payment-kit 1.27.2 → 1.29.0

package/__blocklet__.js

@@ -0,0 +1,37 @@
+// Polyfill global for browser
+if (typeof globalThis !== 'undefined' && typeof global === 'undefined') {
+  window.global = globalThis;
+}
+if (typeof globalThis !== 'undefined' && typeof Buffer === 'undefined') {
+  // Buffer polyfill will be loaded by vite-plugin-node-polyfills if configured
+}
+
+// CF Workers shim for window.blocklet
+// This file replaces the auto-generated __blocklet__.js from Blocklet Server
+window.blocklet = window.blocklet || {};
+Object.assign(window.blocklet, {
+  prefix: '',
+  groupPrefix: '',
+  did: 'did:abt:test',
+  componentId: null,
+  serverVersion: '3.0.0',
+  languages: [
+    { code: 'en', name: 'English' },
+    { code: 'zh', name: '简体中文' }
+  ],
+  appPid: 'payment-kit-cf',
+  appId: 'payment-kit-cf',
+  appName: 'Payment Kit',
+  appLogo: '',
+  appDescription: 'Decentralized Payment System',
+  appUrl: window.location.origin,
+  GA_MEASUREMENT_ID: '',
+  theme: { prefer: 'light' },
+  navigation: [{ title: 'Home', link: '/', icon: '' }],
+  webWalletUrl: '',
+  componentMountPoints: [],
+  sessionPermissions: { canReadAll: true, canWriteAll: true },
+  settings: {
+    session: { cacheTtl: 3600 },
+  },
+});

package/api/ocap-1.30-subpath-shims.d.ts

@@ -0,0 +1,35 @@
+// Type shims for @ocap/* / @arcblock/* 1.30.x CBOR-only subpath entries.
+//
+// These packages ship runtime + `.d.mts` type files under the package.json
+// `exports` map. tsc under `moduleResolution: node` cannot resolve `.d.mts`
+// through the exports map, producing:
+//   error TS2307: Cannot find module '@arcblock/did-util/cbor' or its
+//     corresponding type declarations.
+//
+// Switching moduleResolution to `bundler`/`node16` would fix resolution but
+// require matching `module: esnext`, which changes the emitted JS format for
+// api/dist runtime. Not worth the blast radius.
+//
+// Instead: declare loose types here so tsc is satisfied. Runtime resolution
+// still uses the real packages via Node/esbuild's own module loader (they
+// handle .cjs + exports map correctly).
+
+declare module '@arcblock/did-util/cbor' {
+  // biome-ignore lint/suspicious/noExplicitAny: loose shim; real types live in .d.mts
+  type AnyFn = (...args: any[]) => any;
+  export const toAssetAddress: AnyFn;
+  export const toDelegateAddress: AnyFn;
+  export const toFactoryAddress: AnyFn;
+  export const toItxAddress: AnyFn;
+  export const toRollupAddress: AnyFn;
+  export const toStakeAddress: AnyFn;
+  export const toTokenAddress: AnyFn;
+  export const toTokenFactoryAddress: AnyFn;
+}
+
+declare module '@ocap/asset/mint/client' {
+  // biome-ignore lint/suspicious/noExplicitAny: loose shim; real types live in .d.mts
+  type AnyFn = (...args: any[]) => any;
+  export const formatFactoryState: AnyFn;
+  export const preMintFromFactory: AnyFn;
+}

package/api/src/crons/index.ts

@@ -1,6 +1,7 @@
 import Cron from '@abtnode/cron';
 
