payment-kit 1.29.0 → 1.29.2

package/api/src/store/models/entitlement-grant.ts

@@ -1,6 +1,8 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 import { createIdGenerator } from '../../libs/util';
 
@@ -10,9 +12,13 @@ export const nextEntitlementGrantId = createIdGenerator('eg', 24);
 // Multiple grants for the same (customer, entitlement) can coexist across channels;
 // the "currently effective" grant is determined by status + active_until.
 // eslint-disable-next-line prettier/prettier
-export class EntitlementGrant extends Model<InferAttributes<EntitlementGrant>, InferCreationAttributes<EntitlementGrant>> {
+export class EntitlementGrant extends TenantModel<
+  InferAttributes<EntitlementGrant>,
+  InferCreationAttributes<EntitlementGrant>
+> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare entitlement_id: string;
   declare customer_id: string;
@@ -90,13 +96,19 @@ export class EntitlementGrant extends Model<InferAttributes<EntitlementGrant>, I
   };
 
   public static initialize(sequelize: any) {
-    this.init(EntitlementGrant.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'EntitlementGrant',
-      tableName: 'entitlement_grants',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...EntitlementGrant.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'EntitlementGrant',
+        tableName: 'entitlement_grants',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/entitlement-product.ts

@@ -1,11 +1,17 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 // Join table: which products unlock which entitlements (many-to-many)
 // eslint-disable-next-line prettier/prettier
-export class EntitlementProduct extends Model<InferAttributes<EntitlementProduct>, InferCreationAttributes<EntitlementProduct>> {
+export class EntitlementProduct extends TenantModel<
+  InferAttributes<EntitlementProduct>,
+  InferCreationAttributes<EntitlementProduct>
+> {
   declare entitlement_id: string;
   declare product_id: string;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare created_at: CreationOptional<Date>;
   declare updated_at: CreationOptional<Date>;
 
@@ -33,13 +39,19 @@ export class EntitlementProduct extends Model<InferAttributes<EntitlementProduct
   };
 
   public static initialize(sequelize: any) {
-    this.init(EntitlementProduct.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'EntitlementProduct',
-      tableName: 'entitlement_products',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...EntitlementProduct.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'EntitlementProduct',
+        tableName: 'entitlement_products',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate() {}

package/api/src/store/models/entitlement.ts

@@ -1,14 +1,17 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 import { createIdGenerator } from '../../libs/util';
 
 export const nextEntitlementId = createIdGenerator('ent', 24);
 
 // eslint-disable-next-line prettier/prettier
-export class Entitlement extends Model<InferAttributes<Entitlement>, InferCreationAttributes<Entitlement>> {
+export class Entitlement extends TenantModel<InferAttributes<Entitlement>, InferCreationAttributes<Entitlement>> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare key: string;
   declare name?: string;
@@ -33,7 +36,7 @@ export class Entitlement extends Model<InferAttributes<Entitlement>, InferCreati
     key: {
       type: DataTypes.STRING(64),
       allowNull: false,
-      unique: true,
+      // uniqueness is per tenant since Phase 2: see uq_* composite indexes in tenant-backfill.ts
     },
     name: {
       type: DataTypes.STRING(255),
@@ -60,13 +63,19 @@ export class Entitlement extends Model<InferAttributes<Entitlement>, InferCreati
   };
 
   public static initialize(sequelize: any) {
-    this.init(Entitlement.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'Entitlement',
-      tableName: 'entitlements',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...Entitlement.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'Entitlement',
+        tableName: 'entitlements',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/event.ts

@@ -1,5 +1,7 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 import { createIdGenerator } from '../../libs/util';
 import type { EventType } from './types';
@@ -7,10 +9,11 @@ import type { EventType } from './types';
 const nextId = createIdGenerator('evt', 24);
 
 // eslint-disable-next-line prettier/prettier
-export class Event extends Model<InferAttributes<Event>, InferCreationAttributes<Event>> {
+export class Event extends TenantModel<InferAttributes<Event>, InferCreationAttributes<Event>> {
   declare id: CreationOptional<string>;
 
