payment-kit 1.29.1 → 1.29.2

package/cloudflare/build.ts

@@ -17,20 +17,25 @@ async function main() {
     mainFields: ['module', 'main'], // Resolve ESM first, then CJS
     conditions: ['import', 'module', 'default'],
     // CF Workers runtime provides these
-    external: [
-      'cloudflare:*',
-      '__STATIC_CONTENT_MANIFEST',
-    ],
+    external: ['cloudflare:*', '__STATIC_CONTENT_MANIFEST'],
     alias: {
+      // === Node builtins the banner require-polyfill can't cover ===
+      // `events` is used via CJS `require('events')` in core drivers
+      // (locks.ts MemoryLock, auth-storage.ts DbAuthStorage). The banner's
+      // globalThis.require does not list it, so require('events') -> {} and
+      // `class extends EventEmitter` crashes at global init. Alias both the
+      // bare and node:-prefixed forms to one deterministic EventEmitter shim.
+      events: path.resolve(cfDir, 'shims/events.ts'),
+      'node:events': path.resolve(cfDir, 'shims/events.ts'),
+
       // === Sequelize → D1 shim ===
-      'sequelize': path.resolve(cfDir, 'shims/sequelize-d1/index.ts'),
-      'sqlite3': path.resolve(cfDir, 'shims/noop.ts'),
+      sequelize: path.resolve(cfDir, 'shims/sequelize-d1/index.ts'),
+      sqlite3: path.resolve(cfDir, 'shims/noop.ts'),
       'cls-hooked': path.resolve(cfDir, 'shims/noop.ts'),
       'express-async-errors': path.resolve(cfDir, 'shims/noop.ts'),
 
       // === Express → shim ===
-      'express': path.resolve(cfDir, 'shims/express-compat/index.ts'),
-      'cors': path.resolve(cfDir, 'shims/cors.ts'),
+      cors: path.resolve(cfDir, 'shims/cors.ts'),
       'cookie-parser': path.resolve(cfDir, 'shims/cookie-parser.ts'),
 
       // === @blocklet/sdk — each sub-path needs its own alias ===
@@ -46,8 +51,19 @@ async function main() {
       '@blocklet/sdk/lib/wallet-authenticator': path.resolve(cfDir, 'shims/blocklet-sdk/wallet-authenticator.ts'),
       '@blocklet/sdk/lib/wallet-handler': path.resolve(cfDir, 'shims/blocklet-sdk/wallet-handler.ts'),
       '@blocklet/sdk/lib/security': path.resolve(cfDir, 'shims/blocklet-sdk/security.ts'),
+      '@blocklet/sdk/lib/util/verify-session': path.resolve(cfDir, 'shims/blocklet-sdk/verify-session.ts'),
       '@blocklet/sdk/lib/util/verify-sign': path.resolve(cfDir, 'shims/blocklet-sdk/verify-sign.ts'),
       '@blocklet/sdk/lib/util/component-api': path.resolve(cfDir, 'shims/blocklet-sdk/component-api.ts'),
+      // Phase 4 (express→hono): the native hono resource routes pull in the forked
+      // app-shell middleware (session — LIVE on CF; csrf/cdn/fallback — node-shell
+      // only, bundled-but-unreachable on CF). Each needs a util subpath shim so the
+      // bare `@blocklet/sdk` catch-all below doesn't mangle the import.
+      '@blocklet/sdk/lib/util/login': path.resolve(cfDir, 'shims/blocklet-sdk/login.ts'),
+      '@blocklet/sdk/lib/util/service-api': path.resolve(cfDir, 'shims/blocklet-sdk/service-api.ts'),
+      '@blocklet/sdk/lib/util/csrf': path.resolve(cfDir, 'shims/blocklet-sdk/util-csrf.ts'),
+      '@blocklet/sdk/lib/util/wallet': path.resolve(cfDir, 'shims/blocklet-sdk/util-wallet.ts'),
+      '@blocklet/sdk/lib/util/asset-host-transformer': path.resolve(cfDir, 'shims/blocklet-sdk/asset-host-transformer.ts'),
+      '@blocklet/sdk/lib/util/constants': path.resolve(cfDir, 'shims/blocklet-sdk/util-constants.ts'),
       '@blocklet/sdk/lib/error-handler': path.resolve(cfDir, 'shims/noop.ts'),
       '@blocklet/sdk/lib/did': path.resolve(cfDir, 'shims/blocklet-sdk/did.ts'),
       '@blocklet/sdk/lib/types/notification': path.resolve(cfDir, 'shims/noop.ts'),
@@ -62,22 +78,21 @@ async function main() {
       '@blocklet/xss': path.resolve(cfDir, 'shims/xss.ts'),
       '@blocklet/error': path.resolve(cfDir, 'shims/error.ts'),
       '@blocklet/logger': path.resolve(cfDir, 'shims/blocklet-sdk/logger.ts'),
-      '@blocklet/did-space-js': path.resolve(cfDir, 'shims/did-space-js.ts'),
       '@blocklet/payment-vendor': path.resolve(cfDir, 'shims/payment-vendor.ts'),
 
