payment-kit 1.29.0 → 1.29.2

package/scripts/e2e-s4.ts

@@ -0,0 +1,191 @@
+/* eslint-disable no-console */
+// Phase 4 E2E — real dual-tenant webhook delivery through the actual
+// fanout (handleEvent) + delivery (handleWebhook) pipeline, with two live
+// HTTP receivers. Raw JSON evidence only.
+import fs from 'fs';
+import http from 'http';
+import os from 'os';
+import path from 'path';
+
+async function main() {
+  const { fromRandom } = await import('@ocap/wallet');
+  const { types } = await import('@ocap/mcrypto');
+  const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s4-'));
+  Object.assign(process.env, {
+    ABT_NODE_DID: wallet.address,
+    ABT_NODE_PK: wallet.publicKey,
+    ABT_NODE_PORT: '8089',
+    ABT_NODE_SERVICE_PORT: '40406',
+    BLOCKLET_MODE: 'test',
+    BLOCKLET_DID: wallet.address,
+    BLOCKLET_COMPONENT_DID: wallet.address,
+    BLOCKLET_LOG_DIR: tmp,
+    BLOCKLET_DATA_DIR: tmp,
+    BLOCKLET_APP_PK: wallet.publicKey,
+    BLOCKLET_APP_SK: wallet.secretKey,
+    BLOCKLET_APP_PSK: wallet.secretKey,
+    BLOCKLET_APP_EK: wallet.secretKey,
+    BLOCKLET_APP_PID: wallet.address,
+    BLOCKLET_APP_ID: wallet.address,
+    BLOCKLET_APP_IDS: wallet.address,
+    BLOCKLET_APP_NAME: 'payment-kit-e2e',
+    BLOCKLET_APP_DESCRIPTION: 'payment-kit-e2e',
+    BLOCKLET_APP_URL: 'http://127.0.0.1:3030',
+    BLOCKLET_MOUNT_POINTS: JSON.stringify([
+      {
+        title: 'e2e',
+        did: wallet.address,
+        name: 'e2e',
+        version: '0.0.1',
+        mountPoint: '/',
+        status: 6,
+        port: 8181,
+        resources: [],
+      },
+    ]),
+  });
+
+  const { Sequelize } = await import('sequelize');
+  const { SequelizeStorage, Umzug } = await import('umzug');
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(tmp, 'e2e.db'), logging: false });
+  const storeDir = path.resolve(__dirname, '../api/src/store');
+  const umzug = new Umzug({
+    migrations: {
+      glob: ['migrations/*.ts', { cwd: storeDir }],
+      resolve: ({ name, path: p, context }) => {
+        // eslint-disable-next-line import/no-dynamic-require, global-require
+        const migration = require(p!);
+        return {
+          name: name.replace(/\.ts$/, '.js'),
+          up: () => migration.up({ context }),
+          down: () => migration.down({ context }),
+        };
+      },
+    },
+    context: sequelize.getQueryInterface(),
+    storage: new SequelizeStorage({ sequelize }),
+    logger: undefined,
+  });
+  await umzug.up();
+
+  const models = await import('../api/src/store/models');
+  models.initialize(sequelize);
+  const { withTenant } = await import('../api/src/libs/context');
+  const { handleEvent } = await import('../api/src/queues/event');
+  const { handleWebhook } = await import('../api/src/queues/webhook');
+  const { assertEventTenantAccessible } = await import('../api/src/routes/hono/events');
+
+  const TENANT_A = 'did:abt:zTenantAAAA';
+  const TENANT_B = 'did:abt:zTenantBBBB';
+
+  // two live receivers
+  const received: Record<string, any[]> = { A: [], B: [] };
+  const makeReceiver = (key: 'A' | 'B') =>
+    new Promise<{ server: http.Server; url: string }>((resolve) => {
+      const server = http.createServer((req, res) => {
+        let body = '';
+        req.on('data', (chunk) => {
+          body += chunk;
+        });
+        req.on('end', () => {
+          received[key]!.push(JSON.parse(body));
+          res.writeHead(200, { 'content-type': 'application/json' });
+          res.end('{"ok":true}');
+        });
+      });
+      server.listen(0, '127.0.0.1', () => {
+        const { port } = server.address() as any;
