payment-kit 1.29.1 → 1.29.3

package/cloudflare/wrangler.json

@@ -17,12 +17,6 @@
       "migrations_dir": "migrations"
     }
   ],
-  "kv_namespaces": [
-    {
-      "binding": "DID_CONNECT_KV",
-      "id": "ca0bd29c73864115b713e1db11d97cd2"
-    }
-  ],
   "services": [
     {
       "binding": "MEDIA_KIT",

package/cloudflare/wrangler.jsonc

@@ -17,12 +17,6 @@
       "database_id": "ea6c75d0-39b8-40cd-a0ae-a2062e77c4b9"
     }
   ],
-  "kv_namespaces": [
-    {
-      "binding": "DID_CONNECT_KV",
-      "id": "ca0bd29c73864115b713e1db11d97cd2"
-    }
-  ],
   "hyperdrive": [
     {
       "binding": "HYPERDRIVE",

package/cloudflare/wrangler.local-e2e.jsonc

@@ -0,0 +1,25 @@
+{
+  // Stripped LOCAL-ONLY config for the express→hono Phase 4 CF runtime E2E.
+  // Drops the external service bindings (AUTH_SERVICE / MEDIA_KIT — separate
+  // workers not in this repo), HYPERDRIVE, queues, assets, and crons so the worker
+  // boots under `wrangler dev` with just a local D1 + KV. Auth is therefore absent
+  // (caller resolves to null) — only PUBLIC read routes + the 404 path are testable.
+  "name": "payment-kit-local-e2e",
+  "main": "dist/worker.js",
+  "compatibility_date": "2024-12-01",
+  "compatibility_flags": ["nodejs_compat"],
+  "d1_databases": [
+    {
+      "binding": "DB",
+      "database_name": "payment-kit-prod",
+      "database_id": "ea6c75d0-39b8-40cd-a0ae-a2062e77c4b9",
+      "migrations_dir": "migrations"
+    }
+  ],
+  "vars": {
+    "APP_NAME": "Payment Kit",
+    "APP_PID": "payment-kit-dev",
+    "APP_URL": "http://localhost:8787",
+    "PAYMENT_LIVEMODE": "false"
+  }
+}

package/cloudflare/wrangler.staging.json

@@ -18,12 +18,6 @@
       "migrations_dir": "migrations"
     }
   ],
-  "kv_namespaces": [
-    {
-      "binding": "DID_CONNECT_KV",
-      "id": "a2c98f81bc974fcabc191766698d170f"
-    }
-  ],
   "services": [
     {
       "binding": "MEDIA_KIT",

package/jest.config.js

@@ -13,7 +13,9 @@ module.exports = {
     '^.+\\.js$': ['babel-jest', { presets: [['@babel/preset-env', { targets: { node: 'current' } }]] }],
   },
   transformIgnorePatterns: [
-    'node_modules/(?!.*(@noble|@scure|string-width|strip-ansi|ansi-regex)/)',
+    // `validator` ships an ESM build under validator/es/* that resource routes
+    // (customers) import directly; transform it so jest can load those routes.
+    'node_modules/(?!.*(@noble|@scure|string-width|strip-ansi|ansi-regex|p-retry|is-network-error|validator|uuid)/)',
   ],
   testMatch: ['**/tests/**/*.spec.ts'],
   collectCoverageFrom: ['api/src/**/*.ts'],

