From 236dcd893064baeebecca0aeb70f5cabd475aff5 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 21:48:21 +0800
Subject: [PATCH 01/21] feat: add Cloudflare Workers deployment for Media Kit

Migrate Media Kit from Blocklet Server (Express + SQLite + local disk) to
Cloudflare Workers (Hono + D1 + R2), enabling edge deployment with zero
server maintenance.

Backend (cloudflare/src/):
- Hono API server with full upload/folder/serve/status routes
- Presigned URL upload flow with multipart support
- R2 file storage with MD5 content dedup
- D1 database with Drizzle ORM
- AIGNE Hub proxy for AI Image generation
- SPA fallback for client-side routing

Frontend (cloudflare/frontend/):
- Reuses original blocklets/image-bin/src/ via Vite aliases
- Shim layer replaces @blocklet/* and @arcblock/* SDK dependencies
- window.blocklet injected in index.html for module-level access
- path-browserify polyfill for browser compatibility

Shared code changes (backward compatible):
- uploader: support both URL and base64 for AI Image results
- uploader: add presigned-upload Uppy plugin
- uploader: add .catch() for AI Image URL fetch

Deployed at: https://media-kit.yexiaofang.workers.dev

TODO:
- Replace x-user-did auth with CF auth SDK (shijun)
- Restrict CORS origin after auth is ready
- Production: use S3 CopyObject instead of R2 binding get+put for large files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/.gitignore                         |   16 +
 cloudflare/README.md                          |  221 ++
 cloudflare/docs/CHANGES.md                    |  266 ++
 cloudflare/docs/MIGRATION-PLAN.md             | 1319 ++++++++
 cloudflare/docs/MIGRATION-REPORT.md           |  277 ++
 cloudflare/drizzle.config.ts                  |    7 +
 cloudflare/frontend/index.html                |   48 +
 cloudflare/frontend/package.json              |   67 +
 cloudflare/frontend/src/App.tsx               |  143 +
 cloudflare/frontend/src/api.ts                |   14 +
 .../frontend/src/components/FolderList.tsx    |   89 +
 .../frontend/src/components/ImageGrid.tsx     |  128 +
 .../frontend/src/components/UploadButton.tsx  |   67 +
 cloudflare/frontend/src/main.tsx              |    7 +
 .../frontend/src/plugins/presigned-upload.ts  |  127 +
 cloudflare/frontend/src/shims/arcblock-did.ts |    8 +
 cloudflare/frontend/src/shims/arcblock-ux.tsx |  184 ++
 .../frontend/src/shims/blocklet-js-sdk.ts     |   11 +
 .../src/shims/blocklet-ui-react-dashboard.tsx |   36 +
 .../src/shims/blocklet-ui-react-footer.tsx    |   14 +
 .../src/shims/blocklet-ui-react-header.tsx    |   20 +
 .../frontend/src/shims/blocklet-ui-react.tsx  |   18 +
 .../src/shims/did-connect-react-button.tsx    |   13 +
 .../src/shims/did-connect-react-session.tsx   |   42 +
 cloudflare/frontend/src/shims/ux-button.tsx   |    1 +
 cloudflare/frontend/src/shims/ux-center.tsx   |    1 +
 cloudflare/frontend/src/shims/ux-config.tsx   |    1 +
 cloudflare/frontend/src/shims/ux-dialog.tsx   |    1 +
 cloudflare/frontend/src/shims/ux-empty.tsx    |    1 +
 .../frontend/src/shims/ux-locale-context.tsx  |    1 +
 cloudflare/frontend/src/shims/ux-result.tsx   |    1 +
 .../frontend/src/shims/ux-split-button.tsx    |    1 +
 cloudflare/frontend/src/shims/ux-toast.tsx    |    1 +
 .../frontend/src/shims/ux-with-tracker.tsx    |    1 +
 cloudflare/frontend/tsconfig.json             |   16 +
 cloudflare/frontend/vite.config.ts            |   72 +
 cloudflare/migrations/0001_initial.sql        |   58 +
 cloudflare/package.json                       |   33 +
 cloudflare/pnpm-lock.yaml                     | 2812 +++++++++++++++++
 cloudflare/scripts/migrate-data.ts            |  140 +
 cloudflare/src/__tests__/utils.test.ts        |   84 +
 .../src/__tests__/worker.integration.ts       |   90 +
 cloudflare/src/db/schema.ts                   |   56 +
 cloudflare/src/middleware/auth.ts             |   32 +
 cloudflare/src/routes/cleanup.ts              |   49 +
 cloudflare/src/routes/folders.ts              |   77 +
 cloudflare/src/routes/serve.ts                |   68 +
 cloudflare/src/routes/status.ts               |   29 +
 cloudflare/src/routes/unsplash.ts             |  115 +
 cloudflare/src/routes/upload.ts               |  725 +++++
 cloudflare/src/types.ts                       |   84 +
 cloudflare/src/utils/hash.ts                  |  128 +
 cloudflare/src/utils/s3.ts                    |  173 +
 cloudflare/src/worker.ts                      |  118 +
 cloudflare/tsconfig.json                      |   23 +
 cloudflare/vitest.config.ts                   |    7 +
 cloudflare/wrangler.toml                      |   45 +
 .../ai-image/show-panel/output/index.tsx      |    6 +-
 .../src/react/plugins/presigned-upload.ts     |  291 ++
 packages/uploader/src/react/uploader.tsx      |  335 +-
 pnpm-lock.yaml                                |  377 ++-
 61 files changed, 9054 insertions(+), 141 deletions(-)
 create mode 100644 cloudflare/.gitignore
 create mode 100644 cloudflare/README.md
 create mode 100644 cloudflare/docs/CHANGES.md
 create mode 100644 cloudflare/docs/MIGRATION-PLAN.md
 create mode 100644 cloudflare/docs/MIGRATION-REPORT.md
 create mode 100644 cloudflare/drizzle.config.ts
 create mode 100644 cloudflare/frontend/index.html
 create mode 100644 cloudflare/frontend/package.json
 create mode 100644 cloudflare/frontend/src/App.tsx
 create mode 100644 cloudflare/frontend/src/api.ts
 create mode 100644 cloudflare/frontend/src/components/FolderList.tsx
 create mode 100644 cloudflare/frontend/src/components/ImageGrid.tsx
 create mode 100644 cloudflare/frontend/src/components/UploadButton.tsx
 create mode 100644 cloudflare/frontend/src/main.tsx
 create mode 100644 cloudflare/frontend/src/plugins/presigned-upload.ts
 create mode 100644 cloudflare/frontend/src/shims/arcblock-did.ts
 create mode 100644 cloudflare/frontend/src/shims/arcblock-ux.tsx
 create mode 100644 cloudflare/frontend/src/shims/blocklet-js-sdk.ts
 create mode 100644 cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx
 create mode 100644 cloudflare/frontend/src/shims/blocklet-ui-react-footer.tsx
 create mode 100644 cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx
 create mode 100644 cloudflare/frontend/src/shims/blocklet-ui-react.tsx
 create mode 100644 cloudflare/frontend/src/shims/did-connect-react-button.tsx
 create mode 100644 cloudflare/frontend/src/shims/did-connect-react-session.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-button.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-center.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-config.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-dialog.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-empty.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-locale-context.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-result.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-split-button.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-toast.tsx
 create mode 100644 cloudflare/frontend/src/shims/ux-with-tracker.tsx
 create mode 100644 cloudflare/frontend/tsconfig.json
 create mode 100644 cloudflare/frontend/vite.config.ts
 create mode 100644 cloudflare/migrations/0001_initial.sql
 create mode 100644 cloudflare/package.json
 create mode 100644 cloudflare/pnpm-lock.yaml
 create mode 100644 cloudflare/scripts/migrate-data.ts
 create mode 100644 cloudflare/src/__tests__/utils.test.ts
 create mode 100644 cloudflare/src/__tests__/worker.integration.ts
 create mode 100644 cloudflare/src/db/schema.ts
 create mode 100644 cloudflare/src/middleware/auth.ts
 create mode 100644 cloudflare/src/routes/cleanup.ts
 create mode 100644 cloudflare/src/routes/folders.ts
 create mode 100644 cloudflare/src/routes/serve.ts
 create mode 100644 cloudflare/src/routes/status.ts
 create mode 100644 cloudflare/src/routes/unsplash.ts
 create mode 100644 cloudflare/src/routes/upload.ts
 create mode 100644 cloudflare/src/types.ts
 create mode 100644 cloudflare/src/utils/hash.ts
 create mode 100644 cloudflare/src/utils/s3.ts
 create mode 100644 cloudflare/src/worker.ts
 create mode 100644 cloudflare/tsconfig.json
 create mode 100644 cloudflare/vitest.config.ts
 create mode 100644 cloudflare/wrangler.toml
 create mode 100644 packages/uploader/src/react/plugins/presigned-upload.ts