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare type: EventType;
   declare api_version: string;
@@ -91,13 +94,19 @@ export class Event extends Model<InferAttributes<Event>, InferCreationAttributes
   };
 
   public static initialize(sequelize: any) {
-    this.init(Event.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'Event',
-      tableName: 'events',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...Event.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'Event',
+        tableName: 'events',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/exchange-rate-provider.ts

@@ -1,9 +1,16 @@
+// Phase 11 (W2-3) carve-out: exchange_rate_providers is the platform-global
+// table (W1 §2.2 D2 exemption — exchange rates are a global fact, no instance_did
+// column). Its provider API keys are platform-wide config, NOT per-tenant, so it
+// deliberately uses the platform process key (@blocklet/sdk security) rather than
+// the per-tenant secrets keyring — routing it through the tenant facade would
+// encrypt/decrypt the shared config under a different key per request and break
+// it. Phase 12's shim relocation must preserve this platform-key path.
 import security from '@blocklet/sdk/lib/security';
 import cloneDeep from 'lodash/cloneDeep';
 import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model, Op } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 
 export const nextExchangeRateProviderId = createIdGenerator('erp', 24);
@@ -100,13 +107,19 @@ export class ExchangeRateProvider extends Model<
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: ExchangeRateProvider, options) => {
-            createEvent('ExchangeRateProvider', 'exchange_rate_provider.created', model, options).catch(console.error);
+            createEvent('ExchangeRateProvider', 'exchange_rate_provider.created', model, options).catch(
+              reportAuditFailure
+            );
           },
           afterUpdate: (model: ExchangeRateProvider, options) => {
-            createEvent('ExchangeRateProvider', 'exchange_rate_provider.updated', model, options).catch(console.error);
+            createEvent('ExchangeRateProvider', 'exchange_rate_provider.updated', model, options).catch(
+              reportAuditFailure
+            );
           },
           afterDestroy: (model: ExchangeRateProvider, options) => {
-            createEvent('ExchangeRateProvider', 'exchange_rate_provider.deleted', model, options).catch(console.error);
+            createEvent('ExchangeRateProvider', 'exchange_rate_provider.deleted', model, options).catch(
+              reportAuditFailure
+            );
           },
         },
       }

package/api/src/store/models/invoice-item.ts

@@ -1,6 +1,8 @@
 /* eslint-disable @typescript-eslint/indent */
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 import { createIdGenerator } from '../../libs/util';
 import type { DiscountAmount } from './types';
@@ -13,9 +15,10 @@ export type InvoiceLineItem = {
 
 // @link https://stripe.com/docs/api/invoiceitems
 // eslint-disable-next-line prettier/prettier
-export class InvoiceItem extends Model<InferAttributes<InvoiceItem>, InferCreationAttributes<InvoiceItem>> {
+export class InvoiceItem extends TenantModel<InferAttributes<InvoiceItem>, InferCreationAttributes<InvoiceItem>> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare amount: string;
   declare quantity: number;
@@ -149,13 +152,19 @@ export class InvoiceItem extends Model<InferAttributes<InvoiceItem>, InferCreati
   };
 
   public static initialize(sequelize: any) {
-    this.init(InvoiceItem.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'InvoiceItem',
-      tableName: 'invoice_items',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...InvoiceItem.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'InvoiceItem',
+        tableName: 'invoice_items',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/invoice.ts

@@ -6,14 +6,15 @@ import {
   DataTypes,
   InferAttributes,
   InferCreationAttributes,
-  Model,
   Op,
   Sequelize,
   WhereOptions,
 } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent, createStatusEvent } from '../../libs/audit';
+import { createEvent, createStatusEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import type {
   CustomerAddress,
@@ -29,13 +30,14 @@ import type {
 export const nextInvoiceId = createIdGenerator('in', 24);
 