 import { checkStakeRevokeTx } from '../integrations/arcblock/stake';
+import { runIapReconcile } from '../integrations/iap-reconcile';
 import {
   batchHandleStripeInvoices,
   batchHandleStripePayments,
@@ -9,7 +10,9 @@ import {
 import {
   creditConsumptionCronTime,
   depositVaultCronTime,
+  eventRetryCronTime,
   expiredSessionCleanupCronTime,
+  iapReconcileCronTime,
   notificationCronTime,
   overdueDetectionCronTime,
   paymentStatCronTime,
@@ -24,11 +27,13 @@ import {
 import logger from '../libs/logger';
 import { startCreditConsumeQueue } from '../queues/credit-consume';
 import { startDepositVaultQueue } from '../queues/payment';
+import { startRefundQueue } from '../queues/refund';
 import { startSubscriptionQueue } from '../queues/subscription';
 import { startVendorStatusCheckSchedule } from '../queues/vendors/status-check';
 import { CheckoutSession } from '../store/models';
 import { createOverdueDetection } from './overdue-detection';
 import { createPaymentStat } from './payment-stat';
+import { retryPendingEvents } from './retry-pending-events';
 import { SubscriptionTrialWillEndSchedule } from './subscription-trial-will-end';
 import { SubscriptionWillCanceledSchedule } from './subscription-will-canceled';
 import { SubscriptionWillRenewSchedule } from './subscription-will-renew';
@@ -85,6 +90,15 @@ function init() {
         fn: startSubscriptionQueue,
         options: { runOnInit: false },
       },
+      {
+        // Recover pending refunds that were missed (e.g. after deploy or failed dispatch).
+        // Previously invoked unconditionally on every CF scheduled tick; now throttled
+        // to every 5 minutes to stay within CF Queue free-tier ops budget.
+        name: 'refund.recovery',
+        time: '0 */5 * * * *',
+        fn: startRefundQueue,
+        options: { runOnInit: false },
+      },
       {
         name: 'checkoutSession.cleanup.expired',
         time: expiredSessionCleanupCronTime,
@@ -118,6 +132,24 @@ function init() {
         fn: checkStakeRevokeTx,
         options: { runOnInit: false },
       },
+      {
+        // Backup for App Store / Google Play webhooks — pulls authoritative
+        // subscription state and patches local drift (refunds/renewals the
+        // webhook missed). See blocklets/core/api/src/integrations/iap-reconcile.ts.
+        name: 'iap.reconcile',
+        time: iapReconcileCronTime,
+        fn: () => runIapReconcile(),
+        options: { runOnInit: false },
+      },
+      {
+        // Backstop for the fire-and-forget event → webhook path. Rescans events
+        // with pending_webhooks>0 older than 60s and re-invokes handleEvent.
+        // See blocklets/core/api/src/crons/retry-pending-events.ts.
+        name: 'event.retry',
+        time: eventRetryCronTime,
+        fn: () => retryPendingEvents(),
+        options: { runOnInit: false },
+      },
       {
         name: 'payment.stat',
         time: paymentStatCronTime,

package/api/src/crons/metering-subscription-detection.ts

@@ -119,20 +119,18 @@ export class MeteringSubscriptionDetectionTemplate implements BaseEmailTemplate<
     });
 
     const meteringInvoices: any[] = [];
-    await Promise.all(
-      invoices.map(async (invoice) => {
-        const invoiceJson = invoice.toJSON();
-        const prices = (await Price.findAll()).map((x) => x.toJSON());
-        // @ts-ignore
-        (invoiceJson.lines || []).forEach((item) => {
-          item.price = prices.find((x) => x.id === item.price_id);
-        });
-        // @ts-ignore
-        if ((invoiceJson.lines || []).some((line) => line.price?.recurring?.usage_type === 'metered')) {
-          meteringInvoices.push(invoice);
-        }
-      })
-    );
+    const prices = (await Price.findAll()).map((x) => x.toJSON());
+    for (const invoice of invoices) {
+      const invoiceJson = invoice.toJSON();
+      // @ts-ignore
+      (invoiceJson.lines || []).forEach((item) => {
+        item.price = prices.find((x) => x.id === item.price_id);
+      });
+      // @ts-ignore
+      if ((invoiceJson.lines || []).some((line) => line.price?.recurring?.usage_type === 'metered')) {
+        meteringInvoices.push(invoice);
+      }
+    }
     const meteringInvoiceIds = Array.from(new Set(meteringInvoices.map((invoice) => invoice.id)));
     const meteringSubscriptionIds = Array.from(
       new Set(meteringInvoices.map((invoice) => invoice?.subscription_id).filter(Boolean) as string[])

package/api/src/crons/overdue-detection.ts

@@ -102,19 +102,19 @@ export class HealthReportTemplate implements BaseEmailTemplate<HealthReportConte
     const startTime = dayjs.unix(start).toISOString();
     const endTime = dayjs.unix(end).toISOString();
 
