payment-kit 1.29.1 → 1.29.3

package/cloudflare/shims/xss.ts

@@ -1,3 +1,11 @@
 export function xss(_opts?: any) {
   return (_req: any, _res: any, next: any) => next();
 }
+
+// Phase 4 (express→hono): the hono xss middleware (LITE app-shell on CF) calls
+// initSanitize(...)(body) to produce sanitizedBody. The old express-compat worker
+// path set req.body WITHOUT xss sanitization, so an identity sanitizer preserves
+// the worker's exact behavior (the node host uses the real @blocklet/xss).
+export function initSanitize(_opts?: any) {
+  return <T>(body: T): T => body;
+}

package/cloudflare/tenant-middleware.ts

@@ -0,0 +1,36 @@
+// Phase 7 (W1′): worker tenant-context wiring.
+//
+// The CF worker's `*` middleware only set up DB/env — it never established a
+// tenant context, so every TenantModel query in the worker fell back to the
+// single-mode default. This Hono middleware mirrors the Express
+// `contextMiddleware`: it resolves the request's raw Host to a tenant via the
+// SINGLE-POINT resolver (`resolveTenantForHost`) and wraps the downstream chain
+// in `context.withTenant` so the resolved tenant flows through AsyncLocalStorage
+// into every handler/query.
+//
+// single mode: resolves to the deployment app DID (standalone worker unchanged).
+// multi mode : unknown/missing Host -> 400 fail-closed, no default-tenant
+// fallback, and the handler never runs.
+
+import type { Context, Next } from 'hono';
+
+import { context } from '../api/src/libs/context';
+import { TenantError, TENANT_HOST_UNRESOLVED } from '../api/src/libs/tenant';
+import { resolveTenantForHost } from '../api/src/libs/drivers/identity';
+
+export function tenantMiddleware() {
+  return async (c: Context, next: Next) => {
+    let instanceDid: string;
+    try {
+      // raw Host header only — never a proxy header (X-Forwarded-Host); the CF
+      // route is responsible for ensuring it cannot be forged by the client.
+      instanceDid = await resolveTenantForHost(c.req.header('host'));
+    } catch (err) {
+      if (err instanceof TenantError && err.code === TENANT_HOST_UNRESOLVED) {
+        return c.json({ error: { code: err.code, message: err.message } }, 400);
+      }
+      throw err;
+    }
+    return context.withTenant(instanceDid, () => next());
+  };
+}

package/cloudflare/tests/cf-adapter.spec.ts

@@ -0,0 +1,244 @@
+// S3-CF Phase 3 — the CF payment adapter host glue. These unit-test the
+// request-path behavior (caller strip/inject, tenant context, raw-body fidelity,
+// lazy provision in-flight dedup, scheduled due-dispatch, queue demux) against the
+// REAL helpers with fake services — no Miniflare/D1 needed (the worker bundle
+// build is the integration gate; this is the behavior gate).
+
+import { injectCaller, createTenantProvisioner, buildFetch, buildScheduled, buildQueueConsumer } from '../cf-adapter';
+import type { CloudflareCallerIdentity } from '../cf-adapter';
+import { context as requestContext } from '../../api/src/libs/context';
+
+const noopBindEnv = () => undefined;
+const noopFlush = async () => undefined;
+
+describe('injectCaller — CF API gate caller header glue (decision #5)', () => {
+  it('happy: injects canonical x-user-* from the host-resolved caller', () => {
+    const h = new Headers();
+    injectCaller(h, { did: 'zUSER', role: 'admin', authMethod: 'passkey', displayName: 'Alice' });
+    expect(h.get('x-user-did')).toBe('did:abt:zUSER');
+    expect(h.get('x-user-role')).toBe('blocklet-admin');
+    expect(h.get('x-user-provider')).toBe('passkey');
+    expect(h.get('x-user-fullname')).toBe(encodeURIComponent('Alice'));
+  });
+
+  it('security: STRIPS a client-forged identity header (no caller = anonymous, not forged)', () => {
+    const h = new Headers({ 'x-user-did': 'did:abt:zEVIL', 'x-user-role': 'blocklet-owner' });
+    injectCaller(h, null);
+    expect(h.get('x-user-did')).toBeNull();
+    expect(h.get('x-user-role')).toBeNull();
+  });
+
+  it('security: a forged header cannot survive even WITH a real caller (strip-then-inject)', () => {
+    const h = new Headers({ 'x-user-did': 'did:abt:zEVIL' });
+    injectCaller(h, { did: 'zREAL', role: 'member' });
+    expect(h.get('x-user-did')).toBe('did:abt:zREAL'); // not zEVIL
