payment-kit 1.29.0 → 1.29.2

package/api/tests/libs/cron-driver-d2.spec.ts

@@ -0,0 +1,237 @@
+// D2 (S3.0) — the node-cron driver self-schedules via @abtnode/cron and exposes
+// a teardown surface (stop/dispose). cf-cron stays a passive matcher registry.
+//
+// "Self-schedule" is proven two ways: a runOnInit job runs once at register
+// (the @abtnode/cron live path), and a 1-second cron fires on its own with NO
+// external runDue() tick. Teardown is proven by: after stop() a scheduled job no
+// longer fires, and a stop()/start() cycle re-registers without double-firing.
+
+import fs from 'fs';
+import path from 'path';
+import { createCronRegistry } from '../../src/libs/drivers/cron';
+import { setCoreConfig } from '../../src/libs/env';
+
+const flush = () => new Promise((r) => setTimeout(r, 20));
+const wait = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+// real-timer 1s cron tests give the suite a little headroom
+jest.setTimeout(15000);
+
+describe('D2 — node-cron driver self-schedules (no external tick)', () => {
+  it('a runOnInit job runs once at register via the live @abtnode/cron path', async () => {
+    const driver = createCronRegistry('node-cron');
+    let ran = 0;
+    driver.register([
+      {
+        name: 'd2.init',
+        time: '0 0 0 1 1 *',
+        fn: () => {
+          ran += 1;
+        },
+        options: { runOnInit: true },
+      },
+    ]);
+    await flush();
+    expect(ran).toBe(1);
+    driver.stop();
+  });
+
+  it('a 1-second cron fires by itself with no runDue() call', async () => {
+    const driver = createCronRegistry('node-cron');
+    let ticks = 0;
+    driver.register([
+      {
+        name: 'd2.every-sec',
+        time: '*/1 * * * * *',
+        fn: () => {
+          ticks += 1;
+        },
+        options: { runOnInit: false },
+      },
+    ]);
+    await wait(2200); // ~2 self-scheduled ticks, zero external runDue
+    driver.stop();
+    expect(ticks).toBeGreaterThanOrEqual(1);
+  });
+});
+
+describe('D2 — multi mode skips runOnInit (matches CF; avoids tenant-less startup push)', () => {
+  afterEach(() => setCoreConfig(undefined));
+
+  it('a runOnInit job does NOT fire at register in multi mode', async () => {
+    setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+    const driver = createCronRegistry('node-cron');
+    let ran = 0;
+    driver.register([
+      {
+        name: 'm.init',
+        time: '0 0 0 1 1 *',
+        fn: () => {
+          ran += 1;
+        },
+        options: { runOnInit: true },
+      },
+    ]);
+    await flush();
+    expect(ran).toBe(0); // skipped in multi — the job runs on its next scheduled tick
+    driver.stop();
+  });
+
+  it('single mode STILL honors runOnInit (the default tenant is always present)', async () => {
+    setCoreConfig({ PAYMENT_TENANT_MODE: 'single' });
+    const driver = createCronRegistry('node-cron');
+    let ran = 0;
+    driver.register([
+      {
+        name: 's.init',
+        time: '0 0 0 1 1 *',
+        fn: () => {
+          ran += 1;
+        },
+        options: { runOnInit: true },
+      },
+    ]);
+    await flush();
+    expect(ran).toBe(1); // single keeps runOnInit
+    driver.stop();
+  });
+});
+
+describe('D2 — register receives all jobs (conservation)', () => {
+  it('getJobNames lists every registered job in order', () => {
+    const driver = createCronRegistry('node-cron');
+    driver.register([
+      { name: 'a', time: '0 0 0 1 1 *', fn: () => {} },
+      { name: 'b', time: '0 0 0 1 1 *', fn: () => {} },
+      { name: 'c', time: '0 0 0 1 1 *', fn: () => {} },
+    ]);
+    expect(driver.getJobNames().map((s) => s.split(' ')[0])).toEqual(['a', 'b', 'c']);
+    driver.stop();
+  });
+
+  it('SECURITY/conservation: no bare @abtnode/cron import or Cron.init survives in api/src', () => {
+    // the only allowed reference is the lazy require() inside the driver itself.
