payment-kit 1.29.2 → 1.29.4

package/cloudflare/run-build.js

@@ -1,366 +1,42 @@
 const { build } = require("esbuild");
 const path = require("path");
+const { buildCfEsbuildOptions } = require("./esbuild-cf-config.cjs");
+
 const cfDir = __dirname;
 const s = (f) => path.resolve(cfDir, f);
 
-// Phase 12b/12c: the queue-shim (libs/queue -> shims/queue.ts) and lock-shim
-// (libs/lock -> shims/lock.ts) plugins were REMOVED.
-//   - queue-shim: option A makes api/src/libs/queue the ONE queue engine for all
-//     runtimes (the worker drives it via api/src/libs/queue/runtime.ts); the
-//     duplicate shims/queue.ts engine is deleted, so there is nothing to redirect.
-//   - lock-shim: lock became a Phase 8 driver (libs/drivers/locks) and the old
-//     shims/lock.ts no longer exists; the redirect pointed at a deleted file and
-//     was the only thing that broke this script.
-// Everything else below is the original CF deploy-build optimization config.
-
-// Plugin to neutralize rolldown-generated `__require(import.meta.url)` helpers
-// that ship inside npm packages built with rolldown (e.g. @ocap/message,
-// @arcblock/did-connect-js). These helpers use `createRequire(import.meta.url)`
-// at module init to pull in CJS deps like `google-protobuf`, `debug`, etc. —
-// which neither resolve nor work in the CF Workers runtime.
-//
-// The downstream patches/shims that use these require calls are all either:
-//   - monkey-patches for edge cases Payment Kit doesn't exercise, or
-//   - debug()/logger() factories that Payment Kit doesn't need on CF.
-//
-// Replace every `_virtual/rolldown_runtime.mjs` with a stub whose `__require`
-// returns a Proxy that swallows further property accesses + function calls,
-// and whose `__commonJSMin` returns an empty-module factory. This lets the
-// importing modules finish loading without crashing the worker at startup.
-const rolldownRuntimeStub = `
-// After the Phase 2 CBOR switch (payment-method.ts + did-connect-auth.ts
-// moved off @ocap/client/legacy), no codepath in the worker calls
-// __require('google-protobuf') at runtime. The CBOR-only @ocap/client
-// default entry + @ocap/client/encode use plain ESM imports for their
-// deps. Any remaining __require calls in Rolldown-compiled packages
-// (debug, @arcblock/event-hub, etc.) are handled by the __noop Proxy
-// below — they don't need real modules for payment-kit's flows.
-const __requireMap = {};
-const __noopTarget = function(){};
-const __noopHandler = {
-  get(t, p) {
-    if (p === Symbol.toPrimitive || p === 'toString') return () => '';
-    if (p === 'default') return new Proxy(__noopTarget, __noopHandler);
-    return new Proxy(__noopTarget, __noopHandler);
-  },
-  apply() { return new Proxy(__noopTarget, __noopHandler); },
-  construct() { return new Proxy(__noopTarget, __noopHandler); },
-};
-const __noop = new Proxy(__noopTarget, __noopHandler);
-export const __commonJSMin = function(cb){
-  return function(){
-    var m = { exports: {} };
-    try { cb(m.exports, m); } catch (_) {}
-    return m.exports;
-  };
-};
-export const __require = function(id){
-  if (__requireMap[id]) return __requireMap[id];
-  return __noop;
-};
-export const __exportAll = function(target, source){
-  if (source) {
-    try {
-      for (var key in source) {
-        if (key !== 'default' && !Object.prototype.hasOwnProperty.call(target, key)) {
-          Object.defineProperty(target, key, {
-            get: function() { return source[key]; },
-            enumerable: true,
-            configurable: true,
-          });
-        }
-      }
-    } catch (_) {}
-  }
-  return target;
-};
-export const __toESM = function(mod){ return mod && mod.__esModule ? mod : { default: mod }; };
-export const __toCommonJS = function(mod){ return mod; };
-export const __copyProps = function(target){ return target; };
-export default { __commonJSMin, __require, __exportAll, __toESM, __toCommonJS, __copyProps };
-`;
-const rolldownRuntimeNoopPlugin = {
-  name: 'rolldown-runtime-noop',
-  setup(build) {
-    // Catch any import that resolves to a `_virtual/rolldown_runtime.mjs`
-    // file, regardless of which package it comes from.
-    build.onResolve({ filter: /_virtual\/rolldown_runtime\.mjs$/ }, (args) => {
-      return { path: args.path, namespace: 'rolldown-runtime-noop' };
-    });
-    build.onLoad({ filter: /.*/, namespace: 'rolldown-runtime-noop' }, () => ({
-      contents: rolldownRuntimeStub,
-      loader: 'js',
-      // Need a resolveDir so the virtual stub's `import "google-protobuf"` resolves
-      // against the workspace's node_modules. Pointing at cfDir is sufficient since
-      // pnpm hoists google-protobuf up to the repo root node_modules.