+  });
+
+  it('keeps an already-canonical did:abt: prefix and prefixes a bare did', () => {
+    const a = new Headers();
+    injectCaller(a, { did: 'did:abt:zABC' });
+    expect(a.get('x-user-did')).toBe('did:abt:zABC');
+    const b = new Headers();
+    injectCaller(b, { did: 'zABC' });
+    expect(b.get('x-user-did')).toBe('did:abt:zABC');
+  });
+});
+
+describe('createTenantProvisioner — lazy first-request provisioning, in-flight dedup', () => {
+  it('data-loss: concurrent first-requests for the same tenant provision ONCE', async () => {
+    let calls = 0;
+    const provision = jest.fn(async () => {
+      calls += 1;
+      await new Promise((r) => setTimeout(r, 5));
+    });
+    const provisioner = createTenantProvisioner(provision);
+    await Promise.all([provisioner('zA'), provisioner('zA'), provisioner('zA'), provisioner('zA')]);
+    expect(calls).toBe(1);
+    expect(provision).toHaveBeenCalledTimes(1);
+  });
+
+  it('different tenants each provision once', async () => {
+    const provision = jest.fn(async () => undefined);
+    const provisioner = createTenantProvisioner(provision);
+    await Promise.all([provisioner('zA'), provisioner('zB'), provisioner('zA')]);
+    expect(provision).toHaveBeenCalledTimes(2);
+  });
+
+  it('a failed provision is dropped so the next request RETRIES (not cached as done)', async () => {
+    let n = 0;
+    const provision = jest.fn(async () => {
+      n += 1;
+      if (n === 1) throw new Error('transient');
+    });
+    const provisioner = createTenantProvisioner(provision);
+    await expect(provisioner('zA')).rejects.toThrow('transient');
+    await expect(provisioner('zA')).resolves.toBeUndefined(); // retried, now succeeds
+    expect(provision).toHaveBeenCalledTimes(2);
+  });
+
+  it('null tenant is a no-op (no provision attempt)', async () => {
+    const provision = jest.fn(async () => undefined);
+    const provisioner = createTenantProvisioner(provision);
+    await provisioner(null);
+    expect(provision).not.toHaveBeenCalled();
+  });
+});
+
+// A fake embedded service: captures what the adapter forwards (headers, raw body,
+// basePath) and the tenant context active at fetch time.
+function fakeSvc() {
+  const seen: { did?: string; role?: string; tenant?: string; basePath?: string; body?: string } = {};
+  return {
+    seen,
+    http: {
+      async fetch(req: Request, opts?: { basePath?: string }) {
+        seen.did = req.headers.get('x-user-did') ?? undefined;
+        seen.role = req.headers.get('x-user-role') ?? undefined;
+        seen.tenant = requestContext.peekInstanceDid();
+        seen.basePath = opts?.basePath;
+        seen.body = await req.text();
+        return new Response('ok', { status: 200 });
+      },
+    },
+  };
+}
+
+describe('buildFetch — drives the single http.fetch under the tenant context', () => {
+  it('happy: strips forged x-user-*, injects the real caller, runs under withTenant, passes basePath, flushes', async () => {
+    const svc = fakeSvc();
+    let flushed = 0;
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => 'did:abt:zTENANT',
+      resolveCaller: () => ({ did: 'zREAL', role: 'member' } as CloudflareCallerIdentity),
+      provision: async () => undefined,
+      bindEnv: noopBindEnv,
+      flush: async () => {
+        flushed += 1;
+      },
+    });
+    const req = new Request('https://x/.well-known/payment/api/products', {
+      method: 'POST',
+      headers: { 'x-user-did': 'did:abt:zFORGED' },
+      body: 'raw-bytes',
+    });
+    const res = await fetch(req, {}, { waitUntil() {} } as any);
+    expect(res.status).toBe(200);
+    expect(svc.seen.did).toBe('did:abt:zREAL'); // forged stripped, real injected
+    expect(svc.seen.tenant).toBe('did:abt:zTENANT'); // ran under withTenant
+    expect(svc.seen.basePath).toBe('/.well-known/payment');
+    expect(svc.seen.body).toBe('raw-bytes'); // data-damage: raw body preserved
+    expect(flushed).toBe(1);
+  });
+
+  it('security: forged x-user-did with NO caller resolved → stripped, anonymous (fail-safe)', async () => {
+    const svc = fakeSvc();
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => 'did:abt:zT',
+      resolveCaller: () => null,