       // === ArcBlock / DID packages ===
       '@arcblock/did-connect-storage-nedb': path.resolve(cfDir, 'shims/nedb-storage.ts'),
 
       // === Other dependencies ===
-      'ws': path.resolve(cfDir, 'shims/ws-lite.ts'),
-      'pg': path.resolve(cfDir, 'shims/noop.ts'),
+      ws: path.resolve(cfDir, 'shims/ws-lite.ts'),
+      pg: path.resolve(cfDir, 'shims/noop.ts'),
       'follow-redirects': path.resolve(cfDir, 'shims/noop.ts'),
       'crypto-js': path.resolve(cfDir, 'shims/crypto-js-warn.ts'),
       'mime-types': path.resolve(cfDir, 'shims/mime-types.ts'),
       '@abtnode/cron': path.resolve(cfDir, 'shims/cron.ts'),
-      'querystring': path.resolve(cfDir, 'shims/querystring.ts'),
+      querystring: path.resolve(cfDir, 'shims/querystring.ts'),
       'dotenv-flow': path.resolve(cfDir, 'shims/noop.ts'),
-      'fastq': path.resolve(cfDir, 'shims/fastq.ts'),
+      fastq: path.resolve(cfDir, 'shims/fastq.ts'),
     },
     banner: {
       js: [

