payment-kit 1.29.1 → 1.29.2

package/api/src/integrations/app-store/signed-data-verifier.ts

@@ -26,6 +26,7 @@ import type {
 } from '@apple/app-store-server-library';
 
 import logger from '../../libs/logger';
+import { appStoreSkipSignatureVerify, isProduction } from '../../libs/env';
 import { APPLE_ROOT_CERTS } from './apple-root-certs';
 
 const verifierCache = new Map<string, SignedDataVerifier>();
@@ -46,13 +47,13 @@ async function getVerifier(bundleId: string, environment: 'production' | 'sandbo
 }
 
 export function isSignatureVerificationSkipped(): boolean {
-  if (process.env.APP_STORE_SKIP_SIGNATURE_VERIFY !== 'true') return false;
+  if (!appStoreSkipSignatureVerify()) return false;
   // Production fail-closed: even when the bypass flag is set we refuse to
   // honor it in production, and log loudly so the misconfiguration is
   // visible. The flag exists for unit tests / local sandbox debugging where
   // the synthetic JWS isn't signed by Apple; in production it would silently
   // downgrade a critical trust boundary to decode-only (CWE-347).
-  if (process.env.BLOCKLET_MODE === 'production') {
+  if (isProduction()) {
     logger.error(
       'app_store: APP_STORE_SKIP_SIGNATURE_VERIFY=true ignored in production — JWS signature verification stays enabled'
     );

package/api/src/integrations/arcblock/token.ts

@@ -5,16 +5,30 @@ import { BN, fromTokenToUnit, fromUnitToToken, toBN, toBase58, toBase64 } from '
 import { types } from '@ocap/mcrypto';
 import { verify as verifyVC } from '@arcblock/vc';
 import { BlockletService } from '@blocklet/sdk/service/blocklet';
+import env, { blockletAppHost } from '../../libs/env';
 
 import { PaymentMethod } from '../../store/models';
 import type { TPaymentCurrency } from '../../store/models';
 import { wallet } from '../../libs/auth';
 import logger from '../../libs/logger';
-import env from '../../libs/env';
 import { sleep } from '../../libs/util';
 import { getGasPayerExtra } from '../../libs/payment';
 
-const blockletService = new BlockletService();
+// Lazy singleton: `new BlockletService()` runs `checkBlockletEnvironment()`,
+// which throws unless BLOCKLET_APP_ID/DID/EK/ABT_NODE_* are present. Those env
+// vars only exist inside a blocklet runtime — when payment-core is embedded in
+// a host like arc, constructing this at module-init crashes the whole graph on
+// import. Defer to first use so the import is environment-agnostic; the routing
+// -rule feature (the only consumer) simply requires the host to supply that env
+// when it is actually exercised.
+// eslint-disable-next-line @typescript-eslint/naming-convention -- intentional _-prefixed module singleton
+let _blockletService: InstanceType<typeof BlockletService> | undefined;
+function getBlockletService(): InstanceType<typeof BlockletService> {
+  if (!_blockletService) {
+    _blockletService = new BlockletService();
+  }
+  return _blockletService;
+}
 
 export function isOnchainCredit(paymentCurrency: TPaymentCurrency) {
   return paymentCurrency.type === 'credit' && !!paymentCurrency.token_config;
@@ -154,7 +168,7 @@ async function createTokenVC(data: { tokenAddress: string; symbol: string; websi
  * Step 2: Publish VC (Verifiable Credential) for token via routing rule
  */
 async function publishTokenVC(vc: any) {
-  const { blocklet: blockletInfo } = await blockletService.getBlocklet();
+  const { blocklet: blockletInfo } = await getBlockletService().getBlocklet();
   const site = blockletInfo?.site;
 
   if (!site?.id) {
@@ -226,7 +240,7 @@ async function publishTokenVC(vc: any) {
   try {
     let result;
     if (isUpdate) {
-      result = await blockletService.updateRoutingRule({
+      result = await getBlockletService().updateRoutingRule({
         id: site.id,
         rule: {
           id: existingRule.id,
@@ -234,7 +248,7 @@ async function publishTokenVC(vc: any) {
         },
       });
     } else {
-      result = await blockletService.addRoutingRule({
+      result = await getBlockletService().addRoutingRule({
         id: site.id,
         rule,
       });
@@ -279,7 +293,7 @@ export async function createToken(data: { name: string; symbol: string; decimal?
         name: data.name,
         symbol: data.symbol,
         description: `Token created by ${env.appName || 'Payment Kit'}`,
-        website: env.appUrl || process.env.BLOCKLET_APP_HOST,
+        website: env.appUrl || blockletAppHost(),
         icon: '',
         maxTotalSupply: null,
         decimal: data.decimal ?? 10,
@@ -307,7 +321,7 @@ export async function createToken(data: { name: string; symbol: string; decimal?
     const vc = await createTokenVC({
       tokenAddress: factoryItx.token.address,
       symbol: data.symbol,
-      website: env.appUrl || process.env.BLOCKLET_APP_HOST!,
+      website: env.appUrl || blockletAppHost()!,
       chainId,
     });
 

