payment-kit 1.29.1 → 1.29.3

package/cloudflare/scripts/didconnect-mock-smoke.mjs

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+/**
+ * S3-CF (DID convergence) — local mock-AUTH_SERVICE smoke (TEST HARNESS ONLY).
+ *
+ * Runs the REAL built worker (dist/worker.js) in Miniflare with a MOCK AUTH_SERVICE
+ * that implements the production RPC contract (getInstanceAppIdentity) returning a
+ * deterministic TEST-ONLY appSk — no real secret, never in prod/wrangler config.
+ *
+ * The smoke goes through the REAL path (no handler/authenticator bypass):
+ *   Host → tenant context → CF IdentityDriver → AUTH_SERVICE.getInstanceAppIdentity
+ *   → resolveTenantIdentity → real @arcblock/did-connect-js authenticator
+ *   → core buildConnectRoutesHono → tokenStorage.create (CF D1).
+ *
+ * Asserts the locally-verifiable integration facts:
+ *   - /api/did/<action>/token is registered (not 404) and, WITH the mock, no longer
+ *     fail-closes on getInstanceAppIdentity (the mock RPC is reached + appSk used);
+ *   - a token row lands in the CF D1 _did_connect_tokens table, stamped with the
+ *     tenant instanceDid.
+ * (The full wallet scan/auth handshake against a REAL AUTH_SERVICE stays a
+ * deploy/staging gate — see cloudflare/README.md.)
+ *
+ *   node scripts/didconnect-mock-smoke.mjs
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { Miniflare } from "miniflare";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const cfDir = join(__dirname, "..");
+const workerPath = join(cfDir, "dist", "worker.js");
+
+if (!existsSync(workerPath)) {
+  console.error(`mock-smoke: ${workerPath} not found — run \`node run-build.js\` first.`);
+  process.exit(2);
+}
+
+// Deterministic TEST-ONLY app signing key (ROLE_APPLICATION/ED25519/SHA3). NOT a
+// real secret — generated once for the harness; isolation uses a second key.
+const TEST_APP_SK =
+  "0xe86ad1043f2de80374ea9eb2ca5a0cdf0111126804cfb128e9e658cc44ae47694497dddaacf925929a19e8bc84a5059569983f307a4c67a694cca79c2001e634";
+const INSTANCE_DID = "zMOCK_APP_INSTANCE";
+
+const mockAuthScript = `
+  import { WorkerEntrypoint } from 'cloudflare:workers';
+  // Mock of the did-connect-service@4.0.3 AUTH_SERVICE RPC surface used on the DID path.
+  export class MockAuth extends WorkerEntrypoint {
+    async getInstanceAppIdentity(instanceDid) {
+      return { appSk: ${JSON.stringify(TEST_APP_SK)}, appInfo: { name: 'Mock Tenant', description: 'mock', icon: 'https://x/i.png' } };
+    }
+    async resolveInstanceDidForHost(host) { return null; }
+    async getAppEk(instanceDid) { return null; }
+    async resolveIdentity() { return null; }
+  }
+  export default { fetch() { return new Response('mock-auth'); } };
+`;
+
+const mf = new Miniflare({
+  workers: [
+    {
+      name: "payment",
+      modules: true,
+      modulesRoot: join(cfDir, "dist"),
+      scriptPath: workerPath,
+      compatibilityDate: "2024-12-01",
+      compatibilityFlags: ["nodejs_compat"],
+      d1Databases: { DB: "payment-mock-smoke" },
+      serviceBindings: { AUTH_SERVICE: { name: "mock-auth", entrypoint: "MockAuth" } },
+      bindings: {
+        APP_NAME: "Payment Kit",
+        APP_PID: INSTANCE_DID,
+        APP_URL: "http://localhost",
+        PAYMENT_LIVEMODE: "false",
+      },
+    },
+    {
+      name: "mock-auth",
+      modules: true,
+      script: mockAuthScript,
+      compatibilityDate: "2024-12-01",
+      compatibilityFlags: ["nodejs_compat"],
+    },
+  ],
+});
+
+let failed = false;
+const log = (...a) => console.log(...a);
+
+try {
+  const db = await mf.getD1Database("DB", "payment");
+  await db.exec(
+    "CREATE TABLE IF NOT EXISTS _did_connect_tokens (token TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)",
+  );
+
+  // 1) healthz
+  const health = await mf.dispatchFetch("http://localhost/api/healthz");
+  log("=== healthz ===", health.status, await health.text());
+
+  // 2) /api/did/payment/token through the mock AUTH_SERVICE
+  const res = await mf.dispatchFetch("http://localhost/api/did/payment/token", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: "{}",
+  });
+  const body = await res.text();
+  log("=== POST /api/did/payment/token ===", res.status);
+  log(body.slice(0, 800));
+
+  if (body.includes("getInstanceAppIdentity unavailable")) {
+    console.error("FAIL: still fail-closed — the mock AUTH_SERVICE RPC was not reached");
+    failed = true;
+  } else {
+    log("PASS: past the fail-closed gate — mock getInstanceAppIdentity reached + appSk resolved");
+  }
+
+  // 3) a token row landed in D1, stamped with the tenant instanceDid
+  const { results } = await db.prepare("SELECT token, data FROM _did_connect_tokens").all();
+  log("=== _did_connect_tokens rows ===", JSON.stringify(results, null, 2));
+  const tagged = (results || []).some((r) => {
+    try {
+      return JSON.parse(r.data).instanceDid === INSTANCE_DID;
+    } catch {
+      return false;
+    }
+  });
+  if (tagged) {
+    log(`PASS: a token row is stamped with instanceDid=${INSTANCE_DID}`);
+  } else {
+    console.error("FAIL: no token row stamped with the tenant instanceDid");
+    failed = true;
+  }
+} catch (err) {
+  console.error("mock-smoke error:", err?.stack || err?.message || err);
+  failed = true;
+} finally {
+  await mf.dispose();
+}
+
+process.exit(failed ? 1 : 0);

