payment-kit 1.29.1 → 1.29.3

package/scripts/e2e-d1-tenancy.ts

@@ -0,0 +1,116 @@
+/* eslint-disable no-console */
+// D1 (S3.0) E2E harness — really runs the embedded factory with the three input
+// matrices and prints JSON-shaped results. Invoked by build-phases Layer 2; the
+// raw output is captured into planning/.../logs/sD1-e2e.log.
+//
+// Run: npx tsx scripts/e2e-d1-tenancy.ts
+import { Sequelize } from 'sequelize';
+import { setCoreConfig, getCoreConfig } from '../api/src/libs/env';
+import { getTenantMode, setDefaultInstanceDid } from '../api/src/libs/tenant';
+import {
+  createDefaultIdentityDriver,
+  setIdentityDriver,
+  createDefaultSecretsDriver,
+  setSecretsDriver,
+} from '../api/src/libs/drivers';
+import { createEmbeddedPaymentService } from '../api/src/service';
+
+const identity = { resolveInstanceDidForHost: () => null } as any;
+const secrets = createDefaultSecretsDriver();
+
+function freshDb() {
+  return { sequelize: new Sequelize({ dialect: 'sqlite', storage: ':memory:', logging: false }) as any };
+}
+function reset() {
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  setIdentityDriver(createDefaultIdentityDriver());
+  setSecretsDriver(createDefaultSecretsDriver());
+  delete process.env.PAYMENT_TENANT_MODE;
+}
+
+function emit(label: string, obj: unknown) {
+  console.log(`=== ${label} ===`);
+  console.log(JSON.stringify(obj, null, 2));
+}
+
+// matrix 1 — slot drives multi (no env)
+reset();
+createEmbeddedPaymentService({ config: {}, db: freshDb(), tenancy: { mode: 'multi' }, identity, secrets });
+emit('M1 slot-multi-no-env', { tenantMode: getTenantMode(), success: getTenantMode() === 'multi' });
+
+// matrix 2 — config carries multi, slot agrees
+reset();
+createEmbeddedPaymentService({
+  config: { PAYMENT_TENANT_MODE: 'multi' },
+  db: freshDb(),
+  tenancy: { mode: 'multi' },
+  identity,
+  secrets,
+});
+emit('M2 config-multi-slot-agrees', { tenantMode: getTenantMode(), success: getTenantMode() === 'multi' });
+
+// matrix 3 (NEGATIVE) — config single conflicts with slot multi -> must throw, no mode written
+reset();
+let conflictErr: any = null;
+try {
+  createEmbeddedPaymentService({
+    config: { PAYMENT_TENANT_MODE: 'single' },
+    db: freshDb(),
+    tenancy: { mode: 'multi' },
+    identity,
+    secrets,
+  });
+} catch (err: any) {
+  conflictErr = err;
+}
+emit('M3 conflict-negative', {
+  threw: conflictErr !== null,
+  name: conflictErr?.name,
+  code: conflictErr?.code,
+  message: conflictErr?.message,
+  coreConfigAfter: getCoreConfig() === undefined ? 'undefined (no half write)' : 'WRITTEN (bug!)',
+  success: conflictErr !== null && getCoreConfig() === undefined,
+});
+
+// matrix 4 (NEGATIVE) — multi without secrets -> fail-closed (no silent single)
+reset();
+let slotErr: any = null;
+try {
+  createEmbeddedPaymentService({ config: {}, db: freshDb(), tenancy: { mode: 'multi' }, identity });
+} catch (err: any) {
+  slotErr = err;
+}
+emit('M4 multi-missing-secrets-negative', {
+  threw: slotErr !== null,
+  name: slotErr?.name,
+  code: slotErr?.code,
+  slot: slotErr?.slot,
+  success: slotErr !== null && slotErr?.slot === 'secrets',
+});
+
+// matrix 4b (NEGATIVE) — multi without identity -> fail-closed (no silent single)
+reset();
+let identityErr: any = null;
+try {
+  createEmbeddedPaymentService({ config: {}, db: freshDb(), tenancy: { mode: 'multi' }, secrets } as any);
+} catch (err: any) {
+  identityErr = err;
+}
+emit('M4b multi-missing-identity-negative', {
+  threw: identityErr !== null,
+  name: identityErr?.name,
+  code: identityErr?.code,
+  slot: identityErr?.slot,
+  success: identityErr !== null && identityErr?.slot === 'identity',
+});
+
+// matrix 5 — legacy single compat (no tenancy + APP_PID)
+reset();
+process.env.BLOCKLET_APP_PID = 'did:abt:zLEGACYAPP';
+createEmbeddedPaymentService({ config: { BLOCKLET_APP_PID: 'did:abt:zLEGACYAPP' }, db: freshDb() });
+emit('M5 legacy-single-compat', { tenantMode: getTenantMode(), success: getTenantMode() === 'single' });
+delete process.env.BLOCKLET_APP_PID;
+
+console.log('=== DONE ===');
+process.exit(0);

package/scripts/e2e-d2-cron-queue.ts

@@ -0,0 +1,139 @@
+/* eslint-disable no-console */
+// D2 (S3.0) E2E harness — really runs the cron driver + queue teardown and
+// prints JSON-shaped results. Captured into planning/.../logs/sD2-e2e.log.
