payment-kit 1.29.1 → 1.29.2

package/api/src/store/sql-migrations.ts

@@ -0,0 +1,20 @@
+/* eslint-disable */
+// AUTO-GENERATED — do not edit by hand.
+// Source: cloudflare/migrations/*.sql · Regenerate: node scripts/gen-sql-migrations.js
+//
+// The D1 SQL migration lineage (Path A), inlined so it is bundled into the
+// published @arcblock/payment-service dist. Apply via applyPaymentCoreMigrations()
+// (drivers barrel) or applySqlMigrations(driver, paymentCoreSqlMigrations).
+import type { SqlMigration } from '../libs/drivers/migrate-runner';
+
+export const paymentCoreSqlMigrations: SqlMigration[] = [
+  { name: "0001_initial_schema.sql", sql: "-- Payment Kit: Complete D1 schema\n-- All statements use IF NOT EXISTS for idempotency.\n\nCREATE TABLE IF NOT EXISTS `archive_locks` (`id` VARCHAR(40) NOT NULL PRIMARY KEY, `locked_by` VARCHAR(64), `locked_at` INTEGER, `expires_at` INTEGER, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `archive_metadata` (`id` VARCHAR(40) NOT NULL PRIMARY KEY, `archive_file` VARCHAR(128) NOT NULL, `date_range_start` INTEGER NOT NULL, `date_range_end` INTEGER NOT NULL, `tables` JSON NOT NULL DEFAULT '{}', `total_records` INTEGER NOT NULL DEFAULT 0, `checksum` VARCHAR(128), `file_size` INTEGER, `duration_ms` INTEGER, `triggered_by` TEXT NOT NULL, `triggered_by_user_id` VARCHAR(64), `status` TEXT NOT NULL, `error` TEXT, `query_count` INTEGER NOT NULL DEFAULT 0, `query_actor_ids` JSON DEFAULT '[]', `last_queried_at` INTEGER, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `auto_recharge_configs` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `customer_id` VARCHAR(18) NOT NULL REFERENCES `customers` (`id`), `livemode` TINYINT(1) NOT NULL, `enabled` TINYINT(1) NOT NULL DEFAULT 0, `threshold` VARCHAR(32) NOT NULL, `payment_method_id` VARCHAR(15), `currency_id` VARCHAR(15) NOT NULL, `recharge_currency_id` VARCHAR(15), `price_id` VARCHAR(32) NOT NULL, `quantity` INTEGER NOT NULL DEFAULT 1, `payment_settings` JSON DEFAULT '{\"payment_method_types\":[],\"payment_method_options\":{}}', `payment_details` JSON, `daily_limits` JSON DEFAULT '{\"max_attempts\":0,\"max_amount\":\"0\"}', `last_recharge_date` VARCHAR(10), `daily_stats` JSON NOT NULL DEFAULT '{\"attempt_count\":0,\"total_amount\":\"0\"}', `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `slippage_config` JSON);\n\nCREATE TABLE IF NOT EXISTS `checkout_sessions` (`id` VARCHAR(64) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `client_reference_id` VARCHAR(128), `currency_id` VARCHAR(15) NOT NULL, `invoice_id` VARCHAR(30), `customer_id` VARCHAR(30), `customer_did` VARCHAR(40), `payment_link_id` VARCHAR(30), `subscription_id` VARCHAR(30), `recovered_from` VARCHAR(30), `payment_intent_id` VARCHAR(30), `mode` TEXT NOT NULL, `status` TEXT NOT NULL, `payment_status` TEXT NOT NULL, `line_items` JSON NOT NULL, `amount_subtotal` VARCHAR(32) NOT NULL, `amount_total` VARCHAR(32) NOT NULL, `total_details` JSON NOT NULL, `url` VARCHAR(512), `cancel_url` VARCHAR(512), `success_url` VARCHAR(512), `currency_conversion` JSON, `after_expiration` JSON, `allow_promotion_codes` TINYINT(1) DEFAULT 0, `consent_collection` JSON, `consent` JSON, `custom_fields` JSON DEFAULT '[]', `custom_text` JSON, `customer_creation` TEXT NOT NULL, `customer_update` JSON DEFAULT '{\"address\":\"never\",\"name\":\"never\",\"shipping\":\"never\"}', `expires_at` INTEGER, `invoice_creation` JSON, `payment_method_types` JSON DEFAULT '[]', `phone_number_collection` JSON, `billing_address_collection` TEXT NOT NULL DEFAULT 'auto', `submit_type` TEXT NOT NULL, `subscription_data` JSON, `payment_details` JSON, `metadata` JSON, `created_at` DATETIME NOT NULL, `created_via` TEXT, `updated_at` DATETIME NOT NULL, `nft_mint_settings` JSON, `payment_intent_data` JSON, `nft_mint_details` JSON, `nft_mint_status` TEXT NOT NULL DEFAULT 'disabled', `cross_sell_behavior` TEXT DEFAULT 'auto', `setup_intent_id` VARCHAR(30), `enable_subscription_grouping` TINYINT(1) DEFAULT 0, `subscription_groups` JSON, `success_subscription_count` INTEGER DEFAULT 0, \"discounts\" JSON, `fulfillment_status` VARCHAR(255), `vendor_info` JSON, `slippage_percent` DECIMAL(5,2) NOT NULL DEFAULT 0.5);\n\nCREATE TABLE IF NOT EXISTS `coupons` (`id` VARCHAR(15) NOT NULL UNIQUE PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `amount_off` VARCHAR(32) DEFAULT '0', `percent_off` INTEGER DEFAULT '0', `currency_id` VARCHAR(15) NOT NULL, `duration` TEXT, `duration_in_months` INTEGER NOT NULL, `name` VARCHAR(64) NOT NULL, `applies_to` JSON, `currency_options` JSON DEFAULT '{}', `max_redemptions` INTEGER, `times_redeemed` INTEGER DEFAULT '0', `valid` TINYINT(1) DEFAULT 0, `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `created_via` TEXT, `locked` TINYINT(1) NOT NULL DEFAULT 0, `redeem_by` INTEGER, `redeem_by_new` INTEGER, `description` TEXT);\n\nCREATE TABLE IF NOT EXISTS `credit_grants` (`id` VARCHAR(18) NOT NULL PRIMARY KEY, `object` VARCHAR(32) NOT NULL DEFAULT 'credit_grant', `amount` VARCHAR(32) NOT NULL, `currency_id` VARCHAR(15) NOT NULL, `applicability_config` JSON, `category` TEXT NOT NULL, `customer_id` VARCHAR(18) NOT NULL, `effective_at` INTEGER, `expires_at` INTEGER, `livemode` TINYINT(1) NOT NULL, `metadata` JSON, `name` VARCHAR(255), `priority` INTEGER NOT NULL DEFAULT 50, `test_clock` VARCHAR(32), `voided_at` INTEGER, `status` TEXT NOT NULL DEFAULT 'granted', `remaining_amount` VARCHAR(32) NOT NULL, `created_by` VARCHAR(40), `updated_by` VARCHAR(40), `created_via` TEXT NOT NULL, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `chain_status` TEXT, `chain_detail` JSON);\n\nCREATE TABLE IF NOT EXISTS `credit_transactions` (`id` VARCHAR(18) NOT NULL PRIMARY KEY, `quantity` VARCHAR(32) NOT NULL, `credit_amount` VARCHAR(32) NOT NULL, `remaining_balance` VARCHAR(32) NOT NULL, `customer_id` VARCHAR(18) NOT NULL, `credit_grant_id` VARCHAR(18) NOT NULL, `meter_id` VARCHAR(18), `subscription_id` VARCHAR(18), `source` VARCHAR(255), `meter_event_name` VARCHAR(128) NOT NULL, `meter_unit` VARCHAR(32) NOT NULL, `description` TEXT, `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `transfer_status` TEXT, `transfer_hash` VARCHAR(255));\n\nCREATE TABLE IF NOT EXISTS `customers` (`id` VARCHAR(18) NOT NULL UNIQUE PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `did` VARCHAR(40) NOT NULL, `address` JSON, `description` VARCHAR(512), `name` VARCHAR(64), `email` VARCHAR(128), `phone` VARCHAR(32), `shipping` JSON, `balance` VARCHAR(32) DEFAULT '0', `currency_id` VARCHAR(15), `delinquent` TINYINT(1) NOT NULL, `discount_id` VARCHAR(32), `metadata` JSON, `invoice_credit_balance` JSON, `invoice_prefix` VARCHAR(30), `invoice_settings` JSON, `next_invoice_sequence` NUMBER DEFAULT '1', `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `token_balance` JSON DEFAULT '\"{}\"', `last_sync_at` INTEGER, `preference` JSON DEFAULT '\"{\\\"notification\\\":{\\\"frequency\\\":\\\"monthly\\\",\\\"schedule\\\":{\\\"time\\\":\\\"10:00\\\",\\\"date\\\":1}}}\"');\n\nCREATE TABLE IF NOT EXISTS `discounts` (`id` VARCHAR(15) NOT NULL UNIQUE PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `coupon_id` VARCHAR(30) NOT NULL, `customer_id` VARCHAR(30) NOT NULL, `promotion_code_id` VARCHAR(30), `subscription_id` VARCHAR(30), `checkout_session_id` VARCHAR(30), `invoice_id` VARCHAR(30), `invoice_item_id` VARCHAR(30), `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `verification_method` VARCHAR(50), `verification_data` JSON, `start` INTEGER NOT NULL, `end` INTEGER, `confirmed` TINYINT(1) NOT NULL DEFAULT 1);\n\nCREATE TABLE IF NOT EXISTS `events` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `type` VARCHAR(128) NOT NULL, `object_type` VARCHAR(64) NOT NULL, `object_id` VARCHAR(64) NOT NULL, `data` JSON NOT NULL, `request` JSON, `pending_webhooks` INTEGER NOT NULL DEFAULT 0, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `exchange_rate_providers` (`id` VARCHAR(32) NOT NULL PRIMARY KEY, `name` VARCHAR(64) NOT NULL UNIQUE, `enabled` TINYINT(1) NOT NULL DEFAULT 1, `priority` INTEGER NOT NULL DEFAULT 1, `status` TEXT NOT NULL DEFAULT 'active', `paused_reason` VARCHAR(512), `config` JSON, `last_success_at` DATETIME, `last_failure_at` DATETIME, `failure_count` INTEGER NOT NULL DEFAULT 0, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `type` VARCHAR(32) NOT NULL DEFAULT 'token-data');\n\nCREATE TABLE IF NOT EXISTS `invoice_items` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `amount` VARCHAR(32) NOT NULL, `quantity` INTEGER NOT NULL, `description` VARCHAR(256) NOT NULL, `period` JSON, `customer_id` VARCHAR(18) NOT NULL, `currency_id` VARCHAR(15) NOT NULL, `price_id` VARCHAR(30) NOT NULL, `invoice_id` VARCHAR(30) NOT NULL, `subscription_id` VARCHAR(30), `subscription_item_id` VARCHAR(30), `discountable` TINYINT(1) NOT NULL, `discount_amounts` JSON DEFAULT '[]', `discounts` JSON DEFAULT '[]', `proration` TINYINT(1) DEFAULT 0, `proration_details` JSON, `metadata` JSON DEFAULT '{}', `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `tax_rate_id` VARCHAR(30));\n\nCREATE TABLE IF NOT EXISTS `invoices` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `auto_advance` TINYINT(1) NOT NULL, `account_country` VARCHAR(64), `account_name` VARCHAR(64), `charge_id` VARCHAR(30), `collection_method` TEXT NOT NULL, `currency_id` VARCHAR(15) NOT NULL, `customer_id` VARCHAR(18) NOT NULL, `description` VARCHAR(512), `hosted_invoice_url` VARCHAR(512), `payment_intent_id` VARCHAR(30), `period_end` INTEGER DEFAULT 0, `period_start` INTEGER DEFAULT 0, `status` TEXT NOT NULL, `checkout_session_id` VARCHAR(64), `subscription_id` VARCHAR(30), `subscription_details` JSON DEFAULT '{}', `subscription_proration_date` INTEGER, `total` VARCHAR(32) NOT NULL, `subtotal` VARCHAR(32) NOT NULL, `subtotal_excluding_tax` VARCHAR(32) NOT NULL, `tax` VARCHAR(32) DEFAULT '0', `amount_due` VARCHAR(32) NOT NULL, `amount_paid` VARCHAR(32) DEFAULT '0', `amount_remaining` VARCHAR(32) NOT NULL, `amount_shipping` VARCHAR(32) DEFAULT '0', `attempt_count` INTEGER DEFAULT 0, `attempted` TINYINT(1) DEFAULT 0, `next_payment_attempt` INTEGER, `billing_reason` TEXT, `custom_fields` JSON DEFAULT '[]', `customer_address` JSON, `customer_name` VARCHAR(64), `customer_email` VARCHAR(128), `customer_phone` VARCHAR(32), `customer_shipping` JSON, `default_payment_method_id` VARCHAR(30), `discounts` JSON DEFAULT '[]', `due_date` INTEGER, `effective_at` INTEGER, `ending_balance` VARCHAR(32) DEFAULT '0', `footer` VARCHAR(512), `from_invoice_id` VARCHAR(30), `invoice_pdf` VARCHAR(512), `last_finalization_error` JSON, `latest_revision` VARCHAR(30), `number` VARCHAR(64), `paid` TINYINT(1) DEFAULT 0, `paid_out_of_band` TINYINT(1) DEFAULT 0, `payment_settings` JSON, `post_payment_credit_notes_amount` VARCHAR(32) DEFAULT '0', `pre_payment_credit_notes_amount` VARCHAR(32) DEFAULT '0', `quote_id` VARCHAR(30), `receipt_number` VARCHAR(64), `days_until_due` NUMBER, `rendering_options` JSON, `starting_balance` VARCHAR(32) DEFAULT '0', `statement_descriptor` VARCHAR(64), `status_transitions` JSON DEFAULT '{}', `test_clock_id` VARCHAR(30), `threshold_reason` JSON, `total_discount_amounts` JSON DEFAULT '[]', `webhooks_delivered_at` INTEGER, `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `starting_token_balance` JSON DEFAULT '\"{}\"', `ending_token_balance` JSON DEFAULT '\"{}\"');\n\nCREATE TABLE IF NOT EXISTS `jobs` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `queue` VARCHAR(32) NOT NULL, `job` JSON NOT NULL, `retry_count` INTEGER DEFAULT 0, `delay` INTEGER DEFAULT -1, `will_run_at` INTEGER DEFAULT -1, `cancelled` TINYINT(1) DEFAULT 0, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `locks` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `lock_at` INTEGER DEFAULT 0, `release_at` INTEGER DEFAULT -1, `reason` VARCHAR(255), `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `meter_events` (`id` VARCHAR(18) NOT NULL PRIMARY KEY, `event_name` VARCHAR(128) NOT NULL, `timestamp` INTEGER NOT NULL, `payload` JSON NOT NULL, `identifier` VARCHAR(255) NOT NULL UNIQUE, `livemode` TINYINT(1) NOT NULL, `status` TEXT NOT NULL DEFAULT 'pending', `attempt_count` INTEGER NOT NULL DEFAULT 0, `next_attempt` INTEGER, `processed_at` INTEGER, `credit_consumed` VARCHAR(40) NOT NULL DEFAULT '0', `credit_pending` VARCHAR(40) NOT NULL DEFAULT '0', `metadata` JSON, `created_by` VARCHAR(40), `created_via` TEXT NOT NULL, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `source_data` JSON);\n\nCREATE TABLE IF NOT EXISTS `meters` (`id` VARCHAR(18) NOT NULL PRIMARY KEY, `object` VARCHAR(32) NOT NULL DEFAULT 'meter', `name` VARCHAR(255) NOT NULL, `event_name` VARCHAR(128) NOT NULL UNIQUE, `aggregation_method` TEXT NOT NULL DEFAULT 'sum', `status` TEXT NOT NULL DEFAULT 'active', `unit` VARCHAR(32) NOT NULL, `description` TEXT, `component_did` VARCHAR(40), `currency_id` VARCHAR(40), `livemode` TINYINT(1) NOT NULL, `metadata` JSON, `created_by` VARCHAR(40), `updated_by` VARCHAR(40), `created_via` TEXT NOT NULL, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `payment_currencies` (`id` VARCHAR(15) NOT NULL PRIMARY KEY, `active` TINYINT(1) NOT NULL, `livemode` TINYINT(1) NOT NULL, `locked` TINYINT(1) DEFAULT 0, `is_base_currency` TINYINT(1) DEFAULT 0, `payment_method_id` VARCHAR(30) NOT NULL, `name` VARCHAR(64) NOT NULL, `description` VARCHAR(512), `logo` VARCHAR(512) NOT NULL, `symbol` VARCHAR(16) NOT NULL, `decimal` NUMBER DEFAULT 2, `maximum_precision` NUMBER DEFAULT 6, `minimum_payment_amount` VARCHAR(32) DEFAULT '0', `maximum_payment_amount` VARCHAR(32) DEFAULT '0', `contract` VARCHAR(256), `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `vault_config` JSON, `type` TEXT NOT NULL DEFAULT 'standard', `recharge_config` JSON, `token_config` JSON);\n\nCREATE TABLE IF NOT EXISTS `payment_intents` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `amount` VARCHAR(32) NOT NULL, `amount_received` VARCHAR(32), `amount_capturable` VARCHAR(32), `amount_details` JSON, `currency_id` VARCHAR(16) NOT NULL, `customer_id` VARCHAR(30), `description` VARCHAR(512), `last_payment_error` JSON, `last_charge` VARCHAR(30), `metadata` JSON, `invoice_id` VARCHAR(30), `payment_method_id` VARCHAR(30) NOT NULL, `receipt_email` VARCHAR(255), `statement_descriptor` VARCHAR(32), `statement_descriptor_suffix` VARCHAR(32), `status` TEXT NOT NULL, `canceled_at` DATETIME, `cancellation_reason` TEXT, `capture_method` TEXT NOT NULL, `confirmation_method` TEXT NOT NULL, `payment_method_types` JSON DEFAULT '[]', `review` VARCHAR(30), `payment_details` JSON, `setup_future_usage` TEXT, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `beneficiaries` JSON, `quote_locked_at` DATETIME);\n\nCREATE TABLE IF NOT EXISTS `payment_links` (`id` VARCHAR(40) NOT NULL UNIQUE PRIMARY KEY, `active` TINYINT(1) NOT NULL, `livemode` TINYINT(1) NOT NULL, `line_items` JSON DEFAULT '[]', `name` VARCHAR(255), `currency_id` VARCHAR(16), `after_completion` JSON DEFAULT '{\"type\":\"hosted_confirmation\"}', `allow_promotion_codes` TINYINT(1) DEFAULT 0, `consent_collection` JSON, `custom_fields` JSON DEFAULT '[]', `custom_text` JSON, `customer_creation` TEXT NOT NULL, `invoice_creation` JSON, `payment_method_types` JSON DEFAULT '[]', `phone_number_collection` JSON, `billing_address_collection` TEXT NOT NULL DEFAULT 'auto', `submit_type` TEXT NOT NULL, `subscription_data` JSON, `metadata` JSON, `created_at` DATETIME NOT NULL, `created_via` TEXT, `updated_at` DATETIME NOT NULL, `nft_mint_settings` JSON, `cross_sell_behavior` TEXT DEFAULT 'auto', `donation_settings` JSON, `beneficiaries` JSON, `enable_subscription_grouping` TINYINT(1) DEFAULT 0, `lookup_key` VARCHAR(128));\n\nCREATE TABLE IF NOT EXISTS `payment_methods` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `active` TINYINT(1) NOT NULL, `livemode` TINYINT(1) NOT NULL, `locked` TINYINT(1) DEFAULT 0, `type` TEXT, `name` VARCHAR(64), `description` VARCHAR(512), `logo` VARCHAR(512), `default_currency_id` VARCHAR(15), `confirmation` JSON NOT NULL, `settings` JSON NOT NULL, `features` JSON NOT NULL, `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `payment_stats` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `timestamp` INTEGER DEFAULT 0, `currency_id` VARCHAR(16) NOT NULL, `amount_paid` VARCHAR(64) DEFAULT '0', `amount_payout` VARCHAR(64) DEFAULT '0', `amount_refund` VARCHAR(64) DEFAULT '0', `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `payouts` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `automatic` TINYINT(1) NOT NULL, `description` VARCHAR(512), `amount` VARCHAR(32) NOT NULL, `destination` VARCHAR(512) NOT NULL, `payment_details` JSON, `currency_id` VARCHAR(16) NOT NULL, `customer_id` VARCHAR(30), `payment_intent_id` VARCHAR(16) NOT NULL, `payment_method_id` VARCHAR(30), `metadata` JSON, `status` TEXT NOT NULL, `failure_message` VARCHAR(256), `failure_code` TEXT, `attempt_count` INTEGER DEFAULT 0, `attempted` TINYINT(1) DEFAULT 0, `next_attempt` INTEGER, `last_attempt_error` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `vendor_info` JSON);\n\nCREATE TABLE IF NOT EXISTS `price_quotes` (`id` VARCHAR(32) NOT NULL PRIMARY KEY, `price_id` VARCHAR(32) NOT NULL, `session_id` VARCHAR(32), `invoice_id` VARCHAR(32), `idempotency_key` VARCHAR(128) NOT NULL UNIQUE, `base_currency` VARCHAR(8) NOT NULL DEFAULT 'USD', `base_amount` VARCHAR(32) NOT NULL, `target_currency_id` VARCHAR(16) NOT NULL, `rate_currency_symbol` VARCHAR(16) NOT NULL, `exchange_rate` VARCHAR(32) NOT NULL, `quoted_amount` VARCHAR(64) NOT NULL, `rate_provider_id` VARCHAR(32) NOT NULL, `rate_provider_name` VARCHAR(64) NOT NULL, `rate_timestamp_ms` BIGINT NOT NULL, `expires_at` INTEGER NOT NULL, `status` TEXT NOT NULL DEFAULT 'active', `metadata` JSON, `created_at` DATETIME NOT NULL, `slippage_percent` DECIMAL(5,2), `max_payable_token` VARCHAR(64), `min_acceptable_rate` VARCHAR(32), `slippage_derived_at_ms` BIGINT);\n\nCREATE TABLE IF NOT EXISTS `prices` (`id` VARCHAR(32) NOT NULL PRIMARY KEY, `product_id` VARCHAR(32) NOT NULL, `nickname` VARCHAR(512), `active` TINYINT(1) NOT NULL, `livemode` TINYINT(1) NOT NULL, `locked` TINYINT(1) DEFAULT 0, `type` TEXT NOT NULL, `billing_scheme` TEXT NOT