-      resolveDir: cfDir,
-    }));
-  },
-};
-
-// Plugin: fix lodash sub-path CJS/ESM interop
-// The "lodash" → "lodash-es" alias also redirects require('lodash/camelCase')
-// to lodash-es/camelCase (ESM). CJS consumers get { __esModule, default: fn }
-// instead of the function itself, causing "_m is not a function" at runtime.
-// Fix: intercept lodash-es sub-path imports from CJS contexts and generate a
-// virtual wrapper that re-exports the default as module.exports.
-const lodashSubpathPlugin = {
-  name: 'lodash-subpath-interop',
-  setup(build) {
-    // Intercept resolved lodash-es sub-path imports that come from require() calls
-    // Intercept CJS require('lodash/xxx') — the alias hasn't applied yet at this stage
-    build.onResolve({ filter: /^lodash\/.+/ }, (args) => {
-      if (args.kind === 'require-call') {
-        // Convert lodash/xxx → lodash-es/xxx and wrap for CJS compat
-        const esPath = args.path.replace(/^lodash\//, 'lodash-es/');
-        return {
-          path: esPath,
-          namespace: 'lodash-cjs-compat',
-        };
+// S3-CF Phase 2: the worker-safe alias / shim / plugin / banner table now lives in
+// esbuild-cf-config.cjs, shared with packages/payment-core/build-cf.mjs (the
+// re-bundleable @arcblock/payment-service/cf library) so the standalone Worker and
+// the embedded ./cf artifact can never drift. This script only adds the bits unique
+// to the standalone Worker bundle: the worker.ts entry point (with a default
+// export) and the dist/meta.json + size report.
+
+build(
+  buildCfEsbuildOptions({
+    entryPoints: [s("worker.ts")],
+    outdir: s("dist"),
+  })
+)
+  .then((result) => {
+    require("fs").writeFileSync(s("dist/meta.json"), JSON.stringify(result.metafile));
+    Object.entries(result.metafile.outputs).forEach(function (entry) {
+      var k = entry[0],
+        v = entry[1];
+      if (k.indexOf(".map") === -1) {
+        console.log(k + ": " + (v.bytes / 1024).toFixed(1) + "KB");
       }
     });
-    build.onLoad({ filter: /.*/, namespace: 'lodash-cjs-compat' }, (args) => {
-      // Resolve the actual file path, then read and re-export as CJS.
-      // By loading the original ESM source as 'js' with CJS-style wrapping,
-      // esbuild treats the result as CJS, avoiding the __toModule interop.
-      const subPath = args.path.replace('lodash-es/', '');
-      const filePath = require.resolve(`lodash-es/${subPath}`);
-      const source = require('fs').readFileSync(filePath, 'utf8');
-      // Transform: replace ESM export default with module.exports
-      // lodash-es modules all follow: import deps... ; function fn(...){...}; export default fn;
-      const transformed = source
-        .replace(/^export default /m, 'module.exports = ')
-        .replace(/^export\s*\{[^}]*\}\s*;?\s*$/m, '');
-      return {
-        contents: transformed,
-        loader: 'js',
-        resolveDir: require('path').dirname(filePath),
-      };
-    });
-  },
-};
-
-// Plugin: redirect bare `@arcblock/did-util` and `@ocap/message` imports to their
-// CBOR-only subpath entries, and noop `@arcblock/did-util/protobuf`. This strips
-// the protobuf runtime (`@ocap/proto/runtime`, `google-protobuf`, `*_pb.js`) out
-// of the CF Workers bundle. Only matches EXACT bare specifiers — subpath imports
-// (e.g. `@arcblock/did-util/cbor`) pass through untouched.
-const cborOnlyPlugin = {
-  name: 'cbor-only-redirect',
-  setup(build) {
-    build.onResolve({ filter: /^@arcblock\/did-util$/ }, () => ({
-      path: path.resolve(__dirname, '../../..', 'node_modules/@arcblock/did-util/esm/cbor.mjs'),
-    }));
-    build.onResolve({ filter: /^@ocap\/message$/ }, () => ({
-      path: path.resolve(__dirname, '../../..', 'node_modules/@ocap/message/esm/cbor.mjs'),
-    }));
-    build.onResolve({ filter: /^@arcblock\/did-util\/protobuf$/ }, () => ({
-      path: s('shims/noop.ts'),
-    }));
-  },
-};
-
-// Plugin: noop entire package trees that have sub-path imports (alias alone
-// doesn't work because esbuild treats "axon" alias as prefix, breaking
-// "axon/lib/plugins/queue"). This plugin intercepts bare + sub-path imports.