package/cloudflare/shims/blocklet-sdk/asset-host-transformer.ts

@@ -0,0 +1,20 @@
+// CF shim for @blocklet/sdk/lib/util/asset-host-transformer.
+//
+// DEAD on the CF path: the only importer is the cdn middleware (node-shell only —
+// HTML CDN-URL rewriting on the full node app shell). The worker serves JSON API
+// routes through a LITE app-shell, so cdn never executes. A pass-through stub is
+// enough to resolve the bundled-but-unreachable node code.
+export class AssetHostTransformer {
+  // eslint-disable-next-line @typescript-eslint/no-useless-constructor, no-empty-function
+  constructor(_assetHost?: string) {}
+
+  transform(html: string, _assetHost?: string): string {
+    return html;
+  }
+
+  transformBuffer(body: Buffer | Uint8Array, _assetHost?: string): Buffer | Uint8Array {
+    return body;
+  }
+}
+
+export default { AssetHostTransformer };

package/cloudflare/shims/blocklet-sdk/config.ts

@@ -4,5 +4,12 @@ export { env };
 export const Events = {};
 export const events = { on: () => {}, emit: () => {} };
 
-const config = { env, Events, events };
+// Phase 4 (express→hono): the fallback middleware (SPA serving) reads these. It is
+// node-shell only — DEAD on the CF worker (which never serves the SPA) — so a
+// resolving stub is enough. getBlockletSettings also backs sessionMiddleware's
+// blacklist check, which is gated off on CF (enableBlacklist: false).
+export const getBlockletSettings = (): any => ({ enableBlacklist: false, theme: {} });
+export const getBlockletJs = (..._args: any[]): string => '';
+
+const config = { env, Events, events, getBlockletSettings, getBlockletJs };
 export default config;

package/cloudflare/shims/blocklet-sdk/login.ts

@@ -0,0 +1,12 @@
+// CF shim for @blocklet/sdk/lib/util/login.
+//
+// Reached on the LIVE CF path: sessionMiddleware (used by many resource routes)
+// calls isLoginToken/isAccessKey to classify the bearer token. These are pure
+// string-format checks — copied verbatim from the upstream so behavior matches.
+export const isLoginToken = (token: unknown): boolean =>
+  typeof token === 'string' && token.split('.').length === 3;
+
+export const isAccessKey = (token: unknown): boolean =>
+  typeof token === 'string' && token.split('.').length === 1 && token.startsWith('blocklet-');
+
+export default { isLoginToken, isAccessKey };