 // eslint-disable-next-line prettier/prettier
-export class Invoice extends Model<InferAttributes<Invoice>, InferCreationAttributes<Invoice>> {
+export class Invoice extends TenantModel<InferAttributes<Invoice>, InferCreationAttributes<Invoice>> {
   declare id: CreationOptional<string>;
 
   // A unique, identifying string that appears on emails sent to the customer for this invoice
   declare number: string;
 
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare description?: string;
   declare statement_descriptor: string;
   declare period_end: number;
@@ -479,6 +481,12 @@ export class Invoice extends Model<InferAttributes<Invoice>, InferCreationAttrib
     this.init(
       {
         ...Invoice.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         starting_token_balance: {
           type: DataTypes.JSON,
           defaultValue: {},
@@ -496,23 +504,23 @@ export class Invoice extends Model<InferAttributes<Invoice>, InferCreationAttrib
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: Invoice, options) => {
-            createEvent('Invoice', 'invoice.created', model, options).catch(console.error);
+            createEvent('Invoice', 'invoice.created', model, options).catch(reportAuditFailure);
             if (model.status === 'paid') {
-              createEvent('Invoice', 'invoice.paid', model, options).catch(console.error);
+              createEvent('Invoice', 'invoice.paid', model, options).catch(reportAuditFailure);
             }
           },
           afterUpdate: (model: Invoice, options) => {
-            createEvent('Invoice', 'invoice.updated', model, options).catch(console.error);
+            createEvent('Invoice', 'invoice.updated', model, options).catch(reportAuditFailure);
             createStatusEvent(
               'Invoice',
               'invoice',
               { open: 'finalized', void: 'voided', paid: 'paid', uncollectible: 'marked_uncollectible' },
               model,
               options
-            ).catch(console.error);
+            ).catch(reportAuditFailure);
           },
           afterDestroy: (model: Invoice, options) => {
-            createEvent('Invoice', 'invoice.deleted', model, options).catch(console.error);
+            createEvent('Invoice', 'invoice.deleted', model, options).catch(reportAuditFailure);
           },
         },
       }

package/api/src/store/models/meter-event.ts

@@ -4,7 +4,6 @@ import {
   DataTypes,
   InferAttributes,
   InferCreationAttributes,
-  Model,
   Op,
   QueryTypes,
   Sequelize,
@@ -13,7 +12,9 @@ import {
 import type { LiteralUnion } from 'type-fest';
 
 import { BN } from '@ocap/util';
-import { createEvent } from '../../libs/audit';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import { GroupedBN, GroupedStrList, MeterEventPayload, MeterEventStatus, SourceData } from './types';
 import { Customer } from './customer';
@@ -30,13 +31,14 @@ type TMeterEventExpanded = MeterEvent & {
   paymentCurrency: TPaymentCurrency;
 };
 
