payment-kit 1.29.2 → 1.29.3

package/cloudflare/shims/blocklet-sdk/wallet-handler.ts

@@ -1,6 +1,21 @@
+// CF FAIL-FAST shim for @blocklet/sdk/lib/wallet-handler.
+//
+// S3-CF (DID convergence): on workerd the @blocklet/sdk wallet wrapper is NOT a
+// working DID-Connect implementation. CF (and arc-node embedded) MUST inject the
+// real @arcblock/did-connect-js runtime via setDidConnectRuntime
+// (createCloudflareDidConnectRuntime). This used to be a silent no-op stub whose
+// `attach()` registered ZERO routes — a CF host that forgot to inject would serve
+// no DID-Connect routes and fail only at request time. It now throws on construct
+// so the misconfiguration fails loudly (a spec asserts the AUTH_SERVICE runtime
+// never reaches this path).
+const FORBIDDEN =
+  'CF must inject a DID-Connect runtime via setDidConnectRuntime(createCloudflareDidConnectRuntime); ' +
+  'the @blocklet/sdk wallet-handler shim is forbidden on workerd';
+
 export class WalletHandlers {
-  constructor(_opts?: any) {}
-  attach(_opts: any) {
-    // TODO: implement DID Connect for CF
+  constructor(_opts?: any) {
+    throw new Error(`[did-connect] WalletHandlers: ${FORBIDDEN}`);
   }
 }
+
+export default { WalletHandlers };

