payment-kit 1.29.1 → 1.29.2

package/api/src/store/migrations/20230911-seeding.ts

@@ -1,13 +1,14 @@
 import { fromTokenToUnit } from '@ocap/util';
 import Sequelize from 'sequelize';
 import { joinURL } from 'ufo';
+import { blockletMountPoints } from '../../libs/env';
 
 import { createIdGenerator } from '../../libs/util';
 import type { Migration } from '../migrate';
 
 const getUrl = (...parts: string[]): string => {
   const { BLOCKLET_COMPONENT_DID, BLOCKLET_APP_URL } = process.env;
-  const components = JSON.parse(process.env.BLOCKLET_MOUNT_POINTS || '[]');
+  const components = JSON.parse(blockletMountPoints() || '[]');
   const component = components.find((x: any) => [x.title, x.name, x.did].includes(BLOCKLET_COMPONENT_DID));
   const mountPoint = component?.mountPoint || '/';
   return joinURL(BLOCKLET_APP_URL as string, mountPoint === '/' ? '' : mountPoint, ...parts);

package/api/src/store/migrations/20260609-remove-did-space-jobs.ts

@@ -0,0 +1,23 @@
+import { type Migration } from '../migrate';
+
+// The DID Space billing-mirror integration was removed (libs/did-space.ts,
+// queues/space.ts). Rows in `jobs` with queue='did-space' can never be picked
+// up again — the scheduled-job scan only matches registered queue names — so
+// they would sit in the table forever. Delete them.
+//
+// Idempotent: re-running deletes nothing.
+//
+// Dated 20260609 (before the tenant-columns/tenant-backfill pair; written
+// 2026-06-12): the tenant-backfill acceptance spec drives umzug positionally
+// and requires 20260611-tenant-backfill to stay the LAST migration. The jobs
+// table exists since genesis, so running earlier is semantically identical;
+// on already-migrated deployments umzug executes pending migrations
+// regardless of how their names sort against executed ones.
+
+export const up: Migration = async ({ context }) => {
+  await context.sequelize.query("DELETE FROM `jobs` WHERE `queue` = 'did-space'");
+};
+
+export const down: Migration = async () => {
+  // Deleted jobs are not restorable (and the queue no longer exists).
+};

package/api/src/store/migrations/20260610-tenant-columns.ts

@@ -0,0 +1,40 @@
+import { type Migration } from '../migrate';
+import { TENANT_TABLES } from '../tenant-tables';
+
+// Phase 1 (W1-1a): add a nullable instance_did column to all 38 tenant tables.
+// No constraints, no indexes, no backfill — those land in Phase 2 (W1-1b).
+// Until then the column stays NULL and no code reads or writes it, so runtime
+// behavior is byte-for-byte identical to the previous release.
+//
+// Uses PRAGMA table_info + raw ALTER TABLE (mirroring cloudflare/migrations/
+// 0006_tenant_columns.sql) instead of describeTable/removeColumn: sequelize's
+// sqlite describeTable chokes on some of our partial indexes, and removeColumn
+// rebuilds the whole table for no benefit here. Table names are static literals
+// from TENANT_TABLES — nothing is interpolated from config or env.
+
+async function hasInstanceDid(context: any, table: string): Promise<boolean> {
+  const [rows] = await context.sequelize.query(`PRAGMA table_info(${table})`);
+  return (rows as { name: string }[]).some((row) => row.name === 'instance_did');
+}
+
+export const up: Migration = async ({ context }) => {
+  for (const table of TENANT_TABLES) {
+    // eslint-disable-next-line no-await-in-loop
+    if (!(await hasInstanceDid(context, table))) {
+      // eslint-disable-next-line no-await-in-loop
+      await context.sequelize.query(`ALTER TABLE ${table} ADD COLUMN instance_did VARCHAR(64)`);
+    }
+  }
+};
+
+export const down: Migration = async ({ context }) => {
+  for (const table of TENANT_TABLES) {
+    // eslint-disable-next-line no-await-in-loop
+    if (await hasInstanceDid(context, table)) {
+      // SQLite >= 3.35 supports DROP COLUMN; safe here because Phase 1 adds
+      // no indexes or constraints on the column.
+      // eslint-disable-next-line no-await-in-loop
+      await context.sequelize.query(`ALTER TABLE ${table} DROP COLUMN instance_did`);
+    }
+  }
+};

