payment-kit 1.29.1 → 1.29.2

package/cloudflare/wrangler.local-e2e.jsonc

@@ -0,0 +1,26 @@
+{
+  // Stripped LOCAL-ONLY config for the express→hono Phase 4 CF runtime E2E.
+  // Drops the external service bindings (AUTH_SERVICE / MEDIA_KIT — separate
+  // workers not in this repo), HYPERDRIVE, queues, assets, and crons so the worker
+  // boots under `wrangler dev` with just a local D1 + KV. Auth is therefore absent
+  // (caller resolves to null) — only PUBLIC read routes + the 404 path are testable.
+  "name": "payment-kit-local-e2e",
+  "main": "dist/worker.js",
+  "compatibility_date": "2024-12-01",
+  "compatibility_flags": ["nodejs_compat"],
+  "d1_databases": [
+    {
+      "binding": "DB",
+      "database_name": "payment-kit-prod",
+      "database_id": "ea6c75d0-39b8-40cd-a0ae-a2062e77c4b9",
+      "migrations_dir": "migrations"
+    }
+  ],
+  "kv_namespaces": [{ "binding": "DID_CONNECT_KV", "id": "local-e2e-kv" }],
+  "vars": {
+    "APP_NAME": "Payment Kit",
+    "APP_PID": "payment-kit-dev",
+    "APP_URL": "http://localhost:8787",
+    "PAYMENT_LIVEMODE": "false"
+  }
+}

package/jest.config.js

@@ -13,7 +13,9 @@ module.exports = {
     '^.+\\.js$': ['babel-jest', { presets: [['@babel/preset-env', { targets: { node: 'current' } }]] }],
   },
   transformIgnorePatterns: [
-    'node_modules/(?!.*(@noble|@scure|string-width|strip-ansi|ansi-regex)/)',
+    // `validator` ships an ESM build under validator/es/* that resource routes
+    // (customers) import directly; transform it so jest can load those routes.
+    'node_modules/(?!.*(@noble|@scure|string-width|strip-ansi|ansi-regex|p-retry|is-network-error|validator|uuid)/)',
   ],
   testMatch: ['**/tests/**/*.spec.ts'],
   collectCoverageFrom: ['api/src/**/*.ts'],

