payment-kit 1.29.1 → 1.29.2

package/api/tests/libs/tenancy-slot-authority.spec.ts

@@ -0,0 +1,209 @@
+// D1 (S3.0) — TenancySlot is the authoritative source for PAYMENT_TENANT_MODE.
+//
+// The factory derives effectiveConfig.PAYMENT_TENANT_MODE from slots.tenancy.mode
+// (so getTenantMode(), which reads the libs/env config boundary, sees the slot
+// mode without any env). A config PAYMENT_TENANT_MODE that disagrees with the
+// slot is a fail-fast. Intending multi must never silently degrade to single:
+// the default identity/secrets drivers ARE single-tenant behaviors, so a
+// multi-mode host that omits them fails closed. The legacy single path (no
+// tenancy slot + BLOCKLET_APP_PID) stays valid.
+
+import { Sequelize } from 'sequelize';
+import { setCoreConfig, getCoreConfig, readConfig } from '../../src/libs/env';
+import { getTenantMode, setDefaultInstanceDid } from '../../src/libs/tenant';
+import {
+  createDefaultIdentityDriver,
+  setIdentityDriver,
+  createDefaultSecretsDriver,
+  setSecretsDriver,
+} from '../../src/libs/drivers';
+import { createEmbeddedPaymentService, PaymentCoreSlotError, TenancySlotError } from '../../src/service';
+
+const ORIG_MODE = process.env.PAYMENT_TENANT_MODE;
+const ORIG_PID = process.env.BLOCKLET_APP_PID;
+
+// minimal slot stubs — only presence matters for D1 (the factory wires them,
+// it does not exercise their methods at construction time).
+const identityStub = { resolveInstanceDidForHost: () => null } as any;
+const secretsStub = createDefaultSecretsDriver();
+// a real in-memory sqlite sequelize: the factory's initialize() defines models
+// on it (no queries at construction), so it must be a genuine Sequelize, not a
+// stub. The data-damage/bad-input cases throw BEFORE initialize() so they never
+// touch it, but the happy/leak cases run the factory to completion.
+const db = { sequelize: new Sequelize({ dialect: 'sqlite', storage: ':memory:', logging: false }) as any };
+
+afterEach(() => {
+  setCoreConfig(undefined);
+  setDefaultInstanceDid(undefined);
+  // restore module-level driver singletons to their defaults so the multi
+  // tests do not leak an injected identity/secrets driver into later specs.
+  setIdentityDriver(createDefaultIdentityDriver());
+  setSecretsDriver(createDefaultSecretsDriver());
+  if (ORIG_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+  else process.env.PAYMENT_TENANT_MODE = ORIG_MODE;
+  if (ORIG_PID === undefined) delete process.env.BLOCKLET_APP_PID;
+  else process.env.BLOCKLET_APP_PID = ORIG_PID;
+});
+
+describe('D1 — happy path: tenancy slot drives getTenantMode without env', () => {
+  it('tenancy.mode=multi makes getTenantMode() === "multi" with no env', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    createEmbeddedPaymentService({
+      config: {},
+      db,
+      tenancy: { mode: 'multi' },
+      identity: identityStub,
+      secrets: secretsStub,
+    });
+    expect(getTenantMode()).toBe('multi');
+  });
+
+  it('tenancy.mode=single makes getTenantMode() === "single" with no env', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    createEmbeddedPaymentService({
+      config: {},
+      db,
+      tenancy: { mode: 'single', instanceDid: 'did:abt:zSINGLEAPP' },
+    });
+    expect(getTenantMode()).toBe('single');
+  });
+});
+
+describe('D1 — bad input: invalid tenancy.mode fails fast', () => {
+  it('an unknown tenancy.mode throws at construction with the legal enum in the message', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    let thrown: any;
+    try {
+      createEmbeddedPaymentService({
+        config: {},
+        db,
+        tenancy: { mode: 'foo' } as any,
+      });
+      throw new Error('expected a TenancySlotError');
+    } catch (err: any) {
+      thrown = err;
+    }
+    expect(thrown).toBeInstanceOf(TenancySlotError);
+    expect(thrown.message).toMatch(/single/);
+    expect(thrown.message).toMatch(/multi/);
+    // fail-fast: it did not silently write a mode into the config boundary
+    expect(getCoreConfig()).toBeUndefined();
+  });
+});
+
+describe('D1 — security: intending multi never silently degrades to single', () => {
+  it('multi mode without an identity slot fails closed', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    expect(() =>
+      createEmbeddedPaymentService({
+        config: {},
+        db,
+        tenancy: { mode: 'multi' },
+        secrets: secretsStub,
+        // identity omitted
+      })
+    ).toThrow(PaymentCoreSlotError);
+  });
+
+  it('multi mode without a secrets slot fails closed', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    expect(() =>
+      createEmbeddedPaymentService({
+        config: {},
+        db,
+        tenancy: { mode: 'multi' },
+        identity: identityStub,
+        // secrets omitted
+      })
+    ).toThrow(PaymentCoreSlotError);
+  });
+
+  it('multi mode with both slots does NOT fall back to single', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    createEmbeddedPaymentService({
+      config: {},
+      db,
+      tenancy: { mode: 'multi' },
+      identity: identityStub,
+      secrets: secretsStub,
+    });
+    expect(getTenantMode()).toBe('multi');
+    expect(getTenantMode()).not.toBe('single');
+  });
+});
+
+describe('D1 — data loss surrogate: legacy single compat preserved', () => {
+  it('no tenancy slot + BLOCKLET_APP_PID present resolves as a valid single deployment', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    process.env.BLOCKLET_APP_PID = 'did:abt:zLEGACYAPP';
+    expect(() =>
+      createEmbeddedPaymentService({
+        config: { BLOCKLET_APP_PID: 'did:abt:zLEGACYAPP' },
+        db,
+      })
+    ).not.toThrow();
+    expect(getTenantMode()).toBe('single');
+  });
+});
+
+describe('D1 — data damage: config<->slot conflict fails fast with no half config', () => {
+  it('config.PAYMENT_TENANT_MODE that disagrees with tenancy.mode throws and writes nothing', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    let thrown: any;
+    try {
+      createEmbeddedPaymentService({
+        config: { PAYMENT_TENANT_MODE: 'single' },
+        db,
+        tenancy: { mode: 'multi' },
+        identity: identityStub,
+        secrets: secretsStub,
+      });
+      throw new Error('expected a TenancySlotError');
+    } catch (err: any) {
+      thrown = err;
+    }
+    expect(thrown).toBeInstanceOf(TenancySlotError);
+    // no mode was written into the config boundary (setCoreConfig never ran)
+    expect(getCoreConfig()).toBeUndefined();
+  });
+
+  it('a config that AGREES with the slot is accepted (no false conflict)', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    createEmbeddedPaymentService({
+      config: { PAYMENT_TENANT_MODE: 'multi' },
+      db,
+      tenancy: { mode: 'multi' },
+      identity: identityStub,
+      secrets: secretsStub,
+    });
+    expect(getTenantMode()).toBe('multi');
+  });
+});
+
+describe('D1 — data leak surrogate: mode has a single source (the config boundary)', () => {
+  it('setDefaultInstanceDid does not flip the resolved tenant mode', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    createEmbeddedPaymentService({
+      config: {},
+      db,
+      tenancy: { mode: 'multi' },
+      identity: identityStub,
+      secrets: secretsStub,
+    });
+    expect(getTenantMode()).toBe('multi');
+    setDefaultInstanceDid('did:abt:zSOMEONE'); // the only other tenancy setter
+    expect(getTenantMode()).toBe('multi'); // mode is unaffected — config is the one source
+  });
+
+  it('effectiveConfig carries the slot mode through the readConfig boundary', () => {
+    delete process.env.PAYMENT_TENANT_MODE;
+    createEmbeddedPaymentService({
+      config: {},
+      db,
+      tenancy: { mode: 'multi' },
+      identity: identityStub,
+      secrets: secretsStub,
+    });
+    expect(readConfig('PAYMENT_TENANT_MODE')).toBe('multi');
+  });
+});