package/api/src/store/migrations/20260611-tenant-backfill.ts

@@ -0,0 +1,33 @@
+import { type Migration } from '../migrate';
+import { UNIQUE_KEY_REVISIONS, runTenantBackfill } from '../tenant-backfill';
+import { TENANT_TABLES } from '../tenant-tables';
+
+// Phase 2 (W1-1b): backfill instance_did with the deployment app DID, revise
+// business unique keys to (instance_did, ...) composites, add tenant indexes.
+// All heavy lifting lives in ../tenant-backfill.ts, shared with the CF worker
+// runtime compensation path (static D1 SQL cannot know the app DID).
+//
+// Idempotent: backfill touches NULL rows only; rebuilds detect already-rebuilt
+// DDL; index creation is IF NOT EXISTS. Re-running after a crash continues.
+
+export const up: Migration = async ({ context }) => {
+  await runTenantBackfill(context.sequelize as any);
+};
+
+export const down: Migration = async ({ context }) => {
+  const { sequelize } = context as any;
+  // Reverting Phase 2 = dropping the composite uniques and tenant indexes.
+  // Backfilled values stay (the column is nullable in DDL for non-rebuilt
+  // tables and harmless when unused); restoring the old inline single-column
+  // uniques is deliberately NOT done — they would forbid the cross-tenant
+  // duplicates this phase exists to allow, and recreating them on a DB that
+  // already contains such duplicates would corrupt the rollback.
+  for (const revision of UNIQUE_KEY_REVISIONS) {
+    // eslint-disable-next-line no-await-in-loop
+    await sequelize.query(`DROP INDEX IF EXISTS \`${revision.index}\``);
+  }
+  for (const table of TENANT_TABLES) {
+    // eslint-disable-next-line no-await-in-loop
+    await sequelize.query(`DROP INDEX IF EXISTS \`idx_${table}_instance_did\``);
+  }
+};

package/api/src/store/models/auto-recharge-config.ts

@@ -1,17 +1,23 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
-
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
 import { BN } from '@ocap/util';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
+
 import { createIdGenerator } from '../../libs/util';
 import { PaymentDetails, PaymentSettings } from './types';
 
 const nextId = createIdGenerator('carc', 24);
 
 // eslint-disable-next-line prettier/prettier
-export class AutoRechargeConfig extends Model<InferAttributes<AutoRechargeConfig>, InferCreationAttributes<AutoRechargeConfig>> {
+export class AutoRechargeConfig extends TenantModel<
+  InferAttributes<AutoRechargeConfig>,
+  InferCreationAttributes<AutoRechargeConfig>
+> {
   declare id: CreationOptional<string>;
   declare customer_id: string;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare enabled: boolean;
   declare threshold: string;
@@ -150,13 +156,19 @@ export class AutoRechargeConfig extends Model<InferAttributes<AutoRechargeConfig
   };
 
   public static initialize(sequelize: any) {
-    this.init(AutoRechargeConfig.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'AutoRechargeConfig',
-      tableName: 'auto_recharge_configs',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...AutoRechargeConfig.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'AutoRechargeConfig',
+        tableName: 'auto_recharge_configs',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/checkout-session.ts

@@ -1,17 +1,11 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
 /* eslint-disable @typescript-eslint/indent */
-import {
-  CreationOptional,
-  DataTypes,
-  FindOptions,
-  InferAttributes,
-  InferCreationAttributes,
-  Model,
-  Op,
-} from 'sequelize';
+import { CreationOptional, DataTypes, FindOptions, InferAttributes, InferCreationAttributes, Op } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createCustomEvent, createEvent, createStatusEvent } from '../../libs/audit';
+import { createCustomEvent, createEvent, createStatusEvent, reportAuditFailure } from '../../libs/audit';
 import dayjs from '../../libs/dayjs';
 import { CHECKOUT_SESSION_TTL, createIdGenerator } from '../../libs/util';
 import type {
@@ -35,10 +29,11 @@ export const nextCheckoutSessionId = createIdGenerator('cs', 58);
 
 // @link https://stripe.com/docs/api/checkout/sessions
 // eslint-disable-next-line prettier/prettier
-export class CheckoutSession extends Model<InferAttributes<CheckoutSession>, InferCreationAttributes<CheckoutSession>> {
+export class CheckoutSession extends TenantModel<InferAttributes<CheckoutSession>, InferCreationAttributes<CheckoutSession>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare client_reference_id?: string;
 