+      provision: async () => undefined,
+      bindEnv: noopBindEnv,
+      flush: noopFlush,
+    });
+    await fetch(new Request('https://x/api/x', { headers: { 'x-user-did': 'did:abt:zEVIL' } }), {}, { waitUntil() {} } as any);
+    expect(svc.seen.did).toBeUndefined();
+  });
+
+  it('data-leak: an unknown host (tenant null) is NOT wrapped — the core fail-closes tenant-scoped routes', async () => {
+    const svc = fakeSvc();
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => null,
+      provision: async () => undefined,
+      bindEnv: noopBindEnv,
+      flush: noopFlush,
+    });
+    await fetch(new Request('https://unknown/api/x'), {}, { waitUntil() {} } as any);
+    expect(svc.seen.tenant).toBeUndefined(); // no context leaked; core will reject tenant-scoped routes
+  });
+
+  it('data-loss: a first request triggers the lazy provisioner exactly once for its tenant', async () => {
+    const svc = fakeSvc();
+    const provision = jest.fn(async () => undefined);
+    const provisioner = createTenantProvisioner(provision);
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => 'did:abt:zP',
+      provision: provisioner,
+      bindEnv: noopBindEnv,
+      flush: noopFlush,
+    });
+    const ctx = { waitUntil() {} } as any;
+    await Promise.all([
+      fetch(new Request('https://x/api/a'), {}, ctx),
+      fetch(new Request('https://x/api/b'), {}, ctx),
+    ]);
+    expect(provision).toHaveBeenCalledTimes(1);
+    expect(provision).toHaveBeenCalledWith('did:abt:zP');
+  });
+});
+
+describe('buildScheduled — host-driven due dispatch', () => {
+  it('runs crons for the intended minute then dispatches due jobs then flushes (ordered)', async () => {
+    const order: string[] = [];
+    const scheduled = buildScheduled({
+      bindEnv: () => order.push('bind'),
+      runCrons: async (when: Date) => {
+        order.push(`crons:${when.toISOString()}`);
+      },
+      dispatchDue: async () => {
+        order.push('dispatch');
+      },
+      flush: async () => {
+        order.push('flush');
+      },
+    });
+    const t = Date.UTC(2026, 3, 17, 10, 0, 0);
+    await scheduled({ cron: '*/5 * * * *', scheduledTime: t } as any, {}, { waitUntil() {} } as any);
+    expect(order).toEqual(['bind', `crons:${new Date(t).toISOString()}`, 'dispatch', 'flush']);
+  });
+});
+
+describe('buildQueueConsumer — payment queue message demux', () => {
+  it('routes each message to its core queue handle by name, then acks; flushes once', async () => {
+    const ran: Array<{ name: string; id: string }> = [];
+    const acked: string[] = [];
+    let flushed = 0;
+    const handle = { pushAndWait: async (p: any) => ran.push({ name: 'refund', id: p.id }) };
+    const queue = buildQueueConsumer({
+      bindEnv: noopBindEnv,
+      getHandle: (name: string) => (name === 'refund' ? (handle as any) : undefined),
+      flush: async () => {
+        flushed += 1;
+      },
+    });
+    const batch = {
+      messages: [
+        { body: { queueName: 'refund', jobId: 'j1', job: {} }, ack: () => acked.push('j1') },
+        { body: { queueName: 'unknown', jobId: 'j2', job: {} }, ack: () => acked.push('j2') },
+      ],
+    };
+    await queue(batch as any, {}, { waitUntil() {} } as any);
+    expect(ran).toEqual([{ name: 'refund', id: 'j1' }]);
+    expect(acked).toEqual(['j1', 'j2']); // unknown handler still acked (no infinite redelivery)
+    expect(flushed).toBe(1);
+  });
+
+  it('a throwing handler is acked (not retried via CF Queue — D1 scheduled redispatch owns retries)', async () => {
+    const acked: string[] = [];
+    const handle = { pushAndWait: async () => { throw new Error('boom'); } };
+    const queue = buildQueueConsumer({
+      bindEnv: noopBindEnv,
+      getHandle: () => handle as any,
+      flush: noopFlush,
+    });
+    const batch = { messages: [{ body: { queueName: 'refund', jobId: 'j1', job: {} }, ack: () => acked.push('j1') }] };
+    await queue(batch as any, {}, { waitUntil() {} } as any);
+    expect(acked).toEqual(['j1']);
+  });
+});

package/cloudflare/tests/did-connect-token-storage.spec.ts

@@ -0,0 +1,105 @@
+// S3-CF (DID convergence) — CF DID-Connect token store: tenant isolation + waitUntil.