-    // 1. Get all currency configurations
-    const allCurrencies = await PaymentCurrency.findAll();
-    const currencyMap = new Map(allCurrencies.map((c) => [c.id, c]));
-
-    // 2. Fetch all pending meter events in the last 24 hours
-    const events = await MeterEvent.findAll({
-      where: {
-        status: ['pending', 'requires_capture', 'requires_action'],
-        created_at: {
-          [Op.between]: [startTime, endTime],
+    // 1. Get all currency configurations + pending meter events in parallel
+    const [allCurrencies, events] = await Promise.all([
+      PaymentCurrency.findAll(),
+      MeterEvent.findAll({
+        where: {
+          status: ['pending', 'requires_capture', 'requires_action'],
+          created_at: {
+            [Op.between]: [startTime, endTime],
+          },
         },
-      },
-    });
+      }),
+    ]);
+    const currencyMap = new Map(allCurrencies.map((c) => [c.id, c]));
 
     if (events.length === 0) {
       return { customerCount: 0, pendingAmounts: '0', exceedsThreshold: false };
@@ -209,25 +209,21 @@ export class HealthReportTemplate implements BaseEmailTemplate<HealthReportConte
     const startTime = dayjs.unix(start).toISOString();
     const endTime = dayjs.unix(end).toISOString();
 
-    // Get all successful payments in the last 24 hours
-    const payments = await PaymentIntent.findAll({
-      where: {
-        status: 'succeeded',
-        created_at: {
-          [Op.between]: [startTime, endTime],
+    // Get all successful payments + refunds in parallel
+    const [payments, refunds] = await Promise.all([
+      PaymentIntent.findAll({
+        where: {
+          status: 'succeeded',
+          created_at: { [Op.between]: [startTime, endTime] },
         },
-      },
-    });
-
-    // Get all refunds in the last 24 hours
-    const refunds = await Refund.findAll({
-      where: {
-        status: 'succeeded',
-        created_at: {
-          [Op.between]: [startTime, endTime],
+      }),
+      Refund.findAll({
+        where: {
+          status: 'succeeded',
+          created_at: { [Op.between]: [startTime, endTime] },
         },
-      },
-    });
+      }),
+    ]);
 
     // Aggregate total revenue by currency
     const revenueByCurrency = new Map<string, BN>();
@@ -282,33 +278,18 @@ export class HealthReportTemplate implements BaseEmailTemplate<HealthReportConte
     const startTime = dayjs.unix(start).toISOString();
     const endTime = dayjs.unix(end).toISOString();
 
-    // New subscriptions created in the last 24 hours
-    const newSubscriptions = await Subscription.count({
-      where: {
-        created_at: {
-          [Op.between]: [startTime, endTime],
-        },
-      },
-    });
-
-    // Subscriptions canceled in the last 24 hours
-    const canceledSubscriptions = await Subscription.count({
-      where: {
-        canceled_at: {
-          [Op.between]: [start, end],
-        },
-      },
-    });
-
-    // Subscriptions that became past_due in the last 24 hours
-    const pastDueSubscriptions = await Subscription.count({
-      where: {
-        status: 'past_due',
-        updated_at: {
-          [Op.between]: [startTime, endTime],
-        },
-      },
-    });
+    // All 3 counts are independent — run in parallel
+    const [newSubscriptions, canceledSubscriptions, pastDueSubscriptions] = await Promise.all([
+      Subscription.count({
+        where: { created_at: { [Op.between]: [startTime, endTime] } },
+      }),
+      Subscription.count({
+        where: { canceled_at: { [Op.between]: [start, end] } },
+      }),
+      Subscription.count({
+        where: { status: 'past_due', updated_at: { [Op.between]: [startTime, endTime] } },
+      }),
+    ]);
 
     return {
       newSubscriptions,
@@ -405,26 +386,22 @@ export class HealthReportTemplate implements BaseEmailTemplate<HealthReportConte
     const startTime = dayjs.unix(start).toISOString();
     const endTime = dayjs.unix(end).toISOString();
 
