payment-kit 1.29.1 → 1.29.2

package/cloudflare/worker.ts

@@ -14,15 +14,30 @@ import { setDB } from './shims/sequelize-d1/model';
 import { initialize } from '../api/src/store/models';
 import { Sequelize } from './shims/sequelize-d1/sequelize-class';
 
-// Import the original Express routes (esbuild aliases handle all deps)
-import expressRoutes from '../api/src/routes/index';
-import type { RouteEntry } from './shims/express-compat/index';
+// Phase 12b: pin the core queue engine to 'workerd' mode BEFORE any business
+// queue module loads (createQueue reads it at import to disable the node poll
+// loop). Side-effect import — keep it ahead of service/crons/queues below.
+import './queue-runtime-mode';
+
+// Phase 12a (Option 3 seam): the worker's /api business surface now comes from
+// the embedded payment service factory instead of a direct routes import. The
+// factory performs assembly (config slot authoritative via setCoreConfig + model
+// initialize), and exposes `http.resourceRoutes` — the resource routers only,
+// no node app shell, no DID-Connect handlers (the worker registers those through
+// its own Hono `attachDIDConnectRoutes`). The factory's lazy `handler` getter is
+// never touched here, so the node-only app shell never runs under the shim.
+import { createEmbeddedPaymentService } from '../api/src/service';
+import type { PaymentCoreService } from '../api/src/service';
 
 // Import cron instance for scheduled handler
 import { cronInstance } from './shims/cron';
 
-// Import queue utilities
-import { setWaitUntil, setCFQueue, flushPendingJobs, runAllScheduledJobs, getHandler } from './shims/queue';
+// Phase 12b: drive the SAME core queue engine (api/src/libs/queue) through its
+// host-facing runtime surface instead of the legacy cloudflare/shims/queue.ts
+// duplicate engine (dead under the canonical build — its registry is never
+// populated). scheduled() → dispatchDueJobs(); queue() → getQueueHandler();
+// HTTP/scheduled/queue flush → flushQueueWork().
+import { dispatchDueJobs, getQueueHandler, getAllQueueNames, flushQueueWork } from '../api/src/libs/queue/runtime';
 
 // Import crons init to register all cron jobs
 import crons from '../api/src/crons/index';
@@ -53,6 +68,10 @@ import { withD1Retry } from './shims/sequelize-d1/retry';
 // DID Connect: login routes proxied to blocklet-service, business actions (pay/subscribe) handled locally
 import { attachDIDConnectRoutes } from './did-connect-auth';
 
+// Phase 7: tenant-context middleware — resolves Host -> tenant (single point)
+// and wraps the request chain in context.withTenant (multi-mode fail-closed).
+import { tenantMiddleware } from './tenant-middleware';
+
 FetchRequest.registerGetUrl(async (req: FetchRequest) => {
   const resp = await fetch(req.url, {
     method: req.method || 'GET',
@@ -204,6 +223,93 @@ function ensureModelsInit() {
   }
 }
 