+//
+// Run: NODE_ENV=test npx tsx scripts/e2e-d2-cron-queue.ts
+//
+// Covers: (1) crons/index conservation — every declared job flows through the
+// injected driver, no bare @abtnode/cron; (2) node-cron self-schedules a real
+// 1s cron with NO external runDue tick; (3) teardown — stop() clears the cron
+// timer (active-handle count drops); (4) cf-cron stays passive (negative).
+process.env.NODE_ENV = 'test';
+process.env.BLOCKLET_MODE = 'test';
+
+import fs from 'fs';
+import path from 'path';
+import { createCronRegistry, setCronDriver } from '../api/src/libs/drivers/cron';
+
+const wait = (ms: number) => new Promise((r) => setTimeout(r, ms));
+const cronTimers = () => (process as any).getActiveResourcesInfo().filter((r: string) => r === 'Timeout').length;
+function emit(label: string, obj: unknown) {
+  console.log(`=== ${label} ===`);
+  console.log(JSON.stringify(obj, null, 2));
+}
+
+async function main() {
+  // NOTE: crons/index conservation (every declared job flows through the
+  // injected driver) is verified in jest where the db/env is set up —
+  // tests/libs/crons-conservation-d2.spec.ts — because importing crons/index
+  // eagerly builds queues that need a real sequelize. Here we exercise the
+  // driver self-scheduling + teardown directly (no db needed).
+  setCronDriver(createCronRegistry('node-cron'));
+
+  // 1) job-names list — the full declared cron set crons/index registers through
+  // the driver (parsed from source; importing the graph needs a real DB/ESM).
+  const cronsSrc = fs.readFileSync(path.resolve(__dirname, '../api/src/crons/index.ts'), 'utf8');
+  const declaredNames = [...cronsSrc.matchAll(/name:\s*'([^']+)'/g)].map((m) => m[1]);
+  emit('C1 crons-conservation-job-names', {
+    registerCalls: (cronsSrc.match(/getCronDriver\(\)\.register\(/g) || []).length,
+    bareCronInit: /Cron\.init\s*\(/.test(cronsSrc),
+    count: declaredNames.length,
+    names: declaredNames,
+    success: declaredNames.length >= 18 && (cronsSrc.match(/getCronDriver\(\)\.register\(/g) || []).length === 1,
+  });
+
+  // 2) node-cron self-schedules a real 1s cron with no external runDue
+  const node = createCronRegistry('node-cron');
+  let ticks = 0;
+  const beforeReg = cronTimers();
+  node.register([
+    {
+      name: 'recon',
+      time: '*/1 * * * * *',
+      fn: () => {
+        ticks += 1;
+      },
+    },
+  ]);
+  const withTimer = cronTimers();
+  await wait(2200);
+  const ticksWhileRunning = ticks;
+  emit('C2 node-self-schedule', {
+    ticksWhileRunning,
+    timerAddedOnRegister: withTimer > beforeReg,
+    success: ticksWhileRunning >= 1 && withTimer > beforeReg,
+  });
+
+  // 3) teardown — stop() clears the cron timer; no more ticks
+  node.stop();
+  const afterStop = cronTimers();
+  const ticksAtStop = ticks;
+  await wait(2200);
+  emit('C3 teardown-stop', {
+    timersWithCron: withTimer,
+    timersAfterStop: afterStop,
+    timerCleared: afterStop < withTimer,
+    ticksAfterStop: ticks - ticksAtStop,
+    success: afterStop < withTimer && ticks - ticksAtStop === 0,
+  });
+
+  // 4) restart idempotent — re-register after stop, no double scheduler
+  let ran2 = 0;
+  node.register([
+    {
+      name: 'init2',
+      time: '0 0 0 1 1 *',
+      fn: () => {
+        ran2 += 1;
+      },
+      options: { runOnInit: true },
+    },
+  ]);
+  await wait(50);
+  const afterFirst = ran2;
+  node.stop();
+  node.register([
+    {
+      name: 'init2',
+      time: '0 0 0 1 1 *',
+      fn: () => {
+        ran2 += 1;
+      },
+      options: { runOnInit: true },
+    },
+  ]);
+  await wait(50);
+  node.stop();
+  emit('C4 restart-idempotent', {
+    afterFirstStart: afterFirst,
