payment-kit 1.28.0 → 1.29.1

package/cloudflare/shims/sequelize-d1/model.ts

@@ -312,6 +312,25 @@ export class Model {
     return this.findOne({ ...options, where: { ...(options?.where || {}), id } });
   }
 
+  /**
+   * Sequelize-compatible `findOrCreate`: find a row matching `where`, otherwise
+   * insert a new one using `defaults` merged over `where`. Returns the
+   * Sequelize tuple `[instance, wasCreated]`.
+   *
+   * D1 doesn't expose row-level locks, so this is racy at the storage layer —
+   * two concurrent calls with the same `where` can both miss and both insert.
+   * For our IAP / customer flows that's acceptable because primary-key
+   * collisions (or unique-index constraints) catch the second writer, and the
+   * IAP entry path already de-dupes by purchase token upstream. Mirrors the
+   * single-node Sequelize behavior of "not strictly atomic" under SQLite.
+   */
+  static async findOrCreate(options: { where: any; defaults?: any }): Promise<[any, boolean]> {
+    const existing = await this.findOne({ where: options.where });
+    if (existing) return [existing, false];
+    const created = await this.create({ ...(options.where || {}), ...(options.defaults || {}) });
+    return [created, true];
+  }
+
   static async findAndCountAll(options?: any): Promise<{ rows: any[]; count: number }> {
     // Batch SELECT + COUNT into a single D1 round-trip
     const { sql: selectSql, values: selectValues } = buildSelectSQL(this.tableName, options, (this as any)._attributes);

package/cloudflare/shims/sequelize-d1/operators.ts

@@ -213,10 +213,23 @@ export function buildWhereClause(where: any): { sql: string; values: any[] } {
 
   return {
     sql: conditions.length > 0 ? conditions.join(' AND ') : '',
-    values,
+    values: values.map(coerceBindValue),
   };
 }
 
+/**
+ * D1 only accepts primitive bind values (string, number, boolean, null,
+ * BigInt, ArrayBuffer). Sequelize APIs commonly pass `Date` objects in WHERE
+ * clauses (e.g. `{ updated_at: { [Op.lt]: new Date(...) } }`); coerce them to
+ * ISO strings to match how dates are stored. Without this iap-reconcile and
+ * any other time-window query throws `D1_TYPE_ERROR: Type 'object' not
+ * supported for value 'Tue Jun 02 2026 …'`.
+ */
+export function coerceBindValue(v: any): any {
+  if (v instanceof Date) return v.toISOString();
+  return v;
+}
+
 function processWhereEntry(key: string, value: any, conditions: string[], values: any[]): void {
   const fieldSQL = fieldToSQL(key);
 

