payment-kit 1.29.0 → 1.29.2

package/api/src/queues/credit-grant.ts

@@ -4,7 +4,8 @@ import { Op } from 'sequelize';
 import { BN, fromTokenToUnit, fromUnitToToken } from '@ocap/util';
 import pAll from 'p-all';
 import dayjs from '../libs/dayjs';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 import {
   AutoRechargeConfig,
   CreditGrant,
@@ -48,7 +49,7 @@ type CreditGrantJob =
  * Non on-chain credits finish immediately; on-chain credits wait for mint success
  */
 async function activateGrant(creditGrant: CreditGrant) {
-  const paymentCurrency = await PaymentCurrency.findByPk(creditGrant.currency_id);
+  const paymentCurrency = await systemFindByPk(PaymentCurrency, creditGrant.currency_id);
   const isOnChainCredit = paymentCurrency && PaymentCurrency.isOnChainCredit(paymentCurrency);
 
   logger.info('Activating credit grant', {
@@ -76,10 +77,11 @@ async function activateGrant(creditGrant: CreditGrant) {
   }
 
   // Verify customer
-  const customer = await Customer.findByPk(creditGrant.customer_id);
+  const customer = await systemFindByPk(Customer, creditGrant.customer_id);
   if (!customer) {
     throw new Error(`Customer DID not found for credit grant ${creditGrant.id}`);
   }
+  assertJobObjectTenant(customer);
 
   const customerState = await getAccountState(paymentCurrency, customer.did);
 
@@ -161,7 +163,7 @@ export async function expireGrant(creditGrant: CreditGrant) {
     return;
   }
 
-  const paymentCurrency = await PaymentCurrency.findByPk(creditGrant.currency_id);
+  const paymentCurrency = await systemFindByPk(PaymentCurrency, creditGrant.currency_id);
   if (!paymentCurrency) {
     logger.error('Payment currency not found for credit grant transfer', {
       creditGrantId: creditGrant.id,
@@ -171,9 +173,10 @@ export async function expireGrant(creditGrant: CreditGrant) {
     await creditGrant.update({ status: 'expired' });
     return;
   }
+  assertJobObjectTenant(paymentCurrency);
 
   // Get customer DID
-  const customer = await Customer.findByPk(creditGrant.customer_id);
+  const customer = await systemFindByPk(Customer, creditGrant.customer_id);
   if (!customer?.did) {
     logger.error('Customer DID not found for credit grant transfer', {
       creditGrantId: creditGrant.id,
@@ -280,11 +283,12 @@ const handleCreditGrantJob = async (job: CreditGrantJob) => {
 
   const { creditGrantId, action } = job as { creditGrantId: string; action: 'activate' | 'expire' };
 
-  const creditGrant = await CreditGrant.findByPk(creditGrantId);
+  const creditGrant = await systemFindByPk(CreditGrant, creditGrantId);
   if (!creditGrant) {
     logger.error('Credit grant not found', { creditGrantId });
     return;
   }
+  assertJobObjectTenant(creditGrant);
 
   const now = dayjs().unix();
 
@@ -411,7 +415,7 @@ export async function scheduleCreditGrantJobs(creditGrant: CreditGrant) {
 export const startCreditGrantQueue = async () => {
   logger.info('Starting credit grant queue...');
 
-  const grantsToSchedule = await CreditGrant.findAll({
+  const grantsToSchedule = await systemFindAll(CreditGrant, {
     where: {
       [Op.or]: [
         { status: 'pending' },
@@ -424,7 +428,7 @@ export const startCreditGrantQueue = async () => {
     order: [['created_at', 'ASC']],
   });
 
-  const invoicesToSchedule = await Invoice.findAll({
+  const invoicesToSchedule = await systemFindAll(Invoice, {
     where: {
       status: 'paid',
       metadata: {
@@ -482,7 +486,7 @@ async function recoverCreditScheduleJobs(): Promise<void> {
   try {
     // Find subscriptions with active credit schedules
     // We filter for non-null credit_schedule_state in application code
-    const allActiveSubscriptions = await Subscription.findAll({
+    const allActiveSubscriptions = await systemFindAll(Subscription, {
       where: {
         status: ['active', 'trialing'],
       },
@@ -589,7 +593,7 @@ creditGrantQueue.on('finished', ({ id }) => {
 
