payment-kit 1.29.0 → 1.29.2

package/api/tests/embedded/embedded-multi-mode-d3.spec.ts

@@ -0,0 +1,257 @@
+// D3 (S3.0) — embedded multi-mode background harness. Builds a REAL embedded
+// payment service (createEmbeddedPaymentService) over a file-backed sqlite with
+// the full 46-table schema (applyPaymentCoreMigrations) and tenancy:{mode:'multi'}
+// + every slot, then exercises the background engine the way an arc-node host
+// drives it: queue retry, delayed-job restart recovery, cross-tenant isolation,
+// and slot-misconfig fail-closed.
+//
+// The engine-level retry/dispatch parity lives in queue-runtime-surface.spec;
+// this harness proves the SAME behavior holds through the assembled multi-mode
+// service (models bound by the factory, tenant carried in the payload).
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+
+import { withTenant, getInstanceDid } from '../../src/libs/context';
+import { createNodeDbDriver } from '../../src/libs/drivers/db';
+import {
+  applyPaymentCoreMigrations,
+  createMemoryLocksDriver,
+  createCronRegistry,
+  createKeyringSecretsDriver,
+  nodeQueueHostHooks,
+} from '../../src/libs/drivers';
+import { setQueueRuntimeMode, __test__ as runtimeTest } from '../../src/libs/queue/runtime';
+import { createEmbeddedPaymentService, PaymentCoreSlotError } from '../../src/service';
+
+jest.setTimeout(60000);
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+const TENANT_A = 'did:abt:zD3TENANTA';
+const TENANT_B = 'did:abt:zD3TENANTB';
+const HOST_A = 'a.example.com';
+const HOST_B = 'b.example.com';
+
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'embedded-multi-d3-'));
+const dbFile = path.join(dir, 'payment.db');
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: dbFile, logging: false, pool: { max: 5 } });
+
+// multi-tenant identity: Host -> tenant, plus a per-tenant EK for the keyring.
+const identity = {
+  resolveInstanceDidForHost(host: string | undefined) {
+    if (host === HOST_A) return TENANT_A;
+    if (host === HOST_B) return TENANT_B;
+    return null; // unknown host fails closed at the resolver
+  },
+  getAppEk(instanceDid: string) {
+    // distinct per-tenant key material (hex) — the keyring isolates by this
+    return instanceDid === TENANT_A ? 'a'.repeat(64) : 'b'.repeat(64);
+  },
+};
+
+const baseSlots = () => ({
+  config: { BLOCKLET_APP_PID: TENANT_A, PAYMENT_LIVEMODE: 'true' },
+  db: { sequelize: sequelize as any },
+  tenancy: { mode: 'multi' as const },
+  identity,
+  secrets: createKeyringSecretsDriver(identity),
+  queue: nodeQueueHostHooks,
+  cron: createCronRegistry('node-cron'),
+  locks: createMemoryLocksDriver(),
+});
+
+let svc: ReturnType<typeof createEmbeddedPaymentService>;
+let createQueue: any;
+let createQueueStore: any;
+let tableCount = 0;
+
+const settle = (emitter: any): Promise<string> =>
+  new Promise((resolve) => {
+    ['finished', 'failed', 'cancelled'].forEach((e) => emitter.on(e, () => resolve(e)));
+  });
+const wait = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+beforeAll(async () => {
+  // provision the full embedded schema (9 SQL migrations -> 46 tables)
+  const driver = createNodeDbDriver(sequelize);
+  await applyPaymentCoreMigrations(driver);
+  // canonical embedded-schema count (task 13 / D4): 46 tables INCLUDING the
+  // _sql_migrations tracker row table.
+  const rows = await driver.all<{ name: string }>(
+    "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
+  );
+  tableCount = rows.length;
+
+  // assemble the multi-mode embedded service (binds models to OUR sequelize)
+  svc = createEmbeddedPaymentService(baseSlots());
+  setQueueRuntimeMode('node');
+  createQueue = require('../../src/libs/queue').default;
+  createQueueStore = require('../../src/libs/queue/store').default;
+}, 120000);
+
+afterAll(async () => {
+  // exercise the D2 lifecycle teardown contract (no-op here since we never
+  // called lifecycle.start(), but it must not throw and clears any driver state)
+  await svc.lifecycle.stop();
+  runtimeTest.reset();
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+afterEach(() => {
+  runtimeTest.reset();
+  setQueueRuntimeMode('node');
+});
+
+describe('D3 happy path — multi service assembles + a job runs under its tenant', () => {
+  it('the embedded schema has 46 tables and the rpc surface is present', () => {
+    expect(tableCount).toBe(46);
+    expect(typeof svc.rpc.entitlements.check).toBe('function');
+    expect(typeof svc.rpc.meterEvents.report).toBe('function');
+  });
+
+  it('a job enqueued under tenant A executes under tenant A', async () => {
+    let observed = '';
+    const q = createQueue({
+      name: `d3-happy-${Date.now()}`,
+      onJob: async () => {
+        observed = getInstanceDid();
+      },
+    });
+    const ev = await withTenant(TENANT_A, async () => q.push({ job: { v: 1, instance_did: TENANT_A } }));
+    expect(await settle(ev)).toBe('finished');
+    expect(observed).toBe(TENANT_A);
+  });
+});
+
+describe('D3 bad input — slot misconfig fails closed (no silent single)', () => {
+  it('multi without a secrets slot throws PaymentCoreSlotError', () => {
+    const slots: any = baseSlots();
+    delete slots.secrets;