package/cloudflare/tests/shims/queue-delayed-persist.spec.ts

@@ -0,0 +1,87 @@
+// Regression guard for PR #1381 review P1: on Cloudflare the queue shim only
+// writes a DELAYED job to D1 (with will_run_at, later dispatched by the cron)
+// when it is persisted. A delayed job pushed with persist:false is silently
+// dropped — which is exactly how the webhook retry ladder lost deliveries after
+// the first failure. These tests pin that invariant so callers always persist
+// delayed retries.
+
+// A single shared store mock so we can assert what the shim wrote.
+const mockStore = {
+  addJob: jest.fn().mockResolvedValue(undefined),
+  deleteJob: jest.fn().mockResolvedValue(true),
+  getJob: jest.fn(),
+  getJobs: jest.fn(),
+  getScheduledJobs: jest.fn(),
+  updateJob: jest.fn(),
+  isCancelled: jest.fn().mockResolvedValue(false),
+  findJobs: jest.fn(),
+};
+
+jest.mock('../../../api/src/store/models/job', () => ({ Job: { findAll: jest.fn() } }));
+jest.mock('../../../api/src/libs/queue/store', () => ({
+  __esModule: true,
+  default: jest.fn(() => mockStore),
+}));
+
+import createQueue, { setCFQueue, flushPendingJobs } from '../../shims/queue';
+
+const futureRunAt = () => Math.floor(Date.now() / 1000) + 600; // +10 min → delayed
+
+describe('shim queue — delayed job persistence (PR #1381 P1)', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    setCFQueue(null); // no CF Queue binding; delayed path is independent of it anyway
+  });
+
+  it('persists a delayed job to D1 (with will_run_at) when persist=true', async () => {
+    const q = createQueue({ name: 'webhook-persist-true', onJob: jest.fn() });
+    q.push({ id: 'j1', job: { v: 1 }, runAt: futureRunAt(), persist: true });
+    await flushPendingJobs();
+
+    expect(mockStore.addJob).toHaveBeenCalledTimes(1);
+    const attrs = mockStore.addJob.mock.calls[0]![2];
+    expect(attrs.will_run_at).toBeGreaterThan(Date.now());
+    expect(attrs.delay).toBeGreaterThan(0);
+  });
+
+  it('DROPS a delayed job (no D1 write) when persist=false — the lost-retry bug class', async () => {
+    const q = createQueue({ name: 'webhook-persist-false', onJob: jest.fn() });
+    q.push({ id: 'j2', job: { v: 2 }, runAt: futureRunAt(), persist: false });
+    await flushPendingJobs();
+
+    expect(mockStore.addJob).not.toHaveBeenCalled();
+  });
+});
+
+describe('shim queue — inline fallback keeps the D1 backup on failure (PR #1381 re-review P1)', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('does NOT delete the persisted row when CF Queue send fails AND the inline handler fails', async () => {
+    setCFQueue({ send: jest.fn().mockRejectedValue(new Error('429 Too Many Requests')) } as any);
+    const onJob = jest.fn().mockRejectedValue(new Error('handler boom'));
+    const q = createQueue({ name: 'webhook-fallback-fail', onJob, options: { maxRetries: 1 } });
+
+    q.push({ id: 'wj1', job: { v: 1 }, persist: true }); // immediate
+    await flushPendingJobs();
+
+    expect(mockStore.addJob).toHaveBeenCalledTimes(1); // durable backup written
+    expect(onJob).toHaveBeenCalled(); // inline attempt ran
+    expect(mockStore.deleteJob).not.toHaveBeenCalled(); // backup retained → cron can retry
+    setCFQueue(null);
+  });
+
+  it('deletes the persisted row when the inline fallback SUCCEEDS', async () => {
+    setCFQueue({ send: jest.fn().mockRejectedValue(new Error('429')) } as any);
+    const onJob = jest.fn().mockResolvedValue(undefined);
+    const q = createQueue({ name: 'webhook-fallback-ok', onJob, options: { maxRetries: 1 } });
+
+    q.push({ id: 'wj2', job: { v: 2 }, persist: true });
+    await flushPendingJobs();
+
+    expect(onJob).toHaveBeenCalled();
+    expect(mockStore.deleteJob).toHaveBeenCalledWith('wj2'); // deleted only on success
+    setCFQueue(null);
+  });
+});

package/cloudflare/worker.ts

@@ -33,6 +33,13 @@ import '../api/src/queues/refund';
 import '../api/src/queues/checkout-session';
 import '../api/src/queues/discount-status';
 import '../api/src/queues/exchange-rate-health';
+// Event + webhook queues turn createEvent rows into actual HTTP POSTs to
+// registered WebhookEndpoints. Without these, every subscription state change
+// writes an Event row with pending_webhooks=99 that no one ever consumes —
+// downstream apps (aistro etc.) silently never get notified of purchase /
+// renewal / cancel events.
+import '../api/src/queues/event';
+import '../api/src/queues/webhook';
 
 // Import security shim — initFromAuthService fetches EK from AUTH_SERVICE
 import { initFromAuthService } from './shims/blocklet-sdk/security';
@@ -267,6 +274,22 @@ function buildApp(env: Env): Hono<HonoEnv> {
       if (c.env.APP_NAME) process.env.BLOCKLET_APP_NAME = c.env.APP_NAME;
       if (c.env.PAYMENT_CHANGE_LOCKED_PRICE) process.env.PAYMENT_CHANGE_LOCKED_PRICE = c.env.PAYMENT_CHANGE_LOCKED_PRICE;
       if (c.env.SHORT_URL_DOMAIN) process.env.SHORT_URL_DOMAIN = c.env.SHORT_URL_DOMAIN;
+      // Audience for the Pub/Sub OIDC JWT that wraps Google Play RTDN webhooks.
+      // Without this mirror, libs/util.ts googlePlayEndpoint() falls back to
+      // getUrl('/api/integrations/google-play/webhook') — which resolves to
+      // the *.workers.dev origin, not the custom domain Pub/Sub actually
+      // POSTs to. Every webhook then dies with "audience mismatch".
+      if (c.env.GOOGLE_PLAY_WEBHOOK_URL) {
+        process.env.GOOGLE_PLAY_WEBHOOK_URL = c.env.GOOGLE_PLAY_WEBHOOK_URL;
+      }
+      // Pub/Sub sender binding — without mirroring these, the google_play webhook
+      // can't enforce the push service account on CF and would fail open (PR #1381 P1).
+      if (c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT) {
+        process.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT = c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
+      }
+      if (c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER) {
+        process.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER = c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER;
+      }
       process.env.BLOCKLET_MODE = 'production';
     }
 