+//
+// Deterministic unit tests over a fake D1 (no chain, no AUTH_SERVICE):
+//   - a token minted under tenant A is invisible under tenant B (read/exist/
+//     update/delete all not-found) — the isolation the convergence requires.
+//   - the fire-and-forget `update` (did-connect-js onProcessError) still lands via
+//     __cfWaitUntil__ even when the caller never awaits — the "scanned → succeed"
+//     regression the standalone worker's waitUntil hack fixed.
+import { context } from '../../api/src/libs/context';
+import { CloudflareTenantTokenStorage } from '../did-connect-token-storage';
+
+const A = 'zMOCK_TENANT_A';
+const B = 'zMOCK_TENANT_B';
+
+/** Minimal in-memory D1 double covering the prepare/bind/run/first shape the store uses. */
+function fakeD1() {
+  const rows = new Map<string, { data: string; expires_at: number }>();
+  const db: any = {
+    withSession: () => db,
+    prepare(sql: string) {
+      const stmt: any = {
+        _args: [] as any[],
+        bind(...args: any[]) {
+          stmt._args = args;
+          return stmt;
+        },
+        async run() {
+          if (sql.startsWith('INSERT')) {
+            const [token, data, exp] = stmt._args;
+            rows.set(token, { data, expires_at: exp });
+          } else if (sql.startsWith('UPDATE')) {
+            const [data, exp, token] = stmt._args;
+            if (rows.has(token)) rows.set(token, { data, expires_at: exp });
+          } else if (sql.startsWith('DELETE')) {
+            rows.delete(stmt._args[0]);
+          }
+          return { success: true };
+        },
+        async first() {
+          const [token, now] = stmt._args;
+          const r = rows.get(token);
+          return r && r.expires_at > now ? { data: r.data } : null;
+        },
+      };
+      return stmt;
+    },
+  };
+  return { db, rows };
+}
+
+describe('S3-CF DID convergence — CloudflareTenantTokenStorage', () => {
+  let restoreEnv: any;
+  let restoreWaitUntil: any;
+
+  beforeEach(() => {
+    restoreEnv = (globalThis as any).__CF_ENV__;
+    restoreWaitUntil = (globalThis as any).__cfWaitUntil__;
+  });
+  afterEach(() => {
+    (globalThis as any).__CF_ENV__ = restoreEnv;
+    (globalThis as any).__cfWaitUntil__ = restoreWaitUntil;
+  });
+
+  it('isolates tokens by tenant — A token is not-found under tenant B', async () => {
+    const { db } = fakeD1();
+    (globalThis as any).__CF_ENV__ = { DB: db };
+    const store = new CloudflareTenantTokenStorage({ ttl: 300 });
+
+    // create + read under tenant A
+    await context.withTenant(A, () => store.create('tok-1', 'created'));
+    const underA = await context.withTenant(A, () => store.read('tok-1'));
+    expect(underA?.token).toBe('tok-1');
+    expect(underA?.instanceDid).toBe(A);
+    expect(await context.withTenant(A, () => store.exist('tok-1'))).toBe(true);
+
+    // the SAME token is invisible under tenant B
+    expect(await context.withTenant(B, () => store.read('tok-1'))).toBeNull();
+    expect(await context.withTenant(B, () => store.exist('tok-1'))).toBe(false);
+    // B cannot advance A's handshake
+    expect(await context.withTenant(B, () => store.update('tok-1', { status: 'hijacked' }))).toBeNull();
+    // and B's delete is a no-op (A's token survives)
+    await context.withTenant(B, () => store.delete('tok-1'));
+    expect((await context.withTenant(A, () => store.read('tok-1')))?.token).toBe('tok-1');
+  });
+
+  it('update lands via __cfWaitUntil__ even when the caller never awaits (waitUntil regression)', async () => {
+    const { db } = fakeD1();
+    (globalThis as any).__CF_ENV__ = { DB: db };
+    const pending: Promise<any>[] = [];
+    (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => pending.push(p);
+
+    const store = new CloudflareTenantTokenStorage({ ttl: 300 });
