payment-kit 1.29.1 → 1.29.3

package/cloudflare/migrations/0007_tenant_backfill_indexes.sql

@@ -0,0 +1,65 @@
+-- Payment Kit: tenant unique keys + indexes (Phase 2, W1-1b)
+-- Mirrors the index/unique-key part of api/src/store/migrations/20260611-tenant-backfill.ts.
+--
+-- IMPORTANT: the instance_did BACKFILL is NOT here. Static migration SQL
+-- cannot know the deployment app DID, so the backfill (and the table rebuilds
+-- that drop old inline single-column UNIQUE constraints) runs through the
+-- shared runtime routine `runTenantBackfill()` (api/src/store/tenant-backfill.ts),
+-- invoked idempotently from the worker's scheduled() handler.
+--
+-- Everything below is NULL-safe before that backfill runs: SQLite treats each
+-- NULL as distinct in unique indexes, and existing single-column uniqueness
+-- (identifier / did / key / idempotency_key) guarantees no composite dupes.
+
+-- composite tenant unique keys (W1 §2.1, decisions D1/D3)
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_customers_tenant_did` ON `customers` (`instance_did`, `did`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_meter_events_tenant_identifier` ON `meter_events` (`instance_did`, `identifier`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_meters_tenant_event_name` ON `meters` (`instance_did`, `event_name`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_entitlements_tenant_key` ON `entitlements` (`instance_did`, `key`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_price_quotes_tenant_idem` ON `price_quotes` (`instance_did`, `idempotency_key`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_promotion_codes_tenant_code` ON `promotion_codes` (`instance_did`, `livemode`, `code`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_product_vendors_tenant_key` ON `product_vendors` (`instance_did`, `vendor_key`);
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_revenue_snapshots_tenant` ON `revenue_snapshots` (`instance_did`, `timestamp`, `currency_id`, `livemode`, `period_type`);
+DROP INDEX IF EXISTS `idx_revenue_snapshots_unique`;
+DROP INDEX IF EXISTS `idx_entitlements_key`;
+DROP INDEX IF EXISTS `idx_pq_idempotency`;
+
+-- plain tenant indexes for scoped queries (Phase 3+); meter_events is served
+-- by its composite unique above (high-write table, avoid a second index)
+CREATE INDEX IF NOT EXISTS `idx_customers_instance_did` ON `customers` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_products_instance_did` ON `products` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_prices_instance_did` ON `prices` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_pricing_tables_instance_did` ON `pricing_tables` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_methods_instance_did` ON `payment_methods` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_checkout_sessions_instance_did` ON `checkout_sessions` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_intents_instance_did` ON `payment_intents` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_links_instance_did` ON `payment_links` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_setup_intents_instance_did` ON `setup_intents` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_price_quotes_instance_did` ON `price_quotes` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_subscriptions_instance_did` ON `subscriptions` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_subscription_items_instance_did` ON `subscription_items` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_subscription_schedules_instance_did` ON `subscription_schedules` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_invoices_instance_did` ON `invoices` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_invoice_items_instance_did` ON `invoice_items` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_refunds_instance_did` ON `refunds` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_credit_grants_instance_did` ON `credit_grants` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_credit_transactions_instance_did` ON `credit_transactions` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_meters_instance_did` ON `meters` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_usage_records_instance_did` ON `usage_records` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_coupons_instance_did` ON `coupons` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_promotion_codes_instance_did` ON `promotion_codes` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_discounts_instance_did` ON `discounts` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_entitlements_instance_did` ON `entitlements` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_entitlement_grants_instance_did` ON `entitlement_grants` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_entitlement_products_instance_did` ON `entitlement_products` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_events_instance_did` ON `events` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_webhook_endpoints_instance_did` ON `webhook_endpoints` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_webhook_attempts_instance_did` ON `webhook_attempts` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payouts_instance_did` ON `payouts` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_stats_instance_did` ON `payment_stats` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_revenue_snapshots_instance_did` ON `revenue_snapshots` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_auto_recharge_configs_instance_did` ON `auto_recharge_configs` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_tax_rates_instance_did` ON `tax_rates` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_settings_instance_did` ON `settings` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_payment_currencies_instance_did` ON `payment_currencies` (`instance_did`);
+CREATE INDEX IF NOT EXISTS `idx_product_vendors_instance_did` ON `product_vendors` (`instance_did`);

package/cloudflare/migrations/0008_schema_parity.sql

@@ -0,0 +1,16 @@
+-- Phase 11 (W2′) schema parity: close the D1-lineage gaps the schema-drift guard
+-- (scripts/schema-drift-guard.ts) found versus the Umzug canonical schema.
+-- Additive only — safe to apply on a deployed D1 (no drops, no rewrites).
+
+-- events: the Umzug genesis creates `events` with api_version (NOT NULL) and
+-- metadata (JSON); the D1 0001 events table predates both, so the worker could
+-- not write them. Backfill api_version with the app constant
+-- (api/src/libs/audit.ts API_VERSION = '2023-09-05'); new rows carry the same.