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "payment-kit",
-  "version": "1.29.1",
+  "version": "1.29.3",
   "scripts": {
     "dev": "blocklet dev --open",
     "prelint": "npm run types",
-    "lint": "tsc --noEmit && eslint src api/src --ext .mjs,.js,.jsx,.ts,.tsx",
+    "lint": "tsc --noEmit && eslint src api/src --ext .mjs,.js,.jsx,.ts,.tsx && node scripts/scan-tenant-queries.js && node scripts/scan-core-env.js",
     "lint:fix": "pnpm run lint --fix",
     "format": "prettier -w src",
     "test": "node scripts/jest.js",
@@ -46,60 +46,55 @@
     ]
   },
   "dependencies": {
-    "@abtnode/cron": "^1.17.12",
+    "@abtnode/cron": "^1.17.13-beta-20260613-094425-b81920c8",
     "@apple/app-store-server-library": "^3.1.0",
-    "@arcblock/did": "^1.30.9",
-    "@arcblock/did-connect-js": "4.0.0",
-    "@arcblock/did-connect-react": "^3.5.2",
+    "@arcblock/did": "^1.30.24",
+    "@arcblock/did-connect-js": "^4.0.5",
+    "@arcblock/did-connect-react": "^3.5.4",
     "@arcblock/did-connect-storage-nedb": "^1.8.0",
-    "@arcblock/did-util": "^1.30.9",
-    "@arcblock/jwt": "^1.30.9",
-    "@arcblock/react-hooks": "^3.5.2",
-    "@arcblock/ux": "^3.5.2",
-    "@arcblock/validator": "^1.30.9",
-    "@arcblock/vc": "^1.30.9",
-    "@blocklet/did-space-js": "^1.2.23",
+    "@arcblock/did-util": "^1.30.24",
+    "@arcblock/jwt": "^1.30.24",
+    "@arcblock/react-hooks": "^3.5.4",
+    "@arcblock/ux": "^3.5.4",
+    "@arcblock/validator": "^1.30.24",
+    "@arcblock/vc": "^1.30.24",
     "@blocklet/error": "^0.3.5",
-    "@blocklet/js-sdk": "^1.17.12",
-    "@blocklet/logger": "^1.17.12",
-    "@blocklet/payment-broker-client": "1.29.1",
-    "@blocklet/payment-react": "1.29.1",
-    "@blocklet/payment-vendor": "1.29.1",
-    "@blocklet/sdk": "^1.17.12",
-    "@blocklet/ui-react": "^3.5.2",
+    "@blocklet/js-sdk": "^1.17.13-beta-20260613-094425-b81920c8",
+    "@blocklet/logger": "^1.17.13-beta-20260613-094425-b81920c8",
+    "@blocklet/payment-broker-client": "1.29.3",
+    "@blocklet/payment-react": "1.29.3",
+    "@blocklet/payment-vendor": "1.29.3",
+    "@blocklet/sdk": "^1.17.13-beta-20260613-094425-b81920c8",
+    "@blocklet/ui-react": "^3.5.4",
     "@blocklet/uploader": "^0.3.20",
     "@blocklet/xss": "^0.3.16",
+    "@hono/node-server": "2.0.4",
     "@mui/icons-material": "^7.1.2",
     "@mui/lab": "7.0.0-beta.14",
     "@mui/material": "^7.1.2",
     "@mui/system": "^7.1.1",
-    "@ocap/asset": "^1.30.9",
-    "@ocap/client": "^1.30.9",
-    "@ocap/mcrypto": "^1.30.9",