 async function handleInvoiceCredit(invoiceId: string) {
   try {
-    const invoice = (await Invoice.findByPk(invoiceId, {
+    const invoice = (await systemFindByPk(Invoice, invoiceId, {
       include: [
         {
           model: Customer,
@@ -619,7 +623,7 @@ async function handleInvoiceCredit(invoiceId: string) {
         customerId: invoice.customer.id,
       });
       if (invoice.metadata?.auto_recharge?.config_id) {
-        const autoRechargeConfig = await AutoRechargeConfig.findByPk(invoice.metadata?.auto_recharge?.config_id);
+        const autoRechargeConfig = await systemFindByPk(AutoRechargeConfig, invoice.metadata?.auto_recharge?.config_id);
         if (autoRechargeConfig) {
           await autoRechargeConfig.updateDailyStats(invoice.total);
         }
@@ -635,7 +639,7 @@ async function handleInvoiceCredit(invoiceId: string) {
 
     const items = await Promise.all(
       lineItems.map(async (lineItem) => {
-        const price = (await Price.findByPk(lineItem.price_id, {
+        const price = (await systemFindByPk(Price, lineItem.price_id, {
           include: [{ model: Product, as: 'product' }],
         })) as TPriceExpanded | null;
 
@@ -664,7 +668,7 @@ async function handleInvoiceCredit(invoiceId: string) {
         }
 
         const quantity = lineItem.quantity || 1;
-        const currency = await PaymentCurrency.findByPk(creditConfig.currency_id);
+        const currency = await systemFindByPk(PaymentCurrency, creditConfig.currency_id);
 
         if (!currency) {
           logger.error('Currency not found', { currencyId: creditConfig.currency_id, invoiceId });
@@ -726,7 +730,7 @@ async function handleInvoiceCredit(invoiceId: string) {
       return;
     }
 
-    const existingGrants = await CreditGrant.findAll({
+    const existingGrants = await systemFindAll(CreditGrant, {
       where: {
         customer_id: invoice.customer.id,
         metadata: {
@@ -972,7 +976,7 @@ events.on('invoice.paid', async (invoice: Invoice) => {
   try {
     await addInvoiceCreditJob(invoice.id);
     if (invoice.subscription_id) {
-      const subscription = await Subscription.findByPk(invoice.subscription_id);
+      const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
       if (subscription) {
         const jobs = await activateAfterFirstPaymentSchedules(subscription, invoice.status_transitions?.paid_at);
         await Promise.all(jobs.map((job) => addScheduledCreditJob(job.jobId, job.job, job.runAt, true)));
@@ -989,11 +993,12 @@ events.on('invoice.paid', async (invoice: Invoice) => {
 events.on('customer.credit_grant.created', async (data: { id: string }) => {
   try {
     // Fetch instance since event emits dataValues (plain object)
-    const creditGrant = await CreditGrant.findByPk(data.id);
+    const creditGrant = await systemFindByPk(CreditGrant, data.id);
     if (!creditGrant) {
       logger.error('Credit grant not found for scheduling', { creditGrantId: data.id });
       return;
     }
+    assertJobObjectTenant(creditGrant);
     await scheduleCreditGrantJobs(creditGrant);
     logger.info('Credit grant jobs scheduled', {
       creditGrantId: creditGrant.id,
@@ -1053,7 +1058,7 @@ events.on('credit-grant.queued', async (id, job, args = {}) => {
  * Used by both subscription.created and subscription.started events
  */
 async function initializeAndScheduleCreditJobs(subscriptionId: string, eventName: string): Promise<void> {
-  const sub = await Subscription.findByPk(subscriptionId);
+  const sub = await systemFindByPk(Subscription, subscriptionId);
   if (!sub) {
     logger.warn('Subscription not found for credit schedule initialization', {
       subscriptionId,
@@ -1061,6 +1066,7 @@ async function initializeAndScheduleCreditJobs(subscriptionId: string, eventName
     });
     return;
   }
+  assertJobObjectTenant(sub);
 