+ALTER TABLE `events` ADD COLUMN `api_version` VARCHAR(16) NOT NULL DEFAULT '2023-09-05';
+ALTER TABLE `events` ADD COLUMN `metadata` JSON;
+
+-- Indexes present in the canonical but missing in the D1 lineage (perf parity;
+-- names match the Umzug migrations 20250904-discount / 20251007-relate-tax-rate).
+CREATE INDEX IF NOT EXISTS `idx_discounts_customer_id` ON `discounts` (`customer_id`);
+CREATE INDEX IF NOT EXISTS `idx_invoice_items_tax_rate_id` ON `invoice_items` (`tax_rate_id`);
+CREATE INDEX IF NOT EXISTS `idx_promotion_codes_verification_type_coupon_id` ON `promotion_codes` (`verification_type`, `coupon_id`);

package/cloudflare/migrations/0009_remove_did_space_jobs.sql

@@ -0,0 +1,5 @@
+-- The DID Space billing-mirror integration was removed (libs/did-space.ts,
+-- queues/space.ts). Rows in `jobs` with queue='did-space' can never be picked
+-- up again (the scheduled scan only matches registered queue names), so they
+-- would sit in the table forever. Delete them. Idempotent.
+DELETE FROM jobs WHERE queue = 'did-space';

package/cloudflare/queue-runtime-mode.ts

@@ -0,0 +1,13 @@
+// Phase 12b (W2′): pin the core queue engine to 'workerd' mode.
+//
+// This MUST be imported before any business queue module (api/src/queues/*),
+// because createQueue runs at import time and reads the mode to decide whether
+// to start the node background poll loop(). A frozen CF isolate cannot run a
+// background timer, so the worker disables the loop and drives due-job
+// re-dispatch from scheduled() via the core dispatchDueJobs() surface instead.
+//
+// ESM executes imported module bodies in source order, so importing this first
+// in worker.ts guarantees the mode is set before the engine is constructed.
+import { setQueueRuntimeMode } from '../api/src/libs/queue/runtime';
+
+setQueueRuntimeMode('workerd');

package/cloudflare/run-build.js

@@ -1,412 +1,42 @@
 const { build } = require("esbuild");
 const path = require("path");
+const { buildCfEsbuildOptions } = require("./esbuild-cf-config.cjs");
+
 const cfDir = __dirname;
 const s = (f) => path.resolve(cfDir, f);
 
-// Resolve the absolute path of the original queue module so we can intercept it
-const queueModulePath = path.resolve(cfDir, "../api/src/libs/queue/index.ts");
-const queueShimPath = s("shims/queue.ts");
-
-// Resolve the absolute path of the original lock module so we can intercept it
-const lockModulePath = path.resolve(cfDir, "../api/src/libs/lock.ts");
-const lockShimPath = s("shims/lock.ts");
-
-// Plugin to redirect libs/queue to our CF Workers shim
-const queueNormalizedTarget = queueModulePath.replace(/\/index\.ts$/, '').replace(/\/index$/, '');
-const queueShimPlugin = {
-  name: 'queue-shim',
-  setup(build) {
-    // Intercept any import that resolves to the original queue module
-    build.onResolve({ filter: /libs\/queue/ }, (args) => {
-      const resolveDir = args.resolveDir;
-      if (!resolveDir) return undefined;
-
-      // Resolve the relative import to an absolute path
-      const resolved = path.resolve(resolveDir, args.path).replace(/\/index(\.ts)?$/, '');
-      const match = resolved === queueNormalizedTarget;
-      if (args.path.includes('queue')) {
-        console.log(`[queue-shim] ${match ? 'MATCH' : 'skip'}: ${args.path} -> ${resolved} (target: ${queueNormalizedTarget})`);
-      }
-      if (match) {
-        return { path: queueShimPath };
-      }
-      return undefined;
-    });
-  },
-};
-
-// Plugin to redirect libs/lock to our CF Workers D1-based lock shim
-const lockNormalizedTarget = lockModulePath.replace(/\.ts$/, '');
-const lockShimPlugin = {
-  name: 'lock-shim',
-  setup(build) {
-    build.onResolve({ filter: /libs\/lock/ }, (args) => {
-      const resolveDir = args.resolveDir;
-      if (!resolveDir) return undefined;
-
-      const resolved = path.resolve(resolveDir, args.path).replace(/\.ts$/, '');
-      const match = resolved === lockNormalizedTarget;
-      if (args.path.includes('lock')) {
-        console.log(`[lock-shim] ${match ? 'MATCH' : 'skip'}: ${args.path} -> ${resolved} (target: ${lockNormalizedTarget})`);
-      }
-      if (match) {
-        return { path: lockShimPath };
-      }
-      return undefined;
-    });
-  },
-};
-
-// Plugin to neutralize rolldown-generated `__require(import.meta.url)` helpers
-// that ship inside npm packages built with rolldown (e.g. @ocap/message,
-// @arcblock/did-connect-js). These helpers use `createRequire(import.meta.url)`
-// at module init to pull in CJS deps like `google-protobuf`, `debug`, etc. —
-// which neither resolve nor work in the CF Workers runtime.
