payment-kit 1.29.1 → 1.29.2

package/api/tests/libs/audit-tenant.spec.ts

@@ -0,0 +1,153 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_CONTEXT_MISSING, TENANT_MISMATCH } from '../../src/libs/tenant';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-tenant-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let audit: typeof import('../../src/libs/audit');
+let logger: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  const models = require('../../src/store/models');
+  models.initialize(sequelize);
+  // eslint-disable-next-line global-require
+  audit = require('../../src/libs/audit');
+  // eslint-disable-next-line global-require
+  logger = require('../../src/libs/logger').default;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+beforeEach(async () => {
+  await sequelize.query('DELETE FROM events');
+});
+
+const fakeModel = (tenant: string | null, extra: Record<string, any> = {}) => ({
+  id: 'obj_1',
+  livemode: false,
+  instance_did: tenant,
+  dataValues: { id: 'obj_1', instance_did: tenant, ...extra },
+  _previousDataValues: {},
+});
+
+describe('audit tenant resolution (phase 4)', () => {
+  describe('happy path', () => {
+    it('takes the tenant from the model row', async () => {
+      await audit.createEvent('Customer', 'customer.created', fakeModel(TENANT_A));
+      const [rows] = await sequelize.query('SELECT type, instance_did FROM events');
+      expect(rows).toEqual([{ type: 'customer.created', instance_did: TENANT_A }]);
+    });
+
+    it('falls back to the tenant context when the model has none', async () => {
+      await withTenant(TENANT_B, () => audit.createEvent('Customer', 'customer.created', fakeModel(null)));
+      const [rows] = await sequelize.query('SELECT instance_did FROM events');
+      expect(rows).toEqual([{ instance_did: TENANT_B }]);
+    });
+
+    it('createFlexibleEvent (system source) uses the tenant context', async () => {
+      const event: any = await withTenant(TENANT_A, () =>
+        audit.createFlexibleEvent('payout.created', 'payout', 'po_1', { ok: true })
+      );
+      expect(event.instance_did).toBe(TENANT_A);
+    });
+  });
+
+  describe('bad input: both sources missing', () => {
+    it('rejects in multi mode and writes no event row', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      try {
+        await expect(audit.createEvent('Customer', 'customer.created', fakeModel(null))).rejects.toMatchObject({
+          code: TENANT_CONTEXT_MISSING,
+        });
+      } finally {
+        delete process.env.PAYMENT_TENANT_MODE;
+      }
+      const [rows] = await sequelize.query('SELECT COUNT(*) AS n FROM events');
+      expect((rows as any[])[0].n).toBe(0);
+    });
+  });
+
+  describe('security: contradictory sources', () => {
+    it('rejects when model tenant and context tenant disagree', async () => {
+      await withTenant(TENANT_A, async () => {
+        await expect(audit.createEvent('Customer', 'customer.created', fakeModel(TENANT_B))).rejects.toMatchObject({
+          code: TENANT_MISMATCH,
+        });
+      });
+      const [rows] = await sequelize.query('SELECT COUNT(*) AS n FROM events');
+      expect((rows as any[])[0].n).toBe(0);
+    });
+  });
+
+  describe('data loss: rejection never blocks the business write', () => {
+    it('reportAuditFailure is fire-and-forget with a dedicated code', () => {
+      const err = Object.assign(new Error('conflict'), { code: TENANT_MISMATCH });
+      expect(() => audit.reportAuditFailure(err)).not.toThrow();
+      expect(logger.error).toHaveBeenCalledWith(
+        '[audit] event creation failed',
+        expect.objectContaining({ code: TENANT_MISMATCH })
+      );
+
+      audit.reportAuditFailure(new Error('boom'));
+      expect(logger.error).toHaveBeenCalledWith(
+        '[audit] event creation failed',
+        expect.objectContaining({ code: 'EVENT_CREATE_FAILED' })
+      );
+    });
+  });
+
+  describe('data leak: status/custom event paths carry the tenant too', () => {
+    it('createStatusEvent stamps the model tenant', async () => {