-    // Successful payments
-    const succeededPayments = await PaymentIntent.findAll({
-      where: {
-        status: 'succeeded',
-        created_at: {
-          [Op.between]: [startTime, endTime],
-        },
-      },
-    });
-
-    // Failed payments (canceled status)
+    // Successful + failed payments in parallel
     const failedStatuses = ['canceled', 'requires_payment_method', 'requires_action'];
-    const failedPayments = await PaymentIntent.findAll({
-      where: {
-        status: { [Op.in]: failedStatuses },
-        created_at: {
-          [Op.between]: [startTime, endTime],
+    const [succeededPayments, failedPayments] = await Promise.all([
+      PaymentIntent.findAll({
+        where: {
+          status: 'succeeded',
+          created_at: { [Op.between]: [startTime, endTime] },
         },
-      },
-    });
+      }),
+      PaymentIntent.findAll({
+        where: {
+          status: { [Op.in]: failedStatuses },
+          created_at: { [Op.between]: [startTime, endTime] },
+        },
+      }),
+    ]);
 
     const succeededCount = succeededPayments.length;
     const failedCount = failedPayments.length;

package/api/src/crons/retry-pending-events.ts

@@ -0,0 +1,58 @@
+// Backstop for the event → webhook fire-and-forget path.
+//
+// createEvent emits 'event.created' (sync) → an async listener calls
+// handleEvent → schedules HTTP webhook delivery. On CF Workers the listener's
+// microtask can lose the worker before its waitUntil registers if it fires
+// from the last line of an HTTP handler (e.g. ingestVerifiedGooglePlayPurchase
+// ends with `createEvent('subscription.started', ...).catch(...)` right before
+// returning — the response flushes and runtime may stop draining new
+// waitUntils). Result: events row exists with pending_webhooks>0 but no
+// webhook_attempt is ever written, so downstream apps silently miss the
+// notification.
+//
+// This cron rescans for pending events older than the realtime grace window
+// and re-invokes handleEvent. Stripe et al ship the same belt-and-suspenders.
+
+import { Op } from 'sequelize';
+
+import logger from '../libs/logger';
+import { eventQueue } from '../queues/event';
+import { Event } from '../store/models/event';
+
+const REALTIME_GRACE_SECONDS = 60;
+// Each cron tick only enqueues, does NOT inline await handleEvent. CF Workers
+// scheduled handler has a tight CPU budget (~30s) — inline handling N events
+// blew past it after ~7 iterations and was cut off mid-batch, so the tail
+// never got processed. Pushing to eventQueue lets the consumer (which has a
+// looser per-message budget) work through them asynchronously.
+//
+// BATCH_LIMIT must stay small: even push-only, the scheduled handler awaits
+// flushPendingJobs() at the end which await's each push's enqueue promise
+// (D1 addJob + CF Queue send). 50 was too many — pushes never finished
+// sending, jobs table never got rows, handleEvent never ran. 5 leaves
+// generous headroom and we still drain the backlog over a few minutes.
+const BATCH_LIMIT = 5;
+
+export async function retryPendingEvents(): Promise<void> {
+  const threshold = new Date(Date.now() - REALTIME_GRACE_SECONDS * 1000);
+  const docs = await Event.findAll({
+    where: {
+      pending_webhooks: { [Op.gt]: 0 },
+      created_at: { [Op.lt]: threshold },
+    },
+    attributes: ['id'],
+    order: [['created_at', 'ASC']],
+    limit: BATCH_LIMIT,
+  });
+
+  if (docs.length === 0) return;
+  logger.info(`event.retry: enqueuing ${docs.length} pending events older than ${REALTIME_GRACE_SECONDS}s`);
+
+  for (const doc of docs) {
+    try {
+      eventQueue.push({ id: doc.id, job: { eventId: doc.id }, persist: false });
+    } catch (err: any) {
+      logger.error('event.retry enqueue failed', { eventId: doc.id, error: err?.message });
+    }
+  }
+}