diff --git a/cloudflare/.gitignore b/cloudflare/.gitignore
new file mode 100644
index 0000000..b12db96
--- /dev/null
+++ b/cloudflare/.gitignore
@@ -0,0 +1,16 @@
+# Dependencies
+node_modules/
+
+# Build output
+public/
+
+# Wrangler
+.wrangler/
+.dev.vars
+
+# Frontend
+frontend/node_modules/
+frontend/node_modules/.vite/
+
+# OS
+.DS_Store
diff --git a/cloudflare/README.md b/cloudflare/README.md
new file mode 100644
index 0000000..21704d1
--- /dev/null
+++ b/cloudflare/README.md
@@ -0,0 +1,221 @@
+# Media Kit — Cloudflare Workers 部署指南
+
+## 前置条件
+
+- Node.js >= 18
+- pnpm
+- Cloudflare 账号（免费即可）
+- Wrangler CLI：`npm install -g wrangler`
+
+## 一次性初始化（首次部署）
+
+### 1. 登录 Cloudflare
+
+```bash
+wrangler login
+```
+
+### 2. 创建 D1 数据库
+
+```bash
+wrangler d1 create media-kit-db
+```
+
+输出中的 `database_id` 填入 `wrangler.toml` 第 20 行。
+
+### 3. 创建 R2 Bucket
+
+先在 Dashboard 激活 R2 服务（R2 → 激活），然后：
+
+```bash
+wrangler r2 bucket create media-kit-uploads
+```
+
+### 4. 配置 R2 CORS
+
+Dashboard → R2 → media-kit-uploads → 设置 → CORS 策略，添加：
+
+```json
+[
+  {
+    "AllowedOrigins": ["https://your-domain.com"],
+    "AllowedMethods": ["GET", "PUT", "HEAD"],
+    "AllowedHeaders": ["Content-Type"],
+    "MaxAgeSeconds": 86400
+  }
+]
+```
+
+`AllowedOrigins` 填实际部署的域名。
+
+### 5. 生成 R2 API Token
+
+Dashboard → R2 → 管理 R2 API 令牌 → 创建 API 令牌：
+- 权限：对象读和写
+- Bucket：media-kit-uploads
+- 记录 `Access Key ID` 和 `Secret Access Key`
+
+### 6. 配置 Secrets
+
+```bash
+cd cloudflare
+
+# R2 凭证
+wrangler secret put R2_ACCESS_KEY_ID
+wrangler secret put R2_SECRET_ACCESS_KEY
+
+# Cloudflare Account ID（Dashboard 右侧边栏可见）
+wrangler secret put CF_ACCOUNT_ID
+
+# AIGNE Hub API Key（AI Image 功能需要）
+wrangler secret put AIGNE_HUB_API_KEY
+
+# 可选：Unsplash API
+wrangler secret put UNSPLASH_KEY
+wrangler secret put UNSPLASH_SECRET
+```
+
+### 7. 应用数据库迁移
+
+```bash
+wrangler d1 migrations apply media-kit-db --remote
+```
+
+## 部署
+
+```bash
+cd cloudflare
+
+# 构建前端 + 部署 Worker
+npm run deploy
+```
+
+等价于：
+```bash
+cd frontend && npx vite build   # 构建前端到 public/
+cd .. && wrangler deploy         # 部署 Worker + 静态资源
+```
+
+部署后访问 `https://media-kit.<your-subdomain>.workers.dev`
+
+## 数据迁移（从 Blocklet Server 迁移）
+
+如果需要从现有 Blocklet Server 迁移数据：
+
+### 1. 迁移文件（本地磁盘/S3 → R2）
+
+```bash
+# 使用 rclone 同步文件
+rclone sync /path/to/blocklet/uploads r2:media-kit-uploads/
+
+# 如果源是 S3
+rclone sync s3:old-bucket r2:media-kit-uploads/
+```
+
+### 2. 迁移数据库（SQLite → D1）
+
+```bash
+cd cloudflare
+
+# 先试运行看数据量
+npx tsx scripts/migrate-data.ts --source /path/to/media-kit.db --dry-run
+
+# 正式迁移
+npx tsx scripts/migrate-data.ts --source /path/to/media-kit.db --d1-name media-kit-db
+```
+
+### 3. 切换 DNS
+
+确认迁移数据完整后，将域名 DNS 指向 Cloudflare Workers。
+
+## CI/CD 集成
+
+GitHub Actions 示例：
+
+```yaml
+name: Deploy Media Kit
+on:
+  push:
+    branches: [main]
+    paths: ['cloudflare/**']
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: npm install -g pnpm
+      - run: cd cloudflare/frontend && pnpm install && npx vite build
+      - run: cd cloudflare && npx wrangler deploy
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+```
+
+在 GitHub repo Settings → Secrets 里添加 `CF_API_TOKEN`（Dashboard → My Profile → API Tokens → Create Token）。
+
+## 本地开发
+
+```bash
+cd cloudflare
+
+# 创建 .dev.vars 文件
+cat > .dev.vars << 'EOF'
+ENVIRONMENT=development
+R2_ACCESS_KEY_ID=your-key
+R2_SECRET_ACCESS_KEY=your-secret
+CF_ACCOUNT_ID=your-account-id
+AIGNE_HUB_API_KEY=your-aigne-key
+EOF
+
+# 初始化本地数据库
+npm run db:migrate:local
+
+# 启动 Worker（终端 1）
+npm run dev
+
+# 启动前端开发服务器（终端 2）
+cd frontend && npx vite --port 3030
+```
+
+## 架构说明
+
+```
+cloudflare/
+  src/                    # CF Worker 后端（Hono + D1 + R2）
+    worker.ts             # 入口：路由 + AIGNE Hub 代理
+    routes/
+      upload.ts           # 上传：presign / proxy-put / direct / confirm
+      serve.ts            # 文件服务：R2 → 响应（生产用 cf.image）
+      folders.ts          # 文件夹 CRUD
+      status.ts           # Uploader 配置
+      unsplash.ts         # Unsplash 代理
+      cleanup.ts          # 定时清理过期 session
+    middleware/auth.ts     # x-user-did 认证
+    db/schema.ts           # Drizzle ORM 表定义
+    utils/
+      s3.ts               # R2 S3 兼容 API（presigned URL、multipart）
+      hash.ts             # MD5 哈希、MIME 检测、SVG 净化
+  frontend/               # 前端构建配置
+    vite.config.ts         # Alias 指向原版源码 + shim
+    src/shims/             # Blocklet SDK 替代实现
+    index.html             # window.blocklet 注入
+  public/                  # vite build 产物（Worker 静态资源）
+  wrangler.toml            # CF Workers 配置
+  migrations/              # D1 数据库迁移
+  scripts/migrate-data.ts  # SQLite → D1 迁移脚本
+```
+
+前端源码复用 `blocklets/image-bin/src/`，通过 Vite alias 将 `@blocklet/*` 和 `@arcblock/*` 依赖替换为 `frontend/src/shims/` 中的轻量实现。
+
+## 环境差异
+
+| 特性 | 本地开发 | 线上 |
+|------|---------|------|
+| R2 存储 | miniflare 本地模拟 | 真实 R2 |
+| D1 数据库 | 本地 SQLite | 真实 D1 |
+| Presigned URL | proxy-put 代理（避免 CORS） | 直传 R2（需配 CORS） |
+| 文件服务 | R2 binding 直接读取 | cf.image EXIF 剥离 + 自动 WebP |
+| 图片生成 | 代理到 hub.aigne.io | 代理到 hub.aigne.io |
diff --git a/cloudflare/docs/CHANGES.md b/cloudflare/docs/CHANGES.md
new file mode 100644
index 0000000..bc8d3e4
--- /dev/null
+++ b/cloudflare/docs/CHANGES.md
@@ -0,0 +1,266 @@
+# Media Kit — Cloudflare Workers 迁移改动总结
+
+## 一、背景
+
+### 项目现状
+
+Media Kit 是 ArcBlock 的媒体文件管理组件，核心包括：
+
+- **Blocklet 后端** (`blocklets/image-bin/`)：Node.js + Express + Sequelize + 本地存储，使用 TUS 协议处理文件上传
+- **前端上传组件** (`packages/uploader/`)：基于 Uppy 的 `<Uploader />` React 组件，被多个业务方（消费者）通过 `onUploadFinish={(result) => doSomething(result.data)}` 使用
+- **Cloudflare Worker** (`cloudflare/`)：一个独立的 CF Worker 实现（Hono + D1 + R2），使用 presigned URL 上传协议
+
+### 问题
+
+1. **前端只支持 TUS**：`@blocklet/uploader` 的上传逻辑硬编码了 TUS 协议（`@uppy/tus` 插件），无法对接 CF Worker 的 presigned URL 上传
+2. **CF Worker 有残留依赖**：之前尝试过 adapter pattern 方案（引入 `@blocklet/media-kit-core` 共享包），后来方案废弃，但 CF Worker 代码中仍残留了对 `@blocklet/media-kit-core` 的依赖和 adapters 目录，而该包已不存在，导致 CF Worker 无法编译
+3. **响应格式不一致**：CF Worker 的 confirm 端点返回 `{ id, created_at }` 等字段，而 Blocklet 端返回 `{ _id, createdAt }` 格式，消费者代码依赖后者
+
+### 已废弃的方案
+
+之前考虑过 adapter pattern（引入 `@blocklet/media-kit-core` 包，定义 `IDatabaseAdapter` / `IStorageAdapter` / `IConfigAdapter` 接口，让 Blocklet 和 CF Worker 共享 ~145 行业务逻辑）。该方案因过度抽象被废弃：共享逻辑量太少，不值得引入新包和接口层。
+
+### 新方案原则
+
+- **Blocklet 代码不动**：零改动，零风险
+- **CF Worker 保持独立实现**：不引入共享包，直接内联 Drizzle 查询
+- **前端最小改动**：只加 presigned 模式的条件分支
+- **消费者零感知**：`result.data` 结构在两种模式下完全一致
+
+---
+
+## 二、改动清单
+
+### 文件总览
+
+| 文件 | 操作 | 行数 | 说明 |
+|------|------|------|------|
+| `cloudflare/src/adapters/` | **DELETE** | -4 files | 删除废弃的 adapter pattern 残留 |
+| `cloudflare/package.json` | MODIFY | -1 行 | 移除 `@blocklet/media-kit-core` 依赖 |
+| `cloudflare/src/types.ts` | MODIFY | ~10 行 | ConfirmResponse 字段对齐 |
+| `cloudflare/src/routes/upload.ts` | **REWRITE** | 587 行 | 内联 list/delete/update + 修复 confirm 格式 + 修复 R2 流处理 bug |
+| `cloudflare/src/routes/status.ts` | **REWRITE** | 29 行 | 内联 + 加 `uploadMode: 'presigned'` |
+| `cloudflare/src/routes/folders.ts` | **REWRITE** | 77 行 | 内联 + 加 GET 端点 |
+| `packages/uploader/src/react/plugins/presigned-upload.ts` | **CREATE** | 291 行 | Uppy 自定义上传插件 |
+| `packages/uploader/src/react/uploader.tsx` | MODIFY | +39 行 | 条件分支：TUS / presigned |
+
+### 未改动的文件
+
+| 文件 | 原因 |
+|------|------|
+| `blocklets/image-bin/` | 完全不动，Blocklet 上传逻辑不受影响 |
+| `packages/media-kit-core/` | 不创建此包（方案已废弃） |
+| `pnpm-workspace.yaml` | cloudflare 是独立部署，不需加入 workspace |
+
+---
+
+## 三、详细改动说明
+
+### 3.1 清理 CF Worker adapter 残留
+
+**为什么**：之前 adapter pattern 方案废弃后，`cloudflare/src/adapters/` 目录和 `@blocklet/media-kit-core` 依赖残留在代码里。`media-kit-core` 包已被删除，导致 CF Worker 无法编译。
+
+**做了什么**：
+- 删除 `cloudflare/src/adapters/` 整个目录（`index.ts`、`database.ts`、`storage.ts`、`config.ts`）
+- 从 `cloudflare/package.json` 移除 `"@blocklet/media-kit-core": "workspace:^"` 依赖
+- 所有路由文件移除对 adapters 和 media-kit-core 的 import
+
+### 3.2 CF Worker 路由内联重写
+
+**为什么**：原来的 `GET /uploads`、`DELETE /uploads/:id`、`PUT /uploads/:id` 通过 adapter 调用 `media-kit-core` 的 handler 函数。包删除后需要用内联 Drizzle 查询替代。
+
+#### upload.ts — 内联 list/delete/update
+
+**GET /uploads**（列表）：
+- 直接查 D1 `uploads` 表，支持分页 (`page`/`pageSize`)
+- 权限控制：admin 可看所有，member 只能看自己的
+- 支持 `folderId` 和 `tag` 过滤
+- 查询 `uploadTags` 表获取每个文件的 tags
+- 返回格式使用 `_id` 字段名（与 Blocklet Sequelize 记录一致）
+
+**DELETE /uploads/:id**（删除）：
+- Admin only（通过 `isAdminMiddleware`）
+- 引用计数：同一个 `filename` 可能被多条记录引用（dedup），只有最后一条引用删除时才删 R2 文件
+- 同时删除关联的 `uploadTags` 记录
+
+**PUT /uploads/:id**（移动到文件夹）：
+- Admin only
+- 更新 `folderId` 和 `updatedAt`
+- 返回更新后的完整记录
+
+#### status.ts — 内联 + uploadMode
+
+**GET /uploader/status**：
+- 从环境变量读取配置（`ALLOWED_FILE_TYPES`、`MAX_UPLOAD_SIZE`、`UNSPLASH_KEY`、`USE_AI_IMAGE`）
+- 返回 `restrictions`、`availablePluginMap`
+- **新增 `uploadMode: 'presigned'`** — 前端据此选择上传协议
+
+#### folders.ts — 内联 + 新增 GET
+
+**POST /folders**（创建）：
+- Admin only，幂等（同名 folder 返回已有记录）
+- 返回 `_id` 格式
+
+**GET /folders**（列表，新增）：
+- 返回所有 folders，按创建时间倒序
+
+### 3.3 CF Worker 响应格式对齐
+
+**为什么**：消费者代码依赖 `result.data._id`、`result.data.createdAt` 等字段。CF Worker 之前返回 `id`、`created_at`，与 Blocklet 的 Sequelize 记录不一致。
+
+**做了什么**：
+
+`ConfirmResponse` 类型从：
+```typescript
+{ id, filename, originalname, mimetype, size, url, created_at, hashFileName }
+```
+改为：
+```typescript
+{ _id, filename, originalname, mimetype, size, url, createdAt, createdBy, tags }
+```
+
+confirm 端点的两个分支（dedup shortcut 和正常 confirm）都按新格式返回。list 和 update 端点也统一使用 `_id` 字段名。
+
+### 3.4 修复 R2 流处理 bug（confirm 流程）
+
+**为什么**：原始代码（迁移前就存在）在 confirm 流程中有 R2 body 流处理缺陷：
+
+1. **double GET**：第 224 行做完整 GET（拿到 body stream），第 230 行又做 range GET（取 4KB header）。两次网络 I/O 读同一对象，浪费资源
+2. **SVG 流耗尽**：对 SVG 文件调用 `r2Object.text()` 消耗了整个 body stream，之后 `streamMD5(r2Object.body)` 读到空流，MD5 结果错误
+3. **size 比较误判**：content dedup 时用 `existingObject.size === session.totalSize` 判断是否需要 copy，但这不是内容相等的充分条件
+
+**做了什么**：
+- 分离 range GET（仅用于 MIME 检测）和 full GET（用于 SVG/hash）
+- SVG 处理后始终重新 GET 获取 fresh stream 做 MD5
+- content dedup 简化：MD5 key 匹配即视为内容相同，不再比较 size
+
+### 3.5 创建 PresignedUpload Uppy 插件
+
+**为什么**：CF Worker 不支持 TUS 协议（TUS 需要有状态的服务端 session，CF Workers 是无状态的）。CF Worker 使用 presigned URL 协议：客户端获取签名 URL 后直传文件到 R2，再调用 confirm 端点确认。需要一个 Uppy 自定义插件实现此协议。
+
+**文件**：`packages/uploader/src/react/plugins/presigned-upload.ts`（291 行）
+
+**实现细节**：
+
+继承 `@uppy/core` 的 `BasePlugin`，在 `install()` 中通过 `addUploader()` 注册上传函数。
+
+**上传流程**：
+
+```
+1. POST /uploads/check     → 按 size+ext 去重检查
+   ↓ exists=true → 跳到 4（clone）
+   ↓ exists=false → 继续
+
+2. POST /uploads/presign   → 获取 presigned URL
+   ↓ multipart=false → 单次直传
+   ↓ multipart=true  → 分片上传
+
+3a. PUT presignedUrl        → XHR 直传（带进度上报）
+3b. 分片上传：
+    for each part:
+      POST /uploads/multipart/part-url → 获取分片 URL
+      PUT partUrl → 上传分片
+    POST /uploads/multipart/complete   → 组装分片
+
+4. POST /uploads/confirm   → 确认上传，获取 upload record
+```
+
+**关键设计**：
+
+- **进度上报**：直传使用 XHR `upload.onprogress`，分片使用累计已上传字节
+- **错误处理**：单个文件失败 emit `upload-error`，不阻塞其他文件。分片上传失败时自动调用 `POST /uploads/multipart/abort` 清理 R2 未完成的 multipart session
+- **事件兼容**：完成后 emit `upload-success` 事件，携带 `body: confirmData`，由 `uploader.tsx` 的监听器统一调用 `_onUploadFinish` 和 `emitUploadSuccess`，与 TUS 流程行为一致
+- **bind 安全**：构造函数中一次性 bind `handleUpload`，`install`/`uninstall` 使用同一引用，避免 removeUploader 泄漏
+
+### 3.6 修改 uploader.tsx — 条件分支
+
+**为什么**：需要根据后端返回的 `uploadMode` 选择上传协议，同时保持 TUS 逻辑完全不变。
+
+**改动点**（共 +39 行新增）：
+
+1. **state 新增 `uploadMode`**：
+   ```typescript
+   uploadMode: 'tus' as 'tus' | 'presigned'
+   ```
+
+2. **useRequest 中读取 uploadMode**：
+   ```typescript
+   state.uploadMode = data.uploadMode || 'tus';
+   ```
+   从 `GET /api/uploader/status` 响应中获取。fallback 为 `'tus'`，所以 Blocklet 即使不返回此字段也完全兼容。
+
+3. **initUploader 条件分支**：
+   ```typescript
+   if (uploadMode === 'presigned') {
+     currentUppy.use(PresignedUploadPlugin, { apiBase });
+     currentUppy.on('upload-success', async (file, response) => {
+       // 构造与 TUS 一致的 result，调用 _onUploadFinish
+     });
+   } else {
+     currentUppy.use(Tus, { ... }); // 原有逻辑，一行不改
+   }
+   ```
+
+4. **useEffect 依赖加 uploadMode**：确保 `uploadMode` 从 `'tus'` 变为 `'presigned'` 后 uppy 实例会重新初始化。
+
+---
+
+## 四、消费者兼容性
+
+消费者代码：
+```jsx
+<Uploader onUploadFinish={(result) => {
+  console.log(result.data._id);      // ✅ 两种模式下都有
+  console.log(result.data.url);       // ✅ 两种模式下都有
+  console.log(result.data.filename);  // ✅ 两种模式下都有
+}} />
+```
+
+`result.data` 在两种模式下结构一致：
+
+| 字段 | TUS (Blocklet) | Presigned (CF Worker) |
+|------|----------------|----------------------|
+| `_id` | Sequelize UUID | D1 UUID |
+| `url` | `/uploads/hash.ext` | `/uploads/hash.ext` |
+| `filename` | `hash.ext` | `hash.ext` |
+| `originalname` | 原始文件名 | 原始文件名 |
+| `mimetype` | MIME type | MIME type |
+| `size` | 文件大小 | 文件大小 |
+| `createdAt` | ISO 时间戳 | ISO 时间戳 |
+| `createdBy` | user DID | user DID |
+| `tags` | string[] | string[] |
+
+**消费者零改动，零感知。**
+
+---
+
+## 五、验证结果
+
+| 检查项 | 结果 |
+|--------|------|
+| CF Worker TypeScript 编译 | ✅ 通过（仅 `cloudflare:test` 预存 error） |
+| CF Worker 单元测试（14 tests） | ✅ 全部通过 |
+| Uploader 包构建（unbuild） | ✅ 通过，ESM/CJS 均生成 |
+| Presigned plugin 编译输出 | ✅ `lib/` 和 `es/` 均包含 |
+| 残留引用检查 | ✅ 无任何 `@blocklet/media-kit-core` 或 `adapters` 引用 |
+| Blocklet 代码 | ✅ 未触碰任何文件 |
+
+---
+
+## 六、架构图
+
+```
+消费者代码（零改动）
+  └── <Uploader onUploadFinish={fn} />
+        │
+        ├── uploadMode === 'tus'（Blocklet 默认）
+        │     └── Uppy + @uppy/tus
+        │           └── TUS 协议 → Blocklet Express 后端 → 本地存储
+        │
+        └── uploadMode === 'presigned'（CF Worker）
+              └── Uppy + PresignedUploadPlugin
+                    ├── POST /uploads/check     → D1 去重
+                    ├── POST /uploads/presign   → 获取签名 URL
+                    ├── PUT  presignedUrl        → 直传 R2
+                    └── POST /uploads/confirm   → D1 记录 + 返回 result.data
+```
diff --git a/cloudflare/docs/MIGRATION-PLAN.md b/cloudflare/docs/MIGRATION-PLAN.md
new file mode 100644
index 0000000..fc7a4c1
--- /dev/null
+++ b/cloudflare/docs/MIGRATION-PLAN.md
@@ -0,0 +1,1319 @@
+# Media Kit Cloudflare Migration Plan v6
+
+> Integrated from Media Kit Owner + Cloudflare Expert + Cross-Model Review (Claude Opus 4.6 + GPT-5.4).
+> Date: 2026-03-16 | Version: 6
+
+---
+
+## Changelog from v5
+
+| # | Change | Source | Description |
+|---|--------|--------|-------------|
+| V6-1 | Auth ensureAdmin 改为配置式 | Cross-review P1 | role=member 与 ensureAdmin 矛盾，改为环境变量 ADMIN_DIDS 配置管理员 |
+| V6-2 | Dedup check 改为 size+ext 粗筛 | Cross-review P1 | first-5MB hash 与 full-file hash filename 不匹配，改为按 size+ext 粗筛候选 |
+| V6-3 | cf.image origin 改为 Worker subrequest | Cross-review P1 | cf.image 经 Cloudflare 图片代理，不转发自定义 header，WAF 方案不可行 |
+| V6-4 | 补完前端响应契约 | Cross-review P1 | confirm/check/presign 的响应 schema 明确定义 |
+| V6-5 | 补充 folders 数据迁移 | Cross-review P2 | 迁移脚本遗漏 folders 表 |
+| V6-6 | 补充 tags 查询 API | Cross-review P2 | GET /api/uploads 缺少 tag 过滤参数 |
+| V6-7 | SVG 清洗改用 Workers 兼容方案 | Claude 发现 | DOMPurify 依赖 DOM API，Workers 中不可用 |
+| V6-8 | ListParts XML 解析改用标准解析器 | Claude 发现 | 正则解析 XML 脆弱，改用 Workers 内置 HTMLRewriter 或分步解析 |
+| V6-9 | 大文件 confirm 超时处理 | Cross-review P2 | >500MB 文件 hash 可能超 30s CPU 限制 |
+
+---
+
+## Changelog from v4 (preserved)
+
+| # | Change | Source | Description |
+|---|--------|--------|-------------|
+| V5-1 | 认证简化为默认放行 | 用户确认 | 先默认一个 DID 可上传，Shijun 过几天给出认证方案后再对接 |
+| V5-2 | AFS 推迟到下个版本 | 用户确认 | 先完成 Cloudflare 迁移，AFS 集成放到 v2 |
+| V5-3 | 废弃 Blocklet SDK API | 用户确认 | Group B (SDK Upload) 和所有 blocklet sdk 相关接口全部移除 |
+| V5-4 | 移除 Service Binding 认证 | 随 V5-1 | Service Binding 通信保留，但认证逻辑待后续 |
+
+---
+
+## Changelog from v3 (preserved)
+
+| # | Change | Source | Description |
+|---|--------|--------|-------------|
+| V4-1 | 移除认证设计 | Shijun 反馈 | 认证部分由 Shijun 封装的工具统一处理 |
+| V4-2 | 新增 AFS 集成 | Shijun 反馈 | 设计 media-kit 作为 AIGNE AFS 存储后端（已推迟到 v2） |
+| V4-3 | 移除 nonces 表 | 随 V4-1 | 不再需要 HMAC 防重放 |
+| V4-4 | 简化 wrangler.toml | 随 V4-1 | 移除认证相关密钥 |
+
+---
+
+## Changelog from v2 (preserved)
+
+| # | Issue (from Round 2 Cross-Review) | Severity | Source | Fix in v3 |
+|---|----------------------------------|----------|--------|-----------|
+| R2-1 | Service Binding `x-service-binding` header 可被外部伪造 | P1 | 双模型确认 | 改为 shared secret 验证 + 删除公网可触及的 header 信任 |
+| R2-2 | confirm 步骤 streamMD5 全量加载到内存，100MB 文件接近 128MB 限制 | P1 | 双模型确认 | 改用 js-md5 增量哈希 (O(1) 内存) |
+| R2-3 | HMAC nonce 防重放仍是 TODO，未实现 | P1 | Codex 发现 | 实现 KV nonce 存储 + 5 分钟 TTL |
+| R2-4 | 服务端文件校验缺失（SVG 窗口期 + mimetype 信任客户端） | P1 | Codex 发现 | confirm 步骤增加 mimetype 校验 + SVG sanitize 在 promote 前完成 |
+| R2-5 | `R2.copy()` API 不存在 | P1 | 双模型确认 | 改为 S3 CopyObject via aws4fetch |
+| R2-6 | `crypto.subtle.digest('MD5')` Workers 不支持 | P2 | Claude 发现 | 改用 js-md5 增量哈希 |
+| R2-7 | 前端 multipart 代码缺少 `/multipart/complete` 调用 | P2 | Codex 发现 | 修复前端流程：parts → complete → confirm |
+| R2-8 | Dedup check (first 5MB MD5) 存在碰撞误判风险 | P2 | Codex 发现 | Dedup 降级为 hint，confirm 阶段用全文件 hash 最终确认 |
+| R2-9 | `/api/url/import` 无 SSRF 防护 | P2 | Codex 发现 | 加 host denylist + size limit + redirect cap |
+| R2-10 | R2 Workers API 无 listParts 方法 | P2 | Claude 发现 | 改用 S3 ListParts via aws4fetch |
+| R2-11 | Transform Rule 不能直接触发 Image Resizing | P2 | Claude 发现 | 改为 Worker 内 `cf.image` 统一处理 |
+
+### Fixes from Round 3 (included in v3)
+
+| # | Issue (from Round 3) | Severity | Source | Fix |
+|---|---------------------|----------|--------|-----|
+| R3-1 | Service Binding 示例代码仍用旧 header | P2 | Codex | 更新示例使用 x-sb-secret |
+| R3-2 | KV nonce 最终一致性可被跨区域并发绕过 | P1 | Codex | 改用 D1 nonces 表（单主写入，原子唯一性） |
+| R3-3 | Mimetype 校验是客户端自引用 | P1 | Codex | 改为 magic-byte 内容嗅探（前 4KB） |
+| R3-4 | 前端 dedup 仍然跳过 confirm | P2 | Codex | 即使 dedup 命中也调用 confirm 创建用户记录 |
+| R3-5 | 公开 R2 域名绕过 EXIF 移除 | P1 | Codex | R2 bucket 私有 + WAF 限制 origin 访问 |
+| R3-6 | /multipart/complete 与 /confirm 职责矛盾 | P2 | Codex | 明确 complete 仅组装对象，confirm 统一做校验/promote |
+| R3-7 | Dedup 路径不删除 tempKey | P3 | Codex | 两条路径都删除 tempKey |
+
+### v1 → v2 Changelog (preserved)
+
+| # | Issue (from Codex R1) | Severity | Fix in v2 |
+|---|----------------------|----------|-----------|
+| 1 | R2 multipart 前端直传方案不完整 | P1 | 重新设计三层上传协议，补完 S3 presigned multipart 全流程 |
+| 2 | 断点续传能力丢失未补偿 | P1 | 设计 resumable multipart 协议（客户端持久化 + listParts） |
+| 3 | 95MB 直传阈值过高，内存溢出 | P1 | 小文件改为 R2 presigned PUT 直传（绕过 Worker 内存）；Worker 仅做签名 |
+| 4 | 客户端传入 hash 作 key，覆盖风险 | P1 | 改为 temp key 上传 → 服务端校验 → promote 流程 |
+| 5 | HMAC 认证消费 body + 重放 + 权限过大 | P1 | 改为 canonical request 签名（不读 body），加 nonce，scoped 权限 |
+| 6 | EXIF 策略回退隐私承诺 | P1 | 强制所有图片经过 Image Resizing，确保 EXIF 始终移除 |
+| 7 | Unsplash 重新托管违反 ToS | P1 | 改为 hotlink + attribution 模式，仅存 metadata |
+| 8 | tags JSON 全表扫描 | P2 | 新增 upload_tags 关联表 |
+| 9 | D1 全球访问模型未设计 | P2 | 补充 primary location + read replication 策略 |
+| 10 | 成本估算不准 | P2 | 三档成本模型（保守/中位/峰值） |
+| 11 | 文档内在不一致 | P2 | 修复 check API、迁移脚本参数化、status 响应兼容 |
+| 12 | Service Binding 可平替 component.call | P2 | 补充 Service Binding 架构 |
+
+---
+
+## 1. Executive Summary
+
+将 Media Kit (image-bin) 从 ArcBlock Blocklet Server 迁移到 Cloudflare Workers + R2 + D1。
+
+**Scope Change Declaration**: 迁移后，断点续传能力从 TUS 的字节级断点改为 R2 multipart 的分片级断点（最小粒度 5MB part），刷新页面后可恢复未完成的分片上传。这是可接受的产品范围变更。
+
+**核心技术栈变更**：
+
+| 层 | 现有 | 迁移后 |
+|---|---|---|
+| 运行时 | Express.js + Node.js | Hono + Cloudflare Workers |
+| 文件存储 | 本地磁盘 | Cloudflare R2 |
+| 数据库 | SQLite + Sequelize | Cloudflare D1 + Drizzle ORM |
+| 上传协议 | TUS 断点续传 (10MB chunks) | R2 presigned PUT + R2 S3 multipart |
+| 图片处理 | 无 | Cloudflare Image Resizing (Worker `cf.image`) |
+| CDN | CDN_HOST URL 替换 | Cloudflare CDN（原生） |
+| 认证 | DID Wallet + 组件签名 | 默认放行（预留 DID），待 Shijun 提供认证方案 |
+| 组件间调用 | blocklet component.call | Cloudflare Service Binding（保留通信，认证待定） |
+| 前端 | Vite + React (Blocklet) | Vite + React (Cloudflare Pages) |
+
+---
+
+## 2. Feature Inventory & Migration Impact
+
+### 2.1 API Endpoints
+
+#### Group A: Core Upload Management
+
+| Method | Path | Auth | Function | Impact |
+|--------|------|------|----------|--------|
+| GET | `/uploads/:filename` | Optional (referer) | 文件静态服务 + Image Resizing + EXIF strip | 🔄 Adapt |
+| POST | `/api/uploads/presign` | user + auth | 获取 R2 presigned PUT URL（小文件）或创建 multipart session（大文件） | 🔧 New |
+| POST | `/api/uploads/confirm` | user + auth | 上传完成确认，服务端校验 + promote + 写 D1 | 🔧 New |
+| POST | `/api/uploads/multipart/part-url` | user + auth | 获取单个 part 的 presigned PUT URL | 🔧 New |
+| POST | `/api/uploads/multipart/complete` | user + auth | 完成 multipart 上传 | 🔧 New |
+| POST | `/api/uploads/multipart/abort` | user + auth | 中止 multipart 上传 | 🔧 New |
+| GET | `/api/uploads/multipart/status` | user + auth | 查询 multipart 上传进度（已完成 parts） | 🔧 New |
+| POST | `/api/uploads/check` | user + auth | 文件去重检查（仅返回当前用户范围） | 🔧 New |
+| GET | `/api/uploads` | user + auth | 分页列出上传文件（支持 ?tag= 过滤） | 🔄 Adapt |
+| DELETE | `/api/uploads/:id` | user + isAdmin | 删除（引用计数） | 🔄 Adapt |
+| PUT | `/api/uploads/:id` | user + isAdmin | 移动到 folder | 🔄 Adapt |
+
+#### ~~Group B: SDK Upload~~ (v5 废弃)
+
+> Blocklet SDK 相关的 API 全部废弃，不迁移。
+
+#### Group B: Supporting Features
+
+| Method | Path | Auth | Function | Impact |
+|--------|------|------|----------|--------|
+| POST | `/api/folders` | user + isAdmin | 创建文件夹 | 🔄 Adapt |
+| POST | `/api/image/generations` | user + auth | AI 图片生成 | 🔄 Adapt |
+| GET | `/api/image/models` | None | AI 模型列表 | 🔄 Adapt |
+| GET | `/api/uploader/status` | None | 上传器配置（兼容现有前端响应 schema） | 🔄 Adapt |
+| GET | `/api/unsplash/search` | user + auth | Unsplash 搜索（hotlink 模式） | 🔧 New |
+| POST | `/api/unsplash/track-download` | user + auth | 触发 Unsplash download tracking | 🔧 New |
+| POST | `/api/url/import` | user + auth | 从 URL 导入文件 | 🔧 New |
+
+#### Group C: Drop
+
+| Path | Reason |
+|------|--------|
+| `/api/resources`, `/api/resources/export` | Blocklet imgpack 体系 |
+| `/proxy-to-uploads/*` | Blocklet 内部代理 |
+| `/api/sdk/uploads`, `/api/sdk/uploads/find` | Blocklet SDK 废弃 |
+
+#### Group D: Service Binding (替代 component.call)
+
+其他 Cloudflare Workers 通过 Service Binding 直接调用 media-kit Worker：
+
+```toml
+# 其他 Worker 的 wrangler.toml
+[[services]]
+binding = "MEDIA_KIT"
+service = "media-kit"
+```
+
+```typescript
+// 调用方（零网络延迟）
+// 认证方案待 Shijun 确定后对接
+const res = await env.MEDIA_KIT.fetch(
+  new Request('https://media-kit.internal/api/uploads', {
+    method: 'POST',
+    body: formData,
+    headers: {
+      'x-caller-id': 'my-worker-name',
+    },
+  })
+);
+```
+
+### 2.2 Data Model
+
+**uploads 表**（不变）:
+
+| Field | Type | Notes |
+|-------|------|-------|
+| id | TEXT PK | UUID |
+| filename | TEXT | MD5 hash + ext |
+| originalname | TEXT | 原始文件名 |
+| mimetype | TEXT | MIME 类型 |
+| size | INTEGER | 字节大小 |
+| remark | TEXT | 备注 |
+| folder_id | TEXT | 所属文件夹 |
+| created_at | TEXT | ISO 时间 |
+| updated_at | TEXT | ISO 时间 |
+| created_by | TEXT | 创建者 |
+| updated_by | TEXT | 更新者 |
+
+**upload_tags 表**（新增，替代 JSON tags 字段）:
+
+| Field | Type | Notes |
+|-------|------|-------|
+| upload_id | TEXT FK | 关联 uploads.id |
+| tag | TEXT | 标签值 |
+| PK | (upload_id, tag) | 复合主键 |
+
+索引：`(tag, upload_id)` — 支持按 tag 高效查询
+
+**folders 表**（不变）
+
+**upload_sessions 表**（新增，管理 multipart 上传状态）:
+
+| Field | Type | Notes |
+|-------|------|-------|
+| id | TEXT PK | UUID |
+| upload_id | TEXT | R2 multipart uploadId |
+| key | TEXT | R2 object key (temp key) |
+| final_key | TEXT | 最终 key (content hash) |
+| total_size | INTEGER | 预期总大小 |
+| part_size | INTEGER | 每 part 大小 |
+| status | TEXT | 'active' / 'completed' / 'aborted' |
+| created_by | TEXT | 创建者 |
+| created_at | TEXT | 创建时间 |
+| expires_at | TEXT | 过期时间（默认 24h） |
+
+---
+
+## 3. Architecture
+
+```
+                    ┌────────────────────────────┐
+                    │     Cloudflare CDN          │
+                    │  (caches Worker responses)  │
+                    └──────────┬─────────────────┘
+                               │
+             ┌─────────────────▼──────────────────┐
+             │        Cloudflare Worker            │
+             │         (Hono framework)            │
+             ├────────────────────────────────────┤
+             │  Middleware:                        │
+             │  cors → auth (默认放行) → ...      │
+             │                                    │
+             │  Image serving:                    │
+             │  cf.image { metadata:"none" }      │
+             │  (EXIF strip + resize in Worker)   │
+             │                                    │
+             │  Upload flow:                      │
+             │  presign → client PUT R2 → confirm │
+             │  (Worker 不接收文件 body)            │
+             └──┬──────────┬────────┬──┬──────────┘
+                │          │        │  │
+      ┌─────────▼──┐ ┌────▼───┐ ┌──▼──▼──────────┐
+      │  R2 Bucket │ │  D1    │ │ Service Bind    │
+      │  uploads   │ │ SQLite │ │ → other Workers │
+      │ (PRIVATE)  │ │        │ │                 │
+      └────────────┘ └────────┘ └─────────────────┘
+
+      ┌─────────────────┐
+      │ Cloudflare Pages │
+      │ (React Frontend) │
+      └─────────────────┘
+```
+
+> **IMPORTANT**: R2 bucket MUST be private (no public access). All file access goes
+> through the Worker, which applies `cf.image { metadata: 'none' }` for EXIF stripping.
+> A public R2 origin would allow bypassing EXIF removal.
+
+### D1 Deployment Strategy
+
+| Config | Value | Reason |
+|--------|-------|--------|
+| Primary Location | `auto` (nearest to first write) or explicit `enam`/`apac` | 根据主要用户群选择 |
+| Read Replication | Enabled | 列表查询可接受副本读 |
+| Session API | `withSession("first-primary")` for writes | 写后读一致性 |
+| Writes requiring consistency | Upload confirm, delete with ref count | 必须打到 primary |
+| Reads tolerating staleness | List uploads, folder list, status | 可用 read replica |
+
+---
+
+## 4. Upload Flow Redesign
+
+### 4.1 Design Principles
+
+1. **Worker 不接收文件 body** — 所有文件都直传 R2（presigned URL），Worker 仅做签名和元数据
+2. **Temp key → Promote** — 上传先写临时 key，服务端校验后 rename 为内容寻址 key
+3. **可恢复** — Multipart 上传支持刷新页面后恢复（客户端持久化 session，服务端 listParts）
+4. **服务端校验** — 上传完成后服务端计算完整文件 hash，不信任客户端 hash
+
+### 4.2 Upload Tiers
+
+| Tier | File Size | Method | Resumable |
+|------|-----------|--------|-----------|
+| Small | < 100MB | R2 presigned PUT (single request) | No (单次完成) |
+| Large | >= 100MB | R2 S3 multipart (per-part presigned PUT) | Yes (part 级) |
+
+### 4.3 Small File Flow (< 100MB)
+
+```
+1. Client: compute file metadata for dedup hint
+2. Client → POST /api/uploads/check { ext, size }
+   → Worker: query D1 for uploads where size = {size} AND filename LIKE '%.{ext}'
+     (按 size + ext 粗筛候选文件)
+   → If single match: return { exists: true, url, filename, uploadId }
+     (前端可展示 "已存在相同文件"，用户确认后调用 confirm 复用)
+   → If multiple matches: return { exists: false }
+     (多个候选无法确定，走正常上传流程)
+   → If no match: return { exists: false }
+   → NOTE: dedup check is a HINT only. It reduces unnecessary uploads but never
+     skips server-side hash verification. The confirm step always computes full-file
+     MD5 to determine the final content-addressable key.
+
+3. Client → POST /api/uploads/presign {
+     originalname, mimetype, size, ext, folderId
+   }
+   → Worker:
+     a. Generate temp key: `tmp/{uuid}.{ext}`
+     b. Generate presigned PUT URL for R2 (using S3 API)
+     c. Save upload session to D1 (upload_sessions)
+     d. Return { presignedUrl, sessionId, tempKey }
+
+4. Client → PUT presignedUrl (直传 R2，绕过 Worker)
+   → R2 receives file body
+
+5. Client → POST /api/uploads/confirm { sessionId }
+   → Worker:
+     a. Read first 4KB of R2 temp key for magic-byte content sniffing
+        (e.g., JPEG starts with FF D8 FF, PNG with 89 50 4E 47)
+        If detected mimetype conflicts with client-claimed mimetype, reject upload.
+        This prevents disguised file attacks (e.g., .exe renamed to .jpg).
+     b. Read file from R2 temp key (streaming)
+     c. Compute full MD5 hash (streaming js-md5, O(1) memory)
+     d. Final key = `{serverMD5}.{ext}`
+     e. If SVG: read content, sanitize (sanitize-svg — Workers-compatible, no DOM dependency),
+        re-upload sanitized version to tempKey
+        NOTE: DOMPurify requires DOM API (document/window) which Workers do NOT have.
+        Use `@poppanator/shtml` or a regex-based SVG sanitizer that strips <script>,
+        on* attributes, and external references without DOM.
+     f. If R2.head(finalKey) exists with same size → dedup: skip copy, delete tempKey
+     g. Else: S3 CopyObject(tempKey → finalKey) via aws4fetch, then R2.delete(tempKey)
+        NOTE: tempKey is ALWAYS deleted (both dedup and non-dedup paths)
+        NOTE: R2 Workers API has NO copy() method. Must use S3 CopyObject:
+        PUT /{bucket}/{finalKey} with header x-amz-copy-source: /{bucket}/{tempKey}
+     h. Insert D1 record
+     i. Return { url, ...doc }
+```
+
+**Key**: Worker 在 confirm 阶段流式读取 R2 对象计算 hash，使用增量 MD5（O(1) 内存）。
+
+```typescript
+// 流式 MD5 计算（Worker 中）— O(1) 内存，安全处理任意大小文件
+import md5 from 'js-md5';
+
+async function streamMD5(r2Object: R2ObjectBody): Promise<string> {
+  const hasher = md5.create();
+  const reader = r2Object.body.getReader();
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    hasher.update(value);
+  }
+  return hasher.hex();
+}
+```
+
+> Note: `crypto.subtle.digest('MD5')` is NOT supported in Workers WebCrypto.
+> Workers WebCrypto only supports SHA-1/256/384/512. Must use js-md5 (pure JS, ~3KB).
+> Alternative: For SHA-256 hash, can use Workers native `crypto.DigestStream` (zero-copy streaming).
+
+### 4.4 Large File Flow (>= 100MB) — Resumable Multipart
+
+```
+1. Client: dedup check (same as small — size + ext)
+
+2. Client → POST /api/uploads/presign {
+     originalname, mimetype, size, ext, folderId, multipart: true
+   }
+   → Worker:
+     a. Temp key: `tmp/{uuid}.{ext}`
+     b. R2.createMultipartUpload(tempKey, { httpMetadata })
+     c. Calculate part count (partSize = 10MB, min 5MB, max 10000 parts)
+     d. Save to D1 upload_sessions: { uploadId, tempKey, totalSize, partSize, status: 'active' }
+     e. Return { sessionId, uploadId, key: tempKey, partSize, partCount }
+
+3. For each part:
+   Client → POST /api/uploads/multipart/part-url { sessionId, partNumber }
+   → Worker:
+     a. Validate session exists and is active
+     b. Generate presigned PUT URL for this part using R2 S3 API:
+        - Method: PUT
+        - Key: tempKey
+        - PartNumber: partNumber
+        - UploadId: uploadId
+        - Expiry: 1 hour
+     c. Return { presignedUrl, partNumber }
+
+   Client → PUT presignedUrl with part body (直传 R2)
+   → R2 returns ETag in response header
+   Client: save { partNumber, etag } to localStorage (for resume)
+
+4. If page refresh / network recovery:
+   Client → GET /api/uploads/multipart/status { sessionId }
+   → Worker:
+     a. Check upload_sessions in D1
+     b. List completed parts via S3 ListParts API (aws4fetch):
+        GET /{bucket}/{key}?uploadId={uploadId}
+        NOTE: R2 Workers binding has NO listParts method. Must use S3 API + parse XML.
+     c. Return { completedParts: [{ partNumber, etag, size }], status }
+   Client: compare with localStorage, resume from first incomplete part
+
+5. Client → POST /api/uploads/multipart/complete {
+     sessionId, parts: [{ partNumber, etag }...]
+   }
+   → Worker:
+     a. R2.resumeMultipartUpload(key, uploadId).complete(parts)
+        → This materializes the R2 object. Without this, the object does NOT exist.
+     b. Return { status: 'assembled' }
+        NOTE: /multipart/complete ONLY assembles the R2 object. It does NOT do
+        hash verification, validation, promote, or D1 insert. Those happen in /confirm.
+        This separation ensures a single finalization path for both small and large files.
+
+6. Client → POST /api/uploads/confirm { sessionId }
+   (Same confirm endpoint as small files — single finalization path)
+   → Worker: same flow as small file confirm (magic-byte check, hash, promote, D1 insert)
+
+7. Abort (optional):
+   Client → POST /api/uploads/multipart/abort { sessionId }
+   → Worker: R2.resumeMultipartUpload(key, uploadId).abort()
+   → Update upload_sessions status = 'aborted'
+```
+
+### 4.5 Presigned URL Generation (S3 Compatible)
+
+```typescript
+import { AwsClient } from 'aws4fetch';
+
+function createS3Client(env: Env) {
+  return new AwsClient({
+    accessKeyId: env.R2_ACCESS_KEY_ID,
+    secretAccessKey: env.R2_SECRET_ACCESS_KEY,
+    region: 'auto',
+    service: 's3',
+  });
+}
+
+async function generatePresignedPutUrl(
+  s3: AwsClient, bucket: string, key: string, accountId: string,
+  options: { expiresIn?: number; contentType?: string; partNumber?: number; uploadId?: string } = {}
+) {
+  const { expiresIn = 3600, contentType, partNumber, uploadId } = options;
+  const endpoint = `https://${accountId}.r2.cloudflarestorage.com/${bucket}/${key}`;
+  const url = new URL(endpoint);
+
+  if (partNumber && uploadId) {
+    url.searchParams.set('partNumber', String(partNumber));
+    url.searchParams.set('uploadId', uploadId);
+  }
+  url.searchParams.set('X-Amz-Expires', String(expiresIn));
+
+  const signed = await s3.sign(new Request(url, {
+    method: 'PUT',
+    headers: contentType ? { 'Content-Type': contentType } : {},
+  }), { aws: { signQuery: true } });
+
+  return signed.url;
+}
+
+// S3 CopyObject — R2 Workers API has NO copy() method, must use S3 API
+async function s3CopyObject(
+  s3: AwsClient, bucket: string, sourceKey: string, destKey: string, accountId: string
+) {
+  const endpoint = `https://${accountId}.r2.cloudflarestorage.com/${bucket}/${destKey}`;
+  const signed = await s3.sign(new Request(endpoint, {
+    method: 'PUT',
+    headers: {
+      'x-amz-copy-source': `/${bucket}/${sourceKey}`,
+    },
+  }));
+  const res = await fetch(signed);
+  if (!res.ok) throw new Error(`CopyObject failed: ${res.status}`);
+}
+
+// S3 ListParts — R2 Workers API has NO listParts() method, must use S3 API
+async function s3ListParts(
+  s3: AwsClient, bucket: string, key: string, uploadId: string, accountId: string
+): Promise<Array<{ partNumber: number; etag: string; size: number }>> {
+  const endpoint = `https://${accountId}.r2.cloudflarestorage.com/${bucket}/${key}?uploadId=${uploadId}`;
+  const signed = await s3.sign(new Request(endpoint, { method: 'GET' }));
+  const res = await fetch(signed);
+  const xml = await res.text();
+  // Parse XML response for <Part> elements
+  // NOTE: Regex XML parsing is fragile (attribute order, whitespace, CDATA).
+  // Use a lightweight XML parser like 'fast-xml-parser' (Workers-compatible, ~15KB).
+  // Alternatively, split by <Part> tags and extract fields step by step.
+  const { XMLParser } = await import('fast-xml-parser');
+  const parser = new XMLParser();
+  const parsed = parser.parse(xml);
+  const rawParts = parsed?.ListPartsResult?.Part;
+  if (!rawParts) return [];
+  const partArray = Array.isArray(rawParts) ? rawParts : [rawParts];
+  return partArray.map((p: any) => ({
+    partNumber: Number(p.PartNumber),
+    etag: String(p.ETag),
+    size: Number(p.Size),
+  }));
+}
+```
+
+**R2 CORS 配置**（必须）：
+
+```json
+[
+  {
+    "AllowedOrigins": ["https://media.your-domain.com"],
+    "AllowedMethods": ["PUT", "GET", "HEAD"],
+    "AllowedHeaders": ["Content-Type", "Content-MD5"],
+    "ExposeHeaders": ["ETag"],
+    "MaxAgeSeconds": 3600
+  }
+]
+```
+
+### 4.6 Upload Session Cleanup
+
+```typescript
+// Cron trigger: 每小时清理过期 upload sessions
+export default {
+  async scheduled(event: ScheduledEvent, env: Env) {
+    const db = drizzle(env.DB);
+    const expired = await db.select().from(uploadSessions)
+      .where(and(
+        eq(uploadSessions.status, 'active'),
+        lt(uploadSessions.expiresAt, new Date().toISOString())
+      ));
+
+    for (const session of expired) {
+      try {
+        const multipart = env.R2_UPLOADS.resumeMultipartUpload(session.key, session.uploadId);
+        await multipart.abort();
+      } catch { /* already cleaned */ }
+      await db.update(uploadSessions)
+        .set({ status: 'aborted' })
+        .where(eq(uploadSessions.id, session.id));
+    }
+  },
+};
+```
+
+```toml
+# wrangler.toml
+[triggers]
+crons = ["0 * * * *"]  # Every hour
+```
+
+### 4.7 Frontend Uploader Changes
+
+```typescript
+// Core change: TUS → Presigned URL upload
+// New custom Uppy plugin: R2PresignedUpload
+
+class R2PresignedUpload extends BasePlugin {
+  async upload(fileIDs: string[]) {
+    for (const id of fileIDs) {
+      const file = this.uppy.getFile(id);
+      const { ext } = file.meta;
+
+      // 1. Dedup check (hint only — server must still confirm)
+      const checkRes = await fetch(`${apiBase}/api/uploads/check`, {
+        method: 'POST',
+        headers: authHeaders(),
+        body: JSON.stringify({ ext, size: file.size }),
+      });
+      const { exists, url, uploadId } = await checkRes.json();
+      if (exists && uploadId) {
+        // File exists — but still call confirm to ensure D1 record exists for THIS user
+        // (dedup shares the R2 object but each user gets their own D1 record)
+        // NOTE: url from /check contains the content-addressable filename
+        const confirmRes = await fetch(`${apiBase}/api/uploads/confirm`, {
+          method: 'POST',
+          headers: authHeaders(),
+          body: JSON.stringify({ existingUploadId: uploadId }),
+        });
+        const doc = await confirmRes.json();
+        this.uppy.emit('upload-success', file, doc);
+        continue;
+      }
+
+      // 2. Get presigned URL
+      const presignRes = await fetch(`${apiBase}/api/uploads/presign`, {
+        method: 'POST',
+        headers: authHeaders(),
+        body: JSON.stringify({
+          originalname: file.name,
+          mimetype: file.type,
+          size: file.size,
+          ext,
+          folderId,
+          multipart: file.size >= 100 * 1024 * 1024,
+        }),
+      });
+      const session = await presignRes.json();
+
+      if (!session.multipart) {
+        // 3a. Small file: single PUT
+        await fetch(session.presignedUrl, {
+          method: 'PUT',
+          body: file.data,
+          headers: { 'Content-Type': file.type },
+        });
+      } else {
+        // 3b. Large file: multipart upload all parts
+        const completedParts = await this.multipartUpload(file, session);
+
+        // 3c. Complete multipart (materializes the R2 object)
+        // Without this step, R2 object does NOT exist — confirm would fail!
+        await fetch(`${apiBase}/api/uploads/multipart/complete`, {
+          method: 'POST',
+          headers: authHeaders(),
+          body: JSON.stringify({
+            sessionId: session.sessionId,
+            parts: completedParts,
+          }),
+        });
+      }
+
+      // 4. Confirm (hash verify + promote + D1 insert)
+      const confirmRes = await fetch(`${apiBase}/api/uploads/confirm`, {
+        method: 'POST',
+        headers: authHeaders(),
+        body: JSON.stringify({ sessionId: session.sessionId }),
+      });
+      const doc = await confirmRes.json();
+      this.uppy.emit('upload-success', file, doc);
+    }
+  }
+
+  async multipartUpload(file, session) {
+    const { sessionId, partSize, partCount } = session;
+    const completedParts = [];
+
+    // Check localStorage for resume
+    const savedParts = JSON.parse(
+      localStorage.getItem(`upload-${sessionId}`) || '[]'
+    );
+
+    for (let i = 1; i <= partCount; i++) {
+      // Skip already completed parts
+      const saved = savedParts.find(p => p.partNumber === i);
+      if (saved) { completedParts.push(saved); continue; }
+
+      // Get presigned URL for this part
+      const urlRes = await fetch(`${apiBase}/api/uploads/multipart/part-url`, {
+        method: 'POST',
+        headers: authHeaders(),
+        body: JSON.stringify({ sessionId, partNumber: i }),
+      });
+      const { presignedUrl } = await urlRes.json();
+
+      // Upload part
+      const start = (i - 1) * partSize;
+      const end = Math.min(i * partSize, file.size);
+      const partBlob = file.data.slice(start, end);
+
+      const putRes = await fetch(presignedUrl, {
+        method: 'PUT',
+        body: partBlob,
+      });
+      const etag = putRes.headers.get('ETag');
+      completedParts.push({ partNumber: i, etag });
+
+      // Persist to localStorage for resume
+      localStorage.setItem(`upload-${sessionId}`, JSON.stringify(completedParts));
+
+      // Progress
+      this.uppy.emit('upload-progress', file, {
+        bytesUploaded: end,
+        bytesTotal: file.size,
+      });
+    }
+
+    // Clean up localStorage after successful upload
+    localStorage.removeItem(`upload-${sessionId}`);
+    return completedParts;
+  }
+}
+```
+
+**PrepareUpload plugin**: 不变（EXIF 方向修正、SVG 清洗、zip bomb 检测均为纯前端逻辑）。
+
+### 4.8 API Response Contracts
+
+所有 API 响应必须与现有前端兼容。以下是关键端点的响应 schema：
+
+```typescript
+// POST /api/uploads/check
+interface CheckResponse {
+  exists: boolean;
+  url?: string;        // 已存在文件的访问 URL（如 /uploads/{filename}）
+  filename?: string;   // 已存在文件的 filename（content hash key）
+  uploadId?: string;   // 已存在文件的 D1 record id（用于 dedup confirm）
+}
+
+// POST /api/uploads/presign
+interface PresignResponse {
+  sessionId: string;        // upload session id (UUID)
+  presignedUrl?: string;    // 小文件: R2 presigned PUT URL
+  multipart?: boolean;      // true if large file
+  uploadId?: string;        // 大文件: R2 multipart uploadId
+  key?: string;             // 大文件: temp key
+  partSize?: number;        // 大文件: 每 part 字节数
+  partCount?: number;       // 大文件: 总 part 数
+}
+
+// POST /api/uploads/confirm
+// 必须兼容现有前端 Uppy upload-success 事件期望的字段
+interface ConfirmResponse {
+  id: string;               // D1 record UUID
+  filename: string;         // content-addressable key (e.g., "abc123.png")
+  originalname: string;     // 原始文件名
+  mimetype: string;
+  size: number;
+  url: string;              // 文件访问 URL (e.g., "/uploads/abc123.png")
+  created_at: string;       // ISO timestamp
+  // 以下字段保持与现有前端兼容
+  hashFileName?: string;    // same as filename, for backward compat
+}
+
+// GET /api/uploads (分页列表)
+interface ListResponse {
+  data: ConfirmResponse[];
+  total: number;
+  page: number;
+  pageSize: number;
+}
+```
+
+---
+
+## 5. Component Design
+
+### 5.1 Authentication (v6 — 默认放行 + 管理员配置)
+
+> **v5 变更**: 先默认放行所有上传请求，使用一个硬编码的默认 DID 作为用户标识。
+> **v6 修复**: 增加 ADMIN_DIDS 环境变量，解决 role=member 与 isAdmin 检查的矛盾。
+> Shijun 过几天会提供认证方案，届时替换此占位实现。
+
+```typescript
+// cloudflare/src/middleware/auth.ts
+// 临时占位：默认放行，使用默认 DID
+// TODO: 替换为 Shijun 提供的认证方案
+
+const DEFAULT_DID = 'did:abt:default-uploader';
+
+export async function authMiddleware(c: Context, next: Next) {
+  const userId = c.req.header('x-user-did') || DEFAULT_DID;
+
+  // ADMIN_DIDS: 逗号分隔的管理员 DID 列表
+  // 默认放行时，DEFAULT_DID 自动包含在管理员列表中
+  const adminDids = (c.env.ADMIN_DIDS || DEFAULT_DID).split(',').map(s => s.trim());
+  const isAdmin = adminDids.includes(userId);
+
+  c.set('user', {
+    id: userId,
+    role: isAdmin ? 'admin' : 'member',
+  });
+
+  return next();
+}
+
+// 管理员检查中间件（替代原 ensureAdmin）
+export async function isAdminMiddleware(c: Context, next: Next) {
+  const user = c.get('user');
+  if (user.role !== 'admin') {
+    return c.json({ error: 'Admin access required' }, 403);
+  }
+  return next();
+}
+```
+
+**预留接口**：认证中间件读取 `x-user-did` header。当 Shijun 的认证工具就绪后，只需在 Worker 前面加一层认证网关（或中间件），将认证结果写入该 header 即可。管理员列表通过 `ADMIN_DIDS` 环境变量配置，认证方案就绪后可改为从认证结果中获取角色。
+
+### 5.2 EXIF Removal Strategy (v6 — Fixed)
+
+**Decision: Worker 内统一通过 `cf.image` 处理所有图片请求**
+
+> v2 错误：Transform Rules 不能触发 Image Resizing。v3 改为 Worker `cf.image`。
+> v5 错误：WAF + 自定义 header 方案不可行 — `cf.image` 通过 Cloudflare 图片代理发起请求，
+> 代理不会转发自定义 header，WAF 规则检查 `x-r2-origin-secret` 永远收不到该 header。
+>
+> **v6 方案**：R2 bucket 绑定公共域名（r2-origin.internal.com），但通过 Cloudflare
+> **IP Access Rule** 或 **Authenticated Origin Pull (mTLS)** 限制，仅允许 Cloudflare
+> 边缘 IP 访问。`cf.image` 从 Cloudflare 边缘发起 subrequest，天然来自 Cloudflare IP。
+> 外部直接访问该域名会被 IP 规则拦截。
+
+```typescript
+app.get('/uploads/:filename', async (c) => {
+  const { filename } = c.req.param();
+  const w = c.req.query('w');
+  const h = c.req.query('h');
+
+  const object = await c.env.R2_UPLOADS.head(filename);
+  if (!object) return c.text('404 NOT FOUND', 404);
+
+  const contentType = object.httpMetadata?.contentType || 'application/octet-stream';
+  const isImage = contentType.startsWith('image/');
+
+  // Images: pipe through cf.image for EXIF stripping + optional resize.
+  //
+  // cf.image requires a fetch to an origin URL (not ReadableStream).
+  // R2 origin domain is restricted via:
+  //   1. Cloudflare IP Access Rules (only edge IPs allowed)
+  //   2. Or: Authenticated Origin Pull (mTLS) enabled on the zone
+  // cf.image subrequests originate from Cloudflare edge, so they pass through.
+  // Direct external access to r2-origin domain is blocked.
+  if (isImage) {
+    const r2OriginUrl = `https://${c.env.R2_ORIGIN_DOMAIN}/${filename}`;
+    return fetch(r2OriginUrl, {
+      cf: {
+        image: {
+          metadata: 'none',           // ALWAYS strip EXIF
+          format: 'auto',             // auto WebP/AVIF based on Accept header
+          width: w ? parseInt(w) : undefined,
+          height: h ? parseInt(h) : undefined,
+          fit: (w || h) ? 'contain' : undefined,
+          quality: (w || h) ? 85 : 100,  // only compress when resizing
+        },
+      },
+    });
+  }
+
+  // Non-image files: serve directly from R2 binding (private, no Image Resizing needed)
+  const r2Object = await c.env.R2_UPLOADS.get(filename);
+  if (!r2Object) return c.text('404 NOT FOUND', 404);
+
+  return new Response(r2Object.body, {
+    headers: {
+      'Content-Type': contentType,
+      'Cache-Control': 'public, max-age=31536000, immutable',
+    },
+  });
+});
+```
+
+**R2 Origin 域名保护配置**:
+```
+# 方案 A: IP Access Rules（推荐，零成本）
+# Cloudflare 边缘 IP 列表: https://www.cloudflare.com/ips/
+# 在 DNS/Firewall 中配置：仅允许 Cloudflare IP 段访问 r2-origin 子域名
+
+# 方案 B: Authenticated Origin Pull（更安全，需要 Pro 以上）
+# 在 SSL/TLS → Origin Server 中启用 Authenticated Origin Pulls
+# cf.image 的 subrequest 自动携带 Cloudflare 客户端证书
+```
+
+### 5.3 Unsplash Strategy (v2 — ToS Compliant)
+
+**Decision: Hotlink + Attribution，不重新托管**
+
+Unsplash API Terms 要求：
+1. 使用 Unsplash 图片 URL 直接显示（hotlink）
+2. 显示 attribution（摄影师名称 + Unsplash 链接）
+3. 用户下载时调用 `download_location` endpoint
+
+```typescript
+// cloudflare/src/routes/unsplash.ts
+
+// 搜索：返回 Unsplash 图片列表（包含 hotlink URL 和 attribution）
+app.get('/search', authMiddleware, async (c) => {
+  const query = c.req.query('q');
+  const page = c.req.query('page') || '1';
+  const res = await fetch(
+    `https://api.unsplash.com/search/photos?query=${encodeURIComponent(query)}&page=${page}&per_page=30`,
+    { headers: { Authorization: `Client-ID ${c.env.UNSPLASH_KEY}` } }
+  );
+  const data = await res.json();
+
+  // Return structured results with attribution
+  return c.json({
+    results: data.results.map(photo => ({
+      id: photo.id,
+      urls: photo.urls,  // { raw, full, regular, small, thumb }
+      attribution: {
+        name: photo.user.name,
+        username: photo.user.username,
+        link: photo.user.links.html,
+      },
+      download_location: photo.links.download_location,
+      width: photo.width,
+      height: photo.height,
+      description: photo.description || photo.alt_description,
+    })),
+    total: data.total,
+    total_pages: data.total_pages,
+  });
+});
+
+// 用户选择图片后：触发下载跟踪 + 在 D1 记录 Unsplash 引用
+app.post('/track-download', authMiddleware, async (c) => {
+  const { downloadLocation, photoId, attribution } = await c.req.json();
+
+  // Required by Unsplash API: trigger download tracking
+  await fetch(downloadLocation, {
+    headers: { Authorization: `Client-ID ${c.env.UNSPLASH_KEY}` },
+  });
+
+  // Save reference in D1 (NOT the image file)
+  const db = drizzle(c.env.DB);
+  const id = crypto.randomUUID();
+  await db.insert(uploads).values({
+    id,
+    filename: `unsplash:${photoId}`, // special prefix, not an R2 key
+    originalname: `${attribution.name} via Unsplash`,
+    mimetype: 'image/jpeg',
+    size: 0, // not stored locally
+    folderId: c.req.header('x-folder-id') || 'default',
+    remark: JSON.stringify({ unsplash: true, attribution, photoId }),
+    createdAt: new Date().toISOString(),
+    updatedAt: new Date().toISOString(),
+    createdBy: c.get('user').id,
+    updatedBy: c.get('user').id,
+  });
+
+  return c.json({ id, photoId });
+});
+```
+
+**前端 Unsplash 插件**：显示 Unsplash 图片时使用 `urls.regular` (hotlink)，不从 R2 提供。需要改造 `createImageUrl()` 识别 `unsplash:` 前缀。
+
+### ~~5.4 AFS (Agentic File System) 集成~~ — 推迟到 v2
+
+> **v5 变更**: AFS 集成推迟到下个版本。先完成 Cloudflare 迁移的核心功能。
+> 完整的 AFS 设计方案（MediaStorage AFSModule）已保存在 git history 的 v4 版本中。
+
+### 5.5 Uploader Status Response (兼容现有前端)
+
+```typescript
+// GET /api/uploader/status — 保持与现有前端完全兼容的响应 schema
+app.get('/status', async (c) => {
+  const componentDid = c.req.header('x-component-did');
+
+  const availablePluginMap = {
+    AIImage: c.env.USE_AI_IMAGE === 'true',
+    Unsplash: !!(c.env.UNSPLASH_KEY && c.env.UNSPLASH_SECRET),
+    Uploaded: !!componentDid,  // if component context exists
+    Resources: false,           // dropped in CF version
+  };
+
+  const allowedFileTypes = c.env.ALLOWED_FILE_TYPES
+    ?.split(',')
+    .map(ext => {
+      const mimeMap: Record<string, string> = {
+        '.jpeg': 'image/jpeg', '.png': 'image/png', '.gif': 'image/gif',
+        '.svg': 'image/svg+xml', '.webp': 'image/webp', '.bmp': 'image/bmp',
+        '.ico': 'image/x-icon',
+      };
+      return mimeMap[ext.trim()] || '';
+    })
+    .filter(Boolean) || [];
+
+  const maxFileSize = parseSize(c.env.MAX_UPLOAD_SIZE) || Infinity;
+
+  return c.json({
+    availablePluginMap,
+    preferences: {
+      extsInput: c.env.ALLOWED_FILE_TYPES || '.jpeg,.png,.gif,.svg,.webp',
+      maxUploadSize: c.env.MAX_UPLOAD_SIZE || '100MB',
+      supportModels: c.env.SUPPORT_MODELS || '',
+      useAiImage: c.env.USE_AI_IMAGE === 'true',
+    },
+    restrictions: {
+      allowedFileTypes,
+      maxFileSize,
+    },
+  });
+});
+```
+
+### 5.6 Tags Query (v6 — 新增)
+
+```typescript
+// GET /api/uploads?tag=xxx — 按 tag 过滤上传文件
+// 使用 upload_tags 关联表 JOIN 查询
+app.get('/api/uploads', authMiddleware, async (c) => {
+  const tag = c.req.query('tag');
+  const page = parseInt(c.req.query('page') || '1');
+  const pageSize = parseInt(c.req.query('pageSize') || '20');
+  const offset = (page - 1) * pageSize;
+  const db = drizzle(c.env.DB);
+
+  let query;
+  if (tag) {
+    // JOIN upload_tags to filter by tag
+    query = db.select({ upload: uploads })
+      .from(uploads)
+      .innerJoin(uploadTags, eq(uploads.id, uploadTags.uploadId))
+      .where(eq(uploadTags.tag, tag))
+      .orderBy(desc(uploads.createdAt))
+      .limit(pageSize)
+      .offset(offset);
+  } else {
+    query = db.select().from(uploads)
+      .orderBy(desc(uploads.createdAt))
+      .limit(pageSize)
+      .offset(offset);
+  }
+
+  const data = await query;
+  // Count query for pagination
+  const [{ count }] = tag
+    ? await db.select({ count: sql`count(*)` })
+        .from(uploads)
+        .innerJoin(uploadTags, eq(uploads.id, uploadTags.uploadId))
+        .where(eq(uploadTags.tag, tag))
+    : await db.select({ count: sql`count(*)` }).from(uploads);
+
+  return c.json({ data, total: count, page, pageSize });
+});
+```
+
+### 5.7 Database Schema (v2)
+
+```sql
+-- migrations/0001_initial.sql
+
+CREATE TABLE IF NOT EXISTS uploads (
+  id TEXT PRIMARY KEY,
+  filename TEXT NOT NULL,
+  originalname TEXT,
+  mimetype TEXT,
+  size INTEGER,
+  remark TEXT DEFAULT '',
+  folder_id TEXT,
+  created_at TEXT,
+  updated_at TEXT,
+  created_by TEXT,
+  updated_by TEXT
+);
+
+CREATE INDEX idx_uploads_filename ON uploads(filename);
+CREATE INDEX idx_uploads_folder_id ON uploads(folder_id);
+CREATE INDEX idx_uploads_mimetype ON uploads(mimetype);
+CREATE INDEX idx_uploads_created_by ON uploads(created_by);
+CREATE INDEX idx_uploads_created_at ON uploads(created_at);
+
+-- Tags: normalized relation table (replaces JSON tags field)
+CREATE TABLE IF NOT EXISTS upload_tags (
+  upload_id TEXT NOT NULL,
+  tag TEXT NOT NULL,
+  PRIMARY KEY (upload_id, tag),
+  FOREIGN KEY (upload_id) REFERENCES uploads(id) ON DELETE CASCADE
+);
+
+CREATE INDEX idx_upload_tags_tag ON upload_tags(tag, upload_id);
+
+CREATE TABLE IF NOT EXISTS folders (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  created_at TEXT,
+  updated_at TEXT,
+  created_by TEXT,
+  updated_by TEXT
+);
+
+CREATE INDEX idx_folders_name ON folders(name);
+
+-- Upload sessions (multipart upload state)
+CREATE TABLE IF NOT EXISTS upload_sessions (
+  id TEXT PRIMARY KEY,
+  upload_id TEXT,
+  key TEXT NOT NULL,
+  final_key TEXT,
+  total_size INTEGER,
+  part_size INTEGER,
+  status TEXT DEFAULT 'active',
+  created_by TEXT,
+  created_at TEXT,
+  expires_at TEXT
+);
+
+CREATE INDEX idx_upload_sessions_status ON upload_sessions(status);
+CREATE INDEX idx_upload_sessions_expires ON upload_sessions(expires_at);
+
+-- NOTE: nonces table removed in v4 — auth handled by external tool
+```
+
+---
+
+## 6. Data Migration (v2 — Fixed)
+
+### 6.1 Files: Local Disk → R2
+
+```bash
+# rclone with .json metadata exclusion
+rclone copy /path/to/blocklet-data/uploads r2:media-kit-uploads \
+  --s3-provider=Cloudflare \
+  --s3-access-key-id=$R2_ACCESS_KEY \
+  --s3-secret-access-key=$R2_SECRET_KEY \
+  --s3-endpoint=https://$CF_ACCOUNT_ID.r2.cloudflarestorage.com \
+  --exclude "*.json" \
+  --transfers=16 --checkers=32 --progress
+```
+
+### 6.2 Database: SQLite → D1 (Parameterized)
+
+```typescript
+// scripts/migrate-data.ts — parameterized queries, no string concatenation
+import Database from 'better-sqlite3';
+
+const sourceDb = new Database('/path/to/media-kit.db');
+const uploads = sourceDb.prepare('SELECT * FROM uploads').all();
+
+// Generate parameterized SQL for wrangler d1 execute
+const BATCH_SIZE = 100;
+for (let i = 0; i < uploads.length; i += BATCH_SIZE) {
+  const batch = uploads.slice(i, i + BATCH_SIZE);
+
+  for (const u of batch) {
+    // Each insert is a separate parameterized statement
+    const stmt = `INSERT INTO uploads (id,filename,originalname,mimetype,size,remark,folder_id,created_at,updated_at,created_by,updated_by) VALUES (?,?,?,?,?,?,?,?,?,?,?)`;
+    const params = [
+      u.id, u.filename, u.originalname, u.mimetype, u.size,
+      u.remark || '', u.folderId || '',
+      u.createdAt, u.updatedAt, u.createdBy || '', u.updatedBy || ''
+    ];
+
+    // Use D1 HTTP API with parameterized queries
+    await d1Execute(stmt, params);
+
+    // Migrate tags from JSON to upload_tags table
+    const tags = JSON.parse(u.tags || '[]');
+    for (const tag of tags) {
+      await d1Execute(
+        'INSERT OR IGNORE INTO upload_tags (upload_id, tag) VALUES (?, ?)',
+        [u.id, tag]
+      );
+    }
+  }
+}
+
+// Migrate folders table
+const folders = sourceDb.prepare('SELECT * FROM folders').all();
+for (const f of folders) {
+  await d1Execute(
+    'INSERT INTO folders (id, name, created_at, updated_at, created_by, updated_by) VALUES (?,?,?,?,?,?)',
+    [f.id, f.name, f.createdAt, f.updatedAt, f.createdBy || '', f.updatedBy || '']
+  );
+}
+```
+
+---
+
+## 7. Cost Estimate (v2 — Three-tier)
+
+Based on: 5万 files, 100GB storage, 10万/day access, ~500 unique resize variants/day.
+
+| Item | Conservative | Medium | Peak |
+|------|-------------|--------|------|
+| Workers Paid Plan | $5 | $5 | $5 |
+| Workers Requests (beyond 10M/mo) | $0 | $0 | $1.50 |
+| R2 Storage (100GB) | $1.50 | $1.50 | $1.50 |
+| R2 Class A ops (writes) | $0.10 | $0.23 | $0.90 |
+| R2 Class B ops (reads) | $0.36 | $1.08 | $3.60 |
+| D1 rows_read (with tags join) | $0 | $0.75 | $2.50 |
+| D1 rows_written | $0 | $0 | $0.10 |
+| D1 Storage | $0 | $0 | $0 |
+| Image Transformations (unique) | $0 (5K free) | $5 ($0.50/1K × 10K) | $25 ($0.50/1K × 50K) |
+| Cloudflare Pro Plan (if needed) | $0 | $20 | $20 |
+| Cloudflare Pages | $0 | $0 | $0 |
+| R2 Egress | **$0** | **$0** | **$0** |
+| **Total** | **~$7/mo** | **~$34/mo** | **~$60/mo** |
+
+**Notes**:
+- Image Transformations 按 unique variants 计费（同一 URL 参数组合只算一次）
+- Pro Plan ($20) 仅在需要 Image Resizing (`cf.image`) 时必须
+- D1 rows_read：tags 关联查询比 JSON scan 更高效，但仍需关注频繁列表查询
+- Conservative 假设低流量、少量 resize；Peak 假设高流量、大量 resize 变体
+
+---
+
+## 8. wrangler.toml (v2)
+
+```toml
+name = "media-kit"
+main = "src/worker.ts"
+compatibility_date = "2024-12-01"
+compatibility_flags = ["nodejs_compat"]
+
+[vars]
+ENVIRONMENT = "production"
+MAX_UPLOAD_SIZE = "500MB"
+ALLOWED_FILE_TYPES = ".jpeg,.png,.gif,.svg,.webp,.bmp,.ico"
+USE_AI_IMAGE = "false"
+ADMIN_DIDS = "did:abt:default-uploader"  # 逗号分隔的管理员 DID 列表
+
+[[r2_buckets]]
+binding = "R2_UPLOADS"
+bucket_name = "media-kit-uploads"
+
+[[d1_databases]]
+binding = "DB"
+database_name = "media-kit-db"
+database_id = "to-be-created"
+
+# Service Binding (for other Workers to call media-kit)
+# Other Workers add: [[services]] binding = "MEDIA_KIT" service = "media-kit"
+
+[triggers]
+crons = ["0 * * * *"]
+
+[[routes]]
+pattern = "media.your-domain.com/*"
+zone_name = "your-domain.com"
+
+# Secrets (wrangler secret put):
+# R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY,
+# UNSPLASH_KEY, UNSPLASH_SECRET
+# R2_ORIGIN_DOMAIN (R2 公共域名，通过 IP Access Rule 限制仅 Cloudflare 边缘访问)
+# NOTE: 认证相关密钥待 Shijun 方案就绪后添加
+
+[env.staging]
+name = "media-kit-staging"
+[env.staging.vars]
+ENVIRONMENT = "staging"
+```
+
+---
+
+## 9. Risks & Mitigations (v3)
+
+| Risk | Impact | Mitigation |
+|------|--------|-----------|
+| Workers CPU timeout on confirm (hash large file) | Confirm fails | 文件 > 500MB: confirm 返回 `{ status: 'processing' }`，将 hash 任务推入 Queue；客户端轮询 `GET /api/uploads/confirm-status?sessionId=xxx`；Queue consumer 在 Worker 中运行（Queue handler 有 15min CPU 限制，足够处理大文件） |
+| D1 write concurrency | Upload conflicts | Single primary writer; writes are per-user natural sharding |
+| D1 cross-region latency | Slow list queries | Read replication enabled; list queries use replica |
+| SVG sanitize CPU | Timeout on large SVGs | Limit SVG to 5MB; reject larger. 使用 Workers 兼容方案（非 DOMPurify） |
+| R2 presigned URL expiry | Upload fails if slow | 1 hour expiry; client can request new URL |
+| Multipart session orphan | R2 storage waste | Hourly cron cleanup; 24h session expiry |
+| Unsplash hotlink availability | Image unavailable if removed | Store attribution metadata; show fallback |
+| Frontend refactor breaks other consumers | npm package incompatibility | Dual-mode package: TUS for Blocklet, presigned for CF |
+| Confirm step server-side hash mismatch | Indicates tampered upload | Reject and delete temp object; log for audit |
+| URL import SSRF | Internal network scanning | Host denylist (private IPs), 50MB size limit, max 3 redirects |
+| Service Binding secret leak | Privilege escalation | Rotate via wrangler secret; use per-service secrets if needed |
+| Dedup false positive (size+ext match) | Wrong file served | Dedup is hint only; single match required; confirm always verifies full-file hash |
+
+---
+
+## 10. Implementation Roadmap (v2)
+
+### Phase 1: Foundation (Week 1-2)
+- [ ] Create R2 bucket, D1 database, run migrations
+- [ ] Scaffold Worker (Hono + Drizzle + wrangler.toml)
+- [ ] Auth middleware（默认放行 + 预留 DID header）
+- [ ] `/uploads/*` file serving with Image Resizing
+- [ ] EXIF removal via `cf.image { metadata: 'none' }` in Worker
+- [ ] `GET/DELETE/PUT /api/uploads` CRUD
+
+### Phase 2: Upload Core (Week 2-3)
+- [ ] Presigned URL generation (aws4fetch)
+- [ ] R2 CORS configuration
+- [ ] Small file flow: presign → PUT → confirm
+- [ ] Large file flow: multipart create → part URLs → complete
+- [ ] Upload session management + cron cleanup
+- [ ] SVG sanitization on confirm
+- [ ] Frontend R2PresignedUpload plugin (replace TUS)
+
+### Phase 3: Features (Week 3-4)
+- [ ] Service Binding support（通信层，认证待定）
+- [ ] Folder management
+- [ ] Unsplash search + track-download (hotlink mode)
+- [ ] URL import (with SSRF protection: host denylist, 50MB size limit, max 3 redirects)
+- [ ] AI image generation proxy
+- [ ] Uploader status (compatible response schema)
+
+### Phase 4: Data Migration (Week 4-5)
+- [ ] Migration scripts (parameterized SQL)
+- [ ] rclone file migration
+- [ ] Verification (count, sampling, integrity)
+- [ ] tags → upload_tags migration
+
+### Phase 5: Testing & Launch (Week 5-6)
+- [ ] E2E tests (upload, resume, dedup, delete, resize)
+- [ ] Performance benchmark (presigned vs direct)
+- [ ] Staging deploy + smoke test
+- [ ] Production deploy
+- [ ] DNS cutover + monitoring
+
+### Future (v2)
+- [ ] 对接 Shijun 的认证方案（替换默认放行）
+- [ ] AFS MediaStorage 模块集成
+
+---
+
+## 11. Decisions Log (v6)
+
+| Decision | Choice | Rationale |
+|----------|--------|-----------|
+| Upload protocol | R2 presigned PUT + S3 multipart | Worker 不接收文件 body，无内存限制 |
+| Object key trust | Temp key → server hash → promote | 防止客户端伪造 key 覆盖他人文件 |
+| Resumability | Part-level resume (localStorage + S3 ListParts) | 替代 TUS 字节级断点 |
+| Server-side hash | js-md5 streaming (O(1) memory) | Workers WebCrypto 不支持 MD5；js-md5 纯 JS 3KB |
+| R2 copy/promote | S3 CopyObject via aws4fetch | R2 Workers binding 无 copy() 方法 |
+| R2 list parts | S3 ListParts + fast-xml-parser | R2 Workers binding 无 listParts()；正则解析 XML 脆弱 |
+| Auth | 默认放行 + ADMIN_DIDS 配置 | role=member 与管理操作矛盾，通过 ADMIN_DIDS 环境变量配置管理员 |
+| Blocklet SDK | 废弃 | SDK 相关 API 不迁移 |
+| AFS | 推迟到 v2 | 先完成核心迁移 |
+| EXIF removal | Worker `cf.image { metadata: 'none' }` + IP Access Rule 保护 origin | WAF 自定义 header 方案不可行（cf.image 代理不转发），改用 IP 限制 |
+| Unsplash | Hotlink + attribution | ToS 合规，不重新托管 |
+| Tags storage | Normalized upload_tags table + JOIN 查询 API | 避免 json_each() 全表扫描，支持 ?tag= 过滤 |
+| Dedup strategy | Size + ext 粗筛为 hint，confirm 阶段全文件 hash 最终确认 | first-5MB hash 与 filename(full hash) 不匹配，改为更简单的粗筛 |
+| SVG sanitization | Workers-compatible sanitizer（非 DOMPurify） | DOMPurify 依赖 DOM API，Workers 无 document/window |
+| Large file confirm | >500MB 异步 Queue 处理 | Workers 请求 CPU 限制 30s，Queue handler 15min |
+| URL import | Host denylist + size limit + redirect cap | 防 SSRF |
+| D1 replication | Read replicas for list queries | 降低跨区域延迟 |
+| Cost model | Three-tier (conservative/medium/peak) | 准确反映不同规模 |
+| ORM | Drizzle | Native D1 support |
+| Framework | Hono | Workers-native, Express-like |
+| Component call | Service Binding | 替代 blocklet component.call |
diff --git a/cloudflare/docs/MIGRATION-REPORT.md b/cloudflare/docs/MIGRATION-REPORT.md
new file mode 100644
index 0000000..e764521
--- /dev/null
+++ b/cloudflare/docs/MIGRATION-REPORT.md
@@ -0,0 +1,277 @@
+# Media Kit 迁移到 Cloudflare 方案报告
+
+> 2026 年 3 月 16 日 | 版本 6
+>
+> 本方案经过 Claude Opus 4.6 与 GPT-5.4 五轮交叉审查，累计发现并修复 40 个问题。
+> v6 更新：修复 Round 5 审查发现的 4 个 P1 + 4 个 P2 问题（auth 角色冲突、dedup 设计缺陷、
+> cf.image origin 方案不可行、前端响应契约缺失、DOMPurify 不兼容 Workers 等）。
+> 详细技术实现见 [MIGRATION-PLAN.md](./MIGRATION-PLAN.md)。
+
+---
+
+## 背景与动机
+
+Media Kit（又名 image-bin）是 ArcBlock 的媒体资产管理服务，目前运行在 Blocklet Server 上，使用 Express + SQLite + 本地磁盘存储。随着业务发展，我们希望将其迁移到 Cloudflare 边缘计算平台，以获得全球低延迟访问、零出站带宽费用以及免运维的基础设施。
+
+---
+
+## 迁移全景
+
+下表对比迁移前后的技术栈：
+
+| 层面 | 迁移前 | 迁移后 |
+|------|--------|--------|
+| 服务端运行时 | Express.js on Node.js | Hono on Cloudflare Workers |
+| 文件存储 | 服务器本地磁盘 | Cloudflare R2（私有存储桶） |
+| 数据库 | SQLite + Sequelize ORM | Cloudflare D1 + Drizzle ORM |
+| 上传方式 | TUS 协议（字节级断点续传） | R2 预签名直传 + S3 分片上传 |
+| 图片处理 | 不支持 | Cloudflare Image Resizing |
+| CDN 分发 | 手动 CDN_HOST 替换 | Cloudflare CDN 原生集成 |
+| 用户认证 | DID 钱包 + 组件签名 | 默认放行（预留 DID），待 Shijun 提供方案 |
+| 服务间通信 | Blocklet `component.call` | Cloudflare Service Binding |
+| 前端托管 | Blocklet 内嵌 | Cloudflare Pages |
+
+> **产品范围变更**：断点续传粒度从 TUS 的字节级降为分片级（最小 5MB）。用户刷新页面后仍可恢复未完成的上传，但恢复粒度是整个分片而非字节偏移。
+
+---
+
+## 整体架构
+
+```
+                ┌──────────────────────────┐
+                │     Cloudflare CDN       │
+                │   缓存 Worker 响应        │
+                └────────────┬─────────────┘
+                             │
+           ┌─────────────────▼────────────────┐
+           │       Cloudflare Worker          │
+           │        （Hono 框架）              │
+           ├──────────────────────────────────┤
+           │                                  │
+           │  认证层：默认放行（预留 DID）       │
+           │                                  │
+           │  图片服务：                        │
+           │  所有图片经 cf.image 去除 EXIF     │
+           │  支持按宽高参数实时缩放             │
+           │                                  │
+           │  上传流程：                        │
+           │  签名 → 客户端直传 R2 → 确认       │
+           │  Worker 全程不接触文件内容          │
+           │                                  │
+           └──┬──────────┬──────────┬─────────┘
+              │          │          │
+    ┌─────────▼──┐ ┌─────▼────┐ ┌──▼────────────┐
+    │ R2 存储桶   │ │ D1 数据库 │ │ Service Binding│
+    │ （私有）    │ │ （SQLite）│ │ 连接其他 Worker │
+    └────────────┘ └──────────┘ └───────────────┘
+
+    ┌──────────────────┐
+    │ Cloudflare Pages  │
+    │  React 前端        │
+    └──────────────────┘
+```
+
+这里有一个**重要的安全约束**：R2 存储桶不开放公共访问。所有文件请求都必须经过 Worker，Worker 会对图片自动应用 `cf.image { metadata: 'none' }`，确保 EXIF 信息在任何情况下都被移除——这是产品对用户隐私的承诺。
+
+---
+
+## 上传流程详解
+
+上传是 Media Kit 最核心的功能，迁移后的设计遵循四个原则：
+
+1. **Worker 不碰文件内容**——客户端拿到预签名 URL 后直接上传到 R2，Worker 只负责签发 URL 和记录元数据
+2. **先传临时位置，验证后再定位**——文件先上传到 `tmp/{uuid}.{ext}`，服务端确认内容后再移到以文件哈希命名的最终位置
+3. **大文件可恢复**——大于 100MB 的文件使用 S3 分片上传，每个分片完成后记录到 localStorage，刷新页面可从断点继续
+4. **服务端校验，不信任客户端**——最终的文件哈希由服务端流式计算（使用 js-md5，恒定内存占用），不依赖客户端提供的哈希值
+
+### 小文件（< 100MB）
+
+整个过程分五步：
+
+```
+第一步：客户端计算文件前 5MB 的 MD5（快速指纹）
+        ↓
+第二步：发送去重检查请求
+        如果数据库中已有相同指纹+相同大小的文件 → 跳过上传，直接确认
+        ↓
+第三步：请求预签名 URL
+        Worker 生成临时文件路径和签名后的上传地址
+        ↓
+第四步：客户端用预签名 URL 直接上传到 R2
+        这一步完全绕过 Worker，没有内存压力
+        ↓
+第五步：客户端请求确认
+        Worker 从 R2 读取刚上传的文件：
+        - 检查文件头的魔法字节，防止文件类型伪装
+        - 流式计算完整 MD5（内存恒定，不会溢出）
+        - 如果是 SVG，先做 XSS 清洗
+        - 将文件从临时路径复制到最终路径（以完整哈希命名）
+        - 删除临时文件
+        - 写入数据库记录
+```
+
+### 大文件（>= 100MB）
+
+与小文件共享去重检查和确认逻辑，区别在于上传阶段使用分片：
+
+```
+第一步：去重检查（同上）
+        ↓
+第二步：请求创建分片上传会话
+        Worker 在 R2 创建 multipart upload，返回会话信息
+        ↓
+第三步：逐片上传
+        每个分片：请求该片的预签名 URL → 上传 → 记录 ETag 到 localStorage
+        ↓
+第四步：如果中断了？
+        重新打开页面 → 从 localStorage 读取进度 → 向服务端查询已完成的分片 → 续传
+        ↓
+第五步：所有分片上传完成后，请求组装
+        Worker 调用 R2.complete() 将分片合并为完整对象
+        ↓
+第六步：请求确认（同小文件第五步）
+        这保证了大小文件的确认逻辑完全一致
+```
+
+---
+
+## 认证体系
+
+> **v5 变更**：当前版本先默认放行所有上传请求，使用硬编码的默认 DID 作为用户标识。Shijun 过几天会提供认证方案，届时替换。
+
+当前实现非常简单：auth 中间件尝试从 `x-user-did` header 读取用户 DID，如果没有就用默认值 `did:abt:default-uploader`。这保证了上传流程可以先跑通，认证方案就绪后只需在 Worker 前面加一层认证网关即可。
+
+同时，所有 Blocklet SDK 相关的 API（`/api/sdk/uploads` 等）在本次迁移中**全部废弃**，不做迁移。
+
+---
+
+---
+
+## 图片处理与隐私保护
+
+Media Kit 承诺自动移除所有图片的 EXIF 元数据（包含拍摄地点、设备信息等隐私数据）。在 Cloudflare 上，这通过 Worker 的 `cf.image` 参数实现。
+
+**工作方式**：当用户请求一张图片时，Worker 检测到文件类型是图片后，会通过一个 WAF 保护的 R2 自定义域名获取原始文件，同时附加 `cf.image { metadata: 'none' }` 参数。Cloudflare 的 Image Resizing 服务会在返回图片前自动剥离所有元数据。
+
+如果用户还传了宽高参数（如 `?w=200&h=150`），Worker 会同时传入尺寸参数，实现实时缩放。
+
+**为什么 R2 必须私有？** 如果 R2 存储桶有公开访问域名，任何人都可以绕过 Worker 直接访问原始文件，EXIF 信息就会泄露。因此存储桶必须是私有的，所有访问都经过 Worker。
+
+> 这个设计在审查中经历了三次迭代：v1 漏掉了 EXIF 移除；v2 错误地使用了 Transform Rule（实际上 Transform Rule 只能重写 URL，不能触发 Image Resizing）；v3 最终确定在 Worker 代码中使用 `cf.image`，并将 R2 设为私有。
+
+---
+
+## 数据库设计
+
+D1 是 Cloudflare 的边缘 SQLite 数据库。迁移后共 4 张表：
+
+| 表 | 说明 | 变化 |
+|---|------|------|
+| uploads | 文件元数据（ID、文件名、类型、大小、创建者等） | 结构不变 |
+| upload_tags | 文件标签 | 新增——原来标签存在 JSON 字段里，查询时需要 `json_each()` 全表扫描，现在用关联表 + 索引 |
+| folders | 文件夹 | 不变 |
+| upload_sessions | 分片上传会话 | 新增——记录进行中的分片上传状态，支持断点续传 |
+
+> v4 变更：移除了 nonces 表（随认证逻辑一起外部化）。
+
+**D1 部署策略**：启用读副本，让列表查询（占大多数请求）可以就近读取。写操作（上传确认、删除等）必须打到主节点以保证一致性。每小时运行 cron 清理过期的上传会话。
+
+---
+
+## Unsplash 集成
+
+原版 Media Kit 的 Companion 插件会将 Unsplash 图片下载后重新存储到本地。但 Unsplash 的服务条款明确要求使用他们的 URL 直接展示图片（hotlink），不允许重新托管。
+
+迁移后改为合规模式：搜索结果返回 Unsplash 的原始 URL 和摄影师署名信息，前端直接使用这些 URL 展示图片。用户选择图片时，系统调用 Unsplash 的下载追踪 API（这是 ToS 要求的），并在 D1 中记录引用关系，但不存储图片文件本身。
+
+---
+
+## 服务间通信
+
+在 Blocklet 体系中，组件间通过 `component.call` 互相调用。迁移后使用 Cloudflare Service Binding 替代——这是 Cloudflare 提供的零延迟 Worker 间通信机制。
+
+调用方在 `wrangler.toml` 中声明对 media-kit Worker 的绑定，然后通过 `env.MEDIA_KIT.fetch()` 发起请求。请求在 Cloudflare 内部网络完成，不经过公共互联网，性能接近函数调用。
+
+认证方面，当前版本默认放行，后续由 Shijun 的认证方案统一处理。
+
+---
+
+## 数据迁移
+
+迁移分两部分进行：
+
+**文件迁移**：使用 rclone 将本地磁盘的上传目录同步到 R2，排除 `.json` 元数据文件。支持 16 并发传输。
+
+**数据库迁移**：编写脚本从源 SQLite 读取数据，通过 D1 HTTP API 以参数化查询（非字符串拼接）批量插入。同时将 JSON 格式的 tags 字段拆分写入新的 upload_tags 关联表。
+
+---
+
+## 成本估算
+
+基于 5 万个文件、100GB 存储、每天 10 万次访问的规模：
+
+| 档位 | 月费用 | 适用场景 |
+|------|--------|---------|
+| 保守 | ~$7 | 低流量、很少用图片缩放 |
+| 中位 | ~$34 | 中等流量、常规缩放使用 |
+| 峰值 | ~$60 | 高流量、大量不同尺寸的缩放请求 |
+
+其中 Workers 基础套餐 $5/月，R2 存储 100GB 约 $1.50/月，最大的变量是 Image Resizing 的用量（按 unique 参数组合计费）和是否需要 Pro Plan（$20/月）。**R2 的出站带宽完全免费**，这是相比 AWS S3 的显著优势。
+
+---
+
+## 实施计划
+
+整个迁移预计 6 周完成，分五个阶段：
+
+**第 1-2 周：搭建基础**——创建 R2 存储桶和 D1 数据库，搭建 Hono Worker 骨架，auth 默认放行（预留 DID），完成文件服务（含 Image Resizing 和 EXIF 移除）。
+
+**第 2-3 周：上传核心**——实现预签名 URL 生成、小文件上传全流程、大文件分片上传全流程、前端 Uppy 插件替换（从 TUS 改为预签名直传）。
+
+**第 3-4 周：补齐功能**——Service Binding、文件夹管理、Unsplash 搜索（hotlink 模式）、URL 导入（含 SSRF 防护）、AI 图片生成代理。
+
+**第 5 周：数据迁移**——rclone 文件同步、D1 数据导入、标签关联表迁移、数据完整性校验。
+
+**第 6 周：测试上线**——端到端测试、性能基准测试、Staging 环境验证、生产部署、DNS 切换。
+
+---
+
+## 审查过程
+
+本方案经历了四轮跨模型交叉审查。每一轮由 Claude Opus 4.6 和 GPT-5.4（通过 Codex CLI）分别独立审查，然后交叉验证发现的问题：
+
+**第一轮**发现 7 个严重问题：R2 分片上传方案不完整、Worker 内存会溢出、HMAC 签名会消费请求体、EXIF 移除方案不可行、Unsplash 集成违反 ToS 等。全部修复后进入 v2。
+
+**第二轮**发现 5 个严重问题：Service Binding 认证可被伪造、`R2.copy()` API 根本不存在、Workers 不支持 MD5 哈希等。这些是 Cloudflare 平台的真实限制，只有深入了解平台才能发现。修复后进入 v3。
+
+**第三轮**发现 3 个严重问题：KV 的最终一致性无法保证 nonce 的原子唯一性、R2 公开域名会让用户绕过 EXIF 移除、分片上传的"组装"和"确认"步骤职责混淆。全部修复。
+
+**第四轮**确认：**所有严重问题已解决**。仅剩少量文档措辞优化建议。
+
+四轮审查累计发现并修复了 **15 个 P1（严重）+ 15 个 P2（中等）+ 1 个 P3（轻微）** 问题。
+
+---
+
+## 主要风险
+
+| 风险 | 缓解措施 |
+|------|---------|
+| 大文件哈希计算超时 | 使用流式增量哈希（恒定内存）；超大文件考虑异步队列 |
+| 分片上传会话遗留 | 每小时 cron 清理过期会话 |
+| 前端改造影响其他使用者 | 上传插件支持双模式——Blocklet 环境走 TUS，Cloudflare 环境走预签名 |
+| 去重误判 | 前 5MB 哈希仅作提示，最终去重以服务端全文件哈希为准 |
+
+---
+
+## 总结
+
+本方案将 Media Kit 从 Blocklet Server 完全迁移到 Cloudflare 边缘平台。核心设计保证了：
+
+- **零内存压力**：Worker 不接触文件内容，所有文件直传 R2
+- **隐私合规**：EXIF 在任何访问路径下都会被移除，无法绕过
+- **认证可插拔**：当前默认放行，预留 DID header，Shijun 方案就绪后无缝替换
+- **精简范围**：废弃 Blocklet SDK API，AFS 推迟到 v2，聚焦核心迁移
+- **成本可控**：月费 $7-60，R2 零出站费用
+- **可恢复上传**：大文件支持分片级断点续传
+
+方案经过四轮交叉审查验证了所有 Cloudflare 平台 API 的可行性，当前状态：**可以开始实施**。
diff --git a/cloudflare/drizzle.config.ts b/cloudflare/drizzle.config.ts
new file mode 100644
index 0000000..f920e69
--- /dev/null
+++ b/cloudflare/drizzle.config.ts
@@ -0,0 +1,7 @@
+import { defineConfig } from 'drizzle-kit';
+
+export default defineConfig({
+  schema: './src/db/schema.ts',
+  out: './migrations',
+  dialect: 'sqlite',
+});
diff --git a/cloudflare/frontend/index.html b/cloudflare/frontend/index.html
new file mode 100644
index 0000000..4347209
--- /dev/null
+++ b/cloudflare/frontend/index.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Media Kit</title>
+    <script>
+      // Must be set before any module loads — some modules read window.blocklet at top level
+      window.blocklet = {
+        prefix: '/',
+        appName: 'Media Kit',
+        appDescription: 'Media asset management',
+        appLogo: '',
+        version: '1.0.0',
+        status: 'running',
+        appUrl: window.location.origin,
+        tenantMode: 'single',
+        did: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
+        componentId: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
+        CDN_HOST: '',
+        UNSPLASH_KEY: '',
+        componentMountPoints: [{
+          title: 'Media Kit',
+          name: 'image-bin',
+          did: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
+          version: '1.0.0',
+          status: 'running',
+          mountPoint: '/',
+        }],
+        preferences: {
+          extsInput: '.jpeg,.png,.gif,.svg,.webp,.bmp,.ico',
+          maxUploadSize: '500MB',
+          useAiImage: true,
+        },
+        navigation: [],
+        theme: {},
+        languages: [
+          { code: 'en', name: 'English' },
+          { code: 'zh', name: '简体中文' },
+        ],
+      };
+    </script>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
diff --git a/cloudflare/frontend/package.json b/cloudflare/frontend/package.json
new file mode 100644
index 0000000..23217d0
--- /dev/null
+++ b/cloudflare/frontend/package.json
@@ -0,0 +1,67 @@
+{
+  "name": "media-kit-frontend",
+  "private": true,
+  "version": "1.0.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "@emotion/react": "^11.14.0",
+    "@emotion/styled": "^11.14.0",
+    "@lottiefiles/react-lottie-player": "^3.5.4",
+    "@mui/icons-material": "^7.1.2",
+    "@mui/material": "^7.1.2",
+    "@uppy/core": "3.13.1",
+    "@uppy/dashboard": "3.9.1",
+    "@uppy/drag-drop": "3.1.1",
+    "@uppy/drop-target": "2.1.0",
+    "@uppy/file-input": "3.1.2",
+    "@uppy/golden-retriever": "3.2.0",
+    "@uppy/image-editor": "2.4.6",
+    "@uppy/locales": "3.5.4",
+    "@uppy/progress-bar": "3.1.1",
+    "@uppy/provider-views": "3.13.0",
+    "@uppy/react": "3.4.0",
+    "@uppy/status-bar": "3.3.3",
+    "@uppy/tus": "3.5.5",
+    "@uppy/unsplash": "3.3.1",
+    "@uppy/url": "3.6.1",
+    "@uppy/webcam": "3.4.2",
+    "ahooks": "^3.8.1",
+    "axios": "^1.7.0",
+    "copy-to-clipboard": "^3.3.3",
+    "dompurify": "^3.2.2",
+    "exifr": "^7.1.3",
+    "fflate": "^0.8.2",
+    "js-cookie": "^3.0.5",
+    "lodash": "^4.17.21",
+    "micromatch": "^4.0.8",
+    "mime-types": "^2.1.35",
+    "path-browserify": "^1.0.1",
+    "preact": "10.20.1",
+    "pretty-bytes": "^6.1.0",
+    "prop-types": "^15.8.1",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "react-player": "^2.16.0",
+    "react-router-dom": "^6.28.0",
+    "spark-md5": "^3.0.2",
+    "timeago.js": "^4.0.2",
+    "ufo": "^1.6.1",
+    "url-join": "^4.0.1",
+    "wolfy87-eventemitter": "^5.2.9",
+    "xbytes": "^1.9.1"
+  },
+  "devDependencies": {
+    "@types/js-cookie": "^3.0.6",
+    "@types/lodash": "^4.17.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "@vitejs/plugin-react": "^4.3.0",
+    "typescript": "^5.5.0",
+    "vite": "^6.0.0"
+  }
+}
diff --git a/cloudflare/frontend/src/App.tsx b/cloudflare/frontend/src/App.tsx
new file mode 100644
index 0000000..dbc2cac
--- /dev/null
+++ b/cloudflare/frontend/src/App.tsx
@@ -0,0 +1,143 @@
+import { useState, useEffect, useCallback } from 'react';
+import AppBar from '@mui/material/AppBar';
+import Toolbar from '@mui/material/Toolbar';
+import Typography from '@mui/material/Typography';
+import Container from '@mui/material/Container';
+import Box from '@mui/material/Box';
+import CircularProgress from '@mui/material/CircularProgress';
+import Dialog from '@mui/material/Dialog';
+import DialogTitle from '@mui/material/DialogTitle';
+import DialogContent from '@mui/material/DialogContent';
+import DialogActions from '@mui/material/DialogActions';
+import Button from '@mui/material/Button';
+import api from './api';
+import UploadButton from './components/UploadButton';
+import ImageGrid from './components/ImageGrid';
+import FolderList from './components/FolderList';
+
+interface Upload {
+  id: string;
+  filename: string;
+  originalname: string;
+  mimetype: string;
+  size: number;
+  created_at: string;
+}
+
+interface Folder {
+  id: string;
+  name: string;
+}
+
+export default function App() {
+  const [uploads, setUploads] = useState<Upload[]>([]);
+  const [folders, setFolders] = useState<Folder[]>([]);
+  const [selectedFolder, setSelectedFolder] = useState('');
+  const [loading, setLoading] = useState(true);
+  const [page, setPage] = useState(1);
+  const [hasMore, setHasMore] = useState(true);
+  const [deleteTarget, setDeleteTarget] = useState<string | null>(null);
+
+  const pageSize = 20;
+
+  const fetchUploads = useCallback(
+    async (p = 1, append = false) => {
+      setLoading(true);
+      try {
+        const params: any = { page: p, pageSize };
+        if (selectedFolder) params.folderId = selectedFolder;
+        const { data } = await api.get('/api/uploads', { params });
+        const list = data.data || [];
+        setUploads(append ? (prev) => [...prev, ...list] : list);
+        setHasMore(list.length >= pageSize);
+        setPage(p);
+      } finally {
+        setLoading(false);
+      }
+    },
+    [selectedFolder]
+  );
+
+  const fetchFolders = async () => {
+    try {
+      const { data } = await api.get('/api/folders');
+      setFolders(data.data || data || []);
+    } catch {
+      // folders endpoint may not exist yet
+    }
+  };
+
+  useEffect(() => {
+    fetchUploads(1);
+  }, [fetchUploads]);
+
+  useEffect(() => {
+    fetchFolders();
+  }, []);
+
+  const handleUploadFinish = () => {
+    fetchUploads(1);
+  };
+
+  const handleDelete = async () => {
+    if (!deleteTarget) return;
+    await api.delete(`/api/uploads/${deleteTarget}`);
+    setDeleteTarget(null);
+    fetchUploads(1);
+  };
+
+  const loadMore = () => {
+    if (hasMore && !loading) {
+      fetchUploads(page + 1, true);
+    }
+  };
+
+  return (
+    <Box sx={{ minHeight: '100vh', bgcolor: 'grey.50' }}>
+      <AppBar position="static" elevation={1}>
+        <Toolbar>
+          <Typography variant="h6" sx={{ flexGrow: 1 }}>
+            Media Kit
+          </Typography>
+        </Toolbar>
+      </AppBar>
+
+      <Container maxWidth="lg" sx={{ py: 3 }}>
+        <Box sx={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', mb: 2 }}>
+          <FolderList
+            folders={folders}
+            selectedFolder={selectedFolder}
+            onSelect={(id) => setSelectedFolder(id)}
+            onCreated={fetchFolders}
+          />
+          <UploadButton folderId={selectedFolder} onUploadFinish={handleUploadFinish} />
+        </Box>
+
+        <ImageGrid uploads={uploads} onDelete={(id) => setDeleteTarget(id)} />
+
+        {loading && (
+          <Box sx={{ textAlign: 'center', py: 3 }}>
+            <CircularProgress />
+          </Box>
+        )}
+
+        {!loading && hasMore && uploads.length > 0 && (
+          <Box sx={{ textAlign: 'center', py: 2 }}>
+            <Button onClick={loadMore}>Load More</Button>
+          </Box>
+        )}
+      </Container>
+
+      <Dialog open={!!deleteTarget} onClose={() => setDeleteTarget(null)}>
+        <DialogTitle>Delete File</DialogTitle>
+        <DialogContent>Are you sure you want to delete this file?</DialogContent>
+        <DialogActions>
+          <Button onClick={() => setDeleteTarget(null)}>Cancel</Button>
+          <Button onClick={handleDelete} color="error" variant="contained">
+            Delete
+          </Button>
+        </DialogActions>
+      </Dialog>
+    </Box>
+  );
+}
diff --git a/cloudflare/frontend/src/api.ts b/cloudflare/frontend/src/api.ts
new file mode 100644
index 0000000..fc58335
--- /dev/null
+++ b/cloudflare/frontend/src/api.ts
@@ -0,0 +1,14 @@
+import axios from 'axios';
+
+const api = axios.create({
+  timeout: 200000,
+  headers: {
+    'x-user-did': 'did:abt:default-uploader',
+  },
+});
+
+export default api;
+
+export function getImageUrl(filename: string): string {
+  return `/uploads/${filename}`;
+}
diff --git a/cloudflare/frontend/src/components/FolderList.tsx b/cloudflare/frontend/src/components/FolderList.tsx
new file mode 100644
index 0000000..c7d1ac7
--- /dev/null
+++ b/cloudflare/frontend/src/components/FolderList.tsx
@@ -0,0 +1,89 @@
+import { useState } from 'react';
+import Box from '@mui/material/Box';
+import Chip from '@mui/material/Chip';
+import Button from '@mui/material/Button';
+import TextField from '@mui/material/TextField';
+import Dialog from '@mui/material/Dialog';
+import DialogTitle from '@mui/material/DialogTitle';
+import DialogContent from '@mui/material/DialogContent';
+import DialogActions from '@mui/material/DialogActions';
+import FolderIcon from '@mui/icons-material/Folder';
+import AddIcon from '@mui/icons-material/Add';
+import api from '../api';
+
+interface Folder {
+  id: string;
+  name: string;
+}
+
+interface Props {
+  folders: Folder[];
+  selectedFolder: string;
+  onSelect: (id: string) => void;
+  onCreated: () => void;
+}
+
+export default function FolderList({ folders, selectedFolder, onSelect, onCreated }: Props) {
+  const [open, setOpen] = useState(false);
+  const [name, setName] = useState('');
+  const [creating, setCreating] = useState(false);
+
+  const handleCreate = async () => {
+    if (!name.trim()) return;
+    setCreating(true);
+    try {
+      await api.post('/api/folders', { name: name.trim() });
+      setName('');
+      setOpen(false);
+      onCreated();
+    } finally {
+      setCreating(false);
+    }
+  };
+
+  return (
+    <>
+      <Box sx={{ display: 'flex', gap: 1, flexWrap: 'wrap', alignItems: 'center' }}>
+        <Chip
+          icon={<FolderIcon />}
+          label="All"
+          variant={selectedFolder === '' ? 'filled' : 'outlined'}
+          color={selectedFolder === '' ? 'primary' : 'default'}
+          onClick={() => onSelect('')}
+        />
+        {folders.map((f) => (
+          <Chip
+            key={f.id}
+            icon={<FolderIcon />}
+            label={f.name}
+            variant={selectedFolder === f.id ? 'filled' : 'outlined'}
+            color={selectedFolder === f.id ? 'primary' : 'default'}
+            onClick={() => onSelect(f.id)}
+          />
+        ))}
+        <Chip icon={<AddIcon />} label="New Folder" variant="outlined" onClick={() => setOpen(true)} />
+      </Box>
+
+      <Dialog open={open} onClose={() => setOpen(false)} maxWidth="xs" fullWidth>
+        <DialogTitle>Create Folder</DialogTitle>
+        <DialogContent>
+          <TextField
+            autoFocus
+            fullWidth
+            margin="dense"
+            label="Folder Name"
+            value={name}
+            onChange={(e) => setName(e.target.value)}
+            onKeyDown={(e) => e.key === 'Enter' && handleCreate()}
+          />
+        </DialogContent>
+        <DialogActions>
+          <Button onClick={() => setOpen(false)}>Cancel</Button>
+          <Button onClick={handleCreate} variant="contained" disabled={creating || !name.trim()}>
+            Create
+          </Button>
+        </DialogActions>
+      </Dialog>
+    </>
+  );
+}
diff --git a/cloudflare/frontend/src/components/ImageGrid.tsx b/cloudflare/frontend/src/components/ImageGrid.tsx
new file mode 100644
index 0000000..b154f15
--- /dev/null
+++ b/cloudflare/frontend/src/components/ImageGrid.tsx
@@ -0,0 +1,128 @@
+import { useState } from 'react';
+import Box from '@mui/material/Box';
+import Card from '@mui/material/Card';
+import CardMedia from '@mui/material/CardMedia';
+import CardActions from '@mui/material/CardActions';
+import IconButton from '@mui/material/IconButton';
+import Tooltip from '@mui/material/Tooltip';
+import Typography from '@mui/material/Typography';
+import ContentCopyIcon from '@mui/icons-material/ContentCopy';
+import DownloadIcon from '@mui/icons-material/Download';
+import DeleteIcon from '@mui/icons-material/Delete';
+import Snackbar from '@mui/material/Snackbar';
+import prettyBytes from 'pretty-bytes';
+import { format as timeago } from 'timeago.js';
+import { getImageUrl } from '../api';
+
+interface Upload {
+  id: string;
+  filename: string;
+  originalname: string;
+  mimetype: string;
+  size: number;
+  created_at: string;
+  url?: string;
+}
+
+interface Props {
+  uploads: Upload[];
+  onDelete: (id: string) => void;
+}
+
+function isImage(mimetype: string) {
+  return mimetype?.startsWith('image/');
+}
+
+function isVideo(mimetype: string) {
+  return mimetype?.startsWith('video/');
+}
+
+export default function ImageGrid({ uploads, onDelete }: Props) {
+  const [snackMsg, setSnackMsg] = useState('');
+
+  const copyUrl = (filename: string) => {
+    const url = `${window.location.origin}${getImageUrl(filename)}`;
+    navigator.clipboard.writeText(url);
+    setSnackMsg('URL copied');
+  };
+
+  const download = (filename: string, originalname: string) => {
+    const a = document.createElement('a');
+    a.href = getImageUrl(filename);
+    a.download = originalname;
+    a.click();
+  };
+
+  if (uploads.length === 0) {
+    return (
+      <Box sx={{ textAlign: 'center', py: 8, color: 'text.secondary' }}>
+        <Typography variant="h6">No files uploaded yet</Typography>
+        <Typography variant="body2">Click "Upload" to add files</Typography>
+      </Box>
+    );
+  }
+
+  return (
+    <>
+      <Box sx={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(200px, 1fr))', gap: 2 }}>
+        {uploads.map((item) => (
+          <Card key={item.id} sx={{ overflow: 'hidden' }}>
+            {isImage(item.mimetype) ? (
+              <CardMedia
+                component="img"
+                height={160}
+                image={getImageUrl(item.filename)}
+                alt={item.originalname}
+                sx={{ objectFit: 'cover' }}
+              />
+            ) : isVideo(item.mimetype) ? (
+              <Box sx={{ height: 160, display: 'flex', alignItems: 'center', justifyContent: 'center', bgcolor: 'grey.100' }}>
+                <video src={getImageUrl(item.filename)} style={{ maxHeight: 160, maxWidth: '100%' }} />
+              </Box>
+            ) : (
+              <Box sx={{ height: 160, display: 'flex', alignItems: 'center', justifyContent: 'center', bgcolor: 'grey.100' }}>
+                <Typography variant="body2" color="text.secondary">
+                  {item.mimetype || 'File'}
+                </Typography>
+              </Box>
+            )}
+            <Box sx={{ px: 1.5, py: 1 }}>
+              <Tooltip title={item.originalname}>
+                <Typography variant="body2" noWrap>
+                  {item.originalname}
+                </Typography>
+              </Tooltip>
+              <Typography variant="caption" color="text.secondary">
+                {prettyBytes(item.size || 0)} · {timeago(item.created_at)}
+              </Typography>
+            </Box>
+            <CardActions sx={{ pt: 0 }}>
+              <Tooltip title="Copy URL">
+                <IconButton size="small" onClick={() => copyUrl(item.filename)}>
+                  <ContentCopyIcon fontSize="small" />
+                </IconButton>
+              </Tooltip>
+              <Tooltip title="Download">
+                <IconButton size="small" onClick={() => download(item.filename, item.originalname)}>
+                  <DownloadIcon fontSize="small" />
+                </IconButton>
+              </Tooltip>
+              <Tooltip title="Delete">
+                <IconButton size="small" color="error" onClick={() => onDelete(item.id)}>
+                  <DeleteIcon fontSize="small" />
+                </IconButton>
+              </Tooltip>
+            </CardActions>
+          </Card>
+        ))}
+      </Box>
+      <Snackbar
+        open={!!snackMsg}
+        autoHideDuration={2000}
+        onClose={() => setSnackMsg('')}
+        message={snackMsg}
+        anchorOrigin={{ vertical: 'bottom', horizontal: 'center' }}
+      />
+    </>
+  );
+}
diff --git a/cloudflare/frontend/src/components/UploadButton.tsx b/cloudflare/frontend/src/components/UploadButton.tsx
new file mode 100644
index 0000000..8486d4f
--- /dev/null
+++ b/cloudflare/frontend/src/components/UploadButton.tsx
@@ -0,0 +1,67 @@
+import { lazy, Suspense, useRef, useCallback } from 'react';
+import Button from '@mui/material/Button';
+import CircularProgress from '@mui/material/CircularProgress';
+import CloudUploadIcon from '@mui/icons-material/CloudUpload';
+import { createPortal } from 'react-dom';
+
+const UploaderComponent = lazy(() =>
+  import('@blocklet/uploader').then((res) => ({
+    default: res.Uploader,
+  }))
+);
+
+interface Props {
+  folderId?: string;
+  onUploadFinish?: (data: any) => void;
+}
+
+export default function UploadButton({ folderId, onUploadFinish }: Props) {
+  const uploaderRef = useRef<any>(null);
+
+  const handleOpen = useCallback(() => {
+    uploaderRef.current?.open();
+  }, []);
+
+  const uploaderPortal = (
+    <Suspense fallback={null}>
+      <UploaderComponent
+        ref={uploaderRef}
+        popup
+        onUploadFinish={(result: any) => {
+          onUploadFinish?.(result.data);
+        }}
+        uploadedProps={{
+          onSelectedFiles: (files: any[]) => {
+            if (files.length) {
+              onUploadFinish?.(files[0]);
+            }
+          },
+        }}
+        coreProps={{
+          restrictions: {
+            allowedFileExts: ['.jpeg', '.png', '.gif', '.svg', '.webp', '.bmp', '.ico', '.jpg'],
+            maxFileSize: 500 * 1024 * 1024,
+          },
+          meta: { folderId: folderId || '' },
+        }}
+        apiPathProps={{
+          uploader: '/api/uploads',
+          companion: '/api/companion',
+        }}
+        installerProps={{
+          disabled: true,
+        }}
+        locale="en"
+      />
+    </Suspense>
+  );
+
+  return (
+    <>
+      <Button variant="contained" startIcon={<CloudUploadIcon />} onClick={handleOpen}>
+        Upload
+      </Button>
+      {createPortal(uploaderPortal, document.body)}
+    </>
+  );
+}
diff --git a/cloudflare/frontend/src/main.tsx b/cloudflare/frontend/src/main.tsx
new file mode 100644
index 0000000..661ebcd
--- /dev/null
+++ b/cloudflare/frontend/src/main.tsx
@@ -0,0 +1,7 @@
+// window.blocklet is already set in index.html <script> (must run before module imports)
+import { createRoot } from 'react-dom/client';
+
+// @ts-ignore - jsx file
+import App from 'image-bin-src/app';
+
+createRoot(document.getElementById('root')!).render(<App />);
diff --git a/cloudflare/frontend/src/plugins/presigned-upload.ts b/cloudflare/frontend/src/plugins/presigned-upload.ts
new file mode 100644
index 0000000..bef4fb2
--- /dev/null
+++ b/cloudflare/frontend/src/plugins/presigned-upload.ts
@@ -0,0 +1,127 @@
+/**
+ * Direct Upload Plugin for Uppy
+ *
+ * Uploads files through the Worker (POST /uploads/direct with FormData).
+ * Works in both local dev (miniflare) and production.
+ * For production with large files, can be extended to use presigned URLs.
+ */
+
+import { BasePlugin } from '@uppy/core';
+
+interface DirectUploadOptions {
+  id?: string;
+  apiBase: string;
+  headers?: Record<string, string>;
+}
+
+export default class DirectUploadPlugin extends BasePlugin {
+  declare opts: DirectUploadOptions;
+  private boundHandleUpload: (fileIDs: string[]) => Promise<void>;
+
+  constructor(uppy: any, opts: DirectUploadOptions) {
+    super(uppy, opts);
+    this.id = opts.id || 'DirectUpload';
+    this.type = 'uploader';
+    this.opts = opts;
+    this.boundHandleUpload = this.handleUpload.bind(this);
+  }
+
+  install() {
+    this.uppy.addUploader(this.boundHandleUpload);
+  }
+
+  uninstall() {
+    this.uppy.removeUploader(this.boundHandleUpload);
+  }
+
+  private async handleUpload(fileIDs: string[]): Promise<void> {
+    const files = fileIDs.map((id) => this.uppy.getFile(id));
+    for (const file of files) {
+      try {
+        await this.uploadFile(file);
+      } catch (err: any) {
+        this.uppy.log(`[DirectUpload] Error: ${err.message}`, 'error');
+        this.uppy.emit('upload-error', file, err);
+      }
+    }
+  }
+
+  private async uploadFile(file: any): Promise<void> {
+    const formData = new FormData();
+    formData.append('file', file.data, file.name);
+    if (file.meta?.folderId) {
+      formData.append('folderId', file.meta.folderId);
+    }
+    if (file.meta?.tags) {
+      formData.append('tags', file.meta.tags);
+    }
+
+    const xhr = new XMLHttpRequest();
+    const result = await new Promise<any>((resolve, reject) => {
+      xhr.open('POST', `${this.opts.apiBase}/uploads/direct`, true);
+
+      // Set auth headers
+      const headers = this.opts.headers || {};
+      headers['x-user-did'] = headers['x-user-did'] || 'did:abt:default-uploader';
+      Object.entries(headers).forEach(([k, v]) => {
+        if (k.toLowerCase() !== 'content-type') {
+          xhr.setRequestHeader(k, v);
+        }
+      });
+
+      xhr.upload.onprogress = (e) => {
+        if (e.lengthComputable) {
+          this.uppy.setFileState(file.id, {
+            progress: {
+              uploadStarted: Date.now(),
+              uploadComplete: false,
+              percentage: Math.round((e.loaded / e.total) * 100),
+              bytesUploaded: e.loaded,
+              bytesTotal: e.total,
+            },
+          });
+          this.uppy.emit('upload-progress', this.uppy.getFile(file.id), {
+            uploader: this,
+            bytesUploaded: e.loaded,
+            bytesTotal: e.total,
+          });
+        }
+      };
+
+      xhr.onload = () => {
+        if (xhr.status >= 200 && xhr.status < 300) {
+          resolve(JSON.parse(xhr.responseText));
+        } else {
+          let errMsg = `Upload failed: ${xhr.status}`;
+          try {
+            errMsg = JSON.parse(xhr.responseText).error || errMsg;
+          } catch {}
+          reject(new Error(errMsg));
+        }
+      };
+
+      xhr.onerror = () => reject(new Error('Network error during upload'));
+      xhr.onabort = () => reject(new Error('Upload aborted'));
+
+      xhr.send(formData);
+    });
+
+    const uploadURL = result.url || `/uploads/${result.filename}`;
+
+    this.uppy.setFileState(file.id, {
+      progress: {
+        uploadStarted: Date.now(),
+        uploadComplete: true,
+        percentage: 100,
+        bytesUploaded: file.size || file.data?.size || 0,
+        bytesTotal: file.size || file.data?.size || 0,
+      },
+    });
+
+    this.uppy.emit('upload-success', this.uppy.getFile(file.id), {
+      uploadURL,
+      status: 200,
+      body: result,
+    });
+  }
+}
diff --git a/cloudflare/frontend/src/shims/arcblock-did.ts b/cloudflare/frontend/src/shims/arcblock-did.ts
new file mode 100644
index 0000000..e27f99e
--- /dev/null
+++ b/cloudflare/frontend/src/shims/arcblock-did.ts
@@ -0,0 +1,8 @@
+/**
+ * Shim for @arcblock/did
+ * Provides basic DID validation.
+ */
+export function isValid(did: string): boolean {
+  if (!did || typeof did !== 'string') return false;
+  return /^z[1-9A-HJ-NP-Za-km-z]{20,50}$/.test(did) || did.startsWith('did:abt:');
+}
diff --git a/cloudflare/frontend/src/shims/arcblock-ux.tsx b/cloudflare/frontend/src/shims/arcblock-ux.tsx
new file mode 100644
index 0000000..4a5cc75
--- /dev/null
+++ b/cloudflare/frontend/src/shims/arcblock-ux.tsx
@@ -0,0 +1,184 @@
+/**
+ * Shim for @arcblock/ux components
+ * Provides minimal implementations of all used components.
+ */
+import { createContext, useContext, useState, type ReactNode } from 'react';
+import { ThemeProvider, createTheme } from '@mui/material/styles';
+import MuiButton from '@mui/material/Button';
+import MuiDialog from '@mui/material/Dialog';
+import MuiDialogTitle from '@mui/material/DialogTitle';
+import MuiDialogContent from '@mui/material/DialogContent';
+import MuiDialogActions from '@mui/material/DialogActions';
+import Snackbar from '@mui/material/Snackbar';
+import Alert from '@mui/material/Alert';
+import Box from '@mui/material/Box';
+import Typography from '@mui/material/Typography';
+import CircularProgress from '@mui/material/CircularProgress';
+import ButtonGroup from '@mui/material/ButtonGroup';
+import Menu from '@mui/material/Menu';
+import MenuItem from '@mui/material/MenuItem';
+import ArrowDropDownIcon from '@mui/icons-material/ArrowDropDown';
+import { useRef } from 'react';
+
+// --- Toast ---
+let toastFn: ((msg: string, severity: 'success' | 'error' | 'info' | 'warning') => void) | null = null;
+
+export function ToastProvider({ children }: { children: ReactNode }) {
+  const [open, setOpen] = useState(false);
+  const [message, setMessage] = useState('');
+  const [severity, setSeverity] = useState<'success' | 'error' | 'info' | 'warning'>('success');
+
+  toastFn = (msg, sev) => {
+    setMessage(msg);
+    setSeverity(sev);
+    setOpen(true);
+  };
+
+  return (
+    <>
+      {children}
+      <Snackbar open={open} autoHideDuration={3000} onClose={() => setOpen(false)} anchorOrigin={{ vertical: 'top', horizontal: 'center' }}>
+        <Alert severity={severity} onClose={() => setOpen(false)}>
+          {message}
+        </Alert>
+      </Snackbar>
+    </>
+  );
+}
+
+export const Toast = {
+  success: (msg: string) => toastFn?.(msg, 'success'),
+  error: (msg: string) => toastFn?.(msg, 'error'),
+  info: (msg: string) => toastFn?.(msg, 'info'),
+  warning: (msg: string) => toastFn?.(msg, 'warning'),
+};
+
+// --- Center ---
+export function Center({ children, ...props }: any) {
+  return (
+    <Box display="flex" justifyContent="center" alignItems="center" minHeight="200px" {...props}>
+      {children || <CircularProgress />}
+    </Box>
+  );
+}
+
+// --- ConfigProvider ---
+const defaultTheme = createTheme();
+
+export function ConfigProvider({ children, translations, fallbackLocale, theme, injectFirst }: any) {
+  const muiTheme = theme ? createTheme(theme) : defaultTheme;
+  return (
+    <ThemeProvider theme={muiTheme}>
+      <LocaleProvider translations={translations} fallbackLocale={fallbackLocale}>
+        {children}
+      </LocaleProvider>
+    </ThemeProvider>
+  );
+}
+
+// --- Locale Context ---
+const LocaleContext = createContext<any>({ locale: 'en', t: (key: string, data?: any) => key, changeLocale: () => {} });
+
+function LocaleProvider({ children, translations, fallbackLocale }: any) {
+  const [locale, setLocale] = useState(fallbackLocale || 'en');
+
+  const t = (key: string, data?: any) => {
+    // Translations are pre-flattened (e.g. { 'common.buckets': 'Buckets' })
+    let val = translations?.[locale]?.[key];
+    if (val === undefined) {
+      val = translations?.[fallbackLocale || 'en']?.[key];
+    }
+    if (typeof val === 'string' && data) {
+      return Object.entries(data).reduce((s: string, [k, v]) => s.replace(`{${k}}`, String(v)), val);
+    }
+    return val || key;
+  };
+
+  return (
+    <LocaleContext.Provider value={{ locale, t, changeLocale: setLocale }}>
+      {children}
+    </LocaleContext.Provider>
+  );
+}
+
+export function useLocaleContext() {
+  return useContext(LocaleContext);
+}
+
+// --- withTracker ---
+export function withTracker(Component: any) {
+  return Component;
+}
+
+// --- Result ---
+export function Result({ status, title, extra }: any) {
+  return (
+    <Box sx={{ textAlign: 'center', py: 8 }}>
+      <Typography variant="h4" gutterBottom>{status}</Typography>
+      <Typography variant="body1" gutterBottom>{title}</Typography>
+      {extra && <Box sx={{ mt: 2 }}>{extra}</Box>}
+    </Box>
+  );
+}
+
+// --- Button (wraps MUI Button) ---
+export function Button(props: any) {
+  return <MuiButton {...props} />;
+}
+
+// --- SplitButton ---
+// Original API: <SplitButton menu={[{ children, onClick, disabled }]} onClick={...}>label</SplitButton>
+export function SplitButton({ children, menu, options, onClick, size, variant, color, ...rest }: any) {
+  const [anchorEl, setAnchorEl] = useState<null | HTMLElement>(null);
+  const items = menu || options || [];
+
+  return (
+    <>
+      <ButtonGroup variant={variant || 'outlined'} color={color} size={size} {...rest}>
+        <MuiButton onClick={onClick} size={size}>{children}</MuiButton>
+        <MuiButton size={size} onClick={(e) => setAnchorEl(e.currentTarget)}>
+          <ArrowDropDownIcon />
+        </MuiButton>
+      </ButtonGroup>
+      <Menu anchorEl={anchorEl} open={!!anchorEl} onClose={() => setAnchorEl(null)}>
+        {items.map((item: any, i: number) => (
+          <MenuItem
+            key={i}
+            disabled={item.disabled}
+            onClick={() => {
+              setAnchorEl(null);
+              item.onClick?.();
+            }}>
+            {item.children || item.label}
+          </MenuItem>
+        ))}
+      </Menu>
+    </>
+  );
+}
+
+// --- Confirm Dialog ---
+export function Confirm({ open, title, onConfirm, onCancel, children, ...props }: any) {
+  return (
+    <MuiDialog open={!!open} onClose={onCancel} {...props}>
+      {title && <MuiDialogTitle>{title}</MuiDialogTitle>}
+      <MuiDialogContent>{children}</MuiDialogContent>
+      <MuiDialogActions>
+        <MuiButton onClick={onCancel}>Cancel</MuiButton>
+        <MuiButton onClick={onConfirm} variant="contained" color="primary">Confirm</MuiButton>
+      </MuiDialogActions>
+    </MuiDialog>
+  );
+}
+
+// --- Empty ---
+export function Empty({ children, ...props }: any) {
+  return (
+    <Box sx={{ textAlign: 'center', py: 8, color: 'text.secondary' }} {...props}>
+      <Typography variant="body1">{children || 'No data'}</Typography>
+    </Box>
+  );
+}
+
+// Default export fallback for any unmatched import
+export default { Toast, ToastProvider, Center, ConfigProvider, useLocaleContext, withTracker, Result, Button, SplitButton, Confirm, Empty };
diff --git a/cloudflare/frontend/src/shims/blocklet-js-sdk.ts b/cloudflare/frontend/src/shims/blocklet-js-sdk.ts
new file mode 100644
index 0000000..8c6de26
--- /dev/null
+++ b/cloudflare/frontend/src/shims/blocklet-js-sdk.ts
@@ -0,0 +1,11 @@
+/**
+ * Shim for @blocklet/js-sdk
+ * Replaces createAxios with standard axios.create
+ */
+import axios from 'axios';
+
+export function createAxios(options?: { timeout?: number }) {
+  return axios.create({
+    timeout: options?.timeout || 200000,
+  });
+}
diff --git a/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx b/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx
new file mode 100644
index 0000000..9588f76
--- /dev/null
+++ b/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx
@@ -0,0 +1,36 @@
+/**
+ * Shim for @blocklet/ui-react/lib/Dashboard
+ * Provides a simple layout wrapper + useAppInfo hook.
+ * Must support className, styled() wrapping, and .dashboard-main class.
+ */
+import { createContext, useContext, forwardRef, type ReactNode } from 'react';
+
+const AppInfoContext = createContext<any>({});
+
+export function useAppInfo() {
+  const ctx = useContext(AppInfoContext);
+  return {
+    updateAppInfo: () => {},
+    ...ctx,
+  };
+}
+
+const Dashboard = forwardRef<HTMLDivElement, any>(({ children, className, id, ...rest }, ref) => {
+  return (
+    <AppInfoContext.Provider value={{}}>
+      <div
+        ref={ref}
+        id={id || 'media-kit-layout'}
+        className={className}
+        style={{ display: 'flex', flexDirection: 'column', height: '100vh' }}
+        {...rest}>
+        <div className="dashboard-main" style={{ flex: 1, overflowY: 'auto', padding: 24 }}>
+          {children}
+        </div>
+      </div>
+    </AppInfoContext.Provider>
+  );
+});
+
+Dashboard.displayName = 'Dashboard';
+export default Dashboard;
diff --git a/cloudflare/frontend/src/shims/blocklet-ui-react-footer.tsx b/cloudflare/frontend/src/shims/blocklet-ui-react-footer.tsx
new file mode 100644
index 0000000..e7db23c
--- /dev/null
+++ b/cloudflare/frontend/src/shims/blocklet-ui-react-footer.tsx
@@ -0,0 +1,14 @@
+/**
+ * Shim for @blocklet/ui-react/lib/Footer
+ * Minimal footer.
+ */
+import Box from '@mui/material/Box';
+import Typography from '@mui/material/Typography';
+
+export default function Footer(props: any) {
+  return (
+    <Box component="footer" sx={{ py: 2, textAlign: 'center', color: 'text.secondary' }} {...props}>
+      <Typography variant="caption">Powered by Media Kit</Typography>
+    </Box>
+  );
+}
diff --git a/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx b/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx
new file mode 100644
index 0000000..596e964
--- /dev/null
+++ b/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx
@@ -0,0 +1,20 @@
+/**
+ * Shim for @blocklet/ui-react/lib/Header
+ * Simple app bar header.
+ */
+import AppBar from '@mui/material/AppBar';
+import Toolbar from '@mui/material/Toolbar';
+import Typography from '@mui/material/Typography';
+
+export default function Header(props: any) {
+  const appName = (window as any).blocklet?.appName || 'Media Kit';
+  return (
+    <AppBar position="static" elevation={1} sx={{ bgcolor: 'background.paper', color: 'text.primary' }} {...props}>
+      <Toolbar>
+        <Typography variant="h6" sx={{ flexGrow: 1 }}>
+          {appName}
+        </Typography>
+      </Toolbar>
+    </AppBar>
+  );
+}
diff --git a/cloudflare/frontend/src/shims/blocklet-ui-react.tsx b/cloudflare/frontend/src/shims/blocklet-ui-react.tsx
new file mode 100644
index 0000000..88c82ab
--- /dev/null
+++ b/cloudflare/frontend/src/shims/blocklet-ui-react.tsx
@@ -0,0 +1,18 @@
+/**
+ * Shim for @blocklet/ui-react
+ * ComponentInstaller: passthrough wrapper (media-kit is always available on CF)
+ */
+import { type ReactNode } from 'react';
+
+interface ComponentInstallerProps {
+  children: ReactNode;
+  onClose?: () => void;
+  did?: string;
+  disabled?: boolean;
+  fallback?: ReactNode;
+  [key: string]: any;
+}
+
+export default function ComponentInstaller({ children }: ComponentInstallerProps) {
+  return <>{children}</>;
+}
diff --git a/cloudflare/frontend/src/shims/did-connect-react-button.tsx b/cloudflare/frontend/src/shims/did-connect-react-button.tsx
new file mode 100644
index 0000000..f20cc23
--- /dev/null
+++ b/cloudflare/frontend/src/shims/did-connect-react-button.tsx
@@ -0,0 +1,13 @@
+/**
+ * Shim for @arcblock/did-connect-react/lib/Button
+ * Renders a simple login button (no DID Connect).
+ */
+import Button from '@mui/material/Button';
+
+export default function ConnectButton(props: any) {
+  return (
+    <Button variant="contained" onClick={props.onClick} {...props}>
+      {props.children || 'Login'}
+    </Button>
+  );
+}
diff --git a/cloudflare/frontend/src/shims/did-connect-react-session.tsx b/cloudflare/frontend/src/shims/did-connect-react-session.tsx
new file mode 100644
index 0000000..ae6de31
--- /dev/null
+++ b/cloudflare/frontend/src/shims/did-connect-react-session.tsx
@@ -0,0 +1,42 @@
+/**
+ * Shim for @arcblock/did-connect-react/lib/Session
+ * Provides a fake session context that always returns an authenticated admin user.
+ */
+import { createContext, type ReactNode } from 'react';
+
+const defaultSession = {
+  session: {
+    user: {
+      did: 'did:abt:default-uploader',
+      role: 'admin',
+      fullName: 'Admin',
+      avatar: '',
+    },
+    token: 'fake-token',
+  },
+  loading: false,
+  error: null,
+  // Common session helpers that components might call
+  login: () => {},
+  logout: () => {},
+};
+
+const SessionContext = createContext<any>(defaultSession);
+
+function SessionProvider({ children }: { children: ReactNode; serviceHost?: string; protectedRoutes?: string[] }) {
+  return <SessionContext.Provider value={defaultSession}>{children}</SessionContext.Provider>;
+}
+
+function SessionConsumer({ children }: { children: (session: any) => ReactNode }) {
+  return <SessionContext.Consumer>{children}</SessionContext.Consumer>;
+}
+
+function withSession(Component: any) {
+  return function WrappedComponent(props: any) {
+    return <Component {...props} session={defaultSession} />;
+  };
+}
+
+export function createAuthServiceSessionContext() {
+  return { SessionProvider, SessionContext, SessionConsumer, withSession };
+}
diff --git a/cloudflare/frontend/src/shims/ux-button.tsx b/cloudflare/frontend/src/shims/ux-button.tsx
new file mode 100644
index 0000000..9cefe9d
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-button.tsx
@@ -0,0 +1 @@
+export { Button as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-center.tsx b/cloudflare/frontend/src/shims/ux-center.tsx
new file mode 100644
index 0000000..7cd3f9b
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-center.tsx
@@ -0,0 +1 @@
+export { Center as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-config.tsx b/cloudflare/frontend/src/shims/ux-config.tsx
new file mode 100644
index 0000000..daa1cf8
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-config.tsx
@@ -0,0 +1 @@
+export { ConfigProvider as default, ConfigProvider } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-dialog.tsx b/cloudflare/frontend/src/shims/ux-dialog.tsx
new file mode 100644
index 0000000..bbf6c5f
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-dialog.tsx
@@ -0,0 +1 @@
+export { Confirm } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-empty.tsx b/cloudflare/frontend/src/shims/ux-empty.tsx
new file mode 100644
index 0000000..d1c7b27
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-empty.tsx
@@ -0,0 +1 @@
+export { Empty as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-locale-context.tsx b/cloudflare/frontend/src/shims/ux-locale-context.tsx
new file mode 100644
index 0000000..220614f
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-locale-context.tsx
@@ -0,0 +1 @@
+export { useLocaleContext } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-result.tsx b/cloudflare/frontend/src/shims/ux-result.tsx
new file mode 100644
index 0000000..84fee36
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-result.tsx
@@ -0,0 +1 @@
+export { Result as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-split-button.tsx b/cloudflare/frontend/src/shims/ux-split-button.tsx
new file mode 100644
index 0000000..e7b7e05
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-split-button.tsx
@@ -0,0 +1 @@
+export { SplitButton as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-toast.tsx b/cloudflare/frontend/src/shims/ux-toast.tsx
new file mode 100644
index 0000000..0cf914b
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-toast.tsx
@@ -0,0 +1 @@
+export { ToastProvider as default, ToastProvider, Toast } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-with-tracker.tsx b/cloudflare/frontend/src/shims/ux-with-tracker.tsx
new file mode 100644
index 0000000..6f09975
--- /dev/null
+++ b/cloudflare/frontend/src/shims/ux-with-tracker.tsx
@@ -0,0 +1 @@
+export { withTracker as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/tsconfig.json b/cloudflare/frontend/tsconfig.json
new file mode 100644
index 0000000..6b2a769
--- /dev/null
+++ b/cloudflare/frontend/tsconfig.json
@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "moduleResolution": "bundler",
+    "jsx": "react-jsx",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "noEmit": true
+  },
+  "include": ["src"]
+}
diff --git a/cloudflare/frontend/vite.config.ts b/cloudflare/frontend/vite.config.ts
new file mode 100644
index 0000000..bcfbea0
--- /dev/null
+++ b/cloudflare/frontend/vite.config.ts
@@ -0,0 +1,72 @@
+import { defineConfig } from 'vite';
+import react from '@vitejs/plugin-react';
+import { join } from 'path';
+
+const root = join(__dirname, '../..');
+const shimDir = join(__dirname, 'src/shims');
+const uploaderSrc = join(root, 'packages/uploader/src');
+const imageBinSrc = join(root, 'blocklets/image-bin/src');
+
+export default defineConfig({
+  // @ts-ignore
+  plugins: [react()],
+  build: {
+    outDir: '../public',
+    emptyOutDir: true,
+  },
+  server: {
+    port: 3030,
+    proxy: {
+      '/api': 'http://localhost:8787',
+      '/uploads': 'http://localhost:8787',
+      '/health': 'http://localhost:8787',
+    },
+    fs: {
+      strict: false,
+      allow: ['../../../'],
+    },
+  },
+  resolve: {
+    alias: {
+      // Original frontend source
+      'image-bin-src': imageBinSrc,
+
+      // @blocklet/uploader → monorepo source
+      '@blocklet/uploader': join(uploaderSrc, 'react.ts'),
+      '@blocklet/uploader/middlewares': join(uploaderSrc, 'middlewares.ts'),
+
+      // @blocklet/* shims
+      '@blocklet/js-sdk': join(shimDir, 'blocklet-js-sdk.ts'),
+      '@blocklet/ui-react/lib/Dashboard': join(shimDir, 'blocklet-ui-react-dashboard.tsx'),
+      '@blocklet/ui-react/lib/Header': join(shimDir, 'blocklet-ui-react-header.tsx'),
+      '@blocklet/ui-react/lib/Footer': join(shimDir, 'blocklet-ui-react-footer.tsx'),
+      '@blocklet/ui-react/lib/ComponentInstaller': join(shimDir, 'blocklet-ui-react.tsx'),
+
+      // @arcblock/* shims (each needs its own file for correct default exports)
+      '@arcblock/did-connect-react/lib/Session': join(shimDir, 'did-connect-react-session.tsx'),
+      '@arcblock/did-connect-react/lib/Button': join(shimDir, 'did-connect-react-button.tsx'),
+      '@arcblock/ux/lib/Toast': join(shimDir, 'ux-toast.tsx'),
+      '@arcblock/ux/lib/Center': join(shimDir, 'ux-center.tsx'),
+      '@arcblock/ux/lib/Config': join(shimDir, 'ux-config.tsx'),
+      '@arcblock/ux/lib/withTracker': join(shimDir, 'ux-with-tracker.tsx'),
+      '@arcblock/ux/lib/Locale/context': join(shimDir, 'ux-locale-context.tsx'),
+      '@arcblock/ux/lib/Result': join(shimDir, 'ux-result.tsx'),
+      '@arcblock/ux/lib/Button': join(shimDir, 'ux-button.tsx'),
+      '@arcblock/ux/lib/SplitButton': join(shimDir, 'ux-split-button.tsx'),
+      '@arcblock/ux/lib/Dialog': join(shimDir, 'ux-dialog.tsx'),
+      '@arcblock/ux/lib/Empty': join(shimDir, 'ux-empty.tsx'),
+      '@arcblock/did': join(shimDir, 'arcblock-did.ts'),
+
+      // Node.js polyfill
+      path: 'path-browserify',
+    },
+    dedupe: ['react', 'react-dom', '@mui/material', '@emotion/react', '@emotion/styled', 'lodash'],
+  },
+  define: {
+    'process.env': {},
+    'process.platform': '"browser"',
+  },
+  optimizeDeps: {
+    include: ['path-browserify'],
+  },
+});
diff --git a/cloudflare/migrations/0001_initial.sql b/cloudflare/migrations/0001_initial.sql
new file mode 100644
index 0000000..d900eea
--- /dev/null
+++ b/cloudflare/migrations/0001_initial.sql
@@ -0,0 +1,58 @@
+-- Migration: 0001_initial
+-- Media Kit initial schema for Cloudflare D1
+
+CREATE TABLE IF NOT EXISTS uploads (
+  id TEXT PRIMARY KEY,
+  filename TEXT NOT NULL,
+  originalname TEXT,
+  mimetype TEXT,
+  size INTEGER,
+  remark TEXT DEFAULT '',
+  folder_id TEXT,
+  created_at TEXT,
+  updated_at TEXT,
+  created_by TEXT,
+  updated_by TEXT
+);
+
+CREATE INDEX idx_uploads_filename ON uploads(filename);
+CREATE INDEX idx_uploads_folder_id ON uploads(folder_id);
+CREATE INDEX idx_uploads_mimetype ON uploads(mimetype);
+CREATE INDEX idx_uploads_created_by ON uploads(created_by);
+CREATE INDEX idx_uploads_created_at ON uploads(created_at);
+
+CREATE TABLE IF NOT EXISTS upload_tags (
+  upload_id TEXT NOT NULL,
+  tag TEXT NOT NULL,
+  PRIMARY KEY (upload_id, tag),
+  FOREIGN KEY (upload_id) REFERENCES uploads(id) ON DELETE CASCADE
+);
+
+CREATE INDEX idx_upload_tags_tag ON upload_tags(tag, upload_id);
+
+CREATE TABLE IF NOT EXISTS folders (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  created_at TEXT,
+  updated_at TEXT,
+  created_by TEXT,
+  updated_by TEXT
+);
+
+CREATE INDEX idx_folders_name ON folders(name);
+
+CREATE TABLE IF NOT EXISTS upload_sessions (
+  id TEXT PRIMARY KEY,
+  upload_id TEXT,
+  key TEXT NOT NULL,
+  final_key TEXT,
+  total_size INTEGER,
+  part_size INTEGER,
+  status TEXT DEFAULT 'active',
+  created_by TEXT,
+  created_at TEXT,
+  expires_at TEXT
+);
+
+CREATE INDEX idx_upload_sessions_status ON upload_sessions(status);
+CREATE INDEX idx_upload_sessions_expires ON upload_sessions(expires_at);
diff --git a/cloudflare/package.json b/cloudflare/package.json
new file mode 100644
index 0000000..99e6047
--- /dev/null
+++ b/cloudflare/package.json
@@ -0,0 +1,33 @@
+{
+  "name": "media-kit-worker",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "dev": "wrangler dev",
+    "build:frontend": "cd frontend && npx vite build",
+    "predeploy": "npm run build:frontend",
+    "deploy": "wrangler deploy",
+    "deploy:staging": "wrangler deploy --env staging",
+    "db:generate": "drizzle-kit generate",
+    "db:migrate:local": "wrangler d1 migrations apply media-kit-db --local",
+    "db:migrate:remote": "wrangler d1 migrations apply media-kit-db --remote",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "aws4fetch": "^1.0.18",
+    "drizzle-orm": "^0.31.0",
+    "fast-xml-parser": "^4.3.0",
+    "hono": "^4.4.0",
+    "js-md5": "^0.8.3"
+  },
+  "devDependencies": {
+    "@cloudflare/vitest-pool-workers": "~0.5.41",
+    "@cloudflare/workers-types": "^4.20240529.0",
+    "drizzle-kit": "^0.22.0",
+    "typescript": "^5.5.0",
+    "vitest": "~2.1.9",
+    "wrangler": "^3.60.0"
+  }
+}
diff --git a/cloudflare/pnpm-lock.yaml b/cloudflare/pnpm-lock.yaml
new file mode 100644
index 0000000..048ad0b
--- /dev/null
+++ b/cloudflare/pnpm-lock.yaml
@@ -0,0 +1,2812 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    dependencies:
+      aws4fetch:
+        specifier: ^1.0.18
+        version: 1.0.20
+      drizzle-orm:
+        specifier: ^0.31.0
+        version: 0.31.4(@cloudflare/workers-types@4.20260316.1)
+      fast-xml-parser:
+        specifier: ^4.3.0
+        version: 4.5.4
+      hono:
+        specifier: ^4.4.0
+        version: 4.12.8
+      js-md5:
+        specifier: ^0.8.3
+        version: 0.8.3
+    devDependencies:
+      '@cloudflare/vitest-pool-workers':
+        specifier: ~0.5.41
+        version: 0.5.41(@cloudflare/workers-types@4.20260316.1)(@vitest/runner@2.1.9)(@vitest/snapshot@2.1.9)(vitest@2.1.9(@types/node@25.5.0))
+      '@cloudflare/workers-types':
+        specifier: ^4.20240529.0
+        version: 4.20260316.1
+      drizzle-kit:
+        specifier: ^0.22.0
+        version: 0.22.8
+      typescript:
+        specifier: ^5.5.0
+        version: 5.9.3
+      vitest:
+        specifier: ~2.1.9
+        version: 2.1.9(@types/node@25.5.0)
+      wrangler:
+        specifier: ^3.60.0
+        version: 3.114.17(@cloudflare/workers-types@4.20260316.1)
+
+packages:
+
+  '@cloudflare/kv-asset-handler@0.3.4':
+    resolution: {integrity: sha512-YLPHc8yASwjNkmcDMQMY35yiWjoKAKnhUbPRszBRS0YgH+IXtsMp61j+yTcnCE3oO2DgP0U3iejLC8FTtKDC8Q==}
+    engines: {node: '>=16.13'}
+
+  '@cloudflare/unenv-preset@2.0.2':
+    resolution: {integrity: sha512-nyzYnlZjjV5xT3LizahG1Iu6mnrCaxglJ04rZLpDwlDVDZ7v46lNsfxhV3A/xtfgQuSHmLnc6SVI+KwBpc3Lwg==}
+    peerDependencies:
+      unenv: 2.0.0-rc.14
+      workerd: ^1.20250124.0
+    peerDependenciesMeta:
+      workerd:
+        optional: true
+
+  '@cloudflare/vitest-pool-workers@0.5.41':
+    resolution: {integrity: sha512-J0uYmOKJgyo/az5nV8QHlR6xQ+HHB6S65tOEutkvUPbuPDbFlBPRT+XHJhSTNNvZGeM1t2qZIzxp0WGmXLtNlQ==}
+    peerDependencies:
+      '@vitest/runner': 2.0.x - 2.1.x
+      '@vitest/snapshot': 2.0.x - 2.1.x
+      vitest: 2.0.x - 2.1.x
+
+  '@cloudflare/workerd-darwin-64@1.20241230.0':
+    resolution: {integrity: sha512-BZHLg4bbhNQoaY1Uan81O3FV/zcmWueC55juhnaI7NAobiQth9RppadPNpxNAmS9fK2mR5z8xrwMQSQrHmztyQ==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@cloudflare/workerd-darwin-64@1.20250718.0':
+    resolution: {integrity: sha512-FHf4t7zbVN8yyXgQ/r/GqLPaYZSGUVzeR7RnL28Mwj2djyw2ZergvytVc7fdGcczl6PQh+VKGfZCfUqpJlbi9g==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@cloudflare/workerd-darwin-arm64@1.20241230.0':
+    resolution: {integrity: sha512-lllxycj7EzYoJ0VOJh8M3palUgoonVrILnzGrgsworgWlIpgjfXGS7b41tEGCw6AxSxL9prmTIGtfSPUvn/rjg==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@cloudflare/workerd-darwin-arm64@1.20250718.0':
+    resolution: {integrity: sha512-fUiyUJYyqqp4NqJ0YgGtp4WJh/II/YZsUnEb6vVy5Oeas8lUOxnN+ZOJ8N/6/5LQCVAtYCChRiIrBbfhTn5Z8Q==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@cloudflare/workerd-linux-64@1.20241230.0':
+    resolution: {integrity: sha512-Y3mHcW0KghOmWdNZyHYpEOG4Ba/ga8tht5vj1a+WXfagEjMO8Y98XhZUlCaYa9yB7Wh5jVcK5LM2jlO/BLgqpA==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [linux]
+
+  '@cloudflare/workerd-linux-64@1.20250718.0':
+    resolution: {integrity: sha512-5+eb3rtJMiEwp08Kryqzzu8d1rUcK+gdE442auo5eniMpT170Dz0QxBrqkg2Z48SFUPYbj+6uknuA5tzdRSUSg==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [linux]
+
+  '@cloudflare/workerd-linux-arm64@1.20241230.0':
+    resolution: {integrity: sha512-IAjhsWPlHzhhkJ6I49sDG6XfMnhPvv0szKGXxTWQK/IWMrbGdHm4RSfNKBSoLQm67jGMIzbmcrX9UIkms27Y1g==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@cloudflare/workerd-linux-arm64@1.20250718.0':
+    resolution: {integrity: sha512-Aa2M/DVBEBQDdATMbn217zCSFKE+ud/teS+fFS+OQqKABLn0azO2qq6ANAHYOIE6Q3Sq4CxDIQr8lGdaJHwUog==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@cloudflare/workerd-windows-64@1.20241230.0':
+    resolution: {integrity: sha512-y5SPIk9iOb2gz+yWtHxoeMnjPnkYQswiCJ480oHC6zexnJLlKTpcmBCjDH1nWCT4pQi8F25gaH8thgElf4NvXQ==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [win32]
+
+  '@cloudflare/workerd-windows-64@1.20250718.0':
+    resolution: {integrity: sha512-dY16RXKffmugnc67LTbyjdDHZn5NoTF1yHEf2fN4+OaOnoGSp3N1x77QubTDwqZ9zECWxgQfDLjddcH8dWeFhg==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [win32]
+
+  '@cloudflare/workers-types@4.20260316.1':
+    resolution: {integrity: sha512-HUZ+vQD8/1A4Fz/8WAlzYWcS5W5u3Nu7Dv9adkIkmLfeKqMIRn01vc4nSUBar60KkmohyQHkPi8jtWV/zazvAg==}
+
+  '@cspotcode/source-map-support@0.8.1':
+    resolution: {integrity: sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==}
+    engines: {node: '>=12'}
+
+  '@emnapi/runtime@1.9.0':
+    resolution: {integrity: sha512-QN75eB0IH2ywSpRpNddCRfQIhmJYBCJ1x5Lb3IscKAL8bMnVAKnRg8dCoXbHzVLLH7P38N2Z3mtulB7W0J0FKw==}
+
+  '@esbuild-kit/core-utils@3.3.2':
+    resolution: {integrity: sha512-sPRAnw9CdSsRmEtnsl2WXWdyquogVpB3yZ3dgwJfe8zrOzTsV7cJvmwrKVa+0ma5BoiGJ+BoqkMvawbayKUsqQ==}
+    deprecated: 'Merged into tsx: https://tsx.is'
+
+  '@esbuild-kit/esm-loader@2.6.5':
+    resolution: {integrity: sha512-FxEMIkJKnodyA1OaCUoEvbYRkoZlLZ4d/eXFu9Fh8CbBBgP5EmZxrfTRyN0qpXZ4vOvqnE5YdRdcrmUUXuU+dA==}
+    deprecated: 'Merged into tsx: https://tsx.is'
+
+  '@esbuild-plugins/node-globals-polyfill@0.2.3':
+    resolution: {integrity: sha512-r3MIryXDeXDOZh7ih1l/yE9ZLORCd5e8vWg02azWRGj5SPTuoh69A2AIyn0Z31V/kHBfZ4HgWJ+OK3GTTwLmnw==}
+    peerDependencies:
+      esbuild: '*'
+
+  '@esbuild-plugins/node-modules-polyfill@0.2.2':
+    resolution: {integrity: sha512-LXV7QsWJxRuMYvKbiznh+U1ilIop3g2TeKRzUxOG5X3YITc8JyyTa90BmLwqqv0YnX4v32CSlG+vsziZp9dMvA==}
+    peerDependencies:
+      esbuild: '*'
+
+  '@esbuild/aix-ppc64@0.19.12':
+    resolution: {integrity: sha512-bmoCYyWdEL3wDQIVbcyzRyeKLgk2WtWLTWz1ZIAZF/EGbNOwSA6ew3PftJ1PqMiOOGu0OyFMzG53L0zqIpPeNA==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [aix]
+
+  '@esbuild/aix-ppc64@0.21.5':
+    resolution: {integrity: sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [aix]
+
+  '@esbuild/android-arm64@0.17.19':
+    resolution: {integrity: sha512-KBMWvEZooR7+kzY0BtbTQn0OAYY7CsiydT63pVEaPtVYF0hXbUaOyZog37DKxK7NF3XacBJOpYT4adIJh+avxA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [android]
+
+  '@esbuild/android-arm64@0.18.20':
+    resolution: {integrity: sha512-Nz4rJcchGDtENV0eMKUNa6L12zz2zBDXuhj/Vjh18zGqB44Bi7MBMSXjgunJgjRhCmKOjnPuZp4Mb6OKqtMHLQ==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [android]
+
+  '@esbuild/android-arm64@0.19.12':
+    resolution: {integrity: sha512-P0UVNGIienjZv3f5zq0DP3Nt2IE/3plFzuaS96vihvD0Hd6H/q4WXUGpCxD/E8YrSXfNyRPbpTq+T8ZQioSuPA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [android]
+
+  '@esbuild/android-arm64@0.21.5':
+    resolution: {integrity: sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [android]
+
+  '@esbuild/android-arm@0.17.19':
+    resolution: {integrity: sha512-rIKddzqhmav7MSmoFCmDIb6e2W57geRsM94gV2l38fzhXMwq7hZoClug9USI2pFRGL06f4IOPHHpFNOkWieR8A==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [android]
+
+  '@esbuild/android-arm@0.18.20':
+    resolution: {integrity: sha512-fyi7TDI/ijKKNZTUJAQqiG5T7YjJXgnzkURqmGj13C6dCqckZBLdl4h7bkhHt/t0WP+zO9/zwroDvANaOqO5Sw==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [android]
+
+  '@esbuild/android-arm@0.19.12':
+    resolution: {integrity: sha512-qg/Lj1mu3CdQlDEEiWrlC4eaPZ1KztwGJ9B6J+/6G+/4ewxJg7gqj8eVYWvao1bXrqGiW2rsBZFSX3q2lcW05w==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [android]
+
+  '@esbuild/android-arm@0.21.5':
+    resolution: {integrity: sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [android]
+
+  '@esbuild/android-x64@0.17.19':
+    resolution: {integrity: sha512-uUTTc4xGNDT7YSArp/zbtmbhO0uEEK9/ETW29Wk1thYUJBz3IVnvgEiEwEa9IeLyvnpKrWK64Utw2bgUmDveww==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [android]
+
+  '@esbuild/android-x64@0.18.20':
+    resolution: {integrity: sha512-8GDdlePJA8D6zlZYJV/jnrRAi6rOiNaCC/JclcXpB+KIuvfBN4owLtgzY2bsxnx666XjJx2kDPUmnTtR8qKQUg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [android]
+
+  '@esbuild/android-x64@0.19.12':
+    resolution: {integrity: sha512-3k7ZoUW6Q6YqhdhIaq/WZ7HwBpnFBlW905Fa4s4qWJyiNOgT1dOqDiVAQFwBH7gBRZr17gLrlFCRzF6jFh7Kew==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [android]
+
+  '@esbuild/android-x64@0.21.5':
+    resolution: {integrity: sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [android]
+
+  '@esbuild/darwin-arm64@0.17.19':
+    resolution: {integrity: sha512-80wEoCfF/hFKM6WE1FyBHc9SfUblloAWx6FJkFWTWiCoht9Mc0ARGEM47e67W9rI09YoUxJL68WHfDRYEAvOhg==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@esbuild/darwin-arm64@0.18.20':
+    resolution: {integrity: sha512-bxRHW5kHU38zS2lPTPOyuyTm+S+eobPUnTNkdJEfAddYgEcll4xkT8DB9d2008DtTbl7uJag2HuE5NZAZgnNEA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@esbuild/darwin-arm64@0.19.12':
+    resolution: {integrity: sha512-B6IeSgZgtEzGC42jsI+YYu9Z3HKRxp8ZT3cqhvliEHovq8HSX2YX8lNocDn79gCKJXOSaEot9MVYky7AKjCs8g==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@esbuild/darwin-arm64@0.21.5':
+    resolution: {integrity: sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@esbuild/darwin-x64@0.17.19':
+    resolution: {integrity: sha512-IJM4JJsLhRYr9xdtLytPLSH9k/oxR3boaUIYiHkAawtwNOXKE8KoU8tMvryogdcT8AU+Bflmh81Xn6Q0vTZbQw==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@esbuild/darwin-x64@0.18.20':
+    resolution: {integrity: sha512-pc5gxlMDxzm513qPGbCbDukOdsGtKhfxD1zJKXjCCcU7ju50O7MeAZ8c4krSJcOIJGFR+qx21yMMVYwiQvyTyQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@esbuild/darwin-x64@0.19.12':
+    resolution: {integrity: sha512-hKoVkKzFiToTgn+41qGhsUJXFlIjxI/jSYeZf3ugemDYZldIXIxhvwN6erJGlX4t5h417iFuheZ7l+YVn05N3A==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@esbuild/darwin-x64@0.21.5':
+    resolution: {integrity: sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@esbuild/freebsd-arm64@0.17.19':
+    resolution: {integrity: sha512-pBwbc7DufluUeGdjSU5Si+P3SoMF5DQ/F/UmTSb8HXO80ZEAJmrykPyzo1IfNbAoaqw48YRpv8shwd1NoI0jcQ==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-arm64@0.18.20':
+    resolution: {integrity: sha512-yqDQHy4QHevpMAaxhhIwYPMv1NECwOvIpGCZkECn8w2WFHXjEwrBn3CeNIYsibZ/iZEUemj++M26W3cNR5h+Tw==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-arm64@0.19.12':
+    resolution: {integrity: sha512-4aRvFIXmwAcDBw9AueDQ2YnGmz5L6obe5kmPT8Vd+/+x/JMVKCgdcRwH6APrbpNXsPz+K653Qg8HB/oXvXVukA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-arm64@0.21.5':
+    resolution: {integrity: sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-x64@0.17.19':
+    resolution: {integrity: sha512-4lu+n8Wk0XlajEhbEffdy2xy53dpR06SlzvhGByyg36qJw6Kpfk7cp45DR/62aPH9mtJRmIyrXAS5UWBrJT6TQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-x64@0.18.20':
+    resolution: {integrity: sha512-tgWRPPuQsd3RmBZwarGVHZQvtzfEBOreNuxEMKFcd5DaDn2PbBxfwLcj4+aenoh7ctXcbXmOQIn8HI6mCSw5MQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-x64@0.19.12':
+    resolution: {integrity: sha512-EYoXZ4d8xtBoVN7CEwWY2IN4ho76xjYXqSXMNccFSx2lgqOG/1TBPW0yPx1bJZk94qu3tX0fycJeeQsKovA8gg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-x64@0.21.5':
+    resolution: {integrity: sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@esbuild/linux-arm64@0.17.19':
+    resolution: {integrity: sha512-ct1Tg3WGwd3P+oZYqic+YZF4snNl2bsnMKRkb3ozHmnM0dGWuxcPTTntAF6bOP0Sp4x0PjSF+4uHQ1xvxfRKqg==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@esbuild/linux-arm64@0.18.20':
+    resolution: {integrity: sha512-2YbscF+UL7SQAVIpnWvYwM+3LskyDmPhe31pE7/aoTMFKKzIc9lLbyGUpmmb8a8AixOL61sQ/mFh3jEjHYFvdA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@esbuild/linux-arm64@0.19.12':
+    resolution: {integrity: sha512-EoTjyYyLuVPfdPLsGVVVC8a0p1BFFvtpQDB/YLEhaXyf/5bczaGeN15QkR+O4S5LeJ92Tqotve7i1jn35qwvdA==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@esbuild/linux-arm64@0.21.5':
+    resolution: {integrity: sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@esbuild/linux-arm@0.17.19':
+    resolution: {integrity: sha512-cdmT3KxjlOQ/gZ2cjfrQOtmhG4HJs6hhvm3mWSRDPtZ/lP5oe8FWceS10JaSJC13GBd4eH/haHnqf7hhGNLerA==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [linux]
+
+  '@esbuild/linux-arm@0.18.20':
+    resolution: {integrity: sha512-/5bHkMWnq1EgKr1V+Ybz3s1hWXok7mDFUMQ4cG10AfW3wL02PSZi5kFpYKrptDsgb2WAJIvRcDm+qIvXf/apvg==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [linux]
+
+  '@esbuild/linux-arm@0.19.12':
+    resolution: {integrity: sha512-J5jPms//KhSNv+LO1S1TX1UWp1ucM6N6XuL6ITdKWElCu8wXP72l9MM0zDTzzeikVyqFE6U8YAV9/tFyj0ti+w==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [linux]
+
+  '@esbuild/linux-arm@0.21.5':
+    resolution: {integrity: sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==}
+    engines: {node: '>=12'}
+    cpu: [arm]
+    os: [linux]
+
+  '@esbuild/linux-ia32@0.17.19':
+    resolution: {integrity: sha512-w4IRhSy1VbsNxHRQpeGCHEmibqdTUx61Vc38APcsRbuVgK0OPEnQ0YD39Brymn96mOx48Y2laBQGqgZ0j9w6SQ==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [linux]
+
+  '@esbuild/linux-ia32@0.18.20':
+    resolution: {integrity: sha512-P4etWwq6IsReT0E1KHU40bOnzMHoH73aXp96Fs8TIT6z9Hu8G6+0SHSw9i2isWrD2nbx2qo5yUqACgdfVGx7TA==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [linux]
+
+  '@esbuild/linux-ia32@0.19.12':
+    resolution: {integrity: sha512-Thsa42rrP1+UIGaWz47uydHSBOgTUnwBwNq59khgIwktK6x60Hivfbux9iNR0eHCHzOLjLMLfUMLCypBkZXMHA==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [linux]
+
+  '@esbuild/linux-ia32@0.21.5':
+    resolution: {integrity: sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [linux]
+
+  '@esbuild/linux-loong64@0.17.19':
+    resolution: {integrity: sha512-2iAngUbBPMq439a+z//gE+9WBldoMp1s5GWsUSgqHLzLJ9WoZLZhpwWuym0u0u/4XmZ3gpHmzV84PonE+9IIdQ==}
+    engines: {node: '>=12'}
+    cpu: [loong64]
+    os: [linux]
+
+  '@esbuild/linux-loong64@0.18.20':
+    resolution: {integrity: sha512-nXW8nqBTrOpDLPgPY9uV+/1DjxoQ7DoB2N8eocyq8I9XuqJ7BiAMDMf9n1xZM9TgW0J8zrquIb/A7s3BJv7rjg==}
+    engines: {node: '>=12'}
+    cpu: [loong64]
+    os: [linux]
+
+  '@esbuild/linux-loong64@0.19.12':
+    resolution: {integrity: sha512-LiXdXA0s3IqRRjm6rV6XaWATScKAXjI4R4LoDlvO7+yQqFdlr1Bax62sRwkVvRIrwXxvtYEHHI4dm50jAXkuAA==}
+    engines: {node: '>=12'}
+    cpu: [loong64]
+    os: [linux]
+
+  '@esbuild/linux-loong64@0.21.5':
+    resolution: {integrity: sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==}
+    engines: {node: '>=12'}
+    cpu: [loong64]
+    os: [linux]
+
+  '@esbuild/linux-mips64el@0.17.19':
+    resolution: {integrity: sha512-LKJltc4LVdMKHsrFe4MGNPp0hqDFA1Wpt3jE1gEyM3nKUvOiO//9PheZZHfYRfYl6AwdTH4aTcXSqBerX0ml4A==}
+    engines: {node: '>=12'}
+    cpu: [mips64el]
+    os: [linux]
+
+  '@esbuild/linux-mips64el@0.18.20':
+    resolution: {integrity: sha512-d5NeaXZcHp8PzYy5VnXV3VSd2D328Zb+9dEq5HE6bw6+N86JVPExrA6O68OPwobntbNJ0pzCpUFZTo3w0GyetQ==}
+    engines: {node: '>=12'}
+    cpu: [mips64el]
+    os: [linux]
+
+  '@esbuild/linux-mips64el@0.19.12':
+    resolution: {integrity: sha512-fEnAuj5VGTanfJ07ff0gOA6IPsvrVHLVb6Lyd1g2/ed67oU1eFzL0r9WL7ZzscD+/N6i3dWumGE1Un4f7Amf+w==}
+    engines: {node: '>=12'}
+    cpu: [mips64el]
+    os: [linux]
+
+  '@esbuild/linux-mips64el@0.21.5':
+    resolution: {integrity: sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==}
+    engines: {node: '>=12'}
+    cpu: [mips64el]
+    os: [linux]
+
+  '@esbuild/linux-ppc64@0.17.19':