+    afterRestart: ran2,
+    success: afterFirst === 1 && ran2 === 2, // exactly one run per start, no double
+  });
+
+  // 5) NEGATIVE — cf-cron stays passive: register does NOT self-fire
+  const cf = createCronRegistry('cf-cron');
+  let cfRan = 0;
+  cf.register([
+    {
+      name: 'cf',
+      time: '*/1 * * * * *',
+      fn: () => {
+        cfRan += 1;
+      },
+      options: { runOnInit: true },
+    },
+  ]);
+  await wait(1200);
+  const cfSelfFired = cfRan;
+  const due = await cf.runDue(new Date());
+  emit('C5 cf-passive-negative', {
+    selfFiredWithoutHostTick: cfSelfFired,
+    ranViaRunDue: due.ran,
+    success: cfSelfFired === 0 && due.ran.includes('cf'),
+  });
+
+  console.log('=== DONE ===');
+  process.exit(0);
+}
+
+main();

package/scripts/e2e-d3-embedded-multi.ts

@@ -0,0 +1,171 @@
+/* eslint-disable no-console */
+// D3 (S3.0) E2E harness — builds a REAL embedded multi-mode payment service over
+// a file-backed sqlite (46-table schema) and exercises the background engine,
+// emitting JSON. Captured into planning/.../logs/sD3-e2e.log.
+//
+//   NODE_ENV=test npx tsx scripts/e2e-d3-embedded-multi.ts
+process.env.NODE_ENV = 'test';
+process.env.BLOCKLET_MODE = 'test';
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+
+import { withTenant, getInstanceDid } from '../api/src/libs/context';
+import { createNodeDbDriver } from '../api/src/libs/drivers/db';
+import {
+  applyPaymentCoreMigrations,
+  createMemoryLocksDriver,
+  createCronRegistry,
+  createKeyringSecretsDriver,
+  nodeQueueHostHooks,
+} from '../api/src/libs/drivers';
+import { setQueueRuntimeMode } from '../api/src/libs/queue/runtime';
+import { createEmbeddedPaymentService } from '../api/src/service';
+
+const TENANT_A = 'did:abt:zD3A';
+const TENANT_B = 'did:abt:zD3B';
+const identity = {
+  resolveInstanceDidForHost: (h: string | undefined) => (h === 'a' ? TENANT_A : h === 'b' ? TENANT_B : null),
+  getAppEk: (id: string) => (id === TENANT_A ? 'a'.repeat(64) : 'b'.repeat(64)),
+};
+const wait = (ms: number) => new Promise((r) => setTimeout(r, ms));
+const settle = (e: any): Promise<string> =>
+  new Promise((res) => ['finished', 'failed', 'cancelled'].forEach((ev) => e.on(ev, () => res(ev))));
+function emit(label: string, obj: unknown) {
+  console.log(`=== ${label} ===`);
+  console.log(JSON.stringify(obj, null, 2));
+}
+
+async function main() {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'd3-e2e-'));
+  const sequelize = new Sequelize({
+    dialect: 'sqlite',
+    storage: path.join(dir, 'p.db'),
+    logging: false,
+    pool: { max: 5 },
+  });
+  const driver = createNodeDbDriver(sequelize);
+  await applyPaymentCoreMigrations(driver);
+  const tables = await driver.all<{ name: string }>(
+    "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
+  );
+
+  const slots = () => ({
+    config: { BLOCKLET_APP_PID: TENANT_A, PAYMENT_LIVEMODE: 'true' },
+    db: { sequelize: sequelize as any },
+    tenancy: { mode: 'multi' as const },
+    identity,
+    secrets: createKeyringSecretsDriver(identity),
+    queue: nodeQueueHostHooks,
+    cron: createCronRegistry('node-cron'),
+    locks: createMemoryLocksDriver(),
+  });
+  const svc = createEmbeddedPaymentService(slots());
+  setQueueRuntimeMode('node');
+  const createQueue = require('../api/src/libs/queue').default;
+  const createQueueStore = require('../api/src/libs/queue/store').default;
+
+  // happy — assembly
+  emit('D3.1 assembly', {
+    tableCount: tables.length,
+    hasEntitlementsCheck: typeof svc.rpc.entitlements.check === 'function',
+    hasMeterReport: typeof svc.rpc.meterEvents.report === 'function',
+    success: tables.length === 46,