-//
-// The downstream patches/shims that use these require calls are all either:
-//   - monkey-patches for edge cases Payment Kit doesn't exercise, or
-//   - debug()/logger() factories that Payment Kit doesn't need on CF.
-//
-// Replace every `_virtual/rolldown_runtime.mjs` with a stub whose `__require`
-// returns a Proxy that swallows further property accesses + function calls,
-// and whose `__commonJSMin` returns an empty-module factory. This lets the
-// importing modules finish loading without crashing the worker at startup.
-const rolldownRuntimeStub = `
-// After the Phase 2 CBOR switch (payment-method.ts + did-connect-auth.ts
-// moved off @ocap/client/legacy), no codepath in the worker calls
-// __require('google-protobuf') at runtime. The CBOR-only @ocap/client
-// default entry + @ocap/client/encode use plain ESM imports for their
-// deps. Any remaining __require calls in Rolldown-compiled packages
-// (debug, @arcblock/event-hub, etc.) are handled by the __noop Proxy
-// below — they don't need real modules for payment-kit's flows.
-const __requireMap = {};
-const __noopTarget = function(){};
-const __noopHandler = {
-  get(t, p) {
-    if (p === Symbol.toPrimitive || p === 'toString') return () => '';
-    if (p === 'default') return new Proxy(__noopTarget, __noopHandler);
-    return new Proxy(__noopTarget, __noopHandler);
-  },
-  apply() { return new Proxy(__noopTarget, __noopHandler); },
-  construct() { return new Proxy(__noopTarget, __noopHandler); },
-};
-const __noop = new Proxy(__noopTarget, __noopHandler);
-export const __commonJSMin = function(cb){
-  return function(){
-    var m = { exports: {} };
-    try { cb(m.exports, m); } catch (_) {}
-    return m.exports;
-  };
-};
-export const __require = function(id){
-  if (__requireMap[id]) return __requireMap[id];
-  return __noop;
-};
-export const __exportAll = function(target, source){
-  if (source) {
-    try {
-      for (var key in source) {
-        if (key !== 'default' && !Object.prototype.hasOwnProperty.call(target, key)) {
-          Object.defineProperty(target, key, {
-            get: function() { return source[key]; },
-            enumerable: true,
-            configurable: true,
-          });
-        }
-      }
-    } catch (_) {}
-  }
-  return target;
-};
-export const __toESM = function(mod){ return mod && mod.__esModule ? mod : { default: mod }; };
-export const __toCommonJS = function(mod){ return mod; };
-export const __copyProps = function(target){ return target; };
-export default { __commonJSMin, __require, __exportAll, __toESM, __toCommonJS, __copyProps };
-`;
-const rolldownRuntimeNoopPlugin = {
-  name: 'rolldown-runtime-noop',
-  setup(build) {
-    // Catch any import that resolves to a `_virtual/rolldown_runtime.mjs`
-    // file, regardless of which package it comes from.
-    build.onResolve({ filter: /_virtual\/rolldown_runtime\.mjs$/ }, (args) => {
-      return { path: args.path, namespace: 'rolldown-runtime-noop' };
-    });
-    build.onLoad({ filter: /.*/, namespace: 'rolldown-runtime-noop' }, () => ({
-      contents: rolldownRuntimeStub,
-      loader: 'js',
-      // Need a resolveDir so the virtual stub's `import "google-protobuf"` resolves
-      // against the workspace's node_modules. Pointing at cfDir is sufficient since
-      // pnpm hoists google-protobuf up to the repo root node_modules.
-      resolveDir: cfDir,
-    }));
-  },
-};
-
-// Plugin: fix lodash sub-path CJS/ESM interop
-// The "lodash" → "lodash-es" alias also redirects require('lodash/camelCase')
-// to lodash-es/camelCase (ESM). CJS consumers get { __esModule, default: fn }
-// instead of the function itself, causing "_m is not a function" at runtime.
-// Fix: intercept lodash-es sub-path imports from CJS contexts and generate a
-// virtual wrapper that re-exports the default as module.exports.