+    expect(() => createEmbeddedPaymentService(slots)).toThrow(PaymentCoreSlotError);
+  });
+
+  it('multi without an identity slot throws PaymentCoreSlotError', () => {
+    const slots: any = baseSlots();
+    delete slots.identity;
+    expect(() => createEmbeddedPaymentService(slots)).toThrow(PaymentCoreSlotError);
+  });
+
+  it('multi without cron/queue/locks still assembles (safe Node defaults, not a degrade)', () => {
+    // identity + secrets are the ONLY slots whose absence silently degrades to
+    // single-tenant (D1), so they fail closed. cron/queue/locks have correct
+    // Node defaults (node-cron registry, no-op flush, memory locks) for a
+    // single-process daemon, so their absence is NOT an error — it must not be
+    // conflated with the identity/secrets fail-closed case.
+    const slots: any = baseSlots();
+    delete slots.cron;
+    delete slots.queue;
+    delete slots.locks;
+    expect(() => createEmbeddedPaymentService(slots)).not.toThrow();
+  });
+});
+
+describe('D3 security — cross-tenant job object is fail-closed', () => {
+  it('a job whose loaded object tenant != payload tenant is rejected (structured)', async () => {
+    const { assertJobObjectTenant } = require('../../src/libs/queue');
+    let leaked = false;
+    let observed = '';
+    const q = createQueue({
+      name: `d3-xtenant-${Date.now()}`,
+      onJob: async () => {
+        observed = getInstanceDid();
+        // payload says A; an object loaded cross-tenant belongs to B
+        assertJobObjectTenant({ instance_did: TENANT_B });
+        leaked = true; // unreachable — assert throws first
+      },
+    });
+    const ev = await withTenant(TENANT_A, async () => q.push({ job: { tag: 'x', instance_did: TENANT_A } }));
+    expect(await settle(ev)).toBe('failed');
+    expect(observed).toBe(TENANT_A);
+    expect(leaked).toBe(false);
+  });
+});
+
+describe('D3 data loss — delayed/persisted job recovers on restart', () => {
+  it('a persisted row left by a prior queue is recovered + executed by a fresh queue (same id)', async () => {
+    const name = `d3-recover-${Date.now()}`;
+    const jobId = `recover-${Date.now()}`;
+    // simulate a prior process: a persisted immediate row sits in the store,
+    // never executed (no live queue ran it)
+    const store = createQueueStore(name);
+    await store.addJob(jobId, { v: 1, instance_did: TENANT_A }, {});
+
+    // "restart": a fresh queue with the same name boots and recovers the row.
+    // Capture the RECOVERED row's id from the runtime's finished event (the
+    // job payload carries no id, so this is the only faithful source — proving
+    // the recovered id is the original, not a freshly generated one).
+    let ranId = '';
+    let executions = 0;
+    const q = createQueue({
+      name,
+      onJob: async () => {
+        executions += 1;
+      },
+    });
+    q.on('finished', (data: { id: string }) => {
+      ranId = data.id;
+    });
+    // loadExisting runs on process.nextTick; give it room to recover + execute
+    await wait(400);
+    const remaining = await store.getJobs();
+    expect(ranId).toBe(jobId); // the RECOVERED row's id is the original (not regenerated)
+    expect(executions).toBe(1); // executed exactly once on recovery
+    expect(remaining.find((r: any) => r.id === jobId)).toBeUndefined(); // consumed, not duplicated
+  });
+});
+
+describe('D3 data damage — retry does not double-execute (idempotent)', () => {
+  it('a job that fails then succeeds runs its success side-effect exactly once', async () => {
+    let attempts = 0;
+    let successes = 0;
+    const q = createQueue({
+      name: `d3-retry-${Date.now()}`,
+      onJob: async () => {
+        attempts += 1;
+        if (attempts < 3) throw new Error('transient');
+        successes += 1; // only on the successful attempt
+      },
+      options: { maxRetries: 5, retryDelay: 1 },
+    });
+    const ev = await withTenant(TENANT_A, async () => q.push({ job: { v: 1, instance_did: TENANT_A } }));
+    expect(await settle(ev)).toBe('finished');
+    expect(attempts).toBe(3); // 2 failures + 1 success, no infinite loop
+    expect(successes).toBe(1); // side-effect exactly once, not per attempt
+  });
+});
+
+describe('D3 data leak — tenant A and tenant B background jobs do not bleed', () => {
+  it('A and B jobs each run strictly under their own tenant scope', async () => {
+    const seen: Record<string, string> = {};
+    const qa = createQueue({
+      name: `d3-leak-a-${Date.now()}`,
+      onJob: async () => {
+        seen.a = getInstanceDid();
+      },
+    });
+    const qb = createQueue({
+      name: `d3-leak-b-${Date.now()}`,
+      onJob: async () => {
+        seen.b = getInstanceDid();
+      },
+    });
+    const ea = await withTenant(TENANT_A, async () => qa.push({ job: { instance_did: TENANT_A } }));
+    const eb = await withTenant(TENANT_B, async () => qb.push({ job: { instance_did: TENANT_B } }));
+    expect(await settle(ea)).toBe('finished');
+    expect(await settle(eb)).toBe('finished');
+    expect(seen.a).toBe(TENANT_A);
+    expect(seen.b).toBe(TENANT_B);
+    expect(seen.a).not.toBe(seen.b); // no cross-tenant bleed
+  });
+});