@@ -592,6 +615,31 @@ function buildApp(env: Env): Hono<HonoEnv> {
     return c.json({ handlers: names, ...result });
   });
 
+  // Debug: pass through Google Play Developer API for an arbitrary subscription
+  // purchase token. Returns the *raw* Google response so we can see if Google
+  // itself considers the purchase valid / acknowledged / expired.
+  app.get('/api/__dev__/google-play-info', async (c) => {
+    const token = c.req.query('token');
+    const subId = c.req.query('sub') || 'pk_demo_monthly';
+    if (!token) return c.json({ error: 'token query param required' }, 400);
+    const { PaymentMethod } = await import('../api/src/store/models/payment-method');
+    const method = await PaymentMethod.findOne({
+      where: { type: 'google_play', active: true, livemode: false } as any,
+    });
+    if (!method) return c.json({ error: 'no google_play PaymentMethod' }, 503);
+    try {
+      const client = method.getGooglePlayClient();
+      const purchase = await client.getSubscription(subId, token);
+      return c.json({ ok: true, sub: subId, purchase });
+    } catch (err: any) {
+      return c.json({ ok: false, error: err?.message || String(err) }, 500);
+    }
+  });
+
+  // Bootstrap google_play PaymentMethod in staging D1 — the admin UI flow
+  // for creating PaymentMethods is owner-gated, and staging has no owner yet
+  // (Pengfei's blocklet-service role is `member`). Gated by PAYMENT_LIVEMODE
+  // === 'false' so this only ever touches testmode data.
   // === Express-to-Hono Route Adapter ===
   mountExpressRoutes(app, '/api', expressRoutes);
 
@@ -1141,7 +1189,10 @@ function createExpressReq(c: any, routeParams: Record<string, string>): any {
     body: null,
     headers,
     user: null,
-    livemode: true,
+    // Worker-wide livemode is driven by the PAYMENT_LIVEMODE env var (set on
+    // each deployment). Routes that filter PaymentMethod by livemode rely on
+    // this value matching what we stored when bootstrapping the methods.
+    livemode: c.env?.PAYMENT_LIVEMODE !== 'false',
     baseCurrency: null,
     ip: headers['cf-connecting-ip'] || headers['x-forwarded-for'] || '127.0.0.1',
     get(name: string) {
@@ -1388,18 +1439,22 @@ function mountExpressRoutes(honoApp: Hono<HonoEnv>, prefix: string, expressRoute
         });
       }
 
-      // Inject caller identity resolved by AUTH_SERVICE RPC (or mock fallback)
+      // Inject caller identity resolved by AUTH_SERVICE RPC (or mock fallback).
+      // AUTH_SERVICE returns the bare base58 address; Customer/Subscription queries
+      // and entitlement lookups expect the canonical `did:abt:…` form, so we
+      // normalize once here at the boundary instead of in every downstream call site.
       const caller: CallerIdentityDTO | null = c.get('caller');
       if (caller) {
+        const canonicalDid = caller.did?.startsWith('did:abt:') ? caller.did : `did:abt:${caller.did}`;
         req.user = {
-          did: caller.did,
+          did: canonicalDid,
           role: caller.role || 'guest',
           provider: caller.authMethod === 'access-key' ? 'access-key' : 'wallet',
           fullName: caller.displayName || '',
           walletOS: '',
           via: 'dashboard',
         };
-        req.headers['x-user-did'] = caller.did;
+        req.headers['x-user-did'] = canonicalDid;
         req.headers['x-user-role'] = `blocklet-${caller.role || 'guest'}`;
         req.headers['x-user-provider'] = caller.authMethod || 'wallet';
         req.headers['x-user-fullname'] = encodeURIComponent(caller.displayName || '');