   // initializeCreditSchedule only works for active/trialing subscriptions
   // and skips if already initialized
@@ -1147,10 +1153,11 @@ events.on('customer.subscription.trial_start', async (subscription: Subscription
  */
 events.on('customer.subscription.deleted', async (subscription: Subscription) => {
   try {
-    const sub = await Subscription.findByPk(subscription.id);
+    const sub = await systemFindByPk(Subscription, subscription.id);
     if (!sub) {
       return;
     }
+    assertJobObjectTenant(sub);
 
     const jobIds = await stopCreditSchedule(sub);
 

package/api/src/queues/credit-reconciliation.ts

@@ -7,10 +7,11 @@
 
 import { BN } from '@ocap/util';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { getAccountState, getCustomerTokenBalance } from '../integrations/arcblock/token';
 import { CreditGrant, CreditTransaction, Customer, PaymentCurrency } from '../store/models';
 import { events } from '../libs/event';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 type ReconciliationJob = {
   customerId: string;
@@ -39,7 +40,7 @@ type BalanceInfo = {
  */
 async function getBalanceInfo(customerId: string, currencyId: string): Promise<BalanceInfo> {
   // Get all granted credit grants that have been minted on-chain
-  const grants = await CreditGrant.findAll({
+  const grants = await systemFindAll(CreditGrant, {
     where: {
       customer_id: customerId,
       currency_id: currencyId,
@@ -53,7 +54,7 @@ async function getBalanceInfo(customerId: string, currencyId: string): Promise<B
     .toString();
 
   // Get pending transfers (consumed but token not yet transferred on-chain)
-  const pendingTransactions = await CreditTransaction.findAll({
+  const pendingTransactions = await systemFindAll(CreditTransaction, {
     where: {
       customer_id: customerId,
       transfer_status: 'pending',
@@ -98,13 +99,14 @@ async function handleReconciliation(job: ReconciliationJob) {
   });
 
   try {
-    const currency = await PaymentCurrency.findByPk(currencyId);
+    const currency = await systemFindByPk(PaymentCurrency, currencyId);
     if (!currency || !currency.isOnChainCredit()) {
       logger.warn('Currency not found or not on-chain credit', { currencyId });
       return;
     }
 
-    const customer = await Customer.findByPk(customerId);
+    const customer = await systemFindByPk(Customer, customerId);
+    assertJobObjectTenant(customer);
     if (!customer?.did) {
       logger.warn('Customer not found for reconciliation', { customerId });
       return;

package/api/src/queues/discount-status.ts

@@ -1,9 +1,10 @@
 import pAll from 'p-all';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { Coupon, PromotionCode } from '../store/models';
 import logger from '../libs/logger';
 import { events } from '../libs/event';
 import { validCoupon, validPromotionCode } from '../libs/discount/coupon';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 export type DiscountType = 'coupon' | 'promotion-code';
 
@@ -30,10 +31,11 @@ export async function processDiscountStatus(job: DiscountStatusJobData) {
  * Process coupon status check
  */
 async function processCouponStatus(couponId: string) {
-  const coupon = await Coupon.findByPk(couponId);
+  const coupon = await systemFindByPk(Coupon, couponId);
   if (!coupon) {
     return;
   }
+  assertJobObjectTenant(coupon);
 
   // Skip if already invalid
   if (!coupon.valid) {
@@ -54,7 +56,7 @@ async function processCouponStatus(couponId: string) {
       max_redemptions: coupon.max_redemptions,
       times_redeemed: coupon.times_redeemed,
     });
-    const promotionCodes = await PromotionCode.findAll({ where: { coupon_id: couponId, active: true } });
+    const promotionCodes = await systemFindAll(PromotionCode, { where: { coupon_id: couponId, active: true } });
     await pAll(
       promotionCodes.map(
         (promotionCode) => () =>
@@ -76,11 +78,12 @@ async function processCouponStatus(couponId: string) {
  * Process promotion code status check
  */
 async function processPromotionCodeStatus(promotionCodeId: string) {
-  const promotionCode = await PromotionCode.findByPk(promotionCodeId);
+  const promotionCode = await systemFindByPk(PromotionCode, promotionCodeId);
   if (!promotionCode) {
     logger.warn('Promotion code not found for status check', { promotionCodeId });
     return;
   }
+  assertJobObjectTenant(promotionCode);
 
   // Skip if already inactive
   if (!promotionCode.active) {
@@ -146,8 +149,8 @@ export const discountStatusQueue = createQueue<DiscountStatusJobData>({
 export const startDiscountStatusQueue = async () => {
   logger.info('Starting discount status queue...');
 