NULL, `unit_amount` VARCHAR(32) NOT NULL, `recurring` JSON, `tiers_mode` TEXT, `tiers` JSON, `custom_unit_amount` JSON, `lookup_key` VARCHAR(128), `metadata` JSON, `transform_quantity` JSON, `currency_id` VARCHAR(16), `currency_options` JSON DEFAULT '[]', `created_at` DATETIME NOT NULL, `created_via` TEXT, `updated_at` DATETIME NOT NULL, `upsell` JSON, `quantity_available` INTEGER NOT NULL DEFAULT 0, `quantity_sold` INTEGER NOT NULL DEFAULT 0, `quantity_limit_per_checkout` INTEGER NOT NULL DEFAULT 0, `tax_behavior` TEXT NOT NULL DEFAULT 'inclusive', `pricing_type` TEXT NOT NULL DEFAULT 'fixed', `base_currency` VARCHAR(8), `base_amount` VARCHAR(32), `dynamic_pricing_config` JSON);\n\nCREATE TABLE IF NOT EXISTS `pricing_tables` (`id` VARCHAR(42) NOT NULL PRIMARY KEY, `active` TINYINT(1) NOT NULL, `livemode` TINYINT(1) NOT NULL, `locked` TINYINT(1) NOT NULL, `name` VARCHAR(255), `items` JSON DEFAULT '[]', `branding_settings` JSON NOT NULL, `metadata` JSON, `created_at` DATETIME NOT NULL, `created_via` TEXT, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `product_vendors` (`id` STRING NOT NULL UNIQUE PRIMARY KEY, `vendor_key` STRING NOT NULL, `name` STRING NOT NULL, `description` TEXT, `app_url` STRING NOT NULL, `app_pid` STRING NOT NULL, `app_logo` STRING, `status` STRING NOT NULL DEFAULT 'active', `metadata` JSON DEFAULT '{}', `created_by` STRING, `created_at` DATE NOT NULL DEFAULT 'CURRENT_TIMESTAMP', `updated_at` DATE NOT NULL DEFAULT 'CURRENT_TIMESTAMP', `vendor_type` STRING NOT NULL DEFAULT 'launcher', `vendor_did` STRING, `extends` JSON);\n\nCREATE TABLE IF NOT EXISTS `products` (`id` VARCHAR(18) NOT NULL PRIMARY KEY, `active` TINYINT(1) NOT NULL, `livemode` TINYINT(1) NOT NULL, `locked` TINYINT(1) DEFAULT 0, `type` TEXT, `name` VARCHAR(512), `description` VARCHAR(2048), `images` JSON DEFAULT '[]', `features` JSON DEFAULT '[]', `unit_label` VARCHAR(32), `default_price_id` VARCHAR(32), `metadata` JSON, `statement_descriptor` VARCHAR(32), `nft_factory` VARCHAR(40), `created_at` DATETIME NOT NULL, `created_via` TEXT, `updated_at` DATETIME NOT NULL, `cross_sell` JSON, `vendor_config` JSON, `tax_code` VARCHAR(20));\n\nCREATE TABLE IF NOT EXISTS `promotion_codes` (`id` VARCHAR(30) NOT NULL UNIQUE PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `active` TINYINT(1) DEFAULT 1, `code` VARCHAR(16) NOT NULL, `coupon_id` VARCHAR(30), `max_redemptions` INTEGER, `restrictions` JSON DEFAULT '{}', `customer_id` VARCHAR(30), `times_redeemed` INTEGER DEFAULT '0', `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `verification_type` TEXT NOT NULL DEFAULT 'code', `nft_config` JSON, `vc_config` JSON, `customer_dids` JSON, `created_via` TEXT, `locked` TINYINT(1) NOT NULL DEFAULT 0, `expires_at` INTEGER, `expires_at_new` INTEGER, `description` TEXT);\n\nCREATE TABLE IF NOT EXISTS `refunds` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `description` VARCHAR(512), `livemode` TINYINT(1) NOT NULL, `amount` VARCHAR(32) NOT NULL, `payment_details` JSON, `currency_id` VARCHAR(16) NOT NULL, `customer_id` VARCHAR(30), `payment_intent_id` VARCHAR(16) NOT NULL, `invoice_id` VARCHAR(30), `subscription_id` VARCHAR(30), `metadata` JSON, `status` TEXT NOT NULL, `reason` TEXT, `failure_reason` TEXT, `attempt_count` INTEGER DEFAULT 0, `attempted` TINYINT(1) DEFAULT 0, `next_attempt` INTEGER, `last_attempt_error` JSON, `starting_balance` VARCHAR(32) DEFAULT '0', `ending_balance` VARCHAR(32) DEFAULT '0', `starting_token_balance` JSON DEFAULT '{}', `ending_token_balance` JSON DEFAULT '{}', `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `payment_method_id` VARCHAR(30), `type` TEXT DEFAULT 'refund');\n\nCREATE TABLE IF NOT EXISTS `revenue_snapshots` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `currency_id` VARCHAR(16) NOT NULL, `timestamp` INTEGER NOT NULL, `period_type` TEXT NOT NULL DEFAULT 'monthly', `total_revenue` VARCHAR(64) DEFAULT '0', `refund_amount` VARCHAR(64) DEFAULT '0', `promotion_cost` VARCHAR(64) DEFAULT '0', `credit_grant_cost` VARCHAR(64) DEFAULT '0', `vendor_cost` VARCHAR(64) DEFAULT '0', `taxed_revenue` VARCHAR(64) DEFAULT '0', `net_revenue` VARCHAR(64) DEFAULT '0', `archive_metadata_id` VARCHAR(40), `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `settings` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `active` TINYINT(1) NOT NULL DEFAULT 1, `type` VARCHAR(64) NOT NULL, `mount_location` VARCHAR(255) NOT NULL, `component_did` VARCHAR(255), `description` VARCHAR(255) NOT NULL, `settings` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `setup_intents` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `currency_id` VARCHAR(16) NOT NULL, `customer_id` VARCHAR(30), `description` VARCHAR(512), `last_setup_error` JSON, `last_attempt` VARCHAR(30), `metadata` JSON, `status` TEXT NOT NULL, `usage` TEXT NOT NULL, `canceled_at` INTEGER, `cancellation_reason` TEXT, `flow_directions` JSON DEFAULT '[\"inbound\",\"outbound\"]', `payment_method_types` JSON DEFAULT '[]', `payment_method_options` JSON, `payment_method_id` VARCHAR(30) NOT NULL, `setup_details` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `subscription_items` (`id` VARCHAR(18) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `subscription_id` VARCHAR(30) NOT NULL, `price_id` VARCHAR(30) NOT NULL, `quantity` INTEGER, `metadata` JSON, `billing_threshold` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `subscription_schedules` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `current_phase` JSON NOT NULL, `customer_id` VARCHAR(30) NOT NULL, `subscription_id` VARCHAR(30) NOT NULL, `released_subscription_id` VARCHAR(30), `status` TEXT NOT NULL, `default_settings` JSON, `end_behavior` TEXT NOT NULL, `test_clock_id` VARCHAR(30), `metadata` JSON, `canceled_at` INTEGER, `completed_at` INTEGER, `released_at` INTEGER, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `subscriptions` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `currency_id` VARCHAR(15) NOT NULL, `customer_id` VARCHAR(18) NOT NULL, `cancel_at_period_end` TINYINT(1) NOT NULL, `current_period_end` INTEGER NOT NULL, `current_period_start` INTEGER NOT NULL, `default_payment_method_id` VARCHAR(30), `description` VARCHAR(512), `latest_invoice_id` VARCHAR(30), `pending_setup_intent` VARCHAR(30), `pending_update` JSON, `status` TEXT NOT NULL, `cancel_at` INTEGER, `canceled_at` INTEGER, `cancelation_details` JSON, `billing_cycle_anchor` INTEGER NOT NULL, `billing_thresholds` JSON, `collection_method` TEXT NOT NULL, `days_until_due` NUMBER, `discount_id` VARCHAR(30), `next_pending_invoice_item_invoice_id` VARCHAR(30), `pause_collection` JSON, `payment_settings` JSON, `pending_invoice_item_interval` JSON NOT NULL, `schedule_id` VARCHAR(30), `end_at` INTEGER, `start_date` INTEGER NOT NULL, `payment_details` JSON, `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `proration_behavior` TEXT DEFAULT 'none', `payment_behavior` TEXT DEFAULT 'default_incomplete', `days_until_cancel` NUMBER, `service_actions` JSON DEFAULT '\"[]\"', `trial_start` INTEGER, `trial_end` INTEGER, `trial_settings` JSON, `recovered_from` VARCHAR(40), `overdraft_protection` JSON DEFAULT '\"{\\\"enabled\\\":false,\\\"payment_method_id\\\":null,\\\"payment_details\\\":null}\"', `credit_schedule_state` JSON DEFAULT NULL, `slippage_config` JSON);\n\nCREATE TABLE IF NOT EXISTS `tax_rates` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `active` TINYINT(1) DEFAULT 1, `country` VARCHAR(2) NOT NULL, `state` VARCHAR(50), `postal_code` VARCHAR(20), `tax_code` VARCHAR(20), `percentage` DECIMAL(5,4) NOT NULL, `display_name` VARCHAR(100) NOT NULL, `description` VARCHAR(500), `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `usage_records` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `timestamp` INTEGER NOT NULL, `quantity` BIGINT NOT NULL, `subscription_item_id` VARCHAR(30) NOT NULL, `metadata` JSON, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL, `billed` TINYINT(1) DEFAULT 0);\n\nCREATE TABLE IF NOT EXISTS `webhook_attempts` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `event_id` VARCHAR(30) NOT NULL, `webhook_endpoint_id` VARCHAR(30) NOT NULL, `status` TEXT NOT NULL, `response_status` INTEGER NOT NULL, `response_body` JSON NOT NULL, `retry_count` INTEGER DEFAULT 0, `created_at` DATETIME NOT NULL, `updated_at` DATETIME NOT NULL);\n\nCREATE TABLE IF NOT EXISTS `webhook_endpoints` (`id` VARCHAR(30) NOT NULL PRIMARY KEY, `livemode` TINYINT(1) NOT NULL, `api_version` VARCHAR(16) NOT NULL, `url` VARCHAR(512) NOT NULL, `description` VARCHAR(512), `enabled_events` JSON NOT NULL, `metadata` JSON, `status` TEXT NOT NULL, `created_at` DATETIME NOT NULL, `created_via` TEXT, `updated_at` DATETIME NOT NULL);\n" },
