payment-kit 1.29.1 → 1.29.3

package/cloudflare/worker.ts

@@ -14,15 +14,30 @@ import { setDB } from './shims/sequelize-d1/model';
 import { initialize } from '../api/src/store/models';
 import { Sequelize } from './shims/sequelize-d1/sequelize-class';
 
-// Import the original Express routes (esbuild aliases handle all deps)
-import expressRoutes from '../api/src/routes/index';
-import type { RouteEntry } from './shims/express-compat/index';
+// Phase 12b: pin the core queue engine to 'workerd' mode BEFORE any business
+// queue module loads (createQueue reads it at import to disable the node poll
+// loop). Side-effect import — keep it ahead of service/crons/queues below.
+import './queue-runtime-mode';
+
+// Phase 12a (Option 3 seam) + S3-CF Phase 1B: the worker's /api surface comes from
+// the embedded payment service factory. The factory performs assembly (config slot
+// authoritative via setCoreConfig + model initialize). Phase 1B: the worker forwards
+// every payment /api/* (business resource routes + DID payment actions) through the
+// runtime-neutral `http.fetch` (the core full app + full pipeline) — a SINGLE
+// surface. The factory's lazy `handler` getter is never touched here (hard-gated),
+// so the worker only ever drives the core via `http.fetch`.
+import { createEmbeddedPaymentService } from '../api/src/service';
+import type { PaymentCoreService } from '../api/src/service';
 
 // Import cron instance for scheduled handler
 import { cronInstance } from './shims/cron';
 
-// Import queue utilities
-import { setWaitUntil, setCFQueue, flushPendingJobs, runAllScheduledJobs, getHandler } from './shims/queue';
+// Phase 12b: drive the SAME core queue engine (api/src/libs/queue) through its
+// host-facing runtime surface instead of the legacy cloudflare/shims/queue.ts
+// duplicate engine (dead under the canonical build — its registry is never
+// populated). scheduled() → dispatchDueJobs(); queue() → getQueueHandler();
+// HTTP/scheduled/queue flush → flushQueueWork().
+import { dispatchDueJobs, getQueueHandler, getAllQueueNames, flushQueueWork } from '../api/src/libs/queue/runtime';
 
 // Import crons init to register all cron jobs
 import crons from '../api/src/crons/index';
@@ -51,7 +66,10 @@ import { resetD1Timing, getD1Timing } from './shims/sequelize-d1/timing';
 import { withD1Retry } from './shims/sequelize-d1/retry';
 
 // DID Connect: login routes proxied to blocklet-service, business actions (pay/subscribe) handled locally
-import { attachDIDConnectRoutes } from './did-connect-auth';
+import { createCloudflareDidConnectRuntime, createCloudflareIdentityDriver } from './did-connect-runtime';
+
+// Phase 7: tenant-context middleware — resolves Host -> tenant (single point)
+// and wraps the request chain in context.withTenant (multi-mode fail-closed).
 
 FetchRequest.registerGetUrl(async (req: FetchRequest) => {
   const resp = await fetch(req.url, {
@@ -81,7 +99,6 @@ interface CallerIdentityDTO {
 
 interface Env {
   DB: D1Database;
-  DID_CONNECT_KV: KVNamespace;
   JOB_QUEUE: Queue;
   ASSETS: { fetch: (request: Request | string) => Promise<Response> };
   APP_SK: string;
@@ -109,6 +126,17 @@ interface Env {
       role?: string;
       approved?: number;
     } | null>;
+    // S3-CF (DID convergence): did-connect-service@4.0.3 — the per-instance app
+    // signing identity for the DID-Connect authenticator. The RPC resolves the arc
+    // run-mode internally (instance app:sk → instance identity; else auth-service
+    // root APP_SK/APP_PSK; else fail-closed), so payment-core never reimplements it.
+    getInstanceAppIdentity: (instanceDid: string) => Promise<{
+      appSk: string;
+      appPsk?: string;
+      appInfo?: { name?: string; description?: string; icon?: string; link?: string };
+    }>;
+    getAppEk?: (instanceDid: string) => Promise<string | null>;
+    resolveInstanceDidForHost?: (host: string) => Promise<string | null>;
   };
   HYPERDRIVE: { connectionString: string };
   [key: string]: any;
@@ -204,6 +232,101 @@ function ensureModelsInit() {
   }
 }
 