+    await context.withTenant(A, async () => {
+      await store.create('tok-2', 'scanned');
+      // fire-and-forget, as did-connect-js's onProcessError does — NOT awaited
+      store.update('tok-2', { status: 'succeed' });
+    });
+
+    // before draining waitUntil, the write may not have landed; drain then assert
+    await Promise.all(pending);
+    const after = await context.withTenant(A, () => store.read('tok-2'));
+    expect(after?.status).toBe('succeed');
+    expect(after?.instanceDid).toBe(A); // owning tenant preserved through update
+  });
+});

package/cloudflare/tests/tenant-middleware.spec.ts

@@ -0,0 +1,160 @@
+// Phase 7 (W1′): worker `withTenant` wiring. The CF worker had no tenant
+// context — its `*` middleware only `setDB`. This drives the real Hono tenant
+// middleware (the same factory mounted in worker.ts) over a tiny Hono app so
+// the actual Host -> instanceDid resolution, multi-mode fail-closed 4xx, and
+// `context.withTenant` ALS wrapping are exercised end to end.
+
+import { Hono } from 'hono';
+
+import { tenantMiddleware } from '../tenant-middleware';
+import { getInstanceDid, context } from '../../api/src/libs/context';
+import { getDefaultInstanceDid } from '../../api/src/libs/tenant';
+import { setIdentityDriver, createDefaultIdentityDriver, type IdentityDriver } from '../../api/src/libs/drivers/identity';
+
+const TENANT_A = 'did:abt:zHOSTA';
+const TENANT_B = 'did:abt:zHOSTB';
+
+// Build a Hono app wired exactly like worker.ts: tenant middleware on /api/*,
+// then a handler that reports the tenant resolved from the ALS context.
+function buildApp() {
+  const app = new Hono();
+  app.use('/api/*', tenantMiddleware());
+  app.get('/api/whoami', (c) => c.json({ tenant: getInstanceDid() }));
+  // /health is OUTSIDE /api/* — must never require a tenant (infra health check)
+  app.get('/health', (c) => c.json({ status: 'ok' }));
+  return app;
+}
+
+async function get(app: Hono, path: string, headers: Record<string, string> = {}) {
+  const res = await app.request(path, { headers });
+  let body: any;
+  try {
+    body = await res.json();
+  } catch {
+    body = await res.text();
+  }
+  return { status: res.status, body };
+}
+
+const ORIGINAL_MODE = process.env.PAYMENT_TENANT_MODE;
+
+afterEach(() => {
+  if (ORIGINAL_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+  else process.env.PAYMENT_TENANT_MODE = ORIGINAL_MODE;
+  setIdentityDriver(createDefaultIdentityDriver());
+});
+
+describe('single mode (standalone worker legacy) — unchanged', () => {
+  beforeEach(() => {
+    process.env.PAYMENT_TENANT_MODE = 'single';
+  });
+
+  it('any host resolves to the deployment app DID', async () => {
+    const expected = getDefaultInstanceDid();
+    const app = buildApp();
+    const r1 = await get(app, '/api/whoami', { Host: 'anything.example.com' });
+    expect(r1.status).toBe(200);
+    expect(r1.body.tenant).toBe(expected);
+    const r2 = await get(app, '/api/whoami', { Host: 'other.example.com' });
+    expect(r2.body.tenant).toBe(expected); // default regardless of host
+  });
+
+  it('a request with no Host still resolves (single-mode default, no crash)', async () => {
+    const expected = getDefaultInstanceDid();
+    const app = buildApp();
+    const r = await get(app, '/api/whoami');
+    expect(r.status).toBe(200);
+    expect(r.body.tenant).toBe(expected);
+  });
+});
+
+describe('multi mode — Host maps to tenant, fail-closed on unknown', () => {
+  const identity: IdentityDriver = {
+    resolveInstanceDidForHost(host) {
+      if (host === 'a.example.com') return TENANT_A;
+      if (host === 'b.example.com') return TENANT_B;
+      return null;
+    },
+  };
+
+  beforeEach(() => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+  });
+
+  // Happy path — two hosts see two tenants (data isolation)