package/cloudflare/did-connect-auth.ts

@@ -168,223 +168,6 @@ class CloudflareD1Storage extends EventEmitter {
   }
 }
 
-// ---------------------------------------------------------------------------
-// Hono adapter – wraps Express-style (req, res, next) handlers for Hono
-// ---------------------------------------------------------------------------
-
-function parseCookieHeader(header: string): Record<string, string> {
-  const cookies: Record<string, string> = {};
-  if (!header) return cookies;
-  for (const pair of header.split(';')) {
-    const idx = pair.indexOf('=');
-    if (idx > 0) {
-      const key = pair.slice(0, idx).trim();
-      const val = pair.slice(idx + 1).trim();
-      cookies[key] = decodeURIComponent(val);
-    }
-  }
-  return cookies;
-}
-
-function negotiateLanguage(acceptHeader: string, ...langs: string[]): string | false {
-  if (!acceptHeader || langs.length === 0) return langs[0] || false;
-  const lower = acceptHeader.toLowerCase();
-  for (const lang of langs) {
-    const prefix = lang.toLowerCase().split('-')[0];
-    if (lower.includes(lang.toLowerCase()) || lower.includes(prefix)) {
-      return lang;
-    }
-  }
-  return langs[0] || false;
-}
-
-function createHonoRequest(c: any, bodyCache: any = {}): any {
-  const url = new URL(c.req.url);
-  const rawHeaders: Record<string, string> = {};
-  if (c.req.raw?.headers) {
-    c.req.raw.headers.forEach((value: string, key: string) => {
-      rawHeaders[key.toLowerCase()] = value;
-    });
-  }
-
-  return {
-    body: bodyCache,
-    query: Object.fromEntries(url.searchParams.entries()),
-    params: typeof c.req.param === 'function' ? c.req.param() : {},
-    headers: rawHeaders,
-    cookies: parseCookieHeader(rawHeaders.cookie || ''),
-    protocol: url.protocol.replace(':', ''),
-    originalUrl: url.pathname + url.search,
-    get(name: string) {
-      return rawHeaders[name.toLowerCase()];
-    },
-    header(name: string) {
-      return rawHeaders[name.toLowerCase()];
-    },
-    acceptsLanguages(...langs: string[]) {
-      return negotiateLanguage(rawHeaders['accept-language'] || '', ...langs);
-    },
-    raw: c,
-  };
-}
-
-function createHonoResponse(): any {
-  let result: { statusCode: number; body: any } | null = null;
-
-  return {
-    jsonp(data: any) {
-      result = { statusCode: 200, body: data };
-    },
-    json(data: any) {
-      result = { statusCode: 200, body: data };
-    },
-    status(code: number) {
-      return {
-        json(data: any) {
-          result = { statusCode: code, body: data };
-        },
-      };
-    },
-    _getResult() {
-      return result;
-    },
-  };
-}
-
-/**
- * Wrap a chain of Express-style middlewares + handler into a single Hono handler.
- */
-function wrapHandler(
-  middlewares: Array<(req: any, res: any, next: () => void) => any>,
-  handler: (req: any, res: any) => Promise<void>
-) {
-  return async (c: any) => {
-    // Ensure __CF_ENV__ is available for D1Storage
-    if (!(globalThis as any).__CF_ENV__) {
-      (globalThis as any).__CF_ENV__ = c.env;
-    }
-    let body = {};
-    try {
-      const text = await c.req.text();
-      if (text) {
-        const contentType = c.req.header('content-type') || '';
-        if (contentType.includes('json')) {
-          body = JSON.parse(text);
-        } else if (contentType.includes('urlencoded')) {
-          body = Object.fromEntries(new URLSearchParams(text).entries());
-        }
-      }
-    } catch {
-      // Body parsing failed
-    }
-
-    const req = createHonoRequest(c, body);
-    const res = createHonoResponse();
-
-    // Run middlewares
-    for (const mw of middlewares) {
-      let nextCalled = false;
-      await mw(req, res, () => {
-        nextCalled = true;
-      });
-      if (!nextCalled) {
-        const r = res._getResult();
-        if (r) return c.json(r.body, r.statusCode);
-        return c.json({ error: 'Unknown error' }, 500);
-      }
-    }
-
-    // Run handler
-    try {
-      await handler(req, res);
-    } catch (err: any) {
-      console.error(
-        '[DID Connect] handler error:',
-        err?.message || err,
-        err?.stack?.split('\n').slice(0, 5).join('\n')
-      );
-      // Write error to D1 for debugging (console.error may not be visible in tail)
-      try {
-        const db = (globalThis as any).__CF_ENV__?.DB;
-        if (db) {
-          await db
-            .prepare('INSERT OR REPLACE INTO _locks (name, owner, expires_at) VALUES (?, ?, 0)')
-            .bind('debug-did-error', `${err?.message || err}`.substring(0, 200))
-            .run();
-        }
-      } catch {
-        /* ignore */
-      }
-      return c.json({ error: err?.message || 'Internal server error' }, 500);
-    }
-    const r = res._getResult();
-    return c.json(r?.body ?? {}, r?.statusCode ?? 200);
-  };
-}
-
-/**
- * Monkey-patch the WalletHandlers.attach method to support Hono apps.
- *
- * The published @arcblock/did-connect-js expects Express. We intercept attach()
- * and register routes on the Hono app directly using wrapHandler().
- */
-function createHonoCompatHandlers(opts: { tokenStorage: any; authenticator: any }): WalletHandlers {
-  const handlers = new WalletHandlers(opts);
-  const originalAttach = handlers.attach.bind(handlers);
-
-  // Override attach to use Hono-compatible route registration
-  (handlers as any).attach = function attachHono(config: any) {
-    const { app, action, ...rest } = config;
-
-    // Create a fake Express-like app that collects routes
-    const routes: Array<{
-      method: string;
-      path: string;
-      middlewares: Function[];
-      handler: Function;
-    }> = [];
-
-    const fakeApp: any = {
-      get(path: string, ...fns: Function[]) {
-        routes.push({ method: 'get', path, middlewares: fns.slice(0, -1), handler: fns[fns.length - 1] });
-      },
-      post(path: string, ...fns: Function[]) {
-        routes.push({ method: 'post', path, middlewares: fns.slice(0, -1), handler: fns[fns.length - 1] });
-      },
-      use(_path: string, _middleware: any) {
-        // CORS is handled by Hono's cors middleware already
-      },
-    };
-
-    // Call original attach with fake app to collect routes
-    originalAttach({ app: fakeApp, action, ...rest });
-
-    // Now register collected routes on the real Hono app
-    const prefix = (handlers as any).options?.prefix || '/api/did';
-
-    // Add CORS for DID Connect routes
-    app.use(`${prefix}/${action}/*`, async (c: any, next: () => Promise<void>) => {
-      c.header('Access-Control-Allow-Origin', '*');
-      c.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-      c.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
-      if (c.req.method === 'OPTIONS') {
-        return c.text('', 204);
-      }
-      await next();
-    });
-
-    for (const route of routes) {
-      const wrapped = wrapHandler(route.middlewares as any[], route.handler as any);
-      if (route.method === 'get') {
-        app.get(route.path, wrapped);
-      } else if (route.method === 'post') {
-        app.post(route.path, wrapped);
-      }
-    }
-  };
-
-  return handlers;
-}
 