+// Phase 12a/12c: build the explicit PaymentCoreConfig from CF env. These keys are
+// read only by the core (via the libs/env.ts readConfig boundary), never by a
+// worker shim, so the factory config slot carries them. Phase 12c removed the
+// last `process.env` mirror: the HTTP path (buildApp) and the scheduled()/queue()
+// path (setupEnv) both call ensurePaymentService(env) -> setCoreConfig, so the
+// config slot is authoritative on every path and no process.env fallback remains.
+function envToPaymentCoreConfig(env: Env): Record<string, any> {
+  const config: Record<string, any> = { BLOCKLET_MODE: 'production' };
+  if (env.APP_PID) {
+    config.BLOCKLET_APP_PID = env.APP_PID;
+    config.BLOCKLET_APP_ID = env.APP_PID;
+  }
+  if (env.APP_URL) {
+    config.APP_URL = env.APP_URL;
+    config.BLOCKLET_APP_URL = env.APP_URL;
+  }
+  if (env.APP_NAME) config.BLOCKLET_APP_NAME = env.APP_NAME;
+  // Stripe webhook secret: env override for signature verification (DB value may
+  // be empty if not configured in the original Blocklet Server).
+  if (env.STRIPE_WEBHOOK_SECRET) config.STRIPE_WEBHOOK_SECRET = env.STRIPE_WEBHOOK_SECRET;
+  if (env.PAYMENT_CHANGE_LOCKED_PRICE) config.PAYMENT_CHANGE_LOCKED_PRICE = env.PAYMENT_CHANGE_LOCKED_PRICE;
+  if (env.SHORT_URL_DOMAIN) config.SHORT_URL_DOMAIN = env.SHORT_URL_DOMAIN;
+  // Audience for the Pub/Sub OIDC JWT wrapping Google Play RTDN webhooks; without
+  // it googlePlayEndpoint() falls back to the workers.dev origin -> audience mismatch.
+  if (env.GOOGLE_PLAY_WEBHOOK_URL) config.GOOGLE_PLAY_WEBHOOK_URL = env.GOOGLE_PLAY_WEBHOOK_URL;
+  // Pub/Sub sender binding — without it the google_play webhook can't enforce the
+  // push service account on CF and would fail open (PR #1381 P1).
+  if (env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT)
+    config.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT = env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
+  if (env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER)
+    config.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER = env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER;
+  return config;
+}
+
+// Phase 12a: assemble the embedded payment service once per isolate. The factory
+// performs config/db assembly (setCoreConfig + initialize), so models are bound
+// here and ensureModelsInit() becomes a no-op on the HTTP path. Slots beyond
+// config/db are intentionally omitted in 12a (defaults preserve current worker
+// behavior: single-mode default tenant resolved from BLOCKLET_APP_PID); richer
+// slot bridging is 12b/12c.
+let paymentService: PaymentCoreService | null = null;
+function ensurePaymentService(env: Env): PaymentCoreService {
+  if (paymentService) return paymentService;
+  const sequelize = new Sequelize();
+  const svc = createEmbeddedPaymentService({
+    config: envToPaymentCoreConfig(env),
+    db: { sequelize },
+    // S3-CF (DID convergence): inject the CF DID-Connect runtime (real
+    // @arcblock/did-connect-js + CF chain/txEncoder/timeout + tenant-aware D1 token
+    // store) and the AUTH_SERVICE-backed identity driver (getInstanceAppIdentity).
+    // The core buildConnectRoutesHono then registers the 14 payment DID actions with
+    // a per-tenant signing identity — the worker no longer owns a private DID surface.
+    identity: createCloudflareIdentityDriver(),
+    didConnectRuntime: createCloudflareDidConnectRuntime(),
+  });
+  // Phase 12c HARD GATE (updated S3-CF Phase 1B): the CF worker is a host adapter
+  // that drives the core via the runtime-neutral `svc.http.fetch`. It must NEVER
+  // read `svc.handler` directly — that lazy getter is the node-host convenience
+  // entry (it would wire the node staticHandler if one were injected). The worker
+  // forwards through `svc.http.fetch`, which builds the same full hono app but is
+  // the sanctioned runtime-neutral seam. Trap `handler` so a future regression
+  // fails loud instead of silently taking the node-convenience path.
+  paymentService = new Proxy(svc, {
+    get(target, prop, receiver) {
+      if (prop === 'handler') {
+        throw new Error(
+          '[worker hard-gate] svc.handler is forbidden in the CF worker — use svc.http.fetch instead'
+        );
+      }
+      return Reflect.get(target, prop, receiver);
+    },
+  });
+  modelsInitialized = true; // the factory called initialize(sequelize)
+  return paymentService;
+}
+
+// Phase 2 (W1-1b): static D1 migration SQL cannot know the deployment app
+// DID, so the instance_did backfill + unique-key rebuilds run through the
+// shared runtime routine. Idempotent (NULL-only updates, DDL checks), so a
+// once-per-isolate guard just avoids 38 no-op UPDATEs on every cron tick.
+let tenantBackfillDone = false;
+async function ensureTenantBackfill() {
+  if (tenantBackfillDone) return;
+  try {
+    const { runTenantBackfill } = await import('../api/src/store/tenant-backfill');
+    const result = await runTenantBackfill(new Sequelize() as any);
+    const touched = Object.entries(result.backfilled).filter(([, n]) => n > 0);
+    if (touched.length) console.log('[tenant-backfill] backfilled:', JSON.stringify(Object.fromEntries(touched)));
+    tenantBackfillDone = true;
+  } catch (e: any) {
+    // fail-loud but non-fatal: crons still run; next tick retries
+    console.error('[tenant-backfill] failed:', e?.message || e);
+  }
+}
+
 function ensureCronsInit() {
   if (!cronsInitialized) {
     try {
@@ -234,10 +357,19 @@ function buildApp(env: Env): Hono<HonoEnv> {
     return cachedApp;
   }
 
+  // Phase 12a + S3-CF Phase 1B: assemble the embedded payment service
+  // (config/db/slots incl. the injected CF DID-Connect runtime). The worker drives
+  // it through `service.http.fetch` (the single runtime-neutral surface); the
+  // node-only `handler` getter is hard-gated and never touched.
+  const service = ensurePaymentService(env);
+
   const app = new Hono<HonoEnv>();
 