+    resolution: {integrity: sha512-/c/DGybs95WXNS8y3Ti/ytqETiW7EU44MEKuCAcpPto3YjQbyK3IQVKfF6nbghD7EcLUGl0NbiL5Rt5DMhn5tg==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@esbuild/linux-ppc64@0.18.20':
+    resolution: {integrity: sha512-WHPyeScRNcmANnLQkq6AfyXRFr5D6N2sKgkFo2FqguP44Nw2eyDlbTdZwd9GYk98DZG9QItIiTlFLHJHjxP3FA==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@esbuild/linux-ppc64@0.19.12':
+    resolution: {integrity: sha512-nYJA2/QPimDQOh1rKWedNOe3Gfc8PabU7HT3iXWtNUbRzXS9+vgB0Fjaqr//XNbd82mCxHzik2qotuI89cfixg==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@esbuild/linux-ppc64@0.21.5':
+    resolution: {integrity: sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==}
+    engines: {node: '>=12'}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@esbuild/linux-riscv64@0.17.19':
+    resolution: {integrity: sha512-FC3nUAWhvFoutlhAkgHf8f5HwFWUL6bYdvLc/TTuxKlvLi3+pPzdZiFKSWz/PF30TB1K19SuCxDTI5KcqASJqA==}
+    engines: {node: '>=12'}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@esbuild/linux-riscv64@0.18.20':
+    resolution: {integrity: sha512-WSxo6h5ecI5XH34KC7w5veNnKkju3zBRLEQNY7mv5mtBmrP/MjNBCAlsM2u5hDBlS3NGcTQpoBvRzqBcRtpq1A==}
+    engines: {node: '>=12'}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@esbuild/linux-riscv64@0.19.12':
+    resolution: {integrity: sha512-2MueBrlPQCw5dVJJpQdUYgeqIzDQgw3QtiAHUC4RBz9FXPrskyyU3VI1hw7C0BSKB9OduwSJ79FTCqtGMWqJHg==}
+    engines: {node: '>=12'}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@esbuild/linux-riscv64@0.21.5':
+    resolution: {integrity: sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==}
+    engines: {node: '>=12'}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@esbuild/linux-s390x@0.17.19':
+    resolution: {integrity: sha512-IbFsFbxMWLuKEbH+7sTkKzL6NJmG2vRyy6K7JJo55w+8xDk7RElYn6xvXtDW8HCfoKBFK69f3pgBJSUSQPr+4Q==}
+    engines: {node: '>=12'}
+    cpu: [s390x]
+    os: [linux]
+
+  '@esbuild/linux-s390x@0.18.20':
+    resolution: {integrity: sha512-+8231GMs3mAEth6Ja1iK0a1sQ3ohfcpzpRLH8uuc5/KVDFneH6jtAJLFGafpzpMRO6DzJ6AvXKze9LfFMrIHVQ==}
+    engines: {node: '>=12'}
+    cpu: [s390x]
+    os: [linux]
+
+  '@esbuild/linux-s390x@0.19.12':
+    resolution: {integrity: sha512-+Pil1Nv3Umes4m3AZKqA2anfhJiVmNCYkPchwFJNEJN5QxmTs1uzyy4TvmDrCRNT2ApwSari7ZIgrPeUx4UZDg==}
+    engines: {node: '>=12'}
+    cpu: [s390x]
+    os: [linux]
+
+  '@esbuild/linux-s390x@0.21.5':
+    resolution: {integrity: sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==}
+    engines: {node: '>=12'}
+    cpu: [s390x]
+    os: [linux]
+
+  '@esbuild/linux-x64@0.17.19':
+    resolution: {integrity: sha512-68ngA9lg2H6zkZcyp22tsVt38mlhWde8l3eJLWkyLrp4HwMUr3c1s/M2t7+kHIhvMjglIBrFpncX1SzMckomGw==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [linux]
+
+  '@esbuild/linux-x64@0.18.20':
+    resolution: {integrity: sha512-UYqiqemphJcNsFEskc73jQ7B9jgwjWrSayxawS6UVFZGWrAAtkzjxSqnoclCXxWtfwLdzU+vTpcNYhpn43uP1w==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [linux]
+
+  '@esbuild/linux-x64@0.19.12':
+    resolution: {integrity: sha512-B71g1QpxfwBvNrfyJdVDexenDIt1CiDN1TIXLbhOw0KhJzE78KIFGX6OJ9MrtC0oOqMWf+0xop4qEU8JrJTwCg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [linux]
+
+  '@esbuild/linux-x64@0.21.5':
+    resolution: {integrity: sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [linux]
+
+  '@esbuild/netbsd-x64@0.17.19':
+    resolution: {integrity: sha512-CwFq42rXCR8TYIjIfpXCbRX0rp1jo6cPIUPSaWwzbVI4aOfX96OXY8M6KNmtPcg7QjYeDmN+DD0Wp3LaBOLf4Q==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [netbsd]
+
+  '@esbuild/netbsd-x64@0.18.20':
+    resolution: {integrity: sha512-iO1c++VP6xUBUmltHZoMtCUdPlnPGdBom6IrO4gyKPFFVBKioIImVooR5I83nTew5UOYrk3gIJhbZh8X44y06A==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [netbsd]
+
+  '@esbuild/netbsd-x64@0.19.12':
+    resolution: {integrity: sha512-3ltjQ7n1owJgFbuC61Oj++XhtzmymoCihNFgT84UAmJnxJfm4sYCiSLTXZtE00VWYpPMYc+ZQmB6xbSdVh0JWA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [netbsd]
+
+  '@esbuild/netbsd-x64@0.21.5':
+    resolution: {integrity: sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [netbsd]
+
+  '@esbuild/openbsd-x64@0.17.19':
+    resolution: {integrity: sha512-cnq5brJYrSZ2CF6c35eCmviIN3k3RczmHz8eYaVlNasVqsNY+JKohZU5MKmaOI+KkllCdzOKKdPs762VCPC20g==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@esbuild/openbsd-x64@0.18.20':
+    resolution: {integrity: sha512-e5e4YSsuQfX4cxcygw/UCPIEP6wbIL+se3sxPdCiMbFLBWu0eiZOJ7WoD+ptCLrmjZBK1Wk7I6D/I3NglUGOxg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@esbuild/openbsd-x64@0.19.12':
+    resolution: {integrity: sha512-RbrfTB9SWsr0kWmb9srfF+L933uMDdu9BIzdA7os2t0TXhCRjrQyCeOt6wVxr79CKD4c+p+YhCj31HBkYcXebw==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@esbuild/openbsd-x64@0.21.5':
+    resolution: {integrity: sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@esbuild/sunos-x64@0.17.19':
+    resolution: {integrity: sha512-vCRT7yP3zX+bKWFeP/zdS6SqdWB8OIpaRq/mbXQxTGHnIxspRtigpkUcDMlSCOejlHowLqII7K2JKevwyRP2rg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [sunos]
+
+  '@esbuild/sunos-x64@0.18.20':
+    resolution: {integrity: sha512-kDbFRFp0YpTQVVrqUd5FTYmWo45zGaXe0X8E1G/LKFC0v8x0vWrhOWSLITcCn63lmZIxfOMXtCfti/RxN/0wnQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [sunos]
+
+  '@esbuild/sunos-x64@0.19.12':
+    resolution: {integrity: sha512-HKjJwRrW8uWtCQnQOz9qcU3mUZhTUQvi56Q8DPTLLB+DawoiQdjsYq+j+D3s9I8VFtDr+F9CjgXKKC4ss89IeA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [sunos]
+
+  '@esbuild/sunos-x64@0.21.5':
+    resolution: {integrity: sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [sunos]
+
+  '@esbuild/win32-arm64@0.17.19':
+    resolution: {integrity: sha512-yYx+8jwowUstVdorcMdNlzklLYhPxjniHWFKgRqH7IFlUEa0Umu3KuYplf1HUZZ422e3NU9F4LGb+4O0Kdcaag==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [win32]
+
+  '@esbuild/win32-arm64@0.18.20':
+    resolution: {integrity: sha512-ddYFR6ItYgoaq4v4JmQQaAI5s7npztfV4Ag6NrhiaW0RrnOXqBkgwZLofVTlq1daVTQNhtI5oieTvkRPfZrePg==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [win32]
+
+  '@esbuild/win32-arm64@0.19.12':
+    resolution: {integrity: sha512-URgtR1dJnmGvX864pn1B2YUYNzjmXkuJOIqG2HdU62MVS4EHpU2946OZoTMnRUHklGtJdJZ33QfzdjGACXhn1A==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [win32]
+
+  '@esbuild/win32-arm64@0.21.5':
+    resolution: {integrity: sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==}
+    engines: {node: '>=12'}
+    cpu: [arm64]
+    os: [win32]
+
+  '@esbuild/win32-ia32@0.17.19':
+    resolution: {integrity: sha512-eggDKanJszUtCdlVs0RB+h35wNlb5v4TWEkq4vZcmVt5u/HiDZrTXe2bWFQUez3RgNHwx/x4sk5++4NSSicKkw==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [win32]
+
+  '@esbuild/win32-ia32@0.18.20':
+    resolution: {integrity: sha512-Wv7QBi3ID/rROT08SABTS7eV4hX26sVduqDOTe1MvGMjNd3EjOz4b7zeexIR62GTIEKrfJXKL9LFxTYgkyeu7g==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [win32]
+
+  '@esbuild/win32-ia32@0.19.12':
+    resolution: {integrity: sha512-+ZOE6pUkMOJfmxmBZElNOx72NKpIa/HFOMGzu8fqzQJ5kgf6aTGrcJaFsNiVMH4JKpMipyK+7k0n2UXN7a8YKQ==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [win32]
+
+  '@esbuild/win32-ia32@0.21.5':
+    resolution: {integrity: sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==}
+    engines: {node: '>=12'}
+    cpu: [ia32]
+    os: [win32]
+
+  '@esbuild/win32-x64@0.17.19':
+    resolution: {integrity: sha512-lAhycmKnVOuRYNtRtatQR1LPQf2oYCkRGkSFnseDAKPl8lu5SOsK/e1sXe5a0Pc5kHIHe6P2I/ilntNv2xf3cA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [win32]
+
+  '@esbuild/win32-x64@0.18.20':
+    resolution: {integrity: sha512-kTdfRcSiDfQca/y9QIkng02avJ+NCaQvrMejlsB3RRv5sE9rRoeBPISaZpKxHELzRxZyLvNts1P27W3wV+8geQ==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [win32]
+
+  '@esbuild/win32-x64@0.19.12':
+    resolution: {integrity: sha512-T1QyPSDCyMXaO3pzBkF96E8xMkiRYbUEZADd29SyPGabqxMViNoii+NcK7eWJAEoU6RZyEm5lVSIjTmcdoB9HA==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [win32]
+
+  '@esbuild/win32-x64@0.21.5':
+    resolution: {integrity: sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==}
+    engines: {node: '>=12'}
+    cpu: [x64]
+    os: [win32]
+
+  '@fastify/busboy@2.1.1':
+    resolution: {integrity: sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==}
+    engines: {node: '>=14'}
+
+  '@img/sharp-darwin-arm64@0.33.5':
+    resolution: {integrity: sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@img/sharp-darwin-x64@0.33.5':
+    resolution: {integrity: sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [darwin]
+
+  '@img/sharp-libvips-darwin-arm64@1.0.4':
+    resolution: {integrity: sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg==}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@img/sharp-libvips-darwin-x64@1.0.4':
+    resolution: {integrity: sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ==}
+    cpu: [x64]
+    os: [darwin]
+
+  '@img/sharp-libvips-linux-arm64@1.0.4':
+    resolution: {integrity: sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-arm@1.0.5':
+    resolution: {integrity: sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g==}
+    cpu: [arm]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-s390x@1.0.4':
+    resolution: {integrity: sha512-u7Wz6ntiSSgGSGcjZ55im6uvTrOxSIS8/dgoVMoiGE9I6JAfU50yH5BoDlYA1tcuGS7g/QNtetJnxA6QEsCVTA==}
+    cpu: [s390x]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-x64@1.0.4':
+    resolution: {integrity: sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw==}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-libvips-linuxmusl-arm64@1.0.4':
+    resolution: {integrity: sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-libvips-linuxmusl-x64@1.0.4':
+    resolution: {integrity: sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw==}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-linux-arm64@0.33.5':
+    resolution: {integrity: sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-linux-arm@0.33.5':
+    resolution: {integrity: sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm]
+    os: [linux]
+
+  '@img/sharp-linux-s390x@0.33.5':
+    resolution: {integrity: sha512-y/5PCd+mP4CA/sPDKl2961b+C9d+vPAveS33s6Z3zfASk2j5upL6fXVPZi7ztePZ5CuH+1kW8JtvxgbuXHRa4Q==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [s390x]
+    os: [linux]
+
+  '@img/sharp-linux-x64@0.33.5':
+    resolution: {integrity: sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-linuxmusl-arm64@0.33.5':
+    resolution: {integrity: sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-linuxmusl-x64@0.33.5':
+    resolution: {integrity: sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-wasm32@0.33.5':
+    resolution: {integrity: sha512-ykUW4LVGaMcU9lu9thv85CbRMAwfeadCJHRsg2GmeRa/cJxsVY9Rbd57JcMxBkKHag5U/x7TSBpScF4U8ElVzg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [wasm32]
+
+  '@img/sharp-win32-ia32@0.33.5':
+    resolution: {integrity: sha512-T36PblLaTwuVJ/zw/LaH0PdZkRz5rd3SmMHX8GSmR7vtNSP5Z6bQkExdSK7xGWyxLw4sUknBuugTelgw2faBbQ==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [ia32]
+    os: [win32]
+
+  '@img/sharp-win32-x64@0.33.5':
+    resolution: {integrity: sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [win32]
+
+  '@jridgewell/resolve-uri@3.1.2':
+    resolution: {integrity: sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==}
+    engines: {node: '>=6.0.0'}
+
+  '@jridgewell/sourcemap-codec@1.5.5':
+    resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==}
+
+  '@jridgewell/trace-mapping@0.3.9':
+    resolution: {integrity: sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==}
+
+  '@rollup/rollup-android-arm-eabi@4.59.0':
+    resolution: {integrity: sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==}
+    cpu: [arm]
+    os: [android]
+
+  '@rollup/rollup-android-arm64@4.59.0':
+    resolution: {integrity: sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==}
+    cpu: [arm64]
+    os: [android]
+
+  '@rollup/rollup-darwin-arm64@4.59.0':
+    resolution: {integrity: sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@rollup/rollup-darwin-x64@4.59.0':
+    resolution: {integrity: sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==}
+    cpu: [x64]
+    os: [darwin]
+
+  '@rollup/rollup-freebsd-arm64@4.59.0':
+    resolution: {integrity: sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@rollup/rollup-freebsd-x64@4.59.0':
+    resolution: {integrity: sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@rollup/rollup-linux-arm-gnueabihf@4.59.0':
+    resolution: {integrity: sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==}
+    cpu: [arm]
+    os: [linux]
+
+  '@rollup/rollup-linux-arm-musleabihf@4.59.0':
+    resolution: {integrity: sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==}
+    cpu: [arm]
+    os: [linux]
+
+  '@rollup/rollup-linux-arm64-gnu@4.59.0':
+    resolution: {integrity: sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@rollup/rollup-linux-arm64-musl@4.59.0':
+    resolution: {integrity: sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@rollup/rollup-linux-loong64-gnu@4.59.0':
+    resolution: {integrity: sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==}
+    cpu: [loong64]
+    os: [linux]
+
+  '@rollup/rollup-linux-loong64-musl@4.59.0':
+    resolution: {integrity: sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==}
+    cpu: [loong64]
+    os: [linux]
+
+  '@rollup/rollup-linux-ppc64-gnu@4.59.0':
+    resolution: {integrity: sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@rollup/rollup-linux-ppc64-musl@4.59.0':
+    resolution: {integrity: sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@rollup/rollup-linux-riscv64-gnu@4.59.0':
+    resolution: {integrity: sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@rollup/rollup-linux-riscv64-musl@4.59.0':
+    resolution: {integrity: sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@rollup/rollup-linux-s390x-gnu@4.59.0':
+    resolution: {integrity: sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==}
+    cpu: [s390x]
+    os: [linux]
+
+  '@rollup/rollup-linux-x64-gnu@4.59.0':
+    resolution: {integrity: sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==}
+    cpu: [x64]
+    os: [linux]
+
+  '@rollup/rollup-linux-x64-musl@4.59.0':
+    resolution: {integrity: sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==}
+    cpu: [x64]
+    os: [linux]
+
+  '@rollup/rollup-openbsd-x64@4.59.0':
+    resolution: {integrity: sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@rollup/rollup-openharmony-arm64@4.59.0':
+    resolution: {integrity: sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==}
+    cpu: [arm64]
+    os: [openharmony]
+
+  '@rollup/rollup-win32-arm64-msvc@4.59.0':
+    resolution: {integrity: sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==}
+    cpu: [arm64]
+    os: [win32]
+
+  '@rollup/rollup-win32-ia32-msvc@4.59.0':
+    resolution: {integrity: sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==}
+    cpu: [ia32]
+    os: [win32]
+
+  '@rollup/rollup-win32-x64-gnu@4.59.0':
+    resolution: {integrity: sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==}
+    cpu: [x64]
+    os: [win32]
+
+  '@rollup/rollup-win32-x64-msvc@4.59.0':
+    resolution: {integrity: sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==}
+    cpu: [x64]
+    os: [win32]
+
+  '@types/estree@1.0.8':
+    resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
+
+  '@types/node-forge@1.3.14':
+    resolution: {integrity: sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==}
+
+  '@types/node@25.5.0':
+    resolution: {integrity: sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==}
+
+  '@vitest/expect@2.1.9':
+    resolution: {integrity: sha512-UJCIkTBenHeKT1TTlKMJWy1laZewsRIzYighyYiJKZreqtdxSos/S1t+ktRMQWu2CKqaarrkeszJx1cgC5tGZw==}
+
+  '@vitest/mocker@2.1.9':
+    resolution: {integrity: sha512-tVL6uJgoUdi6icpxmdrn5YNo3g3Dxv+IHJBr0GXHaEdTcw3F+cPKnsXFhli6nO+f/6SDKPHEK1UN+k+TQv0Ehg==}
+    peerDependencies:
+      msw: ^2.4.9
+      vite: ^5.0.0
+    peerDependenciesMeta:
+      msw:
+        optional: true
+      vite:
+        optional: true
+
+  '@vitest/pretty-format@2.1.9':
+    resolution: {integrity: sha512-KhRIdGV2U9HOUzxfiHmY8IFHTdqtOhIzCpd8WRdJiE7D/HUcZVD0EgQCVjm+Q9gkUXWgBvMmTtZgIG48wq7sOQ==}
+
+  '@vitest/runner@2.1.9':
+    resolution: {integrity: sha512-ZXSSqTFIrzduD63btIfEyOmNcBmQvgOVsPNPe0jYtESiXkhd8u2erDLnMxmGrDCwHCCHE7hxwRDCT3pt0esT4g==}
+
+  '@vitest/snapshot@2.1.9':
+    resolution: {integrity: sha512-oBO82rEjsxLNJincVhLhaxxZdEtV0EFHMK5Kmx5sJ6H9L183dHECjiefOAdnqpIgT5eZwT04PoggUnW88vOBNQ==}
+
+  '@vitest/spy@2.1.9':
+    resolution: {integrity: sha512-E1B35FwzXXTs9FHNK6bDszs7mtydNi5MIfUWpceJ8Xbfb1gBMscAnwLbEu+B44ed6W3XjL9/ehLPHR1fkf1KLQ==}
+
+  '@vitest/utils@2.1.9':
+    resolution: {integrity: sha512-v0psaMSkNJ3A2NMrUEHFRzJtDPFn+/VWZ5WxImB21T9fjucJRmS7xCS3ppEnARb9y11OAzaD+P2Ps+b+BGX5iQ==}
+
+  acorn-walk@8.3.2:
+    resolution: {integrity: sha512-cjkyv4OtNCIeqhHrfS81QWXoCBPExR/J62oyEqepVw8WaQeSqpW2uhuLPh1m9eWhDuOo/jUXVTlifvesOWp/4A==}
+    engines: {node: '>=0.4.0'}
+
+  acorn@8.14.0:
+    resolution: {integrity: sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==}
+    engines: {node: '>=0.4.0'}
+    hasBin: true
+
+  acorn@8.16.0:
+    resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
+    engines: {node: '>=0.4.0'}
+    hasBin: true
+
+  as-table@1.0.55:
+    resolution: {integrity: sha512-xvsWESUJn0JN421Xb9MQw6AsMHRCUknCe0Wjlxvjud80mU4E6hQf1A6NzQKcYNmYw62MfzEtXc+badstZP3JpQ==}
+
+  assertion-error@2.0.1:
+    resolution: {integrity: sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==}
+    engines: {node: '>=12'}
+
+  aws4fetch@1.0.20:
+    resolution: {integrity: sha512-/djoAN709iY65ETD6LKCtyyEI04XIBP5xVvfmNxsEP0uJB5tyaGBztSryRr4HqMStr9R06PisQE7m9zDTXKu6g==}
+
+  birpc@0.2.14:
+    resolution: {integrity: sha512-37FHE8rqsYM5JEKCnXFyHpBCzvgHEExwVVTq+nUmloInU7l8ezD1TpOhKpS8oe1DTYFqEK27rFZVKG43oTqXRA==}
+
+  blake3-wasm@2.1.5:
+    resolution: {integrity: sha512-F1+K8EbfOZE49dtoPtmxUQrpXaBIl3ICvasLh+nJta0xkz+9kF/7uet9fLnwKqhDrmj6g+6K3Tw9yQPUg2ka5g==}
+
+  buffer-from@1.1.2:
+    resolution: {integrity: sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==}
+
+  cac@6.7.14:
+    resolution: {integrity: sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==}
+    engines: {node: '>=8'}
+
+  capnp-ts@0.7.0:
+    resolution: {integrity: sha512-XKxXAC3HVPv7r674zP0VC3RTXz+/JKhfyw94ljvF80yynK6VkTnqE3jMuN8b3dUVmmc43TjyxjW4KTsmB3c86g==}
+
+  chai@5.3.3:
+    resolution: {integrity: sha512-4zNhdJD/iOjSH0A05ea+Ke6MU5mmpQcbQsSOkgdaUMJ9zTlDTD/GYlwohmIE2u0gaxHYiVHEn1Fw9mZ/ktJWgw==}
+    engines: {node: '>=18'}
+
+  check-error@2.1.3:
+    resolution: {integrity: sha512-PAJdDJusoxnwm1VwW07VWwUN1sl7smmC3OKggvndJFadxxDRyFJBX/ggnu/KE4kQAB7a3Dp8f/YXC1FlUprWmA==}
+    engines: {node: '>= 16'}
+
+  chokidar@4.0.3:
+    resolution: {integrity: sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==}
+    engines: {node: '>= 14.16.0'}
+
+  cjs-module-lexer@1.4.3:
+    resolution: {integrity: sha512-9z8TZaGM1pfswYeXrUpzPrkx8UnWYdhJclsiYMm6x/w5+nN+8Tf/LnAgfLGQCm59qAOxU8WwHEq2vNwF6i4j+Q==}
+
+  color-convert@2.0.1:
+    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
+    engines: {node: '>=7.0.0'}
+
+  color-name@1.1.4:
+    resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
+
+  color-string@1.9.1:
+    resolution: {integrity: sha512-shrVawQFojnZv6xM40anx4CkoDP+fZsw/ZerEMsW/pyzsRbElpsL/DBVW7q3ExxwusdNXI3lXpuhEZkzs8p5Eg==}
+
+  color@4.2.3:
+    resolution: {integrity: sha512-1rXeuUUiGGrykh+CeBdu5Ie7OJwinCgQY0bc7GCRxy5xVHy+moaqkpL/jqQq0MtQOeYcrqEz4abc5f0KtU7W4A==}
+    engines: {node: '>=12.5.0'}
+
+  confbox@0.1.8:
+    resolution: {integrity: sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==}
+
+  cookie@0.7.2:
+    resolution: {integrity: sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==}
+    engines: {node: '>= 0.6'}
+
+  data-uri-to-buffer@2.0.2:
+    resolution: {integrity: sha512-ND9qDTLc6diwj+Xe5cdAgVTbLVdXbtxTJRXRhli8Mowuaan+0EJOtdqJ0QCHNSSPyoXGx9HX2/VMnKeC34AChA==}
+
+  date-fns@4.1.0:
+    resolution: {integrity: sha512-Ukq0owbQXxa/U3EGtsdVBkR1w7KOQ5gIBqdH2hkvknzZPYvBxb/aa6E8L7tmjFtkwZBu3UXBbjIgPo/Ez4xaNg==}
+
+  debug@4.4.3:
+    resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
+    engines: {node: '>=6.0'}
+    peerDependencies:
+      supports-color: '*'
+    peerDependenciesMeta:
+      supports-color:
+        optional: true
+
+  deep-eql@5.0.2:
+    resolution: {integrity: sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==}
+    engines: {node: '>=6'}
+
+  defu@6.1.4:
+    resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==}
+
+  detect-libc@2.1.2:
+    resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==}
+    engines: {node: '>=8'}
+
+  devalue@4.3.3:
+    resolution: {integrity: sha512-UH8EL6H2ifcY8TbD2QsxwCC/pr5xSwPvv85LrLXVihmHVC3T3YqTCIwnR5ak0yO1KYqlxrPVOA/JVZJYPy2ATg==}
+
+  drizzle-kit@0.22.8:
+    resolution: {integrity: sha512-VjI4wsJjk3hSqHSa3TwBf+uvH6M6pRHyxyoVbt935GUzP9tUR/BRZ+MhEJNgryqbzN2Za1KP0eJMTgKEPsalYQ==}
+    hasBin: true
+
+  drizzle-orm@0.31.4:
+    resolution: {integrity: sha512-VGD9SH9aStF2z4QOTnVlVX/WghV/EnuEzTmsH3fSVp2E4fFgc8jl3viQrS/XUJx1ekW4rVVLJMH42SfGQdjX3Q==}
+    peerDependencies:
+      '@aws-sdk/client-rds-data': '>=3'
+      '@cloudflare/workers-types': '>=3'
+      '@electric-sql/pglite': '>=0.1.1'
+      '@libsql/client': '*'
+      '@neondatabase/serverless': '>=0.1'
+      '@op-engineering/op-sqlite': '>=2'
+      '@opentelemetry/api': ^1.4.1
+      '@planetscale/database': '>=1'
+      '@prisma/client': '*'
+      '@tidbcloud/serverless': '*'
+      '@types/better-sqlite3': '*'
+      '@types/pg': '*'
+      '@types/react': '>=18'
+      '@types/sql.js': '*'
+      '@vercel/postgres': '>=0.8.0'
+      '@xata.io/client': '*'
+      better-sqlite3: '>=7'
+      bun-types: '*'
+      expo-sqlite: '>=13.2.0'
+      knex: '*'
+      kysely: '*'
+      mysql2: '>=2'
+      pg: '>=8'
+      postgres: '>=3'
+      prisma: '*'
+      react: '>=18'
+      sql.js: '>=1'
+      sqlite3: '>=5'
+    peerDependenciesMeta:
+      '@aws-sdk/client-rds-data':
+        optional: true
+      '@cloudflare/workers-types':
+        optional: true
+      '@electric-sql/pglite':
+        optional: true
+      '@libsql/client':
+        optional: true
+      '@neondatabase/serverless':
+        optional: true
+      '@op-engineering/op-sqlite':
+        optional: true
+      '@opentelemetry/api':
+        optional: true
+      '@planetscale/database':
+        optional: true
+      '@prisma/client':
+        optional: true
+      '@tidbcloud/serverless':
+        optional: true
+      '@types/better-sqlite3':
+        optional: true
+      '@types/pg':
+        optional: true
+      '@types/react':
+        optional: true
+      '@types/sql.js':
+        optional: true
+      '@vercel/postgres':
+        optional: true
+      '@xata.io/client':
+        optional: true
+      better-sqlite3:
+        optional: true
+      bun-types:
+        optional: true
+      expo-sqlite:
+        optional: true
+      knex:
+        optional: true
+      kysely:
+        optional: true
+      mysql2:
+        optional: true
+      pg:
+        optional: true
+      postgres:
+        optional: true
+      prisma:
+        optional: true
+      react:
+        optional: true
+      sql.js:
+        optional: true
+      sqlite3:
+        optional: true
+
+  es-module-lexer@1.7.0:
+    resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
+
+  esbuild-register@3.6.0:
+    resolution: {integrity: sha512-H2/S7Pm8a9CL1uhp9OvjwrBh5Pvx0H8qVOxNu8Wed9Y7qv56MPtq+GGM8RJpq6glYJn9Wspr8uw7l55uyinNeg==}
+    peerDependencies:
+      esbuild: '>=0.12 <1'
+
+  esbuild@0.17.19:
+    resolution: {integrity: sha512-XQ0jAPFkK/u3LcVRcvVHQcTIqD6E2H1fvZMA5dQPSOWb3suUbWbfbRf94pjc0bNzRYLfIrDRQXr7X+LHIm5oHw==}
+    engines: {node: '>=12'}
+    hasBin: true
+
+  esbuild@0.18.20:
+    resolution: {integrity: sha512-ceqxoedUrcayh7Y7ZX6NdbbDzGROiyVBgC4PriJThBKSVPWnnFHZAkfI1lJT8QFkOwH4qOS2SJkS4wvpGl8BpA==}
+    engines: {node: '>=12'}
+    hasBin: true
+
+  esbuild@0.19.12:
+    resolution: {integrity: sha512-aARqgq8roFBj054KvQr5f1sFu0D65G+miZRCuJyJ0G13Zwx7vRar5Zhn2tkQNzIXcBrNVsv/8stehpj+GAjgbg==}
+    engines: {node: '>=12'}
+    hasBin: true
+
+  esbuild@0.21.5:
+    resolution: {integrity: sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==}
+    engines: {node: '>=12'}
+    hasBin: true
+
+  escape-string-regexp@4.0.0:
+    resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==}
+    engines: {node: '>=10'}
+
+  estree-walker@0.6.1:
+    resolution: {integrity: sha512-SqmZANLWS0mnatqbSfRP5g8OXZC12Fgg1IwNtLsyHDzJizORW4khDfjPqJZsemPWBB2uqykUah5YpQ6epsqC/w==}
+
+  estree-walker@3.0.3:
+    resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==}
+
+  exit-hook@2.2.1:
+    resolution: {integrity: sha512-eNTPlAD67BmP31LDINZ3U7HSF8l57TxOY2PmBJ1shpCvpnxBF93mWCE8YHBnXs8qiUZJc9WDcWIeC3a2HIAMfw==}
+    engines: {node: '>=6'}
+
+  expect-type@1.3.0:
+    resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
+    engines: {node: '>=12.0.0'}
+
+  exsolve@1.0.8:
+    resolution: {integrity: sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==}
+
+  fast-xml-parser@4.5.4:
+    resolution: {integrity: sha512-jE8ugADnYOBsu1uaoayVl1tVKAMNOXyjwvv2U6udEA2ORBhDooJDWoGxTkhd4Qn4yh59JVVt/pKXtjPwx9OguQ==}
+    hasBin: true
+
+  fsevents@2.3.3:
+    resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==}
+    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
+    os: [darwin]
+
+  function-bind@1.1.2:
+    resolution: {integrity: sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==}
+
+  get-source@2.0.12:
+    resolution: {integrity: sha512-X5+4+iD+HoSeEED+uwrQ07BOQr0kEDFMVqqpBuI+RaZBpBpHCuXxo70bjar6f0b0u/DQJsJ7ssurpP0V60Az+w==}
+
+  get-tsconfig@4.13.6:
+    resolution: {integrity: sha512-shZT/QMiSHc/YBLxxOkMtgSid5HFoauqCE3/exfsEcwg1WkeqjG+V40yBbBrsD+jW2HDXcs28xOfcbm2jI8Ddw==}
+
+  glob-to-regexp@0.4.1:
+    resolution: {integrity: sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw==}
+
+  hasown@2.0.2:
+    resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
+    engines: {node: '>= 0.4'}
+
+  hono@4.12.8:
+    resolution: {integrity: sha512-VJCEvtrezO1IAR+kqEYnxUOoStaQPGrCmX3j4wDTNOcD1uRPFpGlwQUIW8niPuvHXaTUxeOUl5MMDGrl+tmO9A==}
+    engines: {node: '>=16.9.0'}
+
+  is-arrayish@0.3.4:
+    resolution: {integrity: sha512-m6UrgzFVUYawGBh1dUsWR5M2Clqic9RVXC/9f8ceNlv2IcO9j9J/z8UoCLPqtsPBFNzEpfR3xftohbfqDx8EQA==}
+
+  is-core-module@2.16.1:
+    resolution: {integrity: sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==}
+    engines: {node: '>= 0.4'}
+
+  itty-time@1.0.6:
+    resolution: {integrity: sha512-+P8IZaLLBtFv8hCkIjcymZOp4UJ+xW6bSlQsXGqrkmJh7vSiMFSlNne0mCYagEE0N7HDNR5jJBRxwN0oYv61Rw==}
+
+  js-md5@0.8.3:
+    resolution: {integrity: sha512-qR0HB5uP6wCuRMrWPTrkMaev7MJZwJuuw4fnwAzRgP4J4/F8RwtodOKpGp4XpqsLBFzzgqIO42efFAyz2Et6KQ==}
+
+  loupe@3.2.1:
+    resolution: {integrity: sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==}
+
+  magic-string@0.25.9:
+    resolution: {integrity: sha512-RmF0AsMzgt25qzqqLc1+MbHmhdx0ojF2Fvs4XnOqz2ZOBXzzkEwc/dJQZCYHAn7v1jbVOjAZfK8msRn4BxO4VQ==}
+
+  magic-string@0.30.21:
+    resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
+
+  mime@3.0.0:
+    resolution: {integrity: sha512-jSCU7/VB1loIWBZe14aEYHU/+1UMEHoaO7qxCOVJOw9GgH72VAWppxNcjU+x9a2k3GSIBXNKxXQFqRvvZ7vr3A==}
+    engines: {node: '>=10.0.0'}
+    hasBin: true
+
+  miniflare@3.20241230.0:
+    resolution: {integrity: sha512-ZtWNoNAIj5Q0Vb3B4SPEKr7DDmVG8a0Stsp/AuRkYXoJniA5hsbKjFNIGhTXGMIHVP5bvDrKJWt/POIDGfpiKg==}
+    engines: {node: '>=16.13'}
+    hasBin: true
+
+  miniflare@3.20250718.3:
+    resolution: {integrity: sha512-JuPrDJhwLrNLEJiNLWO7ZzJrv/Vv9kZuwMYCfv0LskQDM6Eonw4OvywO3CH/wCGjgHzha/qyjUh8JQ068TjDgQ==}
+    engines: {node: '>=16.13'}
+    hasBin: true
+
+  mlly@1.8.1:
+    resolution: {integrity: sha512-SnL6sNutTwRWWR/vcmCYHSADjiEesp5TGQQ0pXyLhW5IoeibRlF/CbSLailbB3CNqJUk9cVJ9dUDnbD7GrcHBQ==}
+
+  ms@2.1.3:
+    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
+
+  mustache@4.2.0:
+    resolution: {integrity: sha512-71ippSywq5Yb7/tVYyGbkBggbU8H3u5Rz56fH60jGFgr8uHwxs+aSKeqmluIVzM0m0kB7xQjKS6qPfd0b2ZoqQ==}
+    hasBin: true
+
+  nanoid@3.3.11:
+    resolution: {integrity: sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==}
+    engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
+    hasBin: true
+
+  node-forge@1.3.3:
+    resolution: {integrity: sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==}
+    engines: {node: '>= 6.13.0'}
+
+  ohash@1.1.6:
+    resolution: {integrity: sha512-TBu7PtV8YkAZn0tSxobKY2n2aAQva936lhRrj6957aDaCf9IEtqsKbgMzXE/F/sjqYOwmrukeORHNLe5glk7Cg==}
+
+  ohash@2.0.11:
+    resolution: {integrity: sha512-RdR9FQrFwNBNXAr4GixM8YaRZRJ5PUWbKYbE5eOsrwAjJW0q2REGcf79oYPsLyskQCZG1PLN+S/K1V00joZAoQ==}
+
+  path-parse@1.0.7:
+    resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==}
+
+  path-to-regexp@6.3.0:
+    resolution: {integrity: sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ==}
+
+  pathe@1.1.2:
+    resolution: {integrity: sha512-whLdWMYL2TwI08hn8/ZqAbrVemu0LNaNNJZX73O6qaIdCTfXutsLhMkjdENX0qhsQ9uIimo4/aQOmXkoon2nDQ==}
+
+  pathe@2.0.3:
+    resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
+
+  pathval@2.0.1:
+    resolution: {integrity: sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==}
+    engines: {node: '>= 14.16'}
+
+  picocolors@1.1.1:
+    resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
+
+  pkg-types@1.3.1:
+    resolution: {integrity: sha512-/Jm5M4RvtBFVkKWRu2BLUTNP8/M2a+UwuAX+ae4770q1qVGtfjG+WTCupoZixokjmHiry8uI+dlY8KXYV5HVVQ==}
+
+  postcss@8.5.8:
+    resolution: {integrity: sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==}
+    engines: {node: ^10 || ^12 || >=14}
+
+  printable-characters@1.0.42:
+    resolution: {integrity: sha512-dKp+C4iXWK4vVYZmYSd0KBH5F/h1HoZRsbJ82AVKRO3PEo8L4lBS/vLwhVtpwwuYcoIsVY+1JYKR268yn480uQ==}
+
+  readdirp@4.1.2:
+    resolution: {integrity: sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==}
+    engines: {node: '>= 14.18.0'}
+
+  resolve-pkg-maps@1.0.0:
+    resolution: {integrity: sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==}
+
+  resolve@1.22.11:
+    resolution: {integrity: sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==}
+    engines: {node: '>= 0.4'}
+    hasBin: true
+
+  rollup-plugin-inject@3.0.2:
+    resolution: {integrity: sha512-ptg9PQwzs3orn4jkgXJ74bfs5vYz1NCZlSQMBUA0wKcGp5i5pA1AO3fOUEte8enhGUC+iapTCzEWw2jEFFUO/w==}
+    deprecated: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
+
+  rollup-plugin-node-polyfills@0.2.1:
+    resolution: {integrity: sha512-4kCrKPTJ6sK4/gLL/U5QzVT8cxJcofO0OU74tnB19F40cmuAKSzH5/siithxlofFEjwvw1YAhPmbvGNA6jEroA==}
+
+  rollup-pluginutils@2.8.2:
+    resolution: {integrity: sha512-EEp9NhnUkwY8aif6bxgovPHMoMoNr2FulJziTndpt5H9RdwC47GSGuII9XxpSdzVGM0GWrNPHV6ie1LTNJPaLQ==}
+
+  rollup@4.59.0:
+    resolution: {integrity: sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==}
+    engines: {node: '>=18.0.0', npm: '>=8.0.0'}
+    hasBin: true
+
+  selfsigned@2.4.1:
+    resolution: {integrity: sha512-th5B4L2U+eGLq1TVh7zNRGBapioSORUeymIydxgFpwww9d2qyKvtuPU2jJuHvYAwwqi2Y596QBL3eEqcPEYL8Q==}
+    engines: {node: '>=10'}
+
+  semver@7.7.4:
+    resolution: {integrity: sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==}
+    engines: {node: '>=10'}
+    hasBin: true
+
+  sharp@0.33.5:
+    resolution: {integrity: sha512-haPVm1EkS9pgvHrQ/F3Xy+hgcuMV0Wm9vfIBSiwZ05k+xgb0PkBQpGsAA/oWdDobNaZTH5ppvHtzCFbnSEwHVw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+
+  siginfo@2.0.0:
+    resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==}
+
+  simple-swizzle@0.2.4:
+    resolution: {integrity: sha512-nAu1WFPQSMNr2Zn9PGSZK9AGn4t/y97lEm+MXTtUDwfP0ksAIX4nO+6ruD9Jwut4C49SB1Ws+fbXsm/yScWOHw==}
+
+  source-map-js@1.2.1:
+    resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
+    engines: {node: '>=0.10.0'}
+
+  source-map-support@0.5.21:
+    resolution: {integrity: sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==}
+
+  source-map@0.6.1:
+    resolution: {integrity: sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==}
+    engines: {node: '>=0.10.0'}
+
+  sourcemap-codec@1.4.8:
+    resolution: {integrity: sha512-9NykojV5Uih4lgo5So5dtw+f0JgJX30KCNI8gwhz2J9A15wD0Ml6tjHKwf6fTSa6fAdVBdZeNOs9eJ71qCk8vA==}
+    deprecated: Please use @jridgewell/sourcemap-codec instead
+
+  stackback@0.0.2:
+    resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==}
+
+  stacktracey@2.2.0:
+    resolution: {integrity: sha512-ETyQEz+CzXiLjEbyJqpbp+/T79RQD/6wqFucRBIlVNZfYq2Ay7wbretD4cxpbymZlaPWx58aIhPEY1Cr8DlVvg==}
+
+  std-env@3.10.0:
+    resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==}
+
+  stoppable@1.1.0:
+    resolution: {integrity: sha512-KXDYZ9dszj6bzvnEMRYvxgeTHU74QBFL54XKtP3nyMuJ81CFYtABZ3bAzL2EdFUaEwJOBOgENyFj3R7oTzDyyw==}
+    engines: {node: '>=4', npm: '>=6'}
+
+  strnum@1.1.2:
+    resolution: {integrity: sha512-vrN+B7DBIoTTZjnPNewwhx6cBA/H+IS7rfW68n7XxC1y7uoiGQBxaKzqucGUgavX15dJgiGztLJ8vxuEzwqBdA==}
+
+  supports-preserve-symlinks-flag@1.0.0:
+    resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==}
+    engines: {node: '>= 0.4'}
+
+  tinybench@2.9.0:
+    resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
+
+  tinyexec@0.3.2:
+    resolution: {integrity: sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==}
+
+  tinypool@1.1.1:
+    resolution: {integrity: sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+
+  tinyrainbow@1.2.0:
+    resolution: {integrity: sha512-weEDEq7Z5eTHPDh4xjX789+fHfF+P8boiFB+0vbWzpbnbsEr/GRaohi/uMKxg8RZMXnl1ItAi/IUHWMsjDV7kQ==}
+    engines: {node: '>=14.0.0'}
+
+  tinyspy@3.0.2:
+    resolution: {integrity: sha512-n1cw8k1k0x4pgA2+9XrOkFydTerNcJ1zWCO5Nn9scWHTD+5tp8dghT2x1uduQePZTZgd3Tupf+x9BxJjeJi77Q==}
+    engines: {node: '>=14.0.0'}
+
+  tslib@2.8.1:
+    resolution: {integrity: sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==}
+
+  typescript@5.9.3:
+    resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
+    engines: {node: '>=14.17'}
+    hasBin: true
+
+  ufo@1.6.3:
+    resolution: {integrity: sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q==}
+
+  undici-types@7.18.2:
+    resolution: {integrity: sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==}
+
+  undici@5.29.0:
+    resolution: {integrity: sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==}
+    engines: {node: '>=14.0'}
+
+  unenv-nightly@2.0.0-20241218-183400-5d6aec3:
+    resolution: {integrity: sha512-7Xpi29CJRbOV1/IrC03DawMJ0hloklDLq/cigSe+J2jkcC+iDres2Cy0r4ltj5f0x7DqsaGaB4/dLuCPPFZnZA==}
+
+  unenv@2.0.0-rc.14:
+    resolution: {integrity: sha512-od496pShMen7nOy5VmVJCnq8rptd45vh6Nx/r2iPbrba6pa6p+tS2ywuIHRZ/OBvSbQZB0kWvpO9XBNVFXHD3Q==}
+
+  vite-node@2.1.9:
+    resolution: {integrity: sha512-AM9aQ/IPrW/6ENLQg3AGY4K1N2TGZdR5e4gu/MmmR2xR3Ll1+dib+nook92g4TV3PXVyeyxdWwtaCAiUL0hMxA==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+
+  vite@5.4.21:
+    resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    peerDependencies:
+      '@types/node': ^18.0.0 || >=20.0.0
+      less: '*'
+      lightningcss: ^1.21.0
+      sass: '*'
+      sass-embedded: '*'
+      stylus: '*'
+      sugarss: '*'
+      terser: ^5.4.0
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+      less:
+        optional: true
+      lightningcss:
+        optional: true
+      sass:
+        optional: true
+      sass-embedded:
+        optional: true
+      stylus:
+        optional: true
+      sugarss:
+        optional: true
+      terser:
+        optional: true
+
+  vitest@2.1.9:
+    resolution: {integrity: sha512-MSmPM9REYqDGBI8439mA4mWhV5sKmDlBKWIYbA3lRb2PTHACE0mgKwA8yQ2xq9vxDTuk4iPrECBAEW2aoFXY0Q==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+    hasBin: true
+    peerDependencies:
+      '@edge-runtime/vm': '*'
+      '@types/node': ^18.0.0 || >=20.0.0
+      '@vitest/browser': 2.1.9
+      '@vitest/ui': 2.1.9
+      happy-dom: '*'
+      jsdom: '*'
+    peerDependenciesMeta:
+      '@edge-runtime/vm':
+        optional: true
+      '@types/node':
+        optional: true
+      '@vitest/browser':
+        optional: true
+      '@vitest/ui':
+        optional: true
+      happy-dom:
+        optional: true
+      jsdom:
+        optional: true
+
+  why-is-node-running@2.3.0:
+    resolution: {integrity: sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==}
+    engines: {node: '>=8'}
+    hasBin: true
+
+  workerd@1.20241230.0:
+    resolution: {integrity: sha512-EgixXP0JGXGq6J9lz17TKIZtfNDUvJNG+cl9paPMfZuYWT920fFpBx+K04YmnbQRLnglsivF1GT9pxh1yrlWhg==}
+    engines: {node: '>=16'}
+    hasBin: true
+
+  workerd@1.20250718.0:
+    resolution: {integrity: sha512-kqkIJP/eOfDlUyBzU7joBg+tl8aB25gEAGqDap+nFWb+WHhnooxjGHgxPBy3ipw2hnShPFNOQt5lFRxbwALirg==}
+    engines: {node: '>=16'}
+    hasBin: true
+
+  wrangler@3.100.0:
+    resolution: {integrity: sha512-+nsZK374Xnp2BEQQuB/18pnObgsOey0AHVlg75pAdwNaKAmB2aa0/E5rFb7i89DiiwFYoZMz3cARY1UKcm/WQQ==}
+    engines: {node: '>=16.17.0'}
+    deprecated: Downgrade to 3.99.0
+    hasBin: true
+    peerDependencies:
+      '@cloudflare/workers-types': ^4.20241230.0
+    peerDependenciesMeta:
+      '@cloudflare/workers-types':
+        optional: true
+
+  wrangler@3.114.17:
+    resolution: {integrity: sha512-tAvf7ly+tB+zwwrmjsCyJ2pJnnc7SZhbnNwXbH+OIdVas3zTSmjcZOjmLKcGGptssAA3RyTKhcF9BvKZzMUycA==}
+    engines: {node: '>=16.17.0'}
+    hasBin: true
+    peerDependencies:
+      '@cloudflare/workers-types': ^4.20250408.0
+    peerDependenciesMeta:
+      '@cloudflare/workers-types':
+        optional: true
+
+  ws@8.18.0:
+    resolution: {integrity: sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==}
+    engines: {node: '>=10.0.0'}
+    peerDependencies:
+      bufferutil: ^4.0.1
+      utf-8-validate: '>=5.0.2'
+    peerDependenciesMeta:
+      bufferutil:
+        optional: true
+      utf-8-validate:
+        optional: true
+
+  xxhash-wasm@1.1.0:
+    resolution: {integrity: sha512-147y/6YNh+tlp6nd/2pWq38i9h6mz/EuQ6njIrmW8D1BS5nCqs0P6DG+m6zTGnNz5I+uhZ0SHxBs9BsPrwcKDA==}
+
+  youch@3.3.4:
+    resolution: {integrity: sha512-UeVBXie8cA35DS6+nBkls68xaBBXCye0CNznrhszZjTbRVnJKQuNsyLKBTTL4ln1o1rh2PKtv35twV7irj5SEg==}
+
+  zod@3.22.3:
+    resolution: {integrity: sha512-EjIevzuJRiRPbVH4mGc8nApb/lVLKVpmUhAaR5R5doKGfAnGJ6Gr3CViAVjP+4FWSxCsybeWQdcgCtbX+7oZug==}
+
+snapshots:
+
+  '@cloudflare/kv-asset-handler@0.3.4':
+    dependencies:
+      mime: 3.0.0
+
+  '@cloudflare/unenv-preset@2.0.2(unenv@2.0.0-rc.14)(workerd@1.20250718.0)':
+    dependencies:
+      unenv: 2.0.0-rc.14
+    optionalDependencies:
+      workerd: 1.20250718.0
+
+  '@cloudflare/vitest-pool-workers@0.5.41(@cloudflare/workers-types@4.20260316.1)(@vitest/runner@2.1.9)(@vitest/snapshot@2.1.9)(vitest@2.1.9(@types/node@25.5.0))':
+    dependencies:
+      '@vitest/runner': 2.1.9
+      '@vitest/snapshot': 2.1.9
+      birpc: 0.2.14
+      cjs-module-lexer: 1.4.3
+      devalue: 4.3.3
+      esbuild: 0.17.19
+      miniflare: 3.20241230.0
+      semver: 7.7.4
+      vitest: 2.1.9(@types/node@25.5.0)
+      wrangler: 3.100.0(@cloudflare/workers-types@4.20260316.1)
+      zod: 3.22.3
+    transitivePeerDependencies:
+      - '@cloudflare/workers-types'
+      - bufferutil
+      - supports-color
+      - utf-8-validate
+
+  '@cloudflare/workerd-darwin-64@1.20241230.0':
+    optional: true
+
+  '@cloudflare/workerd-darwin-64@1.20250718.0':
+    optional: true
+
+  '@cloudflare/workerd-darwin-arm64@1.20241230.0':
+    optional: true
+
+  '@cloudflare/workerd-darwin-arm64@1.20250718.0':
+    optional: true
+
+  '@cloudflare/workerd-linux-64@1.20241230.0':
+    optional: true
+
+  '@cloudflare/workerd-linux-64@1.20250718.0':
+    optional: true
+
+  '@cloudflare/workerd-linux-arm64@1.20241230.0':
+    optional: true
+
+  '@cloudflare/workerd-linux-arm64@1.20250718.0':
+    optional: true
+
+  '@cloudflare/workerd-windows-64@1.20241230.0':
+    optional: true
+
+  '@cloudflare/workerd-windows-64@1.20250718.0':
+    optional: true
+
+  '@cloudflare/workers-types@4.20260316.1': {}
+
+  '@cspotcode/source-map-support@0.8.1':
+    dependencies:
+      '@jridgewell/trace-mapping': 0.3.9
+
+  '@emnapi/runtime@1.9.0':
+    dependencies:
+      tslib: 2.8.1
+    optional: true
+
+  '@esbuild-kit/core-utils@3.3.2':
+    dependencies:
+      esbuild: 0.18.20
+      source-map-support: 0.5.21
+
+  '@esbuild-kit/esm-loader@2.6.5':
+    dependencies:
+      '@esbuild-kit/core-utils': 3.3.2
+      get-tsconfig: 4.13.6
+
+  '@esbuild-plugins/node-globals-polyfill@0.2.3(esbuild@0.17.19)':
+    dependencies:
+      esbuild: 0.17.19
+
+  '@esbuild-plugins/node-modules-polyfill@0.2.2(esbuild@0.17.19)':
+    dependencies:
+      esbuild: 0.17.19
+      escape-string-regexp: 4.0.0
+      rollup-plugin-node-polyfills: 0.2.1
+
+  '@esbuild/aix-ppc64@0.19.12':
+    optional: true
+
+  '@esbuild/aix-ppc64@0.21.5':
+    optional: true
+
+  '@esbuild/android-arm64@0.17.19':
+    optional: true
+
+  '@esbuild/android-arm64@0.18.20':
+    optional: true
+
+  '@esbuild/android-arm64@0.19.12':
+    optional: true
+
+  '@esbuild/android-arm64@0.21.5':
+    optional: true
+
+  '@esbuild/android-arm@0.17.19':
+    optional: true
+
+  '@esbuild/android-arm@0.18.20':
+    optional: true
+
+  '@esbuild/android-arm@0.19.12':
+    optional: true
+
+  '@esbuild/android-arm@0.21.5':
+    optional: true
+
+  '@esbuild/android-x64@0.17.19':
+    optional: true
+
+  '@esbuild/android-x64@0.18.20':
+    optional: true
+
+  '@esbuild/android-x64@0.19.12':
+    optional: true
+
+  '@esbuild/android-x64@0.21.5':
+    optional: true
+
+  '@esbuild/darwin-arm64@0.17.19':
+    optional: true
+
+  '@esbuild/darwin-arm64@0.18.20':
+    optional: true
+
+  '@esbuild/darwin-arm64@0.19.12':
+    optional: true
+
+  '@esbuild/darwin-arm64@0.21.5':
+    optional: true
+
+  '@esbuild/darwin-x64@0.17.19':
+    optional: true
+
+  '@esbuild/darwin-x64@0.18.20':
+    optional: true
+
+  '@esbuild/darwin-x64@0.19.12':
+    optional: true
+
+  '@esbuild/darwin-x64@0.21.5':
+    optional: true
+
+  '@esbuild/freebsd-arm64@0.17.19':
+    optional: true
+
+  '@esbuild/freebsd-arm64@0.18.20':
+    optional: true
+
+  '@esbuild/freebsd-arm64@0.19.12':
+    optional: true
+
+  '@esbuild/freebsd-arm64@0.21.5':
+    optional: true
+
+  '@esbuild/freebsd-x64@0.17.19':
+    optional: true
+
+  '@esbuild/freebsd-x64@0.18.20':
+    optional: true
+
+  '@esbuild/freebsd-x64@0.19.12':
+    optional: true
+
+  '@esbuild/freebsd-x64@0.21.5':
+    optional: true
+
+  '@esbuild/linux-arm64@0.17.19':
+    optional: true
+
+  '@esbuild/linux-arm64@0.18.20':
+    optional: true
+
+  '@esbuild/linux-arm64@0.19.12':
+    optional: true
+
+  '@esbuild/linux-arm64@0.21.5':
+    optional: true
+
+  '@esbuild/linux-arm@0.17.19':
+    optional: true
+
+  '@esbuild/linux-arm@0.18.20':
+    optional: true
+
+  '@esbuild/linux-arm@0.19.12':
+    optional: true
+
+  '@esbuild/linux-arm@0.21.5':
+    optional: true
+
+  '@esbuild/linux-ia32@0.17.19':
+    optional: true
+
+  '@esbuild/linux-ia32@0.18.20':
+    optional: true
+
+  '@esbuild/linux-ia32@0.19.12':
+    optional: true
+
+  '@esbuild/linux-ia32@0.21.5':
+    optional: true
+
+  '@esbuild/linux-loong64@0.17.19':
+    optional: true
+
+  '@esbuild/linux-loong64@0.18.20':
+    optional: true
+
+  '@esbuild/linux-loong64@0.19.12':
+    optional: true
+
+  '@esbuild/linux-loong64@0.21.5':
+    optional: true
+
+  '@esbuild/linux-mips64el@0.17.19':
+    optional: true
+
+  '@esbuild/linux-mips64el@0.18.20':
+    optional: true
+
+  '@esbuild/linux-mips64el@0.19.12':
+    optional: true
+
+  '@esbuild/linux-mips64el@0.21.5':
+    optional: true
+
+  '@esbuild/linux-ppc64@0.17.19':
+    optional: true
+
+  '@esbuild/linux-ppc64@0.18.20':
+    optional: true
+
+  '@esbuild/linux-ppc64@0.19.12':
+    optional: true
+
+  '@esbuild/linux-ppc64@0.21.5':
+    optional: true
+
+  '@esbuild/linux-riscv64@0.17.19':
+    optional: true
+
+  '@esbuild/linux-riscv64@0.18.20':
+    optional: true
+
+  '@esbuild/linux-riscv64@0.19.12':
+    optional: true
+
+  '@esbuild/linux-riscv64@0.21.5':
+    optional: true
+
+  '@esbuild/linux-s390x@0.17.19':
+    optional: true
+
+  '@esbuild/linux-s390x@0.18.20':
+    optional: true
+
+  '@esbuild/linux-s390x@0.19.12':
+    optional: true
+
+  '@esbuild/linux-s390x@0.21.5':
+    optional: true
+
+  '@esbuild/linux-x64@0.17.19':
+    optional: true
+
+  '@esbuild/linux-x64@0.18.20':
+    optional: true
+
+  '@esbuild/linux-x64@0.19.12':
+    optional: true
+
+  '@esbuild/linux-x64@0.21.5':
+    optional: true
+
+  '@esbuild/netbsd-x64@0.17.19':
+    optional: true
+
+  '@esbuild/netbsd-x64@0.18.20':
+    optional: true
+
+  '@esbuild/netbsd-x64@0.19.12':
+    optional: true
+
+  '@esbuild/netbsd-x64@0.21.5':
+    optional: true
+
+  '@esbuild/openbsd-x64@0.17.19':
+    optional: true
+
+  '@esbuild/openbsd-x64@0.18.20':
+    optional: true
+
+  '@esbuild/openbsd-x64@0.19.12':
+    optional: true
+
+  '@esbuild/openbsd-x64@0.21.5':
+    optional: true
+
+  '@esbuild/sunos-x64@0.17.19':
+    optional: true
+
+  '@esbuild/sunos-x64@0.18.20':
+    optional: true
+
+  '@esbuild/sunos-x64@0.19.12':
+    optional: true
+
+  '@esbuild/sunos-x64@0.21.5':
+    optional: true
+
+  '@esbuild/win32-arm64@0.17.19':
+    optional: true
+
+  '@esbuild/win32-arm64@0.18.20':
+    optional: true
+
+  '@esbuild/win32-arm64@0.19.12':
+    optional: true
+
+  '@esbuild/win32-arm64@0.21.5':
+    optional: true
+
+  '@esbuild/win32-ia32@0.17.19':
+    optional: true
+
+  '@esbuild/win32-ia32@0.18.20':
+    optional: true
+
+  '@esbuild/win32-ia32@0.19.12':
+    optional: true
+
+  '@esbuild/win32-ia32@0.21.5':
+    optional: true
+
+  '@esbuild/win32-x64@0.17.19':
+    optional: true
+
+  '@esbuild/win32-x64@0.18.20':
+    optional: true
+
+  '@esbuild/win32-x64@0.19.12':
+    optional: true
+
+  '@esbuild/win32-x64@0.21.5':
+    optional: true
+
+  '@fastify/busboy@2.1.1': {}
+
+  '@img/sharp-darwin-arm64@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-darwin-arm64': 1.0.4
+    optional: true
+
+  '@img/sharp-darwin-x64@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-darwin-x64': 1.0.4
+    optional: true
+
+  '@img/sharp-libvips-darwin-arm64@1.0.4':
+    optional: true
+
+  '@img/sharp-libvips-darwin-x64@1.0.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-arm64@1.0.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-arm@1.0.5':
+    optional: true
+
+  '@img/sharp-libvips-linux-s390x@1.0.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-x64@1.0.4':
+    optional: true
+
+  '@img/sharp-libvips-linuxmusl-arm64@1.0.4':
+    optional: true
+
+  '@img/sharp-libvips-linuxmusl-x64@1.0.4':
+    optional: true
+
+  '@img/sharp-linux-arm64@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-arm64': 1.0.4
+    optional: true
+
+  '@img/sharp-linux-arm@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-arm': 1.0.5
+    optional: true
+
+  '@img/sharp-linux-s390x@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-s390x': 1.0.4
+    optional: true
+
+  '@img/sharp-linux-x64@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-x64': 1.0.4
+    optional: true
+
+  '@img/sharp-linuxmusl-arm64@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linuxmusl-arm64': 1.0.4
+    optional: true
+
+  '@img/sharp-linuxmusl-x64@0.33.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linuxmusl-x64': 1.0.4
+    optional: true
+
+  '@img/sharp-wasm32@0.33.5':
+    dependencies:
+      '@emnapi/runtime': 1.9.0
+    optional: true
+
+  '@img/sharp-win32-ia32@0.33.5':
+    optional: true
+
+  '@img/sharp-win32-x64@0.33.5':
+    optional: true
+
+  '@jridgewell/resolve-uri@3.1.2': {}
+
+  '@jridgewell/sourcemap-codec@1.5.5': {}
+
+  '@jridgewell/trace-mapping@0.3.9':
+    dependencies:
+      '@jridgewell/resolve-uri': 3.1.2
+      '@jridgewell/sourcemap-codec': 1.5.5
+
+  '@rollup/rollup-android-arm-eabi@4.59.0':
+    optional: true
+
+  '@rollup/rollup-android-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-darwin-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-darwin-x64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-freebsd-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-freebsd-x64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm-gnueabihf@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm-musleabihf@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-loong64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-loong64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-ppc64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-ppc64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-riscv64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-riscv64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-s390x-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-x64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-x64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-openbsd-x64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-openharmony-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-arm64-msvc@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-ia32-msvc@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-x64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-x64-msvc@4.59.0':
+    optional: true
+
+  '@types/estree@1.0.8': {}
+
+  '@types/node-forge@1.3.14':
+    dependencies:
+      '@types/node': 25.5.0
+
+  '@types/node@25.5.0':
+    dependencies:
+      undici-types: 7.18.2
+
+  '@vitest/expect@2.1.9':
+    dependencies:
+      '@vitest/spy': 2.1.9
+      '@vitest/utils': 2.1.9
+      chai: 5.3.3
+      tinyrainbow: 1.2.0
+
+  '@vitest/mocker@2.1.9(vite@5.4.21(@types/node@25.5.0))':
+    dependencies:
+      '@vitest/spy': 2.1.9
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 5.4.21(@types/node@25.5.0)
+
+  '@vitest/pretty-format@2.1.9':
+    dependencies:
+      tinyrainbow: 1.2.0
+
+  '@vitest/runner@2.1.9':
+    dependencies:
+      '@vitest/utils': 2.1.9
+      pathe: 1.1.2
+
+  '@vitest/snapshot@2.1.9':
+    dependencies:
+      '@vitest/pretty-format': 2.1.9
+      magic-string: 0.30.21
+      pathe: 1.1.2
+
+  '@vitest/spy@2.1.9':
+    dependencies:
+      tinyspy: 3.0.2
+
+  '@vitest/utils@2.1.9':
+    dependencies:
+      '@vitest/pretty-format': 2.1.9
+      loupe: 3.2.1
+      tinyrainbow: 1.2.0
+
+  acorn-walk@8.3.2: {}
+
+  acorn@8.14.0: {}
+
+  acorn@8.16.0: {}
+
+  as-table@1.0.55:
+    dependencies:
+      printable-characters: 1.0.42
+
+  assertion-error@2.0.1: {}
+
+  aws4fetch@1.0.20: {}
+
+  birpc@0.2.14: {}
+
+  blake3-wasm@2.1.5: {}
+
+  buffer-from@1.1.2: {}
+
+  cac@6.7.14: {}
+
+  capnp-ts@0.7.0:
+    dependencies:
+      debug: 4.4.3
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - supports-color
+
+  chai@5.3.3:
+    dependencies:
+      assertion-error: 2.0.1
+      check-error: 2.1.3
+      deep-eql: 5.0.2
+      loupe: 3.2.1
+      pathval: 2.0.1
+
+  check-error@2.1.3: {}
+
+  chokidar@4.0.3:
+    dependencies:
+      readdirp: 4.1.2
+
+  cjs-module-lexer@1.4.3: {}
+
+  color-convert@2.0.1:
+    dependencies:
+      color-name: 1.1.4
+    optional: true
+
+  color-name@1.1.4:
+    optional: true
+
+  color-string@1.9.1:
+    dependencies:
+      color-name: 1.1.4
+      simple-swizzle: 0.2.4
+    optional: true
+
+  color@4.2.3:
+    dependencies:
+      color-convert: 2.0.1
+      color-string: 1.9.1
+    optional: true
+
+  confbox@0.1.8: {}
+
+  cookie@0.7.2: {}
+
+  data-uri-to-buffer@2.0.2: {}
+
+  date-fns@4.1.0: {}
+
+  debug@4.4.3:
+    dependencies:
+      ms: 2.1.3
+
+  deep-eql@5.0.2: {}
+
+  defu@6.1.4: {}
+
+  detect-libc@2.1.2:
+    optional: true
+
+  devalue@4.3.3: {}
+
+  drizzle-kit@0.22.8:
+    dependencies:
+      '@esbuild-kit/esm-loader': 2.6.5
+      esbuild: 0.19.12
+      esbuild-register: 3.6.0(esbuild@0.19.12)
+    transitivePeerDependencies:
+      - supports-color
+
+  drizzle-orm@0.31.4(@cloudflare/workers-types@4.20260316.1):
+    optionalDependencies:
+      '@cloudflare/workers-types': 4.20260316.1
+
+  es-module-lexer@1.7.0: {}
+
+  esbuild-register@3.6.0(esbuild@0.19.12):
+    dependencies:
+      debug: 4.4.3
+      esbuild: 0.19.12
+    transitivePeerDependencies:
+      - supports-color
+
+  esbuild@0.17.19:
+    optionalDependencies:
+      '@esbuild/android-arm': 0.17.19
+      '@esbuild/android-arm64': 0.17.19
+      '@esbuild/android-x64': 0.17.19
+      '@esbuild/darwin-arm64': 0.17.19
+      '@esbuild/darwin-x64': 0.17.19
+      '@esbuild/freebsd-arm64': 0.17.19
+      '@esbuild/freebsd-x64': 0.17.19
+      '@esbuild/linux-arm': 0.17.19
+      '@esbuild/linux-arm64': 0.17.19
+      '@esbuild/linux-ia32': 0.17.19
+      '@esbuild/linux-loong64': 0.17.19
+      '@esbuild/linux-mips64el': 0.17.19
+      '@esbuild/linux-ppc64': 0.17.19
+      '@esbuild/linux-riscv64': 0.17.19
+      '@esbuild/linux-s390x': 0.17.19
+      '@esbuild/linux-x64': 0.17.19
+      '@esbuild/netbsd-x64': 0.17.19
+      '@esbuild/openbsd-x64': 0.17.19
+      '@esbuild/sunos-x64': 0.17.19
+      '@esbuild/win32-arm64': 0.17.19
+      '@esbuild/win32-ia32': 0.17.19
+      '@esbuild/win32-x64': 0.17.19
+
+  esbuild@0.18.20:
+    optionalDependencies:
+      '@esbuild/android-arm': 0.18.20
+      '@esbuild/android-arm64': 0.18.20
+      '@esbuild/android-x64': 0.18.20
+      '@esbuild/darwin-arm64': 0.18.20
+      '@esbuild/darwin-x64': 0.18.20
+      '@esbuild/freebsd-arm64': 0.18.20
+      '@esbuild/freebsd-x64': 0.18.20
+      '@esbuild/linux-arm': 0.18.20
+      '@esbuild/linux-arm64': 0.18.20
+      '@esbuild/linux-ia32': 0.18.20
+      '@esbuild/linux-loong64': 0.18.20
+      '@esbuild/linux-mips64el': 0.18.20
+      '@esbuild/linux-ppc64': 0.18.20
+      '@esbuild/linux-riscv64': 0.18.20
+      '@esbuild/linux-s390x': 0.18.20
+      '@esbuild/linux-x64': 0.18.20
+      '@esbuild/netbsd-x64': 0.18.20
+      '@esbuild/openbsd-x64': 0.18.20
+      '@esbuild/sunos-x64': 0.18.20
+      '@esbuild/win32-arm64': 0.18.20
+      '@esbuild/win32-ia32': 0.18.20
+      '@esbuild/win32-x64': 0.18.20
+
+  esbuild@0.19.12:
+    optionalDependencies:
+      '@esbuild/aix-ppc64': 0.19.12
+      '@esbuild/android-arm': 0.19.12
+      '@esbuild/android-arm64': 0.19.12
+      '@esbuild/android-x64': 0.19.12
+      '@esbuild/darwin-arm64': 0.19.12
+      '@esbuild/darwin-x64': 0.19.12
+      '@esbuild/freebsd-arm64': 0.19.12
+      '@esbuild/freebsd-x64': 0.19.12
+      '@esbuild/linux-arm': 0.19.12
+      '@esbuild/linux-arm64': 0.19.12
+      '@esbuild/linux-ia32': 0.19.12
+      '@esbuild/linux-loong64': 0.19.12
+      '@esbuild/linux-mips64el': 0.19.12
+      '@esbuild/linux-ppc64': 0.19.12
+      '@esbuild/linux-riscv64': 0.19.12
+      '@esbuild/linux-s390x': 0.19.12
+      '@esbuild/linux-x64': 0.19.12
+      '@esbuild/netbsd-x64': 0.19.12
+      '@esbuild/openbsd-x64': 0.19.12
+      '@esbuild/sunos-x64': 0.19.12
+      '@esbuild/win32-arm64': 0.19.12
+      '@esbuild/win32-ia32': 0.19.12
+      '@esbuild/win32-x64': 0.19.12
+
+  esbuild@0.21.5:
+    optionalDependencies:
+      '@esbuild/aix-ppc64': 0.21.5
+      '@esbuild/android-arm': 0.21.5
+      '@esbuild/android-arm64': 0.21.5
+      '@esbuild/android-x64': 0.21.5
+      '@esbuild/darwin-arm64': 0.21.5
+      '@esbuild/darwin-x64': 0.21.5
+      '@esbuild/freebsd-arm64': 0.21.5
+      '@esbuild/freebsd-x64': 0.21.5
+      '@esbuild/linux-arm': 0.21.5
+      '@esbuild/linux-arm64': 0.21.5
+      '@esbuild/linux-ia32': 0.21.5
+      '@esbuild/linux-loong64': 0.21.5
+      '@esbuild/linux-mips64el': 0.21.5
+      '@esbuild/linux-ppc64': 0.21.5
+      '@esbuild/linux-riscv64': 0.21.5
+      '@esbuild/linux-s390x': 0.21.5
+      '@esbuild/linux-x64': 0.21.5
+      '@esbuild/netbsd-x64': 0.21.5
+      '@esbuild/openbsd-x64': 0.21.5
+      '@esbuild/sunos-x64': 0.21.5
+      '@esbuild/win32-arm64': 0.21.5
+      '@esbuild/win32-ia32': 0.21.5
+      '@esbuild/win32-x64': 0.21.5
+
+  escape-string-regexp@4.0.0: {}
+
+  estree-walker@0.6.1: {}
+
+  estree-walker@3.0.3:
+    dependencies:
+      '@types/estree': 1.0.8
+
+  exit-hook@2.2.1: {}
+
+  expect-type@1.3.0: {}
+
+  exsolve@1.0.8: {}
+
+  fast-xml-parser@4.5.4:
+    dependencies:
+      strnum: 1.1.2
+
+  fsevents@2.3.3:
+    optional: true
+
+  function-bind@1.1.2: {}
+
+  get-source@2.0.12:
+    dependencies:
+      data-uri-to-buffer: 2.0.2
+      source-map: 0.6.1
+
+  get-tsconfig@4.13.6:
+    dependencies:
+      resolve-pkg-maps: 1.0.0
+
+  glob-to-regexp@0.4.1: {}
+
+  hasown@2.0.2:
+    dependencies:
+      function-bind: 1.1.2
+
+  hono@4.12.8: {}
+
+  is-arrayish@0.3.4:
+    optional: true
+
+  is-core-module@2.16.1:
+    dependencies:
+      hasown: 2.0.2
+
+  itty-time@1.0.6: {}
+
+  js-md5@0.8.3: {}
+
+  loupe@3.2.1: {}
+
+  magic-string@0.25.9:
+    dependencies:
+      sourcemap-codec: 1.4.8
+
+  magic-string@0.30.21:
+    dependencies:
+      '@jridgewell/sourcemap-codec': 1.5.5
+
+  mime@3.0.0: {}
+
+  miniflare@3.20241230.0:
+    dependencies:
+      '@cspotcode/source-map-support': 0.8.1
+      acorn: 8.14.0
+      acorn-walk: 8.3.2
+      capnp-ts: 0.7.0
+      exit-hook: 2.2.1
+      glob-to-regexp: 0.4.1
+      stoppable: 1.1.0
+      undici: 5.29.0
+      workerd: 1.20241230.0
+      ws: 8.18.0
+      youch: 3.3.4
+      zod: 3.22.3
+    transitivePeerDependencies:
+      - bufferutil
+      - supports-color
+      - utf-8-validate
+
+  miniflare@3.20250718.3:
+    dependencies:
+      '@cspotcode/source-map-support': 0.8.1
+      acorn: 8.14.0
+      acorn-walk: 8.3.2
+      exit-hook: 2.2.1
+      glob-to-regexp: 0.4.1
+      stoppable: 1.1.0
+      undici: 5.29.0
+      workerd: 1.20250718.0
+      ws: 8.18.0
+      youch: 3.3.4
+      zod: 3.22.3
+    transitivePeerDependencies:
+      - bufferutil
+      - utf-8-validate
+
+  mlly@1.8.1:
+    dependencies:
+      acorn: 8.16.0
+      pathe: 2.0.3
+      pkg-types: 1.3.1
+      ufo: 1.6.3
+
+  ms@2.1.3: {}
+
+  mustache@4.2.0: {}
+
+  nanoid@3.3.11: {}
+
+  node-forge@1.3.3: {}
+
+  ohash@1.1.6: {}
+
+  ohash@2.0.11: {}
+
+  path-parse@1.0.7: {}
+
+  path-to-regexp@6.3.0: {}
+
+  pathe@1.1.2: {}
+
+  pathe@2.0.3: {}
+
+  pathval@2.0.1: {}
+
+  picocolors@1.1.1: {}
+
+  pkg-types@1.3.1:
+    dependencies:
+      confbox: 0.1.8
+      mlly: 1.8.1
+      pathe: 2.0.3
+
+  postcss@8.5.8:
+    dependencies:
+      nanoid: 3.3.11
+      picocolors: 1.1.1
+      source-map-js: 1.2.1
+
+  printable-characters@1.0.42: {}
+
+  readdirp@4.1.2: {}
+
+  resolve-pkg-maps@1.0.0: {}
+
+  resolve@1.22.11:
+    dependencies:
+      is-core-module: 2.16.1
+      path-parse: 1.0.7
+      supports-preserve-symlinks-flag: 1.0.0
+
+  rollup-plugin-inject@3.0.2:
+    dependencies:
+      estree-walker: 0.6.1
+      magic-string: 0.25.9
+      rollup-pluginutils: 2.8.2
+
+  rollup-plugin-node-polyfills@0.2.1:
+    dependencies:
+      rollup-plugin-inject: 3.0.2
+
+  rollup-pluginutils@2.8.2:
+    dependencies:
+      estree-walker: 0.6.1
+
+  rollup@4.59.0:
+    dependencies:
+      '@types/estree': 1.0.8
+    optionalDependencies:
+      '@rollup/rollup-android-arm-eabi': 4.59.0
+      '@rollup/rollup-android-arm64': 4.59.0
+      '@rollup/rollup-darwin-arm64': 4.59.0
+      '@rollup/rollup-darwin-x64': 4.59.0
+      '@rollup/rollup-freebsd-arm64': 4.59.0
+      '@rollup/rollup-freebsd-x64': 4.59.0
+      '@rollup/rollup-linux-arm-gnueabihf': 4.59.0
+      '@rollup/rollup-linux-arm-musleabihf': 4.59.0
+      '@rollup/rollup-linux-arm64-gnu': 4.59.0
+      '@rollup/rollup-linux-arm64-musl': 4.59.0
+      '@rollup/rollup-linux-loong64-gnu': 4.59.0
+      '@rollup/rollup-linux-loong64-musl': 4.59.0
+      '@rollup/rollup-linux-ppc64-gnu': 4.59.0
+      '@rollup/rollup-linux-ppc64-musl': 4.59.0
+      '@rollup/rollup-linux-riscv64-gnu': 4.59.0
+      '@rollup/rollup-linux-riscv64-musl': 4.59.0
+      '@rollup/rollup-linux-s390x-gnu': 4.59.0
+      '@rollup/rollup-linux-x64-gnu': 4.59.0
+      '@rollup/rollup-linux-x64-musl': 4.59.0
+      '@rollup/rollup-openbsd-x64': 4.59.0
+      '@rollup/rollup-openharmony-arm64': 4.59.0
+      '@rollup/rollup-win32-arm64-msvc': 4.59.0
+      '@rollup/rollup-win32-ia32-msvc': 4.59.0
+      '@rollup/rollup-win32-x64-gnu': 4.59.0
+      '@rollup/rollup-win32-x64-msvc': 4.59.0
+      fsevents: 2.3.3
+
+  selfsigned@2.4.1:
+    dependencies:
+      '@types/node-forge': 1.3.14
+      node-forge: 1.3.3
+
+  semver@7.7.4: {}
+
+  sharp@0.33.5:
+    dependencies:
+      color: 4.2.3
+      detect-libc: 2.1.2
+      semver: 7.7.4
+    optionalDependencies:
+      '@img/sharp-darwin-arm64': 0.33.5
+      '@img/sharp-darwin-x64': 0.33.5
+      '@img/sharp-libvips-darwin-arm64': 1.0.4
+      '@img/sharp-libvips-darwin-x64': 1.0.4
+      '@img/sharp-libvips-linux-arm': 1.0.5
+      '@img/sharp-libvips-linux-arm64': 1.0.4
+      '@img/sharp-libvips-linux-s390x': 1.0.4
+      '@img/sharp-libvips-linux-x64': 1.0.4
+      '@img/sharp-libvips-linuxmusl-arm64': 1.0.4
+      '@img/sharp-libvips-linuxmusl-x64': 1.0.4
+      '@img/sharp-linux-arm': 0.33.5
+      '@img/sharp-linux-arm64': 0.33.5
+      '@img/sharp-linux-s390x': 0.33.5
+      '@img/sharp-linux-x64': 0.33.5
+      '@img/sharp-linuxmusl-arm64': 0.33.5
+      '@img/sharp-linuxmusl-x64': 0.33.5
+      '@img/sharp-wasm32': 0.33.5
+      '@img/sharp-win32-ia32': 0.33.5
+      '@img/sharp-win32-x64': 0.33.5
+    optional: true
+
+  siginfo@2.0.0: {}
+
+  simple-swizzle@0.2.4:
+    dependencies:
+      is-arrayish: 0.3.4
+    optional: true
+
+  source-map-js@1.2.1: {}
+
+  source-map-support@0.5.21:
+    dependencies:
+      buffer-from: 1.1.2
+      source-map: 0.6.1
+
+  source-map@0.6.1: {}
+
+  sourcemap-codec@1.4.8: {}
+
+  stackback@0.0.2: {}
+
+  stacktracey@2.2.0:
+    dependencies:
+      as-table: 1.0.55
+      get-source: 2.0.12
+
+  std-env@3.10.0: {}
+
+  stoppable@1.1.0: {}
+
+  strnum@1.1.2: {}
+
+  supports-preserve-symlinks-flag@1.0.0: {}
+
+  tinybench@2.9.0: {}
+
+  tinyexec@0.3.2: {}
+
+  tinypool@1.1.1: {}
+
+  tinyrainbow@1.2.0: {}
+
+  tinyspy@3.0.2: {}
+
+  tslib@2.8.1: {}
+
+  typescript@5.9.3: {}
+
+  ufo@1.6.3: {}
+
+  undici-types@7.18.2: {}
+
+  undici@5.29.0:
+    dependencies:
+      '@fastify/busboy': 2.1.1
+
+  unenv-nightly@2.0.0-20241218-183400-5d6aec3:
+    dependencies:
+      defu: 6.1.4
+      mlly: 1.8.1
+      ohash: 1.1.6
+      pathe: 1.1.2
+      ufo: 1.6.3
+
+  unenv@2.0.0-rc.14:
+    dependencies:
+      defu: 6.1.4
+      exsolve: 1.0.8
+      ohash: 2.0.11
+      pathe: 2.0.3
+      ufo: 1.6.3
+
+  vite-node@2.1.9(@types/node@25.5.0):
+    dependencies:
+      cac: 6.7.14
+      debug: 4.4.3
+      es-module-lexer: 1.7.0
+      pathe: 1.1.2
+      vite: 5.4.21(@types/node@25.5.0)
+    transitivePeerDependencies:
+      - '@types/node'
+      - less
+      - lightningcss
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+
+  vite@5.4.21(@types/node@25.5.0):
+    dependencies:
+      esbuild: 0.21.5
+      postcss: 8.5.8
+      rollup: 4.59.0
+    optionalDependencies:
+      '@types/node': 25.5.0
+      fsevents: 2.3.3
+
+  vitest@2.1.9(@types/node@25.5.0):
+    dependencies:
+      '@vitest/expect': 2.1.9
+      '@vitest/mocker': 2.1.9(vite@5.4.21(@types/node@25.5.0))
+      '@vitest/pretty-format': 2.1.9
+      '@vitest/runner': 2.1.9
+      '@vitest/snapshot': 2.1.9
+      '@vitest/spy': 2.1.9
+      '@vitest/utils': 2.1.9
+      chai: 5.3.3
+      debug: 4.4.3
+      expect-type: 1.3.0
+      magic-string: 0.30.21
+      pathe: 1.1.2
+      std-env: 3.10.0
+      tinybench: 2.9.0
+      tinyexec: 0.3.2
+      tinypool: 1.1.1
+      tinyrainbow: 1.2.0
+      vite: 5.4.21(@types/node@25.5.0)
+      vite-node: 2.1.9(@types/node@25.5.0)
+      why-is-node-running: 2.3.0
+    optionalDependencies:
+      '@types/node': 25.5.0
+    transitivePeerDependencies:
+      - less
+      - lightningcss
+      - msw
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+
+  why-is-node-running@2.3.0:
+    dependencies:
+      siginfo: 2.0.0
+      stackback: 0.0.2
+
+  workerd@1.20241230.0:
+    optionalDependencies:
+      '@cloudflare/workerd-darwin-64': 1.20241230.0
+      '@cloudflare/workerd-darwin-arm64': 1.20241230.0
+      '@cloudflare/workerd-linux-64': 1.20241230.0
+      '@cloudflare/workerd-linux-arm64': 1.20241230.0
+      '@cloudflare/workerd-windows-64': 1.20241230.0
+
+  workerd@1.20250718.0:
+    optionalDependencies:
+      '@cloudflare/workerd-darwin-64': 1.20250718.0
+      '@cloudflare/workerd-darwin-arm64': 1.20250718.0
+      '@cloudflare/workerd-linux-64': 1.20250718.0
+      '@cloudflare/workerd-linux-arm64': 1.20250718.0
+      '@cloudflare/workerd-windows-64': 1.20250718.0
+
+  wrangler@3.100.0(@cloudflare/workers-types@4.20260316.1):
+    dependencies:
+      '@cloudflare/kv-asset-handler': 0.3.4
+      '@esbuild-plugins/node-globals-polyfill': 0.2.3(esbuild@0.17.19)
+      '@esbuild-plugins/node-modules-polyfill': 0.2.2(esbuild@0.17.19)
+      blake3-wasm: 2.1.5
+      chokidar: 4.0.3
+      date-fns: 4.1.0
+      esbuild: 0.17.19
+      itty-time: 1.0.6
+      miniflare: 3.20241230.0
+      nanoid: 3.3.11
+      path-to-regexp: 6.3.0
+      resolve: 1.22.11
+      selfsigned: 2.4.1
+      source-map: 0.6.1
+      unenv: unenv-nightly@2.0.0-20241218-183400-5d6aec3
+      workerd: 1.20241230.0
+      xxhash-wasm: 1.1.0
+    optionalDependencies:
+      '@cloudflare/workers-types': 4.20260316.1
+      fsevents: 2.3.3
+    transitivePeerDependencies:
+      - bufferutil
+      - supports-color
+      - utf-8-validate
+
+  wrangler@3.114.17(@cloudflare/workers-types@4.20260316.1):
+    dependencies:
+      '@cloudflare/kv-asset-handler': 0.3.4
+      '@cloudflare/unenv-preset': 2.0.2(unenv@2.0.0-rc.14)(workerd@1.20250718.0)
+      '@esbuild-plugins/node-globals-polyfill': 0.2.3(esbuild@0.17.19)
+      '@esbuild-plugins/node-modules-polyfill': 0.2.2(esbuild@0.17.19)
+      blake3-wasm: 2.1.5
+      esbuild: 0.17.19
+      miniflare: 3.20250718.3
+      path-to-regexp: 6.3.0
+      unenv: 2.0.0-rc.14
+      workerd: 1.20250718.0
+    optionalDependencies:
+      '@cloudflare/workers-types': 4.20260316.1
+      fsevents: 2.3.3
+      sharp: 0.33.5
+    transitivePeerDependencies:
+      - bufferutil
+      - utf-8-validate
+
+  ws@8.18.0: {}
+
+  xxhash-wasm@1.1.0: {}
+
+  youch@3.3.4:
+    dependencies:
+      cookie: 0.7.2
+      mustache: 4.2.0
+      stacktracey: 2.2.0
+
+  zod@3.22.3: {}
diff --git a/cloudflare/scripts/migrate-data.ts b/cloudflare/scripts/migrate-data.ts
new file mode 100644
index 0000000..68c4b1a
--- /dev/null
+++ b/cloudflare/scripts/migrate-data.ts
@@ -0,0 +1,140 @@
+/**
+ * Data migration script: SQLite (Blocklet) → D1 (Cloudflare)
+ *
+ * Usage:
+ *   npx tsx scripts/migrate-data.ts --source /path/to/media-kit.db --d1-name media-kit-db
+ *
+ * Prerequisites:
+ *   - Source SQLite database from Blocklet Server
+ *   - wrangler CLI authenticated with Cloudflare account
+ *   - D1 database already created with schema (run db:migrate:remote first)
+ */
+
+import Database from 'better-sqlite3';
+
+const SOURCE_DB_PATH = process.argv.find((_, i, a) => a[i - 1] === '--source') || '';
+const D1_DB_NAME = process.argv.find((_, i, a) => a[i - 1] === '--d1-name') || 'media-kit-db';
+const DRY_RUN = process.argv.includes('--dry-run');
+const BATCH_SIZE = 50;
+
+if (!SOURCE_DB_PATH) {
+  console.error('Usage: npx tsx scripts/migrate-data.ts --source <path-to-sqlite-db> [--d1-name <name>] [--dry-run]');
+  process.exit(1);
+}
+
+interface UploadRow {
+  id: string;
+  filename: string;
+  originalname: string | null;
+  mimetype: string | null;
+  size: number | null;
+  remark: string | null;
+  tags: string | null;
+  folderId: string | null;
+  createdAt: string | null;
+  updatedAt: string | null;
+  createdBy: string | null;
+  updatedBy: string | null;
+}
+
+interface FolderRow {
+  id: string;
+  name: string;
+  createdAt: string | null;
+  updatedAt: string | null;
+  createdBy: string | null;
+  updatedBy: string | null;
+}
+
+async function d1Execute(sql: string, params: any[]) {
+  if (DRY_RUN) {
+    console.log(`[DRY RUN] ${sql}`);
+    console.log(`  params: ${JSON.stringify(params)}`);
+    return;
+  }
+
+  const paramsJson = JSON.stringify(params);
+  const { execSync } = await import('child_process');
+  execSync(
+    `wrangler d1 execute ${D1_DB_NAME} --remote --command "${sql.replace(/"/g, '\\"')}" --json`,
+    {
+      stdio: 'pipe',
+      env: { ...process.env },
+      input: paramsJson,
+    },
+  );
+}
+
+async function main() {
+  console.log(`Opening source database: ${SOURCE_DB_PATH}`);
+  const sourceDb = new Database(SOURCE_DB_PATH, { readonly: true });
+
+  // Migrate uploads
+  const uploads = sourceDb.prepare('SELECT * FROM uploads').all() as UploadRow[];
+  console.log(`Found ${uploads.length} uploads to migrate`);
+
+  let uploadCount = 0;
+  for (let i = 0; i < uploads.length; i += BATCH_SIZE) {
+    const batch = uploads.slice(i, i + BATCH_SIZE);
+    for (const u of batch) {
+      const stmt = `INSERT OR IGNORE INTO uploads (id,filename,originalname,mimetype,size,remark,folder_id,created_at,updated_at,created_by,updated_by) VALUES (?,?,?,?,?,?,?,?,?,?,?)`;
+      const params = [
+        u.id,
+        u.filename,
+        u.originalname || '',
+        u.mimetype || '',
+        u.size || 0,
+        u.remark || '',
+        u.folderId || '',
+        u.createdAt || '',
+        u.updatedAt || '',
+        u.createdBy || '',
+        u.updatedBy || '',
+      ];
+      await d1Execute(stmt, params);
+
+      // Migrate tags from JSON to upload_tags table
+      try {
+        const tags: string[] = JSON.parse(u.tags || '[]');
+        for (const tag of tags) {
+          if (tag) {
+            await d1Execute(
+              'INSERT OR IGNORE INTO upload_tags (upload_id, tag) VALUES (?, ?)',
+              [u.id, tag],
+            );
+          }
+        }
+      } catch {
+        // Invalid JSON tags, skip
+      }
+
+      uploadCount++;
+    }
+    console.log(`  Migrated ${Math.min(i + BATCH_SIZE, uploads.length)}/${uploads.length} uploads`);
+  }
+
+  // Migrate folders
+  const folders = sourceDb.prepare('SELECT * FROM folders').all() as FolderRow[];
+  console.log(`Found ${folders.length} folders to migrate`);
+
+  for (const f of folders) {
+    await d1Execute(
+      'INSERT OR IGNORE INTO folders (id, name, created_at, updated_at, created_by, updated_by) VALUES (?,?,?,?,?,?)',
+      [f.id, f.name, f.createdAt || '', f.updatedAt || '', f.createdBy || '', f.updatedBy || ''],
+    );
+  }
+
+  sourceDb.close();
+
+  console.log(`\nMigration complete!`);
+  console.log(`  Uploads: ${uploadCount}`);
+  console.log(`  Folders: ${folders.length}`);
+  if (DRY_RUN) {
+    console.log(`  (DRY RUN - no data was actually written)`);
+  }
+}
+
+main().catch((err) => {
+  console.error('Migration failed:', err);
+  process.exit(1);
+});
diff --git a/cloudflare/src/__tests__/utils.test.ts b/cloudflare/src/__tests__/utils.test.ts
new file mode 100644
index 0000000..a4e94d8
--- /dev/null
+++ b/cloudflare/src/__tests__/utils.test.ts
@@ -0,0 +1,84 @@
+import { describe, it, expect } from 'vitest';
+import { detectMimeType, sanitizeSvg } from '../utils/hash';
+
+describe('detectMimeType', () => {
+  it('detects JPEG', () => {
+    const bytes = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00]);
+    expect(detectMimeType(bytes)).toBe('image/jpeg');
+  });
+
+  it('detects PNG', () => {
+    const bytes = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
+    expect(detectMimeType(bytes)).toBe('image/png');
+  });
+
+  it('detects GIF', () => {
+    const bytes = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39]);
+    expect(detectMimeType(bytes)).toBe('image/gif');
+  });
+
+  it('detects BMP', () => {
+    const bytes = new Uint8Array([0x42, 0x4d, 0x00, 0x00]);
+    expect(detectMimeType(bytes)).toBe('image/bmp');
+  });
+
+  it('detects ICO', () => {
+    const bytes = new Uint8Array([0x00, 0x00, 0x01, 0x00]);
+    expect(detectMimeType(bytes)).toBe('image/x-icon');
+  });
+
+  it('detects PDF', () => {
+    const bytes = new Uint8Array([0x25, 0x50, 0x44, 0x46, 0x2d]);
+    expect(detectMimeType(bytes)).toBe('application/pdf');
+  });
+
+  it('detects SVG', () => {
+    const svgStr = '<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>';
+    const bytes = new TextEncoder().encode(svgStr);
+    expect(detectMimeType(bytes)).toBe('image/svg+xml');
+  });
+
+  it('returns null for unknown', () => {
+    const bytes = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
+    expect(detectMimeType(bytes)).toBeNull();
+  });
+
+  it('returns null for too-short input', () => {
+    const bytes = new Uint8Array([0xff, 0xd8]);
+    expect(detectMimeType(bytes)).toBeNull();
+  });
+});
+
+describe('sanitizeSvg', () => {
+  it('removes script tags', () => {
+    const input = '<svg><script>alert("xss")</script><rect/></svg>';
+    const result = sanitizeSvg(input);
+    expect(result).not.toContain('<script');
+    expect(result).toContain('<rect/>');
+  });
+
+  it('removes on* event attributes', () => {
+    const input = '<svg><rect onclick="alert(1)" onload="hack()"/></svg>';
+    const result = sanitizeSvg(input);
+    expect(result).not.toContain('onclick');
+    expect(result).not.toContain('onload');
+  });
+
+  it('removes javascript: URLs', () => {
+    const input = '<svg><a href="javascript:alert(1)"><text>click</text></a></svg>';
+    const result = sanitizeSvg(input);
+    expect(result).not.toContain('javascript:');
+  });
+
+  it('removes foreignObject', () => {
+    const input = '<svg><foreignObject><body><script>alert(1)</script></body></foreignObject></svg>';
+    const result = sanitizeSvg(input);
+    expect(result).not.toContain('foreignObject');
+  });
+
+  it('preserves safe SVG content', () => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" fill="red"/></svg>';
+    const result = sanitizeSvg(input);
+    expect(result).toBe(input);
+  });
+});
diff --git a/cloudflare/src/__tests__/worker.integration.ts b/cloudflare/src/__tests__/worker.integration.ts
new file mode 100644
index 0000000..96cd2bf
--- /dev/null
+++ b/cloudflare/src/__tests__/worker.integration.ts
@@ -0,0 +1,90 @@
+import { describe, it, expect } from 'vitest';
+import { env, SELF } from 'cloudflare:test';
+
+describe('Worker integration', () => {
+  it('responds to health check', async () => {
+    const res = await SELF.fetch('https://media-kit.test/health');
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.status).toBe('ok');
+    expect(body.version).toBe('1.0.0');
+  });
+
+  it('returns 404 for unknown routes', async () => {
+    const res = await SELF.fetch('https://media-kit.test/nonexistent');
+    expect(res.status).toBe(404);
+  });
+
+  it('returns uploader status without auth', async () => {
+    const res = await SELF.fetch('https://media-kit.test/api/uploader/status');
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body).toHaveProperty('availablePluginMap');
+    expect(body).toHaveProperty('preferences');
+    expect(body).toHaveProperty('restrictions');
+    expect(body.availablePluginMap.Resources).toBe(false);
+    expect(body.restrictions).toHaveProperty('allowedFileTypes');
+    expect(body.restrictions).toHaveProperty('maxFileSize');
+  });
+
+  it('returns 404 for non-existent upload file', async () => {
+    const res = await SELF.fetch('https://media-kit.test/uploads/nonexistent.png');
+    expect(res.status).toBe(404);
+  });
+
+  it('check endpoint returns exists:false for empty DB', async () => {
+    const res = await SELF.fetch('https://media-kit.test/api/uploads/check', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ size: 1024, ext: '.png' }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.exists).toBe(false);
+  });
+
+  it('presign endpoint returns sessionId and presignedUrl', async () => {
+    const res = await SELF.fetch('https://media-kit.test/api/uploads/presign', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        originalname: 'test.png',
+        mimetype: 'image/png',
+        size: 1024,
+        ext: '.png',
+      }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body).toHaveProperty('sessionId');
+    // presignedUrl may fail without real R2 credentials, but sessionId should exist
+    expect(typeof body.sessionId).toBe('string');
+  });
+
+  it('list uploads returns paginated response', async () => {
+    const res = await SELF.fetch('https://media-kit.test/api/uploads');
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body).toHaveProperty('uploads');
+    expect(body).toHaveProperty('folders');
+    expect(body).toHaveProperty('total');
+    expect(body).toHaveProperty('page');
+    expect(body).toHaveProperty('pageSize');
+  });
+
+  it('auth middleware sets default DID', async () => {
+    const res = await SELF.fetch('https://media-kit.test/api/uploads');
+    expect(res.status).toBe(200);
+    // If auth failed, we'd get 401/403
+  });
+
+  it('admin routes reject non-admin users', async () => {
+    // Default DID is in ADMIN_DIDS, so it IS admin
+    // A different DID should be rejected
+    const res = await SELF.fetch('https://media-kit.test/api/uploads/some-id', {
+      method: 'DELETE',
+      headers: { 'x-user-did': 'did:abt:non-admin-user' },
+    });
+    expect(res.status).toBe(403);
+  });
+});
diff --git a/cloudflare/src/db/schema.ts b/cloudflare/src/db/schema.ts
new file mode 100644
index 0000000..75d6b8a
--- /dev/null
+++ b/cloudflare/src/db/schema.ts
@@ -0,0 +1,56 @@
+import { sqliteTable, text, integer, index, primaryKey } from 'drizzle-orm/sqlite-core';
+
+export const uploads = sqliteTable('uploads', {
+  id: text('id').primaryKey(),
+  filename: text('filename').notNull(),
+  originalname: text('originalname'),
+  mimetype: text('mimetype'),
+  size: integer('size'),
+  remark: text('remark').default(''),
+  folderId: text('folder_id'),
+  createdAt: text('created_at'),
+  updatedAt: text('updated_at'),
+  createdBy: text('created_by'),
+  updatedBy: text('updated_by'),
+}, (table) => ({
+  filenameIdx: index('idx_uploads_filename').on(table.filename),
+  folderIdIdx: index('idx_uploads_folder_id').on(table.folderId),
+  mimetypeIdx: index('idx_uploads_mimetype').on(table.mimetype),
+  createdByIdx: index('idx_uploads_created_by').on(table.createdBy),
+  createdAtIdx: index('idx_uploads_created_at').on(table.createdAt),
+}));
+
+export const uploadTags = sqliteTable('upload_tags', {
+  uploadId: text('upload_id').notNull().references(() => uploads.id, { onDelete: 'cascade' }),
+  tag: text('tag').notNull(),
+}, (table) => ({
+  pk: primaryKey({ columns: [table.uploadId, table.tag] }),
+  tagIdx: index('idx_upload_tags_tag').on(table.tag, table.uploadId),
+}));
+
+export const folders = sqliteTable('folders', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  createdAt: text('created_at'),
+  updatedAt: text('updated_at'),
+  createdBy: text('created_by'),
+  updatedBy: text('updated_by'),
+}, (table) => ({
+  nameIdx: index('idx_folders_name').on(table.name),
+}));
+
+export const uploadSessions = sqliteTable('upload_sessions', {
+  id: text('id').primaryKey(),
+  uploadId: text('upload_id'),
+  key: text('key').notNull(),
+  finalKey: text('final_key'),
+  totalSize: integer('total_size'),
+  partSize: integer('part_size'),
+  status: text('status').default('active'),
+  createdBy: text('created_by'),
+  createdAt: text('created_at'),
+  expiresAt: text('expires_at'),
+}, (table) => ({
+  statusIdx: index('idx_upload_sessions_status').on(table.status),
+  expiresIdx: index('idx_upload_sessions_expires').on(table.expiresAt),
+}));
diff --git a/cloudflare/src/middleware/auth.ts b/cloudflare/src/middleware/auth.ts
new file mode 100644
index 0000000..e370f5d
--- /dev/null
+++ b/cloudflare/src/middleware/auth.ts
@@ -0,0 +1,32 @@
+import { Context, Next } from 'hono';
+import type { HonoEnv } from '../types';
+
+const DEFAULT_DID = 'did:abt:default-uploader';
+
+/**
+ * Auth middleware.
+ *
+ * TODO: replace with shijun's CF auth SDK.
+ * When auth is ready, upload flow should go through Worker (not presigned URL direct upload)
+ * to ensure every request is authenticated.
+ */
+export async function authMiddleware(c: Context<HonoEnv>, next: Next) {
+  const userId = c.req.header('x-user-did') || DEFAULT_DID;
+  const adminDids = (c.env.ADMIN_DIDS || DEFAULT_DID).split(',').map((s) => s.trim());
+  const isAdmin = adminDids.includes(userId);
+
+  c.set('user', {
+    id: userId,
+    role: isAdmin ? 'admin' : 'member',
+  });
+
+  return next();
+}
+
+export async function isAdminMiddleware(c: Context<HonoEnv>, next: Next) {
+  const user = c.get('user');
+  if (user.role !== 'admin') {
+    return c.json({ error: 'Admin access required' }, 403);
+  }
+  return next();
+}
diff --git a/cloudflare/src/routes/cleanup.ts b/cloudflare/src/routes/cleanup.ts
new file mode 100644
index 0000000..a50806e
--- /dev/null
+++ b/cloudflare/src/routes/cleanup.ts
@@ -0,0 +1,49 @@
+import { drizzle } from 'drizzle-orm/d1';
+import { eq, and, lt } from 'drizzle-orm';
+import type { Env } from '../types';
+import { uploadSessions } from '../db/schema';
+import { createS3Client, s3AbortMultipartUpload } from '../utils/s3';
+
+/**
+ * Clean up expired upload sessions.
+ *
+ * Called from the scheduled cron handler (every hour).
+ * - Queries D1 for active sessions past their expires_at time
+ * - For each: aborts the multipart upload via S3 API, updates status to 'aborted'
+ */
+export async function cleanupExpiredSessions(env: Env): Promise<void> {
+  const db = drizzle(env.DB);
+  const now = new Date().toISOString();
+
+  // Find all active sessions that have expired
+  const expired = await db
+    .select()
+    .from(uploadSessions)
+    .where(
+      and(
+        eq(uploadSessions.status, 'active'),
+        lt(uploadSessions.expiresAt, now),
+      ),
+    );
+
+  if (expired.length === 0) return;
+
+  const s3 = createS3Client(env);
+
+  for (const session of expired) {
+    // Attempt to abort the multipart upload in R2 via S3 API
+    if (session.uploadId && session.key) {
+      try {
+        await s3AbortMultipartUpload(s3, env, session.key, session.uploadId);
+      } catch {
+        // Ignore errors — upload might already be cleaned up or completed
+      }
+    }
+
+    // Mark session as aborted in D1
+    await db
+      .update(uploadSessions)
+      .set({ status: 'aborted' })
+      .where(eq(uploadSessions.id, session.id));
+  }
+}
diff --git a/cloudflare/src/routes/folders.ts b/cloudflare/src/routes/folders.ts
new file mode 100644
index 0000000..5f29fa3
--- /dev/null
+++ b/cloudflare/src/routes/folders.ts
@@ -0,0 +1,77 @@
+import { Hono } from 'hono';
+import { eq, desc } from 'drizzle-orm';
+import type { HonoEnv } from '../types';
+import { isAdminMiddleware } from '../middleware/auth';
+import { folders } from '../db/schema';
+
+export const folderRoutes = new Hono<HonoEnv>();
+
+/**
+ * POST /folders — Create a folder (admin only).
+ * If a folder with the same name already exists, return the existing one.
+ */
+folderRoutes.post('/folders', isAdminMiddleware, async (c) => {
+  const db = c.get('db');
+  const user = c.get('user');
+  const body = await c.req.json<{ name: string }>();
+
+  if (!body.name) {
+    return c.json({ error: 'Folder name is required' }, 400);
+  }
+
+  // Check if folder already exists
+  const [existing] = await db
+    .select()
+    .from(folders)
+    .where(eq(folders.name, body.name))
+    .limit(1);
+
+  if (existing) {
+    return c.json({
+      _id: existing.id,
+      name: existing.name,
+      createdAt: existing.createdAt || '',
+      updatedAt: existing.updatedAt || '',
+      createdBy: existing.createdBy || '',
+      updatedBy: existing.updatedBy || '',
+    });
+  }
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  await db.insert(folders).values({
+    id,
+    name: body.name,
+    createdAt: now,
+    updatedAt: now,
+    createdBy: user.id,
+    updatedBy: user.id,
+  });
+
+  return c.json({
+    _id: id,
+    name: body.name,
+    createdAt: now,
+    updatedAt: now,
+    createdBy: user.id,
+    updatedBy: user.id,
+  });
+});
+
+/**
+ * GET /folders — List all folders.
+ */
+folderRoutes.get('/folders', async (c) => {
+  const db = c.get('db');
+  const rows = await db.select().from(folders).orderBy(desc(folders.createdAt));
+
+  return c.json(rows.map((row) => ({
+    _id: row.id,
+    name: row.name,
+    createdAt: row.createdAt || '',
+    updatedAt: row.updatedAt || '',
+    createdBy: row.createdBy || '',
+    updatedBy: row.updatedBy || '',
+  })));
+});
diff --git a/cloudflare/src/routes/serve.ts b/cloudflare/src/routes/serve.ts
new file mode 100644
index 0000000..27a4909
--- /dev/null
+++ b/cloudflare/src/routes/serve.ts
@@ -0,0 +1,68 @@
+import { Hono } from 'hono';
+import type { HonoEnv } from '../types';
+
+export const fileServingRoutes = new Hono<HonoEnv>();
+
+/**
+ * GET /uploads/:filename — Serve files from R2.
+ *
+ * Production: images go through cf.image for EXIF stripping + resize.
+ * Local dev: serve directly from R2 binding (no cf.image).
+ */
+fileServingRoutes.get('/uploads/:filename', async (c) => {
+  const { filename } = c.req.param();
+  const w = c.req.query('w');
+  const h = c.req.query('h');
+  const downloadName = c.req.query('filename');
+
+  const isProduction = c.env.ENVIRONMENT === 'production' && c.env.R2_ORIGIN_DOMAIN;
+
+  const object = await c.env.R2_UPLOADS.head(filename);
+  if (!object) {
+    return c.text('404 NOT FOUND', 404);
+  }
+
+  const contentType = object.httpMetadata?.contentType || 'application/octet-stream';
+  const isImage = contentType.startsWith('image/');
+
+  // Production: use cf.image for EXIF stripping + auto format + resize
+  if (isImage && isProduction) {
+    const r2OriginUrl = `https://${c.env.R2_ORIGIN_DOMAIN}/${filename}`;
+
+    const imageOptions: Record<string, unknown> = {
+      metadata: 'none',
+      format: 'auto',
+    };
+
+    if (w) imageOptions.width = parseInt(w, 10);
+    if (h) imageOptions.height = parseInt(h, 10);
+
+    if (w || h) {
+      imageOptions.fit = 'contain';
+      imageOptions.quality = 85;
+    } else {
+      imageOptions.quality = 100;
+    }
+
+    return fetch(r2OriginUrl, {
+      cf: { image: imageOptions },
+    } as RequestInit);
+  }
+
+  // Local dev / non-image: serve directly from R2 binding
+  const r2Object = await c.env.R2_UPLOADS.get(filename);
+  if (!r2Object) {
+    return c.text('404 NOT FOUND', 404);
+  }
+
+  const headers: Record<string, string> = {
+    'Content-Type': contentType,
+    'Cache-Control': 'public, max-age=31536000, immutable',
+  };
+
+  if (downloadName) {
+    headers['Content-Disposition'] = `attachment; filename="${encodeURIComponent(downloadName)}"`;
+  }
+
+  return new Response(r2Object.body, { headers });
+});
diff --git a/cloudflare/src/routes/status.ts b/cloudflare/src/routes/status.ts
new file mode 100644
index 0000000..7b98697
--- /dev/null
+++ b/cloudflare/src/routes/status.ts
@@ -0,0 +1,29 @@
+import { Hono } from 'hono';
+import type { HonoEnv } from '../types';
+
+export const statusRoutes = new Hono<HonoEnv>();
+
+/**
+ * GET /uploader/status — Return uploader config for the frontend.
+ */
+statusRoutes.get('/uploader/status', async (c) => {
+  const env = c.env;
+
+  const allowedFileTypes = env.ALLOWED_FILE_TYPES || '.jpeg,.png,.gif,.svg,.webp,.bmp,.ico';
+  const maxUploadSize = env.MAX_UPLOAD_SIZE || '100MB';
+  const isUnsplashEnabled = !!(env.UNSPLASH_KEY && env.UNSPLASH_SECRET);
+  const isAiImageEnabled = env.USE_AI_IMAGE !== 'false';
+
+  return c.json({
+    uploadMode: 'presigned',
+    restrictions: {
+      allowedFileExts: allowedFileTypes,
+      maxFileSize: maxUploadSize,
+    },
+    availablePluginMap: {
+      Uploaded: true,
+      ...(isUnsplashEnabled ? { Unsplash: true } : {}),
+      ...(isAiImageEnabled ? { AIImage: true } : {}),
+    },
+  });
+});
diff --git a/cloudflare/src/routes/unsplash.ts b/cloudflare/src/routes/unsplash.ts
new file mode 100644
index 0000000..8f7ce1c
--- /dev/null
+++ b/cloudflare/src/routes/unsplash.ts
@@ -0,0 +1,115 @@
+import { Hono } from 'hono';
+import type { HonoEnv } from '../types';
+import { uploads } from '../db/schema';
+
+export const unsplashRoutes = new Hono<HonoEnv>();
+
+/**
+ * GET /unsplash/search — Search Unsplash photos.
+ * Proxies to Unsplash API with Client-ID auth.
+ * Returns structured results with attribution (ToS compliant).
+ */
+unsplashRoutes.get('/unsplash/search', async (c) => {
+  const query = c.req.query('q');
+  if (!query) {
+    return c.json({ error: 'query parameter "q" is required' }, 400);
+  }
+
+  const page = c.req.query('page') || '1';
+  const perPage = c.req.query('per_page') || '30';
+
+  const res = await fetch(
+    `https://api.unsplash.com/search/photos?query=${encodeURIComponent(query)}&page=${page}&per_page=${perPage}`,
+    {
+      headers: {
+        Authorization: `Client-ID ${c.env.UNSPLASH_KEY}`,
+      },
+    },
+  );
+
+  if (!res.ok) {
+    return c.json({ error: 'Unsplash API request failed' }, res.status as 400);
+  }
+
+  const data = (await res.json()) as {
+    results: Array<{
+      id: string;
+      urls: Record<string, string>;
+      user: { name: string; username: string; links: { html: string } };
+      links: { download_location: string };
+      width: number;
+      height: number;
+      description: string | null;
+      alt_description: string | null;
+    }>;
+    total: number;
+    total_pages: number;
+  };
+
+  return c.json({
+    results: data.results.map((photo) => ({
+      id: photo.id,
+      urls: photo.urls,
+      attribution: {
+        name: photo.user.name,
+        username: photo.user.username,
+        link: photo.user.links.html,
+      },
+      download_location: photo.links.download_location,
+      width: photo.width,
+      height: photo.height,
+      description: photo.description || photo.alt_description,
+    })),
+    total: data.total,
+    total_pages: data.total_pages,
+  });
+});
+
+/**
+ * POST /unsplash/track-download — Track download + save reference in D1.
+ * Required by Unsplash API ToS: must trigger download tracking when user selects a photo.
+ * Saves a reference record in the uploads table with `unsplash:{photoId}` as filename
+ * (not an actual R2 key — images are hotlinked, not re-hosted).
+ */
+unsplashRoutes.post('/unsplash/track-download', async (c) => {
+  const body = await c.req.json<{
+    downloadLocation: string;
+    photoId: string;
+    attribution: { name: string; username: string; link: string };
+  }>();
+
+  const { downloadLocation, photoId, attribution } = body;
+
+  if (!downloadLocation || !photoId || !attribution) {
+    return c.json({ error: 'downloadLocation, photoId, and attribution are required' }, 400);
+  }
+
+  // Required by Unsplash API: trigger download tracking
+  await fetch(downloadLocation, {
+    headers: {
+      Authorization: `Client-ID ${c.env.UNSPLASH_KEY}`,
+    },
+  });
+
+  // Save reference in D1 (NOT the image file — hotlink only)
+  const db = c.get('db');
+  const user = c.get('user');
+  const now = new Date().toISOString();
+  const id = crypto.randomUUID();
+
+  await db.insert(uploads).values({
+    id,
+    filename: `unsplash:${photoId}`, // special prefix, not an R2 key
+    originalname: `${attribution.name} via Unsplash`,
+    mimetype: 'image/jpeg',
+    size: 0, // not stored locally
+    folderId: c.req.header('x-folder-id') || null,
+    remark: JSON.stringify({ unsplash: true, attribution, photoId }),
+    createdAt: now,
+    updatedAt: now,
+    createdBy: user.id,
+    updatedBy: user.id,
+  });
+
+  return c.json({ id, photoId });
+});
diff --git a/cloudflare/src/routes/upload.ts b/cloudflare/src/routes/upload.ts
new file mode 100644
index 0000000..025bbce
--- /dev/null
+++ b/cloudflare/src/routes/upload.ts
@@ -0,0 +1,725 @@
+import { Hono } from 'hono';
+import { eq, and, like, desc, sql, inArray } from 'drizzle-orm';
+import type { HonoEnv, CheckResponse, PresignResponse, ConfirmResponse } from '../types';
+import { uploads, uploadTags, uploadSessions, folders } from '../db/schema';
+import {
+  createS3Client,
+  generatePresignedPutUrl,
+  s3CreateMultipartUpload,
+  s3CompleteMultipartUpload,
+  s3AbortMultipartUpload,
+  s3ListParts,
+} from '../utils/s3';
+import { streamMD5, detectMimeType, sanitizeSvg } from '../utils/hash';
+import { isAdminMiddleware } from '../middleware/auth';
+
+const MULTIPART_THRESHOLD = 100 * 1024 * 1024; // 100MB
+const DEFAULT_PART_SIZE = 10 * 1024 * 1024; // 10MB
+const MIN_PART_SIZE = 5 * 1024 * 1024; // 5MB
+const MAX_PARTS = 10000;
+const SESSION_EXPIRY_HOURS = 24;
+function parseSize(size: string): number {
+  const match = size.match(/^(\d+)\s*(MB|GB|KB)?$/i);
+  if (!match) return 500 * 1024 * 1024;
+  const num = parseInt(match[1], 10);
+  const unit = (match[2] || 'MB').toUpperCase();
+  if (unit === 'GB') return num * 1024 * 1024 * 1024;
+  if (unit === 'KB') return num * 1024;
+  return num * 1024 * 1024;
+}
+
+export const uploadRoutes = new Hono<HonoEnv>();
+
+// POST /uploads/check — Dedup check by size+ext
+uploadRoutes.post('/uploads/check', async (c) => {
+  const { size, ext } = await c.req.json<{ size: number; ext: string }>();
+  if (!size || !ext) {
+    return c.json({ exists: false } satisfies CheckResponse);
+  }
+
+  const db = c.get('db');
+  const cleanExt = ext.replace(/^\./, '');
+  const matches = await db
+    .select()
+    .from(uploads)
+    .where(and(eq(uploads.size, size), like(uploads.filename, `%.${cleanExt}`)));
+
+  if (matches.length === 1) {
+    const match = matches[0];
+    return c.json({
+      exists: true,
+      url: `/uploads/${match.filename}`,
+      filename: match.filename,
+      uploadId: match.id,
+    } satisfies CheckResponse);
+  }
+
+  return c.json({ exists: false } satisfies CheckResponse);
+});
+
+// POST /uploads/presign — Generate presigned URL or create multipart session
+uploadRoutes.post('/uploads/presign', async (c) => {
+  const { originalname, mimetype, size, ext, folderId } = await c.req.json<{
+    originalname: string;
+    mimetype?: string;
+    size: number;
+    ext: string;
+    folderId?: string;
+  }>();
+
+  const db = c.get('db');
+  const user = c.get('user');
+  const s3 = createS3Client(c.env);
+  const cleanExt = ext.replace(/^\./, '');
+  const sessionId = crypto.randomUUID();
+  const tempKey = `tmp/${crypto.randomUUID()}.${cleanExt}`;
+  const now = new Date().toISOString();
+  const expiresAt = new Date(Date.now() + SESSION_EXPIRY_HOURS * 60 * 60 * 1000).toISOString();
+
+  const isMultipart = size >= MULTIPART_THRESHOLD;
+
+  if (isMultipart) {
+    const uploadId = await s3CreateMultipartUpload(s3, c.env, tempKey, mimetype);
+
+    let partSize = DEFAULT_PART_SIZE;
+    let partCount = Math.ceil(size / partSize);
+    if (partCount > MAX_PARTS) {
+      partSize = Math.ceil(size / MAX_PARTS);
+      if (partSize < MIN_PART_SIZE) partSize = MIN_PART_SIZE;
+      partCount = Math.ceil(size / partSize);
+    }
+
+    await db.insert(uploadSessions).values({
+      id: sessionId,
+      uploadId,
+      key: tempKey,
+      totalSize: size,
+      partSize,
+      status: 'active',
+      createdBy: user.id,
+      createdAt: now,
+      expiresAt,
+    });
+
+    return c.json({
+      sessionId,
+      multipart: true,
+      uploadId,
+      key: tempKey,
+      partSize,
+      partCount,
+    } satisfies PresignResponse);
+  }
+
+  await db.insert(uploadSessions).values({
+    id: sessionId,
+    key: tempKey,
+    totalSize: size,
+    status: 'active',
+    createdBy: user.id,
+    createdAt: now,
+    expiresAt,
+  });
+
+  // In dev mode, return a proxy URL through the worker (avoids CORS with remote R2)
+  const isDev = c.env.ENVIRONMENT === 'development';
+  let presignedUrl: string;
+
+  if (isDev) {
+    presignedUrl = `/api/uploads/proxy-put/${sessionId}`;
+  } else {
+    presignedUrl = await generatePresignedPutUrl(s3, c.env, tempKey, {
+      contentType: mimetype,
+    });
+  }
+
+  return c.json({
+    sessionId,
+    presignedUrl,
+  } satisfies PresignResponse);
+});
+
+// POST /uploads/confirm — Finalize upload
+uploadRoutes.post('/uploads/confirm', async (c) => {
+  const body = await c.req.json<{
+    sessionId?: string;
+    existingUploadId?: string;
+    originalname?: string;
+    mimetype?: string;
+    folderId?: string;
+    tags?: string;
+  }>();
+
+  const db = c.get('db');
+  const user = c.get('user');
+
+  // Dedup shortcut: clone existing record for current user
+  if (body.existingUploadId) {
+    const [existing] = await db
+      .select()
+      .from(uploads)
+      .where(eq(uploads.id, body.existingUploadId))
+      .limit(1);
+
+    if (!existing) {
+      return c.json({ error: 'Upload not found' }, 404);
+    }
+
+    const newId = crypto.randomUUID();
+    const now = new Date().toISOString();
+
+    await db.insert(uploads).values({
+      id: newId,
+      filename: existing.filename,
+      originalname: body.originalname || existing.originalname,
+      mimetype: existing.mimetype,
+      size: existing.size,
+      folderId: body.folderId || existing.folderId,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: user.id,
+      updatedBy: user.id,
+    });
+
+    if (body.tags) {
+      const tagList = body.tags.split(',').map((t) => t.trim()).filter(Boolean);
+      if (tagList.length > 0) {
+        await db.insert(uploadTags).values(tagList.map((tag) => ({ uploadId: newId, tag })));
+      }
+    }
+
+    // Fetch tags for the new record
+    const tags = await db
+      .select({ tag: uploadTags.tag })
+      .from(uploadTags)
+      .where(eq(uploadTags.uploadId, newId));
+
+    return c.json({
+      _id: newId,
+      filename: existing.filename,
+      originalname: body.originalname || existing.originalname || '',
+      mimetype: existing.mimetype || '',
+      size: existing.size || 0,
+      url: `/uploads/${existing.filename}`,
+      createdAt: now,
+      createdBy: user.id,
+      tags: tags.map((t) => t.tag),
+    } satisfies ConfirmResponse);
+  }
+
+  // Normal confirm flow
+  if (!body.sessionId) {
+    return c.json({ error: 'sessionId or existingUploadId required' }, 400);
+  }
+
+  const [session] = await db
+    .select()
+    .from(uploadSessions)
+    .where(eq(uploadSessions.id, body.sessionId))
+    .limit(1);
+
+  if (!session) {
+    return c.json({ error: 'Session not found' }, 404);
+  }
+
+  if (session.status !== 'active') {
+    return c.json({ error: 'Session is not active' }, 400);
+  }
+
+  // Reject files exceeding MAX_UPLOAD_SIZE (would need Queue for async hash processing)
+  const maxSize = parseSize(c.env.MAX_UPLOAD_SIZE || '500MB');
+  if (session.totalSize && session.totalSize > maxSize) {
+    return c.json({ error: `File size exceeds limit (${c.env.MAX_UPLOAD_SIZE || '500MB'})` }, 400);
+  }
+
+  // Range-read first 4KB for MIME detection (separate from full body)
+  const rangeObj = await c.env.R2_UPLOADS.get(session.key, { range: { offset: 0, length: 4096 } });
+  if (!rangeObj) {
+    return c.json({ error: 'Temp file not found in R2' }, 404);
+  }
+  const headerBytes = new Uint8Array(await rangeObj.arrayBuffer());
+  const detectedMime = detectMimeType(headerBytes);
+
+  if (body.mimetype && detectedMime && !areMimeTypesCompatible(detectedMime, body.mimetype)) {
+    await c.env.R2_UPLOADS.delete(session.key);
+    await db.update(uploadSessions).set({ status: 'aborted' }).where(eq(uploadSessions.id, body.sessionId));
+    return c.json({ error: 'File content does not match claimed MIME type' }, 400);
+  }
+
+  const finalMime = detectedMime || body.mimetype || 'application/octet-stream';
+
+  // SVG sanitization — needs full object read
+  if (finalMime === 'image/svg+xml') {
+    const svgObj = await c.env.R2_UPLOADS.get(session.key);
+    if (svgObj) {
+      const svgText = await svgObj.text();
+      const sanitized = sanitizeSvg(svgText);
+      if (sanitized !== svgText) {
+        await c.env.R2_UPLOADS.put(session.key, sanitized);
+      }
+    }
+  }
+
+  // Streaming MD5 hash — always get a fresh stream
+  const hashObj = await c.env.R2_UPLOADS.get(session.key);
+  if (!hashObj) {
+    return c.json({ error: 'Failed to read file for hashing' }, 500);
+  }
+
+  const md5Hash = await streamMD5(hashObj.body);
+  const fileSize = session.totalSize || hashObj.size;
+  const ext = session.key.split('.').pop() || '';
+  const finalKey = `${md5Hash}.${ext}`;
+
+  // Check if final key already exists (content dedup by MD5)
+  const existingObject = await c.env.R2_UPLOADS.head(finalKey);
+  if (existingObject) {
+    // MD5-based key match means content is identical, just delete temp
+    await c.env.R2_UPLOADS.delete(session.key);
+  } else {
+    // Use R2 binding for copy (works in local dev with miniflare)
+    const srcObj = await c.env.R2_UPLOADS.get(session.key);
+    if (srcObj) {
+      await c.env.R2_UPLOADS.put(finalKey, srcObj.body, {
+        httpMetadata: srcObj.httpMetadata,
+      });
+    }
+    await c.env.R2_UPLOADS.delete(session.key);
+  }
+
+  // Insert D1 record
+  const newId = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  await db.insert(uploads).values({
+    id: newId,
+    filename: finalKey,
+    originalname: body.originalname || finalKey,
+    mimetype: finalMime,
+    size: fileSize,
+    folderId: body.folderId,
+    createdAt: now,
+    updatedAt: now,
+    createdBy: user.id,
+    updatedBy: user.id,
+  });
+
+  if (body.tags) {
+    const tagList = body.tags.split(',').map((t) => t.trim()).filter(Boolean);
+    if (tagList.length > 0) {
+      await db.insert(uploadTags).values(tagList.map((tag) => ({ uploadId: newId, tag })));
+    }
+  }
+
+  await db
+    .update(uploadSessions)
+    .set({ status: 'completed', finalKey })
+    .where(eq(uploadSessions.id, body.sessionId));
+
+  // Fetch tags for response
+  const responseTags = body.tags
+    ? body.tags.split(',').map((t) => t.trim()).filter(Boolean)
+    : [];
+
+  return c.json({
+    _id: newId,
+    filename: finalKey,
+    originalname: body.originalname || finalKey,
+    mimetype: finalMime,
+    size: fileSize,
+    url: `/uploads/${finalKey}`,
+    createdAt: now,
+    createdBy: user.id,
+    tags: responseTags,
+  } satisfies ConfirmResponse);
+});
+
+// POST /uploads/multipart/part-url — Get presigned URL for a single part
+uploadRoutes.post('/uploads/multipart/part-url', async (c) => {
+  const { sessionId, partNumber } = await c.req.json<{ sessionId: string; partNumber: number }>();
+  const db = c.get('db');
+
+  const [session] = await db
+    .select()
+    .from(uploadSessions)
+    .where(eq(uploadSessions.id, sessionId))
+    .limit(1);
+
+  if (!session || session.status !== 'active') {
+    return c.json({ error: 'Session not found or not active' }, 400);
+  }
+
+  if (!session.uploadId) {
+    return c.json({ error: 'Session is not a multipart upload' }, 400);
+  }
+
+  const s3 = createS3Client(c.env);
+  const presignedUrl = await generatePresignedPutUrl(s3, c.env, session.key, {
+    partNumber,
+    uploadId: session.uploadId,
+  });
+
+  return c.json({ presignedUrl, partNumber });
+});
+
+// POST /uploads/multipart/complete — Complete multipart upload
+uploadRoutes.post('/uploads/multipart/complete', async (c) => {
+  const { sessionId, parts } = await c.req.json<{
+    sessionId: string;
+    parts: Array<{ partNumber: number; etag: string }>;
+  }>();
+  const db = c.get('db');
+
+  const [session] = await db
+    .select()
+    .from(uploadSessions)
+    .where(eq(uploadSessions.id, sessionId))
+    .limit(1);
+
+  if (!session || session.status !== 'active') {
+    return c.json({ error: 'Session not found or not active' }, 400);
+  }
+
+  if (!session.uploadId) {
+    return c.json({ error: 'Session is not a multipart upload' }, 400);
+  }
+
+  const s3 = createS3Client(c.env);
+  await s3CompleteMultipartUpload(s3, c.env, session.key, session.uploadId, parts);
+
+  return c.json({ status: 'assembled' });
+});
+
+// POST /uploads/multipart/abort — Abort multipart upload
+uploadRoutes.post('/uploads/multipart/abort', async (c) => {
+  const { sessionId } = await c.req.json<{ sessionId: string }>();
+  const db = c.get('db');
+
+  const [session] = await db
+    .select()
+    .from(uploadSessions)
+    .where(eq(uploadSessions.id, sessionId))
+    .limit(1);
+
+  if (!session) {
+    return c.json({ error: 'Session not found' }, 404);
+  }
+
+  if (session.uploadId) {
+    const s3 = createS3Client(c.env);
+    await s3AbortMultipartUpload(s3, c.env, session.key, session.uploadId);
+  }
+
+  await db
+    .update(uploadSessions)
+    .set({ status: 'aborted' })
+    .where(eq(uploadSessions.id, sessionId));
+
+  return c.json({ status: 'aborted' });
+});
+
+// GET /uploads/multipart/status — Query completed parts
+uploadRoutes.get('/uploads/multipart/status', async (c) => {
+  const sessionId = c.req.query('sessionId');
+  if (!sessionId) {
+    return c.json({ error: 'sessionId required' }, 400);
+  }
+
+  const db = c.get('db');
+  const [session] = await db
+    .select()
+    .from(uploadSessions)
+    .where(eq(uploadSessions.id, sessionId))
+    .limit(1);
+
+  if (!session) {
+    return c.json({ error: 'Session not found' }, 404);
+  }
+
+  if (!session.uploadId) {
+    return c.json({ completedParts: [], status: session.status });
+  }
+
+  const s3 = createS3Client(c.env);
+  const completedParts = await s3ListParts(s3, c.env, session.key, session.uploadId);
+
+  return c.json({ completedParts, status: session.status });
+});
+
+// PUT /uploads/proxy-put/:sessionId — Dev-mode proxy: receive file body and put to local R2
+uploadRoutes.put('/uploads/proxy-put/:sessionId', async (c) => {
+  const db = c.get('db');
+  const sessionId = c.req.param('sessionId');
+
+  const [session] = await db
+    .select()
+    .from(uploadSessions)
+    .where(eq(uploadSessions.id, sessionId))
+    .limit(1);
+
+  if (!session || session.status !== 'active') {
+    return c.json({ error: 'Session not found or not active' }, 400);
+  }
+
+  const body = await c.req.arrayBuffer();
+  const contentType = c.req.header('content-type') || 'application/octet-stream';
+
+  await c.env.R2_UPLOADS.put(session.key, body, {
+    httpMetadata: { contentType },
+  });
+
+  return new Response(null, { status: 200 });
+});
+
+// POST /uploads/direct — Direct upload through Worker (for local dev or small files)
+uploadRoutes.post('/uploads/direct', async (c) => {
+  const db = c.get('db');
+  const user = c.get('user');
+
+  const formData = await c.req.formData();
+  const file = formData.get('file') as File | null;
+  const folderId = (formData.get('folderId') as string) || '';
+  const tags = (formData.get('tags') as string) || '';
+
+  if (!file) {
+    return c.json({ error: 'No file provided' }, 400);
+  }
+
+  const ext = file.name.split('.').pop() || 'bin';
+  const tempKey = `tmp/${crypto.randomUUID()}.${ext}`;
+
+  // Upload to R2 binding directly (works in local dev)
+  await c.env.R2_UPLOADS.put(tempKey, file.stream(), {
+    httpMetadata: { contentType: file.type },
+  });
+
+  // Read back for MD5 hash
+  const obj = await c.env.R2_UPLOADS.get(tempKey);
+  if (!obj) {
+    return c.json({ error: 'Failed to read uploaded file' }, 500);
+  }
+
+  const md5Hash = await streamMD5(obj.body);
+  const finalKey = `${md5Hash}.${ext}`;
+
+  // Content dedup — use R2 binding directly (no S3 client needed)
+  const existingObj = await c.env.R2_UPLOADS.head(finalKey);
+  if (existingObj) {
+    await c.env.R2_UPLOADS.delete(tempKey);
+  } else {
+    // Copy via R2 binding: get + put + delete temp
+    const srcObj = await c.env.R2_UPLOADS.get(tempKey);
+    if (srcObj) {
+      await c.env.R2_UPLOADS.put(finalKey, srcObj.body, {
+        httpMetadata: srcObj.httpMetadata,
+      });
+    }
+    await c.env.R2_UPLOADS.delete(tempKey);
+  }
+
+  const newId = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  await db.insert(uploads).values({
+    id: newId,
+    filename: finalKey,
+    originalname: file.name,
+    mimetype: file.type || 'application/octet-stream',
+    size: file.size,
+    folderId: folderId || null,
+    createdAt: now,
+    updatedAt: now,
+    createdBy: user.id,
+    updatedBy: user.id,
+  });
+
+  if (tags) {
+    const tagList = tags.split(',').map((t) => t.trim()).filter(Boolean);
+    if (tagList.length > 0) {
+      await db.insert(uploadTags).values(tagList.map((tag) => ({ uploadId: newId, tag })));
+    }
+  }
+
+  return c.json({
+    _id: newId,
+    filename: finalKey,
+    originalname: file.name,
+    mimetype: file.type || 'application/octet-stream',
+    size: file.size,
+    url: `/uploads/${finalKey}`,
+    createdAt: now,
+    createdBy: user.id,
+    tags: tags ? tags.split(',').map((t) => t.trim()).filter(Boolean) : [],
+  });
+});
+
+// GET /uploads — List uploads with pagination (inline Drizzle query)
+uploadRoutes.get('/uploads', async (c) => {
+  const db = c.get('db');
+  const user = c.get('user');
+
+  const page = parseInt(c.req.query('page') || '1', 10);
+  const pageSize = parseInt(c.req.query('pageSize') || '20', 10);
+  const folderId = c.req.query('folderId');
+  const tag = c.req.query('tag') || c.req.query('tags');
+  const createdBy = c.req.query('createdBy');
+
+  const conditions: ReturnType<typeof eq>[] = [];
+
+  // Admin can see all uploads; members only see their own
+  if (user.role === 'admin' && createdBy) {
+    conditions.push(eq(uploads.createdBy, createdBy));
+  } else if (user.role !== 'admin') {
+    conditions.push(eq(uploads.createdBy, user.id));
+  }
+
+  if (folderId) {
+    conditions.push(eq(uploads.folderId, folderId));
+  }
+
+  if (tag) {
+    const taggedIds = db
+      .select({ uploadId: uploadTags.uploadId })
+      .from(uploadTags)
+      .where(eq(uploadTags.tag, tag));
+    conditions.push(inArray(uploads.id, taggedIds));
+  }
+
+  const whereClause = conditions.length > 0 ? and(...conditions) : undefined;
+
+  const [data, countResult] = await Promise.all([
+    db
+      .select()
+      .from(uploads)
+      .where(whereClause)
+      .orderBy(desc(uploads.createdAt), desc(uploads.updatedAt))
+      .limit(pageSize)
+      .offset((page - 1) * pageSize),
+    db
+      .select({ count: sql<number>`count(*)` })
+      .from(uploads)
+      .where(whereClause),
+  ]);
+
+  // Fetch tags for all uploads in the result
+  const uploadIds = data.map((u) => u.id);
+  const allTags = uploadIds.length > 0
+    ? await db.select().from(uploadTags).where(inArray(uploadTags.uploadId, uploadIds))
+    : [];
+  const tagsByUpload = new Map<string, string[]>();
+  allTags.forEach((t) => {
+    const list = tagsByUpload.get(t.uploadId) || [];
+    list.push(t.tag);
+    tagsByUpload.set(t.uploadId, list);
+  });
+
+  const rows = data.map((row) => ({
+    _id: row.id,
+    filename: row.filename,
+    originalname: row.originalname || '',
+    mimetype: row.mimetype || '',
+    size: row.size || 0,
+    remark: row.remark || '',
+    folderId: row.folderId,
+    tags: tagsByUpload.get(row.id) || [],
+    url: `/uploads/${row.filename}`,
+    createdAt: row.createdAt || '',
+    updatedAt: row.updatedAt || '',
+    createdBy: row.createdBy || '',
+    updatedBy: row.updatedBy || '',
+  }));
+
+  // Fetch folders for the response (matches original blocklet API format)
+  const allFolders = await db.select().from(folders).orderBy(desc(folders.createdAt));
+  const folderRows = allFolders.map((f: any) => ({
+    _id: f.id,
+    name: f.name,
+    createdAt: f.createdAt || '',
+    updatedAt: f.updatedAt || '',
+    createdBy: f.createdBy || '',
+    updatedBy: f.updatedBy || '',
+  }));
+
+  const total = countResult[0]?.count ?? 0;
+
+  return c.json({
+    uploads: rows,
+    folders: folderRows,
+    total,
+    page,
+    pageSize,
+    pageCount: Math.ceil(total / pageSize),
+  });
+});
+
+// DELETE /uploads/:id — Delete upload (admin only)
+uploadRoutes.delete('/uploads/:id', isAdminMiddleware, async (c) => {
+  const db = c.get('db');
+  const id = c.req.param('id');
+
+  const [record] = await db.select().from(uploads).where(eq(uploads.id, id)).limit(1);
+  if (!record) {
+    return c.json({ error: 'Upload not found' }, 404);
+  }
+
+  // Check if any other records reference the same filename
+  const [countResult] = await db
+    .select({ count: sql<number>`count(*)` })
+    .from(uploads)
+    .where(eq(uploads.filename, record.filename));
+
+  // Only delete the actual file if this is the last reference
+  if ((countResult?.count ?? 0) <= 1) {
+    await c.env.R2_UPLOADS.delete(record.filename);
+  }
+
+  // Delete tags and record
+  await db.delete(uploadTags).where(eq(uploadTags.uploadId, id));
+  await db.delete(uploads).where(eq(uploads.id, id));
+
+  return c.json({ success: true });
+});
+
+// PUT /uploads/:id — Move to folder (admin only)
+uploadRoutes.put('/uploads/:id', isAdminMiddleware, async (c) => {
+  const db = c.get('db');
+  const id = c.req.param('id');
+  const body = await c.req.json<{ folderId: string }>();
+
+  const [record] = await db.select().from(uploads).where(eq(uploads.id, id)).limit(1);
+  if (!record) {
+    return c.json({ error: 'Upload not found' }, 404);
+  }
+
+  const now = new Date().toISOString();
+  await db
+    .update(uploads)
+    .set({ folderId: body.folderId, updatedAt: now })
+    .where(eq(uploads.id, id));
+
+  const [updated] = await db.select().from(uploads).where(eq(uploads.id, id)).limit(1);
+
+  return c.json({
+    _id: updated.id,
+    filename: updated.filename,
+    originalname: updated.originalname || '',
+    mimetype: updated.mimetype || '',
+    size: updated.size || 0,
+    folderId: updated.folderId,
+    url: `/uploads/${updated.filename}`,
+    createdAt: updated.createdAt || '',
+    updatedAt: updated.updatedAt || '',
+    createdBy: updated.createdBy || '',
+    updatedBy: updated.updatedBy || '',
+  });
+});
+
+function areMimeTypesCompatible(detected: string, claimed: string): boolean {
+  if (detected === claimed) return true;
+  const detectedBase = detected.split('/')[0];
+  const claimedBase = claimed.split('/')[0];
+  if (detectedBase === claimedBase) return true;
+  // application/octet-stream is a generic fallback, always compatible
+  if (claimed === 'application/octet-stream') return true;
+  return false;
+}
diff --git a/cloudflare/src/types.ts b/cloudflare/src/types.ts
new file mode 100644
index 0000000..8af69fd
--- /dev/null
+++ b/cloudflare/src/types.ts
@@ -0,0 +1,84 @@
+import type { DrizzleD1Database } from 'drizzle-orm/d1';
+
+export interface Env {
+  // D1 Database
+  DB: D1Database;
+  // R2 Bucket
+  R2_UPLOADS: R2Bucket;
+  // R2 S3 credentials (for presigned URLs)
+  R2_ACCESS_KEY_ID: string;
+  R2_SECRET_ACCESS_KEY: string;
+  CF_ACCOUNT_ID: string;
+  // R2 origin domain for cf.image (protected by IP Access Rule)
+  R2_ORIGIN_DOMAIN: string;
+  // Environment config
+  ENVIRONMENT: string;
+  MAX_UPLOAD_SIZE: string;
+  ALLOWED_FILE_TYPES: string;
+  USE_AI_IMAGE: string;
+  ADMIN_DIDS: string;
+  // Unsplash
+  UNSPLASH_KEY: string;
+  UNSPLASH_SECRET: string;
+  // AIGNE Hub
+  AIGNE_HUB_URL: string;
+  AIGNE_HUB_API_KEY: string;
+  // Upload Queue (for large file async confirm)
+  CONFIRM_QUEUE: Queue<ConfirmQueueMessage>;
+}
+
+export interface ConfirmQueueMessage {
+  sessionId: string;
+  userId: string;
+}
+
+export interface UserContext {
+  id: string;
+  role: 'admin' | 'member';
+}
+
+// Hono env bindings
+export type HonoEnv = {
+  Bindings: Env;
+  Variables: {
+    user: UserContext;
+    db: DrizzleD1Database;
+  };
+};
+
+// API response types
+export interface CheckResponse {
+  exists: boolean;
+  url?: string;
+  filename?: string;
+  uploadId?: string;
+}
+
+export interface PresignResponse {
+  sessionId: string;
+  presignedUrl?: string;
+  multipart?: boolean;
+  uploadId?: string;
+  key?: string;
+  partSize?: number;
+  partCount?: number;
+}
+
+export interface ConfirmResponse {
+  _id: string;
+  filename: string;
+  originalname: string;
+  mimetype: string;
+  size: number;
+  url: string;
+  createdAt: string;
+  createdBy: string;
+  tags?: string[];
+}
+
+export interface ListResponse {
+  data: ConfirmResponse[];
+  total: number;
+  page: number;
+  pageSize: number;
+}
diff --git a/cloudflare/src/utils/hash.ts b/cloudflare/src/utils/hash.ts
new file mode 100644
index 0000000..2eafb87
--- /dev/null
+++ b/cloudflare/src/utils/hash.ts
@@ -0,0 +1,128 @@
+// @ts-ignore - js-md5 types don't match the actual API
+import md5 from 'js-md5';
+
+/**
+ * Compute MD5 hash of an R2 object using streaming (O(1) memory).
+ * Workers WebCrypto does NOT support MD5 — must use js-md5.
+ */
+export async function streamMD5(body: ReadableStream<Uint8Array>): Promise<string> {
+  const hasher = (md5 as any).create();
+  const reader = body.getReader();
+
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    hasher.update(value);
+  }
+
+  return hasher.hex();
+}
+
+/**
+ * Detect MIME type from file magic bytes (first 4KB).
+ * Returns detected MIME type or null if unknown.
+ */
+export function detectMimeType(bytes: Uint8Array): string | null {
+  if (bytes.length < 4) return null;
+
+  // JPEG: FF D8 FF
+  if (bytes[0] === 0xff && bytes[1] === 0xd8 && bytes[2] === 0xff) {
+    return 'image/jpeg';
+  }
+
+  // PNG: 89 50 4E 47 0D 0A 1A 0A
+  if (
+    bytes[0] === 0x89 &&
+    bytes[1] === 0x50 &&
+    bytes[2] === 0x4e &&
+    bytes[3] === 0x47
+  ) {
+    return 'image/png';
+  }
+
+  // GIF: 47 49 46 38
+  if (
+    bytes[0] === 0x47 &&
+    bytes[1] === 0x49 &&
+    bytes[2] === 0x46 &&
+    bytes[3] === 0x38
+  ) {
+    return 'image/gif';
+  }
+
+  // WebP: 52 49 46 46 ... 57 45 42 50
+  if (
+    bytes[0] === 0x52 &&
+    bytes[1] === 0x49 &&
+    bytes[2] === 0x46 &&
+    bytes[3] === 0x46 &&
+    bytes.length >= 12 &&
+    bytes[8] === 0x57 &&
+    bytes[9] === 0x45 &&
+    bytes[10] === 0x42 &&
+    bytes[11] === 0x50
+  ) {
+    return 'image/webp';
+  }
+
+  // BMP: 42 4D
+  if (bytes[0] === 0x42 && bytes[1] === 0x4d) {
+    return 'image/bmp';
+  }
+
+  // ICO: 00 00 01 00
+  if (
+    bytes[0] === 0x00 &&
+    bytes[1] === 0x00 &&
+    bytes[2] === 0x01 &&
+    bytes[3] === 0x00
+  ) {
+    return 'image/x-icon';
+  }
+
+  // PDF: 25 50 44 46 (%PDF)
+  if (
+    bytes[0] === 0x25 &&
+    bytes[1] === 0x50 &&
+    bytes[2] === 0x44 &&
+    bytes[3] === 0x46
+  ) {
+    return 'application/pdf';
+  }
+
+  // SVG: check for <?xml or <svg (text-based)
+  const text = new TextDecoder().decode(bytes.slice(0, 256));
+  if (text.includes('<svg') || (text.includes('<?xml') && text.includes('<svg'))) {
+    return 'image/svg+xml';
+  }
+
+  return null;
+}
+
+/**
+ * Basic SVG sanitization for Workers environment.
+ * DOMPurify requires DOM API (document/window) which Workers do NOT have.
+ * This strips dangerous elements and attributes from SVG content.
+ */
+export function sanitizeSvg(svgContent: string): string {
+  // Remove script tags and their content
+  let sanitized = svgContent.replace(/<script[\s\S]*?<\/script>/gi, '');
+
+  // Remove on* event attributes
+  sanitized = sanitized.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+
+  // Remove javascript: URLs
+  sanitized = sanitized.replace(/href\s*=\s*["']javascript:[^"']*["']/gi, 'href=""');
+  sanitized = sanitized.replace(/xlink:href\s*=\s*["']javascript:[^"']*["']/gi, 'xlink:href=""');
+
+  // Remove data: URLs (potential XSS vector)
+  sanitized = sanitized.replace(/href\s*=\s*["']data:[^"']*["']/gi, 'href=""');
+
+  // Remove foreignObject (can embed arbitrary HTML)
+  sanitized = sanitized.replace(/<foreignObject[\s\S]*?<\/foreignObject>/gi, '');
+
+  // Remove use elements pointing to external resources
+  sanitized = sanitized.replace(/<use[^>]*href\s*=\s*["']https?:[^"']*["'][^>]*\/>/gi, '');
+
+  return sanitized;
+}
diff --git a/cloudflare/src/utils/s3.ts b/cloudflare/src/utils/s3.ts
new file mode 100644
index 0000000..88bf709
--- /dev/null
+++ b/cloudflare/src/utils/s3.ts
@@ -0,0 +1,173 @@
+import { AwsClient } from 'aws4fetch';
+import { XMLParser } from 'fast-xml-parser';
+import type { Env } from '../types';
+
+export function createS3Client(env: Env) {
+  return new AwsClient({
+    accessKeyId: env.R2_ACCESS_KEY_ID,
+    secretAccessKey: env.R2_SECRET_ACCESS_KEY,
+    region: 'auto',
+    service: 's3',
+  });
+}
+
+function s3Endpoint(env: Env, key: string) {
+  return `https://${env.CF_ACCOUNT_ID}.r2.cloudflarestorage.com/media-kit-uploads/${key}`;
+}
+
+export async function generatePresignedPutUrl(
+  s3: AwsClient,
+  env: Env,
+  key: string,
+  options: {
+    expiresIn?: number;
+    contentType?: string;
+    partNumber?: number;
+    uploadId?: string;
+  } = {},
+) {
+  const { expiresIn = 3600, contentType, partNumber, uploadId } = options;
+  const url = new URL(s3Endpoint(env, key));
+
+  if (partNumber && uploadId) {
+    url.searchParams.set('partNumber', String(partNumber));
+    url.searchParams.set('uploadId', uploadId);
+  }
+  url.searchParams.set('X-Amz-Expires', String(expiresIn));
+
+  const headers: Record<string, string> = {};
+  if (contentType) headers['Content-Type'] = contentType;
+
+  const signed = await s3.sign(
+    new Request(url.toString(), { method: 'PUT', headers }),
+    { aws: { signQuery: true } },
+  );
+
+  return signed.url;
+}
+
+export async function s3CopyObject(
+  s3: AwsClient,
+  env: Env,
+  sourceKey: string,
+  destKey: string,
+) {
+  const endpoint = s3Endpoint(env, destKey);
+  const signed = await s3.sign(
+    new Request(endpoint, {
+      method: 'PUT',
+      headers: {
+        'x-amz-copy-source': `/media-kit-uploads/${sourceKey}`,
+      },
+    }),
+  );
+  const res = await fetch(signed);
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`CopyObject failed: ${res.status} ${body}`);
+  }
+}
+
+export async function s3CreateMultipartUpload(
+  s3: AwsClient,
+  env: Env,
+  key: string,
+  contentType?: string,
+): Promise<string> {
+  const url = new URL(s3Endpoint(env, key));
+  url.searchParams.set('uploads', '');
+
+  const headers: Record<string, string> = {};
+  if (contentType) headers['Content-Type'] = contentType;
+
+  const signed = await s3.sign(
+    new Request(url.toString(), { method: 'POST', headers }),
+  );
+  const res = await fetch(signed);
+  if (!res.ok) throw new Error(`CreateMultipartUpload failed: ${res.status}`);
+
+  const xml = await res.text();
+  const parser = new XMLParser();
+  const parsed = parser.parse(xml);
+  return parsed.InitiateMultipartUploadResult.UploadId;
+}
+
+export async function s3CompleteMultipartUpload(
+  s3: AwsClient,
+  env: Env,
+  key: string,
+  uploadId: string,
+  parts: Array<{ partNumber: number; etag: string }>,
+) {
+  const url = new URL(s3Endpoint(env, key));
+  url.searchParams.set('uploadId', uploadId);
+
+  const partsXml = parts
+    .sort((a, b) => a.partNumber - b.partNumber)
+    .map(
+      (p) =>
+        `<Part><PartNumber>${p.partNumber}</PartNumber><ETag>${p.etag}</ETag></Part>`,
+    )
+    .join('');
+  const body = `<CompleteMultipartUpload>${partsXml}</CompleteMultipartUpload>`;
+
+  const signed = await s3.sign(
+    new Request(url.toString(), {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/xml' },
+      body,
+    }),
+  );
+  const res = await fetch(signed);
+  if (!res.ok) {
+    const respBody = await res.text();
+    throw new Error(`CompleteMultipartUpload failed: ${res.status} ${respBody}`);
+  }
+}
+
+export async function s3AbortMultipartUpload(
+  s3: AwsClient,
+  env: Env,
+  key: string,
+  uploadId: string,
+) {
+  const url = new URL(s3Endpoint(env, key));
+  url.searchParams.set('uploadId', uploadId);
+
+  const signed = await s3.sign(
+    new Request(url.toString(), { method: 'DELETE' }),
+  );
+  const res = await fetch(signed);
+  if (!res.ok) {
+    // Ignore errors — might already be cleaned up
+  }
+}
+
+export async function s3ListParts(
+  s3: AwsClient,
+  env: Env,
+  key: string,
+  uploadId: string,
+): Promise<Array<{ partNumber: number; etag: string; size: number }>> {
+  const url = new URL(s3Endpoint(env, key));
+  url.searchParams.set('uploadId', uploadId);
+
+  const signed = await s3.sign(
+    new Request(url.toString(), { method: 'GET' }),
+  );
+  const res = await fetch(signed);
+  if (!res.ok) return [];
+
+  const xml = await res.text();
+  const parser = new XMLParser();
+  const parsed = parser.parse(xml);
+  const rawParts = parsed?.ListPartsResult?.Part;
+  if (!rawParts) return [];
+
+  const partArray = Array.isArray(rawParts) ? rawParts : [rawParts];
+  return partArray.map((p: any) => ({
+    partNumber: Number(p.PartNumber),
+    etag: String(p.ETag),
+    size: Number(p.Size),
+  }));
+}
diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
new file mode 100644
index 0000000..32034ec
--- /dev/null
+++ b/cloudflare/src/worker.ts
@@ -0,0 +1,118 @@
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { drizzle } from 'drizzle-orm/d1';
+import type { HonoEnv, Env } from './types';
+import { authMiddleware } from './middleware/auth';
+import { uploadRoutes } from './routes/upload';
+import { fileServingRoutes } from './routes/serve';
+import { folderRoutes } from './routes/folders';
+import { unsplashRoutes } from './routes/unsplash';
+import { statusRoutes } from './routes/status';
+import { cleanupExpiredSessions } from './routes/cleanup';
+
+const app = new Hono<HonoEnv>();
+
+// Global middleware
+// TODO: restrict CORS origin to actual deployment domain when auth is implemented
+app.use('*', cors());
+app.use('*', async (c, next) => {
+  const db = drizzle(c.env.DB);
+  c.set('db', db);
+  return next();
+});
+
+// File serving (no auth required for public files, EXIF stripped)
+app.route('/', fileServingRoutes);
+
+// Status endpoint (no auth)
+app.route('/api', statusRoutes);
+
+// Auth-protected routes
+// TODO: replace x-user-did header auth with shijun's CF auth SDK when ready
+app.use('/api/*', authMiddleware);
+app.route('/api', uploadRoutes);
+app.route('/api', folderRoutes);
+app.route('/api', unsplashRoutes);
+
+// AI Image — proxy to AIGNE Hub (same flow as original blocklet version)
+const AIGNE_HUB_DID = 'z8ia3xzq2tMq8CRHfaXj1BTYJyYnEcHbqP8cJ';
+
+let aigneHubMountPoint: string | null = null;
+
+async function getAigneHubMountPoint(env: Env): Promise<string> {
+  if (aigneHubMountPoint) return aigneHubMountPoint;
+  const hubBase = env.AIGNE_HUB_URL || 'https://hub.aigne.io';
+  const res = await fetch(`${hubBase}/__blocklet__.js?type=json`);
+  if (!res.ok) throw new Error(`AIGNE Hub fetch failed: ${res.status}`);
+  const blocklet: any = await res.json();
+  const comp = (blocklet?.componentMountPoints || []).find((m: any) => m.did === AIGNE_HUB_DID);
+  if (!comp) throw new Error('AIGNE Hub component not found');
+  aigneHubMountPoint = `${hubBase}${comp.mountPoint}`;
+  return aigneHubMountPoint;
+}
+
+app.get('/api/image/models', async (c) => {
+  const hubUrl = await getAigneHubMountPoint(c.env);
+  const apiKey = c.env.AIGNE_HUB_API_KEY || '';
+  const res = await fetch(`${hubUrl}/api/ai/models?type=image`, {
+    headers: { Authorization: `Bearer ${apiKey}` },
+  });
+  const data = await res.json();
+  return c.json(data, res.status as any);
+});
+
+app.post('/api/image/generations', async (c) => {
+  const { prompt, number = 1, model = 'dall-e-2', ...rest } = await c.req.json();
+  const hubUrl = await getAigneHubMountPoint(c.env);
+  const res = await fetch(`${hubUrl}/api/v2/image`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'x-user-did': c.get('user')?.id || '',
+      Authorization: `Bearer ${c.env.AIGNE_HUB_API_KEY || ''}`,
+    },
+    body: JSON.stringify({
+      input: {
+        ...rest,
+        prompt,
+        n: parseInt(String(number), 10),
+        modelOptions: { model },
+        outputFileType: 'url',
+      },
+    }),
+  });
+  const data: any = await res.json();
+  return c.json(data, res.status as any);
+});
+
+// Health check
+app.get('/health', (c) => c.json({ status: 'ok', version: '1.0.0' }));
+
+// SPA fallback — non-API routes return index.html for client-side routing
+app.notFound(async (c) => {
+  const path = new URL(c.req.url).pathname;
+  if (path.startsWith('/api/') || path.startsWith('/health')) {
+    return c.json({ error: 'Not Found' }, 404);
+  }
+  try {
+    const assets = (c.env as any).ASSETS;
+    if (assets) {
+      return assets.fetch(new Request(new URL('/', c.req.url)));
+    }
+  } catch {}
+  return c.json({ error: 'Not Found' }, 404);
+});
+
+// Error handler
+app.onError((err, c) => {
+  console.error('Unhandled error:', err);
+  return c.json({ error: err.message || 'Internal Server Error' }, 500);
+});
+
+export default {
+  fetch: app.fetch,
+
+  async scheduled(_event: ScheduledEvent, env: Env, ctx: ExecutionContext) {
+    ctx.waitUntil(cleanupExpiredSessions(env));
+  },
+};
diff --git a/cloudflare/tsconfig.json b/cloudflare/tsconfig.json
new file mode 100644
index 0000000..e46355c
--- /dev/null
+++ b/cloudflare/tsconfig.json
@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ESNext"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": false,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "noEmit": true,
+    "jsx": "react-jsx",
+    "jsxImportSource": "hono/jsx",
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["node_modules"]
+}
diff --git a/cloudflare/vitest.config.ts b/cloudflare/vitest.config.ts
new file mode 100644
index 0000000..eae12be
--- /dev/null
+++ b/cloudflare/vitest.config.ts
@@ -0,0 +1,7 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    include: ['src/__tests__/utils.test.ts'],
+  },
+});
diff --git a/cloudflare/wrangler.toml b/cloudflare/wrangler.toml
new file mode 100644
index 0000000..13bbf28
--- /dev/null
+++ b/cloudflare/wrangler.toml
@@ -0,0 +1,45 @@
+name = "media-kit"
+main = "src/worker.ts"
+compatibility_date = "2024-12-01"
+compatibility_flags = ["nodejs_compat"]
+
+# Serve frontend static assets (vite build output)
+[assets]
+directory = "./public"
+not_found_handling = "single-page-application"
+binding = "ASSETS"
+
+[vars]
+ENVIRONMENT = "production"
+MAX_UPLOAD_SIZE = "500MB"
+ALLOWED_FILE_TYPES = ".jpeg,.png,.gif,.svg,.webp,.bmp,.ico"
+USE_AI_IMAGE = "true"
+ADMIN_DIDS = "did:abt:default-uploader"
+AIGNE_HUB_URL = "https://hub.aigne.io"
+
+[[r2_buckets]]
+binding = "R2_UPLOADS"
+bucket_name = "media-kit-uploads"
+
+[[d1_databases]]
+binding = "DB"
+database_name = "media-kit-db"
+database_id = "d0ab97f4-ddf7-4388-b91f-be8427cd0c10"
+migrations_dir = "migrations"
+
+[triggers]
+crons = ["0 * * * *"]
+
+# Secrets (wrangler secret put):
+# R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY
+# R2_ORIGIN_DOMAIN (R2 public domain, restricted by IP Access Rule)
+# UNSPLASH_KEY, UNSPLASH_SECRET
+# CF_ACCOUNT_ID
+# AIGNE_HUB_API_KEY
+# AIGNE_HUB_URL can also be set as secret to override the default
+
+[env.staging]
+name = "media-kit-staging"
+[env.staging.vars]
+ENVIRONMENT = "staging"
+ADMIN_DIDS = "did:abt:default-uploader"
diff --git a/packages/uploader/src/react/plugins/ai-image/show-panel/output/index.tsx b/packages/uploader/src/react/plugins/ai-image/show-panel/output/index.tsx
index 8e67456..a3c40bb 100644
--- a/packages/uploader/src/react/plugins/ai-image/show-panel/output/index.tsx
+++ b/packages/uploader/src/react/plugins/ai-image/show-panel/output/index.tsx
@@ -76,8 +76,10 @@ export default function Output({
       const res = await handleApi({ ...options, outputFileType: 'file' });
       if (res.images) {
         const list: FileContent[] = res.images || [];
-        const arr = list.map((item) => ({
-          src: `data:image/png;base64,${item.data}`,
+        const arr = list.map((item: FileContent & {
+          url?: string;
+        }) => ({
+          src: item?.url || `data:image/png;base64,${item.data}`,
           alt: options.prompt,
         }));
 