+// Phase 12a/12c: build the explicit PaymentCoreConfig from CF env. These keys are
+// read only by the core (via the libs/env.ts readConfig boundary), never by a
+// worker shim, so the factory config slot carries them. Phase 12c removed the
+// last `process.env` mirror: the HTTP path (buildApp) and the scheduled()/queue()
+// path (setupEnv) both call ensurePaymentService(env) -> setCoreConfig, so the
+// config slot is authoritative on every path and no process.env fallback remains.
+function envToPaymentCoreConfig(env: Env): Record<string, any> {
+  const config: Record<string, any> = { BLOCKLET_MODE: 'production' };
+  if (env.APP_PID) {
+    config.BLOCKLET_APP_PID = env.APP_PID;
+    config.BLOCKLET_APP_ID = env.APP_PID;
+  }
+  if (env.APP_URL) {
+    config.APP_URL = env.APP_URL;
+    config.BLOCKLET_APP_URL = env.APP_URL;
+  }
+  if (env.APP_NAME) config.BLOCKLET_APP_NAME = env.APP_NAME;
+  // Stripe webhook secret: env override for signature verification (DB value may
+  // be empty if not configured in the original Blocklet Server).
+  if (env.STRIPE_WEBHOOK_SECRET) config.STRIPE_WEBHOOK_SECRET = env.STRIPE_WEBHOOK_SECRET;
+  if (env.PAYMENT_CHANGE_LOCKED_PRICE) config.PAYMENT_CHANGE_LOCKED_PRICE = env.PAYMENT_CHANGE_LOCKED_PRICE;
+  if (env.SHORT_URL_DOMAIN) config.SHORT_URL_DOMAIN = env.SHORT_URL_DOMAIN;
+  // Audience for the Pub/Sub OIDC JWT wrapping Google Play RTDN webhooks; without
+  // it googlePlayEndpoint() falls back to the workers.dev origin -> audience mismatch.
+  if (env.GOOGLE_PLAY_WEBHOOK_URL) config.GOOGLE_PLAY_WEBHOOK_URL = env.GOOGLE_PLAY_WEBHOOK_URL;
+  // Pub/Sub sender binding — without it the google_play webhook can't enforce the
+  // push service account on CF and would fail open (PR #1381 P1).
+  if (env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT)
+    config.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT = env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
+  if (env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER)
+    config.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER = env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER;
+  return config;
+}
+
+// Phase 12a: assemble the embedded payment service once per isolate. The factory
+// performs config/db assembly (setCoreConfig + initialize), so models are bound
+// here and ensureModelsInit() becomes a no-op on the HTTP path. Slots beyond
+// config/db are intentionally omitted in 12a (defaults preserve current worker
+// behavior: single-mode default tenant resolved from BLOCKLET_APP_PID); richer
+// slot bridging is 12b/12c.
+let paymentService: PaymentCoreService | null = null;
+function ensurePaymentService(env: Env): PaymentCoreService {
+  if (paymentService) return paymentService;
+  const sequelize = new Sequelize();
+  const svc = createEmbeddedPaymentService({
+    config: envToPaymentCoreConfig(env),
+    db: { sequelize },
+  });
+  // Phase 12c HARD GATE: the CF worker is a host adapter. It mounts only
+  // svc.http.resourceRoutes and registers DID-Connect through its own Hono
+  // shell — it must NEVER touch svc.handler, whose lazy getter builds the
+  // node-only Express app shell (app.set / static / connect attach) that does
+  // not belong under workerd. Trap the access so a future regression fails loud
+  // at runtime instead of silently constructing the node app in the isolate.
+  paymentService = new Proxy(svc, {
+    get(target, prop, receiver) {
+      if (prop === 'handler') {
+        throw new Error(
+          '[worker hard-gate] svc.handler is forbidden in the CF worker — mount svc.http.resourceRoutes instead'
+        );
+      }
+      return Reflect.get(target, prop, receiver);
+    },
+  });
+  modelsInitialized = true; // the factory called initialize(sequelize)
+  return paymentService;
+}
+
+// Phase 2 (W1-1b): static D1 migration SQL cannot know the deployment app
+// DID, so the instance_did backfill + unique-key rebuilds run through the
+// shared runtime routine. Idempotent (NULL-only updates, DDL checks), so a
+// once-per-isolate guard just avoids 38 no-op UPDATEs on every cron tick.
+let tenantBackfillDone = false;
+async function ensureTenantBackfill() {
+  if (tenantBackfillDone) return;
+  try {
+    const { runTenantBackfill } = await import('../api/src/store/tenant-backfill');
+    const result = await runTenantBackfill(new Sequelize() as any);
+    const touched = Object.entries(result.backfilled).filter(([, n]) => n > 0);
+    if (touched.length) console.log('[tenant-backfill] backfilled:', JSON.stringify(Object.fromEntries(touched)));
+    tenantBackfillDone = true;
+  } catch (e: any) {
+    // fail-loud but non-fatal: crons still run; next tick retries
+    console.error('[tenant-backfill] failed:', e?.message || e);
+  }
+}
+
 function ensureCronsInit() {
   if (!cronsInitialized) {
     try {
@@ -234,6 +340,12 @@ function buildApp(env: Env): Hono<HonoEnv> {
     return cachedApp;
   }
 
+  // Phase 12a: assemble the embedded payment service (config/db/slots) and take
+  // its resource routes for mounting. Only `http.resourceRoutes` is read — the
+  // node-only `handler` getter is never touched, so the express app shell + the
+  // DID-Connect handlers it carries never run under the workerd shim.
+  const service = ensurePaymentService(env);
+
   const app = new Hono<HonoEnv>();
 