 // ---------------------------------------------------------------------------
 // Public API

package/cloudflare/migrations/0006_tenant_columns.sql

@@ -0,0 +1,46 @@
+-- Payment Kit: tenant columns (Phase 1, W1-1a)
+-- Adds a nullable instance_did column to all 38 tenant tables.
+-- Mirrors blocklets/core/api/src/store/migrations/20260610-tenant-columns.ts.
+-- No constraints / indexes / backfill here — those land in 0007 (Phase 2).
+--
+-- NOTE: wrangler tracks applied migrations in `d1_migrations` by filename,
+-- so this file is applied exactly once via `wrangler d1 migrations apply`.
+
+ALTER TABLE customers ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE products ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE prices ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE pricing_tables ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE payment_methods ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE checkout_sessions ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE payment_intents ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE payment_links ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE setup_intents ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE price_quotes ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE subscriptions ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE subscription_items ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE subscription_schedules ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE invoices ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE invoice_items ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE refunds ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE credit_grants ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE credit_transactions ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE meters ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE meter_events ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE usage_records ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE coupons ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE promotion_codes ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE discounts ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE entitlements ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE entitlement_grants ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE entitlement_products ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE events ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE webhook_endpoints ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE webhook_attempts ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE payouts ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE payment_stats ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE revenue_snapshots ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE auto_recharge_configs ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE tax_rates ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE settings ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE payment_currencies ADD COLUMN instance_did VARCHAR(64);
+ALTER TABLE product_vendors ADD COLUMN instance_did VARCHAR(64);