   // ID of the payment currency
@@ -445,6 +440,12 @@ export class CheckoutSession extends Model<InferAttributes<CheckoutSession>, Inf
     this.init(
       {
         ...CheckoutSession.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         discounts: {
           type: DataTypes.JSON,
           allowNull: true,
@@ -503,7 +504,7 @@ export class CheckoutSession extends Model<InferAttributes<CheckoutSession>, Inf
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: CheckoutSession, options) => {
-            createEvent('CheckoutSession', 'checkout.session.created', model, options).catch(console.error);
+            createEvent('CheckoutSession', 'checkout.session.created', model, options).catch(reportAuditFailure);
           },
           afterUpdate: (model: CheckoutSession, options) => {
             createStatusEvent(
@@ -512,7 +513,7 @@ export class CheckoutSession extends Model<InferAttributes<CheckoutSession>, Inf
               { complete: 'completed', expired: 'expired' },
               model,
               options
-            ).catch(console.error);
+            ).catch(reportAuditFailure);
             createCustomEvent(
               'CheckoutSession',
               'checkout.session',
@@ -524,7 +525,7 @@ export class CheckoutSession extends Model<InferAttributes<CheckoutSession>, Inf
               },
               model,
               options
-            ).catch(console.error);
+            ).catch(reportAuditFailure);
           },
         },
       }

package/api/src/store/models/coupon.ts

@@ -1,9 +1,11 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
 import { fromTokenToUnit } from '@ocap/util';
+import { getInstanceDid } from '../../libs/context';
+import { TenantModel } from '../tenant-model';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createCodeGenerator, formatMetadata } from '../../libs/util';
 import { trimDecimals } from '../../libs/math-utils';
 import logger from '../../libs/logger';
@@ -12,9 +14,10 @@ import type { TPaymentCurrency } from './payment-currency';
 const nextId = createCodeGenerator('', 8);
 
 // eslint-disable-next-line prettier/prettier
-export class Coupon extends Model<InferAttributes<Coupon>, InferCreationAttributes<Coupon>> {
+export class Coupon extends TenantModel<InferAttributes<Coupon>, InferCreationAttributes<Coupon>> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare locked: CreationOptional<boolean>;
 
   declare amount_off: string;
@@ -146,24 +149,30 @@ export class Coupon extends Model<InferAttributes<Coupon>, InferCreationAttribut
   };
 
   public static initialize(sequelize: any) {
-    this.init(Coupon.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'Coupon',
-      tableName: 'coupons',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-      hooks: {
-        afterCreate: (model: Coupon, options) => {
-          createEvent('Coupon', 'coupon.created', model, options).catch(console.error);
-        },
-        afterUpdate: (model: Coupon, options) => {
-          createEvent('Coupon', 'coupon.updated', model, options).catch(console.error);
-        },
-        afterDestroy: (model: Coupon, options) => {
-          createEvent('Coupon', 'coupon.deleted', model, options).catch(console.error);
-        },
+    this.init(
+      {
+        ...Coupon.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
       },
-    });
+      {
+        sequelize,
+        modelName: 'Coupon',
+        tableName: 'coupons',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+        hooks: {
+          afterCreate: (model: Coupon, options) => {
+            createEvent('Coupon', 'coupon.created', model, options).catch(reportAuditFailure);
+          },
+          afterUpdate: (model: Coupon, options) => {
+            createEvent('Coupon', 'coupon.updated', model, options).catch(reportAuditFailure);
+          },
+          afterDestroy: (model: Coupon, options) => {
+            createEvent('Coupon', 'coupon.deleted', model, options).catch(reportAuditFailure);
+          },
+        },
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/credit-grant.ts

@@ -1,9 +1,11 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
 import { BN } from '@ocap/util';
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, literal, Model, Op } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, literal, Op } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import dayjs from '../../libs/dayjs';
 import { CreditGrantApplicabilityConfig, CreditGrantChainDetail, CreditGrantChainStatus } from './types';
@@ -43,7 +45,7 @@ async function createCreditGrantStatusEvent(model: CreditGrant, options: any): P
 
 export const nextCreditGrantId = createIdGenerator('credgr', 14);
 
-export class CreditGrant extends Model<InferAttributes<CreditGrant>, InferCreationAttributes<CreditGrant>> {
+export class CreditGrant extends TenantModel<InferAttributes<CreditGrant>, InferCreationAttributes<CreditGrant>> {
   declare id: CreationOptional<string>;
   declare object: CreationOptional<string>;
   declare amount: string;
@@ -54,6 +56,7 @@ export class CreditGrant extends Model<InferAttributes<CreditGrant>, InferCreati
   declare effective_at?: number;
   declare expires_at?: number;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare metadata?: Record<string, any>;
   declare name?: string;
   declare priority: number; // 0-100, 0为最高优先级
@@ -265,7 +268,7 @@ export class CreditGrant extends Model<InferAttributes<CreditGrant>, InferCreati
       // Fire-and-forget: audit event should not block the consumption hot path.
       // Trade-off: if the process crashes between save() and this call, the audit event is lost,
       // but grant state is already persisted and can be reconciled from DB.
-      createEvent('CreditGrant', 'customer.credit_grant.consumed', this).catch(console.error);
+      createEvent('CreditGrant', 'customer.credit_grant.consumed', this).catch(reportAuditFailure);
     }
 