+  { name: "0002_indexes.sql", sql: "-- Payment Kit: All indexes\n-- Matches the indexes from the original Sequelize migrations.\n\nCREATE INDEX IF NOT EXISTS `idx_auto_recharge_configs_currency_id` ON `auto_recharge_configs` (`currency_id`);\nCREATE INDEX IF NOT EXISTS `idx_auto_recharge_configs_customer_id` ON `auto_recharge_configs` (`customer_id`);\nCREATE INDEX IF NOT EXISTS `idx_checkout_sessions_fulfillment_status` ON `checkout_sessions` (`fulfillment_status`);\nCREATE INDEX IF NOT EXISTS `idx_checkout_sessions_payment_intent` ON `checkout_sessions` (`payment_intent_id`);\nCREATE INDEX IF NOT EXISTS `idx_checkout_sessions_payment_link_status_livemode` ON `checkout_sessions` (`payment_link_id`, `status`, `livemode`);\nCREATE INDEX IF NOT EXISTS `idx_checkout_sessions_status` ON `checkout_sessions` (`status`);\nCREATE INDEX IF NOT EXISTS `idx_checkout_sessions_subscription` ON `checkout_sessions` (`subscription_id`);\nCREATE INDEX IF NOT EXISTS idx_credit_grant_stats_by_grantor ON credit_grants(json_extract(metadata, '$.granted_by'), currency_id, created_at) WHERE json_extract(metadata, '$.granted_by') IS NOT NULL;\nCREATE INDEX IF NOT EXISTS `idx_credit_grants_chain_status` ON `credit_grants` (`chain_status`);\nCREATE INDEX IF NOT EXISTS `idx_credit_grants_currency` ON `credit_grants` (`currency_id`);\nCREATE INDEX IF NOT EXISTS `idx_credit_grants_customer` ON `credit_grants` (`customer_id`);\nCREATE INDEX IF NOT EXISTS `idx_credit_grants_customer_currency_status` ON `credit_grants` (`customer_id`, `currency_id`, `status`);\nCREATE INDEX IF NOT EXISTS `idx_credit_grants_status` ON `credit_grants` (`status`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_created` ON `credit_transactions` (`created_at`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_customer_created` ON `credit_transactions` (`customer_id`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_event_created` ON `credit_transactions` (`meter_event_name`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_meter_created` ON `credit_transactions` (`meter_id`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_subscription_created` ON `credit_transactions` (`subscription_id`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_transfer_status` ON `credit_transactions` (`transfer_status`);\nCREATE INDEX IF NOT EXISTS `idx_customers_did` ON `customers` (`did`);\nCREATE INDEX IF NOT EXISTS `idx_erp_enabled_priority` ON `exchange_rate_providers` (`enabled`, `priority`);\nCREATE UNIQUE INDEX IF NOT EXISTS `idx_erp_name` ON `exchange_rate_providers` (`name`);\nCREATE INDEX IF NOT EXISTS `idx_events_object_id_created` ON `events` (`object_id`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_events_object_type_id_created` ON `events` (`object_type`, `object_id`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_events_type_created` ON `events` (`type`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_currency_id` ON `invoices` (`currency_id`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_customer_id` ON `invoices` (`customer_id`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_customer_total` ON `invoices` (`customer_id`, `total`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_items_invoice_id` ON `invoice_items` (`invoice_id`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_items_tax_rate_id_invoice_id` ON `invoice_items` (`tax_rate_id`, `invoice_id`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_status_collection` ON `invoices` (`status`, `collection_method`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_status_total` ON `invoices` (`status`, `total`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_subscription_id` ON `invoices` (`subscription_id`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_subtotal` ON `invoices` (`subtotal`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_total` ON `invoices` (`total`);\nCREATE INDEX IF NOT EXISTS `idx_invoices_created_at` ON `invoices` (`created_at`);\nCREATE INDEX IF NOT EXISTS `idx_invoices_status` ON `invoices` (`status`);\nCREATE INDEX IF NOT EXISTS `idx_jobs_cancelled_run_at` ON `jobs` (`cancelled`, `will_run_at`);\nCREATE INDEX IF NOT EXISTS `idx_jobs_queue_cancelled_run_at_delay` ON `jobs` (`queue`, `cancelled`, `will_run_at`, `delay`);\nCREATE INDEX IF NOT EXISTS `idx_jobs_queue_id` ON `jobs` (`queue`, `id`);\nCREATE INDEX IF NOT EXISTS `idx_jobs_queue_run_at` ON `jobs` (`queue`, `will_run_at`);\nCREATE INDEX IF NOT EXISTS idx_meter_events_customer_status ON meter_events(json_extract(payload, '$.customer_id'), status, livemode, created_at);\nCREATE INDEX IF NOT EXISTS `idx_meter_events_event_livemode_created` ON `meter_events` (`event_name`, `livemode`, `created_at`);\nCREATE INDEX IF NOT EXISTS `idx_meter_events_livemode_event_timestamp` ON `meter_events` (`livemode`, `event_name`, `timestamp`);\nCREATE INDEX IF NOT EXISTS `idx_meter_events_status_created` ON `meter_events` (`status`, `created_at`);\nCREATE INDEX IF NOT EXISTS idx_meter_events_subscription_status ON meter_events(json_extract(payload, '$.subscription_id'), status, livemode, created_at);\nCREATE INDEX IF NOT EXISTS `idx_meters_livemode_status` ON `meters` (`livemode`, `status`);\nCREATE INDEX IF NOT EXISTS `idx_payment_currencies_base_livemode` ON `payment_currencies` (`is_base_currency`, `livemode`);\nCREATE INDEX IF NOT EXISTS `idx_payment_intent_currency_id` ON `payment_intents` (`currency_id`);\nCREATE INDEX IF NOT EXISTS `idx_payment_intent_customer_id` ON `payment_intents` (`customer_id`);\nCREATE INDEX IF NOT EXISTS `idx_payment_intent_invoice_id` ON `payment_intents` (`invoice_id`);\nCREATE INDEX IF NOT EXISTS `idx_payment_intent_status_updated_at` ON `payment_intents` (`status`, `updated_at`);\nCREATE INDEX IF NOT EXISTS `idx_payment_stats_timestamp_currency_id` ON `payment_stats` (`timestamp`, `currency_id`);\nCREATE INDEX IF NOT EXISTS `idx_payouts_updated_at_status` ON `payouts` (`updated_at`, `status`);\nCREATE INDEX IF NOT EXISTS `idx_pq_created` ON `price_quotes` (`created_at`);\nCREATE INDEX IF NOT EXISTS `idx_pq_currency_created` ON `price_quotes` (`rate_currency_symbol`, `created_at`);\nCREATE UNIQUE INDEX IF NOT EXISTS `idx_pq_idempotency` ON `price_quotes` (`idempotency_key`);\nCREATE INDEX IF NOT EXISTS `idx_pq_invoice_status` ON `price_quotes` (`invoice_id`, `status`);\nCREATE INDEX IF NOT EXISTS `idx_pq_session_status_expires` ON `price_quotes` (`session_id`, `status`, `expires_at`);\nCREATE INDEX IF NOT EXISTS `idx_refunds_payment_intent_id_type` ON `refunds` (`payment_intent_id`, `type`);\nCREATE INDEX IF NOT EXISTS `idx_refunds_status_type_updated_at` ON `refunds` (`status`, `type`, `updated_at`);\nCREATE INDEX IF NOT EXISTS `idx_refunds_subscription_id_type` ON `refunds` (`subscription_id`, `type`);\nCREATE UNIQUE INDEX IF NOT EXISTS `idx_revenue_snapshots_unique` ON `revenue_snapshots` (`timestamp`, `currency_id`, `livemode`, `period_type`);\nCREATE INDEX IF NOT EXISTS `idx_subscription_item_subscription_id_price_id` ON `subscription_items` (`subscription_id`, `price_id`);\nCREATE INDEX IF NOT EXISTS `idx_subscription_period` ON `subscriptions` (`current_period_start`, `current_period_end`);\nCREATE INDEX IF NOT EXISTS `idx_subscription_status` ON `subscriptions` (`status`);\nCREATE INDEX IF NOT EXISTS `idx_subscriptions_customer_id` ON `subscriptions` (`customer_id`);\nCREATE INDEX IF NOT EXISTS `idx_usage_records_subscription_item_id_timestamp` ON `usage_records` (`subscription_item_id`, `timestamp`);\nCREATE INDEX IF NOT EXISTS `idx_webhook_attempts_event_id` ON `webhook_attempts` (`event_id`);\nCREATE INDEX IF NOT EXISTS `idx_webhook_attempts_webhook_endpoint_id` ON `webhook_attempts` (`webhook_endpoint_id`);\nCREATE INDEX IF NOT EXISTS `idx_webhook_endpoint_status_livemode` ON `webhook_endpoints` (`status`, `livemode`);\nCREATE INDEX IF NOT EXISTS `tax_rates_query_index` ON `tax_rates` (`country`, `state`, `postal_code`, `tax_code`);\n" },
+  { name: "0003_locks_and_constraints.sql", sql: "-- Distributed locks table for D1-based locking across CF Worker isolates\nCREATE TABLE IF NOT EXISTS _locks (\n  name TEXT PRIMARY KEY,\n  owner TEXT NOT NULL,\n  expires_at INTEGER NOT NULL\n);\n\n-- Unique index on Stripe invoice ID to prevent duplicate mirroring\nCREATE UNIQUE INDEX IF NOT EXISTS idx_invoices_stripe_id\n  ON invoices(json_extract(metadata, '$.stripe_id'))\n  WHERE json_extract(metadata, '$.stripe_id') IS NOT NULL;\n\n-- DID Connect token storage (D1 for strong consistency instead of KV)\nCREATE TABLE IF NOT EXISTS _did_connect_tokens (\n  token TEXT PRIMARY KEY,\n  data TEXT NOT NULL,\n  expires_at INTEGER NOT NULL\n);\n" },