   // CORS
@@ -255,43 +367,17 @@ function buildApp(env: Env): Hono<HonoEnv> {
     // In queue consumer/cron, this flag is absent — createEvent uses __cfPendingJobs__ (blocking).
     (globalThis as any).__cfHttpContext__ = true;
     setDB(withD1Retry(c.env.DB.withSession('first-primary')));
-    if (c.env.JOB_QUEUE) setCFQueue(c.env.JOB_QUEUE);
     ensureModelsInit();
 
-    // Sync CF env vars to process.env for source code compatibility
-    if (typeof process !== 'undefined' && process.env) {
-      // Stripe webhook secret: kept as env var override for webhook signature verification
-      // (DB value may be empty if not configured in original Blocklet Server)
-      if (c.env.STRIPE_WEBHOOK_SECRET) process.env.STRIPE_WEBHOOK_SECRET = c.env.STRIPE_WEBHOOK_SECRET;
-      if (c.env.APP_URL) {
-        process.env.APP_URL = c.env.APP_URL;
-        process.env.BLOCKLET_APP_URL = c.env.APP_URL;
-      }
-      if (c.env.APP_PID) {
-        process.env.BLOCKLET_APP_PID = c.env.APP_PID;
-        process.env.BLOCKLET_APP_ID = c.env.APP_PID;
-      }
-      if (c.env.APP_NAME) process.env.BLOCKLET_APP_NAME = c.env.APP_NAME;
-      if (c.env.PAYMENT_CHANGE_LOCKED_PRICE) process.env.PAYMENT_CHANGE_LOCKED_PRICE = c.env.PAYMENT_CHANGE_LOCKED_PRICE;
-      if (c.env.SHORT_URL_DOMAIN) process.env.SHORT_URL_DOMAIN = c.env.SHORT_URL_DOMAIN;
-      // Audience for the Pub/Sub OIDC JWT that wraps Google Play RTDN webhooks.
-      // Without this mirror, libs/util.ts googlePlayEndpoint() falls back to
-      // getUrl('/api/integrations/google-play/webhook') — which resolves to
-      // the *.workers.dev origin, not the custom domain Pub/Sub actually
-      // POSTs to. Every webhook then dies with "audience mismatch".
-      if (c.env.GOOGLE_PLAY_WEBHOOK_URL) {
-        process.env.GOOGLE_PLAY_WEBHOOK_URL = c.env.GOOGLE_PLAY_WEBHOOK_URL;
-      }
-      // Pub/Sub sender binding — without mirroring these, the google_play webhook
-      // can't enforce the push service account on CF and would fail open (PR #1381 P1).
-      if (c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT) {
-        process.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT = c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
-      }
-      if (c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER) {
-        process.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER = c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER;
-      }
-      process.env.BLOCKLET_MODE = 'production';
-    }
+    // Phase 12a: CF env now flows through the factory config slot (assembled in
+    // ensurePaymentService -> setCoreConfig, made authoritative via the
+    // libs/env.ts readConfig boundary). The per-request process.env mirror that
+    // lived here is gone. This defensive idempotent call guarantees the config is
+    // wired for this isolate regardless of Hono app-cache state; it is a no-op
+    // after the first call. (Phase 12c: scheduled()/queue() call the same
+    // ensurePaymentService via setupEnv, so the config slot is authoritative
+    // there too — no process.env mirror on any path.)
+    ensurePaymentService(c.env);
 
     // Register Stripe key decrypt overrides from env vars
     // Fetch EK from AUTH_SERVICE and initialize decrypt capability (first request only)
@@ -351,10 +437,7 @@ function buildApp(env: Env): Hono<HonoEnv> {
     // --- Append Server-Timing header ---
     const totalDur = Math.round(performance.now() - t0);
     const d1 = getD1Timing();
-    const timings = [
-      `total;dur=${totalDur}`,
-      `auth;dur=${authDur};desc="${authSource}"`,
-    ];
+    const timings = [`total;dur=${totalDur}`, `auth;dur=${authDur};desc="${authSource}"`];
     if (d1.queries > 0) {
       timings.push(`db;dur=${Math.round(d1.wallMs)};desc="${d1.queries}q ${d1.rowsRead}r"`);
       if (d1.sqlMs > 0) timings.push(`db_sql;dur=${Math.round(d1.sqlMs)}`);
@@ -366,6 +449,12 @@ function buildApp(env: Env): Hono<HonoEnv> {
     c.res.headers.append('Server-Timing', timings.join(', '));
   });
 
