payment-kit 1.29.0 → 1.29.2

package/scripts/e2e-migration-contract.ts

@@ -0,0 +1,100 @@
+/* eslint-disable no-console */
+// Phase 11 (W2′) E2E: the migration-driver contract provisions the embedded D1
+// schema through the db driver — NO wrangler in the library path. Applies the D1
+// SQL migrations via applySqlMigrations over an in-process SQLite db driver,
+// proves idempotency AND per-migration atomicity (a mid-migration failure rolls
+// back fully and a re-run recovers cleanly).
+//
+//   npx tsx scripts/e2e-migration-contract.ts
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+
+import { createNodeDbDriver } from '../api/src/libs/drivers/db';
+import { applySqlMigrations, type SqlMigration } from '../api/src/libs/drivers/migrate-runner';
+import { paymentCoreSqlMigrations } from '../api/src/store/sql-migrations';
+
+// A throwaway FILE-backed SQLite (not :memory:) so pooled connections share one
+// database — matching D1 / arc-node file semantics.
+function freshDriver() {
+  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'mig-')), 'd1.sqlite');
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: file, logging: false, pool: { max: 5 } });
+  return { driver: createNodeDbDriver(sequelize), sequelize };
+}
+
+async function main() {
+  const migrations = paymentCoreSqlMigrations;
+  const checks: Array<[string, boolean]> = [];
+
+  // S11.2 fresh apply via the driver (no wrangler)
+  const a = freshDriver();
+  const firstRun = await applySqlMigrations(a.driver, migrations);
+  console.log(`=== S11.2 apply ${migrations.length} D1 SQL migrations via the db driver (no wrangler) ===`);
+  console.log(JSON.stringify({ applied: firstRun.length, names: firstRun }));
+  checks.push(['all migrations applied', firstRun.length === migrations.length]);
+
+  // S11.3 idempotent re-run
+  const secondRun = await applySqlMigrations(a.driver, migrations);
+  console.log('\n=== S11.3 idempotent re-run ===');
+  console.log(JSON.stringify({ applied_second_run: secondRun.length, idempotent: secondRun.length === 0 }));
+  checks.push(['idempotent re-run', secondRun.length === 0]);
+
+  // S11.4/5 schema + events parity (0008)
+  const tables = (
+    await a.driver.all<{ name: string }>(
+      "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name NOT IN ('_sql_migrations')"
+    )
+  ).map((r) => r.name);
+  const eventsCols = (await a.driver.all<{ name: string }>('PRAGMA table_info("events")')).map((c) => c.name);
+  console.log('\n=== S11.4/5 provisioned schema + events parity (0008) ===');
+  console.log(JSON.stringify({ table_count: tables.length, has_api_version: eventsCols.includes('api_version'), has_metadata: eventsCols.includes('metadata') }));
+  checks.push(['events parity (api_version+metadata)', eventsCols.includes('api_version') && eventsCols.includes('metadata')]);
+  await a.sequelize.close();
+
+  // S11.7 ATOMICITY: a migration whose 2nd statement fails must roll back fully
+  // (no partial column, no tracker row) and a fixed re-run must recover.