package/cloudflare/migrations/0007_tenant_backfill_indexes.sql

@@ -0,0 +1,65 @@
+-- Payment Kit: tenant unique keys + indexes (Phase 2, W1-1b)
+-- Mirrors the index/unique-key part of api/src/store/migrations/20260611-tenant-backfill.ts.
+--
+-- IMPORTANT: the instance_did BACKFILL is NOT here. Static migration SQL
+-- cannot know the deployment app DID, so the backfill (and the table rebuilds
+-- that drop old inline single-column UNIQUE constraints) runs through the
+-- shared runtime routine `runTenantBackfill()` (api/src/store/tenant-backfill.ts),
+-- invoked idempotently from the worker's scheduled() handler.
+--
+-- Everything below is NULL-safe before that backfill runs: SQLite treats each
+-- NULL as distinct in unique indexes, and existing single-column uniqueness
+-- (identifier / did / key / idempotency_key) guarantees no composite dupes.
+
+-- composite tenant unique keys (W1 §2.1, decisions D1/D3)
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_customers_tenant_did` ON `customers` (`instance_did`, `did`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_meter_events_tenant_identifier` ON `meter_events` (`instance_did`, `identifier`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_meters_tenant_event_name` ON `meters` (`instance_did`, `event_name`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_entitlements_tenant_key` ON `entitlements` (`instance_did`, `key`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_price_quotes_tenant_idem` ON `price_quotes` (`instance_did`, `idempotency_key`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_promotion_codes_tenant_code` ON `promotion_codes` (`instance_did`, `livemode`, `code`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_product_vendors_tenant_key` ON `product_vendors` (`instance_did`, `vendor_key`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_revenue_snapshots_tenant` ON `revenue_snapshots` (`instance_did`, `timestamp`, `currency_id`, `livemode`, `period_type`);
+DROP INDEX IF EXISTS `idx_revenue_snapshots_unique`;
+DROP INDEX IF EXISTS `idx_entitlements_key`;
+DROP INDEX IF EXISTS `idx_pq_idempotency`;
+
+-- plain tenant indexes for scoped queries (Phase 3+); meter_events is served
+-- by its composite unique above (high-write table, avoid a second index)
+CREATE INDEX IF NOT EXISTS `idx_customers_instance_did` ON `customers` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_products_instance_did` ON `products` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_prices_instance_did` ON `prices` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_pricing_tables_instance_did` ON `pricing_tables` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_methods_instance_did` ON `payment_methods` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_checkout_sessions_instance_did` ON `checkout_sessions` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_intents_instance_did` ON `payment_intents` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_links_instance_did` ON `payment_links` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_setup_intents_instance_did` ON `setup_intents` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_price_quotes_instance_did` ON `price_quotes` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_subscriptions_instance_did` ON `subscriptions` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_subscription_items_instance_did` ON `subscription_items` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_subscription_schedules_instance_did` ON `subscription_schedules` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_invoices_instance_did` ON `invoices` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_invoice_items_instance_did` ON `invoice_items` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_refunds_instance_did` ON `refunds` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_credit_grants_instance_did` ON `credit_grants` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_credit_transactions_instance_did` ON `credit_transactions` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_meters_instance_did` ON `meters` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_usage_records_instance_did` ON `usage_records` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_coupons_instance_did` ON `coupons` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_promotion_codes_instance_did` ON `promotion_codes` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_discounts_instance_did` ON `discounts` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_entitlements_instance_did` ON `entitlements` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_entitlement_grants_instance_did` ON `entitlement_grants` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_entitlement_products_instance_did` ON `entitlement_products` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_events_instance_did` ON `events` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_webhook_endpoints_instance_did` ON `webhook_endpoints` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_webhook_attempts_instance_did` ON `webhook_attempts` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payouts_instance_did` ON `payouts` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_stats_instance_did` ON `payment_stats` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_revenue_snapshots_instance_did` ON `revenue_snapshots` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_auto_recharge_configs_instance_did` ON `auto_recharge_configs` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_tax_rates_instance_did` ON `tax_rates` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_settings_instance_did` ON `settings` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_currencies_instance_did` ON `payment_currencies` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_product_vendors_instance_did` ON `product_vendors` (`instance_did`);

package/cloudflare/migrations/0008_schema_parity.sql

@@ -0,0 +1,16 @@
+-- Phase 11 (W2′) schema parity: close the D1-lineage gaps the schema-drift guard
+-- (scripts/schema-drift-guard.ts) found versus the Umzug canonical schema.
+-- Additive only — safe to apply on a deployed D1 (no drops, no rewrites).
+
+-- events: the Umzug genesis creates `events` with api_version (NOT NULL) and
+-- metadata (JSON); the D1 0001 events table predates both, so the worker could
+-- not write them. Backfill api_version with the app constant
+-- (api/src/libs/audit.ts API_VERSION = '2023-09-05'); new rows carry the same.
+ALTER TABLE `events` ADD COLUMN `api_version` VARCHAR(16) NOT NULL DEFAULT '2023-09-05';
+ALTER TABLE `events` ADD COLUMN `metadata` JSON;
+
+-- Indexes present in the canonical but missing in the D1 lineage (perf parity;
+-- names match the Umzug migrations 20250904-discount / 20251007-relate-tax-rate).
+CREATE INDEX IF NOT EXISTS `idx_discounts_customer_id` ON `discounts` (`customer_id`);
+CREATE INDEX IF NOT EXISTS `idx_invoice_items_tax_rate_id` ON `invoice_items` (`tax_rate_id`);
+CREATE INDEX IF NOT EXISTS `idx_promotion_codes_verification_type_coupon_id` ON `promotion_codes` (`verification_type`, `coupon_id`);

