payment-kit 1.29.2 → 1.29.3

package/api/tests/queues/event-tenant.spec.ts

@@ -64,6 +64,9 @@ let models: any;
 let handleEvent: any;
 let handleWebhook: any;
 let assertEventTenantAccessible: any;
+let startEventQueue: any;
+let eventQueue: any;
+let getInstanceDid: any;
 let logger: any;
 
 beforeAll(async () => {
@@ -72,7 +75,9 @@ beforeAll(async () => {
   models = require('../../src/store/models');
   models.initialize(sequelize);
   // eslint-disable-next-line global-require
-  ({ handleEvent } = require('../../src/queues/event'));
+  ({ handleEvent, startEventQueue, eventQueue } = require('../../src/queues/event'));
+  // eslint-disable-next-line global-require
+  ({ getInstanceDid } = require('../../src/libs/context'));
   // eslint-disable-next-line global-require
   ({ handleWebhook } = jest.requireActual('../../src/queues/webhook'));
   // eslint-disable-next-line global-require
@@ -167,7 +172,7 @@ describe('event delivery tenant isolation (phase 4)', () => {
 
   describe('paths 3+4 manual retry routes: caller tenant guard', () => {
     it('A caller cannot retry a B event (TENANT_MISMATCH -> 4xx mapping)', async () => {
-      await withTenant(TENANT_A, async () => {
+      await withTenant(TENANT_A, () => {
         expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).toThrow(
           expect.objectContaining({ code: TENANT_MISMATCH })
         );
@@ -186,7 +191,7 @@ describe('event delivery tenant isolation (phase 4)', () => {
     });
 
     it('same-tenant caller passes the guard', async () => {
-      await withTenant(TENANT_B, async () => {
+      await withTenant(TENANT_B, () => {
         expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).not.toThrow();
       });
     });
@@ -196,7 +201,7 @@ describe('event delivery tenant isolation (phase 4)', () => {
       // query scoped by caller tenant -> B endpoint invisible to A
       await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
       await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
-      const visible = await withTenant(TENANT_A, async () =>
+      const visible = await withTenant(TENANT_A, () =>
         models.WebhookEndpoint.findAll({
           where: { status: 'enabled', livemode: false, instance_did: TENANT_A },
         })
@@ -221,6 +226,57 @@ describe('event delivery tenant isolation (phase 4)', () => {
     });
   });
 
+  describe('startup recovery (startEventQueue): pending-webhook events re-enqueued under their tenant', () => {
+    const ORIGINAL_MODE = process.env.PAYMENT_TENANT_MODE;
+    afterEach(() => {
+      if (ORIGINAL_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+      else process.env.PAYMENT_TENANT_MODE = ORIGINAL_MODE;
+    });
+
+    // Regression: in multi mode startup has NO ambient tenant. The old recovery
+    // pushed outside withTenant (and fetched only id), so injectJobTenant ->
+    // getInstanceDid threw TENANT_CONTEXT_MISSING — a FATAL unhandledRejection
+    // that crashed the daemon. The push must run inside withTenant(event tenant).
+    it('multi mode: recovers a pending event INSIDE its tenant context (no crash)', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      const event = await seedEvent(TENANT_A);
+
+      let tenantAtPush: string | undefined;
+      let threwAtPush = false;
+      (eventQueue.push as jest.Mock).mockImplementationOnce(() => {
+        try {
+          tenantAtPush = getInstanceDid(); // would THROW in multi mode if outside withTenant
+        } catch {
+          threwAtPush = true;
+        }
+      });
+
+      await expect(startEventQueue()).resolves.toBeUndefined();
+      expect(eventQueue.push).toHaveBeenCalledWith(
+        expect.objectContaining({ id: event.id, job: { eventId: event.id } })
+      );
+      expect(threwAtPush).toBe(false);
+      expect(tenantAtPush).toBe(TENANT_A);
+    });
+
+    // A row with no tenant cannot be re-stamped — skip it (warn), never crash.
+    it('multi mode: a tenant-less pending event is skipped, not pushed', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      const event = await seedEvent(TENANT_A);
+      // null out the tenant directly (bypass the scoped writer)
+      await sequelize.query('UPDATE events SET instance_did = NULL WHERE id = $id', {
+        bind: { id: event.id },
+      });
+
+      await expect(startEventQueue()).resolves.toBeUndefined();
+      expect(eventQueue.push).not.toHaveBeenCalled();
+      expect(logger.warn).toHaveBeenCalledWith(
+        'skip pending-webhook event with no tenant',
+        expect.objectContaining({ id: event.id })
+      );
+    });
+  });
+
   describe('data damage: retry keeps the original tenant', () => {
     it('failed delivery writes a failed attempt under the event tenant', async () => {
       componentRequest.mockRejectedValueOnce(Object.assign(new Error('boom'), { response: { status: 500 } }));