     return {
@@ -302,32 +305,38 @@ export class CreditGrant extends Model<InferAttributes<CreditGrant>, InferCreati
   }
 
   public static initialize(sequelize: any) {
-    this.init(this.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'CreditGrant',
-      tableName: 'credit_grants',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-      indexes: [
-        { fields: ['status'], name: 'idx_credit_grant_status' },
-        { fields: ['effective_at'], name: 'idx_credit_grant_effective_at' },
-        { fields: ['expires_at'], name: 'idx_credit_grant_expires_at' },
-      ],
-      hooks: {
-        afterCreate: (model: CreditGrant, options) => {
-          createEvent('CreditGrant', 'customer.credit_grant.created', model, options).catch(console.error);
-        },
-        afterUpdate: (model: CreditGrant, options) => {
-          createEvent('CreditGrant', 'customer.credit_grant.updated', model, options).catch(console.error);
-
-          if (model.changed('status')) {
-            createCreditGrantStatusEvent(model, options).catch(console.error);
-          }
-        },
-        afterDestroy: (model: CreditGrant, options) =>
-          createEvent('CreditGrant', 'customer.credit_grant.deleted', model, options).catch(console.error),
+    this.init(
+      {
+        ...this.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
       },
-    });
+      {
+        sequelize,
+        modelName: 'CreditGrant',
+        tableName: 'credit_grants',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+        indexes: [
+          { fields: ['status'], name: 'idx_credit_grant_status' },
+          { fields: ['effective_at'], name: 'idx_credit_grant_effective_at' },
+          { fields: ['expires_at'], name: 'idx_credit_grant_expires_at' },
+        ],
+        hooks: {
+          afterCreate: (model: CreditGrant, options) => {
+            createEvent('CreditGrant', 'customer.credit_grant.created', model, options).catch(reportAuditFailure);
+          },
+          afterUpdate: (model: CreditGrant, options) => {
+            createEvent('CreditGrant', 'customer.credit_grant.updated', model, options).catch(reportAuditFailure);
+
+            if (model.changed('status')) {
+              createCreditGrantStatusEvent(model, options).catch(reportAuditFailure);
+            }
+          },
+          afterDestroy: (model: CreditGrant, options) =>
+            createEvent('CreditGrant', 'customer.credit_grant.deleted', model, options).catch(reportAuditFailure),
+        },
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/credit-transaction.ts

@@ -1,18 +1,21 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { col, CreationOptional, DataTypes, fn, InferAttributes, InferCreationAttributes, Model, Op } from 'sequelize';
-
+import { col, CreationOptional, DataTypes, fn, InferAttributes, InferCreationAttributes, Op } from 'sequelize';
 import { BN } from '@ocap/util';
-import { createEvent } from '../../libs/audit';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
+
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import { CreditGrant } from './credit-grant';
 
 export const nextCreditTransactionId = createIdGenerator('cbtxn', 14);
 
-export class CreditTransaction extends Model<
+export class CreditTransaction extends TenantModel<
   InferAttributes<CreditTransaction>,
   InferCreationAttributes<CreditTransaction>
 > {
   declare id: CreationOptional<string>;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare quantity: string;
   declare credit_amount: string;
   declare remaining_balance: string;
@@ -113,24 +116,32 @@ export class CreditTransaction extends Model<
   };
 
   public static initialize(sequelize: any) {
-    this.init(this.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'CreditTransaction',
-      tableName: 'credit_transactions',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-      indexes: [
-        { fields: ['customer_id'] },
-        { fields: ['credit_grant_id'] },
-        { fields: ['source'] },
-        { fields: ['transfer_status'] },
-      ],
-      hooks: {
-        afterCreate: (model: CreditTransaction, options) => {
-          createEvent('CreditTransaction', 'customer.credit_transaction.created', model, options).catch(console.error);
-        },
+    this.init(
+      {
+        ...this.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
       },
-    });
+      {
+        sequelize,
+        modelName: 'CreditTransaction',
+        tableName: 'credit_transactions',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+        indexes: [
+          { fields: ['customer_id'] },
+          { fields: ['credit_grant_id'] },
+          { fields: ['source'] },
+          { fields: ['transfer_status'] },
+        ],
+        hooks: {
+          afterCreate: (model: CreditTransaction, options) => {
+            createEvent('CreditTransaction', 'customer.credit_transaction.created', model, options).catch(
+              reportAuditFailure
+            );
+          },
+        },
+      }
+    );
   }
 