package/cloudflare/migrations/0009_remove_did_space_jobs.sql

@@ -0,0 +1,5 @@
+-- The DID Space billing-mirror integration was removed (libs/did-space.ts,
+-- queues/space.ts). Rows in `jobs` with queue='did-space' can never be picked
+-- up again (the scheduled scan only matches registered queue names), so they
+-- would sit in the table forever. Delete them. Idempotent.
+DELETE FROM jobs WHERE queue = 'did-space';

package/cloudflare/queue-runtime-mode.ts

@@ -0,0 +1,13 @@
+// Phase 12b (W2′): pin the core queue engine to 'workerd' mode.
+//
+// This MUST be imported before any business queue module (api/src/queues/*),
+// because createQueue runs at import time and reads the mode to decide whether
+// to start the node background poll loop(). A frozen CF isolate cannot run a
+// background timer, so the worker disables the loop and drives due-job
+// re-dispatch from scheduled() via the core dispatchDueJobs() surface instead.
+//
+// ESM executes imported module bodies in source order, so importing this first
+// in worker.ts guarantees the mode is set before the engine is constructed.
+import { setQueueRuntimeMode } from '../api/src/libs/queue/runtime';
+
+setQueueRuntimeMode('workerd');

package/cloudflare/run-build.js

@@ -3,59 +3,15 @@ const path = require("path");
 const cfDir = __dirname;
 const s = (f) => path.resolve(cfDir, f);
 
-// Resolve the absolute path of the original queue module so we can intercept it
-const queueModulePath = path.resolve(cfDir, "../api/src/libs/queue/index.ts");
-const queueShimPath = s("shims/queue.ts");
-
-// Resolve the absolute path of the original lock module so we can intercept it
-const lockModulePath = path.resolve(cfDir, "../api/src/libs/lock.ts");
-const lockShimPath = s("shims/lock.ts");
-
-// Plugin to redirect libs/queue to our CF Workers shim
-const queueNormalizedTarget = queueModulePath.replace(/\/index\.ts$/, '').replace(/\/index$/, '');
-const queueShimPlugin = {
-  name: 'queue-shim',
-  setup(build) {
-    // Intercept any import that resolves to the original queue module
-    build.onResolve({ filter: /libs\/queue/ }, (args) => {
-      const resolveDir = args.resolveDir;
-      if (!resolveDir) return undefined;
-
-      // Resolve the relative import to an absolute path
-      const resolved = path.resolve(resolveDir, args.path).replace(/\/index(\.ts)?$/, '');
-      const match = resolved === queueNormalizedTarget;
-      if (args.path.includes('queue')) {
-        console.log(`[queue-shim] ${match ? 'MATCH' : 'skip'}: ${args.path} -> ${resolved} (target: ${queueNormalizedTarget})`);
-      }
-      if (match) {
-        return { path: queueShimPath };
-      }
-      return undefined;
-    });
-  },
-};
-
-// Plugin to redirect libs/lock to our CF Workers D1-based lock shim
-const lockNormalizedTarget = lockModulePath.replace(/\.ts$/, '');
-const lockShimPlugin = {
-  name: 'lock-shim',
-  setup(build) {
-    build.onResolve({ filter: /libs\/lock/ }, (args) => {
-      const resolveDir = args.resolveDir;
-      if (!resolveDir) return undefined;
-
-      const resolved = path.resolve(resolveDir, args.path).replace(/\.ts$/, '');
-      const match = resolved === lockNormalizedTarget;
-      if (args.path.includes('lock')) {
-        console.log(`[lock-shim] ${match ? 'MATCH' : 'skip'}: ${args.path} -> ${resolved} (target: ${lockNormalizedTarget})`);
-      }
-      if (match) {
-        return { path: lockShimPath };
-      }
-      return undefined;
-    });
-  },
-};
+// Phase 12b/12c: the queue-shim (libs/queue -> shims/queue.ts) and lock-shim
+// (libs/lock -> shims/lock.ts) plugins were REMOVED.
+//   - queue-shim: option A makes api/src/libs/queue the ONE queue engine for all
+//     runtimes (the worker drives it via api/src/libs/queue/runtime.ts); the
+//     duplicate shims/queue.ts engine is deleted, so there is nothing to redirect.
+//   - lock-shim: lock became a Phase 8 driver (libs/drivers/locks) and the old
+//     shims/lock.ts no longer exists; the redirect pointed at a deleted file and
+//     was the only thing that broke this script.
+// Everything else below is the original CF deploy-build optimization config.
 