package/api/tests/service/didconnect-storage-slot.spec.ts

@@ -0,0 +1,60 @@
+// S3-CF Phase 1 inversion ③ — DID-Connect token storage slot.
+//
+// The DID-Connect token handshake store is now a host-injected slot (same
+// reversal as db/queue/cron). The CF worker injects a D1-backed store so the
+// token state lands in PAYMENT_DB; node hosts omit it and keep the file-backed
+// nedb default. This spec locks the factory→libs/auth wiring and the default.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+import { Sequelize } from 'sequelize';
+
+import * as auth from '../../src/libs/auth';
+import { createEmbeddedPaymentService } from '../../src/service';
+
+function freshSequelize(): Sequelize {
+  const dbFile = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'pay-storage-slot-')), 'test.db');
+  return new Sequelize({ dialect: 'sqlite', storage: dbFile, logging: false });
+}
+
+const baseConfig = { BLOCKLET_APP_PID: 'zMOCK_STORAGE_SLOT' };
+
+describe('Phase 1 (S3-CF) ③ — DID-Connect token storage slot', () => {
+  afterEach(() => {
+    // reset the module-level injection so specs don't leak into each other
+    auth.setDidConnectTokenStorage(null);
+    jest.restoreAllMocks();
+  });
+
+  it('wires a host-provided storage slot into libs/auth (setDidConnectTokenStorage)', () => {
+    const spy = jest.spyOn(auth, 'setDidConnectTokenStorage');
+    const sentinel: auth.DidConnectTokenStorage = {
+      read: async () => null,
+      create: async () => undefined,
+      update: async () => undefined,
+      delete: async () => undefined,
+    };
+
+    createEmbeddedPaymentService({
+      config: baseConfig,
+      db: { sequelize: freshSequelize() },
+      tenancy: { mode: 'single', instanceDid: 'zMOCK_STORAGE_SLOT' },
+      storage: sentinel,
+    });
+
+    expect(spy).toHaveBeenCalledWith(sentinel);
+  });
+
+  it('omitting the slot leaves the node nedb default (setter never called)', () => {
+    const spy = jest.spyOn(auth, 'setDidConnectTokenStorage');
+
+    createEmbeddedPaymentService({
+      config: baseConfig,
+      db: { sequelize: freshSequelize() },
+      tenancy: { mode: 'single', instanceDid: 'zMOCK_STORAGE_SLOT' },
+    });
+
+    expect(spy).not.toHaveBeenCalled();
+  });
+});