package/cloudflare/wrangler.jsonc

@@ -65,5 +65,11 @@
   },
   "triggers": {
     "crons": ["* * * * *"]
-  }
+  },
+  // Batch crons (subscription scans, queue dispatch, retry backstops) all run in
+  // one scheduled() invocation each minute; raise the per-invocation CPU ceiling
+  // so they aren't killed mid-run ("Exceeded CPU Limit") on Workers Paid. The
+  // structural fix (offload to a Consumer Worker / Paid Queue throughput) is
+  // tracked in task-44. No effect on Workers Free (CPU limit is fixed there).
+  "limits": { "cpu_ms": 300000 }
 }

package/cloudflare/wrangler.staging.json

@@ -62,5 +62,6 @@
   },
   "triggers": {
     "crons": ["* * * * *"]
-  }
+  },
+  "limits": { "cpu_ms": 300000 }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "payment-kit",
-  "version": "1.28.0",
+  "version": "1.29.1",
   "scripts": {
     "dev": "blocklet dev --open",
     "prelint": "npm run types",
@@ -47,6 +47,7 @@
   },
   "dependencies": {
     "@abtnode/cron": "^1.17.12",
+    "@apple/app-store-server-library": "^3.1.0",
     "@arcblock/did": "^1.30.9",
     "@arcblock/did-connect-js": "4.0.0",
     "@arcblock/did-connect-react": "^3.5.2",
@@ -61,9 +62,9 @@
     "@blocklet/error": "^0.3.5",
     "@blocklet/js-sdk": "^1.17.12",
     "@blocklet/logger": "^1.17.12",
-    "@blocklet/payment-broker-client": "1.28.0",
-    "@blocklet/payment-react": "1.28.0",
-    "@blocklet/payment-vendor": "1.28.0",
+    "@blocklet/payment-broker-client": "1.29.1",
+    "@blocklet/payment-react": "1.29.1",
+    "@blocklet/payment-vendor": "1.29.1",
     "@blocklet/sdk": "^1.17.12",
     "@blocklet/ui-react": "^3.5.2",
     "@blocklet/uploader": "^0.3.20",
@@ -98,6 +99,7 @@
     "fastq": "^1.19.1",
     "flat": "^5.0.2",
     "google-libphonenumber": "^3.2.42",
+    "google-play-billing-validator": "^2.1.3",
     "html2canvas": "^1.4.1",
     "iframe-resizer-react": "^1.1.1",
     "joi": "17.12.2",
@@ -108,6 +110,7 @@
     "morgan": "^1.10.0",
     "mui-daterange-picker": "^1.0.5",
     "nanoid": "^3.3.11",
+    "node-apple-receipt-verify": "^1.15.0",
     "numbro": "^2.5.0",
     "p-all": "3.0.0",
     "p-wait-for": "^3.2.0",
@@ -137,13 +140,14 @@
   "devDependencies": {
     "@abtnode/types": "^1.17.12",
     "@arcblock/eslint-config-ts": "^0.3.3",
-    "@blocklet/payment-types": "1.28.0",
+    "@blocklet/payment-types": "1.29.1",
     "@types/cookie-parser": "^1.4.9",
     "@types/cors": "^2.8.19",
     "@types/debug": "^4.1.12",
     "@types/dotenv-flow": "^3.3.3",
     "@types/express": "^4.17.23",
     "@types/node": "^18.19.112",
+    "@types/node-apple-receipt-verify": "^1.7.5",
     "@types/react": "^18.3.23",
     "@types/react-dom": "^18.3.7",
     "@vitejs/plugin-react": "^4.6.0",
@@ -184,5 +188,5 @@
       "parser": "typescript"
     }
   },
-  "gitHead": "1486b54f913b83fb42323a89cce7503814d0685a"
+  "gitHead": "e66e469df2a1ed80e15b17fd8511c2ce01a0a54e"
 }