+    const root = path.resolve(__dirname, '../../src');
+    const offenders: string[] = [];
+    const walk = (dir: string) => {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        const full = path.join(dir, entry.name);
+        if (entry.isDirectory()) walk(full);
+        else if (entry.name.endsWith('.ts')) {
+          const src = fs.readFileSync(full, 'utf8');
+          if (/import\s+[^;]*from\s+['"]@abtnode\/cron['"]/.test(src)) offenders.push(`${full}: import`);
+          if (/\bCron\.init\s*\(/.test(src)) offenders.push(`${full}: Cron.init`);
+        }
+      }
+    };
+    walk(root);
+    expect(offenders).toEqual([]);
+  });
+});
+
+describe('D2 — a throwing job routes to onError, does not crash the driver', () => {
+  it('onError receives (err, name); other jobs keep running', async () => {
+    const driver = createCronRegistry('node-cron');
+    const errs: Array<{ name: string; message: string }> = [];
+    let okRan = 0;
+    driver.register(
+      [
+        {
+          name: 'boom',
+          time: '0 0 0 1 1 *',
+          fn: () => {
+            throw new Error('kaboom');
+          },
+          options: { runOnInit: true },
+        },
+        {
+          name: 'ok',
+          time: '0 0 0 1 1 *',
+          fn: () => {
+            okRan += 1;
+          },
+          options: { runOnInit: true },
+        },
+      ],
+      (err, name) => errs.push({ name, message: err.message })
+    );
+    await flush();
+    expect(errs).toEqual([{ name: 'boom', message: 'kaboom' }]);
+    expect(okRan).toBe(1);
+    driver.stop();
+  });
+});
+
+describe('D2 — teardown: stop() kills the timer, start()/stop() is idempotent', () => {
+  it('after stop() a 1-second cron no longer fires', async () => {
+    const driver = createCronRegistry('node-cron');
+    let ticks = 0;
+    driver.register([
+      {
+        name: 'tear',
+        time: '*/1 * * * * *',
+        fn: () => {
+          ticks += 1;
+        },
+      },
+    ]);
+    driver.stop();
+    const before = ticks;
+    await wait(2200);
+    expect(ticks).toBe(before); // no fires after stop — timer was cleared
+  });
+
+  it('stop() then re-register does not double-fire (job set idempotent)', async () => {
+    const driver = createCronRegistry('node-cron');
+    let ran = 0;
+    const jobs = [
+      {
+        name: 'idem',
+        time: '0 0 0 1 1 *',
+        fn: () => {
+          ran += 1;
+        },
+        options: { runOnInit: true },
+      },
+    ];
+    driver.register(jobs);
+    await flush();
+    expect(ran).toBe(1);
+    driver.stop();
+    driver.register(jobs); // restart
+    await flush();
+    expect(ran).toBe(2); // exactly one more — not 3+ (old scheduler was torn down)
+    driver.stop();
+  });
+
+  it('dispose() clears the registry', () => {
+    const driver = createCronRegistry('node-cron');
+    driver.register([{ name: 'x', time: '0 0 0 1 1 *', fn: () => {} }]);
+    expect(driver.getJobNames().length).toBe(1);
+    driver.dispose();
+    expect(driver.getJobNames().length).toBe(0);
+  });
+});
+
+describe('D2 — cf-cron driver stays passive (no self-scheduling timer)', () => {
+  it('cf-cron does not run jobs on register; host drives runDue()', async () => {
+    const driver = createCronRegistry('cf-cron');
+    let ran = 0;
+    driver.register([
+      {
+        name: 'cf',
+        time: '*/1 * * * * *',
+        fn: () => {
+          ran += 1;
+        },
+        options: { runOnInit: true },
+      },
+    ]);
+    await wait(1200);
+    expect(ran).toBe(0); // no self-scheduling, runOnInit skipped on CF
+    const result = await driver.runDue(new Date());
+    expect(result.ran).toContain('cf');
+    driver.stop(); // no-op, must not throw
+    expect(ran).toBe(1);
+  });
+});

package/api/tests/libs/crons-conservation-d2.spec.ts

@@ -0,0 +1,52 @@
+// D2 (S3.0) — conservation: crons/index registers its FULL declared job set
+// through a single getCronDriver().register() call, with no bare @abtnode/cron
+// channel left behind. Verified at the source level (parsing crons/index.ts)
+// rather than by importing it — importing the whole crons graph pulls heavy
+// integration ESM deps outside this test's concern. Combined with the scanner
+// in cron-driver-d2.spec ("no bare @abtnode/cron import / Cron.init anywhere"),
+// this proves: ONE registration channel, carrying the whole declared set.