package/cloudflare/tests/cf-adapter.spec.ts

@@ -0,0 +1,244 @@
+// S3-CF Phase 3 — the CF payment adapter host glue. These unit-test the
+// request-path behavior (caller strip/inject, tenant context, raw-body fidelity,
+// lazy provision in-flight dedup, scheduled due-dispatch, queue demux) against the
+// REAL helpers with fake services — no Miniflare/D1 needed (the worker bundle
+// build is the integration gate; this is the behavior gate).
+
+import { injectCaller, createTenantProvisioner, buildFetch, buildScheduled, buildQueueConsumer } from '../cf-adapter';
+import type { CloudflareCallerIdentity } from '../cf-adapter';
+import { context as requestContext } from '../../api/src/libs/context';
+
+const noopBindEnv = () => undefined;
+const noopFlush = async () => undefined;
+
+describe('injectCaller — CF API gate caller header glue (decision #5)', () => {
+  it('happy: injects canonical x-user-* from the host-resolved caller', () => {
+    const h = new Headers();
+    injectCaller(h, { did: 'zUSER', role: 'admin', authMethod: 'passkey', displayName: 'Alice' });
+    expect(h.get('x-user-did')).toBe('did:abt:zUSER');
+    expect(h.get('x-user-role')).toBe('blocklet-admin');
+    expect(h.get('x-user-provider')).toBe('passkey');
+    expect(h.get('x-user-fullname')).toBe(encodeURIComponent('Alice'));
+  });
+
+  it('security: STRIPS a client-forged identity header (no caller = anonymous, not forged)', () => {
+    const h = new Headers({ 'x-user-did': 'did:abt:zEVIL', 'x-user-role': 'blocklet-owner' });
+    injectCaller(h, null);
+    expect(h.get('x-user-did')).toBeNull();
+    expect(h.get('x-user-role')).toBeNull();
+  });
+
+  it('security: a forged header cannot survive even WITH a real caller (strip-then-inject)', () => {
+    const h = new Headers({ 'x-user-did': 'did:abt:zEVIL' });
+    injectCaller(h, { did: 'zREAL', role: 'member' });
+    expect(h.get('x-user-did')).toBe('did:abt:zREAL'); // not zEVIL
+  });
+
+  it('keeps an already-canonical did:abt: prefix and prefixes a bare did', () => {
+    const a = new Headers();
+    injectCaller(a, { did: 'did:abt:zABC' });
+    expect(a.get('x-user-did')).toBe('did:abt:zABC');
+    const b = new Headers();
+    injectCaller(b, { did: 'zABC' });
+    expect(b.get('x-user-did')).toBe('did:abt:zABC');
+  });
+});
+
+describe('createTenantProvisioner — lazy first-request provisioning, in-flight dedup', () => {
+  it('data-loss: concurrent first-requests for the same tenant provision ONCE', async () => {
+    let calls = 0;
+    const provision = jest.fn(async () => {
+      calls += 1;
+      await new Promise((r) => setTimeout(r, 5));
+    });
+    const provisioner = createTenantProvisioner(provision);
+    await Promise.all([provisioner('zA'), provisioner('zA'), provisioner('zA'), provisioner('zA')]);
+    expect(calls).toBe(1);
+    expect(provision).toHaveBeenCalledTimes(1);
+  });
+
+  it('different tenants each provision once', async () => {
+    const provision = jest.fn(async () => undefined);
+    const provisioner = createTenantProvisioner(provision);
+    await Promise.all([provisioner('zA'), provisioner('zB'), provisioner('zA')]);
+    expect(provision).toHaveBeenCalledTimes(2);
+  });
+
+  it('a failed provision is dropped so the next request RETRIES (not cached as done)', async () => {
+    let n = 0;
+    const provision = jest.fn(async () => {
+      n += 1;
+      if (n === 1) throw new Error('transient');
+    });
+    const provisioner = createTenantProvisioner(provision);
+    await expect(provisioner('zA')).rejects.toThrow('transient');
+    await expect(provisioner('zA')).resolves.toBeUndefined(); // retried, now succeeds
+    expect(provision).toHaveBeenCalledTimes(2);
+  });
+
+  it('null tenant is a no-op (no provision attempt)', async () => {
+    const provision = jest.fn(async () => undefined);
+    const provisioner = createTenantProvisioner(provision);
+    await provisioner(null);
+    expect(provision).not.toHaveBeenCalled();
+  });
+});
+
+// A fake embedded service: captures what the adapter forwards (headers, raw body,
+// basePath) and the tenant context active at fetch time.
+function fakeSvc() {
+  const seen: { did?: string; role?: string; tenant?: string; basePath?: string; body?: string } = {};
+  return {
+    seen,
+    http: {
+      async fetch(req: Request, opts?: { basePath?: string }) {
+        seen.did = req.headers.get('x-user-did') ?? undefined;
+        seen.role = req.headers.get('x-user-role') ?? undefined;
+        seen.tenant = requestContext.peekInstanceDid();
+        seen.basePath = opts?.basePath;
+        seen.body = await req.text();
+        return new Response('ok', { status: 200 });
+      },
+    },
+  };
+}
+
+describe('buildFetch — drives the single http.fetch under the tenant context', () => {
+  it('happy: strips forged x-user-*, injects the real caller, runs under withTenant, passes basePath, flushes', async () => {
+    const svc = fakeSvc();
+    let flushed = 0;
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => 'did:abt:zTENANT',
+      resolveCaller: () => ({ did: 'zREAL', role: 'member' } as CloudflareCallerIdentity),