package/api/tests/service/fail-closed-http.spec.ts

@@ -0,0 +1,79 @@
+// TM-4 (frontend-serve P4) — MANDATORY fail-closed regression lock.
+//
+// Project principle #1: in multi-tenant mode a request with no resolvable
+// Host/tenant context MUST fail closed (4xx), never fall back to APP_PID/default
+// tenant. P4 wires a host static/SPA handler onto the full node hono app (after
+// the api/connect routes). This lock proves that slot did NOT weaken the API
+// gate: with createNodeStaticHandler attached, an /api/* request from an unbound
+// host still 400s with TENANT_HOST_UNRESOLVED. Runs in did-pay (no arc dev
+// runtime) — the same buildHonoApp + contextMiddleware the production svc uses.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+import { Hono } from 'hono';
+
+import { getInstanceDid } from '../../src/libs/context';
+import { createDefaultIdentityDriver, type IdentityDriver, setIdentityDriver } from '../../src/libs/drivers/identity';
+import { contextMiddleware, ensureI18n } from '../../src/middlewares/hono/context';
+import { createNodeStaticHandler } from '../../src/host-node/serve-static-arc';
+import { buildHonoApp } from '../../src/service';
+
+const BOUND = 'did:abt:zBOUNDTENANTAAAAAAAAAAAAAAAAAA';
+const identity: IdentityDriver = {
+  resolveInstanceDidForHost: (host) => (host === 'bound.example' ? BOUND : null),
+};
+
+let webRoot: string;
+beforeAll(() => {
+  webRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'tm4-web-'));
+  fs.writeFileSync(path.join(webRoot, 'index.html'), '<!doctype html><div id="app"></div>');
+});
+afterAll(() => fs.rmSync(webRoot, { recursive: true, force: true }));
+afterEach(() => {
+  delete process.env.PAYMENT_TENANT_MODE;
+  setIdentityDriver(createDefaultIdentityDriver());
+});
+
+// the production wiring: native pipeline (with the Host→tenant contextMiddleware)
+// + the host static/SPA slot attached last (exactly buildHonoApp's 3rd arg).
+function buildAppWithStatic(): Hono {
+  return buildHonoApp(
+    (native) => {
+      native.use('*', ensureI18n());
+      native.use('*', contextMiddleware());
+      native.get('/api/settings', (c) => c.json({ tenant: getInstanceDid() }));
+    },
+    undefined,
+    createNodeStaticHandler(webRoot)
+  );
+}
+
+describe('TM-4 — static slot must not weaken the multi-tenant API gate (P4)', () => {
+  it('multi mode, UNBOUND host: /api/settings → 400 fail-closed (no default-tenant fallback)', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+    const app = buildAppWithStatic();
+    const res = await app.fetch(new Request('http://unbound.example/api/settings', { headers: { host: 'unbound.example' } }));
+    expect(res.status).toBe(400);
+    expect((await res.json()).error.code).toBe('TENANT_HOST_UNRESOLVED');
+  });
+
+  it('multi mode, BOUND host: /api/settings resolves its tenant (gate passes, slot present)', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+    const app = buildAppWithStatic();
+    const res = await app.fetch(new Request('http://bound.example/api/settings', { headers: { host: 'bound.example' } }));
+    expect(res.status).toBe(200);
+    expect((await res.json()).tenant).toBe(BOUND);
+  });
+
+  it('the static slot still serves the SPA shell (html GET) — coexists with the gate', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+    const app = buildAppWithStatic();
+    const res = await app.fetch(new Request('http://bound.example/admin', { headers: { host: 'bound.example', accept: 'text/html' } }));
+    expect(res.status).toBe(200);
+    expect(await res.text()).toContain('<div id="app">');
+  });
+});