-    "@ocap/util": "^1.30.9",
-    "@ocap/wallet": "^1.30.9",
+    "@ocap/asset": "^1.30.24",
+    "@ocap/client": "^1.30.24",
+    "@ocap/mcrypto": "^1.30.24",
+    "@ocap/util": "^1.30.24",
+    "@ocap/wallet": "^1.30.24",
     "@stripe/react-stripe-js": "^2.9.0",
     "@stripe/stripe-js": "^2.4.0",
     "ahooks": "^3.8.5",
     "axios": "^1.15.2",
     "bignumber.js": "^9.3.1",
-    "body-parser": "^1.20.3",
     "cls-hooked": "^4.2.2",
-    "cookie-parser": "^1.4.7",
     "copy-to-clipboard": "^3.3.3",
-    "cors": "^2.8.5",
     "date-fns": "^3.6.0",
     "dayjs": "^1.11.13",
     "debug": "^4.4.1",
     "dotenv-flow": "^3.3.0",
     "ethers": "^6.14.4",
-    "express": "^4.21.2",
-    "express-async-errors": "^3.1.1",
-    "express-history-api-fallback": "^2.2.1",
     "fastq": "^1.19.1",
     "flat": "^5.0.2",
     "google-libphonenumber": "^3.2.42",
     "google-play-billing-validator": "^2.1.3",
+    "hono": "4.12.12",
     "html2canvas": "^1.4.1",
     "iframe-resizer-react": "^1.1.1",
     "joi": "17.12.2",
@@ -125,7 +120,7 @@
     "react-router-dom": "^6.30.3",
     "recharts": "^2.15.4",
     "rimraf": "^3.0.2",
-    "sequelize": "^6.37.8",
+    "sequelize": "~6.37.8",
     "sql-where-parser": "^2.2.1",
     "sqlite3": "^5.1.7",
     "stripe": "^13.11.0",
@@ -138,14 +133,12 @@
     "web3": "^4.16.0"
   },
   "devDependencies": {
-    "@abtnode/types": "^1.17.12",
+    "@abtnode/types": "^1.17.13-beta-20260613-094425-b81920c8",
     "@arcblock/eslint-config-ts": "^0.3.3",
-    "@blocklet/payment-types": "1.29.1",
-    "@types/cookie-parser": "^1.4.9",
-    "@types/cors": "^2.8.19",
+    "@blocklet/payment-types": "1.29.3",
+    "@types/connect": "^3.4.38",
     "@types/debug": "^4.1.12",
     "@types/dotenv-flow": "^3.3.3",
-    "@types/express": "^4.17.23",
     "@types/node": "^18.19.112",
     "@types/node-apple-receipt-verify": "^1.7.5",
     "@types/react": "^18.3.23",
@@ -154,6 +147,7 @@
     "babel-plugin-lodash": "^3.3.4",
     "bumpp": "^8.2.1",
     "code-inspector-plugin": "^1.2.3",
+    "connect": "^3.7.0",
     "cross-env": "^7.0.3",
     "eslint": "^8.57.1",
     "import-sort-style-module": "^6.0.0",
@@ -176,6 +170,7 @@
     "vite-plugin-node-polyfills": "^0.23.0",
     "vite-plugin-svgr": "^4.3.0",
     "vite-tsconfig-paths": "^5.1.4",
+    "wrangler": "^4.100.0",
     "zx": "^8.8.5"
   },
   "importSort": {
@@ -188,5 +183,5 @@
       "parser": "typescript"
     }
   },
-  "gitHead": "e66e469df2a1ed80e15b17fd8511c2ce01a0a54e"
+  "gitHead": "0bd49f9b9586e307b51d1f5a6b042e82c39366ef"
 }