   // CORS
-  app.use('/api/*', cors());
+  // S3-CF Phase 1B: payment `/api/*` CORS is owned by the CORE full pipeline
+  // (cors/xss/csrf/i18n/cdn/context), reached via service.http.fetch. The worker no
+  // longer pre-applies cors() to /api/* — that would double the CORS headers on
+  // every payment route. Worker-owned cross-origin surfaces keep their own cors:
   app.use('/.well-known/*', cors());
   // /__blocklet__.js is fetched by external wallets (e.g. abtwallet.io, localhost
   // dev wallets) to resolve app metadata + chain info before starting DID Connect.
@@ -255,43 +387,17 @@ function buildApp(env: Env): Hono<HonoEnv> {
     // In queue consumer/cron, this flag is absent — createEvent uses __cfPendingJobs__ (blocking).
     (globalThis as any).__cfHttpContext__ = true;
     setDB(withD1Retry(c.env.DB.withSession('first-primary')));
-    if (c.env.JOB_QUEUE) setCFQueue(c.env.JOB_QUEUE);
     ensureModelsInit();
 
-    // Sync CF env vars to process.env for source code compatibility
-    if (typeof process !== 'undefined' && process.env) {
-      // Stripe webhook secret: kept as env var override for webhook signature verification
-      // (DB value may be empty if not configured in original Blocklet Server)
-      if (c.env.STRIPE_WEBHOOK_SECRET) process.env.STRIPE_WEBHOOK_SECRET = c.env.STRIPE_WEBHOOK_SECRET;
-      if (c.env.APP_URL) {
-        process.env.APP_URL = c.env.APP_URL;
-        process.env.BLOCKLET_APP_URL = c.env.APP_URL;
-      }
-      if (c.env.APP_PID) {
-        process.env.BLOCKLET_APP_PID = c.env.APP_PID;
-        process.env.BLOCKLET_APP_ID = c.env.APP_PID;
-      }
-      if (c.env.APP_NAME) process.env.BLOCKLET_APP_NAME = c.env.APP_NAME;
-      if (c.env.PAYMENT_CHANGE_LOCKED_PRICE) process.env.PAYMENT_CHANGE_LOCKED_PRICE = c.env.PAYMENT_CHANGE_LOCKED_PRICE;
-      if (c.env.SHORT_URL_DOMAIN) process.env.SHORT_URL_DOMAIN = c.env.SHORT_URL_DOMAIN;
-      // Audience for the Pub/Sub OIDC JWT that wraps Google Play RTDN webhooks.
-      // Without this mirror, libs/util.ts googlePlayEndpoint() falls back to
-      // getUrl('/api/integrations/google-play/webhook') — which resolves to
-      // the *.workers.dev origin, not the custom domain Pub/Sub actually
-      // POSTs to. Every webhook then dies with "audience mismatch".
-      if (c.env.GOOGLE_PLAY_WEBHOOK_URL) {
-        process.env.GOOGLE_PLAY_WEBHOOK_URL = c.env.GOOGLE_PLAY_WEBHOOK_URL;
-      }
-      // Pub/Sub sender binding — without mirroring these, the google_play webhook
-      // can't enforce the push service account on CF and would fail open (PR #1381 P1).
-      if (c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT) {
-        process.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT = c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
-      }
-      if (c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER) {
-        process.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER = c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER;
-      }
-      process.env.BLOCKLET_MODE = 'production';
-    }
+    // Phase 12a: CF env now flows through the factory config slot (assembled in
+    // ensurePaymentService -> setCoreConfig, made authoritative via the
+    // libs/env.ts readConfig boundary). The per-request process.env mirror that
+    // lived here is gone. This defensive idempotent call guarantees the config is
+    // wired for this isolate regardless of Hono app-cache state; it is a no-op
+    // after the first call. (Phase 12c: scheduled()/queue() call the same
+    // ensurePaymentService via setupEnv, so the config slot is authoritative
+    // there too — no process.env mirror on any path.)
+    ensurePaymentService(c.env);
 