-  const coupons = await Coupon.findAll({ where: { valid: true } });
-  const promotionCodes = await PromotionCode.findAll({ where: { active: true } });
+  const coupons = await systemFindAll(Coupon, { where: { valid: true } });
+  const promotionCodes = await systemFindAll(PromotionCode, { where: { active: true } });
   await pAll(
     coupons.map(
       (coupon) => () =>

package/api/src/queues/event.ts

@@ -1,8 +1,11 @@
 import { Op } from 'sequelize';
+import { isCfWorker } from '../libs/env';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 import { events } from '../libs/event';
 import logger from '../libs/logger';
 import createQueue from '../libs/queue';
+import { resolveRowTenant } from '../libs/tenant';
 import { Event } from '../store/models/event';
 import { WebhookAttempt } from '../store/models/webhook-attempt';
 import { WebhookEndpoint } from '../store/models/webhook-endpoint';
@@ -15,7 +18,7 @@ type EventJob = {
 export const handleEvent = async (job: EventJob) => {
   logger.info('Starting to handle event', job);
 
-  const event = await Event.findByPk(job.eventId);
+  const event = await systemFindByPk(Event, job.eventId);
   if (!event) {
     logger.warn('Event not found', job);
     return;
@@ -26,7 +29,12 @@ export const handleEvent = async (job: EventJob) => {
     return;
   }
 
-  const webhooks = await WebhookEndpoint.findAll({ where: { status: 'enabled', livemode: event.livemode } });
+  // Phase 4 (W1-3): fanout only to endpoints of the event's own tenant.
+  // resolveRowTenant fails closed for NULL-tenant events in multi mode.
+  const eventTenant = resolveRowTenant(event);
+  const webhooks = await systemFindAll(WebhookEndpoint, {
+    where: { status: 'enabled', livemode: event.livemode, instance_did: eventTenant },
+  });
   const eventWebhooks = webhooks.filter((webhook) => webhook.enabled_events.includes(event.type));
   if (eventWebhooks.length === 0) {
     logger.info('no webhook endpoint for event', job);
@@ -75,7 +83,7 @@ export const eventQueue = createQueue<EventJob>({
 });
 
 export const startEventQueue = async () => {
-  const docs = await Event.findAll({
+  const docs = await systemFindAll(Event, {
     where: {
       pending_webhooks: { [Op.gt]: 0 },
     },
@@ -100,7 +108,7 @@ eventQueue.on('failed', ({ id, job, error }) => {
 });
 
 events.on('event.created', async (event) => {
-  if ((globalThis as any).__CF_ENV__) {
+  if (isCfWorker()) {
     // CF Workers: execute inline to save 2 CF Queue ops per event.
     // eventQueue only dispatches webhooks — lightweight DB lookup + webhookQueue.push.
     // Webhook delivery still goes through webhookQueue with full retry guarantees.

package/api/src/queues/exchange-rate-health.ts

@@ -11,6 +11,9 @@ const REPRESENTATIVE_TOKENS = ['ABT', 'ETH'];
 interface HealthCheckJob {
   type: 'health_check';
   timestamp: number;
+  /** D6: the tenant this check belongs to — carried in the payload so the
+   *  re-schedule survives outside any ALS context (multi mode). */
+  instance_did?: string;
 }
 
 interface HealthCheckResult {
@@ -201,43 +204,59 @@ export const exchangeRateHealthQueue = createQueue<HealthCheckJob>({
 // Schedule health checks every 6 hours
 const HEALTH_CHECK_INTERVAL = 6 * 60 * 60; // 6 hours in seconds
 