-const noopPackagesPlugin = {
-  name: 'noop-packages',
-  setup(build) {
-    const packages = ['axon', '@arcblock/ws', '@arcblock/event-hub', 'graphql', 'follow-redirects', 'proxy-from-env'];
-    const filter = new RegExp('^(' + packages.join('|') + ')(\\/|$)');
-    build.onResolve({ filter }, () => ({ path: s('shims/noop.ts') }));
-  },
-};
-
-// Plugin: drop ethers' non-English BIP39 wordlists (~70K dead weight). The payment
-// worker never uses Mnemonic/HD wallets (0 source refs to Mnemonic/HDNode/wordlist),
-// so the 8 non-English word tables never execute. ethers' own /dist build strips
-// these too (~80kb). Keep LangEn (Mnemonic default). Stub the rest with a static
-// wordlist() returning null so wordlists.js's top-level LangXx.wordlist() calls
-// (run at module init) don't crash.
-const dropEthersWordlistsPlugin = {
-  name: 'drop-ethers-wordlists',
-  setup(build) {
-    build.onLoad({ filter: /ethers\/lib\.esm\/wordlists\/lang-(cz|es|fr|ja|ko|it|pt|zh)\.js$/ }, (args) => {
-      const lang = /lang-(\w+)\.js$/.exec(args.path)[1];
-      const cls = 'Lang' + lang.charAt(0).toUpperCase() + lang.slice(1);
-      return { contents: `export class ${cls} { static wordlist() { return null; } }`, loader: 'js' };
-    });
-  },
-};
-
-build({
-  entryPoints: [s("worker.ts")],
-  bundle: true, format: "esm", platform: "node", target: "esnext",
-  outdir: s("dist"), minify: true, sourcemap: true, metafile: true,
-  mainFields: ["module", "main"],
-  plugins: [
-    noopPackagesPlugin, rolldownRuntimeNoopPlugin, lodashSubpathPlugin, dropEthersWordlistsPlugin,
-  ],
-  external: ["cloudflare:*", "__STATIC_CONTENT_MANIFEST"],
-  // Give import.meta.url a stable fallback so bundled deps that call
-  // createRequire(import.meta.url) at module init don't throw at worker
-  // startup. The polyfill in banner handles any legitimate require() lookups.
-  define: {
-    "import.meta.url": '"file:///worker.js"',
-  },
-  banner: {
-    js: [
-      '// Polyfill require() for CJS modules that dynamically require Node builtins',
-      'import __nodeCrypto from "node:crypto";',
-      'import __nodeBuffer from "node:buffer";',
-      'import __nodeEvents from "node:events";',
-      'import __nodeStream from "node:stream";',
-      'import __nodeUtil from "node:util";',
-      'import __nodeAssert from "node:assert";',
-      'import __nodePath from "node:path";',
-      'import __nodeUrl from "node:url";',
-      'import __nodeProcess from "node:process";',
-      'const __qsShim = { stringify: function(o) { return new URLSearchParams(o).toString(); }, parse: function(s) { return Object.fromEntries(new URLSearchParams(s).entries()); } };',
-      'const __nodeModules = { crypto: __nodeCrypto, buffer: __nodeBuffer, events: __nodeEvents, stream: __nodeStream, util: __nodeUtil, assert: __nodeAssert, path: __nodePath, url: __nodeUrl, process: __nodeProcess, querystring: __qsShim };',
-      '// Accept both "xxx" and "node:xxx" specifier forms; return empty stub for unknown modules',
-      '// (some deps tree-shake to nothing but still call require() at init — a hard throw crashes the worker).',
-      'globalThis.require = globalThis.require || function(m) { var key = typeof m === "string" && m.indexOf("node:") === 0 ? m.slice(5) : m; if (__nodeModules[key]) return __nodeModules[key]; console.warn("[require shim] unknown module: " + m); return {}; };',
-      '// Ensure process.stderr.fd exists for debug/supports-color',
-      'if (typeof process !== "undefined") { if (!process.stderr) process.stderr = { fd: 2, write: function(){} }; else if (process.stderr.fd === undefined) process.stderr.fd = 2; if (!process.stdout) process.stdout = { fd: 1, write: function(){} }; else if (process.stdout.fd === undefined) process.stdout.fd = 1; }',