package/scripts/bootstrap-inject.ts

@@ -0,0 +1,166 @@
+// P2 (README D2 / F2) — runtime-neutral bootstrap helper.
+//
+// Parameterizes the formerly CF-only `cf-inject-blocklet` logic
+// (cloudflare/vite.config.ts) so the node arc build (vite.arc.config.ts) and the
+// CF build share ONE source for the build-time HTML bootstrap. The pure
+// functions `buildBootstrap` / `mergeRemote` are jest-assertable
+// (api/tests/bootstrap/bootstrap.spec.ts); `buildBootstrapScript` serializes
+// `mergeRemote` (via .toString()) into the inline <script> so the browser runs
+// the identical merge at runtime.
+//
+// D-3 (user-confirmed 2026-06-14) put this under blocklets/core/build/. That
+// path is .gitignored (`blocklets/core/.gitignore:13` — `build` = production
+// outputs), so the file could never be tracked there. It lives in scripts/
+// instead — same intent (under blocklets/core, adjacent to both vite configs,
+// zero cross-package dep, where build tooling already lives: jest.js,
+// build-clean.js) but tracked. Extension is `.ts` (not `.mjs`) so ts-jest can
+// unit-test the pure functions directly; both vite configs are `.ts` and import
+// it natively.
+
+// Source of truth: packages/react/src/libs/util.ts:33. Re-declared here to keep
+// this build helper free of the heavy browser util graph (the only thing the
+// build needs from it is the bare DID literal).
+export const PAYMENT_KIT_DID = 'z2qaCNvKMv5GjouKdcDWexv6WqtHbpNPQDnAk';
+
+export interface BootstrapOptions {
+  /** the host's UI mount prefix (node arc = '/.well-known/payment'; cf custom). */
+  uiPrefix: string;
+  /** PAYMENT_KIT_DID so getPrefix() (packages/react/src/libs/util.ts:87) takes
+   *  the `componentId === PAYMENT_KIT_DID` branch and resolves to uiPrefix. */
+  componentId: string;
+  /** root-exact `/__blocklet__.js?type=json` — NEVER under uiPrefix (T2.3). */
+  remoteBlockletUrl: string;
+  /** session service host (node arc = arc '/.well-known/service'); CF root-deploy
+   *  omits it so window.blocklet.serviceHost stays undefined (app.tsx falls back
+   *  to prefix — P5 T5.1). */
+  serviceHost?: string;
+  /** baked appUrl; defaults to window.location.origin at runtime when omitted. */
+  appUrl?: string;
+  /** keys the remote __blocklet__.js must NOT clobber (G3 — `prefix` included). */
+  localOnly?: string[];
+  /** host-owned extras merged into the base bootstrap (navigation, mountpoints). */
+  extra?: Record<string, any>;
+}
+
+// G3: `prefix` MUST be local-only so the app-root prefix from the remote
+// __blocklet__.js never overwrites the payment reserved prefix.
+const DEFAULT_LOCAL_ONLY = ['prefix', 'navigation', 'componentMountPoints'];
+
+/**
+ * Build the synchronous window.blocklet skeleton. Pure — no IO, no globals.
+ * Throws (T2.3 regression lock) when remoteBlockletUrl is not root-exact, so a
+ * misconfigured build fails loudly at build time instead of silently fetching
+ * `/.well-known/payment/__blocklet__.js` (inside the reserved prefix).
+ */
+export function buildBootstrap(opts: BootstrapOptions): Record<string, any> {
+  const { uiPrefix, componentId, remoteBlockletUrl, serviceHost, appUrl, extra } = opts;
+  const localOnly = opts.localOnly || DEFAULT_LOCAL_ONLY;
+
+  if (!remoteBlockletUrl.startsWith('/__blocklet__')) {
+    throw new Error(`remoteBlockletUrl must be root-exact (start with /__blocklet__), got: ${remoteBlockletUrl}`);
+  }
+  if (uiPrefix !== '/' && remoteBlockletUrl.startsWith(uiPrefix)) {
+    throw new Error(`remoteBlockletUrl must not fall under uiPrefix ${uiPrefix}: ${remoteBlockletUrl}`);
+  }
+
+  return {
+    prefix: uiPrefix,
+    groupPrefix: uiPrefix,
+    componentId,
+    serviceHost,
+    appUrl: appUrl || '',