 // Plugin to neutralize rolldown-generated `__require(import.meta.url)` helpers
 // that ship inside npm packages built with rolldown (e.g. @ocap/message,
@@ -239,7 +195,7 @@ build({
   outdir: s("dist"), minify: true, sourcemap: true, metafile: true,
   mainFields: ["module", "main"],
   plugins: [
-    noopPackagesPlugin, queueShimPlugin, lockShimPlugin, rolldownRuntimeNoopPlugin, lodashSubpathPlugin, dropEthersWordlistsPlugin,
+    noopPackagesPlugin, rolldownRuntimeNoopPlugin, lodashSubpathPlugin, dropEthersWordlistsPlugin,
   ],
   external: ["cloudflare:*", "__STATIC_CONTENT_MANIFEST"],
   // Give import.meta.url a stable fallback so bundled deps that call
@@ -303,7 +259,6 @@ build({
     "sqlite3": s("shims/noop.ts"),
     "cls-hooked": s("shims/noop.ts"),
     "express-async-errors": s("shims/noop.ts"),
-    "express": s("shims/express-compat/index.ts"),
     "cors": s("shims/cors.ts"),
     "cookie-parser": s("shims/cookie-parser.ts"),
     "@blocklet/sdk/lib/middlewares/fallback": s("shims/blocklet-sdk/fallback.ts"),
@@ -331,7 +286,6 @@ build({
     "@blocklet/xss": s("shims/xss.ts"),
     "@blocklet/error": s("shims/error.ts"),
     "@blocklet/logger": s("shims/blocklet-sdk/logger.ts"),
-    "@blocklet/did-space-js": s("shims/did-space.ts"),
     "@blocklet/payment-vendor": s("shims/payment-vendor.ts"),
     "@arcblock/did-connect-storage-nedb": s("shims/nedb-storage.ts"),
     "@abtnode/cron": s("shims/cron.ts"),

package/cloudflare/shims/blocklet-sdk/asset-host-transformer.ts

@@ -0,0 +1,20 @@
+// CF shim for @blocklet/sdk/lib/util/asset-host-transformer.
+//
+// DEAD on the CF path: the only importer is the cdn middleware (node-shell only —
+// HTML CDN-URL rewriting on the full node app shell). The worker serves JSON API
+// routes through a LITE app-shell, so cdn never executes. A pass-through stub is
+// enough to resolve the bundled-but-unreachable node code.
+export class AssetHostTransformer {
+  // eslint-disable-next-line @typescript-eslint/no-useless-constructor, no-empty-function
+  constructor(_assetHost?: string) {}
+
+  transform(html: string, _assetHost?: string): string {
+    return html;
+  }
+
+  transformBuffer(body: Buffer | Uint8Array, _assetHost?: string): Buffer | Uint8Array {
+    return body;
+  }
+}
+
+export default { AssetHostTransformer };

package/cloudflare/shims/blocklet-sdk/config.ts

@@ -4,5 +4,12 @@ export { env };
 export const Events = {};
 export const events = { on: () => {}, emit: () => {} };
 