+      provision: async () => undefined,
+      bindEnv: noopBindEnv,
+      flush: async () => {
+        flushed += 1;
+      },
+    });
+    const req = new Request('https://x/.well-known/payment/api/products', {
+      method: 'POST',
+      headers: { 'x-user-did': 'did:abt:zFORGED' },
+      body: 'raw-bytes',
+    });
+    const res = await fetch(req, {}, { waitUntil() {} } as any);
+    expect(res.status).toBe(200);
+    expect(svc.seen.did).toBe('did:abt:zREAL'); // forged stripped, real injected
+    expect(svc.seen.tenant).toBe('did:abt:zTENANT'); // ran under withTenant
+    expect(svc.seen.basePath).toBe('/.well-known/payment');
+    expect(svc.seen.body).toBe('raw-bytes'); // data-damage: raw body preserved
+    expect(flushed).toBe(1);
+  });
+
+  it('security: forged x-user-did with NO caller resolved → stripped, anonymous (fail-safe)', async () => {
+    const svc = fakeSvc();
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => 'did:abt:zT',
+      resolveCaller: () => null,
+      provision: async () => undefined,
+      bindEnv: noopBindEnv,
+      flush: noopFlush,
+    });
+    await fetch(new Request('https://x/api/x', { headers: { 'x-user-did': 'did:abt:zEVIL' } }), {}, { waitUntil() {} } as any);
+    expect(svc.seen.did).toBeUndefined();
+  });
+
+  it('data-leak: an unknown host (tenant null) is NOT wrapped — the core fail-closes tenant-scoped routes', async () => {
+    const svc = fakeSvc();
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => null,
+      provision: async () => undefined,
+      bindEnv: noopBindEnv,
+      flush: noopFlush,
+    });
+    await fetch(new Request('https://unknown/api/x'), {}, { waitUntil() {} } as any);
+    expect(svc.seen.tenant).toBeUndefined(); // no context leaked; core will reject tenant-scoped routes
+  });
+
+  it('data-loss: a first request triggers the lazy provisioner exactly once for its tenant', async () => {
+    const svc = fakeSvc();
+    const provision = jest.fn(async () => undefined);
+    const provisioner = createTenantProvisioner(provision);
+    const fetch = buildFetch({
+      svc: svc as any,
+      basePath: '/.well-known/payment',
+      resolveTenant: () => 'did:abt:zP',
+      provision: provisioner,
+      bindEnv: noopBindEnv,
+      flush: noopFlush,
+    });
+    const ctx = { waitUntil() {} } as any;
+    await Promise.all([
+      fetch(new Request('https://x/api/a'), {}, ctx),
+      fetch(new Request('https://x/api/b'), {}, ctx),
+    ]);
+    expect(provision).toHaveBeenCalledTimes(1);
+    expect(provision).toHaveBeenCalledWith('did:abt:zP');
+  });
+});
+
+describe('buildScheduled — host-driven due dispatch', () => {
+  it('runs crons for the intended minute then dispatches due jobs then flushes (ordered)', async () => {
+    const order: string[] = [];
+    const scheduled = buildScheduled({
+      bindEnv: () => order.push('bind'),
+      runCrons: async (when: Date) => {
+        order.push(`crons:${when.toISOString()}`);
+      },
+      dispatchDue: async () => {
+        order.push('dispatch');
+      },
+      flush: async () => {
+        order.push('flush');
+      },
+    });
+    const t = Date.UTC(2026, 3, 17, 10, 0, 0);
+    await scheduled({ cron: '*/5 * * * *', scheduledTime: t } as any, {}, { waitUntil() {} } as any);
+    expect(order).toEqual(['bind', `crons:${new Date(t).toISOString()}`, 'dispatch', 'flush']);
+  });
+});
+
+describe('buildQueueConsumer — payment queue message demux', () => {
+  it('routes each message to its core queue handle by name, then acks; flushes once', async () => {
+    const ran: Array<{ name: string; id: string }> = [];
+    const acked: string[] = [];
+    let flushed = 0;
+    const handle = { pushAndWait: async (p: any) => ran.push({ name: 'refund', id: p.id }) };
+    const queue = buildQueueConsumer({
+      bindEnv: noopBindEnv,
+      getHandle: (name: string) => (name === 'refund' ? (handle as any) : undefined),
+      flush: async () => {
+        flushed += 1;
+      },
+    });
+    const batch = {
+      messages: [
+        { body: { queueName: 'refund', jobId: 'j1', job: {} }, ack: () => acked.push('j1') },
+        { body: { queueName: 'unknown', jobId: 'j2', job: {} }, ack: () => acked.push('j2') },
+      ],
+    };
+    await queue(batch as any, {}, { waitUntil() {} } as any);
+    expect(ran).toEqual([{ name: 'refund', id: 'j1' }]);
+    expect(acked).toEqual(['j1', 'j2']); // unknown handler still acked (no infinite redelivery)
+    expect(flushed).toBe(1);
+  });
+
+  it('a throwing handler is acked (not retried via CF Queue — D1 scheduled redispatch owns retries)', async () => {
+    const acked: string[] = [];
+    const handle = { pushAndWait: async () => { throw new Error('boom'); } };
+    const queue = buildQueueConsumer({
+      bindEnv: noopBindEnv,
+      getHandle: () => handle as any,
+      flush: noopFlush,
+    });
+    const batch = { messages: [{ body: { queueName: 'refund', jobId: 'j1', job: {} }, ack: () => acked.push('j1') }] };
+    await queue(batch as any, {}, { waitUntil() {} } as any);
+    expect(acked).toEqual(['j1']);
+  });
+});