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "payment-kit",
-  "version": "1.29.1",
+  "version": "1.29.2",
   "scripts": {
     "dev": "blocklet dev --open",
     "prelint": "npm run types",
-    "lint": "tsc --noEmit && eslint src api/src --ext .mjs,.js,.jsx,.ts,.tsx",
+    "lint": "tsc --noEmit && eslint src api/src --ext .mjs,.js,.jsx,.ts,.tsx && node scripts/scan-tenant-queries.js && node scripts/scan-core-env.js",
     "lint:fix": "pnpm run lint --fix",
     "format": "prettier -w src",
     "test": "node scripts/jest.js",
@@ -46,60 +46,55 @@
     ]
   },
   "dependencies": {
-    "@abtnode/cron": "^1.17.12",
+    "@abtnode/cron": "^1.17.13-beta-20260613-094425-b81920c8",
     "@apple/app-store-server-library": "^3.1.0",
-    "@arcblock/did": "^1.30.9",
-    "@arcblock/did-connect-js": "4.0.0",
-    "@arcblock/did-connect-react": "^3.5.2",
+    "@arcblock/did": "^1.30.24",
+    "@arcblock/did-connect-js": "4.0.1-beta.6",
+    "@arcblock/did-connect-react": "^3.5.4",
     "@arcblock/did-connect-storage-nedb": "^1.8.0",
-    "@arcblock/did-util": "^1.30.9",
-    "@arcblock/jwt": "^1.30.9",
-    "@arcblock/react-hooks": "^3.5.2",
-    "@arcblock/ux": "^3.5.2",
-    "@arcblock/validator": "^1.30.9",
-    "@arcblock/vc": "^1.30.9",
-    "@blocklet/did-space-js": "^1.2.23",
+    "@arcblock/did-util": "^1.30.24",
+    "@arcblock/jwt": "^1.30.24",
+    "@arcblock/react-hooks": "^3.5.4",
+    "@arcblock/ux": "^3.5.4",
+    "@arcblock/validator": "^1.30.24",
+    "@arcblock/vc": "^1.30.24",
     "@blocklet/error": "^0.3.5",
-    "@blocklet/js-sdk": "^1.17.12",
-    "@blocklet/logger": "^1.17.12",
-    "@blocklet/payment-broker-client": "1.29.1",
-    "@blocklet/payment-react": "1.29.1",
-    "@blocklet/payment-vendor": "1.29.1",
-    "@blocklet/sdk": "^1.17.12",
-    "@blocklet/ui-react": "^3.5.2",
+    "@blocklet/js-sdk": "^1.17.13-beta-20260613-094425-b81920c8",
+    "@blocklet/logger": "^1.17.13-beta-20260613-094425-b81920c8",
+    "@blocklet/payment-broker-client": "1.29.2",
+    "@blocklet/payment-react": "1.29.2",
+    "@blocklet/payment-vendor": "1.29.2",
+    "@blocklet/sdk": "^1.17.13-beta-20260613-094425-b81920c8",
+    "@blocklet/ui-react": "^3.5.4",
     "@blocklet/uploader": "^0.3.20",
     "@blocklet/xss": "^0.3.16",
+    "@hono/node-server": "2.0.4",
     "@mui/icons-material": "^7.1.2",
     "@mui/lab": "7.0.0-beta.14",
     "@mui/material": "^7.1.2",
     "@mui/system": "^7.1.1",
-    "@ocap/asset": "^1.30.9",
-    "@ocap/client": "^1.30.9",
-    "@ocap/mcrypto": "^1.30.9",
