payment-kit 1.29.1 → 1.29.2

package/api/src/store/models/payment-intent.ts

@@ -1,10 +1,12 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
 /* eslint-disable @typescript-eslint/indent */
 import { BN } from '@ocap/util';
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model, Op, Sequelize } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Op, Sequelize } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent, createStatusEvent } from '../../libs/audit';
+import { createEvent, createStatusEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import type { GroupedBN, PaymentBeneficiary, PaymentDetails, PaymentError } from './types';
 
@@ -12,11 +14,12 @@ export const nextPaymentIntentId = createIdGenerator('pi', 24);
 
 // @link https://stripe.com/docs/api/payment_intents
 // eslint-disable-next-line prettier/prettier
-export class PaymentIntent extends Model<InferAttributes<PaymentIntent>, InferCreationAttributes<PaymentIntent>> {
+export class PaymentIntent extends TenantModel<InferAttributes<PaymentIntent>, InferCreationAttributes<PaymentIntent>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
 
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare description: string;
 
   declare amount: string;
@@ -244,6 +247,12 @@ export class PaymentIntent extends Model<InferAttributes<PaymentIntent>, InferCr
     this.init(
       {
         ...PaymentIntent.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         beneficiaries: {
           type: DataTypes.JSON,
           allowNull: true,
@@ -258,7 +267,7 @@ export class PaymentIntent extends Model<InferAttributes<PaymentIntent>, InferCr
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: PaymentIntent, options) => {
-            createEvent('PaymentIntent', 'payment_intent.created', model, options).catch(console.error);
+            createEvent('PaymentIntent', 'payment_intent.created', model, options).catch(reportAuditFailure);
           },
           afterUpdate: (model: PaymentIntent, options) => {
             createStatusEvent(
@@ -272,10 +281,10 @@ export class PaymentIntent extends Model<InferAttributes<PaymentIntent>, InferCr
               },
               model,
               options
-            ).catch(console.error);
+            ).catch(reportAuditFailure);
           },
           afterDestroy: (model: PaymentIntent, options) => {
-            createEvent('PaymentIntent', 'payment_intent.deleted', model, options).catch(console.error);
+            createEvent('PaymentIntent', 'payment_intent.deleted', model, options).catch(reportAuditFailure);
           },
         },
       }

package/api/src/store/models/payment-link.ts

@@ -1,8 +1,10 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model, Op } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Op } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import type {
   AfterPayment,
@@ -17,13 +19,14 @@ import type {
 export const nextPaymentLinkId = createIdGenerator('plink', 24);
 
 // @link https://stripe.com/docs/api/payment_links/payment_links
-export class PaymentLink extends Model<InferAttributes<PaymentLink>, InferCreationAttributes<PaymentLink>> {
+export class PaymentLink extends TenantModel<InferAttributes<PaymentLink>, InferCreationAttributes<PaymentLink>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
 
   // Whether the PaymentLink is currently available for purchase.
   declare active: boolean;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare name: string;
 
@@ -211,6 +214,12 @@ export class PaymentLink extends Model<InferAttributes<PaymentLink>, InferCreati
     this.init(
       {
         ...PaymentLink.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         nft_mint_settings: {
           type: DataTypes.JSON,
           allowNull: true,
@@ -240,13 +249,13 @@ export class PaymentLink extends Model<InferAttributes<PaymentLink>, InferCreati
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: PaymentLink, options) => {
-            createEvent('PaymentLink', 'payment_link.created', model, options).catch(console.error);
+            createEvent('PaymentLink', 'payment_link.created', model, options).catch(reportAuditFailure);
           },
           afterUpdate: (model: PaymentLink, options) => {
-            createEvent('PaymentLink', 'payment_link.updated', model, options).catch(console.error);
+            createEvent('PaymentLink', 'payment_link.updated', model, options).catch(reportAuditFailure);
           },
           afterDestroy: (model: PaymentLink, options) => {
-            createEvent('PaymentLink', 'payment_link.deleted', model, options).catch(console.error);
+            createEvent('PaymentLink', 'payment_link.deleted', model, options).catch(reportAuditFailure);
           },
         },
       }