package/cloudflare/shims/blocklet-sdk/service-api.ts

@@ -0,0 +1,14 @@
+// CF shim for @blocklet/sdk/lib/util/service-api.
+//
+// The only caller on the CF path is sessionMiddleware's login-token blacklist
+// check, which is gated by `blockletSettings.enableBlacklist` (off on the CF
+// worker — the worker resolves identity via AUTH_SERVICE RPC, not the blacklist
+// endpoint). The old express-compat CF path never ran this check at all, so a
+// stub that reports "valid" preserves the worker's (no-blacklist) behavior and
+// never wrongly blocks a token if the setting is somehow on.
+const serviceApi = {
+  post: async (_url: string, _body?: unknown) => ({ data: { valid: true } }),
+  get: async (_url: string) => ({ data: {} }),
+};
+
+export default serviceApi;

package/cloudflare/shims/blocklet-sdk/session.ts

@@ -1,6 +1,8 @@
 // @blocklet/sdk/lib/middlewares/session shim
-// Auth is resolved in Hono middleware layer via AUTH_SERVICE RPC.
-// req.user is already populated by mountExpressRoutes().
+// Auth is resolved in the Hono middleware layer via AUTH_SERVICE RPC, then injected
+// as x-user-* request headers by the worker's /api/* dispatcher (worker.ts) — the
+// native authenticate()/sessionMiddleware read those. This express-middleware shim
+// is inert (the old express-compat mountExpressRoutes path it served is gone).
 export default function sessionMiddleware(_options?: any) {
   return (_req: any, _res: any, next: any) => next();
 }

package/cloudflare/shims/blocklet-sdk/util-constants.ts

@@ -0,0 +1,8 @@
+// CF shim for @blocklet/sdk/lib/util/constants.
+//
+// Reached via the fallback middleware (node-shell SPA serving — DEAD on the CF
+// worker, which never serves the SPA). SERVICE_PREFIX carries its real upstream
+// value so the bundled-but-unreachable node code is byte-faithful.
+export const SERVICE_PREFIX = '/.well-known/service';
+
+export default { SERVICE_PREFIX };

package/cloudflare/shims/blocklet-sdk/wallet-authenticator.ts

@@ -1,3 +1,18 @@
+// CF FAIL-FAST shim for @blocklet/sdk/lib/wallet-authenticator.
+//
+// S3-CF (DID convergence): see wallet-handler.ts. On workerd the @blocklet/sdk
+// WalletAuthenticator is a no-op — it cannot sign DID-Connect sessions/certs. CF
+// (and arc-node embedded) MUST inject the real @arcblock/did-connect-js runtime.
+// Throw on construct so a host that forgot to inject fails loudly instead of
+// producing an authenticator that silently signs nothing.
+const FORBIDDEN =
+  'CF must inject a DID-Connect runtime via setDidConnectRuntime(createCloudflareDidConnectRuntime); ' +
+  'the @blocklet/sdk wallet-authenticator shim is forbidden on workerd';
+
 export class WalletAuthenticator {
-  constructor(_opts?: any) {}
+  constructor(_opts?: any) {
+    throw new Error(`[did-connect] WalletAuthenticator: ${FORBIDDEN}`);
+  }
 }
+
+export default { WalletAuthenticator };