-const lodashSubpathPlugin = {
-  name: 'lodash-subpath-interop',
-  setup(build) {
-    // Intercept resolved lodash-es sub-path imports that come from require() calls
-    // Intercept CJS require('lodash/xxx') — the alias hasn't applied yet at this stage
-    build.onResolve({ filter: /^lodash\/.+/ }, (args) => {
-      if (args.kind === 'require-call') {
-        // Convert lodash/xxx → lodash-es/xxx and wrap for CJS compat
-        const esPath = args.path.replace(/^lodash\//, 'lodash-es/');
-        return {
-          path: esPath,
-          namespace: 'lodash-cjs-compat',
-        };
+// S3-CF Phase 2: the worker-safe alias / shim / plugin / banner table now lives in
+// esbuild-cf-config.cjs, shared with packages/payment-core/build-cf.mjs (the
+// re-bundleable @arcblock/payment-service/cf library) so the standalone Worker and
+// the embedded ./cf artifact can never drift. This script only adds the bits unique
+// to the standalone Worker bundle: the worker.ts entry point (with a default
+// export) and the dist/meta.json + size report.
+
+build(
+  buildCfEsbuildOptions({
+    entryPoints: [s("worker.ts")],
+    outdir: s("dist"),
+  })
+)
+  .then((result) => {
+    require("fs").writeFileSync(s("dist/meta.json"), JSON.stringify(result.metafile));
+    Object.entries(result.metafile.outputs).forEach(function (entry) {
+      var k = entry[0],
+        v = entry[1];
+      if (k.indexOf(".map") === -1) {
+        console.log(k + ": " + (v.bytes / 1024).toFixed(1) + "KB");
       }
     });
-    build.onLoad({ filter: /.*/, namespace: 'lodash-cjs-compat' }, (args) => {
-      // Resolve the actual file path, then read and re-export as CJS.
-      // By loading the original ESM source as 'js' with CJS-style wrapping,
-      // esbuild treats the result as CJS, avoiding the __toModule interop.
-      const subPath = args.path.replace('lodash-es/', '');
-      const filePath = require.resolve(`lodash-es/${subPath}`);
-      const source = require('fs').readFileSync(filePath, 'utf8');
-      // Transform: replace ESM export default with module.exports
-      // lodash-es modules all follow: import deps... ; function fn(...){...}; export default fn;
-      const transformed = source
-        .replace(/^export default /m, 'module.exports = ')
-        .replace(/^export\s*\{[^}]*\}\s*;?\s*$/m, '');
-      return {
-        contents: transformed,
-        loader: 'js',
-        resolveDir: require('path').dirname(filePath),
-      };
-    });
-  },
-};
-
-// Plugin: redirect bare `@arcblock/did-util` and `@ocap/message` imports to their
-// CBOR-only subpath entries, and noop `@arcblock/did-util/protobuf`. This strips
-// the protobuf runtime (`@ocap/proto/runtime`, `google-protobuf`, `*_pb.js`) out
-// of the CF Workers bundle. Only matches EXACT bare specifiers — subpath imports
-// (e.g. `@arcblock/did-util/cbor`) pass through untouched.
-const cborOnlyPlugin = {
-  name: 'cbor-only-redirect',
-  setup(build) {
-    build.onResolve({ filter: /^@arcblock\/did-util$/ }, () => ({
-      path: path.resolve(__dirname, '../../..', 'node_modules/@arcblock/did-util/esm/cbor.mjs'),
-    }));
-    build.onResolve({ filter: /^@ocap\/message$/ }, () => ({
-      path: path.resolve(__dirname, '../../..', 'node_modules/@ocap/message/esm/cbor.mjs'),
-    }));
-    build.onResolve({ filter: /^@arcblock\/did-util\/protobuf$/ }, () => ({
-      path: s('shims/noop.ts'),
-    }));
-  },
-};
-
-// Plugin: noop entire package trees that have sub-path imports (alias alone
-// doesn't work because esbuild treats "axon" alias as prefix, breaking
-// "axon/lib/plugins/queue"). This plugin intercepts bare + sub-path imports.
-const noopPackagesPlugin = {
-  name: 'noop-packages',
-  setup(build) {
-    const packages = ['axon', '@arcblock/ws', '@arcblock/event-hub', 'graphql', 'follow-redirects', 'proxy-from-env'];
-    const filter = new RegExp('^(' + packages.join('|') + ')(\\/|$)');
-    build.onResolve({ filter }, () => ({ path: s('shims/noop.ts') }));
-  },
-};
-
-// Plugin: drop ethers' non-English BIP39 wordlists (~70K dead weight). The payment
-// worker never uses Mnemonic/HD wallets (0 source refs to Mnemonic/HDNode/wordlist),
-// so the 8 non-English word tables never execute. ethers' own /dist build strips
-// these too (~80kb). Keep LangEn (Mnemonic default). Stub the rest with a static
-// wordlist() returning null so wordlists.js's top-level LangXx.wordlist() calls
-// (run at module init) don't crash.