package/api/tests/service/static-arc-handler.spec.ts

@@ -0,0 +1,101 @@
+// P3b (README D3 / F3) — arc-node clean static/SPA handler.
+//
+// Drives createNodeStaticHandler over a real temp webRoot through buildHonoApp's
+// staticHandler slot (the same wiring arc uses), via in-process app.fetch.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+import { buildHonoApp } from '../../src/service';
+import { createNodeStaticHandler } from '../../src/host-node/serve-static-arc';
+
+let webRoot: string;
+
+beforeAll(() => {
+  webRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'arc-webroot-'));
+  fs.mkdirSync(path.join(webRoot, 'assets'), { recursive: true });
+  // index.html with a build-time bootstrap already baked in (P2) — the handler
+  // must serve this VERBATIM, no server-side re-injection.
+  fs.writeFileSync(
+    path.join(webRoot, 'index.html'),
+    '<!doctype html><html><head><script>window.blocklet={prefix:"/.well-known/payment"}</script></head><body><div id="app"></div></body></html>'
+  );
+  fs.writeFileSync(path.join(webRoot, 'assets', 'app.js'), 'console.log("asset")');
+});
+
+afterAll(() => {
+  fs.rmSync(webRoot, { recursive: true, force: true });
+});
+
+const appWith = () => buildHonoApp(undefined, undefined, createNodeStaticHandler(webRoot));
+
+describe('P3b — createNodeStaticHandler', () => {
+  it('bad-input: throws at construction when webRoot has no index.html', () => {
+    const empty = fs.mkdtempSync(path.join(os.tmpdir(), 'arc-empty-'));
+    expect(() => createNodeStaticHandler(empty)).toThrow(/no index\.html/);
+    fs.rmSync(empty, { recursive: true, force: true });
+  });
+
+  it('happy: root + deep link return index.html, asset hits the file', async () => {
+    const app = appWith();
+    const root = await app.fetch(new Request('http://h/', { headers: { accept: 'text/html' } }));
+    expect(root.status).toBe(200);
+    expect(await root.text()).toContain('<div id="app">');
+
+    const deep = await app.fetch(new Request('http://h/admin', { headers: { accept: 'text/html' } }));
+    expect(deep.status).toBe(200);
+    expect(await deep.text()).toContain('<!doctype html');
+
+    const asset = await app.fetch(new Request('http://h/assets/app.js'));
+    expect(asset.status).toBe(200);
+    expect(await asset.text()).toContain('console.log("asset")');
+  });
+
+  it('bad-input: non-GET / non-html accept does not return index.html', async () => {
+    const app = appWith();
+    const post = await app.fetch(new Request('http://h/admin', { method: 'POST', headers: { accept: 'text/html' } }));
+    expect(post.status).not.toBe(200);
+    const json = await app.fetch(new Request('http://h/admin', { headers: { accept: 'application/json' } }));
+    expect(await json.text()).not.toContain('<!doctype html');
+  });
+
+  it('security: asset miss → 404, NOT index.html (RESOURCE_PATTERN, T3b.2)', async () => {
+    const app = appWith();
+    const miss = await app.fetch(new Request('http://h/assets/nope.js'));
+    expect(miss.status).toBe(404);
+    expect(await miss.text()).not.toContain('<!doctype html');
+  });
+
+  it('security: path traversal never leaks out-of-webRoot files (asset-typed → 404; SPA-typed → index.html, never passwd)', async () => {
+    const app = appWith();
+    const indexHtml = fs.readFileSync(path.join(webRoot, 'index.html'), 'utf8');
+    // asset-typed traversal (serveStatic must reject, never serve outside webRoot)
+    for (const p of ['/assets/..%2f..%2f..%2f..%2fetc%2fpasswd.js', '/assets/../../../../etc/hosts.css']) {
+      const res = await app.fetch(new Request(`http://h${p}`));
+      const body = await res.text();
+      expect(body).not.toMatch(/root:.*:0:0:/); // no /etc/passwd content
+      expect(res.status).toBe(404); // miss, not a leaked file
+    }
+    // SPA-typed traversal (no asset extension) → safe app shell, NOT a host file
+    const spa = await app.fetch(new Request('http://h/../../../../etc/passwd', { headers: { accept: 'text/html' } }));
+    const spaBody = await spa.text();
+    expect(spaBody).not.toMatch(/root:.*:0:0:/);
+    expect(spaBody === indexHtml || spa.status === 404).toBe(true);
+  });
+
+  it('data-loss: /api/* is NOT swallowed by the static handler (wired last)', async () => {
+    const app = appWith();
+    const res = await app.fetch(new Request('http://h/api/healthz'));
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ ok: true });
+  });
+
+  it('data-leak: index.html is served VERBATIM — exactly one window.blocklet (no server-side re-inject, TM-3)', async () => {
+    const app = appWith();
+    const res = await app.fetch(new Request('http://h/dashboard', { headers: { accept: 'text/html' } }));
+    const html = await res.text();
+    expect((html.match(/window\.blocklet\s*=/g) || []).length).toBe(1);
+    // byte-identical to the build artifact
+    expect(html).toBe(fs.readFileSync(path.join(webRoot, 'index.html'), 'utf8'));
+  });
+});