+    remoteBlockletUrl,
+    localOnly,
+    // @blocklet/ui-react nav/dashboard iterate these with .forEach — default to []
+    // so a host that doesn't override via `extra` never crashes on undefined. They
+    // are in localOnly, so the remote __blocklet__.js merge can't clobber them
+    // (AUTH_SERVICE doesn't know this blocklet's nav / mount points).
+    navigation: [],
+    componentMountPoints: [],
+    ...(extra || {}),
+  };
+}
+
+/**
+ * Merge the remote per-app __blocklet__.js JSON onto the local bootstrap.
+ *
+ * SELF-CONTAINED (no module-scope refs) so `buildBootstrapScript` can embed it
+ * via `.toString()` and the browser runs the identical merge. Guards:
+ *   - localOnly keys (prefix/navigation/componentMountPoints) are never clobbered
+ *   - __proto__/constructor/prototype keys are dropped (prototype-pollution)
+ *   - string values are angle-bracket escaped (<,> → entities) — blocks tag
+ *     injection without corrupting URL query strings (& preserved)
+ *   - payloads > 256KB are refused (resource exhaustion)
+ */
+export function mergeRemote(
+  wb: Record<string, any>,
+  remote: Record<string, any>,
+  localOnlyArg?: string[]
+): Record<string, any> {
+  var localOnly = localOnlyArg || (wb && wb.localOnly) || ['prefix', 'navigation', 'componentMountPoints'];
+
+  if (remote && typeof remote === 'object') {
+    var size = 0;
+    try {
+      size = JSON.stringify(remote).length;
+    } catch (e) {
+      size = Infinity;
+    }
+    if (size > 256 * 1024) {
+      throw new Error('remote bootstrap payload too large (>256KB), refusing merge');
+    }
+  }
+
+  var out: Record<string, any> = {};
+  Object.keys(wb || {}).forEach(function (k) {
+    out[k] = wb[k];
+  });
+  Object.keys(remote || {}).forEach(function (k) {
+    if (k === '__proto__' || k === 'constructor' || k === 'prototype') return;
+    // componentId is a structural invariant (getPrefix's PAYMENT_KIT_DID branch),
+    // protected independently of the configurable localOnly list.
+    if (k === 'componentId') return;
+    if (localOnly.indexOf(k) !== -1) return;
+    var v = remote[k];
+    if (typeof v === 'string') {
+      v = v.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+    }
+    out[k] = v;
+  });
+  return out;
+}
+
+/**
+ * Produce the inline <script> for transformIndexHtml. Bakes the validated
+ * buildBootstrap() result as the synchronous window.blocklet, then embeds
+ * mergeRemote (serialized) so the runtime XHR merge is the same code jest tests.
+ */
+export function buildBootstrapScript(opts: BootstrapOptions): string {
+  const wb = buildBootstrap(opts);
+  const initial = JSON.stringify(wb);
+  const remoteUrl = JSON.stringify(wb.remoteBlockletUrl);
+  return `<script>
+window.global = globalThis;
+if (!window.blocklet) {
+  window.blocklet = ${initial};
+  window.blocklet.appUrl = window.blocklet.appUrl || window.location.origin;
+}
+(function () {
+  try {
+    var xhr = new XMLHttpRequest();
+    var url = ${remoteUrl};
+    xhr.open('GET', url + (url.indexOf('?') === -1 ? '?' : '&') + '_t=' + Date.now(), false);
+    xhr.send();
+    if (xhr.status === 200) {
+      var remote = JSON.parse(xhr.responseText);
+      window.blocklet = (${mergeRemote.toString()})(window.blocklet, remote);
+      if (!window.blocklet.env) window.blocklet.env = {};
+      window.blocklet.env.appName = window.blocklet.appName || '';
+      window.blocklet.env.appDescription = window.blocklet.appDescription || '';
+      window.blocklet.env.appLogo = window.blocklet.appLogo || '';
+      window.blocklet.env.appUrl = window.blocklet.appUrl || '';
+    }
+  } catch (e) { /* ignore — fall back to sync bootstrap */ }
+})();
+</script>`;
+}