-const dropEthersWordlistsPlugin = {
-  name: 'drop-ethers-wordlists',
-  setup(build) {
-    build.onLoad({ filter: /ethers\/lib\.esm\/wordlists\/lang-(cz|es|fr|ja|ko|it|pt|zh)\.js$/ }, (args) => {
-      const lang = /lang-(\w+)\.js$/.exec(args.path)[1];
-      const cls = 'Lang' + lang.charAt(0).toUpperCase() + lang.slice(1);
-      return { contents: `export class ${cls} { static wordlist() { return null; } }`, loader: 'js' };
-    });
-  },
-};
-
-build({
-  entryPoints: [s("worker.ts")],
-  bundle: true, format: "esm", platform: "node", target: "esnext",
-  outdir: s("dist"), minify: true, sourcemap: true, metafile: true,
-  mainFields: ["module", "main"],
-  plugins: [
-    noopPackagesPlugin, queueShimPlugin, lockShimPlugin, rolldownRuntimeNoopPlugin, lodashSubpathPlugin, dropEthersWordlistsPlugin,
-  ],
-  external: ["cloudflare:*", "__STATIC_CONTENT_MANIFEST"],
-  // Give import.meta.url a stable fallback so bundled deps that call
-  // createRequire(import.meta.url) at module init don't throw at worker
-  // startup. The polyfill in banner handles any legitimate require() lookups.
-  define: {
-    "import.meta.url": '"file:///worker.js"',
-  },
-  banner: {
-    js: [
-      '// Polyfill require() for CJS modules that dynamically require Node builtins',
-      'import __nodeCrypto from "node:crypto";',
-      'import __nodeBuffer from "node:buffer";',
-      'import __nodeEvents from "node:events";',
-      'import __nodeStream from "node:stream";',
-      'import __nodeUtil from "node:util";',
-      'import __nodeAssert from "node:assert";',
-      'import __nodePath from "node:path";',
-      'import __nodeUrl from "node:url";',
-      'import __nodeProcess from "node:process";',
-      'const __qsShim = { stringify: function(o) { return new URLSearchParams(o).toString(); }, parse: function(s) { return Object.fromEntries(new URLSearchParams(s).entries()); } };',
-      'const __nodeModules = { crypto: __nodeCrypto, buffer: __nodeBuffer, events: __nodeEvents, stream: __nodeStream, util: __nodeUtil, assert: __nodeAssert, path: __nodePath, url: __nodeUrl, process: __nodeProcess, querystring: __qsShim };',
-      '// Accept both "xxx" and "node:xxx" specifier forms; return empty stub for unknown modules',
-      '// (some deps tree-shake to nothing but still call require() at init — a hard throw crashes the worker).',
-      'globalThis.require = globalThis.require || function(m) { var key = typeof m === "string" && m.indexOf("node:") === 0 ? m.slice(5) : m; if (__nodeModules[key]) return __nodeModules[key]; console.warn("[require shim] unknown module: " + m); return {}; };',
-      '// Ensure process.stderr.fd exists for debug/supports-color',
-      'if (typeof process !== "undefined") { if (!process.stderr) process.stderr = { fd: 2, write: function(){} }; else if (process.stderr.fd === undefined) process.stderr.fd = 2; if (!process.stdout) process.stdout = { fd: 1, write: function(){} }; else if (process.stdout.fd === undefined) process.stdout.fd = 1; }',
-      '// Polyfill process.on/process.exit for modules that use them at init',
-      'if (typeof process !== "undefined" && !process.on) { process.on = function(){}; process.once = function(){}; process.off = function(){}; process.removeListener = function(){}; process.emit = function(){}; process.exit = function(){}; }',
-      '// CF Workers: defer timers called during global scope init until first request',
-      'var __deferredTimers = []; var __timersReady = false;',
-      'globalThis.__flushDeferredTimers = function() { if (__timersReady) return; __timersReady = true; var q = __deferredTimers; __deferredTimers = []; q.forEach(function(entry) { try { entry.fn.apply(null, entry.args); } catch(e) { console.error("deferred timer error:", e); } }); };',
-      'var _origSetTimeout = globalThis.setTimeout; globalThis.setTimeout = function() { if (!__timersReady) { var args = arguments; var fn = args[0]; __deferredTimers.push({fn: function(){ _origSetTimeout.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return 0; } }; } var id = _origSetTimeout.apply(this, arguments); if (typeof id === "number") { return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return id; } }; } if (id && !id.unref) id.unref = function(){}; return id; };',
-      'var _origSetInterval = globalThis.setInterval; globalThis.setInterval = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetInterval.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return 0; } }; } var id = _origSetInterval.apply(this, arguments); if (typeof id === "number") { return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return id; } }; } if (id && !id.unref) id.unref = function(){}; return id; };',