     // Register Stripe key decrypt overrides from env vars
     // Fetch EK from AUTH_SERVICE and initialize decrypt capability (first request only)
@@ -327,7 +433,23 @@ function buildApp(env: Env): Hono<HonoEnv> {
         if (caller) {
           authSource = 'cache';
         } else {
-          caller = await authService.resolveIdentity(jwt, authHeader, c.env.APP_PID);
+          // S3-CF Phase 1B: parameterize the caller RPC with the request's actual
+          // tenant via the SAME Host→tenant resolver the core uses — not a fixed
+          // env.APP_PID — so a multi-tenant embed verifies the caller against the
+          // right instance. Non-throwing: an unresolved host (multi) keeps the
+          // APP_PID fallback. Lazily required (NOT a top-level import) to avoid
+          // pulling the identity module into the worker's eager startup graph. This
+          // does NOT wrap the business handler's ALS context (the core owns that).
+          let callerInstanceDid: string | undefined = c.env.APP_PID;
+          try {
+            // eslint-disable-next-line global-require
+            const { resolveTenantForHost } = require('../api/src/libs/drivers/identity');
+            const resolved = await resolveTenantForHost(c.req.header('host'));
+            if (resolved) callerInstanceDid = resolved;
+          } catch {
+            /* unresolved host → keep the APP_PID fallback for the caller RPC param */
+          }
+          caller = await authService.resolveIdentity(jwt, authHeader, callerInstanceDid);
           authSource = 'rpc';
           if (caller && cacheKey) {
             cacheIdentity(cacheKey, caller);
@@ -351,10 +473,7 @@ function buildApp(env: Env): Hono<HonoEnv> {
     // --- Append Server-Timing header ---
     const totalDur = Math.round(performance.now() - t0);
     const d1 = getD1Timing();
-    const timings = [
-      `total;dur=${totalDur}`,
-      `auth;dur=${authDur};desc="${authSource}"`,
-    ];
+    const timings = [`total;dur=${totalDur}`, `auth;dur=${authDur};desc="${authSource}"`];
     if (d1.queries > 0) {
       timings.push(`db;dur=${Math.round(d1.wallMs)};desc="${d1.queries}q ${d1.rowsRead}r"`);
       if (d1.sqlMs > 0) timings.push(`db_sql;dur=${Math.round(d1.sqlMs)}`);
@@ -366,6 +485,14 @@ function buildApp(env: Env): Hono<HonoEnv> {
     c.res.headers.append('Server-Timing', timings.join(', '));
   });
 
+  // S3-CF Phase 1B: the ALS tenant context for payment `/api/*` business requests
+  // is owned by the CORE full pipeline (contextMiddleware), reached via
+  // service.http.fetch. The worker no longer wraps /api/* in tenantMiddleware() —
+  // that would double-resolve + double-wrap the tenant. The few worker-owned /api/*
+  // endpoints (dev/debug/proxies) run in single-mode default and never query under
+  // a per-request tenant. (DID payment actions get their context from the core
+  // buildConnectRoutesHono tenant middleware, also via http.fetch.)
+
   // Health check
   app.get('/health', (c) => c.json({ status: 'ok' }));
 
@@ -567,8 +694,9 @@ function buildApp(env: Env): Hono<HonoEnv> {
 
   // === DID Auth Login routes ===
   // Only proxy login-related /api/did/* paths to blocklet-service.
-  // Other /api/did/* paths (subscription, pay, collect, etc.) are Payment Kit's
-  // own DID Connect actions handled by attachDIDConnectRoutes below.
+  // Other /api/did/* paths (subscription, pay, collect, etc.) are Payment Kit's own
+  // DID Connect payment actions — they fall through to the /api/* → service.http.fetch
+  // dispatcher (the core full app's DID payment actions).
   const DID_AUTH_PROXY_PATHS = [
     '/api/did/login/',
     '/api/did/session',
@@ -579,7 +707,10 @@ function buildApp(env: Env): Hono<HonoEnv> {
   app.all('/api/did/*', async (c, next) => {
     const path = new URL(c.req.url).pathname;
     const shouldProxy = DID_AUTH_PROXY_PATHS.some((p) => path.startsWith(p) || path === p);
-    if (!shouldProxy) return next(); // Fall through to attachDIDConnectRoutes or Express routes
+    // S3-CF Phase 1B: non-proxy payment DID actions fall through to the /api/*
+    // dispatcher below → service.http.fetch (the core full app includes the DID
+    // payment actions via buildConnectRoutesHono).
+    if (!shouldProxy) return next();
 
     if (!c.env.AUTH_SERVICE) {
       return c.json({ error: 'AUTH_SERVICE not configured' }, 503);
@@ -596,22 +727,19 @@ function buildApp(env: Env): Hono<HonoEnv> {
   });
 
   // === DID Connect business actions (subscription, pay, collect, etc.) ===
-  if (env.APP_SK && env.DID_CONNECT_KV) {
-    try {
-      attachDIDConnectRoutes(app, env.DID_CONNECT_KV, env.APP_SK);
-      console.log('[CF Worker] DID Connect routes attached');
-    } catch (e: any) {
-      console.error('DID Connect init error:', e?.message || e);
-    }
-  }
+  // S3-CF Phase 1B: the 14 payment DID actions are part of the CORE full app and
+  // are reached through the /api/* → service.http.fetch dispatcher below (they were
+  // converged onto buildConnectRoutesHono in Phase 1A, backed by the CF DID-Connect
+  // runtime injected into the service above). No separate worker mount — one surface.
 
   // Notification unread count
   app.get('/api/notifications/unread-count', (c) => c.json({ unReadCount: 0 }));
 
-  // Manually trigger job dispatch (same as cron's runAllScheduledJobs)
+  // Manually trigger job dispatch (same as cron's scheduled() due-dispatch)
   app.post('/api/__dev__/dispatch-jobs', async (c) => {
-    const names = getAllHandlerNames();
-    const result = await runAllScheduledJobs();
+    const names = getAllQueueNames();
+    const result = await dispatchDueJobs();
+    await flushQueueWork();
     return c.json({ handlers: names, ...result });
   });
 
@@ -640,8 +768,9 @@ function buildApp(env: Env): Hono<HonoEnv> {
   // for creating PaymentMethods is owner-gated, and staging has no owner yet
   // (Pengfei's blocklet-service role is `member`). Gated by PAYMENT_LIVEMODE
   // === 'false' so this only ever touches testmode data.
-  // === Express-to-Hono Route Adapter ===
-  mountExpressRoutes(app, '/api', expressRoutes);
+  // S3-CF Phase 1B: payment business routes (and DID payment actions) are served by
+  // the core full app via the /api/* → service.http.fetch dispatcher, registered
+  // AFTER the worker's own /api/__dev__ routes so those match first.
 