package/scripts/core-env-whitelist.json

@@ -0,0 +1 @@
+[]

package/scripts/e2e-12b-runtime.ts

@@ -0,0 +1,149 @@
+// Phase 12b E2E harness — drives the core queue RUNTIME surface against a real
+// sqlite DB (outside jest) and prints JSON-shaped results for the build-phases
+// E2E hard gate. Proves worker(workerd) ↔ node parity for delay/cancel and that
+// the host-driven dispatchDueJobs()/flushQueueWork() seam runs the SAME engine.
+//
+// Run: npx tsx scripts/e2e-12b-runtime.ts   (cwd = blocklets/core)
+/* eslint-disable no-console, global-require, @typescript-eslint/no-var-requires */
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+const TENANT_A = 'did:abt:zE2E12BA';
+
+async function main() {
+  const STORE_DIR = path.join(process.cwd(), 'api/src/store');
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-12b-'));
+  // store/migrate.ts eagerly builds a sequelize at module-load (needs a data
+  // dir). We bind models to our OWN sqlite below; this just satisfies the eager
+  // path. Set BEFORE any in-repo require.
+  process.env.BLOCKLET_DATA_DIR = dir;
+  process.env.NODE_ENV = process.env.NODE_ENV || 'test';
+  // single-mode default tenant for the tenant-backfill migration + config gate
+  process.env.BLOCKLET_APP_PID = process.env.BLOCKLET_APP_PID || TENANT_A;
+  process.env.BLOCKLET_APP_ID = process.env.BLOCKLET_APP_ID || TENANT_A;
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'e2e.db'), logging: false });
+  const qi = sequelize.getQueryInterface();
+  const migDir = path.join(STORE_DIR, 'migrations');
+  const migrations = fs
+    .readdirSync(migDir)
+    .filter((f) => f.endsWith('.ts'))
+    .sort()
+    .map((f) => {
+      const mod = require(path.join(migDir, f));
+      return { name: f, up: async () => mod.up({ context: qi }), down: async () => mod.down({ context: qi }) };
+    });
+  const umzug = new Umzug({ migrations, storage: new SequelizeStorage({ sequelize }), logger: undefined });
+  await umzug.up();
+  require('../api/src/store/models').initialize(sequelize);
+
+  const createQueue = require('../api/src/libs/queue').default;
+  const {
+    setQueueRuntimeMode,
+    getAllQueueNames,
+    dispatchDueJobs,
+    flushQueueWork,
+  } = require('../api/src/libs/queue/runtime');
+
+  const out: any[] = [];
+  const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+  // --- S12b.1 registry non-empty (canonical engine, not the dead shim) ---
+  setQueueRuntimeMode('workerd');
+  let ranDue = 0;
+  const q = createQueue({
+    name: 'e2e-due',
+    onJob: async () => {
+      ranDue += 1;
+    },
+    options: { enableScheduledJob: true },
+  });
+  out.push({ case: 'S12b.1 registry non-empty', input: 'createQueue(e2e-due)', output: { queues: getAllQueueNames() } });
+
+  // --- S12b.2 workerd disables the background loop (no auto-dispatch) ---
+  await q.store.addJob('due-1', { v: 1, instance_did: TENANT_A }, { delay: 5, will_run_at: Date.now() - 1000 });
+  await sleep(80);
+  out.push({ case: 'S12b.2 workerd loop disabled', input: 'due delayed row + wait 80ms', output: { ranBeforeDispatch: ranDue } });
+
+  // --- S12b.3 host-driven dispatchDueJobs executes the due delayed job once ---
+  const dispatchResult = await dispatchDueJobs();
+  await flushQueueWork();
+  out.push({
+    case: 'S12b.3 dispatchDueJobs executes due job once',
+    input: 'dispatchDueJobs() + flushQueueWork()',
+    output: { dispatched: dispatchResult.dispatched, ran: ranDue, rowCleared: (await q.store.getJob('due-1')) === null },
+  });
+
+  // --- S12b.4 NEGATIVE: cancel an in-flight delayed job — no half-execution ---
+  let ranCancel = 0;
+  const qc = createQueue({
+    name: 'e2e-cancel',
+    onJob: async () => {
+      ranCancel += 1;
+    },
+    options: { enableScheduledJob: true },
+  });
+  await qc.store.addJob('cancel-1', { v: 1, instance_did: TENANT_A }, { delay: 5, will_run_at: Date.now() - 1000 });
+  await qc.cancel('cancel-1');
+  const cancelDispatch = await dispatchDueJobs();
+  await flushQueueWork();
+  out.push({
+    case: 'S12b.4 cancel in-flight leaves no residue',
+    input: 'cancel(cancel-1) before dispatchDueJobs()',
+    output: { dispatched: cancelDispatch.dispatched, ran: ranCancel },
+  });
+
+  // --- S12b.5 node entry parity: same redispatchDue body runs on a node loop ---
+  setQueueRuntimeMode('node');
+  let ranNode = 0;
+  const qn = createQueue({
+    name: 'e2e-node',
+    onJob: async () => {
+      ranNode += 1;
+    },
+    options: { enableScheduledJob: true, retryDelay: 1 },
+  });
+  await qn.store.addJob('node-1', { v: 1, instance_did: TENANT_A }, { delay: 2, will_run_at: Date.now() - 1000 });
+  // node loop polls every minDelay/2 (~1s in test) — wait for one cycle
+  await sleep(1500);
+  out.push({
+    case: 'S12b.5 node loop dispatches the same way',
+    input: 'node-mode delayed row + wait one poll cycle',
+    output: { ran: ranNode, rowCleared: (await qn.store.getJob('node-1')) === null },
+  });
+
+  // --- S12b.6 retry parity (node engine): maxRetries attempts then failed ---
+  let attempts = 0;
+  const qr = createQueue({
+    name: 'e2e-retry',
+    onJob: async () => {
+      attempts += 1;
+      throw new Error('always');
+    },
+    options: { maxRetries: 3, retryDelay: 1 },
+  });
+  const settled: any = await new Promise((resolve) => {
+    const ev = qr.push({ job: { v: 1, instance_did: TENANT_A } });
+    ev.on('failed', (d: any) => resolve({ event: 'failed', id: d.id }));
+    ev.on('finished', (d: any) => resolve({ event: 'finished', id: d.id }));
+  });
+  out.push({
+    case: 'S12b.6 retry up to maxRetries then failed',
+    input: 'maxRetries:3 onJob always throws',
+    output: { event: settled.event, attempts },
+  });
+
+  console.log(JSON.stringify({ phase: '12b', success: true, cases: out }, null, 2));
+
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+  process.exit(0);
+}
+
+main().catch((err) => {
+  console.log(JSON.stringify({ phase: '12b', success: false, error: err?.message || String(err) }));
+  console.error(err?.stack || err);
+  process.exit(1);
+});