diff --git a/packages/uploader/src/react/plugins/presigned-upload.ts b/packages/uploader/src/react/plugins/presigned-upload.ts
new file mode 100644
index 0000000..9a32980
--- /dev/null
+++ b/packages/uploader/src/react/plugins/presigned-upload.ts
@@ -0,0 +1,291 @@
+/**
+ * Presigned Upload Plugin for Uppy
+ *
+ * Implements presigned URL upload flow as an alternative to TUS protocol.
+ * Used when the backend returns uploadMode: 'presigned' from /api/uploader/status.
+ *
+ * Flow:
+ * 1. POST /uploads/check    → dedup check (size + ext)
+ * 2. POST /uploads/presign  → get presigned URL or multipart session
+ * 3. PUT  presignedUrl       → direct upload to R2/S3
+ * 4. POST /uploads/confirm  → confirm and get upload record
+ *
+ * For large files (>= multipart threshold):
+ * 2b. POST /uploads/presign → get multipart session
+ * 3b. For each part:
+ *     POST /uploads/multipart/part-url → get part presigned URL
+ *     PUT  partUrl → upload part
+ * 3c. POST /uploads/multipart/complete → assemble parts
+ * 4.  POST /uploads/confirm → confirm
+ */
+
+import { BasePlugin } from '@uppy/core';
+import Cookie from 'js-cookie';
+
+// @ts-ignore - getExt is exported from utils
+import { getExt } from '../../utils';
+
+interface PresignedUploadOptions {
+  id?: string;
+  apiBase: string; // e.g. '/api' or full URL
+  headers?: Record<string, string>;
+}
+
+export default class PresignedUploadPlugin extends BasePlugin {
+  declare opts: PresignedUploadOptions;
+
+  private boundHandleUpload: (fileIDs: string[]) => Promise<void>;
+
+  constructor(uppy: any, opts: PresignedUploadOptions) {
+    super(uppy, opts);
+    this.id = opts.id || 'PresignedUpload';
+    this.type = 'uploader';
+    this.opts = opts;
+    this.boundHandleUpload = this.handleUpload.bind(this);
+  }
+
+  install() {
+    this.uppy.addUploader(this.boundHandleUpload);
+  }
+
+  uninstall() {
+    this.uppy.removeUploader(this.boundHandleUpload);
+  }
+
+  private getHeaders(): Record<string, string> {
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+      ...(this.opts.headers || {}),
+    };
+    const csrfToken = Cookie.get('x-csrf-token');
+    if (csrfToken) {
+      headers['x-csrf-token'] = csrfToken;
+    }
+    // @ts-ignore
+    const componentDid = window?.uploaderComponentId || window?.blocklet?.componentId;
+    if (componentDid) {
+      headers['x-component-did'] = (componentDid || '').split('/').pop() || '';
+    }
+    return headers;
+  }
+
+  private async apiCall(path: string, body: any): Promise<any> {
+    const url = `${this.opts.apiBase}${path}`;
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: this.getHeaders(),
+      body: JSON.stringify(body),
+      credentials: 'include',
+    });
+    if (!res.ok) {
+      const error = await res.json().catch(() => ({ error: res.statusText }));
+      throw new Error(error.error || `Upload failed: ${res.status}`);
+    }
+    return res.json();
+  }
+
+  private async handleUpload(fileIDs: string[]): Promise<void> {
+    const files = fileIDs.map((id) => this.uppy.getFile(id));
+
+    for (const file of files) {
+      try {
+        await this.uploadFile(file);
+      } catch (err: any) {
+        this.uppy.log(`[PresignedUpload] Error uploading ${file.name}: ${err.message}`, 'error');
+        this.uppy.emit('upload-error', file, err);
+      }
+    }
+  }
+
+  private async uploadFile(file: any): Promise<void> {
+    const ext = getExt(file) || file.name.split('.').pop() || '';
+    const size = file.size || file.data?.size || 0;
+    const folderId = file.meta?.folderId || '';
+    const tags = file.meta?.tags || '';
+
+    // Step 1: Dedup check
+    const checkResult = await this.apiCall('/uploads/check', { size, ext: `.${ext}` });
+
+    let confirmData: any;
+
+    if (checkResult.exists) {
+      // File already exists — clone it via confirm
+      confirmData = await this.apiCall('/uploads/confirm', {
+        existingUploadId: checkResult.uploadId,
+        originalname: file.name,
+        mimetype: file.type,
+        folderId,
+        tags,
+      });
+    } else {
+      // Step 2: Get presigned URL
+      const presignResult = await this.apiCall('/uploads/presign', {
+        originalname: file.name,
+        mimetype: file.type,
+        size,
+        ext: `.${ext}`,
+        folderId,
+      });
+
+      // Step 3: Upload file
+      try {
+        if (presignResult.multipart) {
+          await this.uploadMultipart(file, presignResult);
+        } else {
+          await this.uploadDirect(file, presignResult.presignedUrl);
+        }
+      } catch (uploadErr) {
+        // Abort multipart session on failure to avoid orphaned R2 parts
+        if (presignResult.multipart) {
+          await this.apiCall('/uploads/multipart/abort', { sessionId: presignResult.sessionId }).catch(() => {});
+        }
+        throw uploadErr;
+      }
+
+      // Step 4: Confirm
+      confirmData = await this.apiCall('/uploads/confirm', {
+        sessionId: presignResult.sessionId,
+        originalname: file.name,
+        mimetype: file.type,
+        folderId,
+        tags,
+      });
+    }
+
+    // Build result compatible with TUS flow — use the url from server response directly
+    const uploadURL = confirmData.url || `/uploads/${confirmData.filename}`;
+
+    const result = {
+      data: confirmData,
+      method: 'POST',
+      url: uploadURL,
+      status: 200,
+      headers: {} as Record<string, string>,
+      file,
+      uploadURL,
+    };
+
+    // Set file state
+    this.uppy.setFileState(file.id, {
+      progress: {
+        uploadStarted: Date.now(),
+        uploadComplete: true,
+        percentage: 100,
+        bytesUploaded: file.size || file.data?.size || 0,
+        bytesTotal: file.size || file.data?.size || 0,
+      },
+      responseResult: result,
+    });
+
+    // Emit upload-success — the listener in uploader.tsx handles _onUploadFinish and emitUploadSuccess
+    this.uppy.emit('upload-success', this.uppy.getFile(file.id), {
+      uploadURL,
+      status: 200,
+      body: confirmData,
+    });
+  }
+
+  private async uploadDirect(file: any, presignedUrl: string): Promise<void> {
+    const xhr = new XMLHttpRequest();
+    await new Promise<void>((resolve, reject) => {
+      xhr.open('PUT', presignedUrl, true);
+      if (file.type) {
+        xhr.setRequestHeader('Content-Type', file.type);
+      }
+
+      xhr.upload.onprogress = (e) => {
+        if (e.lengthComputable) {
+          const percentage = Math.round((e.loaded / e.total) * 100);
+          this.uppy.setFileState(file.id, {
+            progress: {
+              uploadStarted: Date.now(),
+              uploadComplete: false,
+              percentage,
+              bytesUploaded: e.loaded,
+              bytesTotal: e.total,
+            },
+          });
+          // @ts-ignore
+          this.uppy.calculateTotalProgress?.();
+          this.uppy.emit('upload-progress', this.uppy.getFile(file.id), {
+            uploader: this,
+            bytesUploaded: e.loaded,
+            bytesTotal: e.total,
+          });
+        }
+      };
+
+      xhr.onload = () => {
+        if (xhr.status >= 200 && xhr.status < 300) {
+          resolve();
+        } else {
+          reject(new Error(`Direct upload failed: ${xhr.status} ${xhr.statusText}`));
+        }
+      };
+
+      xhr.onerror = () => reject(new Error('Network error during upload'));
+      xhr.onabort = () => reject(new Error('Upload aborted'));
+
+      xhr.send(file.data);
+    });
+  }
+
+  private async uploadMultipart(file: any, presignResult: any): Promise<void> {
+    const { sessionId, partSize, partCount } = presignResult;
+    const size = file.size || file.data?.size || 0;
+    const parts: Array<{ partNumber: number; etag: string }> = [];
+
+    let totalUploaded = 0;
+
+    for (let i = 0; i < partCount; i++) {
+      const partNumber = i + 1;
+      const start = i * partSize;
+      const end = Math.min(start + partSize, size);
+      const partBlob = file.data.slice(start, end);
+
+      // Get presigned URL for this part
+      const { presignedUrl } = await this.apiCall('/uploads/multipart/part-url', {
+        sessionId,
+        partNumber,
+      });
+
+      // Upload part
+      const res = await fetch(presignedUrl, {
+        method: 'PUT',
+        body: partBlob,
+      });
+
+      if (!res.ok) {
+        throw new Error(`Part ${partNumber} upload failed: ${res.status}`);
+      }
+
+      const etag = res.headers.get('ETag') || '';
+      parts.push({ partNumber, etag: etag.replace(/"/g, '') });
+
+      totalUploaded += end - start;
+      const percentage = Math.round((totalUploaded / size) * 100);
+      this.uppy.setFileState(file.id, {
+        progress: {
+          uploadStarted: Date.now(),
+          uploadComplete: false,
+          percentage,
+          bytesUploaded: totalUploaded,
+          bytesTotal: size,
+        },
+      });
+      // @ts-ignore
+      this.uppy.calculateTotalProgress?.();
+      this.uppy.emit('upload-progress', this.uppy.getFile(file.id), {
+        uploader: this,
+        bytesUploaded: totalUploaded,
+        bytesTotal: size,
+      });
+    }
+
+    // Complete multipart upload
+    await this.apiCall('/uploads/multipart/complete', {
+      sessionId,
+      parts,
+    });
+  }
+}
diff --git a/packages/uploader/src/react/uploader.tsx b/packages/uploader/src/react/uploader.tsx
index b6be5e1..6f8399f 100644
--- a/packages/uploader/src/react/uploader.tsx
+++ b/packages/uploader/src/react/uploader.tsx
@@ -22,6 +22,8 @@ import DropTarget from '@uppy/drop-target';
 import ImageEditor from '@uppy/image-editor';
 import ThumbnailGenerator from '@uppy/thumbnail-generator';
 import Tus from '@uppy/tus';
+// @ts-ignore
+import PresignedUploadPlugin from './plugins/presigned-upload';
 import ComponentInstaller from '@blocklet/ui-react/lib/ComponentInstaller';
 import mime from 'mime-types';
 import xbytes from 'xbytes';
@@ -162,22 +164,42 @@ const getPluginList = (props: any) => {
                       const uploader = ref.current.getUploader();
                       uploader?.emit('ai-image:selected', data);
 