package/api/src/store/models/payment-method.ts

@@ -1,11 +1,18 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import security from '@blocklet/sdk/lib/security';
 import OcapClient from '@ocap/client';
-import { JsonRpcProvider, ethers } from 'ethers';
+// Phase 13b2: ethers is a TYPE-only import here + lazy-required at the one runtime
+// call site. This model is bound by initialize() during createEmbeddedPaymentService,
+// so an eager `import 'ethers'` loaded ethers at factory time — crashing in a host
+// that force-resolves an incompatible @noble/hashes (arc's `@noble/hashes:^2.2.0`
+// override vs ethers@6.16's pinned 1.3.2). EVM clients build only when used.
+import type { JsonRpcProvider } from 'ethers';
 import cloneDeep from 'lodash/cloneDeep';
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
 import Stripe from 'stripe';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
+import { encryptSecret, decryptSecret } from '../../libs/secrets';
 
 import { AppStoreClient } from '../../integrations/app-store/client';
 import { GooglePlayClient } from '../../integrations/google-play/client';
@@ -23,12 +30,13 @@ const googlePlayClients = new Map<string, GooglePlayClient>();
 const appStoreClients = new Map<string, AppStoreClient>();
 
 // eslint-disable-next-line prettier/prettier
-export class PaymentMethod extends Model<InferAttributes<PaymentMethod>, InferCreationAttributes<PaymentMethod>> {
+export class PaymentMethod extends TenantModel<InferAttributes<PaymentMethod>, InferCreationAttributes<PaymentMethod>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
 
   declare active: boolean;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare locked: boolean;
 
   declare type: LiteralUnion<
@@ -130,13 +138,19 @@ export class PaymentMethod extends Model<InferAttributes<PaymentMethod>, InferCr
 
   // eslint-disable-next-line @typescript-eslint/no-shadow
   public static initialize(sequelize: any) {
-    this.init(PaymentMethod.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'PaymentMethod',
-      tableName: 'payment_methods',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...PaymentMethod.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'PaymentMethod',
+        tableName: 'payment_methods',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate(models: any) {
@@ -157,17 +171,17 @@ export class PaymentMethod extends Model<InferAttributes<PaymentMethod>, InferCr
   public static encryptSettings(settings: PaymentMethodSettings) {
     const tmp = cloneDeep(settings);
     if (tmp.stripe) {
-      tmp.stripe.secret_key = security.encrypt(tmp.stripe.secret_key);
-      tmp.stripe.webhook_signing_secret = security.encrypt(tmp.stripe.webhook_signing_secret);
+      tmp.stripe.secret_key = encryptSecret(tmp.stripe.secret_key);
+      tmp.stripe.webhook_signing_secret = encryptSecret(tmp.stripe.webhook_signing_secret);
     }
     if (tmp.google_play) {
-      tmp.google_play.service_account_json = security.encrypt(tmp.google_play.service_account_json);
+      tmp.google_play.service_account_json = encryptSecret(tmp.google_play.service_account_json);
     }
     if (tmp.app_store?.private_key_pem) {
-      tmp.app_store.private_key_pem = security.encrypt(tmp.app_store.private_key_pem);
+      tmp.app_store.private_key_pem = encryptSecret(tmp.app_store.private_key_pem);
     }
     if (tmp.app_store?.shared_secret) {
-      tmp.app_store.shared_secret = security.encrypt(tmp.app_store.shared_secret);
+      tmp.app_store.shared_secret = encryptSecret(tmp.app_store.shared_secret);
     }
 