package/scripts/seed-google-play.ts

@@ -0,0 +1,79 @@
+#!/usr/bin/env tsx
+/* eslint-disable no-console */
+//
+// Seed a `google_play` PaymentMethod from a service account JSON file.
+//
+// Usage:
+//   GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH=/path/to/sa.json \
+//   GOOGLE_PLAY_PACKAGE_NAME=io.arcblock.aistro \
+//   tsx scripts/seed-google-play.ts
+//
+// Optional:
+//   PAYMENT_METHOD_ID            existing id to update; otherwise a new one is created
+//   PAYMENT_METHOD_LIVEMODE      "true" (default) | "false"
+//
+// The JSON contents are stored encrypted via PaymentMethod.encryptSettings.
+
+import 'dotenv-flow/config';
+import { readFileSync } from 'fs';
+
+import { PaymentMethod } from '../api/src/store/models';
+import { sequelize } from '../api/src/store/sequelize';
+import migrate from '../api/src/store/migrate';
+import { initialize } from '../api/src/store/models';
+
+async function main(): Promise<void> {
+  const jsonPath = process.env.GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH;
+  const packageName = process.env.GOOGLE_PLAY_PACKAGE_NAME;
+  if (!jsonPath || !packageName) {
+    console.error('Missing GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH or GOOGLE_PLAY_PACKAGE_NAME');
+    process.exit(1);
+  }
+  const livemode = process.env.PAYMENT_METHOD_LIVEMODE !== 'false';
+  const existingId = process.env.PAYMENT_METHOD_ID;
+
+  const raw = readFileSync(jsonPath, 'utf8');
+  // Validate JSON shape early
+  const parsed = JSON.parse(raw);
+  if (!parsed.client_email || !parsed.private_key) {
+    throw new Error('service account JSON missing client_email or private_key');
+  }
+
+  initialize(sequelize);
+  await migrate();
+
+  const settings = PaymentMethod.encryptSettings({
+    google_play: {
+      package_name: packageName,
+      service_account_json: raw,
+      pubsub_topic_name: '',
+    },
+  });
+
+  if (existingId) {
+    const method = await PaymentMethod.findByPk(existingId);
+    if (!method) throw new Error(`PaymentMethod ${existingId} not found`);
+    await method.update({ settings, active: true, livemode });
+    console.log('updated PaymentMethod', method.id);
+  } else {
+    const method = await PaymentMethod.create({
+      type: 'google_play',
+      name: `Google Play (${packageName})`,
+      description: 'In-App Billing via Google Play Console',
+      logo: '',
+      active: true,
+      livemode,
+      confirmation: { type: 'callback' },
+      settings,
+      features: { recurring: true, refund: true, dispute: false },
+    } as any);
+    console.log('created PaymentMethod', method.id, `client_email=${parsed.client_email}`);
+  }
+
+  await sequelize.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/src/components/payment-method/app-store.tsx