+  const b = freshDriver();
+  await applySqlMigrations(b.driver, migrations); // baseline schema
+  const broken: SqlMigration = {
+    name: '9999_atomicity_probe.sql',
+    sql: 'ALTER TABLE `events` ADD COLUMN `probe_col` TEXT;\nINSERT INTO `no_such_table` (x) VALUES (1);',
+  };
+  let threw = false;
+  try {
+    await applySqlMigrations(b.driver, [...migrations, broken]);
+  } catch {
+    threw = true;
+  }
+  const colsAfterFail = (await b.driver.all<{ name: string }>('PRAGMA table_info("events")')).map((c) => c.name);
+  const trackerAfterFail = (await b.driver.all<{ name: string }>("SELECT name FROM _sql_migrations WHERE name='9999_atomicity_probe.sql'")).length;
+  console.log('\n=== S11.7 atomicity: broken migration rolls back fully ===');
+  console.log(JSON.stringify({ threw, probe_col_rolled_back: !colsAfterFail.includes('probe_col'), tracker_not_written: trackerAfterFail === 0 }));
+  checks.push(['broken migration threw', threw]);
+  checks.push(['partial DDL rolled back (no probe_col)', !colsAfterFail.includes('probe_col')]);
+  checks.push(['tracker not written for failed migration', trackerAfterFail === 0]);
+
+  // re-run with the migration FIXED recovers cleanly (no "duplicate column")
+  const fixed: SqlMigration = { name: '9999_atomicity_probe.sql', sql: 'ALTER TABLE `events` ADD COLUMN `probe_col` TEXT;' };
+  const recovery = await applySqlMigrations(b.driver, [...migrations, fixed]);
+  const colsAfterFix = (await b.driver.all<{ name: string }>('PRAGMA table_info("events")')).map((c) => c.name);
+  console.log('\n=== S11.8 fixed re-run recovers (no replay of half-applied DDL) ===');
+  console.log(JSON.stringify({ applied: recovery, probe_col_present: colsAfterFix.includes('probe_col') }));
+  checks.push(['recovery applies the fixed migration', recovery.includes('9999_atomicity_probe.sql') && colsAfterFix.includes('probe_col')]);
+  await b.sequelize.close();
+
+  console.log('\n=== ASSERTIONS ===');
+  let ok = true;
+  for (const [name, pass] of checks) {
+    if (!pass) ok = false;
+    console.log(JSON.stringify({ check: name, pass }));
+  }
+  console.log(JSON.stringify({ success: ok, no_wrangler_in_path: true, migrations_from_package: true }));
+  if (!ok) process.exit(1);
+}
+
+main().catch((err) => {
+  console.error(JSON.stringify({ success: false, error: String(err?.stack || err) }));
+  process.exit(1);
+});

package/scripts/e2e-s0.ts

@@ -0,0 +1,61 @@
+/* eslint-disable no-console */
+// Phase 0 E2E — run real context module calls and print raw JSON evidence.
+import { TENANT_CONTEXT_MISSING, context, getInstanceDid, withTenant } from '../api/src/libs/context';
+
+async function main() {
+  // E1: withTenant fills instanceDid; requestId comes from context.run
+  const e1 = await context.run({ requestedBy: 'e2e' }, () =>
+    withTenant('did:abt:zA', async () => context.getContext())
+  );
+  console.log('=== E1 withTenant + getContext ===');
+  console.log(JSON.stringify(e1));
+
+  // E2 (negative): multi mode without withTenant -> TENANT_CONTEXT_MISSING
+  process.env.PAYMENT_TENANT_MODE = 'multi';
+  console.log('=== E2 multi mode without context (negative) ===');
+  try {
+    getInstanceDid();
+    console.log(JSON.stringify({ unexpected: 'no error thrown' }));
+    process.exit(1);
+  } catch (err: any) {
+    console.log(JSON.stringify({ name: err.name, code: err.code, message: err.message }));
+    if (err.code !== TENANT_CONTEXT_MISSING) process.exit(1);
+  }
+
+  // Adversarial: invalid instanceDid inputs must be rejected