package/api/tests/libs/tenant-middleware.spec.ts

@@ -0,0 +1,42 @@
+// Phase 10 (W2-2): libs/tenant default-tenant + row-tenant resolution.
+//
+// The HTTP-driven tenant-middleware scenarios (single mode, multi-mode Host→tenant,
+// fail-closed, X-Forwarded-Host security, malformed Host) moved to the hono
+// middlewares/hono/context.spec.ts when the express contextMiddleware was deleted
+// (express→hono Phase 4). What remains here is the framework-agnostic libs/tenant
+// unit coverage that has no HTTP surface.
+import { getDefaultInstanceDid, setDefaultInstanceDid, resolveRowTenant } from '../../src/libs/tenant';
+
+const ORIGINAL_MODE = process.env.PAYMENT_TENANT_MODE;
+
+// Data damage — the single-mode tenancy slot value drives the default tenant, and
+// pre-backfill (null instance_did) rows resolve to it (upgrade path intact).
+describe('single-mode tenancy slot value (no "tenant swap" on upgrade)', () => {
+  const ORIG = (() => {
+    const saved = process.env.PAYMENT_TENANT_MODE;
+    process.env.PAYMENT_TENANT_MODE = 'single';
+    const v = getDefaultInstanceDid();
+    if (saved === undefined) delete process.env.PAYMENT_TENANT_MODE;
+    else process.env.PAYMENT_TENANT_MODE = saved;
+    return v;
+  })();
+
+  beforeEach(() => {
+    process.env.PAYMENT_TENANT_MODE = 'single';
+  });
+  afterEach(() => {
+    setDefaultInstanceDid(ORIG); // restore to the env-derived default
+    if (ORIGINAL_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+    else process.env.PAYMENT_TENANT_MODE = ORIGINAL_MODE;
+  });
+
+  it('the configured instanceDid becomes the default tenant and old null rows map to it', () => {
+    setDefaultInstanceDid('did:abt:zCONFIGURED');
+    expect(getDefaultInstanceDid()).toBe('did:abt:zCONFIGURED');
+    // a pre-backfill row (instance_did = null) resolves to the configured default,
+    // not some other tenant — old data stays visible, no corruption
+    expect(resolveRowTenant({ instance_did: null })).toBe('did:abt:zCONFIGURED');
+    // a row that already carries a tenant is unaffected
+    expect(resolveRowTenant({ instance_did: 'did:abt:zEXISTING' })).toBe('did:abt:zEXISTING');
+  });
+});