+
+import fs from 'fs';
+import path from 'path';
+
+const CRONS_SRC = path.resolve(__dirname, '../../src/crons/index.ts');
+
+describe('D2 — crons/index conservation (single driver channel, full job set)', () => {
+  const src = fs.readFileSync(CRONS_SRC, 'utf8');
+
+  it('registers through getCronDriver().register() exactly once (no bare Cron.init)', () => {
+    const registerCalls = src.match(/getCronDriver\(\)\.register\(/g) || [];
+    expect(registerCalls.length).toBe(1);
+    expect(src).not.toMatch(/Cron\.init\s*\(/);
+    expect(src).not.toMatch(/from\s+['"]@abtnode\/cron['"]/);
+  });
+
+  it('the declared job set reaches the driver in full (>=18 distinct named jobs)', () => {
+    const names = [...src.matchAll(/name:\s*'([^']+)'/g)].map((m) => m[1]);
+    // every job declared in the register([...]) array is a name: '...' literal
+    expect(names).toEqual(
+      expect.arrayContaining([
+        'subscription.will.renew',
+        'subscription.trial.will.end',
+        'customer.subscription.will_canceled',
+        'subscription.schedule.retry',
+        'refund.recovery',
+        'checkoutSession.cleanup.expired',
+        'stripe.invoice.sync',
+        'stripe.payment.sync',
+        'stripe.subscription.sync',
+        'customer.stake.revoked',
+        'iap.reconcile',
+        'event.retry',
+        'payment.stat',
+        'payment.daily.report',
+        'deposit.vault',
+        'credit.consumption',
+        'vendor.status.check',
+        'vendor.return.scan',
+      ])
+    );
+    expect(names.length).toBeGreaterThanOrEqual(18);
+    expect(new Set(names).size).toBe(names.length); // no duplicate names
+  });
+});

package/api/tests/libs/lock-tenant.spec.ts

@@ -0,0 +1,66 @@
+// Phase 8 (W2-1a): the libs/lock facade — tenant prefix + fail-closed.
+//
+// The driver-level semantics live in packages/payment-core/tests/drivers; this
+// spec covers the facade behavior that the call sites depend on: tenant
+// prefixing, the global-scope exemption, and multi-mode fail-closed.
+//
+// Dynamic require() is required: each case re-imports lock.ts after setting the
+// tenant-mode env + jest.resetModules so the module-level driver is fresh.