-    "@ocap/util": "^1.30.9",
-    "@ocap/wallet": "^1.30.9",
+    "@ocap/asset": "^1.30.24",
+    "@ocap/client": "^1.30.24",
+    "@ocap/mcrypto": "^1.30.24",
+    "@ocap/util": "^1.30.24",
+    "@ocap/wallet": "^1.30.24",
     "@stripe/react-stripe-js": "^2.9.0",
     "@stripe/stripe-js": "^2.4.0",
     "ahooks": "^3.8.5",
     "axios": "^1.15.2",
     "bignumber.js": "^9.3.1",
-    "body-parser": "^1.20.3",
     "cls-hooked": "^4.2.2",
-    "cookie-parser": "^1.4.7",
     "copy-to-clipboard": "^3.3.3",
-    "cors": "^2.8.5",
     "date-fns": "^3.6.0",
     "dayjs": "^1.11.13",
     "debug": "^4.4.1",
     "dotenv-flow": "^3.3.0",
     "ethers": "^6.14.4",
-    "express": "^4.21.2",
-    "express-async-errors": "^3.1.1",
-    "express-history-api-fallback": "^2.2.1",
     "fastq": "^1.19.1",
     "flat": "^5.0.2",
     "google-libphonenumber": "^3.2.42",
     "google-play-billing-validator": "^2.1.3",
+    "hono": "4.12.12",
     "html2canvas": "^1.4.1",
     "iframe-resizer-react": "^1.1.1",
     "joi": "17.12.2",
@@ -125,7 +120,7 @@
     "react-router-dom": "^6.30.3",
     "recharts": "^2.15.4",
     "rimraf": "^3.0.2",
-    "sequelize": "^6.37.8",
+    "sequelize": "~6.37.8",
     "sql-where-parser": "^2.2.1",
     "sqlite3": "^5.1.7",
     "stripe": "^13.11.0",
@@ -138,14 +133,12 @@
     "web3": "^4.16.0"
   },
   "devDependencies": {
-    "@abtnode/types": "^1.17.12",
+    "@abtnode/types": "^1.17.13-beta-20260613-094425-b81920c8",
     "@arcblock/eslint-config-ts": "^0.3.3",
-    "@blocklet/payment-types": "1.29.1",
-    "@types/cookie-parser": "^1.4.9",
-    "@types/cors": "^2.8.19",
+    "@blocklet/payment-types": "1.29.2",
+    "@types/connect": "^3.4.38",
     "@types/debug": "^4.1.12",
     "@types/dotenv-flow": "^3.3.3",
-    "@types/express": "^4.17.23",
     "@types/node": "^18.19.112",
     "@types/node-apple-receipt-verify": "^1.7.5",
     "@types/react": "^18.3.23",
@@ -154,6 +147,7 @@
     "babel-plugin-lodash": "^3.3.4",
     "bumpp": "^8.2.1",
     "code-inspector-plugin": "^1.2.3",
+    "connect": "^3.7.0",
     "cross-env": "^7.0.3",
     "eslint": "^8.57.1",
     "import-sort-style-module": "^6.0.0",
@@ -176,6 +170,7 @@
     "vite-plugin-node-polyfills": "^0.23.0",
     "vite-plugin-svgr": "^4.3.0",
     "vite-tsconfig-paths": "^5.1.4",
+    "wrangler": "^4.100.0",
     "zx": "^8.8.5"
   },
   "importSort": {
@@ -188,5 +183,5 @@
       "parser": "typescript"
     }
   },
-  "gitHead": "e66e469df2a1ed80e15b17fd8511c2ce01a0a54e"
+  "gitHead": "b4f9a33207cb2341638efff848a900087a18e6cf"
 }