   // Dev endpoint: D1 admin operations
   // Test CF Queue send directly
@@ -986,9 +1115,39 @@ function buildApp(env: Env): Hono<HonoEnv> {
     }
   });
 
-  // Catch-all for unimplemented API routes
-  app.all('/api/*', (c) => {
-    return c.json({ error: `Not yet implemented: ${c.req.method} ${c.req.path}` }, 501);
+  // S3-CF Phase 1B: the single payment HTTP surface. Every payment `/api/*` request
+  // (business resource routes + non-proxy DID payment actions) that wasn't handled
+  // by a worker-owned route above is forwarded to the CORE full app via
+  // service.http.fetch. The core full pipeline owns cors/xss/csrf/i18n/cdn/context
+  // + the resource routes + the DID payment actions — there is no more LITE
+  // resourceRoutes dispatcher and no second surface.
+  //
+  // The worker stays the HOST GLUE: it injects the caller identity it resolved
+  // (caller RPC) as canonical x-user-* request headers — the core authenticate()
+  // reads those — and STRIPS any client-supplied x-user-* first so it can never be
+  // forged (component auth via x-component-sig is verified cryptographically
+  // downstream and left intact). Raw body bytes are forwarded unconsumed (the
+  // worker never reads the body here), preserving Stripe webhook signature fidelity
+  // through to the core webhook route. flushQueueWork() drains the workerd deferred
+  // queue work before responding.
+  const USER_HEADERS = ['x-user-did', 'x-user-role', 'x-user-provider', 'x-user-fullname', 'x-user-wallet-os'];
+  app.all('/api/*', async (c) => {
+    const headers = new Headers(c.req.raw.headers);
+    for (const h of USER_HEADERS) headers.delete(h); // never trust a client-supplied identity header
+    const caller: CallerIdentityDTO | null = c.get('caller');
+    if (caller) {
+      const canonicalDid = caller.did?.startsWith('did:abt:') ? caller.did : `did:abt:${caller.did}`;
+      headers.set('x-user-did', canonicalDid);
+      headers.set('x-user-role', `blocklet-${caller.role || 'guest'}`);
+      headers.set('x-user-provider', caller.authMethod === 'access-key' ? 'access-key' : caller.authMethod || 'wallet');
+      headers.set('x-user-fullname', encodeURIComponent(caller.displayName || ''));
+      headers.set('x-user-wallet-os', '');
+    }
+    // No basePath: the standalone worker serves payment routes at the root /api/*,
+    // so the core full app matches them directly (raw bytes/headers carried verbatim).
+    const res = await service.http.fetch(new Request(c.req.raw, { headers }));
+    await flushQueueWork(); // drain workerd deferred queue work before responding
+    return res;
   });
 
   // === Media Kit Proxy ===
@@ -1158,347 +1317,6 @@ function buildApp(env: Env): Hono<HonoEnv> {
   return app;
 }
 