+/* eslint-disable global-require, import/no-dynamic-require */
+
+describe('getLock facade — tenant prefix + fail-closed', () => {
+  const ORIGINAL_MODE = process.env.PAYMENT_TENANT_MODE;
+
+  afterEach(() => {
+    if (ORIGINAL_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+    else process.env.PAYMENT_TENANT_MODE = ORIGINAL_MODE;
+    jest.resetModules();
+  });
+
+  it('rejects an empty lock name', () => {
+    const { getLock } = require('../../src/libs/lock');
+    expect(() => getLock('')).toThrow(/non-empty lock name/);
+  });
+
+  it('multi mode: tenant-scoped getLock without context fails closed', () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    jest.resetModules();
+    const { getLock } = require('../../src/libs/lock');
+    let code: string | undefined;
+    try {
+      getLock('payment-intent-1');
+    } catch (e: any) {
+      code = e.code;
+    }
+    expect(code).toBe('TENANT_CONTEXT_MISSING');
+  });
+
+  it('multi mode: global-scoped getLock needs no tenant', () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    jest.resetModules();
+    const { getLock } = require('../../src/libs/lock');
+    const lock = getLock('startInvoiceQueue', { scope: 'global' });
+    expect(lock.name).toBe('startInvoiceQueue');
+  });
+
+  it('multi mode: tenant-scoped getLock inside withTenant carries the prefix', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    jest.resetModules();
+    const { getLock } = require('../../src/libs/lock');
+    const { withTenant } = require('../../src/libs/context');
+    await withTenant('did:abt:TENANT_A', () => {
+      const lock = getLock('payment-intent-1');
+      expect(lock.name).toBe('tenant:did:abt:TENANT_A::payment-intent-1');
+    });
+  });
+
+  it('single mode: tenant-scoped getLock falls back to the deployment app DID prefix', () => {
+    process.env.PAYMENT_TENANT_MODE = 'single';
+    jest.resetModules();
+    const { getLock } = require('../../src/libs/lock');
+    const lock = getLock('payment-intent-1');
+    // single mode never fails closed — name is prefixed with the constant default tenant
+    expect(lock.name.startsWith('tenant:')).toBe(true);
+    expect(lock.name.endsWith('::payment-intent-1')).toBe(true);
+  });
+});

package/api/tests/libs/scoped.spec.ts

@@ -0,0 +1,222 @@
+import { execFileSync } from 'child_process';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_CONTEXT_MISSING, TENANT_MISMATCH } from '../../src/libs/tenant';
+import {
+  scopedAggregate,
+  scopedCount,
+  scopedCreate,
+  scopedDestroy,
+  scopedFindAll,
+  scopedFindByPk,
+  scopedFindOne,
+  scopedQuery,
+  scopedSum,
+  scopedUpdate,
+} from '../../src/store/scoped';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+
+// real DB: full migration chain on a temp file, then bind the model
+// singletons to it (order matters — initialize() after DDL, see
+// tenant-columns-model.spec.ts for why)
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'scoped-spec-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let Customer: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  const models = require('../../src/store/models');
+  models.initialize(sequelize);
+  Customer = models.Customer;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+const seedCustomer = (tenant: string, did: string) =>
+  withTenant(tenant, () => scopedCreate(Customer, { livemode: false, did, delinquent: false }));
+
+describe('scoped helpers (phase 3)', () => {
+  beforeEach(async () => {
+    await sequelize.query('DELETE FROM customers');
+  });
+
+  describe('happy path', () => {
+    it('scoped find returns only the active tenant rows; create stamps the tenant', async () => {
+      await seedCustomer(TENANT_A, 'z-user-a');
+      await seedCustomer(TENANT_B, 'z-user-b');
+
+      const aRows = await withTenant(TENANT_A, () => scopedFindAll(Customer));
+      expect(aRows.map((r: any) => r.did)).toEqual(['z-user-a']);