     return tmp;
@@ -176,17 +190,17 @@ export class PaymentMethod extends Model<InferAttributes<PaymentMethod>, InferCr
   public static decryptSettings(settings: PaymentMethodSettings) {
     const tmp = cloneDeep(settings);
     if (tmp.stripe) {
-      tmp.stripe.secret_key = security.decrypt(tmp.stripe.secret_key);
-      tmp.stripe.webhook_signing_secret = security.decrypt(tmp.stripe.webhook_signing_secret);
+      tmp.stripe.secret_key = decryptSecret(tmp.stripe.secret_key);
+      tmp.stripe.webhook_signing_secret = decryptSecret(tmp.stripe.webhook_signing_secret);
     }
     if (tmp.google_play) {
-      tmp.google_play.service_account_json = security.decrypt(tmp.google_play.service_account_json);
+      tmp.google_play.service_account_json = decryptSecret(tmp.google_play.service_account_json);
     }
     if (tmp.app_store?.private_key_pem) {
-      tmp.app_store.private_key_pem = security.decrypt(tmp.app_store.private_key_pem);
+      tmp.app_store.private_key_pem = decryptSecret(tmp.app_store.private_key_pem);
     }
     if (tmp.app_store?.shared_secret) {
-      tmp.app_store.shared_secret = security.decrypt(tmp.app_store.shared_secret);
+      tmp.app_store.shared_secret = decryptSecret(tmp.app_store.shared_secret);
     }
 
     return tmp;
@@ -258,8 +272,10 @@ export class PaymentMethod extends Model<InferAttributes<PaymentMethod>, InferCr
     }
 
     const settings = PaymentMethod.decryptSettings(this.settings);
+    // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+    const { JsonRpcProvider: EthersJsonRpcProvider } = require('ethers');
     // @ts-ignore
-    const client = new ethers.JsonRpcProvider(settings[this.type as keyof PaymentMethodSettings]?.api_host);
+    const client = new EthersJsonRpcProvider(settings[this.type as keyof PaymentMethodSettings]?.api_host);
     evmClients.set(this.id, client);
 
     return client as JsonRpcProvider;

package/api/src/store/models/payment-stat.ts

@@ -1,14 +1,17 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
 import { createIdGenerator } from '../../libs/util';
 
 const nextId = createIdGenerator('ps', 24);
 
 // eslint-disable-next-line prettier/prettier
-export class PaymentStat extends Model<InferAttributes<PaymentStat>, InferCreationAttributes<PaymentStat>> {
+export class PaymentStat extends TenantModel<InferAttributes<PaymentStat>, InferCreationAttributes<PaymentStat>> {
   declare id: CreationOptional<string>;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
 
   declare timestamp: number;
   declare currency_id: string;
@@ -64,13 +67,19 @@ export class PaymentStat extends Model<InferAttributes<PaymentStat>, InferCreati
   };
 
   public static initialize(sequelize: any) {
-    this.init(PaymentStat.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'PaymentStat',
-      tableName: 'payment_stats',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    });
+    this.init(
+      {
+        ...PaymentStat.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
+      },
+      {
+        sequelize,
+        modelName: 'PaymentStat',
+        tableName: 'payment_stats',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+      }
+    );
   }
 
   public static associate() {}

package/api/src/store/models/payout.ts

@@ -1,21 +1,24 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
 /* eslint-disable @typescript-eslint/indent */
 import { BN } from '@ocap/util';
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model, Op, Sequelize } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Op, Sequelize } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent, createStatusEvent } from '../../libs/audit';
+import { createEvent, createStatusEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import type { GroupedBN, PaymentDetails, PaymentError } from './types';
 
 export const nextPayoutId = createIdGenerator('po', 24);
 
 // @link https://stripe.com/docs/api/payouts
-export class Payout extends Model<InferAttributes<Payout>, InferCreationAttributes<Payout>> {
+export class Payout extends TenantModel<InferAttributes<Payout>, InferCreationAttributes<Payout>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
 