-      'var _origSetImmediate = globalThis.setImmediate; if (_origSetImmediate) { globalThis.setImmediate = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetImmediate.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){} }; } return _origSetImmediate.apply(this, arguments); }; } else { globalThis.setImmediate = function(fn) { if (!__timersReady) { __deferredTimers.push({fn: function(){ _origSetTimeout(fn, 0); }, args: []}); return { unref: function(){}, ref: function(){} }; } return _origSetTimeout(fn, 0); }; }',
-      'if (typeof process !== "undefined") { var _origNextTick = process.nextTick; if (_origNextTick) { process.nextTick = function() { if (!__timersReady) { var args = Array.prototype.slice.call(arguments); var fn = args.shift(); __deferredTimers.push({fn: function(){ _origNextTick.apply(process, [fn].concat(args)); }, args: []}); return; } return _origNextTick.apply(process, arguments); }; } else { process.nextTick = function(fn) { if (!__timersReady) { __deferredTimers.push({fn: function(){ _origSetTimeout(fn, 0); }, args: []}); return; } _origSetTimeout(fn, 0); }; } }',
-    ].join('\n'),
-  },
-  alias: {
-    // axios → lightweight fetch-based shim (115KB → ~2KB)
-    "axios": s("shims/axios-lite.ts"),
-
-    // node-fetch → native fetch (drops encoding/tr46/whatwg-url polyfill ~754KB
-    // pulled in by @apple/app-store-server-library; dead weight on CF Workers)
-    "node-fetch": s("shims/node-fetch.ts"),
-
-    // Stripe — wrap constructor to use fetch HTTP client in CF Workers
-    "stripe": s("shims/stripe-cf.ts"),
-    "__real_stripe__": require.resolve("stripe"),
-
-    // @ocap/message ships a patch.mjs that monkey-patches google-protobuf at
-    // module init. google-protobuf isn't available in CF Workers (no filesystem
-    // for createRequire to resolve), and Payment Kit doesn't use the features
-    // that patch touches. Replace with a noop so the import chain stays alive
-    // but the patch is skipped. Same for the rolldown_runtime helper that
-    // relies on createRequire(import.meta.url).
-    "@ocap/message/esm/patch.mjs": s("shims/noop.ts"),
-    "@ocap/message/esm/_virtual/rolldown_runtime.mjs": s("shims/noop.ts"),
-
-    "sequelize": s("shims/sequelize-d1/index.ts"),
-    "sqlite3": s("shims/noop.ts"),
-    "cls-hooked": s("shims/noop.ts"),
-    "express-async-errors": s("shims/noop.ts"),
-    "express": s("shims/express-compat/index.ts"),
-    "cors": s("shims/cors.ts"),
-    "cookie-parser": s("shims/cookie-parser.ts"),
-    "@blocklet/sdk/lib/middlewares/fallback": s("shims/blocklet-sdk/fallback.ts"),
-    "@blocklet/sdk/lib/middlewares/cdn": s("shims/blocklet-sdk/cdn.ts"),
-    "@blocklet/sdk/lib/middlewares/session": s("shims/blocklet-sdk/session.ts"),
-    "@blocklet/sdk/lib/middlewares": s("shims/blocklet-sdk/middlewares.ts"),
-    "@blocklet/sdk/lib/env": s("shims/blocklet-sdk/env.ts"),
-    "@blocklet/sdk/lib/config": s("shims/blocklet-sdk/config.ts"),
-    "@blocklet/sdk/lib/component": s("shims/blocklet-sdk/component.ts"),
-    "@blocklet/sdk/lib/wallet": s("shims/blocklet-sdk/wallet.ts"),
-    "@blocklet/sdk/lib/wallet-authenticator": s("shims/blocklet-sdk/wallet-authenticator.ts"),
-    "@blocklet/sdk/lib/wallet-handler": s("shims/blocklet-sdk/wallet-handler.ts"),
-    "@blocklet/sdk/lib/security": s("shims/blocklet-sdk/security.ts"),
-    "@blocklet/sdk/lib/util/verify-sign": s("shims/blocklet-sdk/verify-sign.ts"),
-    "@blocklet/sdk/lib/util/verify-session": s("shims/blocklet-sdk/verify-session.ts"),
-    "@blocklet/sdk/lib/util/component-api": s("shims/blocklet-sdk/component-api.ts"),
-    "@blocklet/sdk/lib/error-handler": s("shims/noop.ts"),
-    "@blocklet/sdk/lib/did": s("shims/blocklet-sdk/did.ts"),
-    "@blocklet/sdk/lib/types/notification": s("shims/noop.ts"),
-    "@blocklet/sdk/service/notification": s("shims/blocklet-sdk/notification.ts"),
-    "@blocklet/sdk/service/eventbus": s("shims/blocklet-sdk/eventbus.ts"),
-    "@blocklet/sdk/service/auth": s("shims/blocklet-sdk/auth-service.ts"),
-    "@blocklet/sdk/service/blocklet": s("shims/blocklet-sdk/auth-service.ts"),
-    "@blocklet/sdk": s("shims/blocklet-sdk/index.ts"),
-    "@blocklet/xss": s("shims/xss.ts"),
-    "@blocklet/error": s("shims/error.ts"),
-    "@blocklet/logger": s("shims/blocklet-sdk/logger.ts"),
-    "@blocklet/did-space-js": s("shims/did-space.ts"),
-    "@blocklet/payment-vendor": s("shims/payment-vendor.ts"),
-    "@arcblock/did-connect-storage-nedb": s("shims/nedb-storage.ts"),
-    "@abtnode/cron": s("shims/cron.ts"),
-    "dotenv-flow": s("shims/noop.ts"),
-    "fastq": s("shims/fastq.ts"),
-
-    // Bundle size optimizations — lodash base import aliased to lodash-es for tree-shaking.