package/cloudflare/tests/did-connect-token-storage.spec.ts

@@ -0,0 +1,105 @@
+// S3-CF (DID convergence) — CF DID-Connect token store: tenant isolation + waitUntil.
+//
+// Deterministic unit tests over a fake D1 (no chain, no AUTH_SERVICE):
+//   - a token minted under tenant A is invisible under tenant B (read/exist/
+//     update/delete all not-found) — the isolation the convergence requires.
+//   - the fire-and-forget `update` (did-connect-js onProcessError) still lands via
+//     __cfWaitUntil__ even when the caller never awaits — the "scanned → succeed"
+//     regression the standalone worker's waitUntil hack fixed.
+import { context } from '../../api/src/libs/context';
+import { CloudflareTenantTokenStorage } from '../did-connect-token-storage';
+
+const A = 'zMOCK_TENANT_A';
+const B = 'zMOCK_TENANT_B';
+
+/** Minimal in-memory D1 double covering the prepare/bind/run/first shape the store uses. */
+function fakeD1() {
+  const rows = new Map<string, { data: string; expires_at: number }>();
+  const db: any = {
+    withSession: () => db,
+    prepare(sql: string) {
+      const stmt: any = {
+        _args: [] as any[],
+        bind(...args: any[]) {
+          stmt._args = args;
+          return stmt;
+        },
+        async run() {
+          if (sql.startsWith('INSERT')) {
+            const [token, data, exp] = stmt._args;
+            rows.set(token, { data, expires_at: exp });
+          } else if (sql.startsWith('UPDATE')) {
+            const [data, exp, token] = stmt._args;
+            if (rows.has(token)) rows.set(token, { data, expires_at: exp });
+          } else if (sql.startsWith('DELETE')) {
+            rows.delete(stmt._args[0]);
+          }
+          return { success: true };
+        },
+        async first() {
+          const [token, now] = stmt._args;
+          const r = rows.get(token);
+          return r && r.expires_at > now ? { data: r.data } : null;
+        },
+      };
+      return stmt;
+    },
+  };
+  return { db, rows };
+}
+
+describe('S3-CF DID convergence — CloudflareTenantTokenStorage', () => {
+  let restoreEnv: any;
+  let restoreWaitUntil: any;
+
+  beforeEach(() => {
+    restoreEnv = (globalThis as any).__CF_ENV__;
+    restoreWaitUntil = (globalThis as any).__cfWaitUntil__;
+  });
+  afterEach(() => {
+    (globalThis as any).__CF_ENV__ = restoreEnv;
+    (globalThis as any).__cfWaitUntil__ = restoreWaitUntil;
+  });
+
+  it('isolates tokens by tenant — A token is not-found under tenant B', async () => {
+    const { db } = fakeD1();
+    (globalThis as any).__CF_ENV__ = { DB: db };
+    const store = new CloudflareTenantTokenStorage({ ttl: 300 });
+
+    // create + read under tenant A
+    await context.withTenant(A, () => store.create('tok-1', 'created'));
+    const underA = await context.withTenant(A, () => store.read('tok-1'));
+    expect(underA?.token).toBe('tok-1');
+    expect(underA?.instanceDid).toBe(A);
+    expect(await context.withTenant(A, () => store.exist('tok-1'))).toBe(true);
+
+    // the SAME token is invisible under tenant B
+    expect(await context.withTenant(B, () => store.read('tok-1'))).toBeNull();
+    expect(await context.withTenant(B, () => store.exist('tok-1'))).toBe(false);
+    // B cannot advance A's handshake
+    expect(await context.withTenant(B, () => store.update('tok-1', { status: 'hijacked' }))).toBeNull();
+    // and B's delete is a no-op (A's token survives)
+    await context.withTenant(B, () => store.delete('tok-1'));
+    expect((await context.withTenant(A, () => store.read('tok-1')))?.token).toBe('tok-1');
+  });
+
+  it('update lands via __cfWaitUntil__ even when the caller never awaits (waitUntil regression)', async () => {
+    const { db } = fakeD1();
+    (globalThis as any).__CF_ENV__ = { DB: db };
+    const pending: Promise<any>[] = [];
+    (globalThis as any).__cfWaitUntil__ = (p: Promise<any>) => pending.push(p);
+
+    const store = new CloudflareTenantTokenStorage({ ttl: 300 });
+    await context.withTenant(A, async () => {
+      await store.create('tok-2', 'scanned');
+      // fire-and-forget, as did-connect-js's onProcessError does — NOT awaited
+      store.update('tok-2', { status: 'succeed' });
+    });
+
+    // before draining waitUntil, the write may not have landed; drain then assert
+    await Promise.all(pending);
+    const after = await context.withTenant(A, () => store.read('tok-2'));
+    expect(after?.status).toBe('succeed');
+    expect(after?.instanceDid).toBe(A); // owning tenant preserved through update
+  });
+});