package/api/tests/fixtures/bare-query-violation.ts

@@ -0,0 +1,13 @@
+// Deliberately violating fixture for the tenant query scanner self-test.
+// NOT part of the CI scan scope (api/tests is excluded); the scanner is
+// pointed at this file explicitly in scoped.spec.ts.
+//
+// W1′ Phase 5: a bare `Customer.findAll()` is now SAFE (Customer extends
+// TenantModel — auto-scoped), so the violation the scanner must catch is a raw
+// `.query(...)` on a tenant table with NO $instance_did bind (assertion ②).
+import { sequelize } from '../../src/store/sequelize';
+
+export function rawQueryViolation() {
+  // raw read on a tenant table (coupons) with no tenant bind — scanner flags it
+  return sequelize.query('SELECT * FROM coupons WHERE livemode = 1');
+}

package/api/tests/fixtures/core-env-violation.ts

@@ -0,0 +1,10 @@
+// Phase 12 (W2-4a) negative fixture — core code reading process.env / the CF env
+// mirror directly, which the core-env scanner must reject (config must flow
+// through the env/config boundary). Not in the CI scan scope; passed explicitly
+// to the scanner in tests to prove the rule fires.
+/* eslint-disable */
+export function badConfigRead() {
+  const a = process.env.SOME_SECRET; // VIOLATION: direct process.env read in core
+  const b = (globalThis as any).__CF_ENV__?.APP_URL; // VIOLATION: CF env mirror read
+  return { a, b };
+}