+  console.log('=== E2b adversarial inputs (negative) ===');
+  for (const bad of ['', '   ', 'a b', null, undefined, 123, { toString: () => 'did:abt:zX' }]) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      await withTenant(bad as any, async () => 'never');
+      console.log(JSON.stringify({ input: String(bad), unexpected: 'accepted' }));
+      process.exit(1);
+    } catch (err: any) {
+      console.log(JSON.stringify({ input: String(bad), code: err.code }));
+    }
+  }
+
+  // Adversarial: context does not leak out of scope in multi mode (fail-closed after exit)
+  console.log('=== E2c context does not survive scope exit in multi mode ===');
+  await withTenant('did:abt:zA', async () => {});
+  try {
+    getInstanceDid();
+    console.log(JSON.stringify({ unexpected: 'leaked tenant after scope exit' }));
+    process.exit(1);
+  } catch (err: any) {
+    console.log(JSON.stringify({ afterScopeExit: err.code }));
+  }
+
+  // single mode default fill
+  delete process.env.PAYMENT_TENANT_MODE;
+  process.env.BLOCKLET_APP_PID = process.env.BLOCKLET_APP_PID || 'zE2EDefaultAppPid';
+  console.log('=== E2d single mode default fill ===');
+  console.log(JSON.stringify({ singleModeDefault: getInstanceDid() }));
+
+  console.log(JSON.stringify({ success: true }));
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/e2e-s1.ts

@@ -0,0 +1,107 @@
+/* eslint-disable no-console */
+// Phase 1 E2E — run the full Umzug chain on a throwaway sqlite file, prove the
+// instance_did column exists on all 38 tables, then prove down removes it
+// without losing rows. Raw JSON only.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+async function main() {
+  // blocklet env must exist before importing any app module
+  const { fromRandom } = await import('@ocap/wallet');
+  const { types } = await import('@ocap/mcrypto');
+  const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s1-'));
+  // mirror tools/jest-setup.js so import-time env checks pass
+  process.env.ABT_NODE_DID = wallet.address;
+  process.env.ABT_NODE_PK = wallet.publicKey;
+  process.env.ABT_NODE_PORT = '8089';
+  process.env.ABT_NODE_SERVICE_PORT = '40406';
+  process.env.BLOCKLET_MODE = 'test';
+  process.env.BLOCKLET_DID = wallet.address;
+  process.env.BLOCKLET_COMPONENT_DID = wallet.address;
+  process.env.BLOCKLET_LOG_DIR = tmp;
+  process.env.BLOCKLET_DATA_DIR = tmp;
+  process.env.BLOCKLET_APP_PK = wallet.publicKey;
+  process.env.BLOCKLET_APP_SK = wallet.secretKey;
+  process.env.BLOCKLET_APP_PSK = wallet.secretKey;
+  process.env.BLOCKLET_APP_EK = wallet.secretKey;
+  process.env.BLOCKLET_APP_PID = wallet.address;
+  process.env.BLOCKLET_APP_ID = wallet.address;
+  process.env.BLOCKLET_APP_IDS = wallet.address;
+  process.env.BLOCKLET_APP_NAME = 'payment-kit-e2e';
+  process.env.BLOCKLET_APP_DESCRIPTION = 'payment-kit-e2e';
+  process.env.BLOCKLET_APP_URL = 'http://127.0.0.1:3030';
+  process.env.BLOCKLET_MOUNT_POINTS = JSON.stringify([
+    { title: 'e2e', did: wallet.address, name: 'e2e', version: '0.0.1', mountPoint: '/', status: 6, port: 8181, resources: [] },
+  ]);
+
+  const { Sequelize } = await import('sequelize');
+  const { SequelizeStorage, Umzug } = await import('umzug');
+  const { TENANT_TABLES } = await import('../api/src/store/tenant-tables');
+
+  const dbPath = path.join(tmp, 'e2e.db');
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: dbPath, logging: false });
+  const storeDir = path.resolve(__dirname, '../api/src/store');