+        resolve({ server, url: `http://127.0.0.1:${port}/hook` });
+      });
+    });
+  const receiverA = await makeReceiver('A');
+  const receiverB = await makeReceiver('B');
+
+  const seedEndpoint = (tenant: string, url: string) =>
+    withTenant(tenant, () =>
+      (models.WebhookEndpoint as any).create({
+        instance_did: tenant,
+        livemode: false,
+        url,
+        description: 'e2e',
+        status: 'enabled',
+        enabled_events: ['customer.updated'],
+        secret: 'whsec_e2e',
+        api_version: 'e2e',
+      })
+    );
+  const endpointA = await seedEndpoint(TENANT_A, receiverA.url);
+  await seedEndpoint(TENANT_B, receiverB.url);
+
+  const event: any = await withTenant(TENANT_A, () =>
+    (models.Event as any).create({
+      type: 'customer.updated',
+      instance_did: TENANT_A,
+      api_version: 'e2e',
+      livemode: false,
+      object_id: 'cus_e2e',
+      object_type: 'customer',
+      data: { object: { id: 'cus_e2e', name: 'after-update' } },
+      request: { id: '', idempotency_key: '', requested_by: 'e2e' },
+      metadata: {},
+      pending_webhooks: 99,
+    })
+  );
+
+  // E1: fanout + deliver — only tenant A's receiver gets the event. The real
+  // webhookQueue (scheduled by addWebhookJob inside handleEvent) performs the
+  // delivery asynchronously; endpointA is referenced again in E2b below.
+  void endpointA;
+  await handleEvent({ eventId: event.id });
+  await new Promise((resolve) => {
+    setTimeout(resolve, 2500);
+  });
+
+  console.log('=== E1 dual receivers: A delivered, B silent ===');
+  console.log(
+    JSON.stringify({
+      receiverA: received.A!.map((e) => ({ type: e.type, id: e.id })),
+      receiverB: received.B,
+    })
+  );
+  if (received.A!.length !== 1 || received.B!.length !== 0) process.exit(1);
+
+  const [attempts] = await sequelize.query('SELECT status, instance_did FROM webhook_attempts');
+  console.log(JSON.stringify({ attempts }));
+
+  // E2 (negative): A-tenant caller retries B's event -> TENANT_MISMATCH (the
+  // HTTP route maps this to 403; full curl-level proof needs Phase 10's
+  // Host -> tenant wiring plus admin credentials, so the guard is driven
+  // directly here)
+  console.log('=== E2 cross-tenant manual retry refused (negative) ===');
+  try {
+    await withTenant(TENANT_A, async () => assertEventTenantAccessible({ instance_did: TENANT_B }));
+    console.log(JSON.stringify({ unexpected: 'guard passed' }));
+    process.exit(1);
+  } catch (err: any) {
+    console.log(JSON.stringify({ code: err.code, httpStatus: 403, message: err.message }));
+  }
+
+  // adversarial: forged pair (A event -> B endpoint) refused, zero attempts written
+  console.log('=== E2b forged event/endpoint pair refused (adversarial) ===');
+  await sequelize.query('DELETE FROM webhook_attempts');
+  const endpointBRow: any = await (models.WebhookEndpoint as any).findOne({
+    where: { instance_did: TENANT_B },
+  });
+  await handleWebhook({ eventId: event.id, webhookId: endpointBRow.id });
+  const [forged] = await sequelize.query('SELECT COUNT(*) AS n FROM webhook_attempts');
+  console.log(JSON.stringify({ attemptsAfterForgedPair: (forged as any[])[0].n, receiverB: received.B!.length }));
+  if ((forged as any[])[0].n !== 0 || received.B!.length !== 0) process.exit(1);
+
+  console.log(JSON.stringify({ success: true }));
+  receiverA.server.close();
+  receiverB.server.close();
+  await sequelize.close();
+  process.exit(0);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/e2e-s5.ts

@@ -0,0 +1,139 @@
+/* eslint-disable no-console */
+// Phase 5 E2E — queue tenant layer against the real jobs table.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+async function main() {