package/api/tests/fixtures/host-read-violation.ts

@@ -0,0 +1,19 @@
+// Phase 10 (W2-2) negative fixture — a route reading the Host directly, which
+// the tenant-scan rule must reject (tenant may only be resolved at the single
+// middleware point). Not part of the CI scan scope; passed explicitly to the
+// scanner in tests to prove the rule fires.
+/* eslint-disable */
+// Minimal req/res shapes — this is a STATIC-SCAN fixture (the tenant-query scanner
+// reads the source text for Host reads); the handlers are never executed, so the
+// express types are unnecessary (core is express-free post Phase 4).
+type AnyReq = { headers: Record<string, any>; hostname?: string };
+type AnyRes = { json: (body: any) => any };
+
+export function badHandlerA(req: AnyReq, res: AnyRes) {
+  const host = req.headers.host; // VIOLATION: host read outside the tenant middleware
+  res.json({ host });
+}
+
+export function badHandlerB(req: AnyReq, res: AnyRes) {
+  res.json({ h: req.hostname }); // VIOLATION: req.hostname read outside the tenant middleware
+}

package/api/tests/fixtures/tenants.ts

@@ -0,0 +1,4 @@
+// Two distinct tenant instanceDids used by all multi-tenant isolation tests.
+// Built on top of the Phase 0 test injection helper (`withTenant`).
+export const TENANT_A = 'did:abt:zTenantAAAAAAAAAAAAAAAAAAAAAAA';
+export const TENANT_B = 'did:abt:zTenantBBBBBBBBBBBBBBBBBBBBBBB';