+  { name: "0004_iap_foundation.sql", sql: "-- Payment Kit: IAP foundation\n-- Adds schema needed for App Store + Google Play subscription channels.\n-- Mirrors blocklets/core/api/src/store/migrations/20260526-iap-foundation.ts.\n--\n-- NOTE: SQLite does not support `ALTER TABLE ADD COLUMN IF NOT EXISTS`.\n-- Wrangler tracks applied migrations in the `d1_migrations` table and skips\n-- re-application by filename, so re-running this file via `wrangler d1\n-- migrations apply` is safe. Do not invoke via `wrangler d1 execute` more\n-- than once on the same database.\n\n-- 1. Customer: per-channel UUID for IAP appAccountToken / obfuscatedAccountId mapping (D-004)\nALTER TABLE customers ADD COLUMN app_store_uuid VARCHAR(36);\nALTER TABLE customers ADD COLUMN google_play_uuid VARCHAR(36);\nCREATE UNIQUE INDEX IF NOT EXISTS idx_customers_app_store_uuid\n  ON customers(app_store_uuid)\n  WHERE app_store_uuid IS NOT NULL;\nCREATE UNIQUE INDEX IF NOT EXISTS idx_customers_google_play_uuid\n  ON customers(google_play_uuid)\n  WHERE google_play_uuid IS NOT NULL;\n\n-- 2. Subscription: channel + environment (D-005)\nALTER TABLE subscriptions ADD COLUMN channel VARCHAR(20);\nALTER TABLE subscriptions ADD COLUMN environment VARCHAR(20) DEFAULT 'production';\n\n-- 3. Invoice: three-segment amounts (D-001 A)\nALTER TABLE invoices ADD COLUMN gross_amount VARCHAR(32);\nALTER TABLE invoices ADD COLUMN platform_fee VARCHAR(32) DEFAULT '0';\nALTER TABLE invoices ADD COLUMN net_amount VARCHAR(32);\nUPDATE invoices SET gross_amount = total, net_amount = total WHERE gross_amount IS NULL;\n\n-- 4. Refund: origin source (merchant_initiated | platform_initiated)\nALTER TABLE refunds ADD COLUMN source VARCHAR(30) DEFAULT 'merchant_initiated';\n\n-- 5. Entitlement tables (D-003 B)\nCREATE TABLE IF NOT EXISTS `entitlements` (\n  `id` VARCHAR(30) NOT NULL PRIMARY KEY,\n  `livemode` TINYINT(1) NOT NULL,\n  `key` VARCHAR(64) NOT NULL UNIQUE,\n  `name` VARCHAR(255),\n  `description` TEXT,\n  `metadata` JSON,\n  `created_at` DATETIME NOT NULL,\n  `updated_at` DATETIME NOT NULL\n);\nCREATE UNIQUE INDEX IF NOT EXISTS `idx_entitlements_key` ON `entitlements` (`key`);\n\nCREATE TABLE IF NOT EXISTS `entitlement_products` (\n  `entitlement_id` VARCHAR(30) NOT NULL,\n  `product_id` VARCHAR(30) NOT NULL,\n  `created_at` DATETIME NOT NULL,\n  `updated_at` DATETIME NOT NULL,\n  PRIMARY KEY (`entitlement_id`, `product_id`)\n);\n\nCREATE TABLE IF NOT EXISTS `entitlement_grants` (\n  `id` VARCHAR(30) NOT NULL PRIMARY KEY,\n  `livemode` TINYINT(1) NOT NULL,\n  `entitlement_id` VARCHAR(30) NOT NULL,\n  `customer_id` VARCHAR(18) NOT NULL,\n  `source_subscription_id` VARCHAR(30),\n  `source_channel` VARCHAR(20) NOT NULL,\n  `active_from` INTEGER NOT NULL,\n  `active_until` INTEGER NOT NULL,\n  `status` VARCHAR(20) NOT NULL DEFAULT 'active',\n  `metadata` JSON,\n  `created_at` DATETIME NOT NULL,\n  `updated_at` DATETIME NOT NULL\n);\nCREATE INDEX IF NOT EXISTS `idx_entitlement_grants_lookup`\n  ON `entitlement_grants` (`customer_id`, `entitlement_id`, `status`);\nCREATE INDEX IF NOT EXISTS `idx_entitlement_grants_source_sub`\n  ON `entitlement_grants` (`source_subscription_id`);\n" },
+  { name: "0005_iap_tenant_backfill.sql", sql: "-- Payment Kit: IAP multi-tenant backfill\n-- Backfills metadata.bundle_id / metadata.package_name on existing Prices and\n-- payment_details.app_store.bundle_id / payment_details.google_play.package_name\n-- on existing Subscriptions, so Payment Kit can be wired into multiple iOS /\n-- Android apps without same-SKU collisions across App Store / Play Console\n-- namespaces (each store's SKU space is per-app, not global).\n--\n-- Backend code already filters Price.findOne by (sku, bundle_id) / (sku,\n-- package_name); without this backfill, every pre-existing Price would stop\n-- resolving the moment the new lookup ships.\n--\n-- Safety: tenant value is DERIVED from the configured PaymentMethods (which\n-- store bundle_id / package_name as plain text under settings JSON — only\n-- private keys are encrypted). The migration deliberately refuses to guess in\n-- ambiguous setups:\n--\n--   * For Subscriptions we always use the sub's own\n--     `default_payment_method_id` to resolve the tenant, which is a 1:1 map —\n--     never ambiguous as long as the row points at a real PaymentMethod.\n--   * For Prices we update only when EXACTLY ONE active PaymentMethod of the\n--     matching type + livemode exists with a non-null tenant. Multi-tenant\n--     installations (two iOS apps sharing one Payment Kit, etc.) skip the\n--     Price backfill — admin must set bundle_id / package_name explicitly\n--     because the migration can't safely guess which app a Price belongs to.\n--\n-- Idempotent. The IS NULL guards make re-runs a no-op for already-backfilled\n-- rows, and the subquery filters skip rows that can't be resolved safely.\n\n-- 1. Prices with App Store SKU → set bundle_id (only when one active\n--    app_store PaymentMethod for the same livemode unambiguously identifies\n--    the tenant).\nUPDATE prices\nSET metadata = json_set(\n  metadata,\n  '$.bundle_id',\n  (SELECT json_extract(pm.settings, '$.app_store.bundle_id')\n   FROM payment_methods pm\n   WHERE pm.type = 'app_store'\n     AND pm.livemode = prices.livemode\n     AND pm.active = 1\n     AND json_extract(pm.settings, '$.app_store.bundle_id') IS NOT NULL\n   LIMIT 1)\n)\nWHERE json_extract(metadata, '$.app_store_product_id') IS NOT NULL\n  AND json_extract(metadata, '$.bundle_id') IS NULL\n  AND (\n    SELECT COUNT(*) FROM payment_methods pm\n    WHERE pm.type = 'app_store'\n      AND pm.livemode = prices.livemode\n      AND pm.active = 1\n      AND json_extract(pm.settings, '$.app_store.bundle_id') IS NOT NULL\n  ) = 1;\n\n-- 2. Prices with Google Play SKU → set package_name (same single-tenant guard).\nUPDATE prices\nSET metadata = json_set(\n  metadata,\n  '$.package_name',\n  (SELECT json_extract(pm.settings, '$.google_play.package_name')\n   FROM payment_methods pm\n   WHERE pm.type = 'google_play'\n     AND pm.livemode = prices.livemode\n     AND pm.active = 1\n     AND json_extract(pm.settings, '$.google_play.package_name') IS NOT NULL\n   LIMIT 1)\n)\nWHERE json_extract(metadata, '$.google_play_product_id') IS NOT NULL\n  AND json_extract(metadata, '$.package_name') IS NULL\n  AND (\n    SELECT COUNT(*) FROM payment_methods pm\n    WHERE pm.type = 'google_play'\n      AND pm.livemode = prices.livemode\n      AND pm.active = 1\n      AND json_extract(pm.settings, '$.google_play.package_name') IS NOT NULL\n  ) = 1;\n\n-- 3. App Store Subscriptions → set payment_details.app_store.bundle_id from\n--    the sub's own default_payment_method (1:1 — always safe).\nUPDATE subscriptions\nSET payment_details = json_set(\n  payment_details,\n  '$.app_store.bundle_id',\n  (SELECT json_extract(pm.settings, '$.app_store.bundle_id')\n   FROM payment_methods pm\n   WHERE pm.id = subscriptions.default_payment_method_id)\n)\nWHERE channel = 'app_store'\n  AND json_extract(payment_details, '$.app_store.bundle_id') IS NULL\n  AND default_payment_method_id IS NOT NULL\n  AND (\n    SELECT json_extract(pm.settings, '$.app_store.bundle_id')\n    FROM payment_methods pm\n    WHERE pm.id = subscriptions.default_payment_method_id\n  ) IS NOT NULL;\n\n-- 4. Google Play Subscriptions → set payment_details.google_play.package_name.\nUPDATE subscriptions\nSET payment_details = json_set(\n  payment_details,\n  '$.google_play.package_name',\n  (SELECT json_extract(pm.settings, '$.google_play.package_name')\n   FROM payment_methods pm\n   WHERE pm.id = subscriptions.default_payment_method_id)\n)\nWHERE channel = 'google_play'\n  AND json_extract(payment_details, '$.google_play.package_name') IS NULL\n  AND default_payment_method_id IS NOT NULL\n  AND (\n    SELECT json_extract(pm.settings, '$.google_play.package_name')\n    FROM payment_methods pm\n    WHERE pm.id = subscriptions.default_payment_method_id\n  ) IS NOT NULL;\n" },
+  { name: "0006_tenant_columns.sql", sql: "-- Payment Kit: tenant columns (Phase 1, W1-1a)\n-- Adds a nullable instance_did column to all 38 tenant tables.\n-- Mirrors blocklets/core/api/src/store/migrations/20260610-tenant-columns.ts.\n-- No constraints / indexes / backfill here — those land in 0007 (Phase 2).\n--\n-- NOTE: wrangler tracks applied migrations in `d1_migrations` by filename,\n-- so this file is applied exactly once via `wrangler d1 migrations apply`.\n\nALTER TABLE customers ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE products ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE prices ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE pricing_tables ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE payment_methods ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE checkout_sessions ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE payment_intents ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE payment_links ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE setup_intents ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE price_quotes ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE subscriptions ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE subscription_items ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE subscription_schedules ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE invoices ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE invoice_items ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE refunds ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE credit_grants ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE credit_transactions ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE meters ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE meter_events ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE usage_records ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE coupons ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE promotion_codes ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE discounts ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE entitlements ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE entitlement_grants ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE entitlement_products ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE events ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE webhook_endpoints ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE webhook_attempts ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE payouts ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE payment_stats ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE revenue_snapshots ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE auto_recharge_configs ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE tax_rates ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE settings ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE payment_currencies ADD COLUMN instance_did VARCHAR(64);\nALTER TABLE product_vendors ADD COLUMN instance_did VARCHAR(64);\n" },