package/api/src/integrations/app-store/apple-root-certs.ts

@@ -0,0 +1,26 @@
+// Apple Root Certificates for App Store JWS verification.
+//
+// Vendored as base64 constants so `tsc` compiles cleanly without copying
+// non-ts assets into dist/. Source files (DER-encoded `.cer`) live under
+// `./certs/` and were downloaded from https://www.apple.com/certificateauthority/
+//
+// Apple's IAP JWS signing chain currently terminates at one of these roots.
+// Apple rotates roots roughly every 25 years — refresh when they do.
+//   - Apple Inc. Root Certificate (RSA 2048, valid 2006-04 → 2035-02)
+//   - Apple Root CA - G2          (RSA 4096, valid 2014-04 → 2039-04)
+//   - Apple Root CA - G3          (ECC P-384, valid 2014-04 → 2039-04)
+
+const APPLE_INC_ROOT_B64 =
+  'MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDYwNDI1MjE0MDM2WhcNMzUwMjA5MjE0MDM2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkkakJH5HbHkdQ6wXtXnmELes2oldMVeyLGYne+Uts9QerIjAC6Bg++FAJ039BqJj50cpmnCRrEdCju+QbKsMflZ56DKRHi1vUFjczy8QPTc4UadHJGXL1XQ7Vf1+b8iUDulWPTV0N8WQ1IxVLFVkds5T39pyez1C6wVhQZ48ItCD3y6wsIG9wtj8BMIy3Q88PnT3zK0koGsj+zrW5DtleHNbLPbU6rfQPDgCSC7EhFi501TwN22IWq6NxkkdTVcGvL0Gz+PvjcM3mo0xFfh9Ma1CWQYnEdGILEINBhzOKgbEwWOxaBDKMaLOPHd5lc/9nXmW8Sdh2nzMUZaF3lMktAgMBAAGjggF6MIIBdjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUK9BpR5R2Cf70a40uQKb3R01/CF4wHwYDVR0jBBgwFoAUK9BpR5R2Cf70a40uQKb3R01/CF4wggERBgNVHSAEggEIMIIBBDCCAQAGCSqGSIb3Y2QFATCB8jAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cuYXBwbGUuY29tL2FwcGxlY2EvMIHDBggrBgEFBQcCAjCBthqBs1JlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMA0GCSqGSIb3DQEBBQUAA4IBAQBcNplMLXi37Yyb3PN3m/J20ncwT8EfhYOFG5k9RzfyqZtAjizUsZAS2L70c5vu0mQPy3lPNNiiPvl4/2vIB+x9OYOLUyDTOMSxv5pPCmv/K/xZpwUJfBdAVhEedNO3iyM7R6PVbyTi69G3cN8PReEnyvFteO3ntRcXqNx+IjXKJdXZD9Zr1KIkIxH3oayPc4FgxhtbCS+SsvhESPBgOJ4V9T0mZyCKM2r3DYLP3uujL/lTaltkwGMzd/c6ByxW69oPIQ7aunMZT7XZNn/Bh1XZp5m5MkL72NVxnn6hUrcbvZNCJBIqxw8dtk2cXmPIS4AXUKqK1drk/NAJBzewdXUh';
+
+const APPLE_ROOT_CA_G2_B64 =