@@ -0,0 +1,103 @@
+import { useLocaleContext } from '@arcblock/ux/lib/Locale/context';
+import { FormInput } from '@blocklet/payment-react';
+import { Stack, ToggleButton, ToggleButtonGroup, Typography } from '@mui/material';
+import { Controller, useFormContext } from 'react-hook-form';
+
+export default function AppStoreMethodForm({ checkDisabled }: { checkDisabled: (key: string) => boolean }) {
+  const { t } = useLocaleContext();
+  const { control } = useFormContext();
+
+  return (
+    <>
+      <FormInput
+        name="name"
+        type="text"
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.name.label')}
+        placeholder={t('admin.paymentMethod.name.tip')}
+        disabled={checkDisabled('name')}
+        inputProps={{ maxLength: 32 }}
+      />
+      <FormInput
+        name="description"
+        type="text"
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.description.label')}
+        placeholder={t('admin.paymentMethod.description.tip')}
+        inputProps={{ maxLength: 255 }}
+      />
+      <FormInput
+        name="settings.app_store.bundle_id"
+        type="text"
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.app_store.bundle_id.label')}
+        placeholder={t('admin.paymentMethod.app_store.bundle_id.tip')}
+        disabled={checkDisabled('settings.app_store.bundle_id')}
+      />
+
+      <Stack spacing={0.5}>
+        <Typography variant="body2">{t('admin.paymentMethod.app_store.environment.label')}</Typography>
+        <Controller
+          name="settings.app_store.environment"
+          control={control}
+          rules={{ required: true }}
+          render={({ field }) => (
+            <ToggleButtonGroup
+              {...field}
+              exclusive
+              disabled={checkDisabled('settings.app_store.environment')}
+              onChange={(_, value: string | null) => {
+                if (value !== null) field.onChange(value);
+              }}>
+              <ToggleButton value="production">
+                {t('admin.paymentMethod.app_store.environment.production')}
+              </ToggleButton>
+              <ToggleButton value="sandbox">{t('admin.paymentMethod.app_store.environment.sandbox')}</ToggleButton>
+            </ToggleButtonGroup>
+          )}
+        />
+        <Typography variant="caption" color="text.secondary">
+          {t('admin.paymentMethod.app_store.environment.tip')}
+        </Typography>
+      </Stack>
+
+      <FormInput
+        name="settings.app_store.shared_secret"
+        type="password"
+        label={t('admin.paymentMethod.app_store.shared_secret.label')}
+        placeholder={t('admin.paymentMethod.app_store.shared_secret.tip')}
+        disabled={checkDisabled('settings.app_store.shared_secret')}
+      />
+
+      <Typography variant="subtitle2" sx={{ mt: 2 }}>
+        {t('admin.paymentMethod.app_store.serverApi.heading')}
+      </Typography>
+      <Typography variant="caption" color="text.secondary" sx={{ mt: -1, display: 'block' }}>
+        {t('admin.paymentMethod.app_store.serverApi.tip')}
+      </Typography>
+      <FormInput
+        name="settings.app_store.issuer_id"
+        type="text"
+        label={t('admin.paymentMethod.app_store.issuer_id.label')}
+        placeholder={t('admin.paymentMethod.app_store.issuer_id.tip')}
+        disabled={checkDisabled('settings.app_store.issuer_id')}
+      />
+      <FormInput
+        name="settings.app_store.key_id"
+        type="text"
+        label={t('admin.paymentMethod.app_store.key_id.label')}
+        placeholder={t('admin.paymentMethod.app_store.key_id.tip')}
+        disabled={checkDisabled('settings.app_store.key_id')}
+      />
+      <FormInput
+        name="settings.app_store.private_key_pem"
+        type="text"
+        multiline
+        rows={5}
+        label={t('admin.paymentMethod.app_store.private_key_pem.label')}
+        placeholder={t('admin.paymentMethod.app_store.private_key_pem.tip')}
+        disabled={checkDisabled('settings.app_store.private_key_pem')}
+      />
+    </>
+  );
+}

package/src/components/payment-method/form.tsx

@@ -3,11 +3,13 @@ import { Stack, ToggleButton, ToggleButtonGroup, Typography } from '@mui/materia
 import { styled } from '@mui/system';
 import { Controller, useFormContext, useWatch } from 'react-hook-form';
 
+import AppStoreMethodForm from './app-store';
 import ArcBlockMethodForm from './arcblock';
+import BaseMethodForm from './base';
 import BitcoinMethodForm from './bitcoin';
 import EthereumMethodForm from './ethereum';
+import GooglePlayMethodForm from './google-play';
 import StripeMethodForm from './stripe';
-import BaseMethodForm from './base';
 
 export default function PaymentMethodForm({
   action = 'create',
@@ -47,6 +49,8 @@ export default function PaymentMethodForm({
             <ToggleButton value="stripe">Stripe</ToggleButton>
             <ToggleButton value="ethereum">Ethereum</ToggleButton>
             <ToggleButton value="base">Base</ToggleButton>
+            <ToggleButton value="google_play">Google Play</ToggleButton>
+            <ToggleButton value="app_store">App Store</ToggleButton>
             <ToggleButton value="bitcoin" disabled>
               Bitcoin
             </ToggleButton>
@@ -60,6 +64,8 @@ export default function PaymentMethodForm({
       {type === 'arcblock' && <ArcBlockMethodForm checkDisabled={checkDisabled} />}
       {type === 'ethereum' && <EthereumMethodForm checkDisabled={checkDisabled} />}
       {type === 'base' && <BaseMethodForm checkDisabled={checkDisabled} />}
+      {type === 'google_play' && <GooglePlayMethodForm checkDisabled={checkDisabled} />}
+      {type === 'app_store' && <AppStoreMethodForm checkDisabled={checkDisabled} />}
       {type === 'bitcoin' && <BitcoinMethodForm checkDisabled={checkDisabled} />}
     </Root>
   );