   public static associate(models: any) {

package/api/src/store/models/customer.ts

@@ -2,19 +2,14 @@
 import { BN } from '@ocap/util';
 import cloneDeep from 'lodash/cloneDeep';
 import padStart from 'lodash/padStart';
-import {
-  CreationOptional,
-  DataTypes,
-  FindOptions,
-  InferAttributes,
-  InferCreationAttributes,
-  Model,
-  Op,
-} from 'sequelize';
-
+import { CreationOptional, DataTypes, FindOptions, InferAttributes, InferCreationAttributes, Op } from 'sequelize';
 import merge from 'lodash/merge';
+import { cfEnv } from '../../libs/env';
+import { TenantModel } from '../tenant-model';
+
+import { getInstanceDid } from '../../libs/context';
 import { getLock } from '../../libs/lock';
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import CustomError from '../../libs/error';
 import { createCodeGenerator, createIdGenerator } from '../../libs/util';
 import type { CustomerAddress, CustomerPreferences, CustomerShipping } from './types';
@@ -23,9 +18,10 @@ export const nextCustomerId = createIdGenerator('cus', 14);
 export const nextInvoicePrefix = createCodeGenerator('', 8);
 
 // eslint-disable-next-line prettier/prettier
-export class Customer extends Model<InferAttributes<Customer>, InferCreationAttributes<Customer>> {
+export class Customer extends TenantModel<InferAttributes<Customer>, InferCreationAttributes<Customer>> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare did: string;
   declare description: string;
@@ -85,7 +81,7 @@ export class Customer extends Model<InferAttributes<Customer>, InferCreationAttr
     did: {
       type: DataTypes.STRING(40),
       allowNull: false,
-      unique: true,
+      // uniqueness is per tenant since Phase 2: see uq_* composite indexes in tenant-backfill.ts
     },
     address: {
       type: DataTypes.JSON,
@@ -177,7 +173,7 @@ export class Customer extends Model<InferAttributes<Customer>, InferCreationAttr
     //
     // SQLite serializes writes at the DB level, so the application-level lock is
     // redundant for both D1 and Blocklet Server's SQLite.
-    const d1 = (globalThis as any).__CF_ENV__?.DB;
+    const d1 = cfEnv()?.DB;
     if (d1) {
       try {
         const sql =
@@ -265,6 +261,12 @@ export class Customer extends Model<InferAttributes<Customer>, InferCreationAttr
     this.init(
       {
         ...Customer.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         token_balance: {
           type: DataTypes.JSON,
           defaultValue: {},
@@ -295,13 +297,13 @@ export class Customer extends Model<InferAttributes<Customer>, InferCreationAttr
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: Customer, options) => {
-            createEvent('Customer', 'customer.created', model, options).catch(console.error);
+            createEvent('Customer', 'customer.created', model, options).catch(reportAuditFailure);
           },
           afterUpdate: (model: Customer, options) => {
-            createEvent('Customer', 'customer.updated', model, options).catch(console.error);
+            createEvent('Customer', 'customer.updated', model, options).catch(reportAuditFailure);
           },
           afterDestroy: (model: Customer, options) => {
-            createEvent('Customer', 'customer.deleted', model, options).catch(console.error);
+            createEvent('Customer', 'customer.deleted', model, options).catch(reportAuditFailure);
           },
         },
       }

package/api/src/store/models/discount.ts

@@ -1,5 +1,7 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 import { createCodeGenerator } from '../../libs/util';
 
@@ -7,9 +9,10 @@ const nextId = createCodeGenerator('', 8);
 
 // @link https://stripe.com/docs/api/discounts
 // eslint-disable-next-line prettier/prettier
-export class Discount extends Model<InferAttributes<Discount>, InferCreationAttributes<Discount>> {
+export class Discount extends TenantModel<InferAttributes<Discount>, InferCreationAttributes<Discount>> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare coupon_id: string;
   declare promotion_code_id?: string;
@@ -105,6 +108,12 @@ export class Discount extends Model<InferAttributes<Discount>, InferCreationAttr
     this.init(
       {
         ...Discount.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         confirmed: {
           type: DataTypes.BOOLEAN,
           defaultValue: true,