package/cloudflare/tests/worker-handler-gate.spec.ts

@@ -1,20 +1,45 @@
-// Phase 12c HARD GATE (scan): the CF worker is a host adapter. It must mount the
-// embedded service's resource-route surface (svc.http.resourceRoutes) and NEVER
-// access svc.handler — whose lazy getter builds the node-only Express app shell
-// that does not belong under workerd. It also must not import the deleted legacy
-// shims/queue.ts duplicate engine. This statically scans the worker source so a
-// regression fails the suite (the runtime Proxy in ensurePaymentService is the
-// second line of defense).
+// Phase 12c HARD GATE + S3-CF Phase 1B (scan): the CF worker is a host adapter that
+// drives the core via the SINGLE runtime-neutral surface `svc.http.fetch`. It must
+// NOT read `svc.handler` (the node-convenience getter) and — post Phase 1B — must
+// NOT use the LITE `svc.http.resourceRoutes.fetch` dispatcher (the second surface is
+// gone), and must NOT double-own payment `/api/*` cors / tenant (the core full
+// pipeline owns those). This statically scans the worker source so a regression
+// fails the suite (the runtime Proxy in ensurePaymentService is the second defense).
 import fs from 'fs';
 import path from 'path';
 
 const workerSrc = fs.readFileSync(path.join(__dirname, '../worker.ts'), 'utf8');
 
-describe('Phase 12c — worker host-adapter hard gate', () => {
-  it('mounts the resource-route surface (svc.http.resourceRoutes)', () => {
-    expect(workerSrc).toMatch(/service\.http\.resourceRoutes/);
+// non-comment code lines only
+const codeLines = workerSrc
+  .split('\n')
+  .map((line, n) => ({ line: line.trim(), n: n + 1 }))
+  .filter(({ line }) => !line.startsWith('//') && !line.startsWith('*') && !line.startsWith('/*'));
+
+describe('S3-CF Phase 1B — worker drives the single svc.http.fetch surface', () => {
+  it('forwards payment /api/* through svc.http.fetch', () => {
+    expect(workerSrc).toMatch(/service\.http\.fetch\(/);
+  });
+
+  it('no longer dispatches through the LITE svc.http.resourceRoutes surface', () => {
+    const offending = codeLines.filter(({ line }) => /service\.http\.resourceRoutes/.test(line));
+    expect(offending).toEqual([]);
   });
 
+  it('does not double-own payment /api/* cors or tenant (core full pipeline owns them)', () => {
+    const doubleCors = codeLines.filter(({ line }) => /app\.use\(\s*['"]\/api\/\*['"]\s*,\s*cors\(\)/.test(line));
+    const doubleTenant = codeLines.filter(({ line }) => /app\.use\(\s*['"]\/api\/\*['"]\s*,\s*tenantMiddleware\(\)/.test(line));
+    expect(doubleCors).toEqual([]);
+    expect(doubleTenant).toEqual([]);
+  });
+
+  it('strips client-forged x-user-* before injecting the resolved caller identity', () => {
+    expect(workerSrc).toMatch(/for \(const h of USER_HEADERS\) headers\.delete\(h\)/);
+    expect(workerSrc).toMatch(/headers\.set\(['"]x-user-did['"]/);
+  });
+});
+
+describe('Phase 12c — worker host-adapter hard gate', () => {
   it('never reads .handler on the payment service', () => {
     const offending = workerSrc
       .split('\n')

package/cloudflare/vite.config.ts

@@ -4,6 +4,8 @@ import svgr from 'vite-plugin-svgr';
 import tsconfigPaths from 'vite-tsconfig-paths';
 import path from 'path';
 
+import { buildBootstrapScript, PAYMENT_KIT_DID } from '../scripts/bootstrap-inject';
+
 const coreDir = path.resolve(__dirname, '..');
 