package/scripts/core-env-whitelist.json

@@ -0,0 +1 @@
+[]

package/scripts/e2e-12b-runtime.ts

@@ -0,0 +1,149 @@
+// Phase 12b E2E harness — drives the core queue RUNTIME surface against a real
+// sqlite DB (outside jest) and prints JSON-shaped results for the build-phases
+// E2E hard gate. Proves worker(workerd) ↔ node parity for delay/cancel and that
+// the host-driven dispatchDueJobs()/flushQueueWork() seam runs the SAME engine.
+//
+// Run: npx tsx scripts/e2e-12b-runtime.ts   (cwd = blocklets/core)
+/* eslint-disable no-console, global-require, @typescript-eslint/no-var-requires */
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+const TENANT_A = 'did:abt:zE2E12BA';
+
+async function main() {
+  const STORE_DIR = path.join(process.cwd(), 'api/src/store');
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-12b-'));
+  // store/migrate.ts eagerly builds a sequelize at module-load (needs a data
+  // dir). We bind models to our OWN sqlite below; this just satisfies the eager
+  // path. Set BEFORE any in-repo require.
+  process.env.BLOCKLET_DATA_DIR = dir;
+  process.env.NODE_ENV = process.env.NODE_ENV || 'test';
+  // single-mode default tenant for the tenant-backfill migration + config gate
+  process.env.BLOCKLET_APP_PID = process.env.BLOCKLET_APP_PID || TENANT_A;
+  process.env.BLOCKLET_APP_ID = process.env.BLOCKLET_APP_ID || TENANT_A;
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'e2e.db'), logging: false });
+  const qi = sequelize.getQueryInterface();
+  const migDir = path.join(STORE_DIR, 'migrations');
+  const migrations = fs
+    .readdirSync(migDir)
+    .filter((f) => f.endsWith('.ts'))
+    .sort()
+    .map((f) => {
+      const mod = require(path.join(migDir, f));
+      return { name: f, up: async () => mod.up({ context: qi }), down: async () => mod.down({ context: qi }) };
+    });
+  const umzug = new Umzug({ migrations, storage: new SequelizeStorage({ sequelize }), logger: undefined });
+  await umzug.up();
+  require('../api/src/store/models').initialize(sequelize);
+
+  const createQueue = require('../api/src/libs/queue').default;
+  const {
+    setQueueRuntimeMode,
+    getAllQueueNames,
+    dispatchDueJobs,
+    flushQueueWork,
+  } = require('../api/src/libs/queue/runtime');
+
+  const out: any[] = [];
+  const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+  // --- S12b.1 registry non-empty (canonical engine, not the dead shim) ---
+  setQueueRuntimeMode('workerd');
+  let ranDue = 0;
+  const q = createQueue({
+    name: 'e2e-due',
+    onJob: async () => {
+      ranDue += 1;
+    },
+    options: { enableScheduledJob: true },
+  });
+  out.push({ case: 'S12b.1 registry non-empty', input: 'createQueue(e2e-due)', output: { queues: getAllQueueNames() } });
+
+  // --- S12b.2 workerd disables the background loop (no auto-dispatch) ---
+  await q.store.addJob('due-1', { v: 1, instance_did: TENANT_A }, { delay: 5, will_run_at: Date.now() - 1000 });
+  await sleep(80);
+  out.push({ case: 'S12b.2 workerd loop disabled', input: 'due delayed row + wait 80ms', output: { ranBeforeDispatch: ranDue } });
+
+  // --- S12b.3 host-driven dispatchDueJobs executes the due delayed job once ---
+  const dispatchResult = await dispatchDueJobs();
+  await flushQueueWork();
+  out.push({
+    case: 'S12b.3 dispatchDueJobs executes due job once',
+    input: 'dispatchDueJobs() + flushQueueWork()',
+    output: { dispatched: dispatchResult.dispatched, ran: ranDue, rowCleared: (await q.store.getJob('due-1')) === null },
+  });
+
+  // --- S12b.4 NEGATIVE: cancel an in-flight delayed job — no half-execution ---
+  let ranCancel = 0;
+  const qc = createQueue({
+    name: 'e2e-cancel',
+    onJob: async () => {
+      ranCancel += 1;
+    },
+    options: { enableScheduledJob: true },
+  });
+  await qc.store.addJob('cancel-1', { v: 1, instance_did: TENANT_A }, { delay: 5, will_run_at: Date.now() - 1000 });
+  await qc.cancel('cancel-1');
+  const cancelDispatch = await dispatchDueJobs();
+  await flushQueueWork();
+  out.push({
+    case: 'S12b.4 cancel in-flight leaves no residue',
+    input: 'cancel(cancel-1) before dispatchDueJobs()',
+    output: { dispatched: cancelDispatch.dispatched, ran: ranCancel },
+  });
+
+  // --- S12b.5 node entry parity: same redispatchDue body runs on a node loop ---
+  setQueueRuntimeMode('node');
+  let ranNode = 0;
+  const qn = createQueue({
+    name: 'e2e-node',
+    onJob: async () => {
+      ranNode += 1;
+    },
+    options: { enableScheduledJob: true, retryDelay: 1 },
+  });
+  await qn.store.addJob('node-1', { v: 1, instance_did: TENANT_A }, { delay: 2, will_run_at: Date.now() - 1000 });
+  // node loop polls every minDelay/2 (~1s in test) — wait for one cycle
+  await sleep(1500);
+  out.push({
+    case: 'S12b.5 node loop dispatches the same way',
+    input: 'node-mode delayed row + wait one poll cycle',
+    output: { ran: ranNode, rowCleared: (await qn.store.getJob('node-1')) === null },
+  });
+
+  // --- S12b.6 retry parity (node engine): maxRetries attempts then failed ---
+  let attempts = 0;
+  const qr = createQueue({
+    name: 'e2e-retry',
+    onJob: async () => {
+      attempts += 1;
+      throw new Error('always');
+    },
+    options: { maxRetries: 3, retryDelay: 1 },
+  });
+  const settled: any = await new Promise((resolve) => {
+    const ev = qr.push({ job: { v: 1, instance_did: TENANT_A } });
+    ev.on('failed', (d: any) => resolve({ event: 'failed', id: d.id }));
+    ev.on('finished', (d: any) => resolve({ event: 'finished', id: d.id }));
+  });
+  out.push({
+    case: 'S12b.6 retry up to maxRetries then failed',
+    input: 'maxRetries:3 onJob always throws',
+    output: { event: settled.event, attempts },
+  });
+
+  console.log(JSON.stringify({ phase: '12b', success: true, cases: out }, null, 2));
+
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+  process.exit(0);
+}
+
+main().catch((err) => {
+  console.log(JSON.stringify({ phase: '12b', success: false, error: err?.message || String(err) }));
+  console.error(err?.stack || err);
+  process.exit(1);
+});