package/cloudflare/shims/blocklet-sdk/wallet-handler.ts

@@ -1,6 +1,21 @@
+// CF FAIL-FAST shim for @blocklet/sdk/lib/wallet-handler.
+//
+// S3-CF (DID convergence): on workerd the @blocklet/sdk wallet wrapper is NOT a
+// working DID-Connect implementation. CF (and arc-node embedded) MUST inject the
+// real @arcblock/did-connect-js runtime via setDidConnectRuntime
+// (createCloudflareDidConnectRuntime). This used to be a silent no-op stub whose
+// `attach()` registered ZERO routes — a CF host that forgot to inject would serve
+// no DID-Connect routes and fail only at request time. It now throws on construct
+// so the misconfiguration fails loudly (a spec asserts the AUTH_SERVICE runtime
+// never reaches this path).
+const FORBIDDEN =
+  'CF must inject a DID-Connect runtime via setDidConnectRuntime(createCloudflareDidConnectRuntime); ' +
+  'the @blocklet/sdk wallet-handler shim is forbidden on workerd';
+
 export class WalletHandlers {
-  constructor(_opts?: any) {}
-  attach(_opts: any) {
-    // TODO: implement DID Connect for CF
+  constructor(_opts?: any) {
+    throw new Error(`[did-connect] WalletHandlers: ${FORBIDDEN}`);
   }
 }
+
+export default { WalletHandlers };

package/cloudflare/shims/cron.ts

@@ -1,182 +1,62 @@
-// @abtnode/cron shim for CF Cron Triggers
+// @abtnode/cron shim for CF Cron Triggers (Phase 9, W2-1b).
 //
-// The real @abtnode/cron exports { init } where init({ context, jobs, onError }) registers jobs.
-// In CF Workers, we store the jobs and execute them via the scheduled() handler.
-//
-// The shim parses 6-field cron expressions (sec min hour day month weekday)
-// and only runs jobs whose schedule matches the current 5-minute window.
-
-type CronJob = {
-  name: string;
-  time: string;
-  fn: () => Promise<any> | any;
-  options?: { runOnInit?: boolean };
-};
+// The real @abtnode/cron exports { init } where init({ jobs, onError }) registers
+// jobs. In CF Workers we store the jobs and execute due ones from scheduled().
+// The cron-expression matcher + registry now live in the shared cron driver
+// (api/src/libs/drivers/cron.ts) so embedded and worker agree on when a job is
+// due; this file is the thin worker adapter that keeps the @abtnode/cron API.
+
+import {
+  createCronRegistry,
+  setCronDriver,
+  getCronDriver,
+  matchesCron,
+  shouldRunInWindow,
+} from '../../api/src/libs/drivers/cron';
+
+// D2: crons/index.ts now registers through getCronDriver() instead of importing
+// @abtnode/cron directly. On CF this shim is the active cron driver, so make the
+// cf-cron registry the global driver at module load — BEFORE worker.ts calls
+// crons.init(). That keeps crons.init()'s register() and this shim's runAll() on
+// the SAME passive cf-cron registry (host drives runDue from scheduled(); no
+// @abtnode/cron self-scheduling timer is ever created in the frozen isolate).
+const registry = createCronRegistry('cf-cron');
+setCronDriver(registry);
 
 type InitOptions = {
   context?: any;
-  jobs: CronJob[];
+  jobs: Array<{ name: string; time: string; fn: () => Promise<any> | any; options?: { runOnInit?: boolean } }>;
   onError?: (error: Error, name: string) => void;
 };
 