+      const model = fakeModel(TENANT_A, { status: 'active' });
+      await audit.createStatusEvent('Subscription', 'customer.subscription', { active: 'activated' }, model, {
+        fields: ['status'],
+      });
+      const [rows] = await sequelize.query('SELECT instance_did FROM events');
+      expect(rows).toEqual([{ instance_did: TENANT_A }]);
+    });
+
+    it('createCustomEvent stamps the model tenant', async () => {
+      const model = fakeModel(TENANT_B, { status: 'canceled' });
+      await audit.createCustomEvent('Subscription', 'customer.subscription', () => 'deleted', model, {
+        fields: ['status'],
+      });
+      const [rows] = await sequelize.query('SELECT type, instance_did FROM events');
+      expect(rows).toEqual([{ type: 'customer.subscription.deleted', instance_did: TENANT_B }]);
+    });
+  });
+});

package/api/tests/libs/context.spec.ts

@@ -0,0 +1,204 @@
+import {
+  TENANT_CONTEXT_MISSING,
+  TenantError,
+  context,
+  getDefaultInstanceDid,
+  getInstanceDid,
+  getTenantMode,
+  withTenant,
+} from '../../src/libs/context';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
+
+describe('libs/context tenant infrastructure', () => {
+  const originalMode = process.env.PAYMENT_TENANT_MODE;
+
+  afterEach(() => {
+    if (originalMode === undefined) {
+      delete process.env.PAYMENT_TENANT_MODE;
+    } else {
+      process.env.PAYMENT_TENANT_MODE = originalMode;
+    }
+  });
+
+  const asMulti = () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+  };
+
+  describe('tenant mode', () => {
+    it('defaults to single mode', () => {
+      delete process.env.PAYMENT_TENANT_MODE;
+      expect(getTenantMode()).toBe('single');
+    });
+
+    it('reads multi mode from env', () => {
+      asMulti();
+      expect(getTenantMode()).toBe('multi');
+    });
+  });
+
+  describe('happy path', () => {
+    it('returns the tenant inside withTenant and across await boundaries', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(getInstanceDid()).toBe(TENANT_A);
+        await sleep(5);
+        expect(getInstanceDid()).toBe(TENANT_A);
+        await Promise.resolve().then(() => {
+          expect(getInstanceDid()).toBe(TENANT_A);
+        });
+      });
+    });
+
+    it('exposes instanceDid via context.getContext()', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(context.getContext().instanceDid).toBe(TENANT_A);
+      });
+    });
+
+    it('returns the value produced by fn', async () => {
+      const result = await withTenant(TENANT_A, async () => 42);
+      expect(result).toBe(42);
+    });
+
+    it('keeps tenant when context.run is nested inside withTenant', async () => {
+      await withTenant(TENANT_A, () =>
+        context.run({ requestedBy: 'user-x' }, async () => {
+          expect(getInstanceDid()).toBe(TENANT_A);
+          expect(context.getRequestedBy()).toBe('user-x');
+        })
+      );
+    });
+
+    it('keeps tenant when withTenant is nested inside context.run', async () => {
+      await context.run({ requestedBy: 'user-x' }, () =>
+        withTenant(TENANT_A, async () => {
+          expect(getInstanceDid()).toBe(TENANT_A);
+          expect(context.getRequestedBy()).toBe('user-x');
+        })
+      );
+    });
+  });
+
+  describe('bad input', () => {
+    it.each([['' as any], ['   ' as any], [null as any], [undefined as any], [123 as any], ['a b' as any]])(
+      'rejects invalid instanceDid %p',
+      async (bad) => {
+        await expect(withTenant(bad, async () => 'never')).rejects.toMatchObject({
+          code: TENANT_CONTEXT_MISSING,
+        });
+      }
+    );
+
+    it('throws TENANT_CONTEXT_MISSING in multi mode without context', () => {
+      asMulti();
+      try {
+        getInstanceDid();
+        throw new Error('expected getInstanceDid to throw');
+      } catch (err: any) {
+        expect(err).toBeInstanceOf(TenantError);
+        expect(err.code).toBe(TENANT_CONTEXT_MISSING);
+      }
+    });
+  });
+
+  describe('security: concurrent isolation', () => {
+    it('does not leak tenant between interleaved concurrent withTenant scopes', async () => {