+  it('two hosts resolve to two tenants', async () => {
+    const app = buildApp();
+    const a = await get(app, '/api/whoami', { Host: 'a.example.com' });
+    const b = await get(app, '/api/whoami', { Host: 'b.example.com' });
+    expect(a.body.tenant).toBe(TENANT_A);
+    expect(b.body.tenant).toBe(TENANT_B);
+    expect(a.body.tenant).not.toBe(b.body.tenant);
+  });
+
+  // Bad input — missing Host fails closed (no default-tenant fallback)
+  it('missing Host fails closed with 4xx (no APP_PID fallback)', async () => {
+    const app = buildApp();
+    const r = await get(app, '/api/whoami');
+    expect(r.status).toBe(400);
+    expect(r.body.error.code).toBe('TENANT_HOST_UNRESOLVED');
+    expect(r.body.tenant).toBeUndefined();
+  });
+
+  // Data leak — unknown (unregistered) host must never fall into a tenant
+  it('unknown host fails closed with 4xx + error code', async () => {
+    const app = buildApp();
+    const r = await get(app, '/api/whoami', { Host: 'unknown.example.com' });
+    expect(r.status).toBe(400);
+    expect(r.body.error.code).toBe('TENANT_HOST_UNRESOLVED');
+    expect(r.body.tenant).toBeUndefined();
+  });
+
+  // Security — a forged X-Forwarded-Host must not change resolution (raw Host only)
+  it('SECURITY: X-Forwarded-Host cannot override the raw Host', async () => {
+    const app = buildApp();
+    const r = await get(app, '/api/whoami', { Host: 'a.example.com', 'X-Forwarded-Host': 'b.example.com' });
+    expect(r.body.tenant).toBe(TENANT_A);
+  });
+
+  it('SECURITY: X-Forwarded-Host pointing at a known tenant cannot rescue an unknown raw Host', async () => {
+    const app = buildApp();
+    const r = await get(app, '/api/whoami', { Host: 'unknown.example.com', 'X-Forwarded-Host': 'a.example.com' });
+    expect(r.status).toBe(400);
+  });
+
+  // Data loss — a 4xx-rejected request must never reach the route handler
+  it('a 4xx-rejected request never runs the handler (no write)', async () => {
+    const app = new Hono();
+    app.use('/api/*', tenantMiddleware());
+    let handlerRuns = 0;
+    app.get('/api/whoami', (c) => {
+      handlerRuns += 1;
+      return c.json({ tenant: getInstanceDid() });
+    });
+    const r = await get(app, '/api/whoami', { Host: 'unknown.example.com' });
+    expect(r.status).toBe(400);
+    expect(handlerRuns).toBe(0);
+  });
+
+  // ALS propagation — the handler runs INSIDE the withTenant context
+  it('the handler observes the resolved tenant via context ALS', async () => {
+    const app = new Hono();
+    app.use('/api/*', tenantMiddleware());
+    let seen: string | undefined;
+    app.get('/api/whoami', (c) => {
+      seen = context.getInstanceDid();
+      return c.json({ ok: true });
+    });
+    await get(app, '/api/whoami', { Host: 'b.example.com' });
+    expect(seen).toBe(TENANT_B);
+  });
+
+  // /health is outside /api/* — tenant middleware must not gate it
+  it('/health is reachable without a Host even in multi mode', async () => {
+    const app = buildApp();
+    const r = await get(app, '/health');
+    expect(r.status).toBe(200);
+    expect(r.body.status).toBe('ok');
+  });
+});

package/cloudflare/tests/worker-handler-gate.spec.ts

@@ -0,0 +1,69 @@
+// Phase 12c HARD GATE + S3-CF Phase 1B (scan): the CF worker is a host adapter that
+// drives the core via the SINGLE runtime-neutral surface `svc.http.fetch`. It must
+// NOT read `svc.handler` (the node-convenience getter) and — post Phase 1B — must
+// NOT use the LITE `svc.http.resourceRoutes.fetch` dispatcher (the second surface is
+// gone), and must NOT double-own payment `/api/*` cors / tenant (the core full
+// pipeline owns those). This statically scans the worker source so a regression
+// fails the suite (the runtime Proxy in ensurePaymentService is the second defense).