-      '// Polyfill process.on/process.exit for modules that use them at init',
-      'if (typeof process !== "undefined" && !process.on) { process.on = function(){}; process.once = function(){}; process.off = function(){}; process.removeListener = function(){}; process.emit = function(){}; process.exit = function(){}; }',
-      '// CF Workers: defer timers called during global scope init until first request',
-      'var __deferredTimers = []; var __timersReady = false;',
-      'globalThis.__flushDeferredTimers = function() { if (__timersReady) return; __timersReady = true; var q = __deferredTimers; __deferredTimers = []; q.forEach(function(entry) { try { entry.fn.apply(null, entry.args); } catch(e) { console.error("deferred timer error:", e); } }); };',
-      'var _origSetTimeout = globalThis.setTimeout; globalThis.setTimeout = function() { if (!__timersReady) { var args = arguments; var fn = args[0]; __deferredTimers.push({fn: function(){ _origSetTimeout.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return 0; } }; } var id = _origSetTimeout.apply(this, arguments); if (typeof id === "number") { return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return id; } }; } if (id && !id.unref) id.unref = function(){}; return id; };',
-      'var _origSetInterval = globalThis.setInterval; globalThis.setInterval = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetInterval.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return 0; } }; } var id = _origSetInterval.apply(this, arguments); if (typeof id === "number") { return { unref: function(){}, ref: function(){}, [Symbol.toPrimitive]: function(){ return id; } }; } if (id && !id.unref) id.unref = function(){}; return id; };',
-      'var _origSetImmediate = globalThis.setImmediate; if (_origSetImmediate) { globalThis.setImmediate = function() { if (!__timersReady) { var args = arguments; __deferredTimers.push({fn: function(){ _origSetImmediate.apply(globalThis, args); }, args: []}); return { unref: function(){}, ref: function(){} }; } return _origSetImmediate.apply(this, arguments); }; } else { globalThis.setImmediate = function(fn) { if (!__timersReady) { __deferredTimers.push({fn: function(){ _origSetTimeout(fn, 0); }, args: []}); return { unref: function(){}, ref: function(){} }; } return _origSetTimeout(fn, 0); }; }',
-      'if (typeof process !== "undefined") { var _origNextTick = process.nextTick; if (_origNextTick) { process.nextTick = function() { if (!__timersReady) { var args = Array.prototype.slice.call(arguments); var fn = args.shift(); __deferredTimers.push({fn: function(){ _origNextTick.apply(process, [fn].concat(args)); }, args: []}); return; } return _origNextTick.apply(process, arguments); }; } else { process.nextTick = function(fn) { if (!__timersReady) { __deferredTimers.push({fn: function(){ _origSetTimeout(fn, 0); }, args: []}); return; } _origSetTimeout(fn, 0); }; } }',
-    ].join('\n'),
-  },
-  alias: {
-    // axios → lightweight fetch-based shim (115KB → ~2KB)
-    "axios": s("shims/axios-lite.ts"),
-
-    // node-fetch → native fetch (drops encoding/tr46/whatwg-url polyfill ~754KB
-    // pulled in by @apple/app-store-server-library; dead weight on CF Workers)
-    "node-fetch": s("shims/node-fetch.ts"),
-
-    // Stripe — wrap constructor to use fetch HTTP client in CF Workers
-    "stripe": s("shims/stripe-cf.ts"),
-    "__real_stripe__": require.resolve("stripe"),
-
-    // @ocap/message ships a patch.mjs that monkey-patches google-protobuf at
-    // module init. google-protobuf isn't available in CF Workers (no filesystem
-    // for createRequire to resolve), and Payment Kit doesn't use the features
-    // that patch touches. Replace with a noop so the import chain stays alive
-    // but the patch is skipped. Same for the rolldown_runtime helper that
-    // relies on createRequire(import.meta.url).