package/scripts/e2e-core-config.ts

@@ -0,0 +1,125 @@
+/* eslint-disable no-console */
+// Phase 8 (W2′) deterministic E2E: prove the injected config slot is authoritative
+// and fails closed on a missing required field. Emits raw JSON for each call.
+//
+//   npx tsx scripts/e2e-core-config.ts
+
+import { setCoreConfig, readConfig } from '../api/src/libs/env';
+import { getTenantMode, getDefaultInstanceDid, setDefaultInstanceDid } from '../api/src/libs/tenant';
+import { createEmbeddedPaymentService } from '../api/src/service';
+
+function emit(label: string, input: any, output: any) {
+  console.log(`=== ${label} ===`);
+  console.log(`input: ${JSON.stringify(input)}`);
+  console.log(`output: ${JSON.stringify(output)}`);
+  console.log('');
+}
+
+function tryFactory(slots: any): { threw: boolean; name?: string; code?: string; field?: string; message?: string } {
+  try {
+    createEmbeddedPaymentService(slots);
+    return { threw: false };
+  } catch (err: any) {
+    return { threw: true, name: err?.name, code: err?.code, field: err?.field, message: err?.message };
+  }
+}
+
+function main() {
+  const checks: Array<[string, boolean]> = [];
+
+  // ---- Happy: injected config is authoritative, env is the fallback ----
+  process.env.E2E_KEY = 'from-env';
+  setCoreConfig({ E2E_KEY: 'from-config', PAYMENT_TENANT_MODE: 'multi' });
+  const injected = readConfig('E2E_KEY');
+  emit('S8.1 injected config wins over process.env', { env: 'from-env', config: 'from-config' }, { read: injected });
+  checks.push(['injected config wins', injected === 'from-config']);
+
+  setCoreConfig({ ONLY: 'x' });
+  const fallback = readConfig('E2E_KEY');
+  emit('S8.2 fallback to process.env when key absent from config', { configKeys: ['ONLY'] }, { read: fallback });
+  checks.push(['fallback to env', fallback === 'from-env']);
+  delete process.env.E2E_KEY;
+
+  // ---- getTenantMode reads mode from injected config (single source of truth) ----
+  delete process.env.PAYMENT_TENANT_MODE;
+  setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+  const modeMulti = getTenantMode();
+  setCoreConfig({ PAYMENT_TENANT_MODE: 'single' });
+  const modeSingle = getTenantMode();
+  emit('S8.3 getTenantMode from injected config', { config: ['multi', 'single'] }, { modeMulti, modeSingle });
+  checks.push(['mode multi from config', modeMulti === 'multi']);
+  checks.push(['mode single from config', modeSingle === 'single']);
+
+  // injected config wins over a conflicting env mirror
+  process.env.PAYMENT_TENANT_MODE = 'single';
+  setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+  const modeConflict = getTenantMode();
+  emit('S8.4 config wins over conflicting process.env', { env: 'single', config: 'multi' }, { mode: modeConflict });
+  checks.push(['config beats conflicting env', modeConflict === 'multi']);
+  delete process.env.PAYMENT_TENANT_MODE;
+
+  // app DID from injected config
+  setDefaultInstanceDid(undefined);
+  delete process.env.BLOCKLET_APP_PID;
+  setCoreConfig({ BLOCKLET_APP_PID: 'did:abt:zCONFIGAPP', PAYMENT_TENANT_MODE: 'single' });
+  const appDid = getDefaultInstanceDid();