+import fs from 'fs';
+import path from 'path';
+
+const workerSrc = fs.readFileSync(path.join(__dirname, '../worker.ts'), 'utf8');
+
+// non-comment code lines only
+const codeLines = workerSrc
+  .split('\n')
+  .map((line, n) => ({ line: line.trim(), n: n + 1 }))
+  .filter(({ line }) => !line.startsWith('//') && !line.startsWith('*') && !line.startsWith('/*'));
+
+describe('S3-CF Phase 1B — worker drives the single svc.http.fetch surface', () => {
+  it('forwards payment /api/* through svc.http.fetch', () => {
+    expect(workerSrc).toMatch(/service\.http\.fetch\(/);
+  });
+
+  it('no longer dispatches through the LITE svc.http.resourceRoutes surface', () => {
+    const offending = codeLines.filter(({ line }) => /service\.http\.resourceRoutes/.test(line));
+    expect(offending).toEqual([]);
+  });
+
+  it('does not double-own payment /api/* cors or tenant (core full pipeline owns them)', () => {
+    const doubleCors = codeLines.filter(({ line }) => /app\.use\(\s*['"]\/api\/\*['"]\s*,\s*cors\(\)/.test(line));
+    const doubleTenant = codeLines.filter(({ line }) => /app\.use\(\s*['"]\/api\/\*['"]\s*,\s*tenantMiddleware\(\)/.test(line));
+    expect(doubleCors).toEqual([]);
+    expect(doubleTenant).toEqual([]);
+  });
+
+  it('strips client-forged x-user-* before injecting the resolved caller identity', () => {
+    expect(workerSrc).toMatch(/for \(const h of USER_HEADERS\) headers\.delete\(h\)/);
+    expect(workerSrc).toMatch(/headers\.set\(['"]x-user-did['"]/);
+  });
+});
+
+describe('Phase 12c — worker host-adapter hard gate', () => {
+  it('never reads .handler on the payment service', () => {
+    const offending = workerSrc
+      .split('\n')
+      .map((line, n) => ({ line: line.trim(), n: n + 1 }))
+      // ignore comment lines — only actual code may not read svc.handler
+      .filter(({ line }) => !line.startsWith('//') && !line.startsWith('*') && !line.startsWith('/*'))
+      .filter(({ line }) => /\b(service|paymentService|svc)\.handler\b/.test(line))
+      // the hard-gate trap string + the Proxy guard line are the gate itself
+      .filter(({ line }) => !/forbidden in the CF worker/.test(line) && !/prop === 'handler'/.test(line));
+    expect(offending).toEqual([]);
+  });
+
+  it('installs the runtime hard-gate Proxy that throws on handler access', () => {
+    expect(workerSrc).toMatch(/new Proxy\(svc,/);
+    expect(workerSrc).toMatch(/svc\.handler is forbidden in the CF worker/);
+  });
+
+  it('does not import the deleted legacy shims/queue engine', () => {
+    expect(workerSrc).not.toMatch(/from '\.\/shims\/queue'/);
+  });
+
+  it('drives the core queue runtime surface instead', () => {
+    expect(workerSrc).toMatch(/from '\.\.\/api\/src\/libs\/queue\/runtime'/);
+    expect(workerSrc).toMatch(/dispatchDueJobs\(\)/);
+    expect(workerSrc).toMatch(/flushQueueWork\(\)/);
+  });
+});