-export class MeterEvent extends Model<InferAttributes<MeterEvent>, InferCreationAttributes<MeterEvent>> {
+export class MeterEvent extends TenantModel<InferAttributes<MeterEvent>, InferCreationAttributes<MeterEvent>> {
   declare id: CreationOptional<string>;
   declare event_name: string;
   declare payload: MeterEventPayload;
   declare identifier: string; // 防重复的唯一标识
   declare timestamp: number;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare status: MeterEventStatus;
   declare processed_at?: number; // 处理时间
   declare attempt_count: number; // 重试次数
@@ -85,7 +87,7 @@ export class MeterEvent extends Model<InferAttributes<MeterEvent>, InferCreation
     identifier: {
       type: DataTypes.STRING(255),
       allowNull: false,
-      unique: true, // 确保幂等性
+      // uniqueness is per tenant since Phase 2: see uq_* composite indexes in tenant-backfill.ts
     },
     livemode: {
       type: DataTypes.BOOLEAN,
@@ -220,6 +222,12 @@ export class MeterEvent extends Model<InferAttributes<MeterEvent>, InferCreation
     this.init(
       {
         ...this.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         source_data: {
           type: DataTypes.JSON,
           allowNull: true,
@@ -231,10 +239,16 @@ export class MeterEvent extends Model<InferAttributes<MeterEvent>, InferCreation
         tableName: 'meter_events',
         createdAt: 'created_at',
         updatedAt: 'updated_at',
-        indexes: [{ fields: ['identifier'], unique: true }, { fields: ['status'] }, { fields: ['event_name'] }],
+        // identifier uniqueness is per tenant since Phase 2 (uq_meter_events_tenant_identifier);
+        // these model-level indexes only apply on sync(), which production never calls
+        indexes: [
+          { fields: ['instance_did', 'identifier'], unique: true },
+          { fields: ['status'] },
+          { fields: ['event_name'] },
+        ],
         hooks: {
           afterCreate: (model: MeterEvent, options) => {
-            createEvent('MeterEvent', 'billing.meter_event.created', model, options).catch(console.error);
+            createEvent('MeterEvent', 'billing.meter_event.created', model, options).catch(reportAuditFailure);
           },
         },
       }
@@ -294,16 +308,20 @@ export class MeterEvent extends Model<InferAttributes<MeterEvent>, InferCreation
     const [totalEvents, processedEvents, totalValue] = await Promise.all([
       this.count({ where: whereClause }),
       this.count({ where: { ...whereClause, status: 'completed' } }),
+      // 洞 G (Phase 4): raw read on a tenant table — guard with instance_did so
+      // the aggregate never crosses tenants (the sibling count() calls above are
+      // already scoped by TenantModel; this keeps the raw SUM consistent).
       // @ts-ignore
       this.sequelize.query(
-        `SELECT COALESCE(SUM(CAST(payload->>'value' AS DECIMAL)), 0) as total 
-         FROM meter_events 
-         WHERE event_name = :eventName 
+        `SELECT COALESCE(SUM(CAST(payload->>'value' AS DECIMAL)), 0) as total
+         FROM meter_events
+         WHERE event_name = :eventName AND instance_did = :instance_did
          ${startTime ? 'AND created_at >= :startTime' : ''}
          ${endTime ? 'AND created_at <= :endTime' : ''}`,
         {
           replacements: {
             eventName,
+            instance_did: getInstanceDid(),
             startTime: startTime?.toISOString(),
             endTime: endTime?.toISOString(),
           },

package/api/src/store/models/meter.ts

@@ -1,8 +1,10 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import type { TPaymentCurrency } from './payment-currency';
 
@@ -12,7 +14,7 @@ export type TMeterExpanded = TMeter & {
   paymentCurrency: TPaymentCurrency;
 };
 
-export class Meter extends Model<InferAttributes<Meter>, InferCreationAttributes<Meter>> {
+export class Meter extends TenantModel<InferAttributes<Meter>, InferCreationAttributes<Meter>> {
   declare id: CreationOptional<string>;
   declare object: CreationOptional<string>;
   declare name: string;
@@ -23,6 +25,7 @@ export class Meter extends Model<InferAttributes<Meter>, InferCreationAttributes
   declare description?: string;
   declare component_did?: string;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare metadata?: Record<string, any>;
   declare currency_id?: string;
@@ -54,7 +57,7 @@ export class Meter extends Model<InferAttributes<Meter>, InferCreationAttributes
     event_name: {
       type: DataTypes.STRING(128),
       allowNull: false,
-      unique: true,
+      // uniqueness is per tenant since Phase 2: see uq_* composite indexes in tenant-backfill.ts
     },
     aggregation_method: {
       type: DataTypes.ENUM('sum', 'count', 'last'),
@@ -115,25 +118,31 @@ export class Meter extends Model<InferAttributes<Meter>, InferCreationAttributes
   };
 