-    "@ocap/message/esm/patch.mjs": s("shims/noop.ts"),
-    "@ocap/message/esm/_virtual/rolldown_runtime.mjs": s("shims/noop.ts"),
-
-    "sequelize": s("shims/sequelize-d1/index.ts"),
-    "sqlite3": s("shims/noop.ts"),
-    "cls-hooked": s("shims/noop.ts"),
-    "express-async-errors": s("shims/noop.ts"),
-    "cors": s("shims/cors.ts"),
-    "cookie-parser": s("shims/cookie-parser.ts"),
-    "@blocklet/sdk/lib/middlewares/fallback": s("shims/blocklet-sdk/fallback.ts"),
-    "@blocklet/sdk/lib/middlewares/cdn": s("shims/blocklet-sdk/cdn.ts"),
-    "@blocklet/sdk/lib/middlewares/session": s("shims/blocklet-sdk/session.ts"),
-    "@blocklet/sdk/lib/middlewares": s("shims/blocklet-sdk/middlewares.ts"),
-    "@blocklet/sdk/lib/env": s("shims/blocklet-sdk/env.ts"),
-    "@blocklet/sdk/lib/config": s("shims/blocklet-sdk/config.ts"),
-    "@blocklet/sdk/lib/component": s("shims/blocklet-sdk/component.ts"),
-    "@blocklet/sdk/lib/wallet": s("shims/blocklet-sdk/wallet.ts"),
-    "@blocklet/sdk/lib/wallet-authenticator": s("shims/blocklet-sdk/wallet-authenticator.ts"),
-    "@blocklet/sdk/lib/wallet-handler": s("shims/blocklet-sdk/wallet-handler.ts"),
-    "@blocklet/sdk/lib/security": s("shims/blocklet-sdk/security.ts"),
-    "@blocklet/sdk/lib/util/verify-sign": s("shims/blocklet-sdk/verify-sign.ts"),
-    "@blocklet/sdk/lib/util/verify-session": s("shims/blocklet-sdk/verify-session.ts"),
-    "@blocklet/sdk/lib/util/component-api": s("shims/blocklet-sdk/component-api.ts"),
-    "@blocklet/sdk/lib/error-handler": s("shims/noop.ts"),
-    "@blocklet/sdk/lib/did": s("shims/blocklet-sdk/did.ts"),
-    "@blocklet/sdk/lib/types/notification": s("shims/noop.ts"),
-    "@blocklet/sdk/service/notification": s("shims/blocklet-sdk/notification.ts"),
-    "@blocklet/sdk/service/eventbus": s("shims/blocklet-sdk/eventbus.ts"),
-    "@blocklet/sdk/service/auth": s("shims/blocklet-sdk/auth-service.ts"),
-    "@blocklet/sdk/service/blocklet": s("shims/blocklet-sdk/auth-service.ts"),
-    "@blocklet/sdk": s("shims/blocklet-sdk/index.ts"),
-    "@blocklet/xss": s("shims/xss.ts"),
-    "@blocklet/error": s("shims/error.ts"),
-    "@blocklet/logger": s("shims/blocklet-sdk/logger.ts"),
-    "@blocklet/payment-vendor": s("shims/payment-vendor.ts"),
-    "@arcblock/did-connect-storage-nedb": s("shims/nedb-storage.ts"),
-    "@abtnode/cron": s("shims/cron.ts"),
-    "dotenv-flow": s("shims/noop.ts"),
-    "fastq": s("shims/fastq.ts"),
-
-    // Bundle size optimizations — lodash base import aliased to lodash-es for tree-shaking.
-    // Sub-path imports (lodash/camelCase etc.) handled by lodashSubpathPlugin below.
-    "lodash": "lodash-es",                   // 357KB CJS → tree-shakeable ESM
-    "esprima": s("shims/noop.ts"),           // 215KB — only used by @ocap/contract, not called in payment-kit
-    "mustache": s("shims/noop.ts"),          //  16KB — template engine, not used in payment-kit
-    "mime-types": s("shims/mime-types.ts"),   // 150KB — lightweight shim with common MIME types
-    "mime-db": s("shims/noop.ts"),
-    "ws": s("shims/ws-lite.ts"),             //  66KB — native WebSocket wrapper for CF Workers
-    "crypto-js": s("shims/crypto-js-warn.ts"),  // 115KB — AES legacy not used, warns if called
-    "crypto-js/aes": s("shims/crypto-js-warn.ts"),
-    "crypto-js/enc-base64": s("shims/noop.ts"),
-    "crypto-js/enc-hex": s("shims/noop.ts"),
-    "crypto-js/enc-latin1": s("shims/noop.ts"),
-    "crypto-js/enc-utf8": s("shims/noop.ts"),
-    "crypto-js/enc-utf16": s("shims/noop.ts"),
-
-    // Force ESM-only to avoid CJS+ESM double-bundling
-    "valibot": path.resolve(__dirname, "../../..", "node_modules/valibot/dist/index.mjs"), // 396KB → ~200KB
-    // CF Workers: noop modules not useful in Workers environment
-    "phoenix": s("shims/noop.ts"),                // 36KB — Phoenix channels, only used by @arcblock/ws
-    "numbro": s("shims/noop.ts"),                 // 49KB — number formatting, replaced inline in util.ts
-
-    // Node built-in shims (not fully supported in CF Workers nodejs_compat)
-    "os": s("shims/node-os.ts"),
-    "node:os": s("shims/node-os.ts"),
-    "tty": s("shims/node-tty.ts"),
-    "node:tty": s("shims/node-tty.ts"),
-    "http": s("shims/node-http.ts"),