package/api/src/integrations/google-play/handlers/subscription.ts

@@ -7,7 +7,7 @@
 
 import { Op } from 'sequelize';
 
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import logger from '../../../libs/logger';
 import { Customer, PaymentMethod, Price, Subscription, SubscriptionItem } from '../../../store/models';
 import { GooglePlayClient, GooglePlaySubscriptionPurchase } from '../client';
@@ -268,12 +268,12 @@ async function handleRenewedOrDeferred({
       },
     },
   });
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
 }
 
 async function handleResumed(subscription: Subscription): Promise<void> {
   await subscription.update({ status: 'active' });
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
 }
 
 async function markPastDue(subscription: Subscription): Promise<void> {
@@ -293,7 +293,7 @@ async function scheduleCancelAtPeriodEnd(subscription: Subscription): Promise<vo
 async function markExpired(subscription: Subscription): Promise<void> {
   if (['canceled', 'incomplete_expired'].includes(subscription.status as string)) return;
   await subscription.update({ status: 'canceled', canceled_at: Math.floor(Date.now() / 1000) });
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }
 
 /**
@@ -526,7 +526,7 @@ export async function ingestVerifiedGooglePlayPurchase({
     return { subscription: winner, isFirstSubscribe: false, purchase };
   }
 
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   logger.info('google_play verify: subscription created', {
     subscriptionId: subscription.id,
     customerId: customer.id,
@@ -561,5 +561,5 @@ async function handleRevoked(subscription: Subscription): Promise<void> {
     subscriptionId: subscription.id,
   });
 
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }

package/api/src/integrations/google-play/handlers/voided.ts

@@ -11,7 +11,7 @@
 //     refundType:  1 = FULL,     2 = QUANTITY_BASED
 //   }
 
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import logger from '../../../libs/logger';
 import { Subscription } from '../../../store/models';
 
@@ -91,7 +91,7 @@ export async function handleGooglePlayVoidedPurchase({
         google_play_voided_refund_type: refundType,
       },
     });
-    createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
   }
 
   // TODO: create a Refund row for audit. Blocked on payment_intent_id schema —

package/api/src/integrations/google-play/verify.ts

@@ -9,6 +9,7 @@
 // Cloudflare Workers（payment-kit 是统一代码）。
 
 import logger from '../../libs/logger';
+import { googlePubsubSkipSignatureVerify, isProduction } from '../../libs/env';
 
 export type PubSubJwtClaims = {
   iss: string;
@@ -80,7 +81,7 @@ export type VerifyOptions = {
 };
 
 function defaultSkipSignature(): boolean {
-  return process.env.GOOGLE_PUBSUB_SKIP_SIGNATURE_VERIFY === 'true';
+  return googlePubsubSkipSignatureVerify();
 }
 
 /**
@@ -93,7 +94,7 @@ function defaultSkipSignature(): boolean {
  */
 function effectiveSkipSignature(requested: boolean): boolean {
   if (!requested) return false;
-  if (process.env.BLOCKLET_MODE === 'production') {
+  if (isProduction()) {
     logger.error(
       'google_play: signature verification skip refused in production — Pub/Sub JWT signature verification stays enabled'
     );

package/api/src/integrations/iap-reconcile.ts

@@ -20,6 +20,7 @@
 // every 5 minutes by default; tuneable via `IAP_RECONCILE_CRON_TIME`.
 
 import { Op } from 'sequelize';
+import { iapReconcileBatchSize } from '../libs/env';
 
 import { createEvent } from '../libs/audit';
 import logger from '../libs/logger';
@@ -30,9 +31,6 @@ import { GooglePlayClient, GooglePlaySubscriptionPurchase } from './google-play/
 /** Don't re-check subs that were updated by a webhook within the last 5 minutes. */
 const RECENT_UPDATE_GUARD_MS = 5 * 60 * 1000;
 