package/scripts/e2e-core-config.ts

@@ -0,0 +1,125 @@
+/* eslint-disable no-console */
+// Phase 8 (W2′) deterministic E2E: prove the injected config slot is authoritative
+// and fails closed on a missing required field. Emits raw JSON for each call.
+//
+//   npx tsx scripts/e2e-core-config.ts
+
+import { setCoreConfig, readConfig } from '../api/src/libs/env';
+import { getTenantMode, getDefaultInstanceDid, setDefaultInstanceDid } from '../api/src/libs/tenant';
+import { createEmbeddedPaymentService } from '../api/src/service';
+
+function emit(label: string, input: any, output: any) {
+  console.log(`=== ${label} ===`);
+  console.log(`input: ${JSON.stringify(input)}`);
+  console.log(`output: ${JSON.stringify(output)}`);
+  console.log('');
+}
+
+function tryFactory(slots: any): { threw: boolean; name?: string; code?: string; field?: string; message?: string } {
+  try {
+    createEmbeddedPaymentService(slots);
+    return { threw: false };
+  } catch (err: any) {
+    return { threw: true, name: err?.name, code: err?.code, field: err?.field, message: err?.message };
+  }
+}
+
+function main() {
+  const checks: Array<[string, boolean]> = [];
+
+  // ---- Happy: injected config is authoritative, env is the fallback ----
+  process.env.E2E_KEY = 'from-env';
+  setCoreConfig({ E2E_KEY: 'from-config', PAYMENT_TENANT_MODE: 'multi' });
+  const injected = readConfig('E2E_KEY');
+  emit('S8.1 injected config wins over process.env', { env: 'from-env', config: 'from-config' }, { read: injected });
+  checks.push(['injected config wins', injected === 'from-config']);
+
+  setCoreConfig({ ONLY: 'x' });
+  const fallback = readConfig('E2E_KEY');
+  emit('S8.2 fallback to process.env when key absent from config', { configKeys: ['ONLY'] }, { read: fallback });
+  checks.push(['fallback to env', fallback === 'from-env']);
+  delete process.env.E2E_KEY;
+
+  // ---- getTenantMode reads mode from injected config (single source of truth) ----
+  delete process.env.PAYMENT_TENANT_MODE;
+  setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+  const modeMulti = getTenantMode();
+  setCoreConfig({ PAYMENT_TENANT_MODE: 'single' });
+  const modeSingle = getTenantMode();
+  emit('S8.3 getTenantMode from injected config', { config: ['multi', 'single'] }, { modeMulti, modeSingle });
+  checks.push(['mode multi from config', modeMulti === 'multi']);
+  checks.push(['mode single from config', modeSingle === 'single']);
+
+  // injected config wins over a conflicting env mirror
+  process.env.PAYMENT_TENANT_MODE = 'single';
+  setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+  const modeConflict = getTenantMode();
+  emit('S8.4 config wins over conflicting process.env', { env: 'single', config: 'multi' }, { mode: modeConflict });
+  checks.push(['config beats conflicting env', modeConflict === 'multi']);
+  delete process.env.PAYMENT_TENANT_MODE;
+
+  // app DID from injected config
+  setDefaultInstanceDid(undefined);
+  delete process.env.BLOCKLET_APP_PID;
+  setCoreConfig({ BLOCKLET_APP_PID: 'did:abt:zCONFIGAPP', PAYMENT_TENANT_MODE: 'single' });
+  const appDid = getDefaultInstanceDid();