-// Singleton storage for registered cron jobs
-const registeredJobs: CronJob[] = [];
-let onErrorHandler: ((error: Error, name: string) => void) | undefined;
-
-// --- Cron expression matcher ---
-// Supports 6-field format: second minute hour dayOfMonth month dayOfWeek
-// Supports: numbers, *, */N, ranges (1-5), lists (1,3,5)
-
-function parseField(field: string, min: number, max: number): number[] | null {
-  // null means "match all"
-  if (field === '*') return null;
-
-  const values = new Set<number>();
-
-  for (const part of field.split(',')) {
-    // */N — every N
-    const stepMatch = part.match(/^\*\/(\d+)$/);
-    if (stepMatch) {
-      const step = parseInt(stepMatch[1], 10);
-      for (let i = min; i <= max; i += step) {
-        values.add(i);
-      }
-      continue;
-    }
-
-    // N-M — range
-    const rangeMatch = part.match(/^(\d+)-(\d+)$/);
-    if (rangeMatch) {
-      const from = parseInt(rangeMatch[1], 10);
-      const to = parseInt(rangeMatch[2], 10);
-      for (let i = from; i <= to; i++) {
-        values.add(i);
-      }
-      continue;
-    }
-
-    // N — single value
-    const num = parseInt(part, 10);
-    if (!isNaN(num)) {
-      values.add(num);
-    }
-  }
-
-  return values.size > 0 ? Array.from(values) : null;
-}
-
-/**
- * Check if a date matches a 6-field cron expression.
- * Returns true if the date's minute/hour/day/month/weekday match.
- * Seconds field is ignored (CF triggers are minute-level).
- */
-function matchesCron(cronExpr: string, date: Date): boolean {
-  const fields = cronExpr.trim().split(/\s+/);
-  if (fields.length < 5) return true; // Can't parse — run it
-
-  // 6-field: sec min hour dom month dow
-  // 5-field: min hour dom month dow
-  const offset = fields.length >= 6 ? 1 : 0;
-
-  const minuteField = parseField(fields[offset], 0, 59);
-  const hourField = parseField(fields[offset + 1], 0, 23);
-  const domField = parseField(fields[offset + 2], 1, 31);
-  const monthField = parseField(fields[offset + 3], 0, 11); // cron months are 1-12, JS is 0-11
-  const dowField = parseField(fields[offset + 4], 0, 6);
-
-  const m = date.getUTCMinutes();
-  const h = date.getUTCHours();
-  const dom = date.getUTCDate();
-  const month = date.getUTCMonth() + 1; // JS 0-based → cron 1-based
-  const dow = date.getUTCDay(); // 0=Sunday
-
-  if (minuteField && !minuteField.includes(m)) return false;
-  if (hourField && !hourField.includes(h)) return false;
-  if (domField && !domField.includes(dom)) return false;
-  if (monthField && !monthField.includes(month)) return false;
-  if (dowField && !dowField.includes(dow)) return false;
-
-  return true;
-}
-
-// Check if a cron expression should fire at the given date (minute-level match).
-//
-// History: this helper previously used a 5-minute look-ahead window, under the
-// assumption that CF Cron Triggers fire every 5 minutes. Once the deploy config
-// switched to every-minute cron, that window made every stepped expression fire
-// 5x more often than intended, driving CF Queues past the free-tier daily cap
-// (2026-04-17 incident). With CF Scheduled firing every minute, we only check
-// the current minute — each cron expression triggers at its designed frequency.
-// See docs/cf-queues-ops-alert-analysis.md § 改动 B.
-function shouldRunInWindow(cronExpr: string, date: Date): boolean {
-  return matchesCron(cronExpr, date);
-}
-
-// --- Cron shim API ---
-
 function init(options: InitOptions) {
-  registeredJobs.length = 0;
-  onErrorHandler = options.onError;
-
-  for (const job of options.jobs || []) {
-    if (job.name && job.time && typeof job.fn === 'function') {
-      registeredJobs.push(job);
-    }
-  }
-
-  // Skip runOnInit jobs in CF Workers — they'll run on the next matching trigger
-  // (running them at module init time would block the request and may exceed CPU limits)
-
+  registry.register(options.jobs || [], options.onError);
+  // runOnInit jobs are skipped in CF Workers — they run on the next matching
+  // trigger (running them at module init would block the request / risk CPU limits)
   return {
     addJob(name: string, time: string, fn: Function, opts?: any) {
-      registeredJobs.push({ name, time, fn: fn as any, options: opts });
+      registry.addJob(name, time, fn as any, opts);
+    },
+    start() {
+      /* no-op — CF scheduled() drives runAll */
     },
-    start() { /* no-op */ },
   };
 }
 