+  'MIIFkjCCA3qgAwIBAgIIAeDltYNno+AwDQYJKoZIhvcNAQEMBQAwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEcyMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNDMwMTgxMDA5WhcNMzkwNDMwMTgxMDA5WjBnMRswGQYDVQQDDBJBcHBsZSBSb290IENBIC0gRzIxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANgREkhI2imKScUcx+xuM23+TfvgHN6sXuI2pyT5f1BrTM65MFQn5bPW7SXmMLYFN14UIhHF6Kob0vuy0gmVOKTvKkmMXT5xZgM4+xb1hYjkWpIMBDLyyED7Ul+f9sDx47pFoFDVEovy3d6RhiPw9bZyLgHaC/YuOQhfGaFjQQscp5TBhsRTL3b2CtcM0YM/GlMZ81fVJ3/8E7j4ko380yhDPLVoACVdJ2LT3VXdRCCQgzWTxb+4Gftr49wIQuavbfqeQMpOhYV4SbHXw8EwOTKrfl+q04tvny0aIWhwZ7Oj8ZhBbZF8+NfbqOdfIRqMM78xdLe40fTgIvS/cjTf94FNcX1RoeKz8NMoFnNvzcytN31O661A4T+B/fc9Cj6i8b0xlilZ3MIZgIxbdMYs0xBTJh0UT8TUgWY8h2czJxQI6bR3hDRSj4n4aJgXv8O7qhOTH11UL6jHfPsNFL4VPSQ08prcdUFmIrQB1guvkJ4M6mL4m1k8COKWNORj3rw31OsMiANDC1CvoDTdUE0V+1ok2Az6DGOeHwOx4e7hqkP0ZmUoNwIx7wHHHtHMn23KVDpA287PT0aLSmWaasZobNfMmRtHsHLDd4/E92GcdB/O/WuhwpyUgquUoue9G7q5cDmVF8Up8zlYNPXEpMZ7YLlmQ1A/bmH8DvmGqmAMQ0uVAgMBAAGjQjBAMB0GA1UdDgQWBBTEmRNsGAPCe8CjoA1/coB6HHcmjTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQwFAAOCAgEAUabz4vS4PZO/Lc4Pu1vhVRROTtHlznldgX/+tvCHM/jvlOV+3Gp5pxy+8JS3ptEwnMgNCnWefZKVfhidfsJxaXwU6s+DDuQUQp50DhDNqxq6EWGBeNjxtUVAeKuowM77fWM3aPbn+6/Gw0vsHzYmE1SGlHKy6gLti23kDKaQwFd1z4xCfVzmMX3zybKSaUYOiPjjLUKyOKimGY3xn83uamW8GrAlvacp/fQ+onVJv57byfenHmOZ4VxG/5IFjPoeIPmGlFYl5bRXOJ3riGQUIUkhOb9iZqmxospvPyFgxYnURTbImHy99v6ZSYA7LNKmp4gDBDEZt7Y6YUX6yfIjyGNzv1aJMbDZfGKnexWoiIqrOEDCzBL/FePwN983csvMmOa/orz6JopxVtfnJBtIRD6e/J/JzBrsQzwBvDR4yGn1xuZW7AYJNpDrFEobXsmII9oDMJELuDY++ee1KG++P+w8j2Ud5cAeh6Squpj9kuNsJnfdBrRkBof0Tta6SqoWqPQFZ2aWuuJVecMsXUmPgEkrihLHdoBR37q9ZV0+N0djMenl9MU/S60EinpxLK8JQzcPqOMyT/RFtm2XNuyE9QoB6he7hY1Ck3DDUOUUi78/w0EP3SIEIwiKum1xRKtzCTrJ+VKACd+66eYWyi4uTLLT3OUEVLLUNIAytbwPF+E=';
+
+const APPLE_ROOT_CA_G3_B64 =
+  'MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNDMwMTgxOTA2WhcNMzkwNDMwMTgxOTA2WjBnMRswGQYDVQQDDBJBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABJjpLz1AcqTtkyJygRMc3RCV8cWjTnHcFBbZDuWmBSp3ZHtfTjjTuxxEtX/1H7YyYl3J6YRbTzBPEVoA/VhYDKX1DyxNB0cTddqXl5dvMVztK517IDvYuVTZXpmkOlEKMaNCMEAwHQYDVR0OBBYEFLuw3qFYM4iapIqZ3r6966/ayySrMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMQCD6cHEFl4aXTQY2e3v9GwOAEZLuN+yRhHFD/3meoyhpmvOwgPUnPWTxnS4at+qIxUCMG1mihDK1A3UT82NQz60imOlM27jbdoXt2QfyFMm+YhidDkLF1vLUagM6BgD56KyKA==';
+
+export const APPLE_ROOT_CERTS: Buffer[] = [
+  Buffer.from(APPLE_INC_ROOT_B64, 'base64'),
+  Buffer.from(APPLE_ROOT_CA_G2_B64, 'base64'),
+  Buffer.from(APPLE_ROOT_CA_G3_B64, 'base64'),
+];