-    // Sub-path imports (lodash/camelCase etc.) handled by lodashSubpathPlugin below.
-    "lodash": "lodash-es",                   // 357KB CJS → tree-shakeable ESM
-    "esprima": s("shims/noop.ts"),           // 215KB — only used by @ocap/contract, not called in payment-kit
-    "mustache": s("shims/noop.ts"),          //  16KB — template engine, not used in payment-kit
-    "mime-types": s("shims/mime-types.ts"),   // 150KB — lightweight shim with common MIME types
-    "mime-db": s("shims/noop.ts"),
-    "ws": s("shims/ws-lite.ts"),             //  66KB — native WebSocket wrapper for CF Workers
-    "crypto-js": s("shims/crypto-js-warn.ts"),  // 115KB — AES legacy not used, warns if called
-    "crypto-js/aes": s("shims/crypto-js-warn.ts"),
-    "crypto-js/enc-base64": s("shims/noop.ts"),
-    "crypto-js/enc-hex": s("shims/noop.ts"),
-    "crypto-js/enc-latin1": s("shims/noop.ts"),
-    "crypto-js/enc-utf8": s("shims/noop.ts"),
-    "crypto-js/enc-utf16": s("shims/noop.ts"),
-
-    // Force ESM-only to avoid CJS+ESM double-bundling
-    "valibot": path.resolve(__dirname, "../../..", "node_modules/valibot/dist/index.mjs"), // 396KB → ~200KB
-    // CF Workers: noop modules not useful in Workers environment
-    "phoenix": s("shims/noop.ts"),                // 36KB — Phoenix channels, only used by @arcblock/ws
-    "numbro": s("shims/noop.ts"),                 // 49KB — number formatting, replaced inline in util.ts
-
-    // Node built-in shims (not fully supported in CF Workers nodejs_compat)
-    "os": s("shims/node-os.ts"),
-    "node:os": s("shims/node-os.ts"),
-    "tty": s("shims/node-tty.ts"),
-    "node:tty": s("shims/node-tty.ts"),
-    "http": s("shims/node-http.ts"),
-    "node:http": s("shims/node-http.ts"),
-    "https": s("shims/node-https.ts"),
-    "node:https": s("shims/node-https.ts"),
-    "http2": s("shims/node-http.ts"),
-    "node:http2": s("shims/node-http.ts"),
-    "net": s("shims/node-net.ts"),
-    "node:net": s("shims/node-net.ts"),
-    "tls": s("shims/node-misc.ts"),
-    "node:tls": s("shims/node-misc.ts"),
-    "fs": s("shims/node-fs.ts"),
-    "node:fs": s("shims/node-fs.ts"),
-    "cluster": s("shims/node-misc.ts"),
-    "node:cluster": s("shims/node-misc.ts"),
-    "zlib": s("shims/node-zlib.ts"),
-    "node:zlib": s("shims/node-zlib.ts"),
-    "child_process": s("shims/node-child-process.ts"),
-    "node:child_process": s("shims/node-child-process.ts"),
-    "bufferutil": s("shims/noop.ts"),
-    "utf-8-validate": s("shims/noop.ts"),
-    "dns": s("shims/noop.ts"),
-    "node:dns": s("shims/noop.ts"),
-    "pg": s("shims/noop.ts"),
-    "postgres": s("shims/noop.ts"),
-  },
-  logLevel: "warning",
-}).then(result => {
-  require('fs').writeFileSync(s('dist/meta.json'), JSON.stringify(result.metafile));
-  Object.entries(result.metafile.outputs).forEach(function(entry) {
-    var k = entry[0], v = entry[1];
-    if (k.indexOf(".map") === -1) {
-      console.log(k + ": " + (v.bytes / 1024).toFixed(1) + "KB");
+    console.log("BUILD SUCCESS");
+  })
+  .catch((err) => {
+    console.error("BUILD FAILED: " + (err.errors ? err.errors.length + " errors" : err.message));
+    if (err.errors) {
+      err.errors.slice(0, 20).forEach(function (e) {
+        var loc = e.location ? " at " + e.location.file + ":" + e.location.line : "";
+        console.error("  " + e.text + loc);
+      });
+      if (err.errors.length > 20) console.error("  ... and " + (err.errors.length - 20) + " more");
     }
+    process.exitCode = 1;
   });
-  console.log("BUILD SUCCESS");
-}).catch(err => {
-  console.error("BUILD FAILED: " + (err.errors ? err.errors.length + " errors" : err.message));
-  if (err.errors) {
-    err.errors.slice(0, 20).forEach(function(e) {
-      var loc = e.location ? " at " + e.location.file + ":" + e.location.line : "";
-      console.error("  " + e.text + loc);
-    });
-    if (err.errors.length > 20) console.error("  ... and " + (err.errors.length - 20) + " more");
-  }
-});

package/cloudflare/scripts/cf-package-import-probe.mjs

@@ -0,0 +1,90 @@
+// S3-CF Phase 2 命门 acceptance gate — the tiny-worker dynamic import probe.