+  });
+
+  // bad input — slot misconfig (NEGATIVE)
+  const noSecrets: any = slots();
+  delete noSecrets.secrets;
+  const noIdentity: any = slots();
+  delete noIdentity.identity;
+  const tryBuild = (s: any) => {
+    try {
+      createEmbeddedPaymentService(s);
+      return { threw: false, slot: null };
+    } catch (e: any) {
+      return { threw: true, slot: e?.slot, code: e?.code };
+    }
+  };
+  const s1 = tryBuild(noSecrets);
+  const s2 = tryBuild(noIdentity);
+  emit('D3.2 slot-misconfig-negative', {
+    missingSecrets: s1,
+    missingIdentity: s2,
+    success: s1.threw && s1.slot === 'secrets' && s2.threw && s2.slot === 'identity',
+  });
+
+  // retry trace
+  const trace: number[] = [];
+  let successes = 0;
+  const rq = createQueue({
+    name: 'd3-retry',
+    onJob: async () => {
+      trace.push(trace.length + 1);
+      if (trace.length < 3) throw new Error('transient');
+      successes += 1;
+    },
+    options: { maxRetries: 5, retryDelay: 1 },
+  });
+  const rEv = await withTenant(TENANT_A, async () => rq.push({ job: { instance_did: TENANT_A } }));
+  const rEnd = await settle(rEv);
+  emit('D3.3 retry-trace', {
+    attempts: trace.length,
+    successSideEffects: successes,
+    terminal: rEnd,
+    success: trace.length === 3 && successes === 1 && rEnd === 'finished',
+  });
+
+  // restart recovery — job-id set diff
+  const jobId = 'recover-1';
+  const store = createQueueStore('d3-recover');
+  await store.addJob(jobId, { instance_did: TENANT_A }, {});
+  const before = (await store.getJobs()).map((r: any) => r.id);
+  let ranId = '';
+  const recoverQ = createQueue({
+    name: 'd3-recover',
+    onJob: async () => {},
+  });
+  // the recovered row's id comes from the runtime finished event (the payload
+  // carries no id) — proving the recovered id is the original, not regenerated.
+  recoverQ.on('finished', (data: { id: string }) => {
+    ranId = data.id;
+  });
+  await wait(400);
+  const after = (await store.getJobs()).map((r: any) => r.id);
+  emit('D3.4 restart-recovery', {
+    beforeJobIds: before,
+    afterJobIds: after,
+    executedId: ranId,
+    success: before.includes(jobId) && !after.includes(jobId) && ranId === jobId,
+  });
+
+  // cross-tenant rejection (NEGATIVE)
+  const { assertJobObjectTenant } = require('../api/src/libs/queue');
+  let leaked = false;
+  let observed = '';
+  const xq = createQueue({
+    name: 'd3-xtenant',
+    onJob: async () => {
+      observed = getInstanceDid();
+      assertJobObjectTenant({ instance_did: TENANT_B });
+      leaked = true;
+    },
+  });
+  const xEv = await withTenant(TENANT_A, async () => xq.push({ job: { instance_did: TENANT_A } }));
+  const xEnd = await settle(xEv);
+  emit('D3.5 cross-tenant-rejection-negative', {
+    observedTenant: observed,
+    leaked,
+    terminal: xEnd,
+    success: observed === TENANT_A && !leaked && xEnd === 'failed',
+  });
+
+  console.log('=== DONE ===');
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+  process.exit(0);
+}
+
+main();

package/scripts/e2e-hono-s2.ts

@@ -0,0 +1,125 @@
+/* eslint-disable no-console, global-require, import/no-extraneous-dependencies, @typescript-eslint/no-var-requires */
+// Phase 2 (express→hono) E2E — SELF-VALIDATING harness. Serves the REAL
+// buildConnectRoutesHono() (DID-Connect via did-connect-js native attachHono)
+// through REAL @hono/node-server serve(), then drives the surface over a real TCP
+// socket and prints PASS/FAIL for each spec-table category. Uses the spike's env
+// bootstrap (testSetup → a valid appInfo so generateSession succeeds — jest's
+// bare env cannot, which is why these session-dependent checks live here).