-                      data.forEach(({ src: base64, alt }: any, index: number) => {
+                      data.forEach(({ src, alt }: any, index: number) => {
                         const getSliceText = (str: string) => {
                           return str?.length > 16 ? `${str?.slice(0, 8)}...${str?.slice(-4)}` : str;
                         };
 
-                        const fileName = `${getSliceText(alt) || getSliceText(base64)}.png`; // must be png
-
-                        const formatFile = {
-                          name: fileName,
-                          type: 'image/png', // must be png
-                          data: base64ToFile(base64, fileName),
-                          source: 'AIImage',
-                          isRemote: false,
-                        };
-
-                        uploader?.addFile(formatFile);
+                        const fileName = `${getSliceText(alt) || 'ai-image'}.png`; // must be png
+
+                        // Support both URL and base64 data URI
+                        if (src && !src.startsWith('data:')) {
+                          // URL — fetch and convert to File
+                          fetch(src)
+                            .then((res) => res.blob())
+                            .then((blob) => {
+                              const file = new File([blob], fileName, { type: 'image/png' });
+                              uploader?.addFile({
+                                name: fileName,
+                                type: 'image/png',
+                                data: file,
+                                source: 'AIImage',
+                                isRemote: false,
+                              });
+                            })
+                            .catch((err) => {
+                              uploader?.log(`[AIImage] Failed to fetch image: ${err.message}`, 'error');
+                            });
+                        } else {
+                          // base64 data URI
+                          const formatFile = {
+                            name: fileName,
+                            type: 'image/png',
+                            data: base64ToFile(src, fileName),
+                            source: 'AIImage',
+                            isRemote: false,
+                          };
+                          uploader?.addFile(formatFile);
+                        }
                       });
                     }}
                   />
@@ -276,6 +298,7 @@ export function initUploader(props: any) {
     restrictions,
     onChange,
     initialFiles,
+    uploadMode = 'tus',
   } = props;
 