+  const { fromRandom } = await import('@ocap/wallet');
+  const { types } = await import('@ocap/mcrypto');
+  const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s5-'));
+  Object.assign(process.env, {
+    ABT_NODE_DID: wallet.address,
+    ABT_NODE_PK: wallet.publicKey,
+    ABT_NODE_PORT: '8089',
+    ABT_NODE_SERVICE_PORT: '40406',
+    BLOCKLET_MODE: 'test',
+    NODE_ENV: 'test',
+    BLOCKLET_DID: wallet.address,
+    BLOCKLET_COMPONENT_DID: wallet.address,
+    BLOCKLET_LOG_DIR: tmp,
+    BLOCKLET_DATA_DIR: tmp,
+    BLOCKLET_APP_PK: wallet.publicKey,
+    BLOCKLET_APP_SK: wallet.secretKey,
+    BLOCKLET_APP_PSK: wallet.secretKey,
+    BLOCKLET_APP_EK: wallet.secretKey,
+    BLOCKLET_APP_PID: wallet.address,
+    BLOCKLET_APP_ID: wallet.address,
+    BLOCKLET_APP_IDS: wallet.address,
+    BLOCKLET_APP_NAME: 'payment-kit-e2e',
+    BLOCKLET_APP_DESCRIPTION: 'payment-kit-e2e',
+    BLOCKLET_APP_URL: 'http://127.0.0.1:3030',
+    BLOCKLET_MOUNT_POINTS: JSON.stringify([
+      {
+        title: 'e2e',
+        did: wallet.address,
+        name: 'e2e',
+        version: '0.0.1',
+        mountPoint: '/',
+        status: 6,
+        port: 8181,
+        resources: [],
+      },
+    ]),
+  });
+
+  const { Sequelize } = await import('sequelize');
+  const { SequelizeStorage, Umzug } = await import('umzug');
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(tmp, 'e2e.db'), logging: false });
+  const storeDir = path.resolve(__dirname, '../api/src/store');
+  const umzug = new Umzug({
+    migrations: {
+      glob: ['migrations/*.ts', { cwd: storeDir }],
+      resolve: ({ name, path: p, context }) => {
+        // eslint-disable-next-line import/no-dynamic-require, global-require
+        const migration = require(p!);
+        return {
+          name: name.replace(/\.ts$/, '.js'),
+          up: () => migration.up({ context }),
+          down: () => migration.down({ context }),
+        };
+      },
+    },
+    context: sequelize.getQueryInterface(),
+    storage: new SequelizeStorage({ sequelize }),
+    logger: undefined,
+  });
+  await umzug.up();
+  const models = await import('../api/src/store/models');
+  models.initialize(sequelize);
+
+  const { withTenant } = await import('../api/src/libs/context');
+  const queueModule = await import('../api/src/libs/queue');
+  const createQueue = queueModule.default;
+  const { assertJobObjectTenant } = queueModule;
+
+  const TENANT_A = 'did:abt:zTenantAAAA';
+  const TENANT_B = 'did:abt:zTenantBBBB';
+
+  // E1: enqueue a delayed job under tenant A, read the raw jobs-table row
+  const delayedQueue = createQueue({
+    name: 'e2e-cycle',
+    onJob: async () => 'ok',
+    options: { enableScheduledJob: true },
+  });
+  await withTenant(TENANT_A, async () =>
+    delayedQueue.push({ job: { subscriptionId: 'sub_e2e_1' }, id: 'sub_e2e_1', delay: 3600 })
+  );
+  await new Promise((resolve) => {
+    setTimeout(resolve, 300);
+  });
+  const [jobRows] = await sequelize.query(
+    "SELECT id, queue, job FROM jobs WHERE queue = 'e2e-cycle' AND id = 'sub_e2e_1'"
+  );
+  console.log('=== E1 delayed subscription-cycle style job row (raw jobs table) ===');
+  console.log(JSON.stringify(jobRows));
+  const payload = JSON.parse((jobRows as any[])[0].job);
+  console.log(JSON.stringify({ payloadInstanceDid: payload.instance_did, expected: TENANT_A, idShape: 'business id, no tenant prefix (see queue-matrix.md)' }));
+  if (payload.instance_did !== TENANT_A) process.exit(1);
+
+  // E2 (negative): forged payload tenant A, object belongs to B
+  const victim: any = await withTenant(TENANT_B, () =>