+  emit('S8.5 getDefaultInstanceDid from injected config', { config: 'did:abt:zCONFIGAPP' }, { appDid });
+  checks.push(['app DID from config', appDid === 'did:abt:zCONFIGAPP']);
+
+  // ---- Negative: fail-fast on missing required field ----
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  delete process.env.BLOCKLET_APP_PID;
+  const failFast = tryFactory({ config: {}, db: { sequelize: {} } });
+  emit('S8.6 single-mode factory missing BLOCKLET_APP_PID -> fail-fast', { config: {}, tenancy: 'single(default)' }, failFast);
+  checks.push([
+    'fail-fast MissingConfigError(BLOCKLET_APP_PID)',
+    failFast.threw && failFast.code === 'MISSING_CONFIG_FIELD' && failFast.field === 'BLOCKLET_APP_PID',
+  ]);
+
+  // multi mode does not require BLOCKLET_APP_PID (tenant resolved per request)
+  setCoreConfig(undefined);
+  const multiNoPid = tryFactory({ config: { PAYMENT_TENANT_MODE: 'multi' }, db: { sequelize: {} }, tenancy: { mode: 'multi' } });
+  emit('S8.7 multi mode does NOT require BLOCKLET_APP_PID', { tenancy: 'multi' }, multiNoPid);
+  checks.push(['multi mode skips the requirement', !(multiNoPid.code === 'MISSING_CONFIG_FIELD')]);
+
+  // ---- Layer 3: adversarial ----
+  console.log('##### LAYER 3: ADVERSARIAL #####\n');
+  // a) prototype-pollution key in config must not poison readConfig or globals
+  setCoreConfig(JSON.parse('{"__proto__": {"polluted": true}, "SAFE": "ok"}'));
+  const polluted = ({} as any).polluted === true;
+  const safeRead = readConfig('SAFE');
+  emit('S8.A1 prototype-pollution config key', { config: '{"__proto__":{"polluted":true},"SAFE":"ok"}' }, { globalPolluted: polluted, safeRead });
+  checks.push(['no prototype pollution from config', polluted === false]);
+  checks.push(['benign keys still readable', safeRead === 'ok']);
+
+  // b) the fail-fast error message must not echo secret values
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  delete process.env.BLOCKLET_APP_PID;
+  const secretLeak = tryFactory({ config: { STRIPE_SECRET: 'sk_live_DEADBEEF_should_not_appear' }, db: { sequelize: {} } });
+  const leaks = (secretLeak.message || '').includes('sk_live_DEADBEEF');
+  emit('S8.A2 fail-fast error does not echo secret config values', { secretInConfig: 'sk_live_DEADBEEF...' }, { message: secretLeak.message, leaks });
+  checks.push(['error does not leak secret value', leaks === false]);
+
+  // c) numeric/garbage config coerced to string by the boundary (no crash)
+  setCoreConfig({ NUMERIC: 12345, BOOL: true });
+  const numeric = readConfig('NUMERIC');
+  const bool = readConfig('BOOL');
+  emit('S8.A3 non-string config values coerced safely', { NUMERIC: 12345, BOOL: true }, { numeric, bool });
+  checks.push(['non-string config coerced to string', numeric === '12345' && bool === 'true']);
+
+  // restore + report
+  setCoreConfig(undefined);
+
+  console.log('##### ASSERTIONS #####');
+  let allPass = true;
+  for (const [name, ok] of checks) {
+    if (!ok) allPass = false;
+    console.log(JSON.stringify({ check: name, pass: ok }));
+  }
+  console.log(JSON.stringify({ success: allPass, total: checks.length, passed: checks.filter(([, ok]) => ok).length }));
+  if (!allPass) process.exit(1);
+}
+
+main();