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+
+const testSetup = require('@blocklet/sdk/lib/util/test-setup').default;
+
+testSetup();
+process.env.BLOCKLET_DATA_DIR = process.env.BLOCKLET_DATA_DIR || fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s2-'));
+const { fromRandom } = require('@ocap/wallet');
+const { types } = require('@ocap/mcrypto');
+
+const appWallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+process.env.BLOCKLET_APP_SK = appWallet.secretKey;
+process.env.BLOCKLET_APP_PK = appWallet.publicKey;
+process.env.BLOCKLET_APP_ID = appWallet.address;
+process.env.BLOCKLET_APP_PID = appWallet.address;
+
+const { serve } = require('@hono/node-server');
+const { buildConnectRoutesHono } = require('../api/src/service');
+
+const PORT = Number(process.env.E2E_PORT || 9272);
+const connectApp = buildConnectRoutesHono();
+
+let pass = 0;
+let fail = 0;
+const check = (name: string, cond: boolean, detail = '') => {
+  if (cond) {
+    pass += 1;
+    console.log(`  PASS  ${name}`);
+  } else {
+    fail += 1;
+    console.log(`  FAIL  ${name}  ${detail}`);
+  }
+};
+
+const server = serve({ fetch: connectApp.fetch, port: PORT }, async (info: { port: number }) => {
+  const base = `http://127.0.0.1:${info.port}`;
+  console.log(`E2E_READY ${info.port} (real @hono/node-server socket)`);
+  try {
+    // E1 happy path: generateSession returns the full session shape
+    const r1 = await fetch(`${base}/api/did/payment/token`);
+    const s1: any = await r1.json();
+    console.log(`E1 GET /api/did/payment/token → ${r1.status} ${JSON.stringify(s1).slice(0, 240)}`);
+    check('E1 happy: status 200', r1.status === 200);
+    check('E1 happy: status="created"', s1.status === 'created');
+    check('E1 happy: token present', !!s1.token);
+
+    // Data loss (deep-link): the url carries the session token as _t_
+    const decoded = decodeURIComponent(decodeURIComponent(s1.url || ''));
+    check('Data-loss: deep-link url carries _t_=<token>', decoded.includes(`_t_=${s1.token}`), decoded.slice(0, 120));
+
+    // Data damage: appInfo intact (name + publisher/nodeDid), not stripped/garbled
+    check(
+      'Data-damage: appInfo.name present',
+      !!(s1.appInfo && s1.appInfo.name),
+      JSON.stringify(s1.appInfo).slice(0, 120)
+    );
+    check('Data-damage: appInfo.publisher (did) present', !!(s1.appInfo && s1.appInfo.publisher));
+
+    // Data leak: two sessions get DISTINCT tokens (no reuse/bleed)
+    const r2 = await fetch(`${base}/api/did/collect/token`);
+    const s2: any = await r2.json();
+    check(
+      'Data-leak: a second session has a DISTINCT token',
+      !!s2.token && s2.token !== s1.token,
+      `${s1.token} vs ${s2.token}`
+    );
+
+    // Security: with a VALID session token, an UNSIGNED/forged auth POST is not
+    // accepted — onAuthResponse refuses the unsigned payload, so the session never
+    // advances to succeed and no authInfo is returned (the auth verification path
+    // runs unchanged under the hono adapter).