   const pluginMap = keyBy(pluginList, 'id');
@@ -314,159 +337,191 @@ export function initUploader(props: any) {
     },
     ...coreProps,
     restrictions,
-  }).use(Tus, {
-    chunkSize: 1024 * 1024 * 10, // default chunk size 10MB
-    removeFingerprintOnSuccess: true,
-    // docs: https://github.com/tus/tus-js-client/blob/main/docs/api.md
-    withCredentials: true,
-    endpoint: uploaderUrl,
-
-    async onBeforeRequest(req, file) {
-      // @ts-ignore
-      const { hashFileName, id, meta } = file;
+  });
 
-      // @ts-ignore
-      const mockResponse = currentUppy.getFile(id)?.mockResponse || null;
-      if (req.getMethod() === 'PATCH' && mockResponse) {
-        // mock response to avoid next step upload
-        req.send = () => mockResponse;
-      }
+  if (uploadMode === 'presigned') {
+    // Presigned URL upload mode (for CF Workers / R2)
+    const apiBase = uploaderUrl.replace(/\/uploads\/?$/, '');
+    // @ts-ignore
+    currentUppy.use(PresignedUploadPlugin, {
+      apiBase,
+    });
 
-      const ext = getExt(file);
-
-      // put the hash in the header
-      req.setHeader('x-uploader-file-name', `${hashFileName}`);
-      req.setHeader('x-uploader-file-id', `${id}`);
-      req.setHeader('x-uploader-file-ext', `${ext}`);
-      req.setHeader('x-uploader-base-url', new URL(req.getURL()).pathname);
-      req.setHeader('x-uploader-endpoint-url', uploaderUrl);
-      req.setHeader(
-        'x-uploader-metadata',
-        JSON.stringify(meta, (key, value) => {
-          if (typeof value === 'string') {
-            return encodeURIComponent(value);
-          }
-          return value;
-        })
-      );
-      // add csrf token if exist
-      const csrfToken = Cookie.get('x-csrf-token');
-      if (csrfToken) {
-        req.setHeader('x-csrf-token', csrfToken);
-      }
+    // Wire up _onUploadFinish for presigned mode
+    currentUppy.on('upload-success', async (file: any, response: any) => {
+      // Skip if this event was already handled (e.g. from TUS or mock)
+      if (!response.body) return;
+
+      const result = {
+        data: response.body,
+        method: 'POST',
+        url: response.uploadURL || '',
+        status: 200,
+        headers: {} as Record<string, string>,
+        file,
+        uploadURL: response.uploadURL || '',
+      };
+
+      await _onUploadFinish?.(result);
 
-      // @ts-ignore get folderId when upload using
-      const componentDid = window?.uploaderComponentId || window?.blocklet?.componentId;
-      if (componentDid) {
+      // @ts-ignore custom event — mirrors TUS flow's emitUploadSuccess
+      currentUppy.emitUploadSuccess(file, result);
+    });
+  } else {
+    // TUS upload mode (default, for Blocklet)
+    currentUppy.use(Tus, {
+      chunkSize: 1024 * 1024 * 10, // default chunk size 10MB
+      removeFingerprintOnSuccess: true,
+      // docs: https://github.com/tus/tus-js-client/blob/main/docs/api.md
+      withCredentials: true,
+      endpoint: uploaderUrl,
+
+      async onBeforeRequest(req, file) {
         // @ts-ignore
-        req.setHeader('x-component-did', (componentDid || '').split('/').pop());
-      }
-    },
-    onAfterResponse: async (req, res) => {
-      const result = {} as any;
-      const xhr = req.getUnderlyingObject();
+        const { hashFileName, id, meta } = file;
 
-      try {
-        if (xhr.response) {
-          result.data = JSON.parse(xhr.response);
+        // @ts-ignore
+        const mockResponse = currentUppy.getFile(id)?.mockResponse || null;
+        if (req.getMethod() === 'PATCH' && mockResponse) {
+          // mock response to avoid next step upload
+          req.send = () => mockResponse;
         }
-      } catch (error) {
-        result.data = {};
-      }
 
-      result.method = req.getMethod().toUpperCase();
-      result.url = req.getURL();
-      result.status = xhr.status;
-      // @ts-ignore
-      result.headers = {
-        // @ts-ignore
-        ...req._headers,
-      };
+        const ext = getExt(file);
+
+        // put the hash in the header
+        req.setHeader('x-uploader-file-name', `${hashFileName}`);
+        req.setHeader('x-uploader-file-id', `${id}`);
+        req.setHeader('x-uploader-file-ext', `${ext}`);
+        req.setHeader('x-uploader-base-url', new URL(req.getURL()).pathname);
+        req.setHeader('x-uploader-endpoint-url', uploaderUrl);
+        req.setHeader(
+          'x-uploader-metadata',
+          JSON.stringify(meta, (key, value) => {
+            if (typeof value === 'string') {
+              return encodeURIComponent(value);
+            }
+            return value;
+          })
+        );
+        // add csrf token if exist
+        const csrfToken = Cookie.get('x-csrf-token');
+        if (csrfToken) {
+          req.setHeader('x-csrf-token', csrfToken);
+        }
 
-      const allResponseHeaders = xhr.getAllResponseHeaders();
+        // @ts-ignore get folderId when upload using
+        const componentDid = window?.uploaderComponentId || window?.blocklet?.componentId;
+        if (componentDid) {
+          // @ts-ignore
+          req.setHeader('x-component-did', (componentDid || '').split('/').pop());
+        }
+      },
+      onAfterResponse: async (req, res) => {
+        const result = {} as any;
+        const xhr = req.getUnderlyingObject();
 
-      // format headers
-      if (allResponseHeaders) {
-        const headers = allResponseHeaders.split('\r\n');
-        headers.forEach((item: string) => {
-          const [key, value] = item.split(': ');
-          if (key && value) {
-            result.headers[key] = value;
+        try {
+          if (xhr.response) {
+            result.data = JSON.parse(xhr.response);
           }
-        });
-      }
+        } catch (error) {
+          result.data = {};
+        }
 
-      const file = currentUppy.getFile(result.headers['x-uploader-file-id']);
+        result.method = req.getMethod().toUpperCase();
+        result.url = req.getURL();
+        result.status = xhr.status;
+        // @ts-ignore
+        result.headers = {
+          // @ts-ignore
+          ...req._headers,
+        };
 
-      // @ts-ignore
-      if (req.getMethod() === 'PATCH' && file.mockResponse) {
-        // mock response do nothing
-        return;
-      }
+        const allResponseHeaders = xhr.getAllResponseHeaders();
 
-      // only call onUploadFinish if it's a PATCH / POST request
-      if (['PATCH', 'POST'].includes(result.method) && [200, 500].includes(result.status)) {
-        const isExist = [true, 'true'].includes(result.headers['x-uploader-file-exist']);
-        const uploadURL = getUrl(result.url, result.headers['x-uploader-file-name']); // upload URL with file name
+        // format headers
+        if (allResponseHeaders) {
+          const headers = allResponseHeaders.split('\r\n');
+          headers.forEach((item: string) => {
+            const [key, value] = item.split(': ');
+            if (key && value) {
+              result.headers[key] = value;
+            }
+          });
+        }
 
-        result.file = file;
-        result.uploadURL = uploadURL;
+        const file = currentUppy.getFile(result.headers['x-uploader-file-id']);
 
-        const responseResult = {
-          uploadURL,
-          ...result,
-        };
+        // @ts-ignore
+        if (req.getMethod() === 'PATCH' && file.mockResponse) {
+          // mock response do nothing
+          return;
+        }
 
-        currentUppy.setFileState(file.id, {
-          responseResult,
-        });
+        // only call onUploadFinish if it's a PATCH / POST request
+        if (['PATCH', 'POST'].includes(result.method) && [200, 500].includes(result.status)) {
+          const isExist = [true, 'true'].includes(result.headers['x-uploader-file-exist']);
+          const uploadURL = getUrl(result.url, result.headers['x-uploader-file-name']); // upload URL with file name
 
-        // exist but not upload
-        if (isExist && file) {
-          // if POST method check exist
-          if (result.method === 'POST') {
-            // set mock response to avoid next step upload
-            currentUppy.setFileState(file.id, {
-              mockResponse: res,
-            });
-          }
+          result.file = file;
+          result.uploadURL = uploadURL;
 
-          // only trigger uppy event when exist
-          currentUppy.emit('upload-success', currentUppy.getFile(file.id), {
-            ...responseResult,
-            body: result.data,
+          const responseResult = {
+            uploadURL,
+            ...result,
+          };
+
+          currentUppy.setFileState(file.id, {
+            responseResult,
           });
-          currentUppy.emit('postprocess-complete', currentUppy.getFile(file.id));
 
-          // @ts-ignore
-          currentUppy.calculateTotalProgress();
-        }
+          // exist but not upload
+          if (isExist && file) {
+            // if POST method check exist
+            if (result.method === 'POST') {
+              // set mock response to avoid next step upload
+              currentUppy.setFileState(file.id, {
+                mockResponse: res,
+              });
+            }
 
-        if (result.status === 200) {
-          await _onUploadFinish?.(result);
+            // only trigger uppy event when exist
+            currentUppy.emit('upload-success', currentUppy.getFile(file.id), {
+              ...responseResult,
+              body: result.data,
+            });
+            currentUppy.emit('postprocess-complete', currentUppy.getFile(file.id));
 
-          // @ts-ignore custom event
-          currentUppy.emitUploadSuccess(file, result);
+            // @ts-ignore
+            currentUppy.calculateTotalProgress();
+          }
+
+          if (result.status === 200) {
+            await _onUploadFinish?.(result);
+
+            // @ts-ignore custom event
+            currentUppy.emitUploadSuccess(file, result);
+          }
         }
-      }
 
-      // each time a response is received
-      if (_onAfterResponse) {
-        await _onAfterResponse?.(xhr);
-      }
+        // each time a response is received
+        if (_onAfterResponse) {
+          await _onAfterResponse?.(xhr);
+        }
 
-      const uploadProgressDone = currentUppy.getState().totalProgress === 100;
+        const uploadProgressDone = currentUppy.getState().totalProgress === 100;
 
-      const shouldAutoCloseAfterDropUpload = currentUppy.getFiles().every((item: any) => item.source === 'DropTarget');
+        const shouldAutoCloseAfterDropUpload = currentUppy.getFiles().every((item: any) => item.source === 'DropTarget');
 
-      // close uploader when upload progress done and all files are from DropTarget
-      if (uploadProgressDone && shouldAutoCloseAfterDropUpload) {
-        currentUppy.close();
-      }
-    },
-    ...tusProps,
-  });
-  // .use(GoldenRetriever);
+        // close uploader when upload progress done and all files are from DropTarget
+        if (uploadProgressDone && shouldAutoCloseAfterDropUpload) {
+          currentUppy.close();
+        }
+      },
+      ...tusProps,
+    });
+  }
 
   const appendUploadIdEvent = ({ fileIDs, id }: { fileIDs: string[]; id: string }) => {
     fileIDs.forEach((fileId: any) => {
@@ -551,6 +606,7 @@ export function Uploader({
     availablePluginMap: {} as any,
     restrictions: cloneDeep(props?.coreProps?.restrictions) || ({} as any),
     isError: false,
+    uploadMode: 'tus' as 'tus' | 'presigned',
   });
 
   const theme = useTheme();
@@ -595,6 +651,7 @@ export function Uploader({
         try {
           await mediaKitApi.get('/api/uploader/status').then(({ data }: any) => {
             state.availablePluginMap = data.availablePluginMap;
+            state.uploadMode = data.uploadMode || 'tus';
 
             if (!apiPathProps.disableMediaKitPrefix && isNil(props?.coreProps?.restrictions)) {
               restrictions = data.restrictions || {};
@@ -733,6 +790,7 @@ export function Uploader({
       apiPathProps,
       pluginList,
       restrictions: state.restrictions,
+      uploadMode: state.uploadMode,
     });
 
     state.uppy.open = open;
@@ -832,6 +890,7 @@ export function Uploader({
       locale,
       restrictions: state.restrictions,
       theme,
+      uploadMode: state.uploadMode,
     }),
   ]);
 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3ae1ba0..0cc8942 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -274,6 +274,166 @@ importers:
         specifier: ^5.2.9
         version: 5.2.9
 
+  cloudflare/frontend:
+    dependencies:
+      '@emotion/react':
+        specifier: ^11.14.0
+        version: 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled':
+        specifier: ^11.14.0
+        version: 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@lottiefiles/react-lottie-player':
+        specifier: ^3.5.4
+        version: 3.5.4(react@19.1.0)
+      '@mui/icons-material':
+        specifier: ^7.1.2
+        version: 7.1.2(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@mui/material':
+        specifier: ^7.1.2
+        version: 7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      '@uppy/core':
+        specifier: 3.13.1
+        version: 3.13.1
+      '@uppy/dashboard':
+        specifier: 3.9.1
+        version: 3.9.1(@uppy/core@3.13.1)
+      '@uppy/drag-drop':
+        specifier: 3.1.1
+        version: 3.1.1(@uppy/core@3.13.1)
+      '@uppy/drop-target':
+        specifier: 2.1.0
+        version: 2.1.0(@uppy/core@3.13.1)
+      '@uppy/file-input':
+        specifier: 3.1.2
+        version: 3.1.2(@uppy/core@3.13.1)
+      '@uppy/golden-retriever':
+        specifier: 3.2.0
+        version: 3.2.0(@uppy/core@3.13.1)
+      '@uppy/image-editor':
+        specifier: 2.4.6
+        version: 2.4.6(@uppy/core@3.13.1)
+      '@uppy/locales':
+        specifier: 3.5.4
+        version: 3.5.4
+      '@uppy/progress-bar':
+        specifier: 3.1.1
+        version: 3.1.1(@uppy/core@3.13.1)
+      '@uppy/provider-views':
+        specifier: 3.13.0
+        version: 3.13.0(@uppy/core@3.13.1)
+      '@uppy/react':
+        specifier: 3.4.0
+        version: 3.4.0(@uppy/core@3.13.1)(@uppy/dashboard@3.9.1(@uppy/core@3.13.1))(@uppy/drag-drop@3.1.1(@uppy/core@3.13.1))(@uppy/file-input@3.1.2(@uppy/core@3.13.1))(@uppy/progress-bar@3.1.1(@uppy/core@3.13.1))(@uppy/status-bar@3.3.3(@uppy/core@3.13.1))(react@19.1.0)
+      '@uppy/status-bar':
+        specifier: 3.3.3
+        version: 3.3.3(@uppy/core@3.13.1)
+      '@uppy/tus':
+        specifier: 3.5.5
+        version: 3.5.5(@uppy/core@3.13.1)
+      '@uppy/unsplash':
+        specifier: 3.3.1
+        version: 3.3.1(@uppy/core@3.13.1)
+      '@uppy/url':
+        specifier: 3.6.1
+        version: 3.6.1(@uppy/core@3.13.1)
+      '@uppy/webcam':
+        specifier: 3.4.2
+        version: 3.4.2(@uppy/core@3.13.1)
+      ahooks:
+        specifier: ^3.8.1
+        version: 3.8.5(react@19.1.0)
+      axios:
+        specifier: ^1.7.0
+        version: 1.10.0
+      copy-to-clipboard:
+        specifier: ^3.3.3
+        version: 3.3.3
+      dompurify:
+        specifier: ^3.2.2
+        version: 3.2.6
+      exifr:
+        specifier: ^7.1.3
+        version: 7.1.3
+      fflate:
+        specifier: ^0.8.2
+        version: 0.8.2
+      js-cookie:
+        specifier: ^3.0.5
+        version: 3.0.5
+      lodash:
+        specifier: ^4.17.21
+        version: 4.17.21
+      micromatch:
+        specifier: ^4.0.8
+        version: 4.0.8
+      mime-types:
+        specifier: ^2.1.35
+        version: 2.1.35
+      path-browserify:
+        specifier: ^1.0.1
+        version: 1.0.1
+      preact:
+        specifier: 10.20.1
+        version: 10.20.1
+      pretty-bytes:
+        specifier: ^6.1.0
+        version: 6.1.1
+      prop-types:
+        specifier: ^15.8.1
+        version: 15.8.1
+      react:
+        specifier: ^19.0.0
+        version: 19.1.0
+      react-dom:
+        specifier: ^19.0.0
+        version: 19.1.0(react@19.1.0)
+      react-player:
+        specifier: ^2.16.0
+        version: 2.16.0(react@19.1.0)
+      react-router-dom:
+        specifier: ^6.28.0
+        version: 6.28.0(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      spark-md5:
+        specifier: ^3.0.2
+        version: 3.0.2
+      timeago.js:
+        specifier: ^4.0.2
+        version: 4.0.2
+      ufo:
+        specifier: ^1.6.1
+        version: 1.6.1
+      url-join:
+        specifier: ^4.0.1
+        version: 4.0.1
+      wolfy87-eventemitter:
+        specifier: ^5.2.9
+        version: 5.2.9
+      xbytes:
+        specifier: ^1.9.1
+        version: 1.9.1
+    devDependencies:
+      '@types/js-cookie':
+        specifier: ^3.0.6
+        version: 3.0.6
+      '@types/lodash':
+        specifier: ^4.17.0
+        version: 4.17.13
+      '@types/react':
+        specifier: ^19.0.0
+        version: 19.2.14
+      '@types/react-dom':
+        specifier: ^19.0.0
+        version: 19.2.3(@types/react@19.2.14)
+      '@vitejs/plugin-react':
+        specifier: ^4.3.0
+        version: 4.6.0(vite@6.4.1(@types/node@22.10.1)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1))
+      typescript:
+        specifier: ^5.5.0
+        version: 5.7.2
+      vite:
+        specifier: ^6.0.0
+        version: 6.4.1(@types/node@22.10.1)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1)
+
   packages/uploader:
     dependencies:
       '@blocklet/ui-react':
@@ -3878,6 +4038,9 @@ packages:
   '@types/js-cookie@2.2.7':
     resolution: {integrity: sha512-aLkWa0C0vO5b4Sr798E26QgOkss68Un0bLjs7u9qxzPT5CG+8DuNTffWES58YzJs3hrVAOs1wonycqEBqNJubA==}
 
+  '@types/js-cookie@3.0.6':
+    resolution: {integrity: sha512-wkw9yd1kEXOPnvEeEV1Go1MmxtBJL0RR79aOTAApecWFVu7w0NNXNqhcWgvw2YgZDYadliXkl14pa3WXw5jlCQ==}
+
   '@types/json5@0.0.29':
     resolution: {integrity: sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==}
 
@@ -3950,6 +4113,11 @@ packages:
   '@types/react-dom@18.3.1':
     resolution: {integrity: sha512-qW1Mfv8taImTthu4KoXgDfLuk4bydU6Q/TkADnDWWHwi4NX4BR+LWfTp2sVmTqRrsHvyDDTelgelxJ+SsejKKQ==}
 
+  '@types/react-dom@19.2.3':
+    resolution: {integrity: sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==}
+    peerDependencies:
+      '@types/react': ^19.2.0
+
   '@types/react-transition-group@4.4.12':
     resolution: {integrity: sha512-8TV6R3h2j7a91c+1DXdJi3Syo69zzIZbz7Lg5tORM5LEJG7X/E6a1V3drRyBRZq7/utz7A+c4OgYLiLcYGHG6w==}
     peerDependencies:
@@ -3958,6 +4126,9 @@ packages:
   '@types/react@18.3.12':
     resolution: {integrity: sha512-D2wOSq/d6Agt28q7rSI3jhU7G6aiuzljDGZ2hTZHIkrTLUI+AF3WMeKkEZ9nN2fkBAlcktT6vcZjDFiIhMYEQw==}
 
+  '@types/react@19.2.14':
+    resolution: {integrity: sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==}
+
   '@types/resolve@1.20.2':
     resolution: {integrity: sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==}
 
@@ -5427,6 +5598,9 @@ packages:
   csstype@3.1.3:
     resolution: {integrity: sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==}
 
+  csstype@3.2.3:
+    resolution: {integrity: sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==}
+
   cuint@0.2.2:
     resolution: {integrity: sha512-d4ZVpCW31eWwCMe1YT3ur7mUDnTXbgwyzaL320DrcRT45rfjYxkt5QWLrmOJ+/UEAI2+fQgKe/fCjR8l4TpRgw==}
 
@@ -10739,6 +10913,46 @@ packages:
     peerDependencies:
       vite: '>=2.6.0'
 
+  vite@6.4.1:
+    resolution: {integrity: sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
+    hasBin: true
+    peerDependencies:
+      '@types/node': ^18.0.0 || ^20.0.0 || >=22.0.0
+      jiti: '>=1.21.0'
+      less: '*'
+      lightningcss: ^1.21.0
+      sass: '*'
+      sass-embedded: '*'
+      stylus: '*'
+      sugarss: '*'
+      terser: ^5.16.0
+      tsx: ^4.8.1
+      yaml: ^2.4.2
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+      jiti:
+        optional: true
+      less:
+        optional: true
+      lightningcss:
+        optional: true
+      sass:
+        optional: true
+      sass-embedded:
+        optional: true
+      stylus:
+        optional: true
+      sugarss:
+        optional: true
+      terser:
+        optional: true
+      tsx:
+        optional: true
+      yaml:
+        optional: true
+
   vite@7.0.0:
     resolution: {integrity: sha512-ixXJB1YRgDIw2OszKQS9WxGHKwLdCsbQNkpJN171udl6szi/rIySHL6/Os3s2+oE4P/FLD4dxg4mD7Wust+u5g==}
     engines: {node: ^20.19.0 || >=22.12.0}
@@ -14083,6 +14297,22 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@emotion/babel-plugin': 11.13.5
+      '@emotion/cache': 11.14.0
+      '@emotion/serialize': 1.3.3
+      '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.1.0)
+      '@emotion/utils': 1.4.2
+      '@emotion/weak-memoize': 0.4.0
+      hoist-non-react-statics: 3.3.2
+      react: 19.1.0
+    optionalDependencies:
+      '@types/react': 19.2.14
+    transitivePeerDependencies:
+      - supports-color
+
   '@emotion/serialize@1.3.3':
     dependencies:
       '@emotion/hash': 0.9.2
@@ -14108,6 +14338,21 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@emotion/babel-plugin': 11.13.5
+      '@emotion/is-prop-valid': 1.3.1
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/serialize': 1.3.3
+      '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.1.0)
+      '@emotion/utils': 1.4.2
+      react: 19.1.0
+    optionalDependencies:
+      '@types/react': 19.2.14
+    transitivePeerDependencies:
+      - supports-color
+
   '@emotion/unitless@0.10.0': {}
 
   '@emotion/use-insertion-effect-with-fallbacks@1.2.0(react@19.1.0)':
@@ -15020,6 +15265,14 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.3.12
 
+  '@mui/icons-material@7.1.2(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@mui/material': 7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      react: 19.1.0
+    optionalDependencies:
+      '@types/react': 19.2.14
+
   '@mui/lab@7.0.0-beta.14(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0))(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@18.3.12)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -15073,6 +15326,27 @@ snapshots:
       '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0)
       '@types/react': 18.3.12
 
+  '@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@mui/core-downloads-tracker': 7.1.2
+      '@mui/system': 7.1.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@mui/types': 7.4.8(@types/react@19.2.14)
+      '@mui/utils': 7.3.5(@types/react@19.2.14)(react@19.1.0)
+      '@popperjs/core': 2.11.8
+      '@types/react-transition-group': 4.4.12(@types/react@19.2.14)
+      clsx: 2.1.1
+      csstype: 3.1.3
+      prop-types: 15.8.1
+      react: 19.1.0
+      react-dom: 19.1.0(react@19.1.0)
+      react-is: 19.2.0
+      react-transition-group: 4.4.5(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+    optionalDependencies:
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@types/react': 19.2.14
+
   '@mui/private-theming@7.1.1(@types/react@18.3.12)(react@19.1.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -15082,6 +15356,15 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.3.12
 
+  '@mui/private-theming@7.1.1(@types/react@19.2.14)(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@mui/utils': 7.3.5(@types/react@19.2.14)(react@19.1.0)
+      prop-types: 15.8.1
+      react: 19.1.0
+    optionalDependencies:
+      '@types/react': 19.2.14
+
   '@mui/styled-engine@7.1.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0))(react@19.1.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -15095,6 +15378,19 @@ snapshots:
       '@emotion/react': 11.14.0(@types/react@18.3.12)(react@19.1.0)
       '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0)
 
+  '@mui/styled-engine@7.1.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@emotion/cache': 11.14.0
+      '@emotion/serialize': 1.3.3
+      '@emotion/sheet': 1.4.0
+      csstype: 3.1.3
+      prop-types: 15.8.1
+      react: 19.1.0
+    optionalDependencies:
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+
   '@mui/system@7.1.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -15111,12 +15407,34 @@ snapshots:
       '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0)
       '@types/react': 18.3.12
 
+  '@mui/system@7.1.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@mui/private-theming': 7.1.1(@types/react@19.2.14)(react@19.1.0)
+      '@mui/styled-engine': 7.1.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(react@19.1.0)
+      '@mui/types': 7.4.8(@types/react@19.2.14)
+      '@mui/utils': 7.3.5(@types/react@19.2.14)(react@19.1.0)
+      clsx: 2.1.1
+      csstype: 3.1.3
+      prop-types: 15.8.1
+      react: 19.1.0
+    optionalDependencies:
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@types/react': 19.2.14
+
   '@mui/types@7.4.8(@types/react@18.3.12)':
     dependencies:
       '@babel/runtime': 7.28.4
     optionalDependencies:
       '@types/react': 18.3.12
 
+  '@mui/types@7.4.8(@types/react@19.2.14)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+    optionalDependencies:
+      '@types/react': 19.2.14
+
   '@mui/utils@7.3.5(@types/react@18.3.12)(react@19.1.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -15129,6 +15447,18 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.3.12
 
+  '@mui/utils@7.3.5(@types/react@19.2.14)(react@19.1.0)':
+    dependencies:
+      '@babel/runtime': 7.28.4
+      '@mui/types': 7.4.8(@types/react@19.2.14)
+      '@types/prop-types': 15.7.15
+      clsx: 2.1.1
+      prop-types: 15.8.1
+      react: 19.1.0
+      react-is: 19.2.0
+    optionalDependencies:
+      '@types/react': 19.2.14
+
   '@nedb/binary-search-tree@2.1.5': {}
 
   '@nedb/core@2.1.5':
@@ -16812,6 +17142,8 @@ snapshots:
 
   '@types/js-cookie@2.2.7': {}
 
+  '@types/js-cookie@3.0.6': {}
+
   '@types/json5@0.0.29': {}
 
   '@types/jsonfile@6.1.4':
@@ -16888,15 +17220,27 @@ snapshots:
     dependencies:
       '@types/react': 18.3.12
 
+  '@types/react-dom@19.2.3(@types/react@19.2.14)':
+    dependencies:
+      '@types/react': 19.2.14
+
   '@types/react-transition-group@4.4.12(@types/react@18.3.12)':
     dependencies:
       '@types/react': 18.3.12
 
+  '@types/react-transition-group@4.4.12(@types/react@19.2.14)':
+    dependencies:
+      '@types/react': 19.2.14
+
   '@types/react@18.3.12':
     dependencies:
       '@types/prop-types': 15.7.15
       csstype: 3.1.3
 
+  '@types/react@19.2.14':
+    dependencies:
+      csstype: 3.2.3
+
   '@types/resolve@1.20.2': {}
 
   '@types/responselike@1.0.3':
@@ -17295,6 +17639,18 @@ snapshots:
       is-mobile: 3.1.1
       preact: 10.20.1
 
+  '@vitejs/plugin-react@4.6.0(vite@6.4.1(@types/node@22.10.1)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1))':
+    dependencies:
+      '@babel/core': 7.27.7
+      '@babel/plugin-transform-react-jsx-self': 7.27.1(@babel/core@7.27.7)
+      '@babel/plugin-transform-react-jsx-source': 7.27.1(@babel/core@7.27.7)
+      '@rolldown/pluginutils': 1.0.0-beta.19
+      '@types/babel__core': 7.20.5
+      react-refresh: 0.17.0
+      vite: 6.4.1(@types/node@22.10.1)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1)
+    transitivePeerDependencies:
+      - supports-color
+
   '@vitejs/plugin-react@4.6.0(vite@7.0.0(@types/node@22.10.1)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1))':
     dependencies:
       '@babel/core': 7.27.7
@@ -17729,7 +18085,7 @@ snapshots:
 
   axios@1.10.0:
     dependencies:
-      follow-redirects: 1.15.9(debug@4.3.7)
+      follow-redirects: 1.15.9
       form-data: 4.0.2
       proxy-from-env: 1.1.0
     transitivePeerDependencies:
@@ -18803,6 +19159,8 @@ snapshots:
 
   csstype@3.1.3: {}
 
+  csstype@3.2.3: {}
+
   cuint@0.2.2: {}
 
   culvert@0.1.2: {}
@@ -20148,6 +20506,8 @@ snapshots:
     dependencies:
       from2: 2.3.0
 