-// === Express-to-Hono Route Adapter ===
-
-function normalizeRoutePath(prefix: string, routePath: string): string {
-  let full = (prefix + routePath).replace(/\/+/g, '/');
-  if (!full.startsWith('/')) full = `/${full}`;
-  if (full.length > 1 && full.endsWith('/')) full = full.slice(0, -1);
-  return full;
-}
-
-function createExpressReq(c: any, routeParams: Record<string, string>): any {
-  const url = new URL(c.req.url);
-  const query: Record<string, any> = {};
-  url.searchParams.forEach((v, k) => {
-    query[k] = v;
-  });
-
-  const headers: Record<string, string> = {};
-  c.req.raw.headers.forEach((v: string, k: string) => {
-    headers[k.toLowerCase()] = v;
-  });
-
-  const req: any = {
-    method: c.req.method,
-    url: url.pathname + url.search,
-    path: url.pathname,
-    originalUrl: url.pathname + url.search,
-    query,
-    params: { ...routeParams },
-    body: null,
-    headers,
-    user: null,
-    // Worker-wide livemode is driven by the PAYMENT_LIVEMODE env var (set on
-    // each deployment). Routes that filter PaymentMethod by livemode rely on
-    // this value matching what we stored when bootstrapping the methods.
-    livemode: c.env?.PAYMENT_LIVEMODE !== 'false',
-    baseCurrency: null,
-    ip: headers['cf-connecting-ip'] || headers['x-forwarded-for'] || '127.0.0.1',
-    get(name: string) {
-      return headers[name.toLowerCase()];
-    },
-    header(name: string) {
-      return headers[name.toLowerCase()];
-    },
-  };
-
-  return req;
-}
-
-function createExpressRes(): any {
-  const res: any = {
-    _statusCode: 200,
-    _headers: {} as Record<string, string>,
-    _body: null as any,
-    _sent: false,
-    _redirectUrl: null as string | null,
-    headersSent: false,
-
-    status(code: number) {
-      res._statusCode = code;
-      return res;
-    },
-    json(data: any) {
-      if (res._sent) return res;
-      res._sent = true;
-      res.headersSent = true;
-      res._body = data;
-      res._headers['content-type'] = 'application/json';
-      return res;
-    },
-    send(data: any) {
-      if (res._sent) return res;
-      res._sent = true;
-      res.headersSent = true;
-      res._body = data;
-      return res;
-    },
-    redirect(urlOrStatus: any, url?: string) {
-      res._sent = true;
-      res.headersSent = true;
-      if (typeof urlOrStatus === 'number') {
-        res._statusCode = urlOrStatus;
-        res._redirectUrl = url;
-      } else {
-        res._statusCode = 302;
-        res._redirectUrl = urlOrStatus;
-      }
-      return res;
-    },
-    set(key: string, value: string) {
-      res._headers[key.toLowerCase()] = value;
-      return res;
-    },
-    setHeader(key: string, value: string) {
-      res._headers[key.toLowerCase()] = value;
-      return res;
-    },
-    cookie(_name: string, _value: string, _options?: any) {
-      return res;
-    },
-    end() {
-      if (!res._sent) {
-        res._sent = true;
-        res.headersSent = true;
-      }
-    },
-    type(t: string) {
-      res._headers['content-type'] = t;
-      return res;
-    },
-  };
-
-  Object.defineProperty(res, 'statusCode', {
-    get() {
-      return res._statusCode;
-    },
-    set(v: number) {
-      res._statusCode = v;
-    },
-  });
-
-  return res;
-}
-
-function expressResToResponse(res: any): Response {
-  if (res._redirectUrl) {
-    return Response.redirect(res._redirectUrl, res._statusCode || 302);
-  }
-
-  const headers = new Headers(res._headers);
-
-  if (res._body === null || res._body === undefined) {
-    return new Response(null, { status: res._statusCode, headers });
-  }
-
-  if (typeof res._body === 'string') {
-    return new Response(res._body, { status: res._statusCode, headers });
-  }
-
-  if (res._body instanceof ArrayBuffer || res._body instanceof Uint8Array) {
-    return new Response(res._body, { status: res._statusCode, headers });
-  }
-
-  if (!headers.has('content-type')) {
-    headers.set('content-type', 'application/json');
-  }
-  let jsonStr = JSON.stringify(res._body);
-  // Rewrite legacy blocklet server URLs to CF Workers domain
-  // Old format: https://old-domain/payment/methods/x.png -> https://cf-domain/methods/x.png
-  const cfAppUrl = ((globalThis as any).__CF_ENV__?.APP_URL || '').replace(/\/$/, '');
-  if (cfAppUrl) {
-    jsonStr = jsonStr
-      .split('https://bbqa7swuuaze4l2y5salvngyjyohlhq5fs5j42eokni.did.abtnet.io/payment/')
-      .join(`${cfAppUrl}/`);
-    jsonStr = jsonStr.split('https://bbqa7swuuaze4l2y5salvngyjyohlhq5fs5j42eokni.did.abtnet.io').join(cfAppUrl);
-  }
-  return new Response(jsonStr, { status: res._statusCode, headers });
-}
-
-async function runExpressHandlers(handlers: Function[], req: any, res: any): Promise<void> {
-  let idx = 0;
-
-  async function runNext(err?: any): Promise<void> {
-    if (err) {
-      console.error('[CF Worker] Express middleware error:', err?.message || err);
-      if (!res._sent) {
-        res.status(500).json({ error: err?.message || 'Internal Server Error' });
-      }
-      return;
-    }
-    if (idx >= handlers.length || res._sent) return;
-
-    const handler = handlers[idx++];
-    if (!handler) return runNext();
-
-    if (handler.length === 4) {
-      return runNext();
-    }
-
-    return new Promise<void>((resolve) => {
-      let nextCalled = false;
-
-      try {
-        const result = handler(req, res, (nextErr?: any) => {
-          nextCalled = true;
-          runNext(nextErr)
-            .then(resolve)
-            .catch((e: any) => {
-              if (!res._sent) res.status(500).json({ error: e?.message || 'Internal Server Error' });
-              resolve();
-            });
-        });
-
-        if (result && typeof result.then === 'function') {
-          result
-            .then(() => {
-              if (!nextCalled) {
-                resolve();
-              }
-            })
-            .catch((e: any) => {
-              console.error('[CF Worker] Async handler error:', e?.message || e);
-              if (!res._sent) res.status(500).json({ error: e?.message || 'Internal Server Error' });
-              resolve();
-            });
-        } else if (!nextCalled) {
-          resolve();
-        }
-      } catch (e: any) {
-        console.error('[CF Worker] Sync handler error:', e?.message || e);
-        if (!res._sent) res.status(500).json({ error: e?.message || 'Internal Server Error' });
-        resolve();
-      }
-    });
-  }
-
-  await runNext();
-}
-
-function mountExpressRoutes(honoApp: Hono<HonoEnv>, prefix: string, expressRouter: any) {
-  const routes: RouteEntry[] = expressRouter._routes || [];
-
-  console.log(`[CF Worker] Mounting ${routes.length} Express routes under ${prefix}`);
-
-  for (const route of routes) {
-    const fullPath = normalizeRoutePath(prefix, route.path);
-    const method = route.method.toLowerCase() as 'get' | 'post' | 'put' | 'patch' | 'delete';
-
-    if (!['get', 'post', 'put', 'patch', 'delete'].includes(method)) {
-      console.warn(`[CF Worker] Skipping unsupported method: ${route.method} ${fullPath}`);
-      continue;
-    }
-
-    honoApp[method](fullPath, async (c) => {
-      const req = createExpressReq(c, c.req.param());
-      const res = createExpressRes();
-
-      if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(c.req.method)) {
-        try {
-          const contentType = c.req.header('content-type') || '';
-          const isStripeWebhook = fullPath.includes('/integrations/stripe/webhook');
-
-          if (isStripeWebhook) {
-            const rawBody = await c.req.arrayBuffer();
-            req.body = Buffer.from(rawBody);
-            req.rawBody = req.body;
-          } else if (contentType.includes('application/json')) {
-            req.body = await c.req.json();
-          } else if (contentType.includes('application/x-www-form-urlencoded')) {
-            const text = await c.req.text();
-            req.body = Object.fromEntries(new URLSearchParams(text));
-          } else if (contentType.includes('text/')) {
-            req.body = await c.req.text();
-          } else {
-            try {
-              req.body = await c.req.json();
-            } catch {
-              try {
-                req.body = await c.req.text();
-              } catch {
-                req.body = null;
-              }
-            }
-          }
-        } catch {
-          req.body = {};
-        }
-      }
-
-      // Debug logging for webhook
-      if (fullPath.includes('stripe/webhook')) {
-        console.log('[CF Worker] Stripe webhook request received:', {
-          method: c.req.method,
-          path: fullPath,
-          hasSignature: !!req.headers['stripe-signature'],
-          bodyType: typeof req.body,
-          bodyLength: req.body?.length || 0,
-          isBuffer: Buffer.isBuffer(req.body),
-          handlersCount: route.handlers.length,
-        });
-      }
-
-      // Inject caller identity resolved by AUTH_SERVICE RPC (or mock fallback).
-      // AUTH_SERVICE returns the bare base58 address; Customer/Subscription queries
-      // and entitlement lookups expect the canonical `did:abt:…` form, so we
-      // normalize once here at the boundary instead of in every downstream call site.
-      const caller: CallerIdentityDTO | null = c.get('caller');
-      if (caller) {
-        const canonicalDid = caller.did?.startsWith('did:abt:') ? caller.did : `did:abt:${caller.did}`;
-        req.user = {
-          did: canonicalDid,
-          role: caller.role || 'guest',
-          provider: caller.authMethod === 'access-key' ? 'access-key' : 'wallet',
-          fullName: caller.displayName || '',
-          walletOS: '',
-          via: 'dashboard',
-        };
-        req.headers['x-user-did'] = canonicalDid;
-        req.headers['x-user-role'] = `blocklet-${caller.role || 'guest'}`;
-        req.headers['x-user-provider'] = caller.authMethod || 'wallet';
-        req.headers['x-user-fullname'] = encodeURIComponent(caller.displayName || '');
-        req.headers['x-user-wallet-os'] = '';
-      } else {
-        req.user = { did: '', role: 'guest', provider: '', fullName: '', walletOS: '', via: '' };
-      }
-
-      try {
-        await runExpressHandlers(route.handlers, req, res);
-      } catch (e: any) {
-        console.error(
-          `[CF Worker] Unhandled error in ${route.method} ${fullPath}:`,
-          e?.message || e,
-          '\n',
-          e?.stack?.split('\n').slice(0, 8).join('\n')
-        );
-        if (!res._sent) {
-          res.status(500).json({ error: e?.message || 'Internal Server Error' });
-        }
-      }
-
-      // Debug logging for webhook response
-      if (fullPath.includes('stripe/webhook')) {
-        console.log('[CF Worker] Stripe webhook handler result:', {
-          sent: res._sent,
-          statusCode: res._statusCode,
-          body:
-            typeof res._body === 'string' ? res._body.substring(0, 200) : JSON.stringify(res._body)?.substring(0, 200),
-        });
-      }
-
-      // Ensure all async push() jobs complete before returning
-      await flushPendingJobs();
-
-      if (!res._sent) {
-        console.warn(`[CF Worker] No response sent for ${route.method} ${fullPath}`);
-        return c.json({ error: 'No response from handler' }, 500);
-      }
-
-      return expressResToResponse(res);
-    });
-  }
-}
 