+  { name: "0007_tenant_backfill_indexes.sql", sql: "-- Payment Kit: tenant unique keys + indexes (Phase 2, W1-1b)\n-- Mirrors the index/unique-key part of api/src/store/migrations/20260611-tenant-backfill.ts.\n--\n-- IMPORTANT: the instance_did BACKFILL is NOT here. Static migration SQL\n-- cannot know the deployment app DID, so the backfill (and the table rebuilds\n-- that drop old inline single-column UNIQUE constraints) runs through the\n-- shared runtime routine `runTenantBackfill()` (api/src/store/tenant-backfill.ts),\n-- invoked idempotently from the worker's scheduled() handler.\n--\n-- Everything below is NULL-safe before that backfill runs: SQLite treats each\n-- NULL as distinct in unique indexes, and existing single-column uniqueness\n-- (identifier / did / key / idempotency_key) guarantees no composite dupes.\n\n-- composite tenant unique keys (W1 §2.1, decisions D1/D3)\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_customers_tenant_did` ON `customers` (`instance_did`, `did`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_meter_events_tenant_identifier` ON `meter_events` (`instance_did`, `identifier`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_meters_tenant_event_name` ON `meters` (`instance_did`, `event_name`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_entitlements_tenant_key` ON `entitlements` (`instance_did`, `key`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_price_quotes_tenant_idem` ON `price_quotes` (`instance_did`, `idempotency_key`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_promotion_codes_tenant_code` ON `promotion_codes` (`instance_did`, `livemode`, `code`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_product_vendors_tenant_key` ON `product_vendors` (`instance_did`, `vendor_key`);\nCREATE UNIQUE INDEX IF NOT EXISTS `uq_revenue_snapshots_tenant` ON `revenue_snapshots` (`instance_did`, `timestamp`, `currency_id`, `livemode`, `period_type`);\nDROP INDEX IF EXISTS `idx_revenue_snapshots_unique`;\nDROP INDEX IF EXISTS `idx_entitlements_key`;\nDROP INDEX IF EXISTS `idx_pq_idempotency`;\n\n-- plain tenant indexes for scoped queries (Phase 3+); meter_events is served\n-- by its composite unique above (high-write table, avoid a second index)\nCREATE INDEX IF NOT EXISTS `idx_customers_instance_did` ON `customers` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_products_instance_did` ON `products` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_prices_instance_did` ON `prices` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_pricing_tables_instance_did` ON `pricing_tables` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_payment_methods_instance_did` ON `payment_methods` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_checkout_sessions_instance_did` ON `checkout_sessions` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_payment_intents_instance_did` ON `payment_intents` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_payment_links_instance_did` ON `payment_links` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_setup_intents_instance_did` ON `setup_intents` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_price_quotes_instance_did` ON `price_quotes` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_subscriptions_instance_did` ON `subscriptions` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_subscription_items_instance_did` ON `subscription_items` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_subscription_schedules_instance_did` ON `subscription_schedules` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_invoices_instance_did` ON `invoices` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_items_instance_did` ON `invoice_items` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_refunds_instance_did` ON `refunds` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_credit_grants_instance_did` ON `credit_grants` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_credit_transactions_instance_did` ON `credit_transactions` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_meters_instance_did` ON `meters` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_usage_records_instance_did` ON `usage_records` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_coupons_instance_did` ON `coupons` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_promotion_codes_instance_did` ON `promotion_codes` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_discounts_instance_did` ON `discounts` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_entitlements_instance_did` ON `entitlements` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_entitlement_grants_instance_did` ON `entitlement_grants` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_entitlement_products_instance_did` ON `entitlement_products` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_events_instance_did` ON `events` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_webhook_endpoints_instance_did` ON `webhook_endpoints` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_webhook_attempts_instance_did` ON `webhook_attempts` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_payouts_instance_did` ON `payouts` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_payment_stats_instance_did` ON `payment_stats` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_revenue_snapshots_instance_did` ON `revenue_snapshots` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_auto_recharge_configs_instance_did` ON `auto_recharge_configs` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_tax_rates_instance_did` ON `tax_rates` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_settings_instance_did` ON `settings` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_payment_currencies_instance_did` ON `payment_currencies` (`instance_did`);\nCREATE INDEX IF NOT EXISTS `idx_product_vendors_instance_did` ON `product_vendors` (`instance_did`);\n" },
+  { name: "0008_schema_parity.sql", sql: "-- Phase 11 (W2′) schema parity: close the D1-lineage gaps the schema-drift guard\n-- (scripts/schema-drift-guard.ts) found versus the Umzug canonical schema.\n-- Additive only — safe to apply on a deployed D1 (no drops, no rewrites).\n\n-- events: the Umzug genesis creates `events` with api_version (NOT NULL) and\n-- metadata (JSON); the D1 0001 events table predates both, so the worker could\n-- not write them. Backfill api_version with the app constant\n-- (api/src/libs/audit.ts API_VERSION = '2023-09-05'); new rows carry the same.\nALTER TABLE `events` ADD COLUMN `api_version` VARCHAR(16) NOT NULL DEFAULT '2023-09-05';\nALTER TABLE `events` ADD COLUMN `metadata` JSON;\n\n-- Indexes present in the canonical but missing in the D1 lineage (perf parity;\n-- names match the Umzug migrations 20250904-discount / 20251007-relate-tax-rate).\nCREATE INDEX IF NOT EXISTS `idx_discounts_customer_id` ON `discounts` (`customer_id`);\nCREATE INDEX IF NOT EXISTS `idx_invoice_items_tax_rate_id` ON `invoice_items` (`tax_rate_id`);\nCREATE INDEX IF NOT EXISTS `idx_promotion_codes_verification_type_coupon_id` ON `promotion_codes` (`verification_type`, `coupon_id`);\n" },
+  { name: "0009_remove_did_space_jobs.sql", sql: "-- The DID Space billing-mirror integration was removed (libs/did-space.ts,\n-- queues/space.ts). Rows in `jobs` with queue='did-space' can never be picked\n-- up again (the scheduled scan only matches registered queue names), so they\n-- would sit in the table forever. Delete them. Idempotent.\nDELETE FROM jobs WHERE queue = 'did-space';\n" },
+];

package/api/src/store/tenant-backfill.ts

@@ -0,0 +1,260 @@
+/* eslint-disable no-await-in-loop */
+import type { Sequelize } from 'sequelize';
+
+import { getDefaultInstanceDid } from '../libs/tenant';
+import { TENANT_TABLES } from './tenant-tables';
+
+// Phase 2 (W1-1b): backfill instance_did + revise business unique keys.