package/api/tests/service/static-externalized.spec.ts

@@ -0,0 +1,48 @@
+// S3-CF Phase 1 inversion ① — static/SPA shell externalized from buildHonoApp.
+//
+// The runtime-neutral hono app must NOT wire node-only static serving
+// (@hono/node-server/serve-static + the node:fs fallback) itself — that is what
+// kept `http.fetch` node-bound and forced the CF worker onto a second surface.
+// Instead the HOST injects a `staticHandler` (node blocklet-server replicates
+// today's serving; the CF/standalone worker serves assets via env.ASSETS and
+// injects nothing). This spec locks the delegation.
+import { Hono } from 'hono';
+import { buildHonoApp } from '../../src/service';
+
+describe('Phase 1 (S3-CF) — static/SPA shell externalized from buildHonoApp', () => {
+  it('serves no static itself — an unmatched html GET 404s when no staticHandler is given', async () => {
+    const app = buildHonoApp();
+    const res = await app.fetch(
+      new Request('http://app.local/some/spa/deeplink', { headers: { accept: 'text/html' } })
+    );
+    // No SPA fallback is wired into the neutral app; the host owns it.
+    expect(res.status).toBe(404);
+  });
+
+  it('invokes the host-provided staticHandler exactly once with the app, after the api/connect routes', async () => {
+    let called = 0;
+    let received: unknown;
+    const app = buildHonoApp(undefined, undefined, (a: Hono) => {
+      called += 1;
+      received = a;
+      a.get('/__host_static_probe', (c) => c.text('served-by-host'));
+    });
+
+    expect(called).toBe(1);
+    expect(received).toBe(app);
+
+    const res = await app.fetch(new Request('http://app.local/__host_static_probe'));
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe('served-by-host');
+  });
+
+  it('keeps /api/healthz reachable even with a host staticHandler wired last', async () => {
+    const app = buildHonoApp(undefined, undefined, (a: Hono) => {
+      a.use('*', async (c) => c.text('static-catchall'));
+    });
+    const res = await app.fetch(new Request('http://app.local/api/healthz'));
+    // healthz is registered before the host static catch-all, so it still wins.
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ ok: true });
+  });
+});

package/blocklet.yml

@@ -14,7 +14,7 @@ repository:
   type: git
   url: git+https://github.com/blocklet/payment-kit.git
 specVersion: 1.2.8
-version: 1.29.2
+version: 1.29.3
 logo: logo.png
 files:
   - dist

package/cloudflare/MIGRATION-RUNBOOK.md

@@ -104,15 +104,11 @@ sqlite3 $PAYMENT_DB "SELECT name FROM sqlite_master WHERE type='table' AND name
 ### 0.3 创建 Cloudflare 资源
 
 ```bash
-# 1. D1 数据库
+# 1. D1 数据库（业务数据 + DID Connect token 握手态都在这里）
 wrangler d1 create payment-kit-prod
 # 记录 database_id，填入 wrangler.json
 
-# 2. KV Namespace（DID Connect session 存储）
-wrangler kv namespace create DID_CONNECT_KV
-# 记录 id，填入 wrangler.json
-
-# 3. CF Queue（任务队列）
+# 2. CF Queue（任务队列）
 wrangler queues create payment-kit-jobs
 
 # 4. Dead Letter Queue（可选，用于失败任务追踪）
@@ -376,8 +372,7 @@ CF Worker 使用 `_did_connect_tokens` 表（存在 D1 中）而非 KV 存储 DI
 以保证强一致性。该表由 schema migration 自动创建，无需从 Blocklet Server 迁移历史 token 数据
 （用户会重新登录）。
 
-> 注: wrangler.json 中仍保留了 `DID_CONNECT_KV` 配置，但实际 token 已迁移到 D1。
-> KV 可用于其他缓存用途。
+> 注: KV (`DID_CONNECT_KV`) 已彻底移除——token 握手态完全走 D1，路由挂载以 `env.DB` 为前提。
 
 ---
 

package/cloudflare/README.md

@@ -6,8 +6,7 @@
 
 ```
 Payment Kit Worker
-  ├── D1 Database           # 业务数据（customers/invoices/subscriptions ...）
-  ├── KV: DID_CONNECT_KV    # DID Connect session 临时存储
+  ├── D1 Database           # 业务数据 + DID Connect token 握手态（_did_connect_tokens）
   ├── CF Queue              # 可选 executor 绑定；队列引擎是 api/src/libs/queue（node 引擎）
   ├── Hyperdrive            # （可选）连接 Postgres，仅在启用时使用
   ├── Service Binding
@@ -102,19 +101,15 @@ Payment Kit Worker      →  本指南涵盖的部分
 在 Payment Kit 部署前创建以下资源，把生成的 ID 填到 `wrangler.jsonc`：
 
 ```bash
-# 1. D1 数据库
+# 1. D1 数据库（业务数据 + DID Connect token 握手态都在这里）
 wrangler d1 create payment-kit-prod
 #   → 记下 database_id
 
-# 2. KV Namespace（DID Connect session 存储）
-wrangler kv namespace create DID_CONNECT_KV
-#   → 记下 id
-
-# 3. CF Queue + DLQ（任务队列）
+# 2. CF Queue + DLQ（任务队列）
 wrangler queues create payment-kit-jobs
 wrangler queues create payment-kit-jobs-dlq
 
-# 4.（可选）Hyperdrive，仅当需要连接外部 Postgres 时
+# 3.（可选）Hyperdrive，仅当需要连接外部 Postgres 时
 wrangler hyperdrive create payment-kit-hyperdrive --connection-string "postgres://..."
 ```
 