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare automatic: boolean;
   declare description: string;
   declare destination: string;
@@ -178,6 +181,12 @@ export class Payout extends Model<InferAttributes<Payout>, InferCreationAttribut
     this.init(
       {
         ...Payout.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         vendor_info: {
           type: DataTypes.JSON,
           allowNull: true,
@@ -191,9 +200,9 @@ export class Payout extends Model<InferAttributes<Payout>, InferCreationAttribut
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: Payout, options) => {
-            createEvent('Payout', 'payout.created', model, options).catch(console.error);
+            createEvent('Payout', 'payout.created', model, options).catch(reportAuditFailure);
             if (model.status === 'paid') {
-              createEvent('Payout', 'payout.paid', model, options).catch(console.error);
+              createEvent('Payout', 'payout.paid', model, options).catch(reportAuditFailure);
             }
           },
           afterUpdate: (model: Payout, options) => {
@@ -203,7 +212,7 @@ export class Payout extends Model<InferAttributes<Payout>, InferCreationAttribut
               { canceled: 'canceled', failed: 'failed', paid: 'paid' },
               model,
               options
-            ).catch(console.error);
+            ).catch(reportAuditFailure);
           },
         },
       }

package/api/src/store/models/price-quote.ts

@@ -1,7 +1,9 @@
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model, Transaction } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Transaction } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator } from '../../libs/util';
 import { QuoteMetadata, QuoteStatus } from './types';
 
@@ -33,8 +35,9 @@ export interface CreateQuoteInput {
   metadata?: QuoteMetadata;
 }
 
-export class PriceQuote extends Model<InferAttributes<PriceQuote>, InferCreationAttributes<PriceQuote>> {
+export class PriceQuote extends TenantModel<InferAttributes<PriceQuote>, InferCreationAttributes<PriceQuote>> {
   declare id: CreationOptional<string>;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a); scoped queries land in Phase 3
   declare price_id: string;
   declare session_id?: string;
   declare invoice_id?: string;
@@ -79,6 +82,12 @@ export class PriceQuote extends Model<InferAttributes<PriceQuote>, InferCreation
           allowNull: false,
           defaultValue: nextPriceQuoteId,
         },
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         price_id: {
           type: DataTypes.STRING(32),
           allowNull: false,
@@ -94,7 +103,7 @@ export class PriceQuote extends Model<InferAttributes<PriceQuote>, InferCreation
         idempotency_key: {
           type: DataTypes.STRING(128),
           allowNull: false,
-          unique: true,
+          // uniqueness is per tenant since Phase 2: see uq_* composite indexes in tenant-backfill.ts
         },
         base_currency: {
           type: DataTypes.STRING(8),
@@ -181,11 +190,11 @@ export class PriceQuote extends Model<InferAttributes<PriceQuote>, InferCreation
             if (options.transaction) {
               // Defer until after transaction commits
               options.transaction.afterCommit(() => {
-                createEvent('PriceQuote', 'price_quote.created', model, options).catch(console.error);
+                createEvent('PriceQuote', 'price_quote.created', model, options).catch(reportAuditFailure);
               });
             } else {
               // No transaction, create immediately
-              createEvent('PriceQuote', 'price_quote.created', model, options).catch(console.error);
+              createEvent('PriceQuote', 'price_quote.created', model, options).catch(reportAuditFailure);
             }
           },
           afterUpdate: (model: PriceQuote, options) => {
@@ -193,11 +202,11 @@ export class PriceQuote extends Model<InferAttributes<PriceQuote>, InferCreation
             if (options.transaction) {
               // Defer until after transaction commits
               options.transaction.afterCommit(() => {
-                createEvent('PriceQuote', 'price_quote.updated', model, options).catch(console.error);
+                createEvent('PriceQuote', 'price_quote.updated', model, options).catch(reportAuditFailure);
               });
             } else {
               // No transaction, create immediately
-              createEvent('PriceQuote', 'price_quote.updated', model, options).catch(console.error);
+              createEvent('PriceQuote', 'price_quote.updated', model, options).catch(reportAuditFailure);
             }
           },
         },

package/api/src/store/models/price.ts

@@ -8,13 +8,14 @@ import {
   FindOptions,
   InferAttributes,
   InferCreationAttributes,
-  Model,
   Op,
   QueryTypes,
 } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import logger from '../../libs/logger';
 import { createIdGenerator, formatMetadata } from '../../libs/util';
 import { sequelize } from '../sequelize';
@@ -38,7 +39,7 @@ type TPriceExpanded = TPrice & {
 type TLineItemExpanded = LineItem & { price: TPriceExpanded; upsell_price: TPriceExpanded };
 