+//
+// This module is the single implementation for BOTH rails:
+//  - Node: called from the Umzug migration 20260611-tenant-backfill.ts
+//  - CF/D1: called from the worker as an idempotent boot/cron compensation
+//    step (static D1 migration SQL cannot know the deployment app DID, so
+//    the backfill must run through the driver at runtime; the additive
+//    NULL-safe indexes live in cloudflare/migrations/0007_*.sql)
+//
+// The tenant value comes EXCLUSIVELY from getDefaultInstanceDid() — the
+// Phase 0 single source for "this deployment's app DID". Nothing is ever
+// inferred from request data or row contents (except payment_currencies,
+// whose tenant is defined as its payment_method's tenant — decision D1).
+
+export const BACKFILL_BATCH_SIZE = 5000;
+
+/**
+ * Tables whose single-column business unique keys must become
+ * (instance_did, ...) composites (W1 §2.1 / decision D3). The inline
+ * single-column UNIQUE constraints are removed via table rebuild.
+ */
+export const UNIQUE_KEY_REVISIONS: { table: string; index: string; columns: string[]; dropInline?: string }[] = [
+  // inline UNIQUE in table DDL -> needs rebuild
+  { table: 'customers', index: 'uq_customers_tenant_did', columns: ['instance_did', 'did'], dropInline: 'did' },
+  {
+    table: 'meter_events',
+    index: 'uq_meter_events_tenant_identifier',
+    columns: ['instance_did', 'identifier'],
+    dropInline: 'identifier',
+  },
+  {
+    table: 'meters',
+    index: 'uq_meters_tenant_event_name',
+    columns: ['instance_did', 'event_name'],
+    dropInline: 'event_name',
+  },
+  { table: 'entitlements', index: 'uq_entitlements_tenant_key', columns: ['instance_did', 'key'], dropInline: 'key' },
+  {
+    table: 'price_quotes',
+    index: 'uq_price_quotes_tenant_idem',
+    columns: ['instance_did', 'idempotency_key'],
+    dropInline: 'idempotency_key',
+  },
+  // no existing DB-level constraint -> plain new composite unique index
+  // (livemode included for promotion codes: the app has always allowed the
+  // same code in live and test mode, see routes/promotion-codes.ts)
+  { table: 'promotion_codes', index: 'uq_promotion_codes_tenant_code', columns: ['instance_did', 'livemode', 'code'] },
+  { table: 'product_vendors', index: 'uq_product_vendors_tenant_key', columns: ['instance_did', 'vendor_key'] },
+  // explicit unique index gains the tenant column (recreated below); no
+  // inline UNIQUE to drop, so no rebuild and no NOT NULL DDL on this table
+  {
+    table: 'revenue_snapshots',
+    index: 'uq_revenue_snapshots_tenant',
+    columns: ['instance_did', 'timestamp', 'currency_id', 'livemode', 'period_type'],
+  },
+];
+
+/** Explicit single-column unique indexes superseded by the composites above. */
+const SUPERSEDED_INDEXES = ['idx_entitlements_key', 'idx_pq_idempotency', 'idx_revenue_snapshots_unique'];
+
+// table/column arguments must be static identifiers from this module
+// (TENANT_TABLES / UNIQUE_KEY_REVISIONS) — never external input. SQLite
+// cannot bind identifiers, hence the (caller-constrained) interpolation.
+async function tableExists(sequelize: Sequelize, table: string): Promise<boolean> {
+  const [rows] = await sequelize.query(`SELECT name FROM sqlite_master WHERE type = 'table' AND name = '${table}'`);
+  return (rows as any[]).length > 0;
+}
+
+async function columnExists(sequelize: Sequelize, table: string, column: string): Promise<boolean> {
+  const [rows] = await sequelize.query(`SELECT name FROM pragma_table_info('${table}') WHERE name = '${column}'`);
+  return (rows as any[]).length > 0;
+}
+
+// D1 exposes meta.changes; node-sqlite3 via sequelize does not, so fall back
+// to SELECT changes() (safe: sequelize reuses one cached sqlite connection)
+async function affectedRows(sequelize: Sequelize, meta: unknown): Promise<number> {
+  if (typeof (meta as any)?.changes === 'number') return (meta as any).changes;
+  const [rows] = await sequelize.query('SELECT changes() AS n');
+  return Number((rows as any[])[0]?.n ?? 0);
+}
+
+/**
+ * Batched, idempotent backfill of one table. Only NULL rows are touched, so
+ * re-running after a crash simply continues where the previous run stopped.
+ */
+async function backfillTable(sequelize: Sequelize, table: string, instanceDid: string): Promise<number> {
+  if (!(await tableExists(sequelize, table))) return 0;
+  if (!(await columnExists(sequelize, table, 'instance_did'))) {
+    throw new Error(`tenant-backfill: column instance_did missing on ${table} — run the Phase 1 migration first`);
+  }
+  let total = 0;
+  for (;;) {
+    const [, meta] = await sequelize.query(
+      `UPDATE ${table} SET instance_did = $did WHERE rowid IN (SELECT rowid FROM ${table} WHERE instance_did IS NULL LIMIT ${BACKFILL_BATCH_SIZE})`,
+      { bind: { did: instanceDid } }
+    );
+    const changed = await affectedRows(sequelize, meta);
+    total += changed;
+    if (!changed) break;
+  }
+  return total;
+}
+
+/**
+ * payment_currencies follows its payment_method's tenant (decision D1).
+ * Falls back to the deployment default when the method link is dangling
+ * (same value in single mode anyway).
+ */
+async function backfillPaymentCurrencies(sequelize: Sequelize, instanceDid: string): Promise<number> {
+  if (!(await tableExists(sequelize, 'payment_currencies'))) return 0;
+  if (!(await columnExists(sequelize, 'payment_currencies', 'instance_did'))) {
+    throw new Error(
+      'tenant-backfill: column instance_did missing on payment_currencies — run the Phase 1 migration first'
+    );
+  }
+  const [, meta] = await sequelize.query(
+    `UPDATE payment_currencies SET instance_did = COALESCE(
+       (SELECT pm.instance_did FROM payment_methods pm WHERE pm.id = payment_currencies.payment_method_id),
+       $did
+     ) WHERE instance_did IS NULL`,
+    { bind: { did: instanceDid } }
+  );
+  return affectedRows(sequelize, meta);
+}
+
+/**
+ * Rebuild a table to drop an inline single-column UNIQUE constraint and mark
+ * instance_did NOT NULL. SQLite cannot do either via ALTER, so: copy DDL from
+ * sqlite_master, transform, create {t}__rebuild, INSERT SELECT, swap, then
+ * recreate the explicit indexes that the drop discarded.
+ *
+ * Crash-safe: {t}__rebuild leftovers from a dead run are dropped on entry;
+ * if a crash hit between DROP and RENAME, the rename is completed on entry.
+ */
+async function rebuildTableForUnique(
+  sequelize: Sequelize,
+  table: string,
+  dropInlineUniqueOn: string,
+  instanceDid: string
+) {
+  const rebuildName = `${table}__rebuild`;
+
+  // recover from a crash between DROP old and RENAME new
+  if (!(await tableExists(sequelize, table)) && (await tableExists(sequelize, rebuildName))) {
+    await sequelize.query(`ALTER TABLE ${rebuildName} RENAME TO ${table}`);
+    return;
+  }
+  if (await tableExists(sequelize, rebuildName)) {
+    await sequelize.query(`DROP TABLE ${rebuildName}`);
+  }
+
+  const [ddlRows] = await sequelize.query(`SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '${table}'`);
+  const ddl: string = (ddlRows as any[])[0]?.sql || '';
+  // [^,] (not [^,)]): type names like VARCHAR(128) contain parens, but column
+  // definitions never contain commas, so the comma is the safe boundary
+  const inlineUnique = new RegExp(`(\`?${dropInlineUniqueOn}\`?\\s+[^,]*?)\\s+UNIQUE`, 'i');
+  const needsUniqueDrop = inlineUnique.test(ddl);
+  const needsNotNull = !/instance_did[^,]*NOT NULL/i.test(ddl);
+  if (!needsUniqueDrop && !needsNotNull) return; // already rebuilt — idempotent
+
+  let newDdl = ddl.replace(inlineUnique, '$1');
+  // NOT NULL with the deployment DID as DDL default: pre-Phase-3 code paths
+  // that insert without instance_did keep working and land in the default
+  // tenant (single-tenant behavior unchanged); scoped creates (Phase 3) set
+  // the value explicitly so the default never fires in multi mode.
+  if (!/^[A-Za-z0-9:_-]+$/.test(instanceDid)) {
+    throw new Error(`tenant-backfill: refusing to embed suspicious instanceDid in DDL: ${JSON.stringify(instanceDid)}`);
+  }
+  newDdl = newDdl.replace(
+    /instance_did\s+VARCHAR\(64\)/i,
+    `instance_did VARCHAR(64) NOT NULL DEFAULT '${instanceDid}'`
+  );
+  // CREATE TABLE `name` ... -> CREATE TABLE `name__rebuild` ...
+  newDdl = newDdl.replace(new RegExp(`CREATE TABLE\\s+(["\`]?)${table}\\1`, 'i'), `CREATE TABLE \`${rebuildName}\``);
+
+  // capture explicit index DDL before the table (and its indexes) are dropped
+  const [indexRows] = await sequelize.query(
+    `SELECT name, sql FROM sqlite_master WHERE type = 'index' AND tbl_name = '${table}' AND sql IS NOT NULL`
+  );
+
+  const [cols] = await sequelize.query(`SELECT name FROM pragma_table_info('${table}')`);
+  const columnList = (cols as any[]).map((c) => `\`${c.name}\``).join(', ');
+
+  await sequelize.query(newDdl);
+  await sequelize.query(`INSERT INTO ${rebuildName} (${columnList}) SELECT ${columnList} FROM ${table}`);
+  await sequelize.query(`DROP TABLE ${table}`);
+  await sequelize.query(`ALTER TABLE ${rebuildName} RENAME TO ${table}`);
+
+  for (const idx of indexRows as { name: string; sql: string }[]) {
+    if (!SUPERSEDED_INDEXES.includes(idx.name)) {
+      await sequelize.query(idx.sql.replace(/CREATE (UNIQUE )?INDEX/i, 'CREATE $1INDEX IF NOT EXISTS'));
+    }
+  }
+}
+
+async function ensureIndex(sequelize: Sequelize, table: string, name: string, columns: string[], unique: boolean) {
+  if (!(await tableExists(sequelize, table))) return;
+  await sequelize.query(
+    `CREATE ${unique ? 'UNIQUE ' : ''}INDEX IF NOT EXISTS \`${name}\` ON \`${table}\` (${columns
+      .map((c) => `\`${c}\``)
+      .join(', ')})`
+  );
+}
+
+async function dropIndexIfExists(sequelize: Sequelize, name: string) {
+  await sequelize.query(`DROP INDEX IF EXISTS \`${name}\``);
+}
+
+export interface TenantBackfillResult {
+  instanceDid: string;
+  backfilled: Record<string, number>;
+}
+
+/**
+ * The full Phase 2 routine: backfill -> unique key revisions -> indexes.