+  const umzug = new Umzug({
+    migrations: {
+      glob: ['migrations/*.ts', { cwd: storeDir }],
+      resolve: ({ name, path: p, context }) => {
+        // eslint-disable-next-line import/no-dynamic-require, global-require
+        const migration = require(p!);
+        return {
+          name: name.replace(/\.ts$/, '.js'),
+          up: () => migration.up({ context }),
+          down: () => migration.down({ context }),
+        };
+      },
+    },
+    context: sequelize.getQueryInterface(),
+    storage: new SequelizeStorage({ sequelize }),
+    logger: undefined,
+  });
+
+  await umzug.up();
+
+  // E1: every tenant table has the nullable column
+  console.log('=== E1 umzug up: instance_did present on all 38 tables ===');
+  const e1: { table: string; name: string; notnull: number }[] = [];
+  for (const table of TENANT_TABLES) {
+    // eslint-disable-next-line no-await-in-loop
+    const [rows] = await sequelize.query(
+      `SELECT name, "notnull" FROM pragma_table_info('${table}') WHERE name = 'instance_did'`
+    );
+    const row = (rows as any[])[0];
+    e1.push({ table, name: row?.name, notnull: row?.notnull });
+  }
+  console.log(JSON.stringify(e1));
+  const missing = e1.filter((r) => r.name !== 'instance_did');
+  console.log(JSON.stringify({ tables: e1.length, missing: missing.length }));
+  if (e1.length !== 38 || missing.length > 0) process.exit(1);
+
+  // E3 (negative): down removes the column, business rows survive
+  const [before] = await sequelize.query('SELECT COUNT(*) AS n FROM payment_currencies');
+  await umzug.down();
+  const [cols] = await sequelize.query(
+    "SELECT name FROM pragma_table_info('customers') WHERE name = 'instance_did'"
+  );
+  const [after] = await sequelize.query('SELECT COUNT(*) AS n FROM payment_currencies');
+  console.log('=== E3 umzug down: column gone, rows preserved (negative) ===');
+  console.log(
+    JSON.stringify({
+      instanceDidColumnsAfterDown: (cols as any[]).length,
+      paymentCurrenciesBefore: (before as any[])[0].n,
+      paymentCurrenciesAfter: (after as any[])[0].n,
+    })
+  );
+  if ((cols as any[]).length !== 0) process.exit(1);
+  if ((before as any[])[0].n !== (after as any[])[0].n) process.exit(1);
+
+  console.log(JSON.stringify({ success: true }));
+  await sequelize.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/e2e-s2.ts

@@ -0,0 +1,178 @@
+/* eslint-disable no-console, no-await-in-loop */
+// Phase 2 E2E — backfill + unique key revisions on a throwaway sqlite DB.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+async function main() {
+  const { fromRandom } = await import('@ocap/wallet');
+  const { types } = await import('@ocap/mcrypto');
+  const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s2-'));
+  Object.assign(process.env, {
+    ABT_NODE_DID: wallet.address,
+    ABT_NODE_PK: wallet.publicKey,
+    ABT_NODE_PORT: '8089',
+    ABT_NODE_SERVICE_PORT: '40406',
+    BLOCKLET_MODE: 'test',
+    BLOCKLET_DID: wallet.address,
+    BLOCKLET_COMPONENT_DID: wallet.address,
+    BLOCKLET_LOG_DIR: tmp,
+    BLOCKLET_DATA_DIR: tmp,
+    BLOCKLET_APP_PK: wallet.publicKey,
+    BLOCKLET_APP_SK: wallet.secretKey,
+    BLOCKLET_APP_PSK: wallet.secretKey,
+    BLOCKLET_APP_EK: wallet.secretKey,
+    BLOCKLET_APP_PID: wallet.address,
+    BLOCKLET_APP_ID: wallet.address,
+    BLOCKLET_APP_IDS: wallet.address,
+    BLOCKLET_APP_NAME: 'payment-kit-e2e',
+    BLOCKLET_APP_DESCRIPTION: 'payment-kit-e2e',
+    BLOCKLET_APP_URL: 'http://127.0.0.1:3030',