+//
+// Builds a throwaway Worker whose ONLY payment touchpoint is
+//   import { createCloudflarePaymentAdapter } from "@arcblock/payment-service/cf";
+// and runs `wrangler deploy --dry-run` with a CLEAN wrangler config: NO alias, NO
+// define, NO external rules of its own — only `nodejs_compat`. If the published
+// `./cf` artifact is genuinely self-contained + re-bundleable, this succeeds. If
+// the consumer would need ANY alias/define/external, wrangler reports an unresolved
+// import and the probe fails (命门 RED → architecture §3 service-binding fallback).
+//
+//   node blocklets/core/cloudflare/scripts/cf-package-import-probe.mjs
+//
+// Reproducible: a fixed temp dir, the local payment-core symlinked as
+// @arcblock/payment-service so the package `exports` map ("./cf" → dist/cf.js) is
+// what resolves — exactly what arc sees from the published tarball.
+
+import { mkdirSync, writeFileSync, rmSync, symlinkSync, existsSync } from 'fs';
+import { dirname, join, resolve } from 'path';
+import { fileURLToPath } from 'url';
+import { execFileSync } from 'child_process';
+import { tmpdir } from 'os';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const paymentCoreDir = resolve(here, '../../../../packages/payment-core');
+const cfDist = join(paymentCoreDir, 'dist', 'cf.js');
+
+if (!existsSync(cfDist)) {
+  console.error(`probe RED — ${cfDist} missing. Run \`node packages/payment-core/build-cf.mjs\` first.`);
+  process.exit(1);
+}
+
+const probeDir = join(tmpdir(), 'cf-import-probe');
+rmSync(probeDir, { recursive: true, force: true });
+mkdirSync(join(probeDir, 'src'), { recursive: true });
+mkdirSync(join(probeDir, 'node_modules', '@arcblock'), { recursive: true });
+
+// Symlink the local payment-core as @arcblock/payment-service so the import
+// resolves through the real package `exports` map — NOT a bypass path.
+symlinkSync(paymentCoreDir, join(probeDir, 'node_modules', '@arcblock', 'payment-service'), 'dir');
+
+// The tiny worker. Reference the imported symbol so esbuild can't tree-shake the
+// import away (the whole point is to force the ./cf graph into the bundle).
+writeFileSync(
+  join(probeDir, 'src', 'index.ts'),
+  `import { createCloudflarePaymentAdapter, PAYMENT_PREFIX } from "@arcblock/payment-service/cf";
+export default {
+  async fetch() {
+    // touch the import so it is retained; never actually called in --dry-run
+    if (typeof createCloudflarePaymentAdapter !== "function") throw new Error("not a function");
+    return new Response("ok:" + PAYMENT_PREFIX);
+  },
+};
+`,
+);
+
+// CLEAN wrangler config — the load-bearing part of the gate: zero alias / zero
+// define / zero external rules. Only nodejs_compat (a platform flag every Workers
+// host sets), the same the standalone worker uses.
+writeFileSync(
+  join(probeDir, 'wrangler.jsonc'),
+  JSON.stringify(
+    {
+      name: 'cf-import-probe',
+      main: 'src/index.ts',
+      compatibility_date: '2026-01-01',
+      compatibility_flags: ['nodejs_compat'],
+    },
+    null,
+    2,
+  ),
+);
+
+writeFileSync(join(probeDir, 'package.json'), JSON.stringify({ name: 'cf-import-probe', private: true }, null, 2));
+
+const outDir = join(probeDir, 'out');
+console.log(`[probe] wrangler deploy --dry-run in ${probeDir} (clean config: nodejs_compat only)`);
+try {
+  const stdout = execFileSync(
+    'npx',
+    ['wrangler', 'deploy', '--dry-run', '--outdir', outDir],
+    { cwd: probeDir, encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] },
+  );
+  console.log(stdout);
+  console.log('\n命门 GREEN — tiny worker built + dry-run deployed with ZERO consumer-side alias/define/external ✓');
+} catch (err) {
+  console.error('\n命门 RED — tiny worker dry-run FAILED. Consumer would need alias/define/external:');
+  console.error(err.stdout || '');
+  console.error(err.stderr || err.message);
+  process.exit(1);
+}