+// D6: every scheduled health-check job carries its tenant in the PAYLOAD so the
+// re-schedule (on 'finished') preserves it WITHOUT relying on the ALS context —
+// the 'finished' listener fires outside any withTenant() scope. In multi mode a
+// tenant-less push would throw TENANT_CONTEXT_MISSING; here `instance_did` is set
+// on the job, so injectJobTenant honors it instead of reading the (absent) ALS.
+let scheduleListenerBound = false;
+
+function scheduleNextHealthCheck(instanceDid?: string): void {
+  const now = Math.floor(Date.now() / 1000);
+  const nextRun = now + HEALTH_CHECK_INTERVAL;
+
+  exchangeRateHealthQueue.push({
+    job: {
+      type: 'health_check',
+      timestamp: Date.now(),
+      // carry the tenant in the payload (multi mode has no ALS context here)
+      ...(instanceDid ? { instance_did: instanceDid } : {}),
+    } as HealthCheckJob,
+    runAt: nextRun,
+    persist: true,
+  });
+
+  logger.info('Scheduled next exchange rate health check', {
+    nextRunAt: new Date(nextRun * 1000).toISOString(),
+    intervalHours: HEALTH_CHECK_INTERVAL / 3600,
+    instanceDid,
+  });
+}
+
 /**
- * Initialize and schedule periodic health checks
+ * Schedule periodic health checks for a tenant. The initial push AND every
+ * re-schedule carry `instance_did` in the job payload, so the cancel-then-replay
+ * recovery (D2) and the post-restart redispatch stay under the correct tenant.
  */
-export function scheduleHealthChecks(): void {
-  const scheduleNext = () => {
-    const now = Math.floor(Date.now() / 1000);
-    const nextRun = now + HEALTH_CHECK_INTERVAL;
-
-    exchangeRateHealthQueue.push({
-      job: {
-        type: 'health_check',
-        timestamp: Date.now(),
-      },
-      runAt: nextRun,
-      persist: true,
+export function scheduleHealthChecks(instanceDid?: string): void {
+  scheduleNextHealthCheck(instanceDid);
+
+  // bind the re-schedule listener ONCE (idempotent across bootstrapTenant calls);
+  // it reads the finished job's own instance_did to re-schedule under that tenant.
+  if (!scheduleListenerBound) {
+    scheduleListenerBound = true;
+    exchangeRateHealthQueue.on('finished', (data: { job?: HealthCheckJob }) => {
+      scheduleNextHealthCheck(data?.job?.instance_did);
     });
-
-    logger.info('Scheduled next exchange rate health check', {
-      nextRunAt: new Date(nextRun * 1000).toISOString(),
-      intervalHours: HEALTH_CHECK_INTERVAL / 3600,
-    });
-  };
-
-  // Schedule initial check
-  scheduleNext();
-
-  // Listen for completed checks and schedule next one
-  exchangeRateHealthQueue.on('finished', () => {
-    scheduleNext();
-  });
+  }
 
   logger.info('Exchange rate health check scheduling initialized', {
     intervalHours: HEALTH_CHECK_INTERVAL / 3600,
+    instanceDid,
   });
 }
 
-// Export for explicit initialization in index.ts
-export function startExchangeRateHealthQueue(): void {
-  scheduleHealthChecks();
+// Export for explicit initialization (single mode / per-tenant bootstrap).
+export function startExchangeRateHealthQueue(instanceDid?: string): void {
+  scheduleHealthChecks(instanceDid);
 }

package/api/src/queues/invoice.ts

@@ -1,10 +1,11 @@
 import { Op } from 'sequelize';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 import { getInvoiceShouldPayTotal, handleOverdraftProtectionInvoiceAfterPayment } from '../libs/invoice';
-import { createEvent } from '../libs/audit';
+import { createEvent, reportAuditFailure } from '../libs/audit';
 import dayjs from '../libs/dayjs';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { PaymentMethod, Invoice, InvoiceItem } from '../store/models';
 import { CheckoutSession } from '../store/models/checkout-session';
 import { PaymentIntent } from '../store/models/payment-intent';
@@ -29,11 +30,12 @@ type InvoiceJob = {
 export const handleInvoice = async (job: InvoiceJob) => {
   logger.info('handle invoice', job);
 
-  const invoice = await Invoice.findByPk(job.invoiceId);
+  const invoice = await systemFindByPk(Invoice, job.invoiceId);
   if (!invoice) {
     logger.warn('invoice not found', { invoiceId: job.invoiceId });
     return;
   }
+  assertJobObjectTenant(invoice);
   if (invoice.status !== 'open') {
     logger.warn('invoice not open', { invoiceId: job.invoiceId });
     return;
@@ -63,7 +65,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
     logger.info('Invoice updated to paid status', { invoiceId: invoice.id });
 