+    BLOCKLET_MOUNT_POINTS: JSON.stringify([
+      {
+        title: 'e2e',
+        did: wallet.address,
+        name: 'e2e',
+        version: '0.0.1',
+        mountPoint: '/',
+        status: 6,
+        port: 8181,
+        resources: [],
+      },
+    ]),
+  });
+
+  const { Sequelize } = await import('sequelize');
+  const { SequelizeStorage, Umzug } = await import('umzug');
+  const { TENANT_TABLES } = await import('../api/src/store/tenant-tables');
+  const { runTenantBackfill } = await import('../api/src/store/tenant-backfill');
+
+  const storeDir = path.resolve(__dirname, '../api/src/store');
+  const makeHarness = (file: string) => {
+    const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(tmp, file), logging: false });
+    const umzug = new Umzug({
+      migrations: {
+        glob: ['migrations/*.ts', { cwd: storeDir }],
+        resolve: ({ name, path: p, context }) => {
+          // eslint-disable-next-line import/no-dynamic-require, global-require
+          const migration = require(p!);
+          return {
+            name: name.replace(/\.ts$/, '.js'),
+            up: () => migration.up({ context }),
+            down: () => migration.down({ context }),
+          };
+        },
+      },
+      context: sequelize.getQueryInterface(),
+      storage: new SequelizeStorage({ sequelize }),
+      logger: undefined,
+    });
+    return { sequelize, umzug };
+  };
+
+  // --- E1: seed NULL rows, run backfill, prove zero NULLs per table
+  const h1 = makeHarness('e1.db');
+  await h1.umzug.up();
+  await h1.umzug.down(); // back to phase 1 state (columns exist, no backfill)
+  const now = new Date().toISOString();
+  await h1.sequelize.query(
+    `INSERT INTO customers (id, livemode, did, delinquent, created_at, updated_at) VALUES ('cus_e1', 0, 'z-e1', 0, '${now}', '${now}')`
+  );
+  await h1.sequelize.query(
+    `INSERT INTO products (id, livemode, active, name, type, created_at, updated_at) VALUES ('prod_e1', 0, 1, 'e1', 'service', '${now}', '${now}')`
+  );
+  await h1.umzug.up(); // backfill migration
+
+  console.log('=== E1 backfill: zero NULLs across all 38 tables ===');
+  const e1: { table: string; nulls: number }[] = [];
+  for (const table of TENANT_TABLES) {
+    const [rows] = await h1.sequelize.query(`SELECT COUNT(*) AS n FROM ${table} WHERE instance_did IS NULL`);
+    e1.push({ table, nulls: (rows as any[])[0].n });
+  }
+  console.log(JSON.stringify(e1));
+  if (e1.some((r) => r.nulls !== 0)) process.exit(1);
+  const [filled] = await h1.sequelize.query("SELECT instance_did FROM customers WHERE id = 'cus_e1'");
+  console.log(JSON.stringify({ backfilledValue: (filled as any[])[0].instance_did, appPid: wallet.address }));
+
+  // --- E2: per-tenant unique key, cross-tenant duplicates allowed
+  console.log('=== E2 unique key: (A,CODE1) ok, (B,CODE1) ok, (A,CODE1) rejected ===');
+  const promo = (id: string, tenant: string) =>
+    h1.sequelize.query(
+      `INSERT INTO promotion_codes (id, livemode, active, code, coupon_id, instance_did, created_at, updated_at)
+       VALUES ('${id}', 0, 1, 'CODE1', 'coup_x', '${tenant}', '${now}', '${now}')`
+    );
+  await promo('promo_a', 'did:abt:zTenantA');
+  console.log(JSON.stringify({ insert: 'promo_a tenant A', ok: true }));
+  await promo('promo_b', 'did:abt:zTenantB');
+  console.log(JSON.stringify({ insert: 'promo_b tenant B (same code)', ok: true }));
+  try {
+    await promo('promo_a2', 'did:abt:zTenantA');