+    (models.Customer as any).create({ livemode: false, did: 'z-victim-e2e', delinquent: false, instance_did: TENANT_B })
+  );
+  const beforeName = victim.name ?? null;
+  const forgedQueue = createQueue({
+    name: 'e2e-forged',
+    onJob: async (job: any) => {
+      const row = await (models.Customer as any).findByPk(job.customerId);
+      assertJobObjectTenant(row);
+      await row.update({ name: 'pwned' });
+    },
+  });
+  console.log('=== E2 forged payload (tenant A, object B) refused; B object unchanged (negative) ===');
+  const outcome: any = await new Promise((resolve) => {
+    withTenant(TENANT_A, async () => {
+      const handle = forgedQueue.push({ job: { customerId: victim.id }, persist: true });
+      handle.on('failed', (data: any) => resolve({ event: 'failed', error: { code: data.error?.code, message: data.error?.message } }));
+      handle.on('finished', () => resolve({ event: 'finished' }));
+    });
+  });
+  console.log(JSON.stringify(outcome));
+  const reloaded: any = await (models.Customer as any).findByPk(victim.id);
+  console.log(
+    JSON.stringify({ victimNameAfter: reloaded.name ?? null, beforeName, victimTenant: reloaded.instance_did })
+  );
+  if (outcome.event !== 'failed' || outcome.error.code !== 'TENANT_MISMATCH' || reloaded.name !== beforeName) {
+    process.exit(1);
+  }
+
+  console.log(JSON.stringify({ success: true }));
+  await sequelize.close();
+  process.exit(0);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/e2e-s6.ts

@@ -0,0 +1,127 @@
+/* eslint-disable no-console */
+// Phase 6 E2E (E3) — a pre-tenant legacy job driven in single and multi mode.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+async function main() {
+  const { fromRandom } = await import('@ocap/wallet');
+  const { types } = await import('@ocap/mcrypto');
+  const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'e2e-s6-'));
+  Object.assign(process.env, {
+    ABT_NODE_DID: wallet.address,
+    ABT_NODE_PK: wallet.publicKey,
+    ABT_NODE_PORT: '8089',
+    ABT_NODE_SERVICE_PORT: '40406',
+    BLOCKLET_MODE: 'test',
+    NODE_ENV: 'test',
+    BLOCKLET_DID: wallet.address,
+    BLOCKLET_COMPONENT_DID: wallet.address,
+    BLOCKLET_LOG_DIR: tmp,
+    BLOCKLET_DATA_DIR: tmp,
+    BLOCKLET_APP_PK: wallet.publicKey,
+    BLOCKLET_APP_SK: wallet.secretKey,
+    BLOCKLET_APP_PSK: wallet.secretKey,
+    BLOCKLET_APP_EK: wallet.secretKey,
+    BLOCKLET_APP_PID: wallet.address,
+    BLOCKLET_APP_ID: wallet.address,
+    BLOCKLET_APP_IDS: wallet.address,
+    BLOCKLET_APP_NAME: 'payment-kit-e2e',
+    BLOCKLET_APP_DESCRIPTION: 'payment-kit-e2e',
+    BLOCKLET_APP_URL: 'http://127.0.0.1:3030',
+    BLOCKLET_MOUNT_POINTS: JSON.stringify([
+      {
+        title: 'e2e',
+        did: wallet.address,
+        name: 'e2e',
+        version: '0.0.1',
+        mountPoint: '/',
+        status: 6,
+        port: 8181,
+        resources: [],
+      },
+    ]),
+  });
+
+  const { Sequelize } = await import('sequelize');
+  const { SequelizeStorage, Umzug } = await import('umzug');
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(tmp, 'e2e.db'), logging: false });
+  const storeDir = path.resolve(__dirname, '../api/src/store');
+  const umzug = new Umzug({
+    migrations: {
+      glob: ['migrations/*.ts', { cwd: storeDir }],
+      resolve: ({ name, path: p, context }) => {
+        // eslint-disable-next-line import/no-dynamic-require, global-require
+        const migration = require(p!);
+        return {
+          name: name.replace(/\.ts$/, '.js'),
+          up: () => migration.up({ context }),
+          down: () => migration.down({ context }),