 // @link https://stripe.com/docs/api/prices
-export class Price extends Model<InferAttributes<Price>, InferCreationAttributes<Price>> {
+export class Price extends TenantModel<InferAttributes<Price>, InferCreationAttributes<Price>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
 
@@ -51,6 +52,7 @@ export class Price extends Model<InferAttributes<Price>, InferCreationAttributes
   // Whether the price can be used for new purchases.
   declare active: boolean;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare locked: CreationOptional<boolean>;
 
   // One of one_time or recurring depending on whether the price is for a one-time purchase or a recurring (subscription) purchase.
@@ -200,6 +202,12 @@ export class Price extends Model<InferAttributes<Price>, InferCreationAttributes
     this.init(
       {
         ...Price.GENESIS_ATTRIBUTES,
+        instance_did: {
+          type: DataTypes.STRING(64),
+          allowNull: true,
+          // bare creates must still land in the active tenant (single mode = app DID)
+          defaultValue: () => getInstanceDid(),
+        },
         upsell: {
           type: DataTypes.JSON,
           allowNull: true,
@@ -250,13 +258,13 @@ export class Price extends Model<InferAttributes<Price>, InferCreationAttributes
         updatedAt: 'updated_at',
         hooks: {
           afterCreate: (model: Price, options) => {
-            createEvent('Price', 'price.created', model, options).catch(console.error);
+            createEvent('Price', 'price.created', model, options).catch(reportAuditFailure);
           },
           afterUpdate: (model: Price, options) => {
-            createEvent('Price', 'price.updated', model, options).catch(console.error);
+            createEvent('Price', 'price.updated', model, options).catch(reportAuditFailure);
           },
           afterDestroy: (model: Price, options) => {
-            createEvent('Price', 'price.deleted', model, options).catch(console.error);
+            createEvent('Price', 'price.deleted', model, options).catch(reportAuditFailure);
           },
         },
       }
@@ -522,10 +530,14 @@ export class Price extends Model<InferAttributes<Price>, InferCreationAttributes
       return true;
     }
 
+    // 洞 G (Phase 4): raw reads on tenant tables (pricing_tables / payment_links /
+    // checkout_sessions) — guard with instance_did so "is this price used?" only
+    // ever counts the price's own tenant. price_id is now a bound param too.
+    const guard = { price_id: this.id, instance_did: getInstanceDid() };
     // @ts-ignore
     let [{ count }] = await this.sequelize.query(
-      `SELECT count(*) AS count FROM pricing_tables JOIN json_each(items) AS item ON json_extract(item.value, '$.price_id') = '${this.id}'`,
-      { type: QueryTypes.SELECT }
+      "SELECT count(*) AS count FROM pricing_tables JOIN json_each(items) AS item ON json_extract(item.value, '$.price_id') = :price_id WHERE pricing_tables.instance_did = :instance_did",
+      { replacements: guard, type: QueryTypes.SELECT }
     );
     used = count > 0;
     if (used) {
@@ -535,8 +547,8 @@ export class Price extends Model<InferAttributes<Price>, InferCreationAttributes
 
     // @ts-ignore
     [{ count }] = await this.sequelize.query(
-      `SELECT count(*) AS count FROM payment_links JOIN json_each(line_items) AS item ON json_extract(item.value, '$.price_id') = '${this.id}'`,
-      { type: QueryTypes.SELECT }
+      "SELECT count(*) AS count FROM payment_links JOIN json_each(line_items) AS item ON json_extract(item.value, '$.price_id') = :price_id WHERE payment_links.instance_did = :instance_did",
+      { replacements: guard, type: QueryTypes.SELECT }
     );
     used = count > 0;
     if (used) {
@@ -546,8 +558,8 @@ export class Price extends Model<InferAttributes<Price>, InferCreationAttributes
 