+  // Tenant context: resolve Host -> tenant (single point) and wrap the request
+  // chain in context.withTenant so every TenantModel query is scoped. Scoped to
+  // /api/* so /health and static assets never require a tenant. multi mode:
+  // unknown/missing Host -> 400 fail-closed (no default-tenant fallback).
+  app.use('/api/*', tenantMiddleware());
+
   // Health check
   app.get('/health', (c) => c.json({ status: 'ok' }));
 
@@ -608,10 +697,11 @@ function buildApp(env: Env): Hono<HonoEnv> {
   // Notification unread count
   app.get('/api/notifications/unread-count', (c) => c.json({ unReadCount: 0 }));
 
-  // Manually trigger job dispatch (same as cron's runAllScheduledJobs)
+  // Manually trigger job dispatch (same as cron's scheduled() due-dispatch)
   app.post('/api/__dev__/dispatch-jobs', async (c) => {
-    const names = getAllHandlerNames();
-    const result = await runAllScheduledJobs();
+    const names = getAllQueueNames();
+    const result = await dispatchDueJobs();
+    await flushQueueWork();
     return c.json({ handlers: names, ...result });
   });
 
@@ -640,8 +730,11 @@ function buildApp(env: Env): Hono<HonoEnv> {
   // for creating PaymentMethods is owner-gated, and staging has no owner yet
   // (Pengfei's blocklet-service role is `member`). Gated by PAYMENT_LIVEMODE
   // === 'false' so this only ever touches testmode data.
-  // === Express-to-Hono Route Adapter ===
-  mountExpressRoutes(app, '/api', expressRoutes);
+  // Phase 4 (express→hono): the resource routes are a native hono app
+  // (service.http.resourceRoutes) mounted by the /api/* dispatcher registered
+  // AFTER the worker's own /api/__dev__ routes (see below, replacing the old
+  // "not implemented" catch-all). The old express-compat mountExpressRoutes shim
+  // is gone.
 
   // Dev endpoint: D1 admin operations
   // Test CF Queue send directly
@@ -986,9 +1079,33 @@ function buildApp(env: Env): Hono<HonoEnv> {
     }
   });
 
-  // Catch-all for unimplemented API routes
-  app.all('/api/*', (c) => {
-    return c.json({ error: `Not yet implemented: ${c.req.method} ${c.req.path}` }, 501);
+  // Phase 4 (express→hono): native hono resource routes. Registered AFTER the
+  // worker's own /api/__dev__ routes so those match first; this dispatcher then
+  // handles every other /api/* path (returning resourceRoutes' own 404 for an
+  // unknown route). The RPC-resolved caller identity is injected as x-user-*
+  // request headers — the native authenticate() reads those — and any
+  // client-supplied x-user-* is overwritten/stripped so it can never be forged
+  // (component auth via x-component-sig is left intact: it is verified
+  // cryptographically downstream). The worker already provides cors + tenant, so
+  // resourceRoutes uses a LITE app-shell (xss only); flushQueueWork() preserves
+  // the workerd flush-before-response the old shim ran after each handler.
+  const resourceRoutes = service.http.resourceRoutes as Hono;
+  const USER_HEADERS = ['x-user-did', 'x-user-role', 'x-user-provider', 'x-user-fullname', 'x-user-wallet-os'];
+  app.all('/api/*', async (c) => {
+    const headers = new Headers(c.req.raw.headers);
+    for (const h of USER_HEADERS) headers.delete(h); // never trust a client-supplied identity header
+    const caller: CallerIdentityDTO | null = c.get('caller');
+    if (caller) {
+      const canonicalDid = caller.did?.startsWith('did:abt:') ? caller.did : `did:abt:${caller.did}`;
+      headers.set('x-user-did', canonicalDid);
+      headers.set('x-user-role', `blocklet-${caller.role || 'guest'}`);
+      headers.set('x-user-provider', caller.authMethod === 'access-key' ? 'access-key' : caller.authMethod || 'wallet');
+      headers.set('x-user-fullname', encodeURIComponent(caller.displayName || ''));
+      headers.set('x-user-wallet-os', '');
+    }
+    const res = await resourceRoutes.fetch(new Request(c.req.raw, { headers }), c.env, c.executionCtx);
+    await flushQueueWork(); // drain workerd deferred queue work before responding
+    return res;
   });
 
   // === Media Kit Proxy ===
@@ -1158,347 +1275,6 @@ function buildApp(env: Env): Hono<HonoEnv> {
   return app;
 }
 