+        };
+      },
+    },
+    context: sequelize.getQueryInterface(),
+    storage: new SequelizeStorage({ sequelize }),
+    logger: undefined,
+  });
+  await umzug.up();
+  const models = await import('../api/src/store/models');
+  models.initialize(sequelize);
+
+  const queueModule = await import('../api/src/libs/queue');
+  const createQueue = queueModule.default;
+  const { getDefaultInstanceDid } = await import('../api/src/libs/tenant');
+
+  const runLegacy = (mode: 'single' | 'multi') =>
+    new Promise<any>((resolve) => {
+      if (mode === 'multi') process.env.PAYMENT_TENANT_MODE = 'multi';
+      else delete process.env.PAYMENT_TENANT_MODE;
+      const seen: string[] = [];
+      const queue = createQueue({
+        name: `e2e-legacy-${mode}`,
+        onJob: async () => {
+          // eslint-disable-next-line global-require
+          const { getInstanceDid } = await import('../api/src/libs/context').then((m) => m);
+          seen.push(getInstanceDid());
+          return 'ok';
+        },
+      });
+      const handle = queue.push({
+        job: { legacy: true }, // NO instance_did — simulates a pre-upgrade row
+        id: `legacy-${mode}`,
+        persist: false,
+        fromStore: true,
+      } as any);
+      handle.on('finished', () => resolve({ mode, outcome: 'executed', tenants: seen }));
+      handle.on('failed', (data: any) =>
+        resolve({
+          mode,
+          outcome: 'refused',
+          error: { code: data.error?.code, nonRetryable: data.error?.nonRetryable },
+        })
+      );
+    });
+
+  console.log('=== E3 legacy (pre-tenant) job: single vs multi mode ===');
+  const single = await runLegacy('single');
+  console.log(JSON.stringify({ ...single, defaultTenant: getDefaultInstanceDid() }));
+  const multi = await runLegacy('multi');
+  console.log(JSON.stringify(multi));
+  delete process.env.PAYMENT_TENANT_MODE;
+
+  const ok =
+    single.outcome === 'executed' &&
+    single.tenants[0] === getDefaultInstanceDid() &&
+    multi.outcome === 'refused' &&
+    multi.error.code === 'TENANT_CONTEXT_MISSING' &&
+    multi.error.nonRetryable === true;
+  console.log(JSON.stringify({ success: ok }));
+  await sequelize.close();
+  process.exit(ok ? 0 : 1);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/e2e-tenant-model.ts

@@ -0,0 +1,119 @@
+/* eslint-disable no-console */
+// Phase 3 (W1′) Layer-2 E2E: drive the REAL models through TenantModel under
+// two tenants against a real (in-memory) sqlite DB and emit JSON-shaped results.
+// Self-contained: sets the blocklet env from a generated wallet BEFORE importing
+// the models (mirrors tools/jest-setup), so it runs without a blocklet server.
+// The live Host->tenant curl E2E depends on Phase 7/10 wiring; this proves the
+// production scoping path deterministically.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { types } from '@ocap/mcrypto';
+import { fromRandom } from '@ocap/wallet';
+
+const wallet = fromRandom({ role: types.RoleType.ROLE_APPLICATION });
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'p3-e2e-'));
+process.env.BLOCKLET_MODE = 'test';
+process.env.NODE_ENV = 'test';
+process.env.BLOCKLET_LOG_DIR = tmpDir;
+process.env.BLOCKLET_DATA_DIR = tmpDir;
+process.env.BLOCKLET_APP_SK = wallet.secretKey;
+process.env.BLOCKLET_APP_PSK = wallet.secretKey;
+process.env.BLOCKLET_APP_PK = wallet.publicKey;
+process.env.BLOCKLET_APP_EK = wallet.secretKey;
+process.env.BLOCKLET_APP_ID = wallet.address;
+process.env.BLOCKLET_APP_PID = wallet.address;
+process.env.BLOCKLET_APP_IDS = wallet.address;
+process.env.ABT_NODE_DID = wallet.address;
+process.env.ABT_NODE_PK = wallet.publicKey;