+    console.log(JSON.stringify({ unexpected: 'duplicate accepted' }));
+    process.exit(1);
+  } catch (err: any) {
+    console.log(
+      JSON.stringify({ insert: 'promo_a2 tenant A duplicate', error: err.original?.message || err.message })
+    );
+  }
+
+  // --- E3 (negative): backfill without phase 1 columns fails loudly
+  console.log('=== E3 backfill on a DB without phase 1 (negative) ===');
+  const h3 = makeHarness('e3.db');
+  await h3.umzug.up();
+  await h3.umzug.down(); // revert backfill
+  await h3.umzug.down(); // revert tenant columns -> pre-phase-1 schema
+  try {
+    await runTenantBackfill(h3.sequelize as any);
+    console.log(JSON.stringify({ unexpected: 'backfill succeeded without phase 1' }));
+    process.exit(1);
+  } catch (err: any) {
+    console.log(JSON.stringify({ error: err.message }));
+  }
+  const [pragma] = await h3.sequelize.query(
+    "SELECT COUNT(*) AS n FROM pragma_table_info('customers') WHERE name = 'instance_did'"
+  );
+  console.log(JSON.stringify({ instanceDidColumnsAfterFailedBackfill: (pragma as any[])[0].n }));
+
+  // --- L3 adversarial: suspicious app DID must never reach DDL. The app DID
+  // is snapshotted at SDK import, so the malicious value must be present from
+  // process start -> run the attempt in a child process.
+  console.log('=== L3 adversarial: app DID with a quote refused before DDL ===');
+  const h4 = makeHarness('e4.db');
+  await h4.umzug.up({ to: '20260610-tenant-columns.js' } as any);
+  const { execFileSync } = await import('child_process');
+  const childScript = `
+    const path = require('path');
+    (async () => {
+      const { Sequelize } = require('sequelize');
+      const { runTenantBackfill } = require(${JSON.stringify(path.join(storeDir, 'tenant-backfill.ts'))});
+      const sequelize = new Sequelize({ dialect: 'sqlite', storage: ${JSON.stringify(path.join(tmp, 'e4.db'))}, logging: false });
+      try {
+        await runTenantBackfill(sequelize);
+        console.log(JSON.stringify({ unexpected: 'suspicious DID accepted' }));
+        process.exit(2);
+      } catch (err) {
+        console.log(JSON.stringify({ error: String(err.message).slice(0, 140) }));
+      }
+      await sequelize.close();
+    })();
+  `;
+  const childOut = execFileSync('npx', ['tsx', '-e', childScript], {
+    env: { ...process.env, BLOCKLET_APP_PID: "z'); DROP TABLE customers; --" },
+    encoding: 'utf8',
+  });
+  console.log(childOut.trim().split('\n').pop());
+  const [still] = await h4.sequelize.query("SELECT COUNT(*) AS n FROM sqlite_master WHERE name = 'customers'");
+  console.log(JSON.stringify({ customersTableSurvives: (still as any[])[0].n === 1 }));
+  if ((still as any[])[0].n !== 1) process.exit(1);
+
+  console.log(JSON.stringify({ success: true }));
+  await h1.sequelize.close();
+  await h3.sequelize.close();
+  await h4.sequelize.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/e2e-s3.ts

@@ -0,0 +1,110 @@
+/* eslint-disable no-console */
+// Phase 3 E2E — scoped helpers against a real dual-tenant sqlite DB.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+async function main() {
+  const { fromRandom } = await import('@ocap/wallet');
+  const { types } = await import('@ocap/mcrypto');
+  const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s3-'));
+  Object.assign(process.env, {
+    ABT_NODE_DID: wallet.address,
+    ABT_NODE_PK: wallet.publicKey,
+    ABT_NODE_PORT: '8089',
+    ABT_NODE_SERVICE_PORT: '40406',
+    BLOCKLET_MODE: 'test',
+    BLOCKLET_DID: wallet.address,