-/** Per-channel batch cap so a single cron tick can't stall on Apple/Google rate limits. */
-const DEFAULT_BATCH_SIZE = Number(process.env.IAP_RECONCILE_BATCH_SIZE ?? '100');
-
 type ReconcileStats = { checked: number; updated: number; errors: number };
 
 const emptyStats = (): ReconcileStats => ({ checked: 0, updated: 0, errors: 0 });
@@ -149,7 +147,7 @@ async function backfillMissingSubscriptionItems(): Promise<void> {
 // App Store
 // ---------------------------------------------------------------------------
 
-export async function reconcileAppStore(batchSize = DEFAULT_BATCH_SIZE): Promise<ReconcileStats> {
+export async function reconcileAppStore(batchSize = iapReconcileBatchSize()): Promise<ReconcileStats> {
   const stats = emptyStats();
   const methods = await PaymentMethod.findAll({ where: { type: 'app_store' } });
   if (methods.length === 0) return stats;
@@ -293,7 +291,7 @@ export async function applyAppStoreTransactionDrift(
 // Google Play
 // ---------------------------------------------------------------------------
 
-export async function reconcileGooglePlay(batchSize = DEFAULT_BATCH_SIZE): Promise<ReconcileStats> {
+export async function reconcileGooglePlay(batchSize = iapReconcileBatchSize()): Promise<ReconcileStats> {
   const stats = emptyStats();
   const methods = await PaymentMethod.findAll({ where: { type: 'google_play' } });
   if (methods.length === 0) return stats;

package/api/src/integrations/stripe/handlers/invoice.ts

@@ -6,7 +6,7 @@ import type Stripe from 'stripe';
 
 import type { WhereOptions } from 'sequelize';
 import { checkUsageReportEmpty } from '../../../libs/subscription';
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import { getLock } from '../../../libs/lock';
 import logger from '../../../libs/logger';
 import {
@@ -361,7 +361,7 @@ export async function handleStripeInvoiceCreated(event: TEventExpanded, client:
       createEvent('Subscription', 'usage.report.empty', subscription, {
         usageReportStart,
         usageReportEnd,
-      }).catch(console.error);
+      }).catch(reportAuditFailure);
       logger.info('create usage report empty event', {
         subscriptionId: subscription.id,
         usageReportStart,

package/api/src/integrations/stripe/handlers/subscription.ts

@@ -12,7 +12,7 @@ import {
 } from '../../../libs/subscription';
 import { CheckoutSession, PaymentMethod, Subscription, TEventExpanded } from '../../../store/models';
 import { getCheckoutSessionSubscriptionIds } from '../../../libs/session';
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 
 export async function handleStripeSubscriptionSucceed(subscription: Subscription, status: string) {
   if (!subscription.payment_details?.stripe?.subscription_id) {
@@ -51,9 +51,9 @@ export async function handleStripeSubscriptionSucceed(subscription: Subscription
 
   await subscription.update({ status });
   if (subscription.trial_end && subscription.trial_end > Date.now() / 1000 && subscription.status === 'trialing') {
-    createEvent('Subscription', 'customer.subscription.trial_start', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.trial_start', subscription).catch(reportAuditFailure);
   } else if (subscription.status === 'active') {
-    createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   }
   logger.info('subscription become active on stripe event', { id: subscription.id, status: subscription.status });
 

package/api/src/libs/archive/query.ts

@@ -5,9 +5,14 @@ import path from 'path';
 import { QueryTypes, Op } from 'sequelize';
 
 import logger from '../logger';
+import { getInstanceDid } from '../context';
+import { getTenantMode } from '../tenant';
+import { TENANT_TABLES } from '../../store/tenant-tables';
 import { ArchiveMetadata } from '../../store/models/archive-metadata';
 import { listArchiveFiles, openArchiveSequelize } from './store';
 
+const TENANT_TABLE_SET: ReadonlySet<string> = new Set(TENANT_TABLES);
+
 type ArchiveQueryParams = {
   table: string;
   id?: string;
@@ -52,6 +57,20 @@ function buildWhereClause(params: ArchiveQueryParams) {
     replacements.customerId = params.customer_id;
   }
 