-// === Express-to-Hono Route Adapter ===
-
-function normalizeRoutePath(prefix: string, routePath: string): string {
-  let full = (prefix + routePath).replace(/\/+/g, '/');
-  if (!full.startsWith('/')) full = `/${full}`;
-  if (full.length > 1 && full.endsWith('/')) full = full.slice(0, -1);
-  return full;
-}
-
-function createExpressReq(c: any, routeParams: Record<string, string>): any {
-  const url = new URL(c.req.url);
-  const query: Record<string, any> = {};
-  url.searchParams.forEach((v, k) => {
-    query[k] = v;
-  });
-
-  const headers: Record<string, string> = {};
-  c.req.raw.headers.forEach((v: string, k: string) => {
-    headers[k.toLowerCase()] = v;
-  });
-
-  const req: any = {
-    method: c.req.method,
-    url: url.pathname + url.search,
-    path: url.pathname,
-    originalUrl: url.pathname + url.search,
-    query,
-    params: { ...routeParams },
-    body: null,
-    headers,
-    user: null,
-    // Worker-wide livemode is driven by the PAYMENT_LIVEMODE env var (set on
-    // each deployment). Routes that filter PaymentMethod by livemode rely on
-    // this value matching what we stored when bootstrapping the methods.
-    livemode: c.env?.PAYMENT_LIVEMODE !== 'false',
-    baseCurrency: null,
-    ip: headers['cf-connecting-ip'] || headers['x-forwarded-for'] || '127.0.0.1',
-    get(name: string) {
-      return headers[name.toLowerCase()];
-    },
-    header(name: string) {
-      return headers[name.toLowerCase()];
-    },
-  };
-
-  return req;
-}
-
-function createExpressRes(): any {
-  const res: any = {
-    _statusCode: 200,
-    _headers: {} as Record<string, string>,
-    _body: null as any,
-    _sent: false,
-    _redirectUrl: null as string | null,
-    headersSent: false,
-
-    status(code: number) {
-      res._statusCode = code;
-      return res;
-    },
-    json(data: any) {
-      if (res._sent) return res;
-      res._sent = true;
-      res.headersSent = true;
-      res._body = data;
-      res._headers['content-type'] = 'application/json';
-      return res;
-    },
-    send(data: any) {
-      if (res._sent) return res;
-      res._sent = true;
-      res.headersSent = true;
-      res._body = data;
-      return res;
-    },
-    redirect(urlOrStatus: any, url?: string) {
-      res._sent = true;
-      res.headersSent = true;
-      if (typeof urlOrStatus === 'number') {
-        res._statusCode = urlOrStatus;
-        res._redirectUrl = url;
-      } else {
-        res._statusCode = 302;
-        res._redirectUrl = urlOrStatus;
-      }
-      return res;
-    },
-    set(key: string, value: string) {
-      res._headers[key.toLowerCase()] = value;
-      return res;
-    },
-    setHeader(key: string, value: string) {
-      res._headers[key.toLowerCase()] = value;
-      return res;
-    },
-    cookie(_name: string, _value: string, _options?: any) {
-      return res;
-    },
-    end() {
-      if (!res._sent) {
-        res._sent = true;
-        res.headersSent = true;
-      }
-    },
-    type(t: string) {
-      res._headers['content-type'] = t;
-      return res;
-    },
-  };
-
-  Object.defineProperty(res, 'statusCode', {
-    get() {
-      return res._statusCode;
-    },
-    set(v: number) {
-      res._statusCode = v;
-    },
-  });
-
-  return res;
-}
-
-function expressResToResponse(res: any): Response {
-  if (res._redirectUrl) {
-    return Response.redirect(res._redirectUrl, res._statusCode || 302);
-  }
-
-  const headers = new Headers(res._headers);
-
-  if (res._body === null || res._body === undefined) {
-    return new Response(null, { status: res._statusCode, headers });
-  }
-
-  if (typeof res._body === 'string') {
-    return new Response(res._body, { status: res._statusCode, headers });
-  }
-
-  if (res._body instanceof ArrayBuffer || res._body instanceof Uint8Array) {
-    return new Response(res._body, { status: res._statusCode, headers });
-  }
-
-  if (!headers.has('content-type')) {
-    headers.set('content-type', 'application/json');
-  }
-  let jsonStr = JSON.stringify(res._body);
-  // Rewrite legacy blocklet server URLs to CF Workers domain
-  // Old format: https://old-domain/payment/methods/x.png -> https://cf-domain/methods/x.png
-  const cfAppUrl = ((globalThis as any).__CF_ENV__?.APP_URL || '').replace(/\/$/, '');
-  if (cfAppUrl) {
-    jsonStr = jsonStr
-      .split('https://bbqa7swuuaze4l2y5salvngyjyohlhq5fs5j42eokni.did.abtnet.io/payment/')
-      .join(`${cfAppUrl}/`);
-    jsonStr = jsonStr.split('https://bbqa7swuuaze4l2y5salvngyjyohlhq5fs5j42eokni.did.abtnet.io').join(cfAppUrl);
-  }
-  return new Response(jsonStr, { status: res._statusCode, headers });
-}
-
-async function runExpressHandlers(handlers: Function[], req: any, res: any): Promise<void> {
-  let idx = 0;
-
-  async function runNext(err?: any): Promise<void> {
-    if (err) {
-      console.error('[CF Worker] Express middleware error:', err?.message || err);
-      if (!res._sent) {
-        res.status(500).json({ error: err?.message || 'Internal Server Error' });
-      }
-      return;
-    }
-    if (idx >= handlers.length || res._sent) return;
-
-    const handler = handlers[idx++];
-    if (!handler) return runNext();
-
-    if (handler.length === 4) {
-      return runNext();
-    }
-
-    return new Promise<void>((resolve) => {
-      let nextCalled = false;
-
-      try {
-        const result = handler(req, res, (nextErr?: any) => {
-          nextCalled = true;
-          runNext(nextErr)
-            .then(resolve)
-            .catch((e: any) => {
-              if (!res._sent) res.status(500).json({ error: e?.message || 'Internal Server Error' });
-              resolve();
-            });
-        });