+      expect((aRows[0] as any).instance_did).toBe(TENANT_A);
+
+      const bRows = await withTenant(TENANT_B, () => scopedFindAll(Customer));
+      expect(bRows.map((r: any) => r.did)).toEqual(['z-user-b']);
+    });
+  });
+
+  describe('bad input', () => {
+    it('multi mode without context fails closed', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      try {
+        await expect(scopedFindAll(Customer)).rejects.toMatchObject({ code: TENANT_CONTEXT_MISSING });
+      } finally {
+        delete process.env.PAYMENT_TENANT_MODE;
+      }
+    });
+
+    it('raw SQL without an instance_did binding is refused', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(() => scopedQuery(sequelize, 'SELECT * FROM customers')).toThrow(
+          expect.objectContaining({ code: TENANT_MISMATCH })
+        );
+      });
+    });
+
+    it('raw SQL with the binding is auto-supplied the active tenant', async () => {
+      await seedCustomer(TENANT_A, 'z-user-a');
+      await seedCustomer(TENANT_B, 'z-user-b');
+      const [rows] = await withTenant(TENANT_A, () =>
+        scopedQuery(sequelize, 'SELECT did FROM customers WHERE instance_did = $instance_did')
+      );
+      expect((rows as any[]).map((r) => r.did)).toEqual(['z-user-a']);
+    });
+  });
+
+  describe('security', () => {
+    it('explicit foreign where.instance_did is rejected, not silently overridden', async () => {
+      await withTenant(TENANT_A, async () => {
+        await expect(scopedFindAll(Customer, { where: { instance_did: TENANT_B } as any })).rejects.toMatchObject({
+          code: TENANT_MISMATCH,
+        });
+      });
+    });
+
+    it('explicit foreign instance_did on create is rejected', async () => {
+      await withTenant(TENANT_A, async () => {
+        await expect(
+          scopedCreate(Customer, { livemode: false, did: 'z-x', delinquent: false, instance_did: TENANT_B })
+        ).rejects.toMatchObject({ code: TENANT_MISMATCH });
+      });
+    });
+
+    it('scanner flags the deliberately-violating fixture file (raw query, no $instance_did)', () => {
+      const fixture = path.join(__dirname, '../fixtures/bare-query-violation.ts');
+      let failed = false;
+      let output = '';
+      try {
+        execFileSync('node', [path.join(__dirname, '../../../scripts/scan-tenant-queries.js'), '--json', fixture], {
+          encoding: 'utf8',
+        });
+      } catch (err: any) {
+        failed = true;
+        output = err.stdout || '';
+      }
+      expect(failed).toBe(true);
+      const result = JSON.parse(output);
+      expect(result.violations.length).toBeGreaterThan(0);
+      expect(result.violations[0].file).toContain('bare-query-violation.ts');
+      expect(result.violations[0].line).toBeGreaterThan(0);
+    });
+  });
+
+  describe('data loss', () => {
+    it('scoped destroy/update only touch the active tenant rows', async () => {
+      await seedCustomer(TENANT_A, 'z-user-a');
+      await seedCustomer(TENANT_B, 'z-user-b');
+
+      await withTenant(TENANT_A, () => scopedDestroy(Customer, { where: {} }));
+      const [allRows] = await sequelize.query('SELECT did, instance_did FROM customers');
+      expect(allRows).toHaveLength(1);
+      expect((allRows as any[])[0].instance_did).toBe(TENANT_B);
+
+      await withTenant(TENANT_B, () => scopedUpdate(Customer, { name: 'renamed' }, { where: {} }));
+      const [updated] = await sequelize.query('SELECT name FROM customers');
+      expect((updated as any[])[0].name).toBe('renamed');
+    });
+  });
+
+  describe('data damage', () => {
+    it('findByPk on another tenant row returns null (cross-tenant = not-found, §13.1)', async () => {
+      // Customer now extends TenantModel: scopedFindByPk delegates to the
+      // scoped override, so a cross-tenant pk resolves to null (not-found)
+      // rather than throwing — the unified §13.1 semantics (404, not 403).