-    "node:http": s("shims/node-http.ts"),
-    "https": s("shims/node-https.ts"),
-    "node:https": s("shims/node-https.ts"),
-    "http2": s("shims/node-http.ts"),
-    "node:http2": s("shims/node-http.ts"),
-    "net": s("shims/node-net.ts"),
-    "node:net": s("shims/node-net.ts"),
-    "tls": s("shims/node-misc.ts"),
-    "node:tls": s("shims/node-misc.ts"),
-    "fs": s("shims/node-fs.ts"),
-    "node:fs": s("shims/node-fs.ts"),
-    "cluster": s("shims/node-misc.ts"),
-    "node:cluster": s("shims/node-misc.ts"),
-    "zlib": s("shims/node-zlib.ts"),
-    "node:zlib": s("shims/node-zlib.ts"),
-    "child_process": s("shims/node-child-process.ts"),
-    "node:child_process": s("shims/node-child-process.ts"),
-    "bufferutil": s("shims/noop.ts"),
-    "utf-8-validate": s("shims/noop.ts"),
-    "dns": s("shims/noop.ts"),
-    "node:dns": s("shims/noop.ts"),
-    "pg": s("shims/noop.ts"),
-    "postgres": s("shims/noop.ts"),
-  },
-  logLevel: "warning",
-}).then(result => {
-  require('fs').writeFileSync(s('dist/meta.json'), JSON.stringify(result.metafile));
-  Object.entries(result.metafile.outputs).forEach(function(entry) {
-    var k = entry[0], v = entry[1];
-    if (k.indexOf(".map") === -1) {
-      console.log(k + ": " + (v.bytes / 1024).toFixed(1) + "KB");
+    console.log("BUILD SUCCESS");
+  })
+  .catch((err) => {
+    console.error("BUILD FAILED: " + (err.errors ? err.errors.length + " errors" : err.message));
+    if (err.errors) {
+      err.errors.slice(0, 20).forEach(function (e) {
+        var loc = e.location ? " at " + e.location.file + ":" + e.location.line : "";
+        console.error("  " + e.text + loc);
+      });
+      if (err.errors.length > 20) console.error("  ... and " + (err.errors.length - 20) + " more");
     }
+    process.exitCode = 1;
   });
-  console.log("BUILD SUCCESS");
-}).catch(err => {
-  console.error("BUILD FAILED: " + (err.errors ? err.errors.length + " errors" : err.message));
-  if (err.errors) {
-    err.errors.slice(0, 20).forEach(function(e) {
-      var loc = e.location ? " at " + e.location.file + ":" + e.location.line : "";
-      console.error("  " + e.text + loc);
-    });
-    if (err.errors.length > 20) console.error("  ... and " + (err.errors.length - 20) + " more");
-  }
-});

package/cloudflare/scripts/cf-package-import-probe.mjs

@@ -0,0 +1,90 @@
+// S3-CF Phase 2 命门 acceptance gate — the tiny-worker dynamic import probe.
+//
+// Builds a throwaway Worker whose ONLY payment touchpoint is
+//   import { createCloudflarePaymentAdapter } from "@arcblock/payment-service/cf";
+// and runs `wrangler deploy --dry-run` with a CLEAN wrangler config: NO alias, NO
+// define, NO external rules of its own — only `nodejs_compat`. If the published
+// `./cf` artifact is genuinely self-contained + re-bundleable, this succeeds. If
+// the consumer would need ANY alias/define/external, wrangler reports an unresolved
+// import and the probe fails (命门 RED → architecture §3 service-binding fallback).
+//
+//   node blocklets/core/cloudflare/scripts/cf-package-import-probe.mjs
+//
+// Reproducible: a fixed temp dir, the local payment-core symlinked as
+// @arcblock/payment-service so the package `exports` map ("./cf" → dist/cf.js) is
+// what resolves — exactly what arc sees from the published tarball.
+
+import { mkdirSync, writeFileSync, rmSync, symlinkSync, existsSync } from 'fs';
+import { dirname, join, resolve } from 'path';
+import { fileURLToPath } from 'url';
+import { execFileSync } from 'child_process';
+import { tmpdir } from 'os';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const paymentCoreDir = resolve(here, '../../../../packages/payment-core');
+const cfDist = join(paymentCoreDir, 'dist', 'cf.js');
+
+if (!existsSync(cfDist)) {
+  console.error(`probe RED — ${cfDist} missing. Run \`node packages/payment-core/build-cf.mjs\` first.`);
+  process.exit(1);
+}
+
+const probeDir = join(tmpdir(), 'cf-import-probe');
+rmSync(probeDir, { recursive: true, force: true });
+mkdirSync(join(probeDir, 'src'), { recursive: true });
+mkdirSync(join(probeDir, 'node_modules', '@arcblock'), { recursive: true });
+
+// Symlink the local payment-core as @arcblock/payment-service so the import
+// resolves through the real package `exports` map — NOT a bypass path.