+  // 洞 G (Phase 4): archived rows are snapshots of tenant tables — scope the
+  // read by instance_did so an admin can't query another tenant's archive.
+  // multi mode is strict (fail-closed); single mode also accepts legacy
+  // pre-backfill snapshots (instance_did NULL), which all belong to the one
+  // deployment tenant (mirrors the resolveRowTenant single-mode default).
+  if (TENANT_TABLE_SET.has(params.table)) {
+    replacements.instance_did = getInstanceDid();
+    if (getTenantMode() === 'single') {
+      conditions.push('(instance_did = :instance_did OR instance_did IS NULL)');
+    } else {
+      conditions.push('instance_did = :instance_did');
+    }
+  }
+
   return { clause: conditions.join(' AND '), replacements };
 }
 

package/api/src/libs/audit.ts

@@ -5,9 +5,58 @@ import type { EventType } from '../store/models';
 import { Event } from '../store/models/event';
 import { events } from './event';
 import { context } from './context';
+import logger from './logger';
+import { TENANT_CONTEXT_MISSING, TENANT_MISMATCH, TenantError } from './tenant';
 
 const API_VERSION = '2023-09-05';
 
+/**
+ * Phase 4 (W1-3): tenant of an event, fail-closed.
+ * Order: model.instance_did, then TenantContext. Both missing or mutually
+ * contradictory -> reject. The rejection only kills the EVENT (the business
+ * transaction that triggered the hook is never blocked — see
+ * reportAuditFailure and the fire-and-forget catch sites in store/models).
+ */
+function resolveEventTenant(model?: { instance_did?: string | null } | null): string {
+  const fromModel = model?.instance_did || undefined;
+  // the EXPLICIT context tenant (withTenant), not the single-mode default
+  // fill — otherwise every model row of a non-default tenant would falsely
+  // conflict with the deployment app DID in single mode
+  const explicitContext = context.getContext().instanceDid || undefined;
+  if (fromModel && explicitContext && fromModel !== explicitContext) {
+    throw new TenantError(
+      TENANT_MISMATCH,
+      `event tenant conflict: model carries ${fromModel} but context is ${explicitContext}`
+    );
+  }
+  const tenant = fromModel || explicitContext;
+  if (tenant) return tenant;
+  // neither source explicit: single mode falls back to the app DID,
+  // multi mode fails closed
+  return context.getInstanceDid();
+}
+
+/**
+ * Create an event row under its resolved tenant. The event belongs to the
+ * model's tenant, which may differ from the ambient context (e.g. a system /
+ * cross-tenant path acting on another tenant's row). Now that Event extends
+ * TenantModel, the create must run under that tenant so stampTenant stamps the
+ * matching instance_did instead of rejecting the explicit one as a conflict.
+ */
+function createEventUnderTenant(instanceDid: string, values: any): Promise<any> {
+  return context.withTenant(instanceDid, () => Event.create(values));
+}
+
+/**
+ * Structured fire-and-forget alert for failed event creation. Tenant
+ * rejections keep their dedicated codes so monitoring/tests can assert them;
+ * everything else is EVENT_CREATE_FAILED. Mode-independent and never throws.
+ */
+export function reportAuditFailure(err: any): void {
+  const code = err?.code === TENANT_MISMATCH || err?.code === TENANT_CONTEXT_MISSING ? err.code : 'EVENT_CREATE_FAILED';
+  logger.error('[audit] event creation failed', { code, message: err?.message || String(err) });
+}
+
 /**
  * Invoke every registered listener for `eventName` and await any Promise
  * results. EventEmitter.emit() returns sync — listener async work would
@@ -58,6 +107,7 @@ export function createEvent(
 }
 
 async function doCreateEvent(scope: string, type: LiteralUnion<EventType, string>, model: any, options: any = {}) {
+  const instanceDid = resolveEventTenant(model);
   const data: any = {
     object: model.dataValues,
   };
@@ -65,8 +115,9 @@ async function doCreateEvent(scope: string, type: LiteralUnion<EventType, string
     data.previous_attributes = pick(model._previousDataValues, options.fields);
   }
 
-  const event = await Event.create({
+  const event = await createEventUnderTenant(instanceDid, {
     type,
+    instance_did: instanceDid,
     api_version: API_VERSION,
     livemode: !!model.livemode,
     object_id: model.id,
@@ -113,8 +164,10 @@ export async function createStatusEvent(
   }
 
   const suffix = config[data.object.status];
-  const event = await Event.create({
+  const instanceDid = resolveEventTenant(model);
+  const event = await createEventUnderTenant(instanceDid, {
     type: [prefix, suffix].join('.'),
+    instance_did: instanceDid,
     api_version: API_VERSION,
     livemode: !!model.livemode,
     object_id: model.id,
@@ -150,8 +203,10 @@ export async function createCustomEvent(
     return;
   }
 