   public static initialize(sequelize: any) {
-    this.init(this.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'Meter',
-      tableName: 'meters',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-      indexes: [{ fields: ['event_name'] }, { fields: ['currency_id'] }],
-      hooks: {
-        afterCreate: (model: Meter, options) => {
-          createEvent('Meter', 'meter.created', model, options).catch(console.error);
-        },
-        afterUpdate: (model: Meter, options) => {
-          createEvent('Meter', 'meter.updated', model, options).catch(console.error);
-        },
-        afterDestroy: (model: Meter, options) => {
-          createEvent('Meter', 'meter.deleted', model, options).catch(console.error);
-        },
+    this.init(
+      {
+        ...this.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
       },
-    });
+      {
+        sequelize,
+        modelName: 'Meter',
+        tableName: 'meters',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+        indexes: [{ fields: ['event_name'] }, { fields: ['currency_id'] }],
+        hooks: {
+          afterCreate: (model: Meter, options) => {
+            createEvent('Meter', 'meter.created', model, options).catch(reportAuditFailure);
+          },
+          afterUpdate: (model: Meter, options) => {
+            createEvent('Meter', 'meter.updated', model, options).catch(reportAuditFailure);
+          },
+          afterDestroy: (model: Meter, options) => {
+            createEvent('Meter', 'meter.deleted', model, options).catch(reportAuditFailure);
+          },
+        },
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/payment-currency.ts

@@ -5,26 +5,34 @@ import {
   FindOptions,
   InferAttributes,
   InferCreationAttributes,
-  Model,
   Op,
   QueryTypes,
 } from 'sequelize';
-import { getUrl } from '@blocklet/sdk';
+// Phase 13b2: import the submodule, not the @blocklet/sdk index. The index eagerly
+// require()s ./wallet-authenticator -> @arcblock/did-connect-js, which a host with
+// skewed @arcblock deps (e.g. arc's @arcblock/validator@1.30.24 override dropping
+// the Joi export that the old did-connect-js@1.29.27 needs) crashes at module-init.
+// This model is bound by initialize() during createEmbeddedPaymentService, so the
+// index would otherwise load that whole auth chain on the entitlements path.
+import { getUrl } from '@blocklet/sdk/lib/component';
 import type { LiteralUnion } from 'type-fest';
 import { fromTokenToUnit } from '@ocap/util';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 import { createIdGenerator } from '../../libs/util';
 import { RechargeConfig, VaultConfig } from './types';
 
 const nextId = createIdGenerator('pc', 12);
 
 // eslint-disable-next-line prettier/prettier
-export class PaymentCurrency extends Model<InferAttributes<PaymentCurrency>, InferCreationAttributes<PaymentCurrency>> {
+export class PaymentCurrency extends TenantModel<InferAttributes<PaymentCurrency>, InferCreationAttributes<PaymentCurrency>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
   declare payment_method_id: string;
 
   declare active: boolean;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare locked: boolean;
   declare is_base_currency: boolean;
 
@@ -137,6 +145,12 @@ export class PaymentCurrency extends Model<InferAttributes<PaymentCurrency>, Inf
     this.init(
       {
         ...PaymentCurrency.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         type: {
           type: DataTypes.ENUM('standard', 'credit'),
           defaultValue: 'standard',
@@ -203,14 +217,17 @@ export class PaymentCurrency extends Model<InferAttributes<PaymentCurrency>, Inf
     if (price) {
       return true;
     }
+    // 洞 G (Phase 4): raw read on prices (tenant table) — guard with
+    // instance_did so currency-usage never counts another tenant's prices.
     // @ts-ignore
     const [{ count }] = await this.sequelize.query(
-      `SELECT count(p.id) AS count 
-       FROM prices AS p 
-       JOIN json_each(p.currency_options) AS option 
-       ON json_extract(option.value, '$.currency_id') = ?`,
+      `SELECT count(p.id) AS count
+       FROM prices AS p
+       JOIN json_each(p.currency_options) AS option
+       ON json_extract(option.value, '$.currency_id') = :currency_id
+       WHERE p.instance_did = :instance_did`,
       {
-        replacements: [this.id],
+        replacements: { currency_id: this.id, instance_did: getInstanceDid() },
         type: QueryTypes.SELECT,
       }
     );