-
-        if (result && typeof result.then === 'function') {
-          result
-            .then(() => {
-              if (!nextCalled) {
-                resolve();
-              }
-            })
-            .catch((e: any) => {
-              console.error('[CF Worker] Async handler error:', e?.message || e);
-              if (!res._sent) res.status(500).json({ error: e?.message || 'Internal Server Error' });
-              resolve();
-            });
-        } else if (!nextCalled) {
-          resolve();
-        }
-      } catch (e: any) {
-        console.error('[CF Worker] Sync handler error:', e?.message || e);
-        if (!res._sent) res.status(500).json({ error: e?.message || 'Internal Server Error' });
-        resolve();
-      }
-    });
-  }
-
-  await runNext();
-}
-
-function mountExpressRoutes(honoApp: Hono<HonoEnv>, prefix: string, expressRouter: any) {
-  const routes: RouteEntry[] = expressRouter._routes || [];
-
-  console.log(`[CF Worker] Mounting ${routes.length} Express routes under ${prefix}`);
-
-  for (const route of routes) {
-    const fullPath = normalizeRoutePath(prefix, route.path);
-    const method = route.method.toLowerCase() as 'get' | 'post' | 'put' | 'patch' | 'delete';
-
-    if (!['get', 'post', 'put', 'patch', 'delete'].includes(method)) {
-      console.warn(`[CF Worker] Skipping unsupported method: ${route.method} ${fullPath}`);
-      continue;
-    }
-
-    honoApp[method](fullPath, async (c) => {
-      const req = createExpressReq(c, c.req.param());
-      const res = createExpressRes();
-
-      if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(c.req.method)) {
-        try {
-          const contentType = c.req.header('content-type') || '';
-          const isStripeWebhook = fullPath.includes('/integrations/stripe/webhook');
-
-          if (isStripeWebhook) {
-            const rawBody = await c.req.arrayBuffer();
-            req.body = Buffer.from(rawBody);
-            req.rawBody = req.body;
-          } else if (contentType.includes('application/json')) {
-            req.body = await c.req.json();
-          } else if (contentType.includes('application/x-www-form-urlencoded')) {
-            const text = await c.req.text();
-            req.body = Object.fromEntries(new URLSearchParams(text));
-          } else if (contentType.includes('text/')) {
-            req.body = await c.req.text();
-          } else {
-            try {
-              req.body = await c.req.json();
-            } catch {
-              try {
-                req.body = await c.req.text();
-              } catch {
-                req.body = null;
-              }
-            }
-          }
-        } catch {
-          req.body = {};
-        }
-      }
-
-      // Debug logging for webhook
-      if (fullPath.includes('stripe/webhook')) {
-        console.log('[CF Worker] Stripe webhook request received:', {
-          method: c.req.method,
-          path: fullPath,
-          hasSignature: !!req.headers['stripe-signature'],
-          bodyType: typeof req.body,
-          bodyLength: req.body?.length || 0,
-          isBuffer: Buffer.isBuffer(req.body),
-          handlersCount: route.handlers.length,
-        });
-      }
-
-      // Inject caller identity resolved by AUTH_SERVICE RPC (or mock fallback).
-      // AUTH_SERVICE returns the bare base58 address; Customer/Subscription queries
-      // and entitlement lookups expect the canonical `did:abt:…` form, so we
-      // normalize once here at the boundary instead of in every downstream call site.
-      const caller: CallerIdentityDTO | null = c.get('caller');
-      if (caller) {
-        const canonicalDid = caller.did?.startsWith('did:abt:') ? caller.did : `did:abt:${caller.did}`;
-        req.user = {
-          did: canonicalDid,
-          role: caller.role || 'guest',
-          provider: caller.authMethod === 'access-key' ? 'access-key' : 'wallet',
-          fullName: caller.displayName || '',
-          walletOS: '',
-          via: 'dashboard',
-        };
-        req.headers['x-user-did'] = canonicalDid;
-        req.headers['x-user-role'] = `blocklet-${caller.role || 'guest'}`;
-        req.headers['x-user-provider'] = caller.authMethod || 'wallet';
-        req.headers['x-user-fullname'] = encodeURIComponent(caller.displayName || '');
-        req.headers['x-user-wallet-os'] = '';
-      } else {
-        req.user = { did: '', role: 'guest', provider: '', fullName: '', walletOS: '', via: '' };
-      }
-
-      try {
-        await runExpressHandlers(route.handlers, req, res);
-      } catch (e: any) {
-        console.error(
-          `[CF Worker] Unhandled error in ${route.method} ${fullPath}:`,
-          e?.message || e,
-          '\n',
-          e?.stack?.split('\n').slice(0, 8).join('\n')
-        );
-        if (!res._sent) {
-          res.status(500).json({ error: e?.message || 'Internal Server Error' });
-        }
-      }
-
-      // Debug logging for webhook response
-      if (fullPath.includes('stripe/webhook')) {
-        console.log('[CF Worker] Stripe webhook handler result:', {
-          sent: res._sent,
-          statusCode: res._statusCode,
-          body:
-            typeof res._body === 'string' ? res._body.substring(0, 200) : JSON.stringify(res._body)?.substring(0, 200),
-        });
-      }
-
-      // Ensure all async push() jobs complete before returning
-      await flushPendingJobs();
-
-      if (!res._sent) {
-        console.warn(`[CF Worker] No response sent for ${route.method} ${fullPath}`);
-        return c.json({ error: 'No response from handler' }, 500);
-      }
-
-      return expressResToResponse(res);
-    });
-  }
-}
 