-// Called by worker.ts scheduled handler — only runs jobs matching the trigger time.
-// Accepts an optional `now` so the caller can pass `event.scheduledTime` (the
-// intended trigger minute) instead of relying on wall-clock at execution time.
-// CF may deliver scheduled events with a small delay that crosses a minute
-// boundary; matching on `scheduledTime` keeps exact-minute cron reliable.
+// Called by worker.ts scheduled handler. Accepts an optional `now` so the caller
+// can pass `event.scheduledTime` (the intended trigger minute).
 async function runAll(now: Date = new Date()) {
-  const matched: string[] = [];
-  const skipped: string[] = [];
-
-  for (const job of registeredJobs) {
-    if (shouldRunInWindow(job.time, now)) {
-      matched.push(job.name);
-      try {
-        await job.fn();
-      } catch (err: any) {
-        console.error(`[Cron] ${job.name} failed:`, err?.message || err);
-        onErrorHandler?.(err, job.name);
-      }
-    } else {
-      skipped.push(job.name);
-    }
-  }
-
-  console.log(`[Cron] Ran ${matched.length} jobs: [${matched.join(', ')}]. Skipped ${skipped.length}.`);
+  const { ran, skipped } = await getCronDriver().runDue(now);
+  // eslint-disable-next-line no-console
+  console.log(`[Cron] Ran ${ran.length} jobs: [${ran.join(', ')}]. Skipped ${skipped.length}.`);
 }
 
 async function runJob(name: string) {
-  const job = registeredJobs.find((j) => j.name === name);
-  if (job) {
-    try {
-      await job.fn();
-    } catch (err: any) {
-      console.error(`[Cron] ${name} failed:`, err?.message || err);
-      onErrorHandler?.(err, name);
-    }
-  } else {
-    console.warn(`[Cron] Job ${name} not found`);
-  }
+  await getCronDriver().runJob(name);
 }
 
 function getJobNames(): string[] {
-  return registeredJobs.map((j) => `${j.name} (${j.time})`);
+  return getCronDriver().getJobNames();
 }
 
 // Export matching @abtnode/cron API: default export is { init }

package/cloudflare/shims/events.ts

@@ -0,0 +1,124 @@
+// EventEmitter shim for CF Workers.
+//
+// workerd's nodejs_compat provides `node:events` for ESM `import from 'events'`,
+// but the esbuild banner's globalThis.require polyfill (build.ts) does NOT list
+// `events`, so CJS `const { EventEmitter } = require('events')` resolves to an
+// empty object and `class X extends EventEmitter` throws at global init
+// ("Class extends value undefined"). Two core drivers hit this:
+//   - api/src/libs/drivers/locks.ts   (MemoryLock)
+//   - api/src/libs/drivers/auth-storage.ts (DbAuthStorage extends EventEmitter)
+//
+// Aliasing `events` to this shim (build.ts) makes BOTH the CJS-require and
+// ESM-import forms resolve to one deterministic implementation, removing the
+// fragile split between nodejs_compat (ESM) and the banner (CJS). Only the core
+// queue/lock/auth-storage event buses use it — emit / on / once / removeListener
+// are the methods exercised (verified by grep), so a compact but correct
+// implementation suffices.
+
+type Listener = (...args: any[]) => void;
+
+export class EventEmitter {
+  private _events: Map<string | symbol, Listener[]> = new Map();
+
+  private _maxListeners = 10;
+
+  addListener(event: string | symbol, listener: Listener): this {
+    return this.on(event, listener);
+  }
+
+  on(event: string | symbol, listener: Listener): this {
+    const list = this._events.get(event);
+    if (list) {
+      list.push(listener);
+    } else {
+      this._events.set(event, [listener]);
+    }
+    return this;
+  }
+
+  prependListener(event: string | symbol, listener: Listener): this {
+    const list = this._events.get(event);
+    if (list) {
+      list.unshift(listener);
+    } else {
+      this._events.set(event, [listener]);
+    }
+    return this;
+  }
+
+  once(event: string | symbol, listener: Listener): this {
+    const wrapper = (...args: any[]) => {
+      this.removeListener(event, wrapper);
+      listener.apply(this, args);
+    };
+    // keep a handle to the original so removeListener(event, listener) still works
+    (wrapper as any).listener = listener;
+    return this.on(event, wrapper);
+  }
+
+  prependOnceListener(event: string | symbol, listener: Listener): this {
+    const wrapper = (...args: any[]) => {
+      this.removeListener(event, wrapper);
+      listener.apply(this, args);
+    };
+    (wrapper as any).listener = listener;
+    return this.prependListener(event, wrapper);
+  }
+
+  removeListener(event: string | symbol, listener: Listener): this {
+    const list = this._events.get(event);
+    if (!list) return this;
+    const idx = list.findIndex((l) => l === listener || (l as any).listener === listener);
+    if (idx >= 0) {
+      list.splice(idx, 1);
+      if (list.length === 0) this._events.delete(event);
+    }
+    return this;
+  }
+
+  off(event: string | symbol, listener: Listener): this {
+    return this.removeListener(event, listener);
+  }
+
+  removeAllListeners(event?: string | symbol): this {
+    if (event === undefined) {
+      this._events.clear();
+    } else {
+      this._events.delete(event);
+    }
+    return this;
+  }
+
+  emit(event: string | symbol, ...args: any[]): boolean {
+    const list = this._events.get(event);
+    if (!list || list.length === 0) return false;
+    // copy so once()-removals during iteration don't skip listeners
+    for (const listener of [...list]) {
+      listener.apply(this, args);
+    }
+    return true;
+  }
+
+  listeners(event: string | symbol): Listener[] {
+    return [...(this._events.get(event) || [])];
+  }
+
+  listenerCount(event: string | symbol): number {
+    return this._events.get(event)?.length || 0;
+  }
+
+  eventNames(): (string | symbol)[] {
+    return [...this._events.keys()];
+  }
+
+  setMaxListeners(n: number): this {
+    this._maxListeners = n;
+    return this;
+  }
+
+  getMaxListeners(): number {
+    return this._maxListeners;
+  }
+}
+
+export default EventEmitter;