+      const created: any = await seedCustomer(TENANT_B, 'z-user-b');
+      await withTenant(TENANT_A, async () => {
+        await expect(scopedFindByPk(Customer, created.id)).resolves.toBeNull();
+      });
+      // same pk under the right tenant works
+      const found: any = await withTenant(TENANT_B, () => scopedFindByPk(Customer, created.id));
+      expect(found.did).toBe('z-user-b');
+    });
+
+    it('scopedUpdate refuses to change instance_did (rows never change tenant)', async () => {
+      await seedCustomer(TENANT_A, 'z-user-a');
+      await withTenant(TENANT_A, async () => {
+        await expect(scopedUpdate(Customer, { instance_did: TENANT_B } as any, { where: {} })).rejects.toMatchObject({
+          code: TENANT_MISMATCH,
+        });
+      });
+    });
+  });
+
+  describe('data leak', () => {
+    it('findOne/count never see the other tenant even with identical data', async () => {
+      await seedCustomer(TENANT_A, 'z-same-shape');
+      await withTenant(TENANT_B, () =>
+        scopedCreate(Customer, { livemode: false, did: 'z-same-shape-b', delinquent: false, name: 'same' })
+      );
+
+      await withTenant(TENANT_A, async () => {
+        expect(await scopedCount(Customer)).toBe(1);
+        const one: any = await scopedFindOne(Customer, { where: { livemode: false } });
+        expect(one.did).toBe('z-same-shape');
+        expect(await scopedFindOne(Customer, { where: { did: 'z-same-shape-b' } })).toBeNull();
+      });
+    });
+
+    it('sum/aggregate are tenant-isolated too', async () => {
+      await withTenant(TENANT_A, () =>
+        scopedCreate(Customer, { livemode: false, did: 'z-sum-a', delinquent: false, next_invoice_sequence: 5 })
+      );
+      await withTenant(TENANT_B, () =>
+        scopedCreate(Customer, { livemode: false, did: 'z-sum-b', delinquent: false, next_invoice_sequence: 11 })
+      );
+      await withTenant(TENANT_A, async () => {
+        expect(await scopedSum(Customer, 'next_invoice_sequence' as any)).toBe(5);
+        expect(await scopedAggregate(Customer, 'next_invoice_sequence' as any, 'max')).toBe(5);
+      });
+      await withTenant(TENANT_B, async () => {
+        expect(await scopedSum(Customer, 'next_invoice_sequence' as any)).toBe(11);
+      });
+    });
+  });
+});

package/api/tests/libs/secrets-facade.spec.ts

@@ -0,0 +1,52 @@
+// Phase 11 (W2-3): the tenant-aware secrets facade resolves the tenant from
+// TenantContext and fails closed in multi mode without context.
+/* eslint-disable global-require */
+
+describe('secrets facade — tenant resolution + fail-closed', () => {
+  const ORIGINAL_MODE = process.env.PAYMENT_TENANT_MODE;
+
+  afterEach(() => {
+    if (ORIGINAL_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+    else process.env.PAYMENT_TENANT_MODE = ORIGINAL_MODE;
+    jest.resetModules();
+  });
+
+  it('multi mode: encryptSecret without tenant context fails closed', () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    jest.resetModules();
+    const { encryptSecret } = require('../../src/libs/secrets');
+    let code: string | undefined;
+    try {
+      encryptSecret('value');
+    } catch (e: any) {
+      code = e.code;
+    }
+    expect(code).toBe('TENANT_CONTEXT_MISSING');
+  });
+
+  it('single mode: encryptSecret/decryptSecret roundtrip via the default (process) key', () => {
+    process.env.PAYMENT_TENANT_MODE = 'single';
+    jest.resetModules();
+    const { encryptSecret, decryptSecret } = require('../../src/libs/secrets');
+    const ct = encryptSecret('stripe-secret');
+    expect(decryptSecret(ct)).toBe('stripe-secret');
+  });
+
+  it('multi mode: inside withTenant, the facade resolves and uses that tenant', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    jest.resetModules();
+    const { withTenant } = require('../../src/libs/context');
+    const { setSecretsDriver, createKeyringSecretsDriver } = require('../../src/libs/drivers');
+    const { encryptSecret, decryptSecret, warmupSecrets } = require('../../src/libs/secrets');
+    const identity = {
+      resolveInstanceDidForHost: () => null,
+      getAppEk: (did: string) => `ek-${did}`,
+    };
+    setSecretsDriver(createKeyringSecretsDriver(identity));
+    await withTenant('did:abt:zFACADE_A', async () => {
+      await warmupSecrets(); // warm current tenant for the sync hot path
+      const ct = encryptSecret('per-tenant');
+      expect(decryptSecret(ct)).toBe('per-tenant');
+    });
+  });
+});