+      const observed: Record<string, string[]> = { a: [], b: [] };
+      await Promise.all([
+        withTenant(TENANT_A, async () => {
+          observed.a!.push(getInstanceDid());
+          await sleep(10);
+          observed.a!.push(getInstanceDid());
+          await sleep(20);
+          observed.a!.push(getInstanceDid());
+        }),
+        withTenant(TENANT_B, async () => {
+          observed.b!.push(getInstanceDid());
+          await sleep(15);
+          observed.b!.push(getInstanceDid());
+          await sleep(5);
+          observed.b!.push(getInstanceDid());
+        }),
+      ]);
+      expect(observed.a).toEqual([TENANT_A, TENANT_A, TENANT_A]);
+      expect(observed.b).toEqual([TENANT_B, TENANT_B, TENANT_B]);
+    });
+  });
+
+  describe('data loss: context survives async scheduling primitives', () => {
+    it('keeps tenant across setTimeout', async () => {
+      await withTenant(TENANT_A, async () => {
+        const seen = await new Promise((resolve) => {
+          setTimeout(() => resolve(getInstanceDid()), 5);
+        });
+        expect(seen).toBe(TENANT_A);
+      });
+    });
+
+    it('keeps tenant across queueMicrotask', async () => {
+      await withTenant(TENANT_A, async () => {
+        const seen = await new Promise((resolve) => {
+          queueMicrotask(() => resolve(getInstanceDid()));
+        });
+        expect(seen).toBe(TENANT_A);
+      });
+    });
+
+    it('keeps tenant inside event emitter callbacks registered within the scope', async () => {
+      // eslint-disable-next-line global-require
+      const { EventEmitter } = require('events');
+      const emitter = new EventEmitter();
+      await withTenant(TENANT_A, async () => {
+        const seen = await new Promise((resolve) => {
+          emitter.on('ping', () => resolve(getInstanceDid()));
+          emitter.emit('ping');
+        });
+        expect(seen).toBe(TENANT_A);
+      });
+    });
+  });
+
+  describe('data damage: nesting and immutability', () => {
+    it('restores outer tenant after a nested withTenant exits', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(getInstanceDid()).toBe(TENANT_A);
+        await withTenant(TENANT_B, async () => {
+          expect(getInstanceDid()).toBe(TENANT_B);
+        });
+        expect(getInstanceDid()).toBe(TENANT_A);
+      });
+    });
+
+    it('prevents fn from mutating the stored context to affect sibling calls', async () => {
+      await withTenant(TENANT_A, async () => {
+        const ctx = context.getContext() as any;
+        try {
+          ctx.instanceDid = TENANT_B;
+        } catch {
+          // frozen object throws in strict mode — either way the mutation must not stick
+        }
+        expect(getInstanceDid()).toBe(TENANT_A);
+      });
+    });
+  });
+
+  describe('data leak: single mode default fill', () => {
+    it('falls back to the configured app DID in single mode', () => {
+      delete process.env.PAYMENT_TENANT_MODE;
+      // jest globalSetup configures BLOCKLET_APP_PID with the test wallet address
+      expect(getInstanceDid()).toBe(getDefaultInstanceDid());
+      expect(getDefaultInstanceDid()).toBe(process.env.BLOCKLET_APP_PID);
+      expect(getDefaultInstanceDid()).not.toBe(TENANT_A);
+      expect(getDefaultInstanceDid()).not.toBe(TENANT_B);
+    });
+
+    it('never leaks a tenant injected by another scope into the default', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(getInstanceDid()).toBe(TENANT_A);
+      });
+      // outside any scope, single mode returns the app DID again
+      expect(getInstanceDid()).toBe(getDefaultInstanceDid());
+    });
+  });
+});

package/api/tests/libs/core-config.spec.ts

@@ -0,0 +1,115 @@
+// Phase 8 (W2′): the injected-config slot is authoritative. libs/env.ts is the
+// single boundary; the factory wires setCoreConfig(config) and core reads prefer
+// the injected config over process.env (the worker mirror / blocklet server
+// native fallback). getTenantMode's mode-source reads the injected config too.