@@ -183,13 +178,6 @@ wrangler hyperdrive create payment-kit-hyperdrive --connection-string "postgres:
     }
   ],
 
-  "kv_namespaces": [
-    {
-      "binding": "DID_CONNECT_KV",
-      "id": "<your-kv-namespace-id>"
-    }
-  ],
-
   // 可选：启用 Hyperdrive（连接外部 Postgres）
   // "hyperdrive": [
   //   { "binding": "HYPERDRIVE", "id": "<your-hyperdrive-id>" }
@@ -255,12 +243,11 @@ wrangler deployments list --name media-kit
 ```bash
 cd blocklets/core/cloudflare
 wrangler d1 create payment-kit-prod
-wrangler kv namespace create DID_CONNECT_KV
 wrangler queues create payment-kit-jobs
 wrangler queues create payment-kit-jobs-dlq
 ```
 
-把返回的 `database_id` / `kv namespace id` 填到 `wrangler.jsonc` 对应位置。
+把返回的 `database_id` 填到 `wrangler.jsonc` 对应位置。
 
 ### Phase 2：填写 `wrangler.jsonc`
 
@@ -329,7 +316,7 @@ window.blocklet = { appName: 'Payment Kit', appUrl: '...', appPid: '...', ... }
 
 1. `ensureModelsInit()` — Sequelize-D1 sync，在 D1 里自动建表
 2. `initFromAuthService(env)` — 从 `AUTH_SERVICE.getAppEk(APP_PID)` 拉 EK 并初始化 crypto chain（`PBKDF2 → AES password`）
-3. DID Connect 路由挂载 — `APP_SK` + `DID_CONNECT_KV` 都就绪才会挂载
+3. DID Connect 路由挂载 — `APP_SK` + `DB`（D1）都就绪才会挂载
 
 查看首请求日志：
 
@@ -476,7 +463,7 @@ wrangler d1 execute payment-kit-prod --remote \
 ### DID Connect 登录卡在 challenge 阶段
 
 - `APP_SK` 必须是 hex 字符串，对应的 public key 必须在 blocklet-service 里注册为该 APP_PID 的 key
-- `DID_CONNECT_KV` 必须已创建并 binding 正确
+- `DB`（D1）binding 必须正确：DID Connect token 握手态存在 `_did_connect_tokens` 表，路由挂载也以 `env.DB` 为前提
 
 ---
 
@@ -489,7 +476,7 @@ blocklets/core/cloudflare/
   ├── build.ts               # diagnostic/backup 构建（更少优化；不是 deploy build）
   ├── queue-runtime-mode.ts  # 把 core 队列引擎 pin 成 workerd（在业务队列加载前）
   ├── vite.config.ts         # 前端 Vite 构建配置
-  ├── did-connect-auth.ts    # DID Connect 登录路由（挂载需要 APP_SK + DID_CONNECT_KV）
+  ├── did-connect-auth.ts    # DID Connect 登录路由（挂载需要 APP_SK + DB；token 握手态用 D1 _did_connect_tokens）
   ├── wrangler.jsonc         # 生产配置模板
   ├── wrangler.migration-test.json # 迁移测试环境配置
   ├── index.html             # 前端开发入口

package/cloudflare/STAGING-MIGRATION-GUIDE.md

@@ -166,15 +166,11 @@ curl https://<MEDIA_KIT_URL>/
 ```bash
 cd <payment-kit-repo>/blocklets/core/cloudflare
 
-# 4.1 D1 数据库
+# 4.1 D1 数据库（业务数据 + DID Connect token 握手态都在这里）
 wrangler d1 create payment-kit-staging
 #   记下返回的 database_id，记为 $D1_ID
 
-# 4.2 KV Namespace（DID Connect session）
-wrangler kv namespace create payment-kit-staging-didconnect
-#   记下返回的 id，记为 $KV_ID
-
-# 4.3 CF Queue 主队列 + DLQ
+# 4.2 CF Queue 主队列 + DLQ
 wrangler queues create payment-kit-staging-jobs
 wrangler queues create payment-kit-staging-jobs-dlq
 ```
@@ -183,7 +179,6 @@ wrangler queues create payment-kit-staging-jobs-dlq
 
 ```
 D1_ID=<...>
-KV_ID=<...>
 ```
 