     if (invoice.subscription_id) {
-      const subscription = await Subscription.findByPk(invoice.subscription_id);
+      const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
       if (subscription) {
         if (subscription.status === 'incomplete') {
           await subscription.start();
@@ -78,17 +80,17 @@ export const handleInvoice = async (job: InvoiceJob) => {
           }
         } else {
           if (invoice.billing_reason === 'subscription_cycle') {
-            createEvent('Subscription', 'customer.subscription.renewed', subscription).catch(console.error);
+            createEvent('Subscription', 'customer.subscription.renewed', subscription).catch(reportAuditFailure);
           }
           if (invoice.billing_reason === 'subscription_update') {
-            createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(console.error);
+            createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(reportAuditFailure);
           }
         }
       }
     }
 
     if (invoice.checkout_session_id) {
-      const checkoutSession = await CheckoutSession.findByPk(invoice.checkout_session_id);
+      const checkoutSession = await systemFindByPk(CheckoutSession, invoice.checkout_session_id);
       if (checkoutSession && checkoutSession.status === 'open') {
         await checkoutSession.update({ status: 'complete', payment_status: 'no_payment_required' });
         logger.info('invoice checkout session updated', { invoice: invoice.id, checkoutSession: checkoutSession.id });
@@ -96,7 +98,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
     }
 
     if (invoice.payment_intent_id) {
-      const paymentIntent = await PaymentIntent.findByPk(invoice.payment_intent_id);
+      const paymentIntent = await systemFindByPk(PaymentIntent, invoice.payment_intent_id);
       if (
         paymentIntent &&
         ['requires_action', 'requires_capture', 'requires_payment_method'].includes(paymentIntent.status)
@@ -119,7 +121,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
       invoiceId: job.invoiceId,
       paymentIntent: invoice.payment_intent_id,
     });
-    paymentIntent = await PaymentIntent.findByPk(invoice.payment_intent_id);
+    paymentIntent = await systemFindByPk(PaymentIntent, invoice.payment_intent_id);
     if (paymentIntent && paymentIntent.isImmutable() === false) {
       await paymentIntent.update({ status: 'requires_capture', customer_id: invoice.customer_id });
       logger.info('PaymentIntent updated for invoice', {
@@ -166,7 +168,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
     });
 
     if (invoice.checkout_session_id) {
-      const checkoutSession = await CheckoutSession.findByPk(invoice.checkout_session_id);
+      const checkoutSession = await systemFindByPk(CheckoutSession, invoice.checkout_session_id);
       if (checkoutSession && checkoutSession.status === 'open') {
         await checkoutSession.update({ payment_intent_id: paymentIntent.id });
         logger.info('PaymentIntent attached to invoice checkout session', {
@@ -212,14 +214,14 @@ export const invoiceQueue = createQueue<InvoiceJob>({
 });
 
 export const startInvoiceQueue = async () => {
-  const lock = getLock('startInvoiceQueue');
+  const lock = getLock('startInvoiceQueue', { scope: 'global' });
   if (lock.locked) {
     return;
   }
 
   try {
     await lock.acquire();
-    const invoices = await Invoice.findAll({
+    const invoices = await systemFindAll(Invoice, {
       where: {
         status: 'open',
         collection_method: 'charge_automatically',
@@ -259,11 +261,12 @@ invoiceQueue.on('failed', ({ id, job, error }) => {
 });
 
 events.on('invoice.paid', async ({ id: invoiceId }) => {
-  const invoice = await Invoice.findByPk(invoiceId);
+  const invoice = await systemFindByPk(Invoice, invoiceId);
   if (!invoice) {
     logger.error('Invoice not found for paid event', { invoiceId });
     return;
   }
+  assertJobObjectTenant(invoice);
   logger.info('Processing paid invoice', { invoiceId, billingReason: invoice.billing_reason });
 
   const checkBillingReason = ['subscription_cycle', 'subscription_cancel'];
@@ -286,7 +289,7 @@ events.on('invoice.paid', async ({ id: invoiceId }) => {
 // Separate listener to mark quotes as paid - independent of other invoice.paid handlers
 events.on('invoice.paid', async ({ id: invoiceId }) => {
   try {
-    const invoiceItems = await InvoiceItem.findAll({
+    const invoiceItems = await systemFindAll(InvoiceItem, {
       where: { invoice_id: invoiceId },
     });
 