-  const event = await Event.create({
+  const instanceDid = resolveEventTenant(model);
+  const event = await createEventUnderTenant(instanceDid, {
     type: [prefix, suffix].join('.'),
+    instance_did: instanceDid,
     api_version: API_VERSION,
     livemode: !!model.livemode,
     object_id: model.id,
@@ -185,9 +240,11 @@ export async function createFlexibleEvent(
   } = {}
 ) {
   const { livemode = false, requestedBy, metadata = {} } = options;
+  const instanceDid = resolveEventTenant(null);
 
-  const event = await Event.create({
+  const event = await createEventUnderTenant(instanceDid, {
     type,
+    instance_did: instanceDid,
     api_version: API_VERSION,
     livemode,
     object_id: objectId,

package/api/src/libs/auth.ts

@@ -1,18 +1,51 @@
 import path from 'path';
 
-import AuthStorage from '@arcblock/did-connect-storage-nedb';
-// @ts-ignore
-import { BlockletService } from '@blocklet/sdk/service/auth';
-import { getWallet, getAccessWallet } from '@blocklet/sdk/lib/wallet';
-import { WalletAuthenticator } from '@blocklet/sdk/lib/wallet-authenticator';
-import { WalletHandlers } from '@blocklet/sdk/lib/wallet-handler';
-import type { Request } from 'express';
 import type { LiteralUnion } from 'type-fest';
 import type { WalletObject } from '@ocap/wallet';
+import env, { blockletAppId } from './env';
 
-import env from './env';
 import logger from './logger';
 
+// Phase 13b: every blocklet-runtime binding below is constructed LAZILY, on first
+// property access, instead of at module import. Importing this module — and the
+// modules that transitively pull it in (libs/util, libs/payment, the models) —
+// therefore runs NO blocklet side effects, so createEmbeddedPaymentService +
+// rpc.entitlements.check work in a bare host with only the explicit config/db/
+// tenancy slots: no BLOCKLET_APP_SK/PK, no BLOCKLET_DATA_DIR, no ABT_NODE_*, no
+// notification patch. The node/full-handler and background-lifecycle paths still
+// materialize the real bindings on first use — transparently, through the proxies —
+// so every existing consumer (`wallet`, `ethWallet`, `blocklet`, `handlers`,
+// `authenticator`) keeps working unchanged.
+
+/** Transparent lazy proxy: defer factory() until the first property access. */
+function lazyProxy<T extends object>(factory: () => T): T {
+  let instance: T | undefined;
+  const resolve = (): T => {
+    instance ??= factory();
+    return instance;
+  };
+  return new Proxy({} as T, {
+    get(_t, prop) {
+      const obj = resolve();
+      const value: any = (obj as any)[prop];
+      if (typeof value !== 'function') return value;
+      // Don't re-bind jest mock functions: binding returns a plain wrapper that
+      // strips jest's mock helpers (.mockImplementation / .mockResolvedValue),
+      // which would make `jest.spyOn(blocklet, 'method')` unusable. Mocks ignore
+      // `this`, so leaving them unbound is safe. No-op in production (no mocks).
+      if (value._isMockFunction) return value;
+      return value.bind(obj);
+    },
+    set(_t, prop, value) {
+      (resolve() as any)[prop] = value;
+      return true;
+    },
+    has(_t, prop) {
+      return prop in (resolve() as any);
+    },
+  });
+}
+
 // Workaround #2: @blocklet/sdk's notification.getSender() uses
 // `getWallet().address` (BLOCKLET_APP_SK derived) as the sender appDid for
 // relay/EventBus broadcasts. On migrated blocklets that address (e.g. zNKti3…)
@@ -28,25 +61,38 @@ import logger from './logger';
 // Path must be `@blocklet/sdk/service/notification` (no `lib/`) — in Node it
 // is a thin re-export that resolves via the module cache to the same object
 // as `@blocklet/sdk/lib/service/notification`; in CF Workers the esbuild
-// config aliases it to a no-op shim (patching a no-op is harmless). Using
-// the `lib/` path breaks the CF build because it does not have an alias
-// and falls through to `@blocklet/sdk` → `shims/blocklet-sdk/index.ts/lib/...`.
-// Same root cause as the WalletAuthenticator override below — remove once the
-// upstream sdk is patched.
-// eslint-disable-next-line @typescript-eslint/no-var-requires, global-require, import/no-extraneous-dependencies
-const notificationExports = require('@blocklet/sdk/service/notification');
+// config aliases it to a no-op shim (patching a no-op is harmless).
+//
+// Phase 13b: applied LAZILY (once) the first time a blocklet binding is
+// materialized, instead of at module import — so a bare host that never touches a
+// binding never requires the wallet/notification modules. The override closure
+// still reads getWallet()/getAccessWallet() at send time, exactly as before.
+let notificationPatched = false;
+function ensureNotificationPatch(): void {
+  if (notificationPatched) return;
+  notificationPatched = true;
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const { getWallet, getAccessWallet } = require('@blocklet/sdk/lib/wallet');
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const notificationExports = require('@blocklet/sdk/service/notification');
+  notificationExports.getSender = () => ({
+    appDid: blockletAppId() || getWallet(undefined, '', 'sk').address,
+    wallet: getAccessWallet(),
+  });
+  // Note: do NOT invoke getSender() here — that would force a wallet read at patch
+  // time. Log only the expected appId (config-derived, env-free).
+  logger.info('[sdk-patch] notification.getSender overridden', { expectedAppId: blockletAppId() });
+}
 
