to the original session file we want to replace
+const originalSessionPath = path.resolve(coreDir, 'src/contexts/session');
+// Absolute path to our CF shim
+const cfSessionShimPath = path.resolve(__dirname, 'frontend-shims/session.ts');
+
+export default defineConfig({
+  root: coreDir, // blocklets/core/ — where index.html and src/ live
+  plugins: [
+    // Redirect contexts/session imports to CF shim (must be first plugin)
+    {
+      name: 'cf-session-redirect',
+      enforce: 'pre' as const,
+      resolveId(source: string, importer: string | undefined) {
+        if (!importer) return null;
+        // Match relative imports that resolve to src/contexts/session
+        if (source.endsWith('/contexts/session') || source.endsWith('/contexts/session.ts')) {
+          const resolved = path.resolve(path.dirname(importer), source).replace(/\.ts$/, '');
+          if (resolved === originalSessionPath) {
+            return cfSessionShimPath;
+          }
+        }
+        return null;
+      },
+    },
+    // Inject window.blocklet + global polyfills into HTML
+    {
+      name: 'cf-inject-blocklet',
+      transformIndexHtml(html: string) {
+        const injection = `<script>
+window.global = globalThis;
+// Minimal bootstrap — full config loaded from __blocklet__.js
+if (!window.blocklet) {
+  window.blocklet = {
+    prefix: '/',
+    groupPrefix: '/',
+    appUrl: window.location.origin,
+    componentMountPoints: [{did:'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',name:'Media Kit',mountPoint:'/media-kit',appId:'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',status:'running',capabilities:{component:true}}],
+    navigation: [
+      {id:'payments',title:{en:'Payments',zh:'支付管理'},icon:'ion:card-outline',link:'/admin',section:['dashboard','sessionManager'],role:['admin','owner']},
+      {id:'integrations',title:{en:'Integrations',zh:'快速集成'},icon:'ion:flash-outline',link:'/integrations',section:['dashboard','sessionManager'],role:['admin','owner']},
+      {id:'billing',title:{en:'Billing',zh:'我的账单'},icon:'ion:receipt-outline',link:'/customer',private:true,section:['userCenter','sessionManager'],role:['owner','admin','member','guest']},
+    ],
+  };
+}
+// Load full config from /__blocklet__.js?type=json (served by worker, includes auth/branding/theme from AUTH_SERVICE).
+// Using type=json lets us JSON.parse the response directly instead of slicing out a { } substring from a JS assignment.
+(function() {
+  try {
+    var xhr = new XMLHttpRequest();
+    var pfx = (window.blocklet && window.blocklet.prefix) || '/';
+    xhr.open('GET', pfx + '__blocklet__.js?type=json&_t=' + Date.now(), false);
+    xhr.send();
+    if (xhr.status === 200) {
+      var remote = JSON.parse(xhr.responseText);
+      // navigation / componentMountPoints are owned by this blocklet — AUTH_SERVICE
+      // doesn't know about them, so we never want remote values to clobber the
+      // ones the bootstrap above set.
+      var localOnly = ['navigation', 'componentMountPoints'];
+      Object.keys(remote).forEach(function(k) {
+        if (localOnly.indexOf(k) === -1) {
+          window.blocklet[k] = remote[k];
+        }
+      });
+      if (!window.blocklet.env) window.blocklet.env = {};
+      window.blocklet.env.appName = window.blocklet.appName || '';
+      window.blocklet.env.appDescription = window.blocklet.appDescription || '';
+      window.blocklet.env.appLogo = window.blocklet.appLogo || '';
+      window.blocklet.env.appUrl = window.blocklet.appUrl || '';
+    }
+  } catch(e) { /* ignore */ }
+})();
+</script>`;
+        return html.replace('<head>', '<head>' + injection);
+      },
+    },
+    // Inject Buffer polyfill at the top of the entry file
+    {
+      name: 'cf-buffer-polyfill',
+      enforce: 'pre' as const,
+      transform(code: string, id: string) {
+        if (id.endsWith('/src/index.tsx')) {
+          return `import '${path.resolve(__dirname, 'frontend-shims/buffer-polyfill.ts').replace(/\\/g, '/')}';\n` + code;
+        }
+        return undefined;
+      },
+    },
+    tsconfigPaths({ root: coreDir }),
+    react(),
+    svgr(),
+  ],
+  resolve: {
+    alias: {
+      // Point to source code (workspace packages)
+      '@blocklet/payment-react': path.resolve(coreDir, '../../packages/react/src'),
+      '@blocklet/payment-react-headless': path.resolve(coreDir, '../../packages/payment-react-headless/src'),
+      '@blocklet/payment-js': path.resolve(coreDir, '../../packages/client/src'),
+
+      // Replace @blocklet/js-sdk with a simple axios wrapper
+      '@blocklet/js-sdk': path.resolve(__dirname, 'frontend-shims/js-sdk.ts'),
+
+      // Fix mime-types CJS interop for @blocklet/uploader
+      'mime-types': path.resolve(__dirname, 'frontend-shims/mime-types.ts'),
+
+      // lodash aliases
+      'lodash.assign': 'lodash/assign',
+      'lodash.clonedeep': 'lodash/cloneDeep',
+      'lodash.isequal': 'lodash/isEqual',
+      'lodash.merge': 'lodash/merge',
+      'lodash.find': 'lodash/find',
+    },
+    dedupe: [
+      '@arcblock/ux',
+      '@arcblock/did-connect-react',
+      '@blocklet/ui-react',
+      '@mui/material',
+      '@mui/icons-material',
+      'react',
+      'react-dom',
+      'lodash',
+    ],
+  },
+  build: {
+    outDir: path.resolve(__dirname, 'public'),
+    emptyOutDir: true,
+    cssCodeSplit: false,
+    modulePreload: false,
+    commonjsOptions: {
+      include: [/node_modules/],
+      transformMixedEsModules: true,
+    },
+  },
+  define: {
+    'global': 'globalThis',
+  },
+  optimizeDeps: {
+    include: ['react', 'react-dom', 'react/jsx-runtime', 'buffer'],
+    esbuildOptions: {
+      mainFields: ['module', 'main'],
+      resolveExtensions: ['.ts', '.tsx', '.js', '.jsx'],
+    },
+  },
+  server: {
+    proxy: {
+      '/api': {
+        target: 'http://localhost:8800',
+        changeOrigin: true,
+      },
+      '/.well-known': {
+        target: 'http://localhost:8800',
+        changeOrigin: true,
+      },
+    },
+  },
+});