 ## Phase 5：Payment Kit — 导出 AWS 数据（20 min）
@@ -327,13 +322,6 @@ cp wrangler.migration-test.json wrangler.staging.json
     }
   ],
 
-  "kv_namespaces": [
-    {
-      "binding": "DID_CONNECT_KV",
-      "id": "<Phase 4.2 的 KV_ID>"
-    }
-  ],
-
   "services": [
     {
       "binding": "MEDIA_KIT",
@@ -529,7 +517,7 @@ wrangler d1 execute payment-kit-staging --remote --command \
 **如果 Phase 10~12 任何一步发现致命问题**：
 
 1. **停止切流**：staging 还在 `*.workers.dev`，AWS 源端仍然运行，无需回滚 DNS
-2. **保留 CF 资源**：D1 / KV / Queue 不删，便于复现问题
+2. **保留 CF 资源**：D1 / Queue 不删，便于复现问题
 3. **修复后重跑**：Phase 5~12 是幂等的（`INSERT OR IGNORE`），可以安全重跑
 4. **确认失败原因**：查 `wrangler tail` 日志 + 对比 AWS 源端行为
 

package/cloudflare/build.ts

@@ -55,13 +55,18 @@ async function main() {
       '@blocklet/sdk/lib/util/verify-sign': path.resolve(cfDir, 'shims/blocklet-sdk/verify-sign.ts'),
       '@blocklet/sdk/lib/util/component-api': path.resolve(cfDir, 'shims/blocklet-sdk/component-api.ts'),
       // Phase 4 (express→hono): the native hono resource routes pull in the forked
-      // app-shell middleware (session — LIVE on CF; csrf/cdn/fallback — node-shell
-      // only, bundled-but-unreachable on CF). Each needs a util subpath shim so the
-      // bare `@blocklet/sdk` catch-all below doesn't mangle the import.
+      // app-shell middleware (session — LIVE on CF via sessionMiddleware; csrf/cdn —
+      // bundled today, and LIVE once the converged http.fetch runs the full pipeline
+      // on the worker). Each needs a util subpath resolution so the bare
+      // `@blocklet/sdk` catch-all below doesn't mangle the import.
       '@blocklet/sdk/lib/util/login': path.resolve(cfDir, 'shims/blocklet-sdk/login.ts'),
       '@blocklet/sdk/lib/util/service-api': path.resolve(cfDir, 'shims/blocklet-sdk/service-api.ts'),
-      '@blocklet/sdk/lib/util/csrf': path.resolve(cfDir, 'shims/blocklet-sdk/util-csrf.ts'),
-      '@blocklet/sdk/lib/util/wallet': path.resolve(cfDir, 'shims/blocklet-sdk/util-wallet.ts'),
+      // S3-CF Phase 1 ②: csrf/wallet pass through to the REAL worker-safe modules
+      // (util/csrf is crypto-only, util/wallet zero-dep), matching run-build.js — the
+      // converged single http.fetch runs the full pipeline on the worker, so csrf
+      // must REALLY protect write routes (a dead stub would silently disable it).
+      '@blocklet/sdk/lib/util/csrf': require.resolve('@blocklet/sdk/lib/util/csrf'),
+      '@blocklet/sdk/lib/util/wallet': require.resolve('@blocklet/sdk/lib/util/wallet'),
       '@blocklet/sdk/lib/util/asset-host-transformer': path.resolve(cfDir, 'shims/blocklet-sdk/asset-host-transformer.ts'),
       '@blocklet/sdk/lib/util/constants': path.resolve(cfDir, 'shims/blocklet-sdk/util-constants.ts'),
       '@blocklet/sdk/lib/error-handler': path.resolve(cfDir, 'shims/noop.ts'),