 // === Shared env setup for scheduled/queue handlers ===
 function setupEnv(env: Env) {
@@ -1509,21 +1327,13 @@ function setupEnv(env: Env) {
   // Queue consumer and cron: NOT HTTP context — createEvent must block (listeners complete before ack/return)
   (globalThis as any).__cfHttpContext__ = false;
   setDB(env.DB.withSession('first-primary'));
-  if (env.JOB_QUEUE) setCFQueue(env.JOB_QUEUE);
-  ensureModelsInit();
-
-  if (typeof process !== 'undefined' && process.env) {
-    if (env.APP_URL) {
-      process.env.APP_URL = env.APP_URL;
-      process.env.BLOCKLET_APP_URL = env.APP_URL;
-    }
-    if (env.APP_PID) {
-      process.env.BLOCKLET_APP_PID = env.APP_PID;
-      process.env.BLOCKLET_APP_ID = env.APP_PID;
-    }
-    if (env.APP_NAME) process.env.BLOCKLET_APP_NAME = env.APP_NAME;
-    process.env.BLOCKLET_MODE = 'production';
-  }
+  // Phase 12c: assemble the service so the CONFIG SLOT (setCoreConfig) is
+  // authoritative on the scheduled()/queue() paths too. envToPaymentCoreConfig
+  // carries BLOCKLET_MODE + every key the old setupEnv process.env mirror set,
+  // and the core reads them only through libs/env.ts readConfig — so the worker
+  // env mirror is deleted (no more process.env fallback). Idempotent + cached;
+  // also binds models, so ensureModelsInit() is subsumed.
+  ensurePaymentService(env);
 