+process.env.ABT_NODE_PORT = '8089';
+process.env.ABT_NODE_SERVICE_PORT = '40406';
+process.env.BLOCKLET_DID = wallet.address;
+process.env.BLOCKLET_COMPONENT_DID = wallet.address;
+process.env.BLOCKLET_APP_NAME = 'did-pay-e2e';
+process.env.BLOCKLET_APP_DESCRIPTION = 'phase3 e2e';
+process.env.BLOCKLET_APP_URL = 'http://127.0.0.1:3030';
+process.env.BLOCKLET_MOUNT_POINTS = JSON.stringify([
+  {
+    title: 'did-pay-e2e',
+    did: wallet.address,
+    name: 'did-pay',
+    version: '0.0.0',
+    mountPoint: '/',
+    status: 6,
+    port: 8181,
+    resources: [],
+  },
+]);
+
+async function main() {
+  // import AFTER env is set so module-level wallet/logger init succeeds
+  /* eslint-disable global-require, @typescript-eslint/no-var-requires */
+  const { Sequelize } = require('sequelize');
+  const { withTenant } = require('../api/src/libs/context');
+  const { Coupon, initialize } = require('../api/src/store/models');
+  /* eslint-enable global-require, @typescript-eslint/no-var-requires */
+
+  const TENANT_A = 'did:abt:zE2ETenantAAAAAAAAAAAAAAAAAAAAA';
+  const TENANT_B = 'did:abt:zE2ETenantBBBBBBBBBBBBBBBBBBBBB';
+
+  const sequelize = new Sequelize('sqlite::memory:', { logging: false });
+  initialize(sequelize);
+  await sequelize.sync({ force: true });
+
+  const mk = (name: string) => ({ livemode: false, duration: 'once', name, created_via: 'api' });
+  const a1: any = await withTenant(TENANT_A, () => Coupon.create(mk('a-coupon')));
+  const b1: any = await withTenant(TENANT_B, () => Coupon.create(mk('b-coupon')));
+
+  const out: Record<string, any> = {};
+
+  const aList: any = await withTenant(TENANT_A, () => Coupon.findAll());
+  out['S3.1 list under tenant A — only A rows'] = {
+    count: aList.length,
+    rows: aList.map((r: any) => ({ id: r.id, name: r.name, instance_did: r.instance_did })),
+  };
+
+  const leak = await withTenant(TENANT_A, () => Coupon.findByPk(b1.id));
+  out['S3.2 cross-tenant findByPk (A reads B id)'] = { result: leak, expect: 'null = not-found (§13.1)' };
+
+  let negCreate: any;
+  try {
+    await withTenant(TENANT_A, () => Coupon.create({ ...mk('forged'), instance_did: TENANT_B }));
+    negCreate = { rejected: false };
+  } catch (err: any) {
+    negCreate = { rejected: true, code: err.code };
+  }
+  out['S3.3 NEGATIVE create with foreign instance_did'] = negCreate;
+
+  let negFind: any;
+  try {
+    await withTenant(TENANT_A, () => Coupon.findOne({ where: { instance_did: TENANT_B } }));
+    negFind = { rejected: false };
+  } catch (err: any) {
+    negFind = { rejected: true, code: err.code };
+  }
+  out['S3.4 NEGATIVE find with foreign where.instance_did'] = negFind;
+
+  const aCount = await withTenant(TENANT_A, () => Coupon.count());
+  const bCount = await withTenant(TENANT_B, () => Coupon.count());
+  out['S3.5 count isolation'] = { aCount, bCount, a1_stamp: a1.instance_did, b1_stamp: b1.instance_did };
+
+  // aggregate isolation: A adds a 30% coupon, B adds 99% — A's sum/max exclude B
+  await withTenant(TENANT_A, () => Coupon.create({ ...mk('a-30'), percent_off: 30 }));
+  await withTenant(TENANT_B, () => Coupon.create({ ...mk('b-99'), percent_off: 99 }));
+  const aSum = await withTenant(TENANT_A, () => Coupon.sum('percent_off'));
+  const aMax = await withTenant(TENANT_A, () => Coupon.max('percent_off'));
+  out['S3.6 sum/max aggregate isolation (A excludes B 99)'] = { aSum, aMax, expect: 'sum=30 max=30, not 99' };
+
+  for (const [k, v] of Object.entries(out)) {
+    console.log(`=== ${k} ===`);
+    console.log(JSON.stringify(v));
+  }
+
+  await sequelize.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});