@@ -304,7 +307,7 @@ events.on('invoice.paid', async ({ id: invoiceId }) => {
     await Promise.all(
       quoteIds.map(async (quoteId) => {
         try {
-          const quote = await PriceQuote.findByPk(quoteId);
+          const quote = await systemFindByPk(PriceQuote, quoteId);
           if (quote && quote.status !== 'paid') {
             await quote.update({ invoice_id: invoiceId });
             await quoteService.markAsPaid(quoteId);

package/api/src/queues/notification.ts

@@ -1,5 +1,6 @@
 import { Op } from 'sequelize';
 import debounce from 'lodash/debounce';
+import { systemFindByPk } from '../store/scoped';
 /* eslint-disable @typescript-eslint/indent */
 import { events } from '../libs/event';
 import logger from '../libs/logger';
@@ -62,7 +63,7 @@ import {
   SubscriptionStakeSlashSucceededEmailTemplate,
   SubscriptionStakeSlashSucceededEmailTemplateOptions,
 } from '../libs/notification/template/subscription-stake-slash-succeeded';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import {
   CheckoutSession,
   EventType,
@@ -263,7 +264,8 @@ async function getNotificationTemplate(job: NotificationQueueJob): Promise<BaseE
   }
   if (job.type === 'refund.succeeded') {
     const { refundId } = job.options as { refundId: string };
-    const refund = await Refund.findByPk(refundId);
+    const refund = await systemFindByPk(Refund, refundId);
+    if (refund) assertJobObjectTenant(refund);
     if (refund?.subscription_id) {
       return new SubscriptionRefundSucceededEmailTemplate(
         job.options as SubscriptionRefundSucceededEmailTemplateOptions
@@ -570,7 +572,8 @@ export async function startNotificationQueue() {
   // 一次性购买成功
   events.on('checkout.session.completed', async (checkoutSession: CheckoutSession) => {
     if (checkoutSession.mode === 'payment') {
-      const paymentLink = await PaymentLink.findByPk(checkoutSession.payment_link_id);
+      const paymentLink = await systemFindByPk(PaymentLink, checkoutSession.payment_link_id);
+      if (paymentLink) assertJobObjectTenant(paymentLink);
       if (paymentLink?.submit_type === 'donate') {
         addNotificationJob('customer.reward.succeeded', { checkoutSessionId: checkoutSession.id }, [
           checkoutSession.id,
@@ -583,7 +586,8 @@ export async function startNotificationQueue() {
   });
 
   events.on('customer.subscription.renewed', async (subscription: Subscription) => {
-    const customer = await Customer.findByPk(subscription.customer_id);
+    const customer = await systemFindByPk(Customer, subscription.customer_id);
+    if (customer) assertJobObjectTenant(customer);
     const preference = customer?.preference?.notification;
     if (!subscription.latest_invoice_id) {
       logger.warn('Missing latest_invoice_id for subscription', { subscriptionId: subscription.id });
@@ -619,7 +623,8 @@ export async function startNotificationQueue() {
   });
 
   events.on('customer.subscription.renew_failed', async (subscription: Subscription, { invoiceId }) => {
-    const invoice = await Invoice.findByPk(invoiceId || subscription.latest_invoice_id);
+    const invoice = await systemFindByPk(Invoice, invoiceId || subscription.latest_invoice_id);
+    if (invoice) assertJobObjectTenant(invoice);
 
     logger.info('events.on', 'customer.subscription.renew_failed', {
       subscriptionId: subscription.id,
@@ -731,7 +736,8 @@ export async function startNotificationQueue() {
   events.on(
     'customer.auto_recharge.failed',
     async (customer: Customer, { autoRechargeConfigId, invoiceId, paymentIntentId }) => {
-      const invoice = await Invoice.findByPk(invoiceId);
+      const invoice = await systemFindByPk(Invoice, invoiceId);
+      if (invoice) assertJobObjectTenant(invoice);
       logger.info('addNotificationJob:customer.auto_recharge.failed', autoRechargeConfigId);
       if (invoice && autoRechargeConfigId && invoice.metadata?.auto_recharge_failed_reason) {
         addNotificationJob(
@@ -819,7 +825,8 @@ export async function startNotificationQueue() {
 
       // Reuse customer.auto_recharge.failed notification with skipped reason
       // This ensures users are notified when auto-recharge cannot proceed
-      const customer = await Customer.findByPk(data.customer_id);
+      const customer = await systemFindByPk(Customer, data.customer_id);
+      if (customer) assertJobObjectTenant(customer);
       if (customer) {
         addNotificationJob(
           'customer.auto_recharge.failed',