package/src/components/payment-method/google-play.tsx

@@ -0,0 +1,85 @@
+import { useLocaleContext } from '@arcblock/ux/lib/Locale/context';
+import { FormInput } from '@blocklet/payment-react';
+import { useFormContext, useWatch } from 'react-hook-form';
+import { Alert, Typography } from '@mui/material';
+
+export default function GooglePlayMethodForm({ checkDisabled }: { checkDisabled: (key: string) => boolean }) {
+  const { t } = useLocaleContext();
+  const { control } = useFormContext();
+  const serviceAccountJson = useWatch({ control, name: 'settings.google_play.service_account_json' }) as
+    | string
+    | undefined;
+
+  // Quick client-side JSON sanity check — the server re-validates and decrypts.
+  let parseError: string | null = null;
+  let clientEmail: string | null = null;
+  if (serviceAccountJson) {
+    try {
+      const parsed = JSON.parse(serviceAccountJson);
+      if (!parsed.client_email || !parsed.private_key) {
+        parseError = t('admin.paymentMethod.google_play.service_account_json.missingFields');
+      } else {
+        clientEmail = parsed.client_email;
+      }
+    } catch {
+      parseError = t('admin.paymentMethod.google_play.service_account_json.invalidJson');
+    }
+  }
+
+  return (
+    <>
+      <FormInput
+        name="name"
+        type="text"
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.name.label')}
+        placeholder={t('admin.paymentMethod.name.tip')}
+        disabled={checkDisabled('name')}
+        inputProps={{ maxLength: 32 }}
+      />
+      <FormInput
+        name="description"
+        type="text"
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.description.label')}
+        placeholder={t('admin.paymentMethod.description.tip')}
+        inputProps={{ maxLength: 255 }}
+      />
+      <FormInput
+        name="settings.google_play.package_name"
+        type="text"
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.google_play.package_name.label')}
+        placeholder={t('admin.paymentMethod.google_play.package_name.tip')}
+        disabled={checkDisabled('settings.google_play.package_name')}
+      />
+      <FormInput
+        name="settings.google_play.service_account_json"
+        type="text"
+        multiline
+        rows={6}
+        rules={{ required: true }}
+        label={t('admin.paymentMethod.google_play.service_account_json.label')}
+        placeholder={t('admin.paymentMethod.google_play.service_account_json.tip')}
+        disabled={checkDisabled('settings.google_play.service_account_json')}
+      />
+      {parseError && (
+        <Alert severity="error" sx={{ mt: -1 }}>
+          {parseError}
+        </Alert>
+      )}
+      {clientEmail && (
+        <Typography variant="caption" color="text.secondary" sx={{ mt: -1, display: 'block' }}>
+          {t('admin.paymentMethod.google_play.service_account_json.detectedClient')}: {clientEmail}
+        </Typography>
+      )}
+      <FormInput
+        name="settings.google_play.pubsub_topic_name"
+        type="text"
+        label={t('admin.paymentMethod.google_play.pubsub_topic_name.label')}
+        placeholder={t('admin.paymentMethod.google_play.pubsub_topic_name.tip')}
+        disabled={checkDisabled('settings.google_play.pubsub_topic_name')}
+      />
+    </>
+  );
+}

package/src/components/subscription/list.tsx

@@ -152,6 +152,26 @@ export default function SubscriptionList({
         },
       },
     },
+    {
+      label: t('admin.subscription.channel'),
+      name: 'channel',
+      options: {
+        filter: true,
+        customBodyRenderLite: (_: string, index: number) => {
+          const item = data.list[index] as TSubscriptionExpanded;
+          const channel = (item as any).channel || (item as any).paymentMethod?.type;
+          if (!channel) return null;
+          let color: 'primary' | 'secondary' | 'default' = 'default';
+          if (channel === 'google_play' || channel === 'app_store') color = 'primary';
+          else if (channel === 'stripe') color = 'secondary';
+          return (
+            <Link to={`/admin/billing/${item.id}`}>
+              <Status label={channel} color={color as any} />
+            </Link>
+          );
+        },
+      },
+    },
     {
       label: t('common.createdAt'),
       name: 'created_at',