+  follow-redirects@1.15.9: {}
+
   follow-redirects@1.15.9(debug@4.3.7):
     optionalDependencies:
       debug: 4.3.7
@@ -25103,6 +25463,21 @@ snapshots:
       - supports-color
       - typescript
 
+  vite@6.4.1(@types/node@22.10.1)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1):
+    dependencies:
+      esbuild: 0.25.5
+      fdir: 6.5.0(picomatch@4.0.3)
+      picomatch: 4.0.3
+      postcss: 8.5.6
+      rollup: 4.44.1
+      tinyglobby: 0.2.15
+    optionalDependencies:
+      '@types/node': 22.10.1
+      fsevents: 2.3.3
+      jiti: 2.6.1
+      tsx: 4.19.2
+      yaml: 2.8.1
+
   vite@7.0.0(@types/node@20.17.9)(jiti@2.6.1)(tsx@4.19.2)(yaml@2.8.1):
     dependencies:
       esbuild: 0.25.5

From e94766a8254f9f95dc0a685062089c68bacad794 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 22:09:27 +0800
Subject: [PATCH 02/21] fix: improve CF Workers implementation based on review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Code improvements:
- Multipart: use R2 binding for create/complete/abort instead of S3 API
  (zero latency, no credential dependency, only listParts still uses S3)
- proxy-put: stream request body directly to R2 instead of arrayBuffer()
  (avoids 128MB memory ceiling for large files in dev mode)
- Cleanup: delete temp R2 objects for expired single-file sessions
  (previously only multipart sessions were cleaned up)
- SVG sanitization: add <style> block stripping and xlink:href data: fix
- D1: add TODO for withSession("first-primary") write consistency
- Fix TypeScript error in direct upload FormData casting

Documentation updates:
- README: fix wrangler.toml line number reference, clarify deploy paths
- MIGRATION-REPORT: Cloudflare Pages → Workers Static Assets
- MIGRATION-PLAN: mark /api/url/import as unimplemented, add GET /api/folders
- All design docs: add "historical reference" note at top

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/README.md                |  8 ++++----
 cloudflare/docs/CHANGES.md          |  2 ++
 cloudflare/docs/MIGRATION-PLAN.md   |  5 ++++-
 cloudflare/docs/MIGRATION-REPORT.md | 14 ++++++++------
 cloudflare/src/routes/cleanup.ts    | 19 +++++++++++++------
 cloudflare/src/routes/upload.ts     | 20 ++++++++++----------
 cloudflare/src/utils/hash.ts        |  6 +++++-
 cloudflare/src/worker.ts            |  4 ++++
 8 files changed, 50 insertions(+), 28 deletions(-)

diff --git a/cloudflare/README.md b/cloudflare/README.md
index 21704d1..14638ef 100644
--- a/cloudflare/README.md
+++ b/cloudflare/README.md
@@ -21,7 +21,7 @@ wrangler login
 wrangler d1 create media-kit-db
 ```
 
-输出中的 `database_id` 填入 `wrangler.toml` 第 20 行。
+输出中的 `database_id` 填入 `wrangler.toml` 的 `[[d1_databases]]` 节的 `database_id`。
 
 ### 3. 创建 R2 Bucket
 
@@ -92,8 +92,8 @@ npm run deploy
 
 等价于：
 ```bash
-cd frontend && npx vite build   # 构建前端到 public/
-cd .. && wrangler deploy         # 部署 Worker + 静态资源
+cd cloudflare/frontend && npx vite build   # 构建前端到 cloudflare/public/
+cd cloudflare && wrangler deploy           # 部署 Worker + 静态资源
 ```
 
 部署后访问 `https://media-kit.<your-subdomain>.workers.dev`
@@ -187,7 +187,7 @@ cloudflare/
   src/                    # CF Worker 后端（Hono + D1 + R2）
     worker.ts             # 入口：路由 + AIGNE Hub 代理
     routes/
-      upload.ts           # 上传：presign / proxy-put / direct / confirm
+      upload.ts           # 上传：presign / proxy-put（开发模式代理上传） / direct（FormData 上传） / confirm
       serve.ts            # 文件服务：R2 → 响应（生产用 cf.image）
       folders.ts          # 文件夹 CRUD
       status.ts           # Uploader 配置
diff --git a/cloudflare/docs/CHANGES.md b/cloudflare/docs/CHANGES.md
index bc8d3e4..ef39db4 100644
--- a/cloudflare/docs/CHANGES.md
+++ b/cloudflare/docs/CHANGES.md
@@ -1,3 +1,5 @@
+> **注意**：本文为迁移改动的历史记录，最终实现以代码和 README.md 为准。
+
 # Media Kit — Cloudflare Workers 迁移改动总结
 
 ## 一、背景
diff --git a/cloudflare/docs/MIGRATION-PLAN.md b/cloudflare/docs/MIGRATION-PLAN.md
index fc7a4c1..69ad4b2 100644
--- a/cloudflare/docs/MIGRATION-PLAN.md
+++ b/cloudflare/docs/MIGRATION-PLAN.md
@@ -1,3 +1,5 @@
+> **注意**：本文为迁移设计阶段的参考文档，最终实现以代码和 README.md 为准。
+
 # Media Kit Cloudflare Migration Plan v6
 
 > Integrated from Media Kit Owner + Cloudflare Expert + Cross-Model Review (Claude Opus 4.6 + GPT-5.4).
@@ -146,7 +148,8 @@
 | GET | `/api/uploader/status` | None | 上传器配置（兼容现有前端响应 schema） | 🔄 Adapt |
 | GET | `/api/unsplash/search` | user + auth | Unsplash 搜索（hotlink 模式） | 🔧 New |
 | POST | `/api/unsplash/track-download` | user + auth | 触发 Unsplash download tracking | 🔧 New |
-| POST | `/api/url/import` | user + auth | 从 URL 导入文件 | 🔧 New |
+| POST | `/api/url/import` | user + auth | 从 URL 导入文件 | ❌ 未实现 |
+| GET | `/api/folders` | user | 列出所有文件夹 | 🔄 Adapt |
 
 #### Group C: Drop
 
diff --git a/cloudflare/docs/MIGRATION-REPORT.md b/cloudflare/docs/MIGRATION-REPORT.md
index e764521..72d5e61 100644
--- a/cloudflare/docs/MIGRATION-REPORT.md
+++ b/cloudflare/docs/MIGRATION-REPORT.md
@@ -1,3 +1,5 @@
+> **注意**：本文为迁移设计阶段的参考文档，最终实现以代码和 README.md 为准。
+
 # Media Kit 迁移到 Cloudflare 方案报告
 
 > 2026 年 3 月 16 日 | 版本 6
@@ -29,7 +31,7 @@ Media Kit（又名 image-bin）是 ArcBlock 的媒体资产管理服务，目前
 | CDN 分发 | 手动 CDN_HOST 替换 | Cloudflare CDN 原生集成 |
 | 用户认证 | DID 钱包 + 组件签名 | 默认放行（预留 DID），待 Shijun 提供方案 |
 | 服务间通信 | Blocklet `component.call` | Cloudflare Service Binding |
-| 前端托管 | Blocklet 内嵌 | Cloudflare Pages |
+| 前端托管 | Blocklet 内嵌 | Cloudflare Workers Static Assets（与 Worker 同部署） |
 
 > **产品范围变更**：断点续传粒度从 TUS 的字节级降为分片级（最小 5MB）。用户刷新页面后仍可恢复未完成的上传，但恢复粒度是整个分片而非字节偏移。
 
@@ -65,10 +67,10 @@ Media Kit（又名 image-bin）是 ArcBlock 的媒体资产管理服务，目前
     │ （私有）    │ │ （SQLite）│ │ 连接其他 Worker │
     └────────────┘ └──────────┘ └───────────────┘
 
-    ┌──────────────────┐
-    │ Cloudflare Pages  │
-    │  React 前端        │
-    └──────────────────┘
+    ┌────────────────────────────────────────────┐
+    │ Cloudflare Workers Static Assets（与 Worker 同部署）│
+    │  React 前端                                        │
+    └────────────────────────────────────────────┘
 ```
 
 这里有一个**重要的安全约束**：R2 存储桶不开放公共访问。所有文件请求都必须经过 Worker，Worker 会对图片自动应用 `cf.image { metadata: 'none' }`，确保 EXIF 信息在任何情况下都被移除——这是产品对用户隐私的承诺。
@@ -151,7 +153,7 @@ Media Kit（又名 image-bin）是 ArcBlock 的媒体资产管理服务，目前
 
 Media Kit 承诺自动移除所有图片的 EXIF 元数据（包含拍摄地点、设备信息等隐私数据）。在 Cloudflare 上，这通过 Worker 的 `cf.image` 参数实现。
 
-**工作方式**：当用户请求一张图片时，Worker 检测到文件类型是图片后，会通过一个 WAF 保护的 R2 自定义域名获取原始文件，同时附加 `cf.image { metadata: 'none' }` 参数。Cloudflare 的 Image Resizing 服务会在返回图片前自动剥离所有元数据。
+**工作方式**：当用户请求一张图片时，Worker 检测到文件类型是图片后，会通过 R2 Origin Domain 获取原始文件（该域名通过 IP Access Rule 限制仅 Cloudflare 边缘 IP 可访问），同时附加 `cf.image { metadata: 'none' }` 参数。Cloudflare 的 Image Resizing 服务会在返回图片前自动剥离所有元数据。
 
 如果用户还传了宽高参数（如 `?w=200&h=150`），Worker 会同时传入尺寸参数，实现实时缩放。
 
diff --git a/cloudflare/src/routes/cleanup.ts b/cloudflare/src/routes/cleanup.ts
index a50806e..e3d7834 100644
--- a/cloudflare/src/routes/cleanup.ts
+++ b/cloudflare/src/routes/cleanup.ts
@@ -2,14 +2,15 @@ import { drizzle } from 'drizzle-orm/d1';
 import { eq, and, lt } from 'drizzle-orm';
 import type { Env } from '../types';
 import { uploadSessions } from '../db/schema';
-import { createS3Client, s3AbortMultipartUpload } from '../utils/s3';
 
 /**
  * Clean up expired upload sessions.
  *
  * Called from the scheduled cron handler (every hour).
  * - Queries D1 for active sessions past their expires_at time
- * - For each: aborts the multipart upload via S3 API, updates status to 'aborted'
+ * - For multipart: aborts via R2 binding
+ * - For single-file: deletes temp R2 object
+ * - Updates status to 'aborted'
  */
 export async function cleanupExpiredSessions(env: Env): Promise<void> {
   const db = drizzle(env.DB);
@@ -28,16 +29,22 @@ export async function cleanupExpiredSessions(env: Env): Promise<void> {
 
   if (expired.length === 0) return;
 
-  const s3 = createS3Client(env);
-
   for (const session of expired) {
-    // Attempt to abort the multipart upload in R2 via S3 API
     if (session.uploadId && session.key) {
+      // Multipart session — abort via R2 binding
       try {
-        await s3AbortMultipartUpload(s3, env, session.key, session.uploadId);
+        const multipart = env.R2_UPLOADS.resumeMultipartUpload(session.key, session.uploadId);
+        await multipart.abort();
       } catch {
         // Ignore errors — upload might already be cleaned up or completed
       }
+    } else if (session.key && session.key.startsWith('tmp/')) {
+      // Single-file session — delete the temp R2 object
+      try {
+        await env.R2_UPLOADS.delete(session.key);
+      } catch {
+        // Ignore errors — object might already be deleted
+      }
     }
 
     // Mark session as aborted in D1
diff --git a/cloudflare/src/routes/upload.ts b/cloudflare/src/routes/upload.ts
index 025bbce..1e23876 100644
--- a/cloudflare/src/routes/upload.ts
+++ b/cloudflare/src/routes/upload.ts
@@ -5,9 +5,6 @@ import { uploads, uploadTags, uploadSessions, folders } from '../db/schema';
 import {
   createS3Client,
   generatePresignedPutUrl,
-  s3CreateMultipartUpload,
-  s3CompleteMultipartUpload,
-  s3AbortMultipartUpload,
   s3ListParts,
 } from '../utils/s3';
 import { streamMD5, detectMimeType, sanitizeSvg } from '../utils/hash';
@@ -79,7 +76,10 @@ uploadRoutes.post('/uploads/presign', async (c) => {
   const isMultipart = size >= MULTIPART_THRESHOLD;
 
   if (isMultipart) {
-    const uploadId = await s3CreateMultipartUpload(s3, c.env, tempKey, mimetype);
+    const multipartUpload = await c.env.R2_UPLOADS.createMultipartUpload(tempKey, {
+      httpMetadata: mimetype ? { contentType: mimetype } : undefined,
+    });
+    const uploadId = multipartUpload.uploadId;
 
     let partSize = DEFAULT_PART_SIZE;
     let partCount = Math.ceil(size / partSize);
@@ -384,8 +384,8 @@ uploadRoutes.post('/uploads/multipart/complete', async (c) => {
     return c.json({ error: 'Session is not a multipart upload' }, 400);
   }
 
-  const s3 = createS3Client(c.env);
-  await s3CompleteMultipartUpload(s3, c.env, session.key, session.uploadId, parts);
+  const multipart = c.env.R2_UPLOADS.resumeMultipartUpload(session.key, session.uploadId);
+  await multipart.complete(parts.map(p => ({ partNumber: p.partNumber, etag: p.etag })));
 
   return c.json({ status: 'assembled' });
 });
@@ -406,8 +406,8 @@ uploadRoutes.post('/uploads/multipart/abort', async (c) => {
   }
 
   if (session.uploadId) {
-    const s3 = createS3Client(c.env);
-    await s3AbortMultipartUpload(s3, c.env, session.key, session.uploadId);
+    const multipart = c.env.R2_UPLOADS.resumeMultipartUpload(session.key, session.uploadId);
+    await multipart.abort();
   }
 
   await db
@@ -461,7 +461,7 @@ uploadRoutes.put('/uploads/proxy-put/:sessionId', async (c) => {
     return c.json({ error: 'Session not found or not active' }, 400);
   }
 
-  const body = await c.req.arrayBuffer();
+  const body = c.req.raw.body;
   const contentType = c.req.header('content-type') || 'application/octet-stream';
 
   await c.env.R2_UPLOADS.put(session.key, body, {
@@ -477,7 +477,7 @@ uploadRoutes.post('/uploads/direct', async (c) => {
   const user = c.get('user');
 
   const formData = await c.req.formData();
-  const file = formData.get('file') as File | null;
+  const file = formData.get('file') as unknown as File | null;
   const folderId = (formData.get('folderId') as string) || '';
   const tags = (formData.get('tags') as string) || '';
 
diff --git a/cloudflare/src/utils/hash.ts b/cloudflare/src/utils/hash.ts
index 2eafb87..9e78125 100644
--- a/cloudflare/src/utils/hash.ts
+++ b/cloudflare/src/utils/hash.ts
@@ -108,6 +108,9 @@ export function sanitizeSvg(svgContent: string): string {
   // Remove script tags and their content
   let sanitized = svgContent.replace(/<script[\s\S]*?<\/script>/gi, '');
 
+  // Remove style blocks (can contain CSS-based attacks)
+  sanitized = sanitized.replace(/<style[\s\S]*?<\/style>/gi, '');
+
   // Remove on* event attributes
   sanitized = sanitized.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
 
@@ -115,8 +118,9 @@ export function sanitizeSvg(svgContent: string): string {
   sanitized = sanitized.replace(/href\s*=\s*["']javascript:[^"']*["']/gi, 'href=""');
   sanitized = sanitized.replace(/xlink:href\s*=\s*["']javascript:[^"']*["']/gi, 'xlink:href=""');
 
-  // Remove data: URLs (potential XSS vector)
+  // Remove data: URLs (potential XSS vector) from both href and xlink:href
   sanitized = sanitized.replace(/href\s*=\s*["']data:[^"']*["']/gi, 'href=""');
+  sanitized = sanitized.replace(/xlink:href\s*=\s*["']data:[^"']*["']/gi, 'xlink:href=""');
 
   // Remove foreignObject (can embed arbitrary HTML)
   sanitized = sanitized.replace(/<foreignObject[\s\S]*?<\/foreignObject>/gi, '');
diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index 32034ec..c67d55c 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -15,6 +15,10 @@ const app = new Hono<HonoEnv>();
 // Global middleware
 // TODO: restrict CORS origin to actual deployment domain when auth is implemented
 app.use('*', cors());
+// TODO: D1 write consistency — When Drizzle ORM adds support for D1's withSession API,
+// wrap write-path requests with `c.env.DB.withSession("first-primary")` to ensure
+// read-after-write consistency. Without this, D1 replicas may serve stale reads
+// immediately after writes (e.g., confirm then list may miss the new upload).
 app.use('*', async (c, next) => {
   const db = drizzle(c.env.DB);
   c.set('db', db);

From 348d2d67beca9f8f4975f5ebda1dd4b9b4bc2317 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 22:16:19 +0800
Subject: [PATCH 03/21] fix: proxy AIGNE Hub generated image URLs through
 Worker

Hub image URLs (hub.aigne.io/image-bin/uploads/...) fail to load directly
from the browser due to connection issues. Rewrite URLs in the generation
response to go through /api/image/proxy, which fetches from Hub server-side
and streams to the client. Only allows proxying URLs from the configured
AIGNE_HUB_URL to prevent open proxy abuse.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/src/worker.ts | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index c67d55c..7d6a652 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -86,9 +86,43 @@ app.post('/api/image/generations', async (c) => {
     }),
   });
   const data: any = await res.json();
+
+  // Rewrite hub image URLs to go through our proxy (avoids CORS/connection issues)
+  if (data.images) {
+    data.images = data.images.map((img: any) => {
+      if (img.url) {
+        // /api/image/proxy?url=<encoded-hub-url>
+        img.url = `/api/image/proxy?url=${encodeURIComponent(img.url)}`;
+      }
+      return img;
+    });
+  }
+
   return c.json(data, res.status as any);
 });
 
+// GET /api/image/proxy — Proxy AIGNE Hub generated images
+app.get('/api/image/proxy', async (c) => {
+  const url = c.req.query('url');
+  if (!url) return c.json({ error: 'url required' }, 400);
+
+  // Only allow proxying from AIGNE Hub
+  const hubBase = c.env.AIGNE_HUB_URL || 'https://hub.aigne.io';
+  if (!url.startsWith(hubBase)) {
+    return c.json({ error: 'Invalid URL' }, 403);
+  }
+
+  const res = await fetch(url);
+  if (!res.ok) return c.json({ error: `Upstream error: ${res.status}` }, res.status as any);
+
+  return new Response(res.body, {
+    headers: {
+      'Content-Type': res.headers.get('content-type') || 'image/png',
+      'Cache-Control': 'public, max-age=86400',
+    },
+  });
+});
+
 // Health check
 app.get('/health', (c) => c.json({ status: 'ok', version: '1.0.0' }));
 

From d7ffe9c0c09e273666c426e61437a659ae66e840 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 22:22:18 +0800
Subject: [PATCH 04/21] fix: disable caching for AI generated image proxy

AI generated images from AIGNE Hub are temporary and should not be cached.
Previous 24h browser cache caused stale images to appear when selecting
generated results. Also disable CF edge cache for the proxy fetch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/src/worker.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index 7d6a652..591c8ca 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -112,13 +112,15 @@ app.get('/api/image/proxy', async (c) => {
     return c.json({ error: 'Invalid URL' }, 403);
   }
 
-  const res = await fetch(url);
+  const res = await fetch(url, {
+    cf: { cacheTtl: 0 },  // Don't use CF cache for hub images (they may be temporary)
+  } as RequestInit);
   if (!res.ok) return c.json({ error: `Upstream error: ${res.status}` }, res.status as any);
 
   return new Response(res.body, {
     headers: {
       'Content-Type': res.headers.get('content-type') || 'image/png',
-      'Cache-Control': 'public, max-age=86400',
+      'Cache-Control': 'no-cache',  // AI generated images should not be cached by browser
     },
   });
 });

From 5b65d84e049e6414cfcae52a681d975bd744a3a6 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 22:27:57 +0800
Subject: [PATCH 05/21] fix: stop auto-rewriting AI image URLs to proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hub image URLs are served directly to the frontend now. The proxy endpoint
caused slow loading and stale image issues. The /api/image/proxy endpoint
is kept available but not auto-applied — can be used manually if needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/src/worker.ts | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index 591c8ca..d2e73e4 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -86,18 +86,6 @@ app.post('/api/image/generations', async (c) => {
     }),
   });
   const data: any = await res.json();
-
-  // Rewrite hub image URLs to go through our proxy (avoids CORS/connection issues)
-  if (data.images) {
-    data.images = data.images.map((img: any) => {
-      if (img.url) {
-        // /api/image/proxy?url=<encoded-hub-url>
-        img.url = `/api/image/proxy?url=${encodeURIComponent(img.url)}`;
-      }
-      return img;
-    });
-  }
-
   return c.json(data, res.status as any);
 });
 

From dc63a9cd4882764bb0ff52fe9c9251660b860207 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 22:36:48 +0800
Subject: [PATCH 06/21] fix: AI image temp caching in R2 + Toast shim default
 export
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

AI Image generation:
- Download hub images to tmp/ai/ in R2 during generation
- Return local /uploads/tmp/ai/xxx.png URLs (fast, no CORS)
- Cron cleanup deletes tmp/ai/ files older than 24 hours
- User clicks "Use selected" → fetches from local R2 (instant)

Toast shim:
- Fix default export: Toast object (with success/error methods)
  was incorrectly exporting ToastProvider as default

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/frontend/src/shims/ux-toast.tsx |  8 +++-
 cloudflare/src/routes/cleanup.ts           | 18 +++++++++
 cloudflare/src/worker.ts                   | 43 +++++++++++-----------
 3 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/cloudflare/frontend/src/shims/ux-toast.tsx b/cloudflare/frontend/src/shims/ux-toast.tsx
index 0cf914b..7b29983 100644
--- a/cloudflare/frontend/src/shims/ux-toast.tsx
+++ b/cloudflare/frontend/src/shims/ux-toast.tsx
@@ -1 +1,7 @@
-export { ToastProvider as default, ToastProvider, Toast } from './arcblock-ux';
+import { ToastProvider, Toast } from './arcblock-ux';
+
+// Default export is Toast (the object with success/error methods)
+// because actions.jsx does: import Toast from '@arcblock/ux/lib/Toast'
+// while app.jsx does: import { ToastProvider } from '@arcblock/ux/lib/Toast'
+export default Toast;
+export { ToastProvider, Toast };
diff --git a/cloudflare/src/routes/cleanup.ts b/cloudflare/src/routes/cleanup.ts
index e3d7834..f237581 100644
--- a/cloudflare/src/routes/cleanup.ts
+++ b/cloudflare/src/routes/cleanup.ts
@@ -53,4 +53,22 @@ export async function cleanupExpiredSessions(env: Env): Promise<void> {
       .set({ status: 'aborted' })
       .where(eq(uploadSessions.id, session.id));
   }
+
+  // Clean up AI-generated temp images (tmp/ai/*) older than 24 hours
+  await cleanupTempAiImages(env);
+}
+
+async function cleanupTempAiImages(env: Env): Promise<void> {
+  const cutoff = new Date(Date.now() - 24 * 60 * 60 * 1000);
+
+  const listed = await env.R2_UPLOADS.list({ prefix: 'tmp/ai/' });
+  for (const obj of listed.objects) {
+    if (obj.uploaded < cutoff) {
+      try {
+        await env.R2_UPLOADS.delete(obj.key);
+      } catch {
+        // ignore
+      }
+    }
+  }
 }
diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index d2e73e4..ba999c9 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -86,31 +86,30 @@ app.post('/api/image/generations', async (c) => {
     }),
   });
   const data: any = await res.json();
-  return c.json(data, res.status as any);
-});
 
-// GET /api/image/proxy — Proxy AIGNE Hub generated images
-app.get('/api/image/proxy', async (c) => {
-  const url = c.req.query('url');
-  if (!url) return c.json({ error: 'url required' }, 400);
-
-  // Only allow proxying from AIGNE Hub
-  const hubBase = c.env.AIGNE_HUB_URL || 'https://hub.aigne.io';
-  if (!url.startsWith(hubBase)) {
-    return c.json({ error: 'Invalid URL' }, 403);
+  // Download hub images to R2 temp directory for fast local access
+  // Avoids CORS + hub connection instability. Cleaned up by cron after 24h.
+  if (data.images) {
+    data.images = await Promise.all(
+      data.images.map(async (img: any) => {
+        if (!img.url) return img;
+        try {
+          const imgRes = await fetch(img.url);
+          if (!imgRes.ok || !imgRes.body) return img;
+          const ext = (img.url.split('.').pop()?.split('?')[0]) || 'png';
+          const key = `tmp/ai/${crypto.randomUUID()}.${ext}`;
+          await c.env.R2_UPLOADS.put(key, imgRes.body, {
+            httpMetadata: { contentType: img.mimeType || 'image/png' },
+          });
+          return { ...img, url: `/uploads/${key}` };
+        } catch {
+          return img;
+        }
+      })
+    );
   }
 
-  const res = await fetch(url, {
-    cf: { cacheTtl: 0 },  // Don't use CF cache for hub images (they may be temporary)
-  } as RequestInit);
-  if (!res.ok) return c.json({ error: `Upstream error: ${res.status}` }, res.status as any);
-
-  return new Response(res.body, {
-    headers: {
-      'Content-Type': res.headers.get('content-type') || 'image/png',
-      'Cache-Control': 'no-cache',  // AI generated images should not be cached by browser
-    },
-  });
+  return c.json(data, res.status as any);
 });
 
 // Health check

From 8a17a2e8c3ea743acca6d95f4229174beb145a26 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 22:45:11 +0800
Subject: [PATCH 07/21] fix: serve route supports nested paths (tmp/ai/*)

Changed /uploads/:filename to /uploads/* wildcard match so that
AI-generated temp images at /uploads/tmp/ai/xxx.png can be served.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/src/routes/serve.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cloudflare/src/routes/serve.ts b/cloudflare/src/routes/serve.ts
index 27a4909..8881073 100644
--- a/cloudflare/src/routes/serve.ts
+++ b/cloudflare/src/routes/serve.ts
@@ -9,8 +9,8 @@ export const fileServingRoutes = new Hono<HonoEnv>();
  * Production: images go through cf.image for EXIF stripping + resize.
  * Local dev: serve directly from R2 binding (no cf.image).
  */
-fileServingRoutes.get('/uploads/:filename', async (c) => {
-  const { filename } = c.req.param();
+fileServingRoutes.get('/uploads/*', async (c) => {
+  const filename = c.req.path.replace('/uploads/', '');
   const w = c.req.query('w');
   const h = c.req.query('h');
   const downloadName = c.req.query('filename');

From e39b19cdfc2f54ceba7a8bc706151c60cf6c90c0 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 23:00:23 +0800
Subject: [PATCH 08/21] refactor: replace @arcblock/ux and @arcblock/did shims
 with real packages

These packages are pure UI components with no Blocklet Server dependency,
so shims were unnecessary. Removed 13 shim files, keeping only 7 shims
for packages that truly depend on Blocklet Server runtime:

- @blocklet/js-sdk (createAxios)
- @blocklet/ui-react (Dashboard/Header/Footer/ComponentInstaller)
- @arcblock/did-connect-react (SessionProvider/ConnectButton)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/frontend/package.json              |   2 +
 cloudflare/frontend/src/shims/arcblock-did.ts |   8 -
 cloudflare/frontend/src/shims/arcblock-ux.tsx | 184 ------------------
 cloudflare/frontend/src/shims/ux-button.tsx   |   1 -
 cloudflare/frontend/src/shims/ux-center.tsx   |   1 -
 cloudflare/frontend/src/shims/ux-config.tsx   |   1 -
 cloudflare/frontend/src/shims/ux-dialog.tsx   |   1 -
 cloudflare/frontend/src/shims/ux-empty.tsx    |   1 -
 .../frontend/src/shims/ux-locale-context.tsx  |   1 -
 cloudflare/frontend/src/shims/ux-result.tsx   |   1 -
 .../frontend/src/shims/ux-split-button.tsx    |   1 -
 cloudflare/frontend/src/shims/ux-toast.tsx    |   7 -
 .../frontend/src/shims/ux-with-tracker.tsx    |   1 -
 cloudflare/frontend/vite.config.ts            |  14 +-
 pnpm-lock.yaml                                | 177 +++++++++++++++--
 15 files changed, 162 insertions(+), 239 deletions(-)
 delete mode 100644 cloudflare/frontend/src/shims/arcblock-did.ts
 delete mode 100644 cloudflare/frontend/src/shims/arcblock-ux.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-button.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-center.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-config.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-dialog.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-empty.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-locale-context.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-result.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-split-button.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-toast.tsx
 delete mode 100644 cloudflare/frontend/src/shims/ux-with-tracker.tsx

diff --git a/cloudflare/frontend/package.json b/cloudflare/frontend/package.json
index 23217d0..05c278d 100644
--- a/cloudflare/frontend/package.json
+++ b/cloudflare/frontend/package.json
@@ -9,6 +9,8 @@
     "preview": "vite preview"
   },
   "dependencies": {
+    "@arcblock/did": "^1.27.16",
+    "@arcblock/ux": "^3.3.9",
     "@emotion/react": "^11.14.0",
     "@emotion/styled": "^11.14.0",
     "@lottiefiles/react-lottie-player": "^3.5.4",
diff --git a/cloudflare/frontend/src/shims/arcblock-did.ts b/cloudflare/frontend/src/shims/arcblock-did.ts
deleted file mode 100644
index e27f99e..0000000
--- a/cloudflare/frontend/src/shims/arcblock-did.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-/**
- * Shim for @arcblock/did
- * Provides basic DID validation.
- */
-export function isValid(did: string): boolean {
-  if (!did || typeof did !== 'string') return false;
-  return /^z[1-9A-HJ-NP-Za-km-z]{20,50}$/.test(did) || did.startsWith('did:abt:');
-}
diff --git a/cloudflare/frontend/src/shims/arcblock-ux.tsx b/cloudflare/frontend/src/shims/arcblock-ux.tsx
deleted file mode 100644
index 4a5cc75..0000000
--- a/cloudflare/frontend/src/shims/arcblock-ux.tsx
+++ /dev/null
@@ -1,184 +0,0 @@
-/**
- * Shim for @arcblock/ux components
- * Provides minimal implementations of all used components.
- */
-import { createContext, useContext, useState, type ReactNode } from 'react';
-import { ThemeProvider, createTheme } from '@mui/material/styles';
-import MuiButton from '@mui/material/Button';
-import MuiDialog from '@mui/material/Dialog';
-import MuiDialogTitle from '@mui/material/DialogTitle';
-import MuiDialogContent from '@mui/material/DialogContent';
-import MuiDialogActions from '@mui/material/DialogActions';
-import Snackbar from '@mui/material/Snackbar';
-import Alert from '@mui/material/Alert';
-import Box from '@mui/material/Box';
-import Typography from '@mui/material/Typography';
-import CircularProgress from '@mui/material/CircularProgress';
-import ButtonGroup from '@mui/material/ButtonGroup';
-import Menu from '@mui/material/Menu';
-import MenuItem from '@mui/material/MenuItem';
-import ArrowDropDownIcon from '@mui/icons-material/ArrowDropDown';
-import { useRef } from 'react';
-
-// --- Toast ---
-let toastFn: ((msg: string, severity: 'success' | 'error' | 'info' | 'warning') => void) | null = null;
-
-export function ToastProvider({ children }: { children: ReactNode }) {
-  const [open, setOpen] = useState(false);
-  const [message, setMessage] = useState('');
-  const [severity, setSeverity] = useState<'success' | 'error' | 'info' | 'warning'>('success');
-
-  toastFn = (msg, sev) => {
-    setMessage(msg);
-    setSeverity(sev);
-    setOpen(true);
-  };
-
-  return (
-    <>
-      {children}
-      <Snackbar open={open} autoHideDuration={3000} onClose={() => setOpen(false)} anchorOrigin={{ vertical: 'top', horizontal: 'center' }}>
-        <Alert severity={severity} onClose={() => setOpen(false)}>
-          {message}
-        </Alert>
-      </Snackbar>
-    </>
-  );
-}
-
-export const Toast = {
-  success: (msg: string) => toastFn?.(msg, 'success'),
-  error: (msg: string) => toastFn?.(msg, 'error'),
-  info: (msg: string) => toastFn?.(msg, 'info'),
-  warning: (msg: string) => toastFn?.(msg, 'warning'),
-};
-
-// --- Center ---
-export function Center({ children, ...props }: any) {
-  return (
-    <Box display="flex" justifyContent="center" alignItems="center" minHeight="200px" {...props}>
-      {children || <CircularProgress />}
-    </Box>
-  );
-}
-
-// --- ConfigProvider ---
-const defaultTheme = createTheme();
-
-export function ConfigProvider({ children, translations, fallbackLocale, theme, injectFirst }: any) {
-  const muiTheme = theme ? createTheme(theme) : defaultTheme;
-  return (
-    <ThemeProvider theme={muiTheme}>
-      <LocaleProvider translations={translations} fallbackLocale={fallbackLocale}>
-        {children}
-      </LocaleProvider>
-    </ThemeProvider>
-  );
-}
-
-// --- Locale Context ---
-const LocaleContext = createContext<any>({ locale: 'en', t: (key: string, data?: any) => key, changeLocale: () => {} });
-
-function LocaleProvider({ children, translations, fallbackLocale }: any) {
-  const [locale, setLocale] = useState(fallbackLocale || 'en');
-
-  const t = (key: string, data?: any) => {
-    // Translations are pre-flattened (e.g. { 'common.buckets': 'Buckets' })
-    let val = translations?.[locale]?.[key];
-    if (val === undefined) {
-      val = translations?.[fallbackLocale || 'en']?.[key];
-    }
-    if (typeof val === 'string' && data) {
-      return Object.entries(data).reduce((s: string, [k, v]) => s.replace(`{${k}}`, String(v)), val);
-    }
-    return val || key;
-  };
-
-  return (
-    <LocaleContext.Provider value={{ locale, t, changeLocale: setLocale }}>
-      {children}
-    </LocaleContext.Provider>
-  );
-}
-
-export function useLocaleContext() {
-  return useContext(LocaleContext);
-}
-
-// --- withTracker ---
-export function withTracker(Component: any) {
-  return Component;
-}
-
-// --- Result ---
-export function Result({ status, title, extra }: any) {
-  return (
-    <Box sx={{ textAlign: 'center', py: 8 }}>
-      <Typography variant="h4" gutterBottom>{status}</Typography>
-      <Typography variant="body1" gutterBottom>{title}</Typography>
-      {extra && <Box sx={{ mt: 2 }}>{extra}</Box>}
-    </Box>
-  );
-}
-
-// --- Button (wraps MUI Button) ---
-export function Button(props: any) {
-  return <MuiButton {...props} />;
-}
-
-// --- SplitButton ---
-// Original API: <SplitButton menu={[{ children, onClick, disabled }]} onClick={...}>label</SplitButton>
-export function SplitButton({ children, menu, options, onClick, size, variant, color, ...rest }: any) {
-  const [anchorEl, setAnchorEl] = useState<null | HTMLElement>(null);
-  const items = menu || options || [];
-
-  return (
-    <>
-      <ButtonGroup variant={variant || 'outlined'} color={color} size={size} {...rest}>
-        <MuiButton onClick={onClick} size={size}>{children}</MuiButton>
-        <MuiButton size={size} onClick={(e) => setAnchorEl(e.currentTarget)}>
-          <ArrowDropDownIcon />
-        </MuiButton>
-      </ButtonGroup>
-      <Menu anchorEl={anchorEl} open={!!anchorEl} onClose={() => setAnchorEl(null)}>
-        {items.map((item: any, i: number) => (
-          <MenuItem
-            key={i}
-            disabled={item.disabled}
-            onClick={() => {
-              setAnchorEl(null);
-              item.onClick?.();
-            }}>
-            {item.children || item.label}
-          </MenuItem>
-        ))}
-      </Menu>
-    </>
-  );
-}
-
-// --- Confirm Dialog ---
-export function Confirm({ open, title, onConfirm, onCancel, children, ...props }: any) {
-  return (
-    <MuiDialog open={!!open} onClose={onCancel} {...props}>
-      {title && <MuiDialogTitle>{title}</MuiDialogTitle>}
-      <MuiDialogContent>{children}</MuiDialogContent>
-      <MuiDialogActions>
-        <MuiButton onClick={onCancel}>Cancel</MuiButton>
-        <MuiButton onClick={onConfirm} variant="contained" color="primary">Confirm</MuiButton>
-      </MuiDialogActions>
-    </MuiDialog>
-  );
-}
-
-// --- Empty ---
-export function Empty({ children, ...props }: any) {
-  return (
-    <Box sx={{ textAlign: 'center', py: 8, color: 'text.secondary' }} {...props}>
-      <Typography variant="body1">{children || 'No data'}</Typography>
-    </Box>
-  );
-}
-
-// Default export fallback for any unmatched import
-export default { Toast, ToastProvider, Center, ConfigProvider, useLocaleContext, withTracker, Result, Button, SplitButton, Confirm, Empty };
diff --git a/cloudflare/frontend/src/shims/ux-button.tsx b/cloudflare/frontend/src/shims/ux-button.tsx
deleted file mode 100644
index 9cefe9d..0000000
--- a/cloudflare/frontend/src/shims/ux-button.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { Button as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-center.tsx b/cloudflare/frontend/src/shims/ux-center.tsx
deleted file mode 100644
index 7cd3f9b..0000000
--- a/cloudflare/frontend/src/shims/ux-center.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { Center as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-config.tsx b/cloudflare/frontend/src/shims/ux-config.tsx
deleted file mode 100644
index daa1cf8..0000000
--- a/cloudflare/frontend/src/shims/ux-config.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { ConfigProvider as default, ConfigProvider } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-dialog.tsx b/cloudflare/frontend/src/shims/ux-dialog.tsx
deleted file mode 100644
index bbf6c5f..0000000
--- a/cloudflare/frontend/src/shims/ux-dialog.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { Confirm } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-empty.tsx b/cloudflare/frontend/src/shims/ux-empty.tsx
deleted file mode 100644
index d1c7b27..0000000
--- a/cloudflare/frontend/src/shims/ux-empty.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { Empty as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-locale-context.tsx b/cloudflare/frontend/src/shims/ux-locale-context.tsx
deleted file mode 100644
index 220614f..0000000
--- a/cloudflare/frontend/src/shims/ux-locale-context.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { useLocaleContext } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-result.tsx b/cloudflare/frontend/src/shims/ux-result.tsx
deleted file mode 100644
index 84fee36..0000000
--- a/cloudflare/frontend/src/shims/ux-result.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { Result as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-split-button.tsx b/cloudflare/frontend/src/shims/ux-split-button.tsx
deleted file mode 100644
index e7b7e05..0000000
--- a/cloudflare/frontend/src/shims/ux-split-button.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { SplitButton as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/src/shims/ux-toast.tsx b/cloudflare/frontend/src/shims/ux-toast.tsx
deleted file mode 100644
index 7b29983..0000000
--- a/cloudflare/frontend/src/shims/ux-toast.tsx
+++ /dev/null
@@ -1,7 +0,0 @@
-import { ToastProvider, Toast } from './arcblock-ux';
-
-// Default export is Toast (the object with success/error methods)
-// because actions.jsx does: import Toast from '@arcblock/ux/lib/Toast'
-// while app.jsx does: import { ToastProvider } from '@arcblock/ux/lib/Toast'
-export default Toast;
-export { ToastProvider, Toast };
diff --git a/cloudflare/frontend/src/shims/ux-with-tracker.tsx b/cloudflare/frontend/src/shims/ux-with-tracker.tsx
deleted file mode 100644
index 6f09975..0000000
--- a/cloudflare/frontend/src/shims/ux-with-tracker.tsx
+++ /dev/null
@@ -1 +0,0 @@
-export { withTracker as default } from './arcblock-ux';
diff --git a/cloudflare/frontend/vite.config.ts b/cloudflare/frontend/vite.config.ts
index bcfbea0..5452b5c 100644
--- a/cloudflare/frontend/vite.config.ts
+++ b/cloudflare/frontend/vite.config.ts
@@ -42,20 +42,10 @@ export default defineConfig({
       '@blocklet/ui-react/lib/Footer': join(shimDir, 'blocklet-ui-react-footer.tsx'),
       '@blocklet/ui-react/lib/ComponentInstaller': join(shimDir, 'blocklet-ui-react.tsx'),
 
-      // @arcblock/* shims (each needs its own file for correct default exports)
+      // @arcblock/did-connect-react shims (depends on Blocklet Server session API)
       '@arcblock/did-connect-react/lib/Session': join(shimDir, 'did-connect-react-session.tsx'),
       '@arcblock/did-connect-react/lib/Button': join(shimDir, 'did-connect-react-button.tsx'),
-      '@arcblock/ux/lib/Toast': join(shimDir, 'ux-toast.tsx'),
-      '@arcblock/ux/lib/Center': join(shimDir, 'ux-center.tsx'),
-      '@arcblock/ux/lib/Config': join(shimDir, 'ux-config.tsx'),
-      '@arcblock/ux/lib/withTracker': join(shimDir, 'ux-with-tracker.tsx'),
-      '@arcblock/ux/lib/Locale/context': join(shimDir, 'ux-locale-context.tsx'),
-      '@arcblock/ux/lib/Result': join(shimDir, 'ux-result.tsx'),
-      '@arcblock/ux/lib/Button': join(shimDir, 'ux-button.tsx'),
-      '@arcblock/ux/lib/SplitButton': join(shimDir, 'ux-split-button.tsx'),
-      '@arcblock/ux/lib/Dialog': join(shimDir, 'ux-dialog.tsx'),
-      '@arcblock/ux/lib/Empty': join(shimDir, 'ux-empty.tsx'),
-      '@arcblock/did': join(shimDir, 'arcblock-did.ts'),
+      // @arcblock/ux and @arcblock/did — use real packages (no Blocklet Server dependency)
 
       // Node.js polyfill
       path: 'path-browserify',
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0cc8942..6fe6dc3 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -276,6 +276,12 @@ importers:
 
   cloudflare/frontend:
     dependencies:
+      '@arcblock/did':
+        specifier: ^1.27.16
+        version: 1.27.16(encoding@0.1.13)
+      '@arcblock/ux':
+        specifier: ^3.3.9
+        version: 3.3.9(0b44bd2550fd96f4bd8c50e74bebcbda)
       '@emotion/react':
         specifier: ^11.14.0
         version: 11.14.0(@types/react@19.2.14)(react@19.1.0)
@@ -344,7 +350,7 @@ importers:
         version: 3.8.5(react@19.1.0)
       axios:
         specifier: ^1.7.0
-        version: 1.10.0
+        version: 1.10.0(debug@4.4.3)
       copy-to-clipboard:
         specifier: ^3.3.3
         version: 3.3.3
@@ -6862,7 +6868,7 @@ packages:
 
   glob@7.2.3:
     resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
-    deprecated: Glob versions prior to v9 are no longer supported
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   glob@8.1.0:
     resolution: {integrity: sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==}
@@ -9162,6 +9168,7 @@ packages:
   prebuild-install@7.1.3:
     resolution: {integrity: sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==}
     engines: {node: '>=10'}
+    deprecated: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
     hasBin: true
 
   prelude-ls@1.2.1:
@@ -10416,6 +10423,7 @@ packages:
   tar@6.2.1:
     resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==}
     engines: {node: '>=10'}
+    deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   taskkill@3.1.0:
     resolution: {integrity: sha512-5KcOFzPvd1nGFVrmB7H4+QAWVjYOf//+QTbOj0GpXbqtqbKGWVczG+rq6VhXAtdtlKLTs16NAmHRyF5vbggQ2w==}
@@ -12517,7 +12525,7 @@ snapshots:
       '@ocap/wallet': 1.27.16(encoding@0.1.13)
       debug: 4.4.3
       json-stable-stringify: 1.1.1
-      semver: 7.7.2
+      semver: 7.7.3
     transitivePeerDependencies:
       - encoding
       - supports-color
@@ -12600,6 +12608,88 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@arcblock/ux@3.3.9(0b44bd2550fd96f4bd8c50e74bebcbda)':
+    dependencies:
+      '@arcblock/bridge': 3.3.9
+      '@arcblock/did': 1.27.16(encoding@0.1.13)
+      '@arcblock/did-motif': 1.1.14
+      '@arcblock/icons': 3.3.9(react@19.1.0)
+      '@arcblock/nft-display': 3.3.9(encoding@0.1.13)
+      '@arcblock/react-hooks': 3.3.9
+      '@blocklet/js-sdk': 1.17.7(debug@4.4.3)(encoding@0.1.13)
+      '@blocklet/theme': 3.3.9
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@fontsource/roboto': 5.1.1
+      '@fontsource/ubuntu-mono': 5.2.6
+      '@iconify-icons/logos': 1.2.36
+      '@iconify-icons/material-symbols': 1.2.58
+      '@iconify-icons/mdi': 1.2.48
+      '@iconify-icons/tabler': 1.2.95
+      '@iconify/react': 5.2.1(react@19.1.0)
+      '@mui/icons-material': 7.1.2(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@mui/material': 7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      '@mui/utils': 7.3.5(@types/react@19.2.14)(react@19.1.0)
+      '@ocap/mcrypto': 1.27.16(encoding@0.1.13)
+      '@solana/qr-code-styling': 1.6.0
+      '@types/dompurify': 3.2.0
+      '@types/mui-datatables': 4.3.12(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      ahooks: 3.8.5(react@19.1.0)
+      awesome-phonenumber: 7.5.0
+      axios: 1.10.0(debug@4.4.3)
+      base64-url: 2.3.3
+      color-convert: 3.1.0
+      copy-to-clipboard: 3.3.3
+      d3-geo: 1.12.1
+      dayjs: 1.11.13
+      debug: 4.4.3
+      devices.css: 0.1.15
+      dompurify: 3.2.6
+      highlight.js: 11.11.1
+      iconify-icon: 1.0.8
+      iconify-icons-material-symbols-400: 0.0.1
+      is-svg: 4.4.0
+      js-cookie: 2.2.1
+      lodash: 4.17.21
+      mui-datatables: 4.3.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@mui/icons-material@7.1.2(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      notistack: 2.0.8(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      p-retry: 4.6.1
+      pako: 2.1.0
+      qrcode.react: 3.2.0(react@19.1.0)
+      react: 19.1.0
+      react-cookie-consent: 6.4.1(react@19.1.0)
+      react-error-boundary: 3.1.4(react@19.1.0)
+      react-ga4: 2.1.0
+      react-helmet: 6.1.0(react@19.1.0)
+      react-international-phone: 3.1.2(react@19.1.0)
+      react-intersection-observer: 8.34.0(react@19.1.0)
+      react-lottie-player: 1.5.6(react@19.1.0)
+      react-player: 1.15.3(react@19.1.0)
+      react-router-dom: 6.28.0(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      react-shadow: 19.1.0(prop-types@15.8.1)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      react-share: 5.2.2(react@19.1.0)
+      react-svg: 16.3.0(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      react-use: 17.6.0(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      rebound: 0.1.0
+      semver: 7.7.3
+      topojson-client: 3.1.0
+      type-fest: 4.41.0
+      validator: 13.15.15
+      versor: 0.0.4
+      webfontloader: 1.6.28
+      zustand: 5.0.5(@types/react@19.2.14)(immer@10.1.3)(react@19.1.0)
+    transitivePeerDependencies:
+      - '@emotion/server'
+      - '@mui/material-pigment-css'
+      - '@types/react'
+      - bluebird
+      - encoding
+      - immer
+      - prop-types
+      - react-dom
+      - supports-color
+      - use-sync-external-store
+
   '@arcblock/ux@3.3.9(f191a1a0ebeaec895783842648b902bd)':
     dependencies:
       '@arcblock/bridge': 3.3.9
@@ -15492,7 +15582,7 @@ snapshots:
   '@npmcli/fs@1.1.1':
     dependencies:
       '@gar/promisify': 1.1.3
-      semver: 7.7.2
+      semver: 7.7.3
     optional: true
 
   '@npmcli/move-file@1.1.2':
@@ -17043,7 +17133,7 @@ snapshots:
 
   '@types/bn.js@5.2.0':
     dependencies:
-      '@types/node': 20.17.9
+      '@types/node': 22.10.1
 
   '@types/body-parser@1.19.5':
     dependencies:
@@ -17112,7 +17202,7 @@ snapshots:
 
   '@types/hoist-non-react-statics@3.3.5':
     dependencies:
-      '@types/react': 18.3.12
+      '@types/react': 19.2.14
       hoist-non-react-statics: 3.3.2
 
   '@types/http-cache-semantics@4.0.4': {}
@@ -17174,10 +17264,10 @@ snapshots:
 
   '@types/mui-datatables@4.3.12(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
     dependencies:
-      '@emotion/react': 11.14.0(@types/react@18.3.12)(react@19.1.0)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0)
-      '@mui/material': 7.1.2(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
-      '@types/react': 18.3.12
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@mui/material': 7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      '@types/react': 19.2.14
       csstype: 3.1.2
     transitivePeerDependencies:
       - '@mui/material-pigment-css'
@@ -17198,7 +17288,6 @@ snapshots:
   '@types/node@22.10.1':
     dependencies:
       undici-types: 6.20.0
-    optional: true
 
   '@types/normalize-package-data@2.4.4': {}
 
@@ -18085,7 +18174,7 @@ snapshots:
 
   axios@1.10.0:
     dependencies:
-      follow-redirects: 1.15.9
+      follow-redirects: 1.15.9(debug@4.4.3)
       form-data: 4.0.2
       proxy-from-env: 1.1.0
     transitivePeerDependencies:
@@ -20506,8 +20595,6 @@ snapshots:
     dependencies:
       from2: 2.3.0
 
-  follow-redirects@1.15.9: {}
-
   follow-redirects@1.15.9(debug@4.3.7):
     optionalDependencies:
       debug: 4.3.7
@@ -22570,6 +22657,34 @@ snapshots:
     transitivePeerDependencies:
       - '@emotion/server'
 
+  mui-datatables@4.3.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@mui/icons-material@7.1.2(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
+    dependencies:
+      '@babel/runtime-corejs3': 7.26.0
+      '@emotion/cache': 11.14.0
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@mui/icons-material': 7.1.2(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+      '@mui/material': 7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      clsx: 1.2.1
+      lodash.assignwith: 4.2.0
+      lodash.clonedeep: 4.5.0
+      lodash.debounce: 4.0.8
+      lodash.find: 4.6.0
+      lodash.get: 4.4.2
+      lodash.isequal: 4.5.0
+      lodash.isundefined: 3.0.1
+      lodash.memoize: 4.1.2
+      lodash.merge: 4.6.2
+      prop-types: 15.8.1
+      react: 19.1.0
+      react-dnd: 11.1.3(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      react-dnd-html5-backend: 11.1.3
+      react-dom: 19.1.0(react@19.1.0)
+      react-sortable-tree-patch-react-17: 2.9.0(react-dnd@11.1.3(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      react-to-print: 2.15.1(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      tss-react: 3.7.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(react@19.1.0)
+    transitivePeerDependencies:
+      - '@emotion/server'
+
   multer@1.4.5-lts.1:
     dependencies:
       append-field: 1.0.0
@@ -22594,7 +22709,7 @@ snapshots:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.0
       css-tree: 1.1.3
-      csstype: 3.1.3
+      csstype: 3.2.3
       fastest-stable-stringify: 2.0.2
       inline-style-prefixer: 7.0.1
       react: 19.1.0
@@ -22636,7 +22751,7 @@ snapshots:
 
   node-abi@3.75.0:
     dependencies:
-      semver: 7.7.2
+      semver: 7.7.3
 
   node-addon-api@7.1.1: {}
 
@@ -22671,7 +22786,7 @@ snapshots:
       nopt: 5.0.0
       npmlog: 6.0.2
       rimraf: 3.0.2
-      semver: 7.7.2
+      semver: 7.7.3
       tar: 6.2.1
       which: 2.0.2
     transitivePeerDependencies:
@@ -22767,6 +22882,17 @@ snapshots:
       '@emotion/react': 11.14.0(@types/react@18.3.12)(react@19.1.0)
       '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.12)(react@19.1.0))(@types/react@18.3.12)(react@19.1.0)
 
+  notistack@2.0.8(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@mui/material@7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
+    dependencies:
+      '@mui/material': 7.1.2(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      clsx: 1.2.1
+      hoist-non-react-statics: 3.3.2
+      react: 19.1.0
+      react-dom: 19.1.0(react@19.1.0)
+    optionalDependencies:
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(@types/react@19.2.14)(react@19.1.0)
+
   npm-packlist@7.0.4:
     dependencies:
       ignore-walk: 6.0.5
@@ -25103,6 +25229,14 @@ snapshots:
       '@emotion/utils': 1.4.2
       react: 19.1.0
 
+  tss-react@3.7.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.1.0))(react@19.1.0):
+    dependencies:
+      '@emotion/cache': 11.14.0
+      '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.1.0)
+      '@emotion/serialize': 1.3.3
+      '@emotion/utils': 1.4.2
+      react: 19.1.0
+
   tsx@4.19.2:
     dependencies:
       esbuild: 0.23.1
@@ -25285,8 +25419,7 @@ snapshots:
 
   undici-types@6.19.8: {}
 
-  undici-types@6.20.0:
-    optional: true
+  undici-types@6.20.0: {}
 
   unique-filename@1.1.1:
     dependencies:
@@ -25837,6 +25970,12 @@ snapshots:
       immer: 10.1.3
       react: 19.1.0
 
+  zustand@5.0.5(@types/react@19.2.14)(immer@10.1.3)(react@19.1.0):
+    optionalDependencies:
+      '@types/react': 19.2.14
+      immer: 10.1.3
+      react: 19.1.0
+
   zx@7.2.3:
     dependencies:
       '@types/fs-extra': 11.0.4

From d8ad92b66c8bada2ef1c8de4818b1e0818843f76 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Tue, 17 Mar 2026 23:09:39 +0800
Subject: [PATCH 09/21] docs: update README to reflect current implementation

- Shims: clarify only @blocklet/* and did-connect-react need shims,
  @arcblock/ux and @arcblock/did use real packages
- Add AIGNE_HUB_URL to secrets documentation
- Add AI temp image cleanup (tmp/ai/, 24h) to architecture description
- Update environment differences table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cloudflare/README.md | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/cloudflare/README.md b/cloudflare/README.md
index 14638ef..3c4121a 100644
--- a/cloudflare/README.md
+++ b/cloudflare/README.md
@@ -67,8 +67,10 @@ wrangler secret put R2_SECRET_ACCESS_KEY
 # Cloudflare Account ID（Dashboard 右侧边栏可见）
 wrangler secret put CF_ACCOUNT_ID
 
-# AIGNE Hub API Key（AI Image 功能需要）
+# AIGNE Hub（AI Image 功能需要）
 wrangler secret put AIGNE_HUB_API_KEY
+# 可选：覆盖默认 AIGNE Hub URL（默认 https://hub.aigne.io）
+# wrangler secret put AIGNE_HUB_URL
 