package/cloudflare/shims/fastq.ts

@@ -12,7 +12,21 @@
 
 type Task = { data: any; cb?: Function };
 
-export default function fastq(_context: any, worker: Function, _concurrency: number) {
+// Phase 9 (W2-1b): faithful fastq executor driver for the worker.
+//
+// Match the real fastq calling convention. The Node queue engine
+// (api/src/libs/queue) calls `fastq(workerFn, concurrency)` (2-arg form);
+// real fastq detects a function first arg and shifts (context => null). The
+// previous shim assumed the 3-arg `fastq(context, worker, concurrency)` form,
+// so the 2-arg call landed `worker` on `context` and every job execution threw
+// "worker is not a function". This shift makes the shim a drop-in executor so
+// the SAME engine runs identically on Node (real fastq) and the worker (shim).
+export default function fastq(context: any, worker: Function, concurrency: number) {
+  if (typeof context === 'function') {
+    concurrency = worker as unknown as number;
+    worker = context;
+    context = null;
+  }
   const pending: Task[] = [];
   let running = false;
   let drainFn: (() => void) | null = null;

package/cloudflare/shims/nedb-storage.ts

@@ -1,9 +1,17 @@
-// NeDB → D1 storage shim for DID Connect sessions
-export default class AuthStorage {
-  constructor(_opts?: any) {}
-  create(_id: string, _data: any) { return Promise.resolve(); }
-  read(_id: string) { return Promise.resolve(null); }
-  update(_id: string, _data: any) { return Promise.resolve(); }
-  delete(_id: string) { return Promise.resolve(); }
-  on(_event: string, _fn: Function) {}
+// NeDB → D1 storage shim for DID Connect sessions (Phase 8, W2-1a).
+//
+// Was a no-op stub (DID Connect state silently dropped in the worker). Now a
+// thin worker adapter: it builds a D1 db driver from the bound D1 database and
+// delegates to the real, contract-tested DbAuthStorage. The `{ dbPath }` option
+// is ignored — persistence is the D1 binding, not a disk file.
+
+import { createD1DbDriver, DbAuthStorage } from '../../api/src/libs/drivers';
+
+import { getDB } from './sequelize-d1/model';
+
+export default class AuthStorage extends DbAuthStorage {
+  constructor(_opts?: any) {
+    // lazy getter — the D1 binding is set per request, not at module import
+    super(createD1DbDriver(() => getDB()));
+  }
 }