package/api/tests/integrations/iap-tenant.spec.ts

@@ -0,0 +1,284 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Hono } from 'hono';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+// capture the tenant the verified-event handler runs under
+const handleGooglePlayEvent = jest.fn().mockImplementation(async () => {
+  // eslint-disable-next-line global-require
+  const { getInstanceDid } = require('../../src/libs/context');
+  handlerTenants.push(getInstanceDid());
+});
+const handlerTenants: string[] = [];
+jest.mock('../../src/integrations/google-play/handlers', () => ({
+  __esModule: true,
+  default: (...args: any[]) => handleGooglePlayEvent(...args),
+}));
+
+const handleAppStoreNotification = jest.fn().mockImplementation(async () => {
+  // eslint-disable-next-line global-require
+  const { getInstanceDid } = require('../../src/libs/context');
+  appStoreTenants.push(getInstanceDid());
+});
+const appStoreTenants: string[] = [];
+jest.mock('../../src/integrations/app-store/handlers', () => ({
+  __esModule: true,
+  default: (...args: any[]) => handleAppStoreNotification(...args),
+}));
+// unverified routing peek: bundleId comes straight from our fake payload
+jest.mock('../../src/integrations/app-store/notification-routing', () => ({
+  __esModule: true,
+  peekNotificationRouting: (signedPayload: string) => JSON.parse(signedPayload),
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'iap-tenant-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let models: any;
+let app: Hono;
+
+const rtdnEnvelope = (packageName: string) => ({
+  message: {
+    messageId: `msg-${Math.random().toString(36).slice(2)}`,
+    data: Buffer.from(
+      JSON.stringify({
+        version: '1.0',
+        packageName,
+        eventTimeMillis: String(Date.now()),
+        subscriptionNotification: {
+          version: '1.0',
+          notificationType: 4,
+          purchaseToken: 'token-x',
+          subscriptionId: 'sku-x',
+        },
+      })
+    ).toString('base64'),
+  },
+  subscription: 'projects/x/subscriptions/y',
+});
+
+const postWebhook = async (body: any): Promise<{ status: number; json: any }> => {
+  const res = await app.fetch(
+    new Request('http://app.local/api/integrations/google-play/webhook', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+  );
+  return { status: res.status, json: JSON.parse((await res.text()) || '{}') };
+};
+
+const seedMethod = (tenant: string, packageName: string) =>
+  withTenant(tenant, () =>
+    models.PaymentMethod.create({
+      livemode: false,
+      active: true,
+      type: 'google_play',
+      instance_did: tenant,
+      confirmation: { type: 'callback' },
+      features: { recurring: true, refund: true, dispute: false },
+      settings: models.PaymentMethod.encryptSettings({
+        google_play: { package_name: packageName, service_account_json: '{"client_email":"x","private_key":"y"}' },
+      }),
+    })
+  );
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  models = require('../../src/store/models');
+  models.initialize(sequelize);
+  // eslint-disable-next-line global-require
+  const googlePlay = require('../../src/routes/hono/integrations/google-play').default;
+  // eslint-disable-next-line global-require
+  const appStore = require('../../src/routes/hono/integrations/app-store').default;
+  // eslint-disable-next-line global-require
+  const { mountResourceGroup } = require('../../src/middlewares/hono/resource-mount');
+  // Mount exactly as production does (app-shell pipeline → sanitizedBody/livemode
+  // populated, csrf skipped without a cookie). Drive via app.fetch — single-mode
+  // test env, so contextMiddleware resolves the default tenant without a Host.
+  app = new Hono();
+  mountResourceGroup(app, '/api/integrations/google-play', googlePlay);
+  mountResourceGroup(app, '/api/integrations/app-store', appStore);
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+beforeEach(async () => {
+  // restoreMocks=true resets spies after each test — re-install per test.
+  // the App Store client is exercised elsewhere; here it must only verify
+  jest
+    .spyOn(models.PaymentMethod.prototype, 'getAppStoreClient')
+    .mockReturnValue({ verifyNotificationPayload: async (p: string) => JSON.parse(p) } as any);
+  handleGooglePlayEvent.mockClear();
+  handleAppStoreNotification.mockClear();
+  handlerTenants.length = 0;
+  appStoreTenants.length = 0;
+  await sequelize.query('DELETE FROM payment_methods');
+  await sequelize.query('DELETE FROM prices');
+  await sequelize.query('DELETE FROM products');
+});
+
+const seedAppStoreMethod = (tenant: string, bundleId: string) =>
+  withTenant(tenant, () =>
+    models.PaymentMethod.create({
+      livemode: false,
+      active: true,
+      type: 'app_store',
+      instance_did: tenant,
+      confirmation: { type: 'callback' },
+      features: { recurring: true, refund: false, dispute: false },
+      settings: models.PaymentMethod.encryptSettings({
+        app_store: { bundle_id: bundleId, environment: 'production' },
+      }),
+    })
+  );
+
+const postAppStoreWebhook = async (routing: {
+  bundleId: string;
+  environment?: string;
+}): Promise<{ status: number; json: any }> => {
+  const res = await app.fetch(
+    new Request('http://app.local/api/integrations/app-store/webhook', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ signedPayload: JSON.stringify(routing) }),
+    })
+  );
+  return { status: res.status, json: JSON.parse((await res.text()) || '{}') };
+};
+
+describe('IAP channel-identifier tenant reverse lookup (phase 6)', () => {
+  it('happy path: RTDN routes to the tenant that registered the package_name', async () => {
+    await seedMethod(TENANT_A, 'com.tenant.a');
+    await seedMethod(TENANT_B, 'com.tenant.b');
+
+    const res = await postWebhook(rtdnEnvelope('com.tenant.b'));
+    expect(res.status).toBe(200);
+    expect(res.json).toEqual({ received: true });
+    expect(handleGooglePlayEvent).toHaveBeenCalledTimes(1);
+    expect(handlerTenants).toEqual([TENANT_B]);
+  });
+
+  it('bad input: unregistered package_name is acked-skipped without touching any tenant', async () => {
+    await seedMethod(TENANT_A, 'com.tenant.a');
+    const res = await postWebhook(rtdnEnvelope('com.unknown.app'));
+    expect(res.status).toBe(200);
+    expect(res.json).toEqual({ skipped: true });
+    expect(handleGooglePlayEvent).not.toHaveBeenCalled();
+  });
+
+  it('security: ambiguous registration (same package under two tenants) is refused', async () => {
+    await seedMethod(TENANT_A, 'com.shared.app');
+    await seedMethod(TENANT_B, 'com.shared.app');
+    const res = await postWebhook(rtdnEnvelope('com.shared.app'));
+    expect(res.status).toBe(200);
+    expect(res.json.reason).toContain('ambiguous');
+    expect(handleGooglePlayEvent).not.toHaveBeenCalled();
+  });
+
+  it('app-store: JWS bundleId routes to the registering tenant; ambiguity refused', async () => {
+    await seedAppStoreMethod(TENANT_A, 'com.ios.a');
+    await seedAppStoreMethod(TENANT_B, 'com.ios.b');
+
+    const res = await postAppStoreWebhook({ bundleId: 'com.ios.b', environment: 'production' });
+    expect(res.status).toBe(200);
+    expect(res.json).toEqual({ received: true });
+    expect(appStoreTenants).toEqual([TENANT_B]);
+
+    // ambiguity: register the SAME bundle under another tenant -> refused
+    await seedAppStoreMethod(TENANT_A, 'com.ios.b');
+    const dup = await postAppStoreWebhook({ bundleId: 'com.ios.b', environment: 'production' });
+    expect(dup.json.reason).toContain('ambiguous');
+    expect(appStoreTenants).toHaveLength(1); // no second delivery
+  });
+
+  it('data damage: two tenants with the same SKU resolve to their own Price via bundle scoping', async () => {
+    const seedPrice = (tenant: string, bundleId: string, marker: string) =>
+      withTenant(tenant, async () => {
+        const product = await models.Product.create({
+          livemode: false,
+          active: true,
+          instance_did: tenant,
+          name: marker,
+          type: 'service',
+        });
+        return models.Price.create({
+          livemode: false,
+          active: true,
+          instance_did: tenant,
+          product_id: product.id,
+          type: 'recurring',
+          billing_scheme: 'per_unit',
+          unit_amount: '100',
+          currency_options: [],
+          metadata: { app_store_product_id: 'sku.shared', bundle_id: bundleId },
+          nickname: marker,
+        });
+      });
+    const priceA = await seedPrice(TENANT_A, 'com.ios.a', 'price-a');
+    const priceB = await seedPrice(TENANT_B, 'com.ios.b', 'price-b');
+
+    // the (sku, bundle_id) lookup used by the IAP handlers. The handler first
+    // reverse-resolves the tenant from the registering PaymentMethod, then runs
+    // the price lookup under withTenant(tenant) — TenantModel scopes it to that
+    // tenant's row even though both share the SKU.
+    const foundA: any = await withTenant(TENANT_A, () =>
+      models.Price.findOne({
+        where: { 'metadata.app_store_product_id': 'sku.shared', 'metadata.bundle_id': 'com.ios.a' } as any,
+      })
+    );
+    const foundB: any = await withTenant(TENANT_B, () =>
+      models.Price.findOne({
+        where: { 'metadata.app_store_product_id': 'sku.shared', 'metadata.bundle_id': 'com.ios.b' } as any,
+      })
+    );
+    expect(foundA.id).toBe(priceA.id);
+    expect(foundA.instance_did).toBe(TENANT_A);
+    expect(foundB.id).toBe(priceB.id);
+    expect(foundB.instance_did).toBe(TENANT_B);
+  });
+
+  it('data leak: a forged notification can only ever land in the registering tenant', async () => {
+    // even if an attacker controls the payload entirely, the tenant is chosen
+    // by the server-side registration, never by payload contents
+    await seedMethod(TENANT_A, 'com.tenant.a');
+    const res = await postWebhook({
+      ...rtdnEnvelope('com.tenant.a'),
+      attacker: { wants: TENANT_B },
+    });
+    expect(res.status).toBe(200);
+    expect(handlerTenants).toEqual([TENANT_A]);
+  });
+});