package/scripts/e2e-d1-tenancy.ts

@@ -0,0 +1,116 @@
+/* eslint-disable no-console */
+// D1 (S3.0) E2E harness — really runs the embedded factory with the three input
+// matrices and prints JSON-shaped results. Invoked by build-phases Layer 2; the
+// raw output is captured into planning/.../logs/sD1-e2e.log.
+//
+// Run: npx tsx scripts/e2e-d1-tenancy.ts
+import { Sequelize } from 'sequelize';
+import { setCoreConfig, getCoreConfig } from '../api/src/libs/env';
+import { getTenantMode, setDefaultInstanceDid } from '../api/src/libs/tenant';
+import {
+  createDefaultIdentityDriver,
+  setIdentityDriver,
+  createDefaultSecretsDriver,
+  setSecretsDriver,
+} from '../api/src/libs/drivers';
+import { createEmbeddedPaymentService } from '../api/src/service';
+
+const identity = { resolveInstanceDidForHost: () => null } as any;
+const secrets = createDefaultSecretsDriver();
+
+function freshDb() {
+  return { sequelize: new Sequelize({ dialect: 'sqlite', storage: ':memory:', logging: false }) as any };
+}
+function reset() {
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  setIdentityDriver(createDefaultIdentityDriver());
+  setSecretsDriver(createDefaultSecretsDriver());
+  delete process.env.PAYMENT_TENANT_MODE;
+}
+
+function emit(label: string, obj: unknown) {
+  console.log(`=== ${label} ===`);
+  console.log(JSON.stringify(obj, null, 2));
+}
+
+// matrix 1 — slot drives multi (no env)
+reset();
+createEmbeddedPaymentService({ config: {}, db: freshDb(), tenancy: { mode: 'multi' }, identity, secrets });
+emit('M1 slot-multi-no-env', { tenantMode: getTenantMode(), success: getTenantMode() === 'multi' });
+
+// matrix 2 — config carries multi, slot agrees
+reset();
+createEmbeddedPaymentService({
+  config: { PAYMENT_TENANT_MODE: 'multi' },
+  db: freshDb(),
+  tenancy: { mode: 'multi' },
+  identity,
+  secrets,
+});
+emit('M2 config-multi-slot-agrees', { tenantMode: getTenantMode(), success: getTenantMode() === 'multi' });
+
+// matrix 3 (NEGATIVE) — config single conflicts with slot multi -> must throw, no mode written
+reset();
+let conflictErr: any = null;
+try {
+  createEmbeddedPaymentService({
+    config: { PAYMENT_TENANT_MODE: 'single' },
+    db: freshDb(),
+    tenancy: { mode: 'multi' },
+    identity,
+    secrets,
+  });
+} catch (err: any) {
+  conflictErr = err;
+}
+emit('M3 conflict-negative', {
+  threw: conflictErr !== null,
+  name: conflictErr?.name,
+  code: conflictErr?.code,
+  message: conflictErr?.message,
+  coreConfigAfter: getCoreConfig() === undefined ? 'undefined (no half write)' : 'WRITTEN (bug!)',
+  success: conflictErr !== null && getCoreConfig() === undefined,
+});
+
+// matrix 4 (NEGATIVE) — multi without secrets -> fail-closed (no silent single)
+reset();
+let slotErr: any = null;
+try {
+  createEmbeddedPaymentService({ config: {}, db: freshDb(), tenancy: { mode: 'multi' }, identity });
+} catch (err: any) {
+  slotErr = err;
+}
+emit('M4 multi-missing-secrets-negative', {
+  threw: slotErr !== null,
+  name: slotErr?.name,
+  code: slotErr?.code,
+  slot: slotErr?.slot,
+  success: slotErr !== null && slotErr?.slot === 'secrets',
+});
+
+// matrix 4b (NEGATIVE) — multi without identity -> fail-closed (no silent single)
+reset();
+let identityErr: any = null;
+try {
+  createEmbeddedPaymentService({ config: {}, db: freshDb(), tenancy: { mode: 'multi' }, secrets } as any);
+} catch (err: any) {
+  identityErr = err;
+}
+emit('M4b multi-missing-identity-negative', {
+  threw: identityErr !== null,
+  name: identityErr?.name,
+  code: identityErr?.code,
+  slot: identityErr?.slot,
+  success: identityErr !== null && identityErr?.slot === 'identity',
+});
+
+// matrix 5 — legacy single compat (no tenancy + APP_PID)
+reset();
+process.env.BLOCKLET_APP_PID = 'did:abt:zLEGACYAPP';
+createEmbeddedPaymentService({ config: { BLOCKLET_APP_PID: 'did:abt:zLEGACYAPP' }, db: freshDb() });
+emit('M5 legacy-single-compat', { tenantMode: getTenantMode(), success: getTenantMode() === 'single' });
+delete process.env.BLOCKLET_APP_PID;
+
+console.log('=== DONE ===');
+process.exit(0);