 // === Shared env setup for scheduled/queue handlers ===
 function setupEnv(env: Env) {
@@ -1509,21 +1285,13 @@ function setupEnv(env: Env) {
   // Queue consumer and cron: NOT HTTP context — createEvent must block (listeners complete before ack/return)
   (globalThis as any).__cfHttpContext__ = false;
   setDB(env.DB.withSession('first-primary'));
-  if (env.JOB_QUEUE) setCFQueue(env.JOB_QUEUE);
-  ensureModelsInit();
-
-  if (typeof process !== 'undefined' && process.env) {
-    if (env.APP_URL) {
-      process.env.APP_URL = env.APP_URL;
-      process.env.BLOCKLET_APP_URL = env.APP_URL;
-    }
-    if (env.APP_PID) {
-      process.env.BLOCKLET_APP_PID = env.APP_PID;
-      process.env.BLOCKLET_APP_ID = env.APP_PID;
-    }
-    if (env.APP_NAME) process.env.BLOCKLET_APP_NAME = env.APP_NAME;
-    process.env.BLOCKLET_MODE = 'production';
-  }
+  // Phase 12c: assemble the service so the CONFIG SLOT (setCoreConfig) is
+  // authoritative on the scheduled()/queue() paths too. envToPaymentCoreConfig
+  // carries BLOCKLET_MODE + every key the old setupEnv process.env mirror set,
+  // and the core reads them only through libs/env.ts readConfig — so the worker
+  // env mirror is deleted (no more process.env fallback). Idempotent + cached;
+  // also binds models, so ensureModelsInit() is subsumed.
+  ensurePaymentService(env);
 