+ * Idempotent and re-runnable; safe to call from worker boot/cron.
+ */
+export async function runTenantBackfill(sequelize: Sequelize): Promise<TenantBackfillResult> {
+  const instanceDid = getDefaultInstanceDid();
+  const backfilled: Record<string, number> = {};
+
+  // 1. backfill — payment_methods before payment_currencies (D1 join source)
+  for (const table of TENANT_TABLES) {
+    if (table !== 'payment_currencies') {
+      backfilled[table] = await backfillTable(sequelize, table, instanceDid);
+    }
+  }
+  backfilled.payment_currencies = await backfillPaymentCurrencies(sequelize, instanceDid);
+
+  // 2. unique key revisions — rebuilds drop the old inline single-column
+  //    uniques; composites enforce per-tenant uniqueness from here on
+  for (const revision of UNIQUE_KEY_REVISIONS) {
+    if (await tableExists(sequelize, revision.table)) {
+      if (revision.dropInline) {
+        await rebuildTableForUnique(sequelize, revision.table, revision.dropInline, instanceDid);
+      }
+      await ensureIndex(sequelize, revision.table, revision.index, revision.columns, true);
+    }
+  }
+  for (const name of SUPERSEDED_INDEXES) {
+    await dropIndexIfExists(sequelize, name);
+  }
+
+  // 3. plain tenant indexes for scoped queries (Phase 3+). meter_events is
+  //    served by the (instance_did, identifier) composite above — high-write
+  //    table, one extra index is deliberate cost; see W1 §2.1 note.
+  for (const table of TENANT_TABLES) {
+    if (table !== 'meter_events') {
+      await ensureIndex(sequelize, table, `idx_${table}_instance_did`, ['instance_did'], false);
+    }
+  }
+
+  return { instanceDid, backfilled };
+}

package/api/src/store/tenant-model.ts

@@ -0,0 +1,124 @@
+// TenantModel base-class mechanism (W1 tenant-isolation).
+//
+// Inserts one tenant-scoping layer between the 38 tenant models and the
+// per-runtime `Model` (real Sequelize on Node, sequelize-d1 shim on the
+// worker — the `'sequelize'` import is aliased at build time). Overrides the
+// query surface once so `X.findAll(...)` is transparently tenant-scoped; the
+// 480 "bare" call sites become structurally safe with zero per-call changes.
+//
+// `makeTenantModel(Base)` is a factory so the spike can validate the SAME
+// source against BOTH bases in one Node test run. Production uses the
+// `TenantModel` convenience export (Base = the build-aliased `Model`).
+//
+// The scope primitives (scopeWhere/stampTenant/isTenantTable) live in
+// ./scoped-core, shared with scoped.ts so there is exactly one copy.
+//
+// eslint-disable require-await: the query overrides are INTENTIONALLY `async`
+// even though some only `return super.xxx(...)` — a synchronous fail-closed
+// throw from `$scope`/scopeWhere must surface as a promise REJECTION so callers
+// `await`/`.catch` it (tenant-design §12 hard-constraint 2). Dropping `async`
+// would let the throw escape synchronously and bypass `.catch`.
+/* eslint-disable require-await */
+import { Model } from 'sequelize';
+
+import { isSystemContext } from '../libs/context';
+import { isTenantTable, scopeWhere, stampTenant } from './scoped-core';
+
+export { isTenantTable, scopeWhere, stampTenant } from './scoped-core';
+
+export function makeTenantModel(Base: any): any {
+  // NOTE: `_scope` is a RESERVED Sequelize internal (init sets an own static
+  // `_scope` object = the model's scope state). Helper names MUST avoid
+  // Sequelize's `_`-prefixed surface — `$`-prefixed names are collision-free.
+  //
+  // Query overrides are `async` so a synchronous fail-closed throw from
+  // scopeWhere/stampTenant surfaces as a promise rejection (callers
+  // await/.catch — mirrors scoped.ts asAsync).
+  return class TenantModel extends Base {
+    static $isTenantTable(this: any): boolean {
+      return isTenantTable(this.tableName);
+    }
+
+    // A row should be scoped unless this is not a tenant table OR we are inside
+    // an explicit system operation (legitimate cross-tenant read).
+    static $shouldScope(this: any): boolean {
+      return this.$isTenantTable() && !isSystemContext();
+    }
+
+    static $scope(this: any, options: any): any {
+      return this.$shouldScope() ? { ...options, where: scopeWhere(options?.where) } : options;
+    }
+
+    // reads -----------------------------------------------------------------
+    static async findAll(this: any, o?: any) {
+      return super.findAll(this.$scope(o));
+    }
+    static async findOne(this: any, o?: any) {
+      return super.findOne(this.$scope(o));
+    }
+    static async findByPk(this: any, id: any, o?: any) {
+      // route through findOne so the scope (and tenant check) applies as a
+      // WHERE predicate -> cross-tenant returns null (not-found), never throws.
+      return this.findOne({ ...o, where: { ...(o?.where || {}), id } });
+    }
+    static async findAndCountAll(this: any, o?: any) {
+      return super.findAndCountAll(this.$scope(o));
+    }
+    static async findOrCreate(this: any, o?: any) {
+      // scope the lookup AND stamp the defaults so a freshly-created row lands
+      // in the active tenant (the scoped where also carries instance_did, but
+      // stamping defaults is explicit and survives shim/real differences).
+      // Honors $shouldScope so a system-context findOrCreate neither scopes nor
+      // stamps — consistent with create/bulkCreate/update.
+      if (!this.$shouldScope()) return super.findOrCreate(o);
+      const scoped = this.$scope(o);
+      return super.findOrCreate({ ...scoped, defaults: stampTenant(scoped?.defaults || {}) });
+    }
+    static async count(this: any, o?: any) {
+      return super.count(this.$scope(o));
+    }
+    static async sum(this: any, field: any, o?: any) {
+      return super.sum(field, this.$scope(o));
+    }
+    static async max(this: any, field: any, o?: any) {
+      return super.max(field, this.$scope(o));
+    }
+    static async min(this: any, field: any, o?: any) {
+      // Node-only surface (real Sequelize). The worker never calls min.
+      return super.min(field, this.$scope(o));
+    }
+    static async aggregate(this: any, field: any, fn: any, o?: any) {
+      // Node-only surface. sum/max/min delegate here internally on real
+      // Sequelize; the second scope injection is absorbed by scopeWhere's
+      // idempotency.
+      return super.aggregate(field, fn, this.$scope(o));
+    }
+
+    // writes ----------------------------------------------------------------
+    static async create(this: any, values: any, o?: any) {
+      return super.create(this.$shouldScope() ? stampTenant(values) : values, o);
+    }
+    static async bulkCreate(this: any, records: any[], o?: any) {
+      const stamped = this.$shouldScope() ? (records || []).map((r: any) => stampTenant(r)) : records;
+      return super.bulkCreate(stamped, o);
+    }
+    static async update(this: any, values: any, o?: any) {
+      return super.update(values, this.$scope(o));
+    }
+    static async increment(this: any, fields: any, o?: any) {
+      return super.increment(fields, this.$scope(o));
+    }
+    static async decrement(this: any, fields: any, o?: any) {
+      return super.decrement(fields, this.$scope(o));
+    }
+    static async destroy(this: any, o?: any) {
+      return super.destroy(this.$scope(o));
+    }
+  };
+}
+
+// Production convenience: Base = the build-aliased Model. Cast to `typeof Model`
+// so the 38 tenant models can `extends TenantModel<InferAttributes<X>, ...>`
+// exactly as they did `extends Model<...>` — the generic constructor surface is
+// preserved; the runtime instance is the scoped subclass.
+export const TenantModel = makeTenantModel(Model) as typeof Model;

package/api/src/store/tenant-tables.ts

@@ -0,0 +1,50 @@
+/**
+ * The 38 tenant-scoped tables (W1 §2.1, decisions D1/D3 included).
+ * Single source of truth — consumed by the tenant-columns migration, the
+ * scoped query helpers and the CI bare-query scanner. Do not duplicate.
+ *
+ * Exempt (W1 §2.2): jobs, locks, archive_locks, archive_metadata,
+ * exchange_rate_providers.
+ */
+export const TENANT_TABLES = [
+  'customers',
+  'products',
+  'prices',
+  'pricing_tables',
+  'payment_methods',
+  'checkout_sessions',
+  'payment_intents',
+  'payment_links',
+  'setup_intents',
+  'price_quotes',
+  'subscriptions',
+  'subscription_items',
+  'subscription_schedules',
+  'invoices',
+  'invoice_items',
+  'refunds',
+  'credit_grants',
+  'credit_transactions',
+  'meters',
+  'meter_events',
+  'usage_records',
+  'coupons',
+  'promotion_codes',
+  'discounts',
+  'entitlements',
+  'entitlement_grants',
+  'entitlement_products',
+  'events',
+  'webhook_endpoints',
+  'webhook_attempts',
+  'payouts',
+  'payment_stats',
+  'revenue_snapshots',
+  'auto_recharge_configs',
+  'tax_rates',
+  'settings',
+  'payment_currencies',
+  'product_vendors',
+] as const;
+
+export type TenantTable = (typeof TENANT_TABLES)[number];