 # 可选：Unsplash API
 wrangler secret put UNSPLASH_KEY
@@ -192,7 +194,7 @@ cloudflare/
       folders.ts          # 文件夹 CRUD
       status.ts           # Uploader 配置
       unsplash.ts         # Unsplash 代理
-      cleanup.ts          # 定时清理过期 session
+      cleanup.ts          # 定时清理过期 session + AI 临时图片（tmp/ai/，24h）
     middleware/auth.ts     # x-user-did 认证
     db/schema.ts           # Drizzle ORM 表定义
     utils/
@@ -208,7 +210,12 @@ cloudflare/
   scripts/migrate-data.ts  # SQLite → D1 迁移脚本
 ```
 
-前端源码复用 `blocklets/image-bin/src/`，通过 Vite alias 将 `@blocklet/*` 和 `@arcblock/*` 依赖替换为 `frontend/src/shims/` 中的轻量实现。
+前端源码复用 `blocklets/image-bin/src/`，通过 Vite alias 将依赖 Blocklet Server 运行时的包替换为 shim：
+- `@blocklet/js-sdk` → createAxios shim（标准 axios）
+- `@blocklet/ui-react` → Dashboard/Header/Footer/ComponentInstaller shim
+- `@arcblock/did-connect-react` → SessionProvider/ConnectButton shim
+
+`@arcblock/ux` 和 `@arcblock/did` 直接使用原包（纯 UI 组件，无 Blocklet Server 依赖）。
 
 ## 环境差异
 
@@ -218,4 +225,4 @@ cloudflare/
 | D1 数据库 | 本地 SQLite | 真实 D1 |
 | Presigned URL | proxy-put 代理（避免 CORS） | 直传 R2（需配 CORS） |
 | 文件服务 | R2 binding 直接读取 | cf.image EXIF 剥离 + 自动 WebP |
-| 图片生成 | 代理到 hub.aigne.io | 代理到 hub.aigne.io |
+| AI 图片生成 | 代理到 hub.aigne.io，临时缓存到 R2 tmp/ai/ | 同左，cron 每小时清理 24h 前的临时文件 |

From f730f7c9f44bae6243f4bcc4dbbb092575e6125b Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Wed, 18 Mar 2026 09:45:51 +0800
Subject: [PATCH 10/21] feat: hide resource tab in CF Workers mode

Resource tab is a Blocklet Server feature (browse installed component
resources) that has no equivalent in CF Workers. Added window.blocklet.
inCFWorkers flag to conditionally hide it. Blocklet version unaffected
(flag is undefined by default).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 blocklets/image-bin/src/contexts/upload.jsx | 3 ++-
 cloudflare/frontend/index.html              | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/blocklets/image-bin/src/contexts/upload.jsx b/blocklets/image-bin/src/contexts/upload.jsx
index 04e5bc7..897b1f2 100644
--- a/blocklets/image-bin/src/contexts/upload.jsx
+++ b/blocklets/image-bin/src/contexts/upload.jsx
@@ -29,7 +29,8 @@ function UploadProvider({ children, pageSize = 12, type = '' }) {
 
   const tabs = [
     { key: 'bucket', value: t('common.buckets') },
-    { key: 'resource', value: t('common.resources') },
+    // Resource tab not available in CF Workers mode
+    ...(!window.blocklet?.inCFWorkers ? [{ key: 'resource', value: t('common.resources') }] : []),
   ];
   const [tab, setTab] = useState('bucket');
 
diff --git a/cloudflare/frontend/index.html b/cloudflare/frontend/index.html
index 4347209..9e0a56e 100644
--- a/cloudflare/frontend/index.html
+++ b/cloudflare/frontend/index.html
@@ -15,6 +15,7 @@
         status: 'running',
         appUrl: window.location.origin,
         tenantMode: 'single',
+        inCFWorkers: true,
         did: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
         componentId: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
         CDN_HOST: '',

From a06be04ee20c7df9e62d13f41c81ed5f8ccd2a59 Mon Sep 17 00:00:00 2001
From: xiaofang <xiaofang@users.noreply.github.com>
Date: Mon, 23 Mar 2026 16:49:30 +0800
Subject: [PATCH 11/21] fix: ensure absolute upload URL for cross-origin
 compatibility

Updated the PresignedUploadPlugin to construct an absolute upload URL when the URL starts with a slash. This change ensures compatibility with cross-origin requests, particularly when using Cloudflare Workers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 packages/uploader/src/react/plugins/presigned-upload.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/uploader/src/react/plugins/presigned-upload.ts b/packages/uploader/src/react/plugins/presigned-upload.ts
index 9a32980..1fdcd9a 100644
--- a/packages/uploader/src/react/plugins/presigned-upload.ts
+++ b/packages/uploader/src/react/plugins/presigned-upload.ts
@@ -153,7 +153,11 @@ export default class PresignedUploadPlugin extends BasePlugin {
     }
 
     // Build result compatible with TUS flow — use the url from server response directly
-    const uploadURL = confirmData.url || `/uploads/${confirmData.filename}`;
+    let uploadURL = confirmData.url || `/uploads/${confirmData.filename}`;
+    // Ensure absolute URL for cross-origin compatibility (CF Workers proxy)
+    if (uploadURL.startsWith('/')) {
+      uploadURL = `${this.opts.apiBase || window.location.origin}${uploadURL}`;
+    }
 
     const result = {
       data: confirmData,

From e4935e3a8f5436d3e380afd0298012e93ec50177 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 10:34:36 +0800
Subject: [PATCH 12/21] feat(cloudflare): integrate DID service auth via
 service binding with prefix support

---
 cloudflare/frontend/index.html                |  22 +-
 cloudflare/frontend/src/api.ts                |   4 +-
 .../frontend/src/plugins/presigned-upload.ts  |   4 +-
 .../frontend/src/shims/blocklet-js-sdk.ts     |   3 +-
 .../src/shims/blocklet-ui-react-dashboard.tsx |   5 +-
 .../src/shims/blocklet-ui-react-header.tsx    |  70 ++++-
 .../src/shims/did-connect-react-session.tsx   | 119 ++++++--
 cloudflare/frontend/vite.config.ts            |   2 +
 .../src/__tests__/worker.integration.ts       |  61 +---
 cloudflare/src/middleware/auth.ts             | 107 ++++++-
 cloudflare/src/routes/status.ts               |   1 +
 cloudflare/src/types.ts                       |  37 ++-
 cloudflare/src/worker.ts                      | 272 +++++++++++++++++-
 cloudflare/wrangler.toml                      |  15 +-
 14 files changed, 595 insertions(+), 127 deletions(-)

diff --git a/cloudflare/frontend/index.html b/cloudflare/frontend/index.html
index 9e0a56e..70d4a07 100644
--- a/cloudflare/frontend/index.html
+++ b/cloudflare/frontend/index.html
@@ -5,29 +5,14 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Media Kit</title>
     <script>
-      // Must be set before any module loads — some modules read window.blocklet at top level
+      // Minimal defaults — overridden by /__blocklet__.js from AUTH_SERVICE
       window.blocklet = {
         prefix: '/',
         appName: 'Media Kit',
-        appDescription: 'Media asset management',
-        appLogo: '',
-        version: '1.0.0',
-        status: 'running',
         appUrl: window.location.origin,
-        tenantMode: 'single',
         inCFWorkers: true,
-        did: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
-        componentId: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
-        CDN_HOST: '',
-        UNSPLASH_KEY: '',
-        componentMountPoints: [{
-          title: 'Media Kit',
-          name: 'image-bin',
-          did: 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9',
-          version: '1.0.0',
-          status: 'running',
-          mountPoint: '/',
-        }],
+        cloudflareWorker: true,
+        componentMountPoints: [],
         preferences: {
           extsInput: '.jpeg,.png,.gif,.svg,.webp,.bmp,.ico',
           maxUploadSize: '500MB',
@@ -41,6 +26,7 @@
         ],
       };
     </script>
+    <script src="/__blocklet__.js"></script>
   </head>
   <body>
     <div id="root"></div>
diff --git a/cloudflare/frontend/src/api.ts b/cloudflare/frontend/src/api.ts
index fc58335..8a96df9 100644
--- a/cloudflare/frontend/src/api.ts
+++ b/cloudflare/frontend/src/api.ts
@@ -2,9 +2,7 @@ import axios from 'axios';
 
 const api = axios.create({
   timeout: 200000,
-  headers: {
-    'x-user-did': 'did:abt:default-uploader',
-  },
+  withCredentials: true, // send login_token cookie
 });
 
 export default api;
diff --git a/cloudflare/frontend/src/plugins/presigned-upload.ts b/cloudflare/frontend/src/plugins/presigned-upload.ts
index bef4fb2..efbb590 100644
--- a/cloudflare/frontend/src/plugins/presigned-upload.ts
+++ b/cloudflare/frontend/src/plugins/presigned-upload.ts
@@ -60,9 +60,9 @@ export default class DirectUploadPlugin extends BasePlugin {
     const result = await new Promise<any>((resolve, reject) => {
       xhr.open('POST', `${this.opts.apiBase}/uploads/direct`, true);
 
-      // Set auth headers
+      // Set custom headers (auth is handled via login_token cookie)
+      xhr.withCredentials = true;
       const headers = this.opts.headers || {};
-      headers['x-user-did'] = headers['x-user-did'] || 'did:abt:default-uploader';
       Object.entries(headers).forEach(([k, v]) => {
         if (k.toLowerCase() !== 'content-type') {
           xhr.setRequestHeader(k, v);
diff --git a/cloudflare/frontend/src/shims/blocklet-js-sdk.ts b/cloudflare/frontend/src/shims/blocklet-js-sdk.ts
index 8c6de26..bb26401 100644
--- a/cloudflare/frontend/src/shims/blocklet-js-sdk.ts
+++ b/cloudflare/frontend/src/shims/blocklet-js-sdk.ts
@@ -1,11 +1,12 @@
 /**
  * Shim for @blocklet/js-sdk
- * Replaces createAxios with standard axios.create
+ * Replaces createAxios with standard axios.create (with cookie credentials)
  */
 import axios from 'axios';
 
 export function createAxios(options?: { timeout?: number }) {
   return axios.create({
     timeout: options?.timeout || 200000,
+    withCredentials: true,
   });
 }
diff --git a/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx b/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx
index 9588f76..4dc9f2c 100644
--- a/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx
+++ b/cloudflare/frontend/src/shims/blocklet-ui-react-dashboard.tsx
@@ -1,9 +1,9 @@
 /**
  * Shim for @blocklet/ui-react/lib/Dashboard
- * Provides a simple layout wrapper + useAppInfo hook.
- * Must support className, styled() wrapping, and .dashboard-main class.
+ * Provides a simple layout wrapper with Header + content area.
  */
 import { createContext, useContext, forwardRef, type ReactNode } from 'react';
+import Header from './blocklet-ui-react-header';
 
 const AppInfoContext = createContext<any>({});
 
@@ -24,6 +24,7 @@ const Dashboard = forwardRef<HTMLDivElement, any>(({ children, className, id, ..
         className={className}
         style={{ display: 'flex', flexDirection: 'column', height: '100vh' }}
         {...rest}>
+        <Header sx={{ borderBottom: '1px solid #eee' }} />
         <div className="dashboard-main" style={{ flex: 1, overflowY: 'auto', padding: 24 }}>
           {children}
         </div>
diff --git a/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx b/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx
index 596e964..4c2acb8 100644
--- a/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx
+++ b/cloudflare/frontend/src/shims/blocklet-ui-react-header.tsx
@@ -1,19 +1,85 @@
 /**
  * Shim for @blocklet/ui-react/lib/Header
- * Simple app bar header.
+ * Shows app name + user avatar/logout when authenticated.
  */
+import { useState, useEffect } from 'react';
 import AppBar from '@mui/material/AppBar';
 import Toolbar from '@mui/material/Toolbar';
 import Typography from '@mui/material/Typography';
+import Box from '@mui/material/Box';
+import Avatar from '@mui/material/Avatar';
+import IconButton from '@mui/material/IconButton';
+import Menu from '@mui/material/Menu';
+import MenuItem from '@mui/material/MenuItem';
+import axios from 'axios';
+
+interface SessionUser {
+  did: string;
+  fullName?: string;
+  avatar?: string;
+  role?: string;
+}
 
 export default function Header(props: any) {
   const appName = (window as any).blocklet?.appName || 'Media Kit';
+  const [user, setUser] = useState<SessionUser | null>(null);
+  const [anchorEl, setAnchorEl] = useState<HTMLElement | null>(null);
+
+  useEffect(() => {
+    axios
+      .get('/.well-known/service/api/did/session', { withCredentials: true })
+      .then(({ data }) => {
+        if (data?.user) setUser(data.user);
+      })
+      .catch(() => {});
+  }, []);
+
+  const handleLogout = async () => {
+    setAnchorEl(null);
+    try {
+      await axios.get('/.well-known/service/api/did/logout', { withCredentials: true });
+    } catch {}
+    window.location.href = '/.well-known/service/login';
+  };
+
+  const initials = user?.fullName
+    ? user.fullName.charAt(0).toUpperCase()
+    : user?.did?.slice(-2) || '?';
+
   return (
-    <AppBar position="static" elevation={1} sx={{ bgcolor: 'background.paper', color: 'text.primary' }} {...props}>
+    <AppBar
+      position="static"
+      elevation={1}
+      sx={{ bgcolor: 'background.paper', color: 'text.primary' }}
+      {...props}>
       <Toolbar>
         <Typography variant="h6" sx={{ flexGrow: 1 }}>
           {appName}
         </Typography>
+        {user && (
+          <Box>
+            <IconButton onClick={(e) => setAnchorEl(e.currentTarget)} size="small">
+              <Avatar
+                src={user.avatar || undefined}
+                sx={{ width: 32, height: 32, fontSize: 14, bgcolor: 'primary.main' }}>
+                {initials}
+              </Avatar>
+            </IconButton>
+            <Menu
+              anchorEl={anchorEl}
+              open={!!anchorEl}
+              onClose={() => setAnchorEl(null)}
+              anchorOrigin={{ vertical: 'bottom', horizontal: 'right' }}
+              transformOrigin={{ vertical: 'top', horizontal: 'right' }}>
+              <MenuItem disabled sx={{ opacity: '1 !important' }}>
+                <Typography variant="body2" color="text.secondary">
+                  {user.fullName || user.did}
+                </Typography>
+              </MenuItem>
+              <MenuItem onClick={handleLogout}>Logout</MenuItem>
+            </Menu>
+          </Box>
+        )}
       </Toolbar>
     </AppBar>
   );
diff --git a/cloudflare/frontend/src/shims/did-connect-react-session.tsx b/cloudflare/frontend/src/shims/did-connect-react-session.tsx
index ae6de31..7b1c53f 100644
--- a/cloudflare/frontend/src/shims/did-connect-react-session.tsx
+++ b/cloudflare/frontend/src/shims/did-connect-react-session.tsx
@@ -1,30 +1,103 @@
 /**
  * Shim for @arcblock/did-connect-react/lib/Session
- * Provides a fake session context that always returns an authenticated admin user.
+ * Uses real DID Connect session with login_token cookie for HTTPS.
+ * Note: /.well-known/service/* paths are global (no prefix) — they're the auth service.
  */
-import { createContext, type ReactNode } from 'react';
-
-const defaultSession = {
-  session: {
-    user: {
-      did: 'did:abt:default-uploader',
-      role: 'admin',
-      fullName: 'Admin',
-      avatar: '',
-    },
-    token: 'fake-token',
-  },
-  loading: false,
-  error: null,
-  // Common session helpers that components might call
+import { createContext, useState, useEffect, useCallback, type ReactNode } from 'react';
+import axios from 'axios';
+
+interface SessionUser {
+  did: string;
+  role: string;
+  fullName: string;
+  avatar: string;
+}
+
+interface SessionState {
+  user: SessionUser | null;
+  loading: boolean;
+  error: Error | null;
+}
+
+const SessionContext = createContext<any>({
+  session: { user: null, loading: true, error: null },
   login: () => {},
   logout: () => {},
-};
+});
+
+function SessionProvider({
+  children,
+  serviceHost: _serviceHost,
+  protectedRoutes,
+}: {
+  children: ReactNode;
+  serviceHost?: string;
+  protectedRoutes?: string[];
+}) {
+  const [session, setSession] = useState<SessionState>({ user: null, loading: true, error: null });
+
+  const fetchSession = useCallback(async () => {
+    try {
+      const { data } = await axios.get('/.well-known/service/api/did/session', {
+        withCredentials: true,
+      });
+      const user = data?.user || null;
+      setSession({ user, loading: false, error: null });
+
+      // Redirect to login if on a protected route and not authenticated
+      if (!user && protectedRoutes?.length) {
+        const path = window.location.pathname;
+        const isProtected = protectedRoutes.some(
+          (r) => r.endsWith('*') ? path.startsWith(r.slice(0, -1)) : path === r
+        );
+        if (isProtected) {
+          const returnUrl = encodeURIComponent(path + window.location.search);
+          window.location.href = `/.well-known/service/login?return=${returnUrl}`;
+        }
+      }
+    } catch {
+      setSession({ user: null, loading: false, error: null });
+    }
+  }, [protectedRoutes]);
+
+  useEffect(() => {
+    fetchSession();
+  }, [fetchSession]);
+
+  const login = useCallback(() => {
+    const returnUrl = encodeURIComponent(window.location.pathname + window.location.search);
+    window.location.href = `/.well-known/service/login?return=${returnUrl}`;
+  }, []);
+
+  const logout = useCallback(async () => {
+    try {
+      await axios.get('/.well-known/service/api/did/logout', { withCredentials: true });
+    } catch {
+      // ignore
+    }
+    setSession({ user: null, loading: false, error: null });
+    window.location.href = '/.well-known/service/login';
+  }, []);
+
+  const value = {
+    session: { ...session, login, logout },
+    login,
+    logout,
+  };
 
-const SessionContext = createContext<any>(defaultSession);
+  // Don't render children until session is resolved — avoids flash of 403
+  if (session.loading) {
+    return (
+      <SessionContext.Provider value={value}>
+        <div style={{ display: 'flex', justifyContent: 'center', alignItems: 'center', height: '100vh' }}>
+          <div style={{ width: 32, height: 32, border: '3px solid #e0e0e0', borderTopColor: '#1dc1c7', borderRadius: '50%', animation: 'spin 0.8s linear infinite' }} />
+          <style>{`@keyframes spin { to { transform: rotate(360deg) } }`}</style>
+        </div>
+      </SessionContext.Provider>
+    );
+  }
 
-function SessionProvider({ children }: { children: ReactNode; serviceHost?: string; protectedRoutes?: string[] }) {
-  return <SessionContext.Provider value={defaultSession}>{children}</SessionContext.Provider>;
+  return <SessionContext.Provider value={value}>{children}</SessionContext.Provider>;
 }
 
 function SessionConsumer({ children }: { children: (session: any) => ReactNode }) {
@@ -33,7 +106,11 @@ function SessionConsumer({ children }: { children: (session: any) => ReactNode }
 
 function withSession(Component: any) {
   return function WrappedComponent(props: any) {
-    return <Component {...props} session={defaultSession} />;
+    return (
+      <SessionContext.Consumer>
+        {(ctx: any) => <Component {...props} session={ctx} />}
+      </SessionContext.Consumer>
+    );
   };
 }
 
diff --git a/cloudflare/frontend/vite.config.ts b/cloudflare/frontend/vite.config.ts
index 5452b5c..c312fee 100644
--- a/cloudflare/frontend/vite.config.ts
+++ b/cloudflare/frontend/vite.config.ts
@@ -20,6 +20,8 @@ export default defineConfig({
       '/api': 'http://localhost:8787',
       '/uploads': 'http://localhost:8787',
       '/health': 'http://localhost:8787',
+      '/__blocklet__.js': 'http://localhost:8787',
+      '/.well-known/service': 'http://localhost:8787',
     },
     fs: {
       strict: false,
diff --git a/cloudflare/src/__tests__/worker.integration.ts b/cloudflare/src/__tests__/worker.integration.ts
index 96cd2bf..f7da270 100644
--- a/cloudflare/src/__tests__/worker.integration.ts
+++ b/cloudflare/src/__tests__/worker.integration.ts
@@ -1,5 +1,5 @@
 import { describe, it, expect } from 'vitest';
-import { env, SELF } from 'cloudflare:test';
+import { SELF } from 'cloudflare:test';
 
 describe('Worker integration', () => {
   it('responds to health check', async () => {
@@ -32,59 +32,22 @@ describe('Worker integration', () => {
     expect(res.status).toBe(404);
   });
 
-  it('check endpoint returns exists:false for empty DB', async () => {
-    const res = await SELF.fetch('https://media-kit.test/api/uploads/check', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ size: 1024, ext: '.png' }),
-    });
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body.exists).toBe(false);
-  });
-
-  it('presign endpoint returns sessionId and presignedUrl', async () => {
-    const res = await SELF.fetch('https://media-kit.test/api/uploads/presign', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
-        originalname: 'test.png',
-        mimetype: 'image/png',
-        size: 1024,
-        ext: '.png',
-      }),
-    });
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body).toHaveProperty('sessionId');
-    // presignedUrl may fail without real R2 credentials, but sessionId should exist
-    expect(typeof body.sessionId).toBe('string');
-  });
-
-  it('list uploads returns paginated response', async () => {
+  it('auth-protected routes require authentication (no AUTH_SERVICE returns 503)', async () => {
+    // Without AUTH_SERVICE binding, auth middleware returns 503
     const res = await SELF.fetch('https://media-kit.test/api/uploads');
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body).toHaveProperty('uploads');
-    expect(body).toHaveProperty('folders');
-    expect(body).toHaveProperty('total');
-    expect(body).toHaveProperty('page');
-    expect(body).toHaveProperty('pageSize');
+    expect([401, 503]).toContain(res.status);
   });
 
-  it('auth middleware sets default DID', async () => {
-    const res = await SELF.fetch('https://media-kit.test/api/uploads');
+  it('returns __blocklet__.js with app metadata', async () => {
+    const res = await SELF.fetch('https://media-kit.test/__blocklet__.js?type=json');
     expect(res.status).toBe(200);
-    // If auth failed, we'd get 401/403
+    const body = await res.json() as any;
+    expect(body).toHaveProperty('appName');
+    expect(body.cloudflareWorker).toBe(true);
   });
 
-  it('admin routes reject non-admin users', async () => {
-    // Default DID is in ADMIN_DIDS, so it IS admin
-    // A different DID should be rejected
-    const res = await SELF.fetch('https://media-kit.test/api/uploads/some-id', {
-      method: 'DELETE',
-      headers: { 'x-user-did': 'did:abt:non-admin-user' },
-    });
-    expect(res.status).toBe(403);
+  it('DID auth proxy returns 503 without AUTH_SERVICE', async () => {
+    const res = await SELF.fetch('https://media-kit.test/api/did/session');
+    expect(res.status).toBe(503);
   });
 });
diff --git a/cloudflare/src/middleware/auth.ts b/cloudflare/src/middleware/auth.ts
index e370f5d..a448347 100644
--- a/cloudflare/src/middleware/auth.ts
+++ b/cloudflare/src/middleware/auth.ts
@@ -1,24 +1,101 @@
 import { Context, Next } from 'hono';
-import type { HonoEnv } from '../types';
+import type { HonoEnv, CallerIdentityDTO } from '../types';
 
-const DEFAULT_DID = 'did:abt:default-uploader';
+// === JWT identity cache — avoid repeated AUTH_SERVICE RPC for the same token ===
+const JWT_CACHE_MAX_SIZE = 1000;
+const JWT_CACHE_DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes fallback
+const jwtIdentityCache = new Map<string, { identity: CallerIdentityDTO; expiresAt: number }>();
+
+function getJwtExpiry(jwt: string): number | null {
+  try {
+    const parts = jwt.split('.');
+    if (parts.length !== 3) return null;
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const decoded = JSON.parse(atob(payload));
+    if (typeof decoded.exp === 'number') {
+      return decoded.exp * 1000;
+    }
+  } catch {
+    // Fall through — use default TTL
+  }
+  return null;
+}
+
+function getCachedIdentity(key: string): CallerIdentityDTO | null {
+  const entry = jwtIdentityCache.get(key);
+  if (!entry) return null;
+  if (Date.now() >= entry.expiresAt) {
+    jwtIdentityCache.delete(key);
+    return null;
+  }
+  return entry.identity;
+}
+
+function cacheIdentity(key: string, identity: CallerIdentityDTO): void {
+  if (jwtIdentityCache.size >= JWT_CACHE_MAX_SIZE) {
+    const firstKey = jwtIdentityCache.keys().next().value;
+    if (firstKey) jwtIdentityCache.delete(firstKey);
+  }
+  const expiresAt = getJwtExpiry(key) ?? Date.now() + JWT_CACHE_DEFAULT_TTL_MS;
+  jwtIdentityCache.set(key, { identity, expiresAt });
+}
+
+// Paths that must bypass auth (login/session/logout are handled by DID auth proxy)
+const AUTH_BYPASS_PREFIXES = ['/api/did/', '/api/uploader/'];
 
 /**
- * Auth middleware.
- *
- * TODO: replace with shijun's CF auth SDK.
- * When auth is ready, upload flow should go through Worker (not presigned URL direct upload)
- * to ensure every request is authenticated.
+ * Auth middleware — resolves caller identity via AUTH_SERVICE RPC (Service Binding to DID service).
+ * Extracts JWT from login_token cookie or Authorization header, calls resolveIdentity,
+ * and sets user context for downstream handlers.
  */
 export async function authMiddleware(c: Context<HonoEnv>, next: Next) {
-  const userId = c.req.header('x-user-did') || DEFAULT_DID;
-  const adminDids = (c.env.ADMIN_DIDS || DEFAULT_DID).split(',').map((s) => s.trim());
-  const isAdmin = adminDids.includes(userId);
-
-  c.set('user', {
-    id: userId,
-    role: isAdmin ? 'admin' : 'member',
-  });
+  // Skip auth for DID login/session routes (they're proxied to AUTH_SERVICE directly)
+  const path = new URL(c.req.url).pathname;
+  if (AUTH_BYPASS_PREFIXES.some((p) => path.startsWith(p))) {
+    return next();
+  }
+
+  const authService = c.env.AUTH_SERVICE;
+  if (!authService || typeof authService.resolveIdentity !== 'function') {
+    // AUTH_SERVICE not configured — reject request
+    return c.json({ error: 'Authentication service not available' }, 503);
+  }
+
+  try {
+    const cookieHeader = c.req.header('Cookie') || '';
+    const match = cookieHeader.match(/(?:^|;\s*)login_token=([^;]*)/);
+    const jwt = match ? decodeURIComponent(match[1]) : null;
+    const authHeader = c.req.header('Authorization') || null;
+
+    // Try cache first
+    const cacheKey = jwt || authHeader;
+    let caller: CallerIdentityDTO | null = null;
+    if (cacheKey) {
+      caller = getCachedIdentity(cacheKey);
+    }
+
+    if (!caller) {
+      caller = await authService.resolveIdentity(jwt, authHeader, c.env.APP_PID);
+      if (caller && cacheKey) {
+        cacheIdentity(cacheKey, caller);
+      }
+    }
+
+    if (!caller) {
+      return c.json({ error: 'Unauthorized' }, 401);
+    }
+
+    // Map caller identity to UserContext — role comes entirely from AUTH_SERVICE
+    const role = caller.role === 'owner' || caller.role === 'admin' ? 'admin' : caller.role || 'member';
+
+    c.set('user', {
+      id: caller.did,
+      role,
+    });
+  } catch (e: any) {
+    console.error('[Auth] resolveIdentity error:', e?.message || e);
+    return c.json({ error: 'Authentication failed' }, 401);
+  }
 
   return next();
 }
diff --git a/cloudflare/src/routes/status.ts b/cloudflare/src/routes/status.ts
index 7b98697..7b8638e 100644
--- a/cloudflare/src/routes/status.ts
+++ b/cloudflare/src/routes/status.ts
@@ -22,6 +22,7 @@ statusRoutes.get('/uploader/status', async (c) => {
     },
     availablePluginMap: {
       Uploaded: true,
+      Resources: false,
       ...(isUnsplashEnabled ? { Unsplash: true } : {}),
       ...(isAiImageEnabled ? { AIImage: true } : {}),
     },
diff --git a/cloudflare/src/types.ts b/cloudflare/src/types.ts
index 8af69fd..088ef3d 100644
--- a/cloudflare/src/types.ts
+++ b/cloudflare/src/types.ts
@@ -1,5 +1,16 @@
 import type { DrizzleD1Database } from 'drizzle-orm/d1';
 
+export interface CallerIdentityDTO {
+  did: string;
+  pk: string;
+  displayName: string;
+  avatar: string;
+  role: 'owner' | 'admin' | 'member' | 'guest';
+  authMethod: 'passkey' | 'did-connect' | 'access-key' | 'oauth' | 'email';
+  accessKeyId?: string;
+  approved: boolean;
+}
+
 export interface Env {
   // D1 Database
   DB: D1Database;
@@ -16,7 +27,29 @@ export interface Env {
   MAX_UPLOAD_SIZE: string;
   ALLOWED_FILE_TYPES: string;
   USE_AI_IMAGE: string;
-  ADMIN_DIDS: string;
+  // App identity
+  APP_SK: string;    // 64-byte hex secret key — used to register & derive instance DID
+  APP_NAME: string;
+  APP_PID: string;   // Derived from APP_SK after registerApp; can also be set explicitly
+  APP_PREFIX: string; // Mount prefix (e.g. '/media-kit') — empty or '/' means root
+  // Auth Service (DID Connect via Service Binding)
+  AUTH_SERVICE: {
+    fetch: (request: Request | string) => Promise<Response>;
+    resolveIdentity: (
+      jwt: string | null,
+      authorizationHeader: string | null,
+      instanceDid?: string
+    ) => Promise<CallerIdentityDTO | null>;
+    verify: (jwt: string) => Promise<CallerIdentityDTO | null>;
+    verifyFull: (jwt: string) => Promise<CallerIdentityDTO | null>;
+    registerApp: (config: {
+      instanceDid: string;
+      appSk: string;
+      appPsk?: string;
+      appName?: string;
+      appDescription?: string;
+    }) => Promise<{ instanceDid: string }>;
+  };
   // Unsplash
   UNSPLASH_KEY: string;
   UNSPLASH_SECRET: string;
@@ -34,7 +67,7 @@ export interface ConfirmQueueMessage {
 
 export interface UserContext {
   id: string;
-  role: 'admin' | 'member';
+  role: 'owner' | 'admin' | 'member' | 'guest';
 }
 
 // Hono env bindings
diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index ba999c9..b1648d4 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -12,9 +12,70 @@ import { cleanupExpiredSessions } from './routes/cleanup';
 
 const app = new Hono<HonoEnv>();
 
-// Global middleware
-// TODO: restrict CORS origin to actual deployment domain when auth is implemented
-app.use('*', cors());
+// Prefix strip middleware — allows mounting at a sub-path (e.g. /media-kit/)
+// When APP_PREFIX is set, requests to /media-kit/* are internally rewritten to /*
+// and X-Mount-Prefix is set so __blocklet__.js and HTML rewriting work correctly.
+app.use('*', async (c, next) => {
+  const prefix = c.env.APP_PREFIX;
+  if (!prefix || prefix === '/') return next();
+
+  const pfx = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
+  const url = new URL(c.req.url);
+  if (url.pathname.startsWith(pfx + '/') || url.pathname === pfx) {
+    // Strip prefix and rewrite URL
+    const newPath = url.pathname.slice(pfx.length) || '/';
+    url.pathname = newPath;
+    const newReq = new Request(url.toString(), c.req.raw);
+    newReq.headers.set('X-Mount-Prefix', pfx + '/');
+    // Replace the raw request so downstream sees the stripped path
+    return app.fetch(newReq, c.env);
+  }
+
+  return next();
+});
+
+// Root path redirect: logged in → /media-kit/admin, not logged in → login
+// /.well-known/service/* is global (no prefix) — it's the auth service
+app.get('/', async (c) => {
+  const pfx = c.env.APP_PREFIX || '';
+  const loginUrl = '/.well-known/service/login';
+  const adminUrl = `${pfx}/admin`;
+
+  const authService = c.env.AUTH_SERVICE;
+  if (!authService || typeof authService.resolveIdentity !== 'function') {
+    return c.redirect(loginUrl);
+  }
+
+  const cookieHeader = c.req.header('Cookie') || '';
+  const match = cookieHeader.match(/(?:^|;\s*)login_token=([^;]*)/);
+  const jwt = match ? decodeURIComponent(match[1]) : null;
+  if (!jwt) {
+    return c.redirect(loginUrl);
+  }
+
+  try {
+    const caller = await authService.resolveIdentity(jwt, null, c.env.APP_PID);
+    if (caller) {
+      return c.redirect(adminUrl);
+    }
+  } catch {}
+
+  return c.redirect(loginUrl);
+});
+
+// Global middleware — CORS restricted to deployment origin
+app.use(
+  '*',
+  cors({
+    origin: (origin) => {
+      // Auth is enforced by AUTH_SERVICE — CORS allows same-origin requests with credentials
+      return origin || '';
+    },
+    credentials: true,
+    allowHeaders: ['Content-Type', 'Authorization'],
+    allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+  })
+);
 // TODO: D1 write consistency — When Drizzle ORM adds support for D1's withSession API,
 // wrap write-path requests with `c.env.DB.withSession("first-primary")` to ensure
 // read-after-write consistency. Without this, D1 replicas may serve stale reads
@@ -25,14 +86,170 @@ app.use('*', async (c, next) => {
   return next();
 });
 
+// Auto-register instance in DID service on first request
+let registeredInstanceDid: string | null = null;
+
+async function ensureRegistered(env: Env): Promise<string> {
+  if (registeredInstanceDid) return registeredInstanceDid;
+  if (!env.AUTH_SERVICE || !env.APP_SK) {
+    return env.APP_PID || '';
+  }
+  try {
+    const result = await env.AUTH_SERVICE.registerApp({
+      instanceDid: 'auto',
+      appSk: env.APP_SK,
+      appName: env.APP_NAME || 'Media Kit',
+      appDescription: 'Media asset management',
+    });
+    registeredInstanceDid = result.instanceDid;
+    console.log(`[media-kit] Registered as instance: ${registeredInstanceDid}`);
+    return registeredInstanceDid;
+  } catch (e: any) {
+    console.error('[media-kit] registerApp failed:', e?.message || e);
+    return env.APP_PID || '';
+  }
+}
+
+// Resolve instance DID on every request (cached after first call)
+app.use('*', async (c, next) => {
+  const instanceDid = await ensureRegistered(c.env);
+  if (instanceDid) {
+    // Override APP_PID with the derived instance DID
+    (c.env as any).APP_PID = instanceDid;
+  }
+  return next();
+});
+
+// DID Auth login/session routes — proxy to AUTH_SERVICE (blocklet-service)
+const DID_AUTH_PROXY_PATHS = [
+  '/api/did/login/',
+  '/api/did/session',
+  '/api/did/refreshSession',
+  '/api/did/connect/',
+  '/api/did/logout',
+];
+
+app.all('/api/did/*', async (c) => {
+  const path = new URL(c.req.url).pathname;
+  const shouldProxy = DID_AUTH_PROXY_PATHS.some((p) => path.startsWith(p) || path === p);
+  if (!shouldProxy) {
+    return c.json({ error: 'Not Found' }, 404);
+  }
+  if (!c.env.AUTH_SERVICE) {
+    return c.json({ error: 'AUTH_SERVICE not configured' }, 503);
+  }
+  const url = new URL(c.req.url);
+  url.pathname = `/.well-known/service${url.pathname}`;
+  const req = new Request(url.toString(), c.req.raw);
+  if (c.env.APP_PID) {
+    req.headers.set('X-Instance-Did', c.env.APP_PID);
+  }
+  const resp = await c.env.AUTH_SERVICE.fetch(req);
+  return new Response(resp.body, { status: resp.status, statusText: resp.statusText, headers: new Headers(resp.headers) });
+});
+
+// Proxy all /.well-known/service/* to AUTH_SERVICE (login page, session API, admin, etc.)
+app.all('/.well-known/service/*', async (c) => {
+  if (!c.env.AUTH_SERVICE) {
+    return c.json({ error: 'AUTH_SERVICE not configured' }, 503);
+  }
+  const req = new Request(c.req.url, c.req.raw);
+  if (c.env.APP_PID) {
+    req.headers.set('X-Instance-Did', c.env.APP_PID);
+    req.headers.set('X-Arc-Domain', new URL(c.req.url).host);
+  }
+  const resp = await c.env.AUTH_SERVICE.fetch(req);
+  return new Response(resp.body, { status: resp.status, statusText: resp.statusText, headers: new Headers(resp.headers) });
+});
+
+// Media Kit component DID (used by uploader to detect media-kit)
+const MEDIA_KIT_COMPONENT_DID = 'z8ia1mAXo8ZE7ytGF36L5uBf9kD2kenhqFGp9';
+
+// __blocklet__.js — app metadata for frontend SessionProvider
+app.get('/__blocklet__.js', async (c) => {
+  const isJson = new URL(c.req.url).searchParams.get('type') === 'json';
+  const requestOrigin = new URL(c.req.url).origin;
+  const mountPrefix = c.req.header('X-Mount-Prefix') || '/';
+  const defaultPreferences = {
+    extsInput: c.env.ALLOWED_FILE_TYPES || '.jpeg,.png,.gif,.svg,.webp,.bmp,.ico',
+    maxUploadSize: c.env.MAX_UPLOAD_SIZE || '500MB',
+    useAiImage: c.env.USE_AI_IMAGE === 'true',
+  };
+  const data: Record<string, unknown> = {
+    appPid: c.env.APP_PID || '',
+    appName: c.env.APP_NAME || 'Media Kit',
+    appUrl: requestOrigin,
+    prefix: mountPrefix,
+    groupPrefix: mountPrefix,
+    cloudflareWorker: true,
+          inCFWorkers: true,
+    componentId: MEDIA_KIT_COMPONENT_DID,
+    preferences: defaultPreferences,
+    componentMountPoints: [{
+      title: 'Media Kit',
+      name: 'image-bin',
+      did: MEDIA_KIT_COMPONENT_DID,
+      version: '1.0.0',
+      status: 'running',
+      mountPoint: mountPrefix,
+    }],
+  };
+
+  // Merge auth service metadata (appPid, appUrl, DID, theme, etc.)
+  if (c.env.AUTH_SERVICE) {
+    try {
+      const url = new URL(c.req.url);
+      url.pathname = '/__blocklet__.js';
+      url.searchParams.set('type', 'json');
+      const blockletReq = new Request(url.toString(), c.req.raw);
+      if (c.env.APP_PID) blockletReq.headers.set('X-Instance-Did', c.env.APP_PID);
+      const resp = await c.env.AUTH_SERVICE.fetch(blockletReq);
+      if (resp.ok) {
+        const authData = (await resp.json()) as Record<string, unknown>;
+        const authPreferences = authData.preferences as Record<string, unknown> | undefined;
+        Object.assign(data, authData, {
+          appName: c.env.APP_NAME || authData.appName || 'Media Kit',
+          appUrl: requestOrigin,
+          prefix: mountPrefix,
+          groupPrefix: mountPrefix,
+          cloudflareWorker: true,
+          inCFWorkers: true,
+          componentId: MEDIA_KIT_COMPONENT_DID,
+          preferences: { ...defaultPreferences, ...authPreferences },
+          // Ensure media-kit component is always present
+          componentMountPoints: [
+            ...((authData.componentMountPoints as any[]) || []),
+            {
+              title: 'Media Kit',
+              name: 'image-bin',
+              did: MEDIA_KIT_COMPONENT_DID,
+              version: '1.0.0',
+              status: 'running',
+              mountPoint: mountPrefix,
+            },
+          ],
+        });
+      }
+    } catch (e: any) {
+      console.error('[__blocklet__.js] AUTH_SERVICE fetch error:', e?.message || e);
+    }
+  }
+
+  if (isJson) {
+    return c.json(data);
+  }
+  return c.text(`window.blocklet = ${JSON.stringify(data)};`, 200, {
+    'Content-Type': 'application/javascript',
+  });
+});
+
 // File serving (no auth required for public files, EXIF stripped)
 app.route('/', fileServingRoutes);
 
 // Status endpoint (no auth)
 app.route('/api', statusRoutes);
 
-// Auth-protected routes
-// TODO: replace x-user-did header auth with shijun's CF auth SDK when ready
+// Auth-protected routes (via AUTH_SERVICE RPC)
 app.use('/api/*', authMiddleware);
 app.route('/api', uploadRoutes);
 app.route('/api', folderRoutes);
@@ -115,18 +332,55 @@ app.post('/api/image/generations', async (c) => {
 // Health check
 app.get('/health', (c) => c.json({ status: 'ok', version: '1.0.0' }));
 
-// SPA fallback — non-API routes return index.html for client-side routing
+// SPA fallback — non-API routes return index.html with prefix-aware asset rewriting
 app.notFound(async (c) => {
   const path = new URL(c.req.url).pathname;
   if (path.startsWith('/api/') || path.startsWith('/health')) {
     return c.json({ error: 'Not Found' }, 404);
   }
+
+  const assets = (c.env as any).ASSETS;
+  if (!assets) {
+    return c.json({ error: 'Not Found' }, 404);
+  }
+
+  // Rewrite HTML for mount prefix support + inject __blocklet__.js
+  const rewriteHtml = async (htmlResponse: Response) => {
+    if (!htmlResponse.headers.get('content-type')?.includes('text/html')) return htmlResponse;
+    let html = await htmlResponse.text();
+    const mountPrefix = c.req.header('X-Mount-Prefix');
+    if (mountPrefix && mountPrefix !== '/') {
+      const pfx = mountPrefix.endsWith('/') ? mountPrefix.slice(0, -1) : mountPrefix;
+      // Rewrite all absolute asset/src paths in HTML attributes
+      html = html.replace(/((?:src|href)=["'])\/(assets|src)\//g, `$1${pfx}/$2/`);
+      // Rewrite __blocklet__.js script tag
+      html = html.replace(/(<script[^>]*src=["'])\/__blocklet__\.js(["'])/g, `$1${pfx}/__blocklet__.js$2`);
+    }
+    return new Response(html, {
+      status: htmlResponse.status,
+      headers: { ...Object.fromEntries(htmlResponse.headers.entries()), 'Cache-Control': 'no-cache' },
+    });
+  };
+
   try {
-    const assets = (c.env as any).ASSETS;
-    if (assets) {
-      return assets.fetch(new Request(new URL('/', c.req.url)));
+    // Try exact asset first
+    const assetResponse = await assets.fetch(c.req.raw);
+    if (assetResponse.status !== 404) {
+      if (assetResponse.headers.get('content-type')?.includes('text/html')) {
+        return rewriteHtml(assetResponse);
+      }
+      return assetResponse;
     }
   } catch {}
+
+  // Fall back to index.html for SPA routing
+  try {
+    const url = new URL(c.req.url);
+    url.pathname = '/index.html';
+    const htmlResponse = await assets.fetch(new Request(url.toString(), c.req.raw));
+    return rewriteHtml(htmlResponse);
+  } catch {}
+
   return c.json({ error: 'Not Found' }, 404);
 });
 
diff --git a/cloudflare/wrangler.toml b/cloudflare/wrangler.toml
index 13bbf28..f4305d2 100644
--- a/cloudflare/wrangler.toml
+++ b/cloudflare/wrangler.toml
@@ -6,7 +6,8 @@ compatibility_flags = ["nodejs_compat"]
 # Serve frontend static assets (vite build output)
 [assets]
 directory = "./public"
-not_found_handling = "single-page-application"
+not_found_handling = "none"
+html_handling = "none"
 binding = "ASSETS"
 
 [vars]
@@ -14,9 +15,16 @@ ENVIRONMENT = "production"
 MAX_UPLOAD_SIZE = "500MB"
 ALLOWED_FILE_TYPES = ".jpeg,.png,.gif,.svg,.webp,.bmp,.ico"
 USE_AI_IMAGE = "true"
-ADMIN_DIDS = "did:abt:default-uploader"
+APP_NAME = "Media Kit"
+APP_PREFIX = "/media-kit"
 AIGNE_HUB_URL = "https://hub.aigne.io"
 
+# Service Binding to DID Connect Auth Worker (blocklet-service)
+[[services]]
+binding = "AUTH_SERVICE"
+service = "blocklet-service"
+entrypoint = "BlockletServiceRPC"
+
 [[r2_buckets]]
 binding = "R2_UPLOADS"
 bucket_name = "media-kit-uploads"
@@ -31,6 +39,7 @@ migrations_dir = "migrations"
 crons = ["0 * * * *"]
 
 # Secrets (wrangler secret put):
+# APP_SK (64-byte hex secret key — used to auto-register instance in DID service)
 # R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY
 # R2_ORIGIN_DOMAIN (R2 public domain, restricted by IP Access Rule)
 # UNSPLASH_KEY, UNSPLASH_SECRET
@@ -42,4 +51,4 @@ crons = ["0 * * * *"]
 name = "media-kit-staging"
 [env.staging.vars]
 ENVIRONMENT = "staging"
-ADMIN_DIDS = "did:abt:default-uploader"
+APP_NAME = "Media Kit (Staging)"

From b5e1d8db3b272a3cdedadda3cdde1ce03e1b3260 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 10:39:12 +0800
Subject: [PATCH 13/21] fix(cloudflare): redirect to login instead of showing
 403 for unauthenticated users

---
 .../src/shims/did-connect-react-session.tsx    | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/cloudflare/frontend/src/shims/did-connect-react-session.tsx b/cloudflare/frontend/src/shims/did-connect-react-session.tsx
index 7b1c53f..81a9b32 100644
--- a/cloudflare/frontend/src/shims/did-connect-react-session.tsx
+++ b/cloudflare/frontend/src/shims/did-connect-react-session.tsx
@@ -44,19 +44,15 @@ function SessionProvider({
       const user = data?.user || null;
       setSession({ user, loading: false, error: null });
 
-      // Redirect to login if on a protected route and not authenticated
-      if (!user && protectedRoutes?.length) {
-        const path = window.location.pathname;
-        const isProtected = protectedRoutes.some(
-          (r) => r.endsWith('*') ? path.startsWith(r.slice(0, -1)) : path === r
-        );
-        if (isProtected) {
-          const returnUrl = encodeURIComponent(path + window.location.search);
-          window.location.href = `/.well-known/service/login?return=${returnUrl}`;
-        }
+      // Not authenticated — redirect to login
+      if (!user) {
+        const returnUrl = encodeURIComponent(window.location.pathname + window.location.search);
+        window.location.href = `/.well-known/service/login?return=${returnUrl}`;
       }
     } catch {
-      setSession({ user: null, loading: false, error: null });
+      // Session fetch failed — redirect to login
+      const returnUrl = encodeURIComponent(window.location.pathname + window.location.search);
+      window.location.href = `/.well-known/service/login?return=${returnUrl}`;
     }
   }, [protectedRoutes]);
 

From b341c159c4034a03b5d71efa0363033cdf210c23 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 10:40:36 +0800
Subject: [PATCH 14/21] docs(cloudflare): update README with auth integration,
 prefix support and merge checklist

---
 cloudflare/README.md | 104 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 92 insertions(+), 12 deletions(-)

diff --git a/cloudflare/README.md b/cloudflare/README.md
index 3c4121a..a4a368b 100644
--- a/cloudflare/README.md
+++ b/cloudflare/README.md
@@ -6,6 +6,7 @@
 - pnpm
 - Cloudflare 账号（免费即可）
 - Wrangler CLI：`npm install -g wrangler`
+- DID service（blocklet-service）已部署为 CF Worker
 
 ## 一次性初始化（首次部署）
 
@@ -60,6 +61,10 @@ Dashboard → R2 → 管理 R2 API 令牌 → 创建 API 令牌：
 ```bash
 cd cloudflare
 
+# APP_SK — 用于在 DID service 中注册 instance（自动派生 instance DID）
+# 生成方法：node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+wrangler secret put APP_SK
+
 # R2 凭证
 wrangler secret put R2_ACCESS_KEY_ID
 wrangler secret put R2_SECRET_ACCESS_KEY
@@ -69,8 +74,6 @@ wrangler secret put CF_ACCOUNT_ID
 
 # AIGNE Hub（AI Image 功能需要）
 wrangler secret put AIGNE_HUB_API_KEY
-# 可选：覆盖默认 AIGNE Hub URL（默认 https://hub.aigne.io）
-# wrangler secret put AIGNE_HUB_URL
 
 # 可选：Unsplash API
 wrangler secret put UNSPLASH_KEY
@@ -100,6 +103,76 @@ cd cloudflare && wrangler deploy           # 部署 Worker + 静态资源
 
 部署后访问 `https://media-kit.<your-subdomain>.workers.dev`
 
+## 认证架构
+
+Media Kit 通过 CF Service Binding 对接 DID service（blocklet-service）进行用户认证。
+
+```
+用户请求（带 login_token cookie）
+    ↓
+media-kit Worker
+    ↓ AUTH_SERVICE.resolveIdentity(jwt, authHeader, instanceDid)
+blocklet-service Worker（Service Binding，零网络延迟）
+    ↓ 返回 { did, role, displayName }
+media-kit 设置 user context → 处理请求
+```
+
+### 关键配置
+
+```toml
+# wrangler.toml
+
+# Service Binding 到 DID service
+[[services]]
+binding = "AUTH_SERVICE"
+service = "blocklet-service"
+entrypoint = "BlockletServiceRPC"
+```
+
+### 自动注册
+
+Worker 首次启动时通过 `AUTH_SERVICE.registerApp()` 自动注册 instance：
+- 从 `APP_SK`（secret）派生 instance DID
+- 无需手动配置 `APP_PID` — 自动从 APP_SK 生成
+
+### 认证流程
+
+1. 用户访问 `/` → 未登录时 302 到 `/.well-known/service/login`
+2. DID service 提供登录页（passkey / wallet / email）
+3. 登录成功 → 设置 `login_token` cookie → 重定向回 media-kit
+4. media-kit auth middleware 从 cookie 提取 JWT → 调用 `AUTH_SERVICE.resolveIdentity()` 验证
+5. JWT 验证结果缓存 5 分钟（避免重复 RPC 调用）
+
+### 路由代理
+
+| 路径 | 处理方式 |
+|------|---------|
+| `/.well-known/service/*` | 代理到 AUTH_SERVICE（登录页、session API、管理后台） |
+| `/api/did/*` | 代理到 AUTH_SERVICE（login/session/logout） |
+| `/__blocklet__.js` | Worker 生成（合并 AUTH_SERVICE 元数据） |
+| `/api/uploader/status` | 无需认证 — 返回 uploader 配置 |
+| `/api/*`（其他） | 需要认证 |
+
+## Prefix 支持
+
+Media Kit 支持挂载在子路径下运行，通过 `APP_PREFIX` 环境变量配置：
+
+```toml
+# wrangler.toml
+[vars]
+APP_PREFIX = "/media-kit"    # 可改为任意路径，留空或 "/" 表示根路径
+```
+
+配置后：
+- 访问 `/media-kit/admin` → media-kit 管理页面
+- 访问 `/media-kit/api/*` → media-kit API
+- 访问 `/media-kit/__blocklet__.js` → 返回正确的 prefix 配置
+- 访问 `/` → 自动重定向到 `/media-kit/admin`（已登录）或登录页（未登录）
+
+Prefix 也支持通过 gateway Worker 的 `X-Mount-Prefix` header 动态设置。
+
+**注意**：`/.well-known/service/*` 是全局认证服务路径，不加 prefix。
+
 ## 数据迁移（从 Blocklet Server 迁移）
 
 如果需要从现有 Blocklet Server 迁移数据：
@@ -166,6 +239,7 @@ cd cloudflare
 # 创建 .dev.vars 文件
 cat > .dev.vars << 'EOF'
 ENVIRONMENT=development
+APP_SK=<64-byte-hex-secret-key>
 R2_ACCESS_KEY_ID=your-key
 R2_SECRET_ACCESS_KEY=your-secret
 CF_ACCOUNT_ID=your-account-id
@@ -187,33 +261,34 @@ cd frontend && npx vite --port 3030
 ```
 cloudflare/
   src/                    # CF Worker 后端（Hono + D1 + R2）
-    worker.ts             # 入口：路由 + AIGNE Hub 代理
+    worker.ts             # 入口：prefix strip、root redirect、auth proxy、路由、SPA fallback
     routes/
-      upload.ts           # 上传：presign / proxy-put（开发模式代理上传） / direct（FormData 上传） / confirm
+      upload.ts           # 上传：presign / proxy-put / direct / confirm
       serve.ts            # 文件服务：R2 → 响应（生产用 cf.image）
       folders.ts          # 文件夹 CRUD
-      status.ts           # Uploader 配置
+      status.ts           # Uploader 配置（uploadMode: presigned）
       unsplash.ts         # Unsplash 代理
-      cleanup.ts          # 定时清理过期 session + AI 临时图片（tmp/ai/，24h）
-    middleware/auth.ts     # x-user-did 认证
+      cleanup.ts          # 定时清理过期 session + AI 临时图片
+    middleware/auth.ts     # AUTH_SERVICE RPC 认证 + JWT 缓存
     db/schema.ts           # Drizzle ORM 表定义
+    types.ts               # Env、CallerIdentityDTO、UserContext 类型
     utils/
       s3.ts               # R2 S3 兼容 API（presigned URL、multipart）
       hash.ts             # MD5 哈希、MIME 检测、SVG 净化
   frontend/               # 前端构建配置
     vite.config.ts         # Alias 指向原版源码 + shim
     src/shims/             # Blocklet SDK 替代实现
-    index.html             # window.blocklet 注入
+    index.html             # window.blocklet 默认值 + __blocklet__.js 加载
   public/                  # vite build 产物（Worker 静态资源）
-  wrangler.toml            # CF Workers 配置
+  wrangler.toml            # CF Workers 配置（Service Binding、prefix 等）
   migrations/              # D1 数据库迁移
   scripts/migrate-data.ts  # SQLite → D1 迁移脚本
 ```
 
 前端源码复用 `blocklets/image-bin/src/`，通过 Vite alias 将依赖 Blocklet Server 运行时的包替换为 shim：
-- `@blocklet/js-sdk` → createAxios shim（标准 axios）
-- `@blocklet/ui-react` → Dashboard/Header/Footer/ComponentInstaller shim
-- `@arcblock/did-connect-react` → SessionProvider/ConnectButton shim
+- `@blocklet/js-sdk` → createAxios shim（axios + withCredentials）
+- `@blocklet/ui-react` → Dashboard（含 Header）/ Header / Footer / ComponentInstaller shim
+- `@arcblock/did-connect-react` → SessionProvider（真实 DID Connect session via cookie）/ ConnectButton shim
 
 `@arcblock/ux` 和 `@arcblock/did` 直接使用原包（纯 UI 组件，无 Blocklet Server 依赖）。
 
@@ -221,8 +296,13 @@ cloudflare/
 
 | 特性 | 本地开发 | 线上 |
 |------|---------|------|
+| 认证 | AUTH_SERVICE Service Binding（需本地运行 blocklet-service） | AUTH_SERVICE Service Binding |
 | R2 存储 | miniflare 本地模拟 | 真实 R2 |
 | D1 数据库 | 本地 SQLite | 真实 D1 |
 | Presigned URL | proxy-put 代理（避免 CORS） | 直传 R2（需配 CORS） |
 | 文件服务 | R2 binding 直接读取 | cf.image EXIF 剥离 + 自动 WebP |
 | AI 图片生成 | 代理到 hub.aigne.io，临时缓存到 R2 tmp/ai/ | 同左，cron 每小时清理 24h 前的临时文件 |
+
+## Merge 前待完成
+
+- [ ] Production optimization: S3 CopyObject for large file dedup（独立于认证，可随时做）

From fe28a923d3c3b588c464989a9ec256050c135ee1 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 10:42:03 +0800
Subject: [PATCH 15/21] docs(cloudflare): remove unnecessary S3 CopyObject TODO

---
 cloudflare/README.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/cloudflare/README.md b/cloudflare/README.md
index a4a368b..27fd7ce 100644
--- a/cloudflare/README.md
+++ b/cloudflare/README.md
@@ -302,7 +302,3 @@ cloudflare/
 | Presigned URL | proxy-put 代理（避免 CORS） | 直传 R2（需配 CORS） |
 | 文件服务 | R2 binding 直接读取 | cf.image EXIF 剥离 + 自动 WebP |
 | AI 图片生成 | 代理到 hub.aigne.io，临时缓存到 R2 tmp/ai/ | 同左，cron 每小时清理 24h 前的临时文件 |
-
-## Merge 前待完成
-
-- [ ] Production optimization: S3 CopyObject for large file dedup（独立于认证，可随时做）

From 0c5261dbc4fe0916cebf74dad3682159c4152a4a Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 10:55:41 +0800
Subject: [PATCH 16/21] fix(cloudflare): prevent double-slash in redirect when
 APP_PREFIX is root

---
 cloudflare/src/worker.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index b1648d4..eb03d01 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -37,7 +37,8 @@ app.use('*', async (c, next) => {
 // Root path redirect: logged in → /media-kit/admin, not logged in → login
 // /.well-known/service/* is global (no prefix) — it's the auth service
 app.get('/', async (c) => {
-  const pfx = c.env.APP_PREFIX || '';
+  const raw = c.env.APP_PREFIX || '/';
+  const pfx = raw === '/' ? '' : raw.replace(/\/$/, '');
   const loginUrl = '/.well-known/service/login';
   const adminUrl = `${pfx}/admin`;
 

From 7e99e7b595edb30a8a47f3668033829486253176 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 10:56:37 +0800
Subject: [PATCH 17/21] chore(cloudflare): remove APP_PREFIX from
 wrangler.toml, set via env instead

---
 cloudflare/wrangler.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cloudflare/wrangler.toml b/cloudflare/wrangler.toml
index f4305d2..36aeafc 100644
--- a/cloudflare/wrangler.toml
+++ b/cloudflare/wrangler.toml
@@ -16,7 +16,6 @@ MAX_UPLOAD_SIZE = "500MB"
 ALLOWED_FILE_TYPES = ".jpeg,.png,.gif,.svg,.webp,.bmp,.ico"
 USE_AI_IMAGE = "true"
 APP_NAME = "Media Kit"
-APP_PREFIX = "/media-kit"
 AIGNE_HUB_URL = "https://hub.aigne.io"
 
 # Service Binding to DID Connect Auth Worker (blocklet-service)

From 1d92b5f815f3213e7c940340221b6931b50274df Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 11:02:16 +0800
Subject: [PATCH 18/21] docs(cloudflare): update APP_PREFIX to use secret
 instead of vars

---
 cloudflare/README.md | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/cloudflare/README.md b/cloudflare/README.md
index 27fd7ce..76afeae 100644
--- a/cloudflare/README.md
+++ b/cloudflare/README.md
@@ -75,6 +75,9 @@ wrangler secret put CF_ACCOUNT_ID
 # AIGNE Hub（AI Image 功能需要）
 wrangler secret put AIGNE_HUB_API_KEY
 
+# 可选：挂载子路径（默认 /，即根路径）
+# wrangler secret put APP_PREFIX   # 例如 /media-kit
+
 # 可选：Unsplash API
 wrangler secret put UNSPLASH_KEY
 wrangler secret put UNSPLASH_SECRET
@@ -155,15 +158,13 @@ Worker 首次启动时通过 `AUTH_SERVICE.registerApp()` 自动注册 instance
 
 ## Prefix 支持
 
-Media Kit 支持挂载在子路径下运行，通过 `APP_PREFIX` 环境变量配置：
+Media Kit 支持挂载在子路径下运行，通过 `APP_PREFIX` secret 配置：
 
-```toml
-# wrangler.toml
-[vars]
-APP_PREFIX = "/media-kit"    # 可改为任意路径，留空或 "/" 表示根路径
+```bash
+wrangler secret put APP_PREFIX   # 输入如 /media-kit 或 /media-kit/
 ```
 
-配置后：
+不设置时默认为 `/`（根路径）。尾部斜杠自动 normalize。配置后：
 - 访问 `/media-kit/admin` → media-kit 管理页面
 - 访问 `/media-kit/api/*` → media-kit API
 - 访问 `/media-kit/__blocklet__.js` → 返回正确的 prefix 配置

From 5f5658d0c8ab4087ebe5f2fae7a1e0215764caba Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 11:03:24 +0800
Subject: [PATCH 19/21] docs(cloudflare): APP_PREFIX via dashboard vars, not
 secret

---
 cloudflare/README.md | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/cloudflare/README.md b/cloudflare/README.md
index 76afeae..e08ffc8 100644
--- a/cloudflare/README.md
+++ b/cloudflare/README.md
@@ -76,7 +76,7 @@ wrangler secret put CF_ACCOUNT_ID
 wrangler secret put AIGNE_HUB_API_KEY
 
 # 可选：挂载子路径（默认 /，即根路径）
-# wrangler secret put APP_PREFIX   # 例如 /media-kit
+# 在 Dashboard → Workers → Settings → Variables 中设置 APP_PREFIX，例如 /media-kit
 
 # 可选：Unsplash API
 wrangler secret put UNSPLASH_KEY
@@ -158,11 +158,9 @@ Worker 首次启动时通过 `AUTH_SERVICE.registerApp()` 自动注册 instance
 
 ## Prefix 支持
 
-Media Kit 支持挂载在子路径下运行，通过 `APP_PREFIX` secret 配置：
+Media Kit 支持挂载在子路径下运行，通过 `APP_PREFIX` 环境变量配置：
 
-```bash
-wrangler secret put APP_PREFIX   # 输入如 /media-kit 或 /media-kit/
-```
+在 Dashboard → Workers → media-kit → Settings → Variables 中添加 `APP_PREFIX`，值如 `/media-kit`。
 
 不设置时默认为 `/`（根路径）。尾部斜杠自动 normalize。配置后：
 - 访问 `/media-kit/admin` → media-kit 管理页面

From 1c984571aadc8a1c059cad6d59b4df657d10e2a4 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 11:32:08 +0800
Subject: [PATCH 20/21] fix(cloudflare): address cross-review security and
 logic issues

- CORS: restrict to same-origin only (was echoing any origin with credentials)
- Prefix strip: add X-Prefix-Stripped header to prevent middleware double-execution
- JWT cache: extract raw token from Bearer header for correct expiry parsing
- Cleanup: don't skip AI temp image cleanup when no expired sessions exist
- isAdminMiddleware: guard against undefined user context
---
 cloudflare/src/middleware/auth.ts |  8 ++++++--
 cloudflare/src/routes/cleanup.ts  |  2 --
 cloudflare/src/worker.ts          | 13 ++++++++-----
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/cloudflare/src/middleware/auth.ts b/cloudflare/src/middleware/auth.ts
index a448347..e02c48d 100644
--- a/cloudflare/src/middleware/auth.ts
+++ b/cloudflare/src/middleware/auth.ts
@@ -67,8 +67,9 @@ export async function authMiddleware(c: Context<HonoEnv>, next: Next) {
     const jwt = match ? decodeURIComponent(match[1]) : null;
     const authHeader = c.req.header('Authorization') || null;
 
-    // Try cache first
-    const cacheKey = jwt || authHeader;
+    // Try cache first — extract raw token from Bearer header for correct expiry parsing
+    const rawToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : authHeader;
+    const cacheKey = jwt || rawToken;
     let caller: CallerIdentityDTO | null = null;
     if (cacheKey) {
       caller = getCachedIdentity(cacheKey);
@@ -102,6 +103,9 @@ export async function authMiddleware(c: Context<HonoEnv>, next: Next) {
 
 export async function isAdminMiddleware(c: Context<HonoEnv>, next: Next) {
   const user = c.get('user');
+  if (!user) {
+    return c.json({ error: 'Unauthorized' }, 401);
+  }
   if (user.role !== 'admin') {
     return c.json({ error: 'Admin access required' }, 403);
   }
diff --git a/cloudflare/src/routes/cleanup.ts b/cloudflare/src/routes/cleanup.ts
index f237581..5786745 100644
--- a/cloudflare/src/routes/cleanup.ts
+++ b/cloudflare/src/routes/cleanup.ts
@@ -27,8 +27,6 @@ export async function cleanupExpiredSessions(env: Env): Promise<void> {
       ),
     );
 
-  if (expired.length === 0) return;
-
   for (const session of expired) {
     if (session.uploadId && session.key) {
       // Multipart session — abort via R2 binding
diff --git a/cloudflare/src/worker.ts b/cloudflare/src/worker.ts
index eb03d01..bac89fc 100644
--- a/cloudflare/src/worker.ts
+++ b/cloudflare/src/worker.ts
@@ -16,18 +16,20 @@ const app = new Hono<HonoEnv>();
 // When APP_PREFIX is set, requests to /media-kit/* are internally rewritten to /*
 // and X-Mount-Prefix is set so __blocklet__.js and HTML rewriting work correctly.
 app.use('*', async (c, next) => {
+  // Already stripped by a previous pass — skip
+  if (c.req.header('X-Prefix-Stripped')) return next();
+
   const prefix = c.env.APP_PREFIX;
   if (!prefix || prefix === '/') return next();
 
   const pfx = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
   const url = new URL(c.req.url);
   if (url.pathname.startsWith(pfx + '/') || url.pathname === pfx) {
-    // Strip prefix and rewrite URL
     const newPath = url.pathname.slice(pfx.length) || '/';
     url.pathname = newPath;
     const newReq = new Request(url.toString(), c.req.raw);
     newReq.headers.set('X-Mount-Prefix', pfx + '/');
-    // Replace the raw request so downstream sees the stripped path
+    newReq.headers.set('X-Prefix-Stripped', '1');
     return app.fetch(newReq, c.env);
   }
 
@@ -68,9 +70,10 @@ app.get('/', async (c) => {
 app.use(
   '*',
   cors({
-    origin: (origin) => {
-      // Auth is enforced by AUTH_SERVICE — CORS allows same-origin requests with credentials
-      return origin || '';
+    origin: (origin, c) => {
+      // Only allow same-origin — SPA is served from the same worker
+      const self = new URL(c.req.url).origin;
+      return origin === self ? origin : '';
     },
     credentials: true,
     allowHeaders: ['Content-Type', 'Authorization'],

From 85b96c9b77055323a7e4da8a2aac3a1cbd9953d1 Mon Sep 17 00:00:00 2001
From: xiaomoziyi <823346486@qq.com>
Date: Fri, 10 Apr 2026 11:42:53 +0800
Subject: [PATCH 21/21] chore(release): bump version to 0.15.0 and add
 Cloudflare Workers deployment for Media Kit

---
 CHANGELOG.md                          | 4 ++++
 blocklets/image-bin/blocklet.yml      | 2 +-
 blocklets/image-bin/package.json      | 2 +-
 package.json                          | 2 +-
 packages/uploader-server/package.json | 2 +-
 packages/uploader/package.json        | 2 +-
 packages/xss/package.json             | 2 +-
 version                               | 2 +-
 8 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 752c79a..04ce1b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.15.0 (2026-4-10)
+
+- feat: Cloudflare Workers deployment for Media Kit
+
 ## 0.14.20 (2026-1-7)
 
 - feat: change bundle method
diff --git a/blocklets/image-bin/blocklet.yml b/blocklets/image-bin/blocklet.yml
index 3ab0745..f83db99 100644
--- a/blocklets/image-bin/blocklet.yml
+++ b/blocklets/image-bin/blocklet.yml
@@ -1,5 +1,5 @@
 name: image-bin
-version: 0.14.20
+version: 0.15.0
 title: Media Kit
 description: >-
   Self-hosted media management that replaces expensive cloud services while
diff --git a/blocklets/image-bin/package.json b/blocklets/image-bin/package.json
index eac149e..83c632a 100644
--- a/blocklets/image-bin/package.json
+++ b/blocklets/image-bin/package.json
@@ -1,6 +1,6 @@
 {
   "name": "image-bin",
-  "version": "0.14.20",
+  "version": "0.15.0",
   "private": true,
   "scripts": {
     "dev": "blocklet dev",
diff --git a/package.json b/package.json
index 297223e..d166089 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "image-bin",
-  "version": "0.14.20",
+  "version": "0.15.0",
   "private": true,
   "scripts": {
     "lint": "pnpm -r lint",
diff --git a/packages/uploader-server/package.json b/packages/uploader-server/package.json
index 7873e8c..3c3cec1 100644
--- a/packages/uploader-server/package.json
+++ b/packages/uploader-server/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@blocklet/uploader-server",
-  "version": "0.14.20",
+  "version": "0.15.0",
   "description": "blocklet upload server",
   "publishConfig": {
     "access": "public"
diff --git a/packages/uploader/package.json b/packages/uploader/package.json
index 0edf263..f8c613e 100644
--- a/packages/uploader/package.json
+++ b/packages/uploader/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@blocklet/uploader",
-  "version": "0.14.20",
+  "version": "0.15.0",
   "description": "blocklet upload component",
   "publishConfig": {
     "access": "public"
diff --git a/packages/xss/package.json b/packages/xss/package.json
index 1a2a0b5..a691013 100644
--- a/packages/xss/package.json
+++ b/packages/xss/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@blocklet/xss",
-  "version": "0.14.20",
+  "version": "0.15.0",
   "description": "blocklet prevent xss attack",
   "publishConfig": {
     "access": "public"
diff --git a/version b/version
index eaebb62..7092c7c 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-0.14.20
\ No newline at end of file
+0.15.0
\ No newline at end of file