+
+import { setCoreConfig, readConfig, hasConfig } from '../../src/libs/env';
+import { getTenantMode, getDefaultInstanceDid, setDefaultInstanceDid } from '../../src/libs/tenant';
+import { createDefaultSecretsDriver } from '../../src/libs/drivers';
+import { createEmbeddedPaymentService, MissingConfigError } from '../../src/service';
+
+const ORIG_MODE = process.env.PAYMENT_TENANT_MODE;
+const ORIG_PID = process.env.BLOCKLET_APP_PID;
+
+afterEach(() => {
+  setCoreConfig(undefined); // clear the injected config singleton between tests
+  setDefaultInstanceDid(undefined); // clear any tenancy-slot override
+  if (ORIG_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+  else process.env.PAYMENT_TENANT_MODE = ORIG_MODE;
+  if (ORIG_PID === undefined) delete process.env.BLOCKLET_APP_PID;
+  else process.env.BLOCKLET_APP_PID = ORIG_PID;
+});
+
+describe('Phase 8 — injected config is authoritative (happy path)', () => {
+  it('readConfig prefers injected config over process.env', () => {
+    process.env.PHASE8_FOO = 'from-env';
+    setCoreConfig({ PHASE8_FOO: 'from-config' });
+    expect(readConfig('PHASE8_FOO')).toBe('from-config');
+    delete process.env.PHASE8_FOO;
+  });
+
+  it('readConfig falls back to process.env when the key is absent from injected config', () => {
+    process.env.PHASE8_BAR = 'env-only';
+    setCoreConfig({ OTHER: 'x' });
+    expect(readConfig('PHASE8_BAR')).toBe('env-only');
+    delete process.env.PHASE8_BAR;
+  });
+
+  it('hasConfig is true for injected and env keys, false for absent', () => {
+    setCoreConfig({ PHASE8_PRESENT: 'v' });
+    expect(hasConfig('PHASE8_PRESENT')).toBe(true);
+    expect(hasConfig('PHASE8_DEFINITELY_ABSENT_KEY')).toBe(false);
+  });
+});
+
+describe('Phase 8 — getTenantMode mode-source from injected config (data isolation)', () => {
+  it('reads tenant mode from the injected config', () => {
+    delete process.env.PAYMENT_TENANT_MODE; // no env fallback — prove config is the source
+    setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+    expect(getTenantMode()).toBe('multi');
+    setCoreConfig({ PAYMENT_TENANT_MODE: 'single' });
+    expect(getTenantMode()).toBe('single');
+  });
+
+  it('injected config wins over a conflicting process.env (single source of truth)', () => {
+    process.env.PAYMENT_TENANT_MODE = 'single';
+    setCoreConfig({ PAYMENT_TENANT_MODE: 'multi' });
+    expect(getTenantMode()).toBe('multi'); // config wins, not the env mirror
+  });
+
+  it('SECURITY: getTenantMode takes no request input — only config/env decide the mode', () => {
+    setCoreConfig({ PAYMENT_TENANT_MODE: 'single' });
+    // getTenantMode() has no parameters; there is no request-level surface to tamper.
+    expect(getTenantMode.length).toBe(0);
+    expect(getTenantMode()).toBe('single');
+  });
+
+  it('getDefaultInstanceDid reads the app DID from injected config', () => {
+    delete process.env.BLOCKLET_APP_PID;
+    process.env.PAYMENT_TENANT_MODE = 'single';
+    setCoreConfig({ BLOCKLET_APP_PID: 'did:abt:zCONFIGAPP' });
+    expect(getDefaultInstanceDid()).toBe('did:abt:zCONFIGAPP');
+  });
+});
+
+describe('Phase 8 — fail-fast on a missing required config field (bad input)', () => {
+  it('single-mode factory with no BLOCKLET_APP_PID (config + env both absent) throws MissingConfigError', () => {
+    delete process.env.BLOCKLET_APP_PID;
+    expect(() =>
+      createEmbeddedPaymentService({
+        config: {}, // no BLOCKLET_APP_PID
+        db: { sequelize: {} as any },
+        // no tenancy slot -> defaults to single mode
+      })
+    ).toThrow(MissingConfigError);
+  });
+
+  it('the thrown error names the missing field (not a silent default)', () => {
+    delete process.env.BLOCKLET_APP_PID;
+    try {
+      createEmbeddedPaymentService({ config: {}, db: { sequelize: {} as any } });
+      throw new Error('expected MissingConfigError');
+    } catch (err: any) {
+      expect(err).toBeInstanceOf(MissingConfigError);
+      expect(err.code).toBe('MISSING_CONFIG_FIELD');
+      expect(err.field).toBe('BLOCKLET_APP_PID');
+    }
+  });
+
+  it('multi mode does NOT require BLOCKLET_APP_PID (tenant resolved per request)', () => {
+    delete process.env.BLOCKLET_APP_PID;
+    // multi mode passes the config fail-fast; it fails later on the db slot only
+    // if absent — here we give a truthy sequelize so the config check is what we
+    // assert. D1: multi also requires identity + secrets slots (else it would
+    // silently degrade to single), so provide minimal stubs.
+    expect(() =>
+      createEmbeddedPaymentService({
+        config: { PAYMENT_TENANT_MODE: 'multi' },
+        db: { sequelize: {} as any },
+        tenancy: { mode: 'multi' },
+        identity: { resolveInstanceDidForHost: () => null } as any,
+        secrets: createDefaultSecretsDriver(),
+      })
+    ).not.toThrow(MissingConfigError);
+  });
+});