-const config = { env, Events, events };
+// Phase 4 (express→hono): the fallback middleware (SPA serving) reads these. It is
+// node-shell only — DEAD on the CF worker (which never serves the SPA) — so a
+// resolving stub is enough. getBlockletSettings also backs sessionMiddleware's
+// blacklist check, which is gated off on CF (enableBlacklist: false).
+export const getBlockletSettings = (): any => ({ enableBlacklist: false, theme: {} });
+export const getBlockletJs = (..._args: any[]): string => '';
+
+const config = { env, Events, events, getBlockletSettings, getBlockletJs };
 export default config;

package/cloudflare/shims/blocklet-sdk/login.ts

@@ -0,0 +1,12 @@
+// CF shim for @blocklet/sdk/lib/util/login.
+//
+// Reached on the LIVE CF path: sessionMiddleware (used by many resource routes)
+// calls isLoginToken/isAccessKey to classify the bearer token. These are pure
+// string-format checks — copied verbatim from the upstream so behavior matches.
+export const isLoginToken = (token: unknown): boolean =>
+  typeof token === 'string' && token.split('.').length === 3;
+
+export const isAccessKey = (token: unknown): boolean =>
+  typeof token === 'string' && token.split('.').length === 1 && token.startsWith('blocklet-');
+
+export default { isLoginToken, isAccessKey };

package/cloudflare/shims/blocklet-sdk/service-api.ts

@@ -0,0 +1,14 @@
+// CF shim for @blocklet/sdk/lib/util/service-api.
+//
+// The only caller on the CF path is sessionMiddleware's login-token blacklist
+// check, which is gated by `blockletSettings.enableBlacklist` (off on the CF
+// worker — the worker resolves identity via AUTH_SERVICE RPC, not the blacklist
+// endpoint). The old express-compat CF path never ran this check at all, so a
+// stub that reports "valid" preserves the worker's (no-blacklist) behavior and
+// never wrongly blocks a token if the setting is somehow on.
+const serviceApi = {
+  post: async (_url: string, _body?: unknown) => ({ data: { valid: true } }),
+  get: async (_url: string) => ({ data: {} }),
+};
+
+export default serviceApi;

package/cloudflare/shims/blocklet-sdk/session.ts

@@ -1,6 +1,8 @@
 // @blocklet/sdk/lib/middlewares/session shim
-// Auth is resolved in Hono middleware layer via AUTH_SERVICE RPC.
-// req.user is already populated by mountExpressRoutes().
+// Auth is resolved in the Hono middleware layer via AUTH_SERVICE RPC, then injected
+// as x-user-* request headers by the worker's /api/* dispatcher (worker.ts) — the
+// native authenticate()/sessionMiddleware read those. This express-middleware shim
+// is inert (the old express-compat mountExpressRoutes path it served is gone).
 export default function sessionMiddleware(_options?: any) {
   return (_req: any, _res: any, next: any) => next();
 }

package/cloudflare/shims/blocklet-sdk/util-constants.ts

@@ -0,0 +1,8 @@
+// CF shim for @blocklet/sdk/lib/util/constants.
+//
+// Reached via the fallback middleware (node-shell SPA serving — DEAD on the CF
+// worker, which never serves the SPA). SERVICE_PREFIX carries its real upstream
+// value so the bundled-but-unreachable node code is byte-faithful.
+export const SERVICE_PREFIX = '/.well-known/service';
+
+export default { SERVICE_PREFIX };

package/cloudflare/shims/blocklet-sdk/util-csrf.ts

@@ -0,0 +1,13 @@
+// CF shim for @blocklet/sdk/lib/util/csrf.
+//
+// DEAD on the CF path: the csrf middleware (middlewares/hono/csrf) lives only on
+// the NODE app-shell pipeline (service.ts buildHonoApp / configureNativePipeline,
+// reached via getHonoApp). The CF worker mounts a LITE app-shell (xss only) and
+// owns its own cors, so csrf never executes on the worker. These stubs exist only
+// so esbuild can resolve the import in the bundled-but-unreachable node code.
+export const getCsrfSecret = (): string => '';
+export const sign = (_secret: string, _value: string): string => '';
+export const verify = (_secret: string, _value: string, _token: string): boolean => false;
+export const hmac = (_secret: string, _value: string): string => '';
+
+export default { getCsrfSecret, sign, verify, hmac };