+  emit('S8.5 getDefaultInstanceDid from injected config', { config: 'did:abt:zCONFIGAPP' }, { appDid });
+  checks.push(['app DID from config', appDid === 'did:abt:zCONFIGAPP']);
+
+  // ---- Negative: fail-fast on missing required field ----
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  delete process.env.BLOCKLET_APP_PID;
+  const failFast = tryFactory({ config: {}, db: { sequelize: {} } });
+  emit('S8.6 single-mode factory missing BLOCKLET_APP_PID -> fail-fast', { config: {}, tenancy: 'single(default)' }, failFast);
+  checks.push([
+    'fail-fast MissingConfigError(BLOCKLET_APP_PID)',
+    failFast.threw && failFast.code === 'MISSING_CONFIG_FIELD' && failFast.field === 'BLOCKLET_APP_PID',
+  ]);
+
+  // multi mode does not require BLOCKLET_APP_PID (tenant resolved per request)
+  setCoreConfig(undefined);
+  const multiNoPid = tryFactory({ config: { PAYMENT_TENANT_MODE: 'multi' }, db: { sequelize: {} }, tenancy: { mode: 'multi' } });
+  emit('S8.7 multi mode does NOT require BLOCKLET_APP_PID', { tenancy: 'multi' }, multiNoPid);
+  checks.push(['multi mode skips the requirement', !(multiNoPid.code === 'MISSING_CONFIG_FIELD')]);
+
+  // ---- Layer 3: adversarial ----
+  console.log('##### LAYER 3: ADVERSARIAL #####\n');
+  // a) prototype-pollution key in config must not poison readConfig or globals
+  setCoreConfig(JSON.parse('{"__proto__": {"polluted": true}, "SAFE": "ok"}'));
+  const polluted = ({} as any).polluted === true;
+  const safeRead = readConfig('SAFE');
+  emit('S8.A1 prototype-pollution config key', { config: '{"__proto__":{"polluted":true},"SAFE":"ok"}' }, { globalPolluted: polluted, safeRead });
+  checks.push(['no prototype pollution from config', polluted === false]);
+  checks.push(['benign keys still readable', safeRead === 'ok']);
+
+  // b) the fail-fast error message must not echo secret values
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  delete process.env.BLOCKLET_APP_PID;
+  const secretLeak = tryFactory({ config: { STRIPE_SECRET: 'sk_live_DEADBEEF_should_not_appear' }, db: { sequelize: {} } });
+  const leaks = (secretLeak.message || '').includes('sk_live_DEADBEEF');
+  emit('S8.A2 fail-fast error does not echo secret config values', { secretInConfig: 'sk_live_DEADBEEF...' }, { message: secretLeak.message, leaks });
+  checks.push(['error does not leak secret value', leaks === false]);
+
+  // c) numeric/garbage config coerced to string by the boundary (no crash)
+  setCoreConfig({ NUMERIC: 12345, BOOL: true });
+  const numeric = readConfig('NUMERIC');
+  const bool = readConfig('BOOL');
+  emit('S8.A3 non-string config values coerced safely', { NUMERIC: 12345, BOOL: true }, { numeric, bool });
+  checks.push(['non-string config coerced to string', numeric === '12345' && bool === 'true']);
+
+  // restore + report
+  setCoreConfig(undefined);
+
+  console.log('##### ASSERTIONS #####');
+  let allPass = true;
+  for (const [name, ok] of checks) {
+    if (!ok) allPass = false;
+    console.log(JSON.stringify({ check: name, pass: ok }));
+  }
+  console.log(JSON.stringify({ success: allPass, total: checks.length, passed: checks.filter(([, ok]) => ok).length }));
+  if (!allPass) process.exit(1);
+}
+
+main();