+    const rAuth = await fetch(`${base}/api/did/payment/auth?_t_=${s1.token}`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ userDid: 'did:abt:zForgedUser', claims: [] }),
+    });
+    const authBody = await rAuth.text();
+    let authJson: any = {};
+    try {
+      authJson = JSON.parse(authBody);
+    } catch {
+      /* non-json error body */
+    }
+    console.log(`Security POST /auth (unsigned, valid _t_) → ${rAuth.status} ${authBody.slice(0, 160)}`);
+    check(
+      'Security: unsigned/forged auth POST does NOT succeed (onAuthResponse refuses it)',
+      authJson.status !== 'succeed' && !authJson.authInfo,
+      `status=${rAuth.status}`
+    );
+    // and the session must NOT have advanced to succeed
+    const rStatus = await fetch(`${base}/api/did/payment/status?_t_=${s1.token}`);
+    const st: any = await rStatus.json().catch(() => ({}));
+    check(
+      'Security: session stays unauthenticated after the unsigned POST',
+      st.status !== 'succeed',
+      `status=${st.status}`
+    );
+
+    // E3 negative: a forged/non-existent token never resolves to a session
+    const rForged = await fetch(`${base}/api/did/payment/auth?_t_=deadbeef-not-a-token`);
+    const forgedBody = await rForged.text();
+    console.log(`E3 negative GET /auth?_t_=forged → ${rForged.status} ${forgedBody.slice(0, 100)}`);
+    check(
+      'E3 negative: forged token does not return a created session/authInfo',
+      !forgedBody.includes('"status":"created"') && !forgedBody.includes('authInfo')
+    );
+  } catch (err: any) {
+    fail += 1;
+    console.log(`  FAIL  harness error: ${err.message}`);
+  } finally {
+    console.log(`\nphase2-e2e: ${pass} passed, ${fail} failed`);
+    server.close();
+    process.exit(fail ? 1 : 0);
+  }
+});
+
+export {}; // make this file a module so its top-level consts do not collide with sibling e2e scripts in tsc global scope

package/scripts/e2e-hono-s3e.ts

@@ -0,0 +1,135 @@
+/* eslint-disable no-console, global-require, import/no-extraneous-dependencies, @typescript-eslint/no-var-requires */
+// Phase 3e (express→hono) E2E — SELF-VALIDATING. Proves the Stripe webhook RAW
+// BODY survives the FULL native pipeline (cors→xss→csrf→ensureI18n→cdn→context→
+// livemode, applied via mountResourceGroup) over a REAL @hono/node-server socket:
+// xss SKIPS the webhook path, so the handler's c.req.arrayBuffer() gets the exact
+// bytes and stripe.constructEvent verifies. Tampered bytes → reject (§3.1).
+process.env.NODE_ENV = 'test';
+process.env.BLOCKLET_APP_SK = process.env.BLOCKLET_APP_SK || 'e2e_s3e_secret';
+process.env.BLOCKLET_APP_PID = process.env.BLOCKLET_APP_PID || 'did:abt:zE2ES3eTenant';
+
+const Stripe = require('stripe');
+const { serve } = require('@hono/node-server');
+const { Hono } = require('hono');
+const { buildHonoApp } = require('../api/src/service');
+const { mountResourceGroup } = require('../api/src/middlewares/hono/pipeline');
+
+const secret = 'whsec_e2e_s3e';
+const stripe = new Stripe('sk_test_dummy', { apiVersion: '2023-08-16' });
+const payload = JSON.stringify({
+  id: 'evt_s3e_1',
+  type: 'payment_intent.succeeded',
+  livemode: false,
+  data: { object: { metadata: {}, note: '欧元 €42 — naïve café 🚀 "x"' } },
+});
+const sigHeader = stripe.webhooks.generateTestHeaderString({ payload, secret });
+
+// A representative stripe webhook mounted at /api/integrations/stripe — exercises
+// the REAL native pipeline (xss skip) + raw-body read + constructEvent. (The real
+// route's extra PaymentMethod lookup is orthogonal to raw-body fidelity.)