   // Security init is handled in the per-request middleware (first request only)
 }
@@ -1531,7 +1299,6 @@ function setupEnv(env: Env) {
 // === Export ===
 export default {
   async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
-    setWaitUntil((p) => ctx.waitUntil(p));
     // Expose waitUntil globally for createEvent to use in HTTP context
     (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => ctx.waitUntil(p);
 
@@ -1542,7 +1309,8 @@ export default {
   async scheduled(event: ScheduledEvent, env: Env, ctx: ExecutionContext) {
     setupEnv(env);
     ensureCronsInit();
-    setWaitUntil((p) => ctx.waitUntil(p));
+    await ensureTenantBackfill();
+    (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => ctx.waitUntil(p);
 
     console.log('Scheduled event:', event.cron, 'scheduledTime:', event.scheduledTime);
 
@@ -1555,54 +1323,57 @@ export default {
     // execution crosses a minute boundary, matching on wall-clock would miss
     // exact-minute crons like "0 1 * * * *".
     await cronInstance.runAll(new Date(event.scheduledTime));
-    await runAllScheduledJobs();
-    await flushPendingJobs();
+    // Phase 12b: the workerd trigger for the node queue engine's due-job
+    // re-dispatch. dispatchDueJobs() runs each scheduled queue's redispatchDue()
+    // (the same cancel-then-replay-from-store body the node loop() runs on a
+    // timer), then flushQueueWork() drains the re-pushed executions before the
+    // isolate freezes.
+    await dispatchDueJobs();
+    await flushQueueWork();
   },
 
-  // CF Queue consumer — processes jobs sent by push() in the queue shim
+  // CF Queue consumer — resolves the SAME core queue handle by name and runs
+  // the job through the engine's runJobWithTenant/onJob/retry/cancel path. Under
+  // the canonical node-engine model immediate jobs execute in-isolate via fastq
+  // (nothing is sent to CF Queue), so this consumer is the back-compat path for
+  // any message still on JOB_QUEUE — it must never fork the engine.
   async queue(
     batch: MessageBatch<{ queueName: string; jobId: string; job: any; persist?: boolean }>,
     env: Env,
-    ctx: ExecutionContext,
+    ctx: ExecutionContext
   ) {
     setupEnv(env);
-    setWaitUntil((p) => ctx.waitUntil(p));
+    (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => ctx.waitUntil(p);
 
     console.log(`[queue:consumer] Received batch of ${batch.messages.length} messages`);
 
     for (const msg of batch.messages) {
-      const { queueName, jobId, job, persist } = msg.body;
+      const { queueName, jobId, job } = msg.body;
 
-      const handler = getHandler(queueName);
+      const handle = getQueueHandler(queueName);
 
-      if (!handler) {
-        console.error(`[queue:consumer] No handler registered for queue "${queueName}", acking message`);
+      if (!handle) {
+        console.error(`[queue:consumer] No core queue registered for "${queueName}", acking message`);
         msg.ack();
         continue;
       }
 
-      // persist defaults to true for backward compatibility and for direct
-      // push() immediate jobs (where addJob wrote the row, so we must delete
-      // it after onJob succeeds).
-      //
-      // Scheduled dispatches from runAllScheduledJobs set persist=false —
-      // the dispatcher already deleted the D1 row before sending, and
-      // onJob may have re-pushed a fresh row with the same id; deleting
-      // again would wipe out that new row.
-      const shouldPersist = persist !== false;
-
       try {
-        console.log(`[queue:consumer] Processing ${queueName}:${jobId} (persist=${shouldPersist})`);
-        await handler.executeJob(jobId, job, shouldPersist);
+        console.log(`[queue:consumer] Processing ${queueName}:${jobId}`);
+        // persist:false — the row already exists in D1 (the original push wrote
+        // it); re-running inline through pushAndWait executes onJob and clears
+        // the row on success without a duplicate-addJob that would hang.
+        // eslint-disable-next-line no-await-in-loop
+        await handle.pushAndWait({ job, id: jobId, persist: false });
         console.log(`[queue:consumer] Completed ${queueName}:${jobId}`);
         msg.ack();
       } catch (err: any) {
         console.error(`[queue:consumer] Failed ${queueName}:${jobId}:`, err?.message || err);
-        // Don't retry via CF Queue — job is in D1, cron will re-dispatch
+        // Don't retry via CF Queue — job is in D1, scheduled() will re-dispatch
         msg.ack();
       }
     }
 
-    await flushPendingJobs();
+    await flushQueueWork();
   },
 };