 // Absolute path to the original session file we want to replace
@@ -30,54 +32,60 @@ export default defineConfig({
         return null;
       },
     },
-    // Inject window.blocklet + global polyfills into HTML
+    // Inject window.blocklet + global polyfills into HTML via the runtime-neutral
+    // bootstrap helper (P2 / README D2 — single source shared with vite.arc.config.ts).
+    // CF is a root deploy: uiPrefix='/', remoteBlockletUrl root-exact (the helper's
+    // T2.3 lock prevents the old `pfx + '__blocklet__.js'` prefix-join bug), prefix
+    // in localOnly (G3). navigation/componentMountPoints are this blocklet's own
+    // (AUTH_SERVICE doesn't know them) so they stay local.
     {
       name: 'cf-inject-blocklet',
       transformIndexHtml(html: string) {
-        const injection = `<script>
-window.global = globalThis;
-// Minimal bootstrap — full config loaded from __blocklet__.js
-if (!window.blocklet) {
-  window.blocklet = {
-    prefix: '/',
-    groupPrefix: '/',
-    appUrl: window.location.origin,
-    componentMountPoints: [{did:'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',name:'Media Kit',mountPoint:'/media-kit',appId:'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',status:'running',capabilities:{component:true}}],
-    navigation: [
-      {id:'payments',title:{en:'Payments',zh:'支付管理'},icon:'ion:card-outline',link:'/admin',section:['dashboard','sessionManager'],role:['admin','owner']},
-      {id:'integrations',title:{en:'Integrations',zh:'快速集成'},icon:'ion:flash-outline',link:'/integrations',section:['dashboard','sessionManager'],role:['admin','owner']},
-      {id:'billing',title:{en:'Billing',zh:'我的账单'},icon:'ion:receipt-outline',link:'/customer',private:true,section:['userCenter','sessionManager'],role:['owner','admin','member','guest']},
-    ],
-  };
-}
-// Load full config from /__blocklet__.js?type=json (served by worker, includes auth/branding/theme from AUTH_SERVICE).
-// Using type=json lets us JSON.parse the response directly instead of slicing out a { } substring from a JS assignment.
-(function() {
-  try {
-    var xhr = new XMLHttpRequest();
-    var pfx = (window.blocklet && window.blocklet.prefix) || '/';
-    xhr.open('GET', pfx + '__blocklet__.js?type=json&_t=' + Date.now(), false);
-    xhr.send();
-    if (xhr.status === 200) {
-      var remote = JSON.parse(xhr.responseText);
-      // navigation / componentMountPoints are owned by this blocklet — AUTH_SERVICE
-      // doesn't know about them, so we never want remote values to clobber the
-      // ones the bootstrap above set.
-      var localOnly = ['navigation', 'componentMountPoints'];
-      Object.keys(remote).forEach(function(k) {
-        if (localOnly.indexOf(k) === -1) {
-          window.blocklet[k] = remote[k];
-        }
-      });
-      if (!window.blocklet.env) window.blocklet.env = {};
-      window.blocklet.env.appName = window.blocklet.appName || '';
-      window.blocklet.env.appDescription = window.blocklet.appDescription || '';
-      window.blocklet.env.appLogo = window.blocklet.appLogo || '';
-      window.blocklet.env.appUrl = window.blocklet.appUrl || '';
-    }
-  } catch(e) { /* ignore */ }
-})();
-</script>`;
+        const injection = buildBootstrapScript({
+          uiPrefix: '/',
+          componentId: PAYMENT_KIT_DID,
+          remoteBlockletUrl: '/__blocklet__.js?type=json',
+          localOnly: ['prefix', 'navigation', 'componentMountPoints'],
+          extra: {
+            componentMountPoints: [
+              {
+                did: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
+                name: 'Media Kit',
+                mountPoint: '/media-kit',
+                appId: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
+                status: 'running',
+                capabilities: { component: true },
+              },
+            ],
+            navigation: [
+              {
+                id: 'payments',
+                title: { en: 'Payments', zh: '支付管理' },
+                icon: 'ion:card-outline',
+                link: '/admin',
+                section: ['dashboard', 'sessionManager'],
+                role: ['admin', 'owner'],
+              },
+              {
+                id: 'integrations',
+                title: { en: 'Integrations', zh: '快速集成' },
+                icon: 'ion:flash-outline',
+                link: '/integrations',
+                section: ['dashboard', 'sessionManager'],
+                role: ['admin', 'owner'],
+              },
+              {
+                id: 'billing',
+                title: { en: 'Billing', zh: '我的账单' },
+                icon: 'ion:receipt-outline',
+                link: '/customer',
+                private: true,
+                section: ['userCenter', 'sessionManager'],
+                role: ['owner', 'admin', 'member', 'guest'],
+              },
+            ],
+          },
+        });
         return html.replace('<head>', '<head>' + injection);
       },
     },