+symlinkSync(paymentCoreDir, join(probeDir, 'node_modules', '@arcblock', 'payment-service'), 'dir');
+
+// The tiny worker. Reference the imported symbol so esbuild can't tree-shake the
+// import away (the whole point is to force the ./cf graph into the bundle).
+writeFileSync(
+  join(probeDir, 'src', 'index.ts'),
+  `import { createCloudflarePaymentAdapter, PAYMENT_PREFIX } from "@arcblock/payment-service/cf";
+export default {
+  async fetch() {
+    // touch the import so it is retained; never actually called in --dry-run
+    if (typeof createCloudflarePaymentAdapter !== "function") throw new Error("not a function");
+    return new Response("ok:" + PAYMENT_PREFIX);
+  },
+};
+`,
+);
+
+// CLEAN wrangler config — the load-bearing part of the gate: zero alias / zero
+// define / zero external rules. Only nodejs_compat (a platform flag every Workers
+// host sets), the same the standalone worker uses.
+writeFileSync(
+  join(probeDir, 'wrangler.jsonc'),
+  JSON.stringify(
+    {
+      name: 'cf-import-probe',
+      main: 'src/index.ts',
+      compatibility_date: '2026-01-01',
+      compatibility_flags: ['nodejs_compat'],
+    },
+    null,
+    2,
+  ),
+);
+
+writeFileSync(join(probeDir, 'package.json'), JSON.stringify({ name: 'cf-import-probe', private: true }, null, 2));
+
+const outDir = join(probeDir, 'out');
+console.log(`[probe] wrangler deploy --dry-run in ${probeDir} (clean config: nodejs_compat only)`);
+try {
+  const stdout = execFileSync(
+    'npx',
+    ['wrangler', 'deploy', '--dry-run', '--outdir', outDir],
+    { cwd: probeDir, encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] },
+  );
+  console.log(stdout);
+  console.log('\n命门 GREEN — tiny worker built + dry-run deployed with ZERO consumer-side alias/define/external ✓');
+} catch (err) {
+  console.error('\n命门 RED — tiny worker dry-run FAILED. Consumer would need alias/define/external:');
+  console.error(err.stdout || '');
+  console.error(err.stderr || err.message);
+  process.exit(1);
+}

package/cloudflare/scripts/didconnect-mock-smoke.mjs

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+/**
+ * S3-CF (DID convergence) — local mock-AUTH_SERVICE smoke (TEST HARNESS ONLY).
+ *
+ * Runs the REAL built worker (dist/worker.js) in Miniflare with a MOCK AUTH_SERVICE
+ * that implements the production RPC contract (getInstanceAppIdentity) returning a
+ * deterministic TEST-ONLY appSk — no real secret, never in prod/wrangler config.
+ *
+ * The smoke goes through the REAL path (no handler/authenticator bypass):
+ *   Host → tenant context → CF IdentityDriver → AUTH_SERVICE.getInstanceAppIdentity
+ *   → resolveTenantIdentity → real @arcblock/did-connect-js authenticator
+ *   → core buildConnectRoutesHono → tokenStorage.create (CF D1).
+ *
+ * Asserts the locally-verifiable integration facts:
+ *   - /api/did/<action>/token is registered (not 404) and, WITH the mock, no longer
+ *     fail-closes on getInstanceAppIdentity (the mock RPC is reached + appSk used);
+ *   - a token row lands in the CF D1 _did_connect_tokens table, stamped with the
+ *     tenant instanceDid.
+ * (The full wallet scan/auth handshake against a REAL AUTH_SERVICE stays a
+ * deploy/staging gate — see cloudflare/README.md.)
+ *
+ *   node scripts/didconnect-mock-smoke.mjs
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { Miniflare } from "miniflare";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const cfDir = join(__dirname, "..");
+const workerPath = join(cfDir, "dist", "worker.js");
+
+if (!existsSync(workerPath)) {
+  console.error(`mock-smoke: ${workerPath} not found — run \`node run-build.js\` first.`);
+  process.exit(2);
+}
+
+// Deterministic TEST-ONLY app signing key (ROLE_APPLICATION/ED25519/SHA3). NOT a
+// real secret — generated once for the harness; isolation uses a second key.
+const TEST_APP_SK =
+  "0xe86ad1043f2de80374ea9eb2ca5a0cdf0111126804cfb128e9e658cc44ae47694497dddaacf925929a19e8bc84a5059569983f307a4c67a694cca79c2001e634";
+const INSTANCE_DID = "zMOCK_APP_INSTANCE";
+
+const mockAuthScript = `
+  import { WorkerEntrypoint } from 'cloudflare:workers';
+  // Mock of the did-connect-service@4.0.3 AUTH_SERVICE RPC surface used on the DID path.