-notificationExports.getSender = () => ({
-  appDid: process.env.BLOCKLET_APP_ID || getWallet(undefined, '', 'sk').address,
-  wallet: getAccessWallet(),
-});
-logger.info('[sdk-patch] notification.getSender overridden', {
-  appDid: notificationExports.getSender().appDid,
-  expectedAppId: process.env.BLOCKLET_APP_ID,
-});
+function makeWallet(...args: any[]): WalletObject {
+  ensureNotificationPatch();
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const { getWallet } = require('@blocklet/sdk/lib/wallet');
+  return getWallet(...args);
+}
 
-export const wallet: WalletObject = getWallet();
-export const ethWallet: WalletObject = getWallet('ethereum');
+export const wallet: WalletObject = lazyProxy(() => makeWallet());
+export const ethWallet: WalletObject = lazyProxy(() => makeWallet('ethereum'));
 
 // Workaround for migrated blocklets where `BLOCKLET_APP_SK` is a rotating session
 // key whose derived address ≠ appId. Upstream @blocklet/sdk's WalletAuthenticator
@@ -58,21 +104,34 @@ export const ethWallet: WalletObject = getWallet('ethereum');
 //
 // Force the authenticator to derive its signing wallet from BLOCKLET_APP_PK
 // (permanent app pk → address = appId), aligning with the fix in
-// @blocklet/sdk PR #12810 that already corrected getDelegatee. Remove once the
-// upstream wallet-authenticator.ts is patched accordingly.
-export const authenticator = new WalletAuthenticator({
-  wallet: getWallet(undefined, '', 'sk'),
+// @blocklet/sdk PR #12810 that already corrected getDelegatee.
+export const authenticator: any = lazyProxy(() => {
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const { WalletAuthenticator } = require('@blocklet/sdk/lib/wallet-authenticator');
+  return new WalletAuthenticator({ wallet: makeWallet(undefined, '', 'sk') });
 });
-export const handlers = new WalletHandlers({
-  authenticator,
-  tokenStorage: new AuthStorage({
-    dbPath: path.join(env.dataDir, 'auth.db'),
-    // @ts-ignore
-    onload: console.warn,
-  }),
+
+export const handlers: any = lazyProxy(() => {
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const AuthStorage = require('@arcblock/did-connect-storage-nedb');
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const { WalletHandlers } = require('@blocklet/sdk/lib/wallet-handler');
+  return new WalletHandlers({
+    authenticator,
+    tokenStorage: new AuthStorage({
+      dbPath: path.join(env.dataDir, 'auth.db'),
+      // @ts-ignore
+      onload: console.warn,
+    }),
+  });
 });
 
-export const blocklet = new BlockletService();
+export const blocklet: any = lazyProxy(() => {
+  ensureNotificationPatch();
+  // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+  const { BlockletService } = require('@blocklet/sdk/service/auth');
+  return new BlockletService();
+});
 
 export async function getVaultAddress() {
   try {
@@ -88,7 +147,9 @@ export async function getVaultAddress() {
 }
 
 export type CallbackArgs = {
-  request: Request & { context: Record<string, any> };
+  // did-connect-js passes its framework-adapted request to handler callbacks
+  // (createHonoRequest under attachHono); only `.context` is read here.
+  request: { context: Record<string, any>; [key: string]: any };
   userDid: string;
   userPk: string;
   didwallet: {