     // @ts-ignore
     [{ count }] = await this.sequelize.query(
-      `SELECT count(cs.id) AS count FROM checkout_sessions AS cs JOIN json_each(line_items) AS item ON json_extract(item.value, '$.price_id') = '${this.id}' WHERE cs.status != 'expired'`,
-      { type: QueryTypes.SELECT }
+      "SELECT count(cs.id) AS count FROM checkout_sessions AS cs JOIN json_each(line_items) AS item ON json_extract(item.value, '$.price_id') = :price_id WHERE cs.status != 'expired' AND cs.instance_did = :instance_did",
+      { replacements: guard, type: QueryTypes.SELECT }
     );
     used = count > 0;
     if (used) {

package/api/src/store/models/pricing-table.ts

@@ -1,23 +1,26 @@
 /* eslint-disable @typescript-eslint/lines-between-class-members */
 import pick from 'lodash/pick';
 import uniq from 'lodash/uniq';
-import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes, Model } from 'sequelize';
+import { CreationOptional, DataTypes, InferAttributes, InferCreationAttributes } from 'sequelize';
 import type { LiteralUnion } from 'type-fest';
+import { TenantModel } from '../tenant-model';
+import { getInstanceDid } from '../../libs/context';
 
-import { createEvent } from '../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
 import { createIdGenerator, formatMetadata } from '../../libs/util';
 import type { BrandSettings, PricingTableItem } from './types';
 
 export const nextPricingTableId = createIdGenerator('prctbl', 24);
 
 // @link https://stripe.com/docs/api/payment_links/payment_links
-export class PricingTable extends Model<InferAttributes<PricingTable>, InferCreationAttributes<PricingTable>> {
+export class PricingTable extends TenantModel<InferAttributes<PricingTable>, InferCreationAttributes<PricingTable>> {
   // Unique identifier for the object.
   declare id: CreationOptional<string>;
 
   // Whether the PricingTable is currently available for purchase.
   declare active: boolean;
   declare livemode: boolean;
+  declare instance_did?: string; // tenant column (Phase 1, W1-1a), nullable until Phase 2 backfill; scoped queries land in Phase 3
   declare locked: boolean;
 
   declare name: string;
@@ -84,24 +87,30 @@ export class PricingTable extends Model<InferAttributes<PricingTable>, InferCrea
   };
 
   public static initialize(sequelize: any) {
-    this.init(PricingTable.GENESIS_ATTRIBUTES, {
-      sequelize,
-      modelName: 'PricingTable',
-      tableName: 'pricing_tables',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-      hooks: {
-        afterCreate: (model: PricingTable, options) => {
-          createEvent('PricingTable', 'pricing_table.created', model, options).catch(console.error);
-        },
-        afterUpdate: (model: PricingTable, options) => {
-          createEvent('PricingTable', 'pricing_table.updated', model, options).catch(console.error);
-        },
-        afterDestroy: (model: PricingTable, options) => {
-          createEvent('PricingTable', 'pricing_table.deleted', model, options).catch(console.error);
-        },
+    this.init(
+      {
+        ...PricingTable.GENESIS_ATTRIBUTES,
+        instance_did: { type: DataTypes.STRING(64), allowNull: true, defaultValue: () => getInstanceDid() },
       },
-    });
+      {
+        sequelize,
+        modelName: 'PricingTable',
+        tableName: 'pricing_tables',
+        createdAt: 'created_at',
+        updatedAt: 'updated_at',
+        hooks: {
+          afterCreate: (model: PricingTable, options) => {
+            createEvent('PricingTable', 'pricing_table.created', model, options).catch(reportAuditFailure);
+          },
+          afterUpdate: (model: PricingTable, options) => {
+            createEvent('PricingTable', 'pricing_table.updated', model, options).catch(reportAuditFailure);
+          },
+          afterDestroy: (model: PricingTable, options) => {
+            createEvent('PricingTable', 'pricing_table.deleted', model, options).catch(reportAuditFailure);
+          },
+        },
+      }
+    );
   }
 
   public static associate() {