   // Security init is handled in the per-request middleware (first request only)
 }
@@ -1531,7 +1341,6 @@ function setupEnv(env: Env) {
 // === Export ===
 export default {
   async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
-    setWaitUntil((p) => ctx.waitUntil(p));
     // Expose waitUntil globally for createEvent to use in HTTP context
     (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => ctx.waitUntil(p);
 
@@ -1542,7 +1351,8 @@ export default {
   async scheduled(event: ScheduledEvent, env: Env, ctx: ExecutionContext) {
     setupEnv(env);
     ensureCronsInit();
-    setWaitUntil((p) => ctx.waitUntil(p));
+    await ensureTenantBackfill();
+    (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => ctx.waitUntil(p);
 
     console.log('Scheduled event:', event.cron, 'scheduledTime:', event.scheduledTime);
 
@@ -1555,54 +1365,57 @@ export default {
     // execution crosses a minute boundary, matching on wall-clock would miss
     // exact-minute crons like "0 1 * * * *".
     await cronInstance.runAll(new Date(event.scheduledTime));
-    await runAllScheduledJobs();
-    await flushPendingJobs();
+    // Phase 12b: the workerd trigger for the node queue engine's due-job
+    // re-dispatch. dispatchDueJobs() runs each scheduled queue's redispatchDue()
+    // (the same cancel-then-replay-from-store body the node loop() runs on a
+    // timer), then flushQueueWork() drains the re-pushed executions before the
+    // isolate freezes.
+    await dispatchDueJobs();
+    await flushQueueWork();
   },
 
-  // CF Queue consumer — processes jobs sent by push() in the queue shim
+  // CF Queue consumer — resolves the SAME core queue handle by name and runs
+  // the job through the engine's runJobWithTenant/onJob/retry/cancel path. Under
+  // the canonical node-engine model immediate jobs execute in-isolate via fastq
+  // (nothing is sent to CF Queue), so this consumer is the back-compat path for
+  // any message still on JOB_QUEUE — it must never fork the engine.
   async queue(
     batch: MessageBatch<{ queueName: string; jobId: string; job: any; persist?: boolean }>,
     env: Env,
-    ctx: ExecutionContext,
+    ctx: ExecutionContext
   ) {
     setupEnv(env);
-    setWaitUntil((p) => ctx.waitUntil(p));
+    (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => ctx.waitUntil(p);
 
     console.log(`[queue:consumer] Received batch of ${batch.messages.length} messages`);
 
     for (const msg of batch.messages) {
-      const { queueName, jobId, job, persist } = msg.body;
+      const { queueName, jobId, job } = msg.body;
 
-      const handler = getHandler(queueName);
+      const handle = getQueueHandler(queueName);
 
-      if (!handler) {
-        console.error(`[queue:consumer] No handler registered for queue "${queueName}", acking message`);
+      if (!handle) {
+        console.error(`[queue:consumer] No core queue registered for "${queueName}", acking message`);
         msg.ack();
         continue;
       }
 
-      // persist defaults to true for backward compatibility and for direct
-      // push() immediate jobs (where addJob wrote the row, so we must delete
-      // it after onJob succeeds).
-      //
-      // Scheduled dispatches from runAllScheduledJobs set persist=false —
-      // the dispatcher already deleted the D1 row before sending, and
-      // onJob may have re-pushed a fresh row with the same id; deleting
-      // again would wipe out that new row.
-      const shouldPersist = persist !== false;
-
       try {
-        console.log(`[queue:consumer] Processing ${queueName}:${jobId} (persist=${shouldPersist})`);
-        await handler.executeJob(jobId, job, shouldPersist);
+        console.log(`[queue:consumer] Processing ${queueName}:${jobId}`);
+        // persist:false — the row already exists in D1 (the original push wrote
+        // it); re-running inline through pushAndWait executes onJob and clears
+        // the row on success without a duplicate-addJob that would hang.
+        // eslint-disable-next-line no-await-in-loop
+        await handle.pushAndWait({ job, id: jobId, persist: false });
         console.log(`[queue:consumer] Completed ${queueName}:${jobId}`);
         msg.ack();
       } catch (err: any) {
         console.error(`[queue:consumer] Failed ${queueName}:${jobId}:`, err?.message || err);
-        // Don't retry via CF Queue — job is in D1, cron will re-dispatch
+        // Don't retry via CF Queue — job is in D1, scheduled() will re-dispatch
         msg.ack();
       }
     }
 
-    await flushPendingJobs();
+    await flushQueueWork();
   },
 };