+    BLOCKLET_COMPONENT_DID: wallet.address,
+    BLOCKLET_LOG_DIR: tmp,
+    BLOCKLET_DATA_DIR: tmp,
+    BLOCKLET_APP_PK: wallet.publicKey,
+    BLOCKLET_APP_SK: wallet.secretKey,
+    BLOCKLET_APP_PSK: wallet.secretKey,
+    BLOCKLET_APP_EK: wallet.secretKey,
+    BLOCKLET_APP_PID: wallet.address,
+    BLOCKLET_APP_ID: wallet.address,
+    BLOCKLET_APP_IDS: wallet.address,
+    BLOCKLET_APP_NAME: 'payment-kit-e2e',
+    BLOCKLET_APP_DESCRIPTION: 'payment-kit-e2e',
+    BLOCKLET_APP_URL: 'http://127.0.0.1:3030',
+    BLOCKLET_MOUNT_POINTS: JSON.stringify([
+      {
+        title: 'e2e',
+        did: wallet.address,
+        name: 'e2e',
+        version: '0.0.1',
+        mountPoint: '/',
+        status: 6,
+        port: 8181,
+        resources: [],
+      },
+    ]),
+  });
+
+  const { Sequelize } = await import('sequelize');
+  const { SequelizeStorage, Umzug } = await import('umzug');
+
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(tmp, 'e2e.db'), logging: false });
+  const storeDir = path.resolve(__dirname, '../api/src/store');
+  const umzug = new Umzug({
+    migrations: {
+      glob: ['migrations/*.ts', { cwd: storeDir }],
+      resolve: ({ name, path: p, context }) => {
+        // eslint-disable-next-line import/no-dynamic-require, global-require
+        const migration = require(p!);
+        return {
+          name: name.replace(/\.ts$/, '.js'),
+          up: () => migration.up({ context }),
+          down: () => migration.down({ context }),
+        };
+      },
+    },
+    context: sequelize.getQueryInterface(),
+    storage: new SequelizeStorage({ sequelize }),
+    logger: undefined,
+  });
+  await umzug.up();
+
+  const models = await import('../api/src/store/models');
+  models.initialize(sequelize);
+  const { withTenant } = await import('../api/src/libs/context');
+  const { scopedCreate, scopedFindAll, scopedFindByPk } = await import('../api/src/store/scoped');
+
+  const TENANT_A = 'did:abt:zTenantAAAA';
+  const TENANT_B = 'did:abt:zTenantBBBB';
+
+  // E3: dual-tenant seed, scoped findAll sees only its own rows
+  await withTenant(TENANT_A, () =>
+    scopedCreate(models.Customer as any, { livemode: false, did: 'z-user-a', delinquent: false })
+  );
+  const bCustomer: any = await withTenant(TENANT_B, () =>
+    scopedCreate(models.Customer as any, { livemode: false, did: 'z-user-b', delinquent: false })
+  );
+
+  console.log('=== E3 dual-tenant scoped findAll ===');
+  const aView = await withTenant(TENANT_A, () => scopedFindAll(models.Customer as any));
+  console.log(JSON.stringify({ tenant: 'A', rows: aView.map((r: any) => ({ did: r.did, instance_did: r.instance_did })) }));
+  const bView = await withTenant(TENANT_B, () => scopedFindAll(models.Customer as any));
+  console.log(JSON.stringify({ tenant: 'B', rows: bView.map((r: any) => ({ did: r.did, instance_did: r.instance_did })) }));
+  if (aView.length !== 1 || bView.length !== 1) process.exit(1);
+
+  // adversarial: A loads B's pk -> TENANT_MISMATCH
+  console.log('=== E3b cross-tenant findByPk (negative) ===');
+  try {
+    await withTenant(TENANT_A, () => scopedFindByPk(models.Customer as any, bCustomer.id));
+    console.log(JSON.stringify({ unexpected: 'cross-tenant read succeeded' }));
+    process.exit(1);
+  } catch (err: any) {
+    console.log(JSON.stringify({ code: err.code, message: err.message }));
+  }
+
+  console.log(JSON.stringify({ success: true }));
+  await sequelize.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});