package/api/tests/libs/archive-query.spec.ts

@@ -124,6 +124,32 @@ describe('archive/query', () => {
       expect(mockClose).toHaveBeenCalled();
     });
 
+    it('洞 G: the data SELECT on a tenant table is instance_did-guarded', async () => {
+      const mockClose = jest.fn();
+      let dataSql = '';
+      let dataOpts: any = null;
+      const mockQuery = jest.fn().mockImplementation((sql: string, opts: any) => {
+        if (sql.includes('sqlite_master')) return [[{ name: 'invoices' }]];
+        dataSql = sql;
+        dataOpts = opts;
+        return [];
+      });
+      mockListArchiveFiles.mockReturnValue(['/tmp/archive-2024.db']);
+      mockOpenArchiveSequelize.mockReturnValue({ query: mockQuery, close: mockClose } as any);
+      mockArchiveMetadataFindAll.mockResolvedValue([]);
+
+      await queryArchive({
+        table: 'invoices',
+        from: Math.floor(new Date('2024-01-01').getTime() / 1000),
+        page: 1,
+        limit: 10,
+      });
+
+      // the archived tenant-table read carries an instance_did predicate + bind
+      expect(dataSql).toMatch(/instance_did/);
+      expect(dataOpts?.replacements?.instance_did).toBeTruthy();
+    });
+
     it('should skip archive files that do not have the requested table', async () => {
       const mockClose = jest.fn();
       // Return empty array for sqlite_master query (table doesn't exist)