+  export class MockAuth extends WorkerEntrypoint {
+    async getInstanceAppIdentity(instanceDid) {
+      return { appSk: ${JSON.stringify(TEST_APP_SK)}, appInfo: { name: 'Mock Tenant', description: 'mock', icon: 'https://x/i.png' } };
+    }
+    async resolveInstanceDidForHost(host) { return null; }
+    async getAppEk(instanceDid) { return null; }
+    async resolveIdentity() { return null; }
+  }
+  export default { fetch() { return new Response('mock-auth'); } };
+`;
+
+const mf = new Miniflare({
+  workers: [
+    {
+      name: "payment",
+      modules: true,
+      modulesRoot: join(cfDir, "dist"),
+      scriptPath: workerPath,
+      compatibilityDate: "2024-12-01",
+      compatibilityFlags: ["nodejs_compat"],
+      d1Databases: { DB: "payment-mock-smoke" },
+      serviceBindings: { AUTH_SERVICE: { name: "mock-auth", entrypoint: "MockAuth" } },
+      bindings: {
+        APP_NAME: "Payment Kit",
+        APP_PID: INSTANCE_DID,
+        APP_URL: "http://localhost",
+        PAYMENT_LIVEMODE: "false",
+      },
+    },
+    {
+      name: "mock-auth",
+      modules: true,
+      script: mockAuthScript,
+      compatibilityDate: "2024-12-01",
+      compatibilityFlags: ["nodejs_compat"],
+    },
+  ],
+});
+
+let failed = false;
+const log = (...a) => console.log(...a);
+
+try {
+  const db = await mf.getD1Database("DB", "payment");
+  await db.exec(
+    "CREATE TABLE IF NOT EXISTS _did_connect_tokens (token TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)",
+  );
+
+  // 1) healthz
+  const health = await mf.dispatchFetch("http://localhost/api/healthz");
+  log("=== healthz ===", health.status, await health.text());
+
+  // 2) /api/did/payment/token through the mock AUTH_SERVICE
+  const res = await mf.dispatchFetch("http://localhost/api/did/payment/token", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: "{}",
+  });
+  const body = await res.text();
+  log("=== POST /api/did/payment/token ===", res.status);
+  log(body.slice(0, 800));
+
+  if (body.includes("getInstanceAppIdentity unavailable")) {
+    console.error("FAIL: still fail-closed — the mock AUTH_SERVICE RPC was not reached");
+    failed = true;
+  } else {
+    log("PASS: past the fail-closed gate — mock getInstanceAppIdentity reached + appSk resolved");
+  }
+
+  // 3) a token row landed in D1, stamped with the tenant instanceDid
+  const { results } = await db.prepare("SELECT token, data FROM _did_connect_tokens").all();
+  log("=== _did_connect_tokens rows ===", JSON.stringify(results, null, 2));
+  const tagged = (results || []).some((r) => {
+    try {
+      return JSON.parse(r.data).instanceDid === INSTANCE_DID;
+    } catch {
+      return false;
+    }
+  });
+  if (tagged) {
+    log(`PASS: a token row is stamped with instanceDid=${INSTANCE_DID}`);
+  } else {
+    console.error("FAIL: no token row stamped with the tenant instanceDid");
+    failed = true;
+  }
+} catch (err) {
+  console.error("mock-smoke error:", err?.stack || err?.message || err);
+  failed = true;
+} finally {
+  await mf.dispose();
+}
+
+process.exit(failed ? 1 : 0);

package/cloudflare/shims/blocklet-sdk/wallet-authenticator.ts

@@ -1,3 +1,18 @@
+// CF FAIL-FAST shim for @blocklet/sdk/lib/wallet-authenticator.
+//
+// S3-CF (DID convergence): see wallet-handler.ts. On workerd the @blocklet/sdk
+// WalletAuthenticator is a no-op — it cannot sign DID-Connect sessions/certs. CF
+// (and arc-node embedded) MUST inject the real @arcblock/did-connect-js runtime.
+// Throw on construct so a host that forgot to inject fails loudly instead of
+// producing an authenticator that silently signs nothing.
+const FORBIDDEN =
+  'CF must inject a DID-Connect runtime via setDidConnectRuntime(createCloudflareDidConnectRuntime); ' +
+  'the @blocklet/sdk wallet-authenticator shim is forbidden on workerd';
+
 export class WalletAuthenticator {
-  constructor(_opts?: any) {}
+  constructor(_opts?: any) {
+    throw new Error(`[did-connect] WalletAuthenticator: ${FORBIDDEN}`);
+  }
 }
+
+export default { WalletAuthenticator };