+const stripeApp = new Hono();
+stripeApp.post('/webhook', async (c: any) => {
+  const signature = c.req.header('stripe-signature');
+  if (!signature) return c.json({ error: 'no sig' }, 400);
+  const raw = Buffer.from(await c.req.arrayBuffer());
+  try {
+    const event = stripe.webhooks.constructEvent(raw, signature, secret);
+    return c.json({ received: true, id: event.id, bytesIn: raw.length });
+  } catch (err: any) {
+    return c.json({ error: err.message }, 400);
+  }
+});
+
+const bridge = (() => Promise.resolve(new Response('bridge', { status: 404 }))) as any;
+bridge.close = () => Promise.resolve();
+const app = buildHonoApp(
+  () => bridge,
+  (native: any) => mountResourceGroup(native, '/api/integrations/stripe', stripeApp)
+);
+
+let pass = 0;
+let fail = 0;
+const check = (name: string, cond: boolean, extra = '') => {
+  if (cond) {
+    pass += 1;
+    console.log(`  PASS  ${name}`);
+  } else {
+    fail += 1;
+    console.log(`  FAIL  ${name}  ${extra}`);
+  }
+};
+
+const PORT = Number(process.env.E2E_PORT || 9278);
+const server = serve({ fetch: app.fetch, port: PORT }, async (info: { port: number }) => {
+  const base = `http://127.0.0.1:${info.port}`;
+  console.log(`E2E_READY ${info.port} (real @hono/node-server socket)`);
+  try {
+    // 1) valid signature over a real socket → constructEvent verifies through the native pipeline
+    const r1 = await fetch(`${base}/api/integrations/stripe/webhook`, {
+      method: 'POST',
+      headers: { 'stripe-signature': sigHeader, 'content-type': 'application/json' },
+      body: Buffer.from(payload, 'utf8'),
+    });
+    const b1: any = await r1.json();
+    console.log(`E1 signed webhook → ${r1.status} ${JSON.stringify(b1)}`);
+    check(
+      'E1 raw-body verified through native pipeline (xss skip)',
+      r1.status === 200 && b1.received === true && b1.id === 'evt_s3e_1'
+    );
+    check(
+      'E1 exact byte count delivered (no consumption/re-encode)',
+      b1.bytesIn === Buffer.byteLength(payload, 'utf8'),
+      `${b1.bytesIn} vs ${Buffer.byteLength(payload, 'utf8')}`
+    );
+
+    // 2) tampered bytes over the wire → reject
+    const buf = Buffer.from(payload, 'utf8');
+    // eslint-disable-next-line no-bitwise -- intentional single-byte flip to tamper the payload
+    buf[10] = (buf[10] as number) ^ 0x01;
+    const r2 = await fetch(`${base}/api/integrations/stripe/webhook`, {
+      method: 'POST',
+      headers: { 'stripe-signature': sigHeader, 'content-type': 'application/json' },
+      body: buf,
+    });
+    console.log(`E2 tampered webhook → ${r2.status}`);
+    check('E2 tampered body → 400 (signature mismatch)', r2.status === 400);
+
+    // 3) chunked transfer-encoding (streamed body) → still verifies
+    const stream = new ReadableStream({
+      start(controller) {
+        const b = Buffer.from(payload, 'utf8');
+        let i = 0;
+        const push = () => {
+          if (i >= b.length) {
+            controller.close();
+            return;
+          }
+          const end = Math.min(i + 5, b.length);
+          controller.enqueue(new Uint8Array(b.subarray(i, end)));
+          i = end;
+          setTimeout(push, 1);
+        };
+        push();
+      },
+    });
+    const r3 = await fetch(`${base}/api/integrations/stripe/webhook`, {
+      method: 'POST',
+      headers: { 'stripe-signature': sigHeader, 'content-type': 'application/json' },
+      body: stream,
+      // @ts-ignore duplex is required for a streamed request body
+      duplex: 'half',
+    });
+    const b3: any = await r3.json();
+    console.log(`E3 chunked webhook → ${r3.status} ${JSON.stringify(b3)}`);
+    check('E3 chunked transfer-encoding raw-body verified', r3.status === 200 && b3.received === true);
+  } catch (err: any) {
+    fail += 1;
+    console.log(`  FAIL  harness error: ${err.message}`);
+  } finally {
+    console.log(`\nphase3e-e2e: ${pass} passed, ${fail} failed`);
+    server.close();
+    process.exit(fail ? 1 : 0);
+  }
+});
+
+export {}; // make this file a module so its top-level consts do not collide with sibling e2e scripts in tsc global scope