package/api/tests/libs/tenant-scanner.spec.ts

@@ -0,0 +1,120 @@
+// Phase 5 (W1′) — the tenant scanner is now a STRUCTURAL backstop, not a
+// fail-open denylist. These tests pin the new behavior:
+//   - the live api/src scan passes with ZERO violations and an EMPTY whitelist
+//     (the 151-file fail-open whitelist collapsed because Phase 3/4 made the
+//     invariants load-bearing);
+//   - assertion ② (raw query on a tenant table must bind a tenant) fires on an
+//     unguarded raw read and stays quiet on a guarded one / a non-tenant table.
+// Assertion ① (model must extend TenantModel) is exercised by the test-the-test
+// in logs/s5-e2e.log (revert a model to `extends Model` -> scanner exits 1).
+import { execFileSync } from 'child_process';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+const SCANNER = path.join(__dirname, '../../../scripts/scan-tenant-queries.js');
+const WHITELIST = path.join(__dirname, '../../../scripts/tenant-scan-whitelist.json');
+
+function runScanner(args: string[], env: Record<string, string> = {}): { exit: number; result: any } {
+  try {
+    const out = execFileSync('node', [SCANNER, '--json', ...args], {
+      encoding: 'utf8',
+      env: { ...process.env, ...env },
+    });
+    return { exit: 0, result: JSON.parse(out) };
+  } catch (err: any) {
+    return { exit: err.status ?? 1, result: JSON.parse(err.stdout || '{}') };
+  }
+}
+
+function writeFixture(name: string, content: string): string {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'scan-'));
+  const file = path.join(dir, name);
+  fs.writeFileSync(file, content);
+  return file;
+}
+
+describe('tenant scanner — structural backstop (phase 5)', () => {
+  it('the live api/src scan passes with zero violations and an empty whitelist', () => {
+    const { exit, result } = runScanner([]);
+    expect(exit).toBe(0);
+    expect(result.violations).toEqual([]);
+    expect(result.staleWhitelistEntries).toEqual([]);
+    // the fail-open 151-file whitelist has collapsed
+    const whitelist = JSON.parse(fs.readFileSync(WHITELIST, 'utf8'));
+    expect(whitelist).toEqual([]);
+  });
+
+  it('assertion ②: an unguarded raw read on a tenant table is flagged', () => {
+    const file = writeFixture(
+      'unguarded.ts',
+      `export const f = (s: any) => s.query("SELECT * FROM coupons WHERE livemode = 1");`
+    );
+    const { exit, result } = runScanner([file]);
+    expect(exit).toBe(1);
+    expect(result.violations[0].kind).toBe('raw-unguarded');
+  });
+
+  it('assertion ②: a tenant-bound raw read is NOT flagged', () => {
+    const file = writeFixture(
+      'guarded.ts',
+      `export const f = (s: any) => s.query("SELECT * FROM coupons WHERE instance_did = :instance_did");`
+    );
+    const { exit, result } = runScanner([file]);
+    expect(exit).toBe(0);
+    expect(result.violations).toEqual([]);
+  });
+
+  it('assertion ②: a DDL statement on a tenant table is exempt (not flagged)', () => {
+    const file = writeFixture(
+      'ddl.ts',
+      `export const f = (s: any) => s.query('ALTER TABLE "coupons" ADD COLUMN foo TEXT');`
+    );
+    const { exit } = runScanner([file]);
+    expect(exit).toBe(0);
+  });
+
+  it('assertion ②: a raw read on a NON-tenant table is not flagged', () => {
+    const file = writeFixture('jobs.ts', `export const f = (s: any) => s.query("SELECT * FROM jobs WHERE id = 1");`);
+    const { exit } = runScanner([file]);
+    expect(exit).toBe(0);
+  });
+
+  it('Security: DDL is judged by the statement verb — a SELECT cannot hide behind /* CREATE */', () => {
+    const file = writeFixture(
+      'evasion.ts',
+      `export const f = (s: any) => s.query("SELECT * FROM coupons WHERE id=1 /* CREATE */");`
+    );
+    const { exit, result } = runScanner([file]);
+    expect(exit).toBe(1);
+    expect(result.violations[0].kind).toBe('raw-unguarded');
+  });
+
+  it('Bad input: an unparseable (binary / non-utf8) file fails loudly, never a silent skip', () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'scan-'));
+    const file = path.join(dir, 'binary.ts');
+    fs.writeFileSync(file, Buffer.from([0x53, 0x45, 0x00, 0x01, 0xff, 0xfe]));
+    const { exit, result } = runScanner([file]);
+    expect(exit).toBe(1);
+    expect(result.violations[0].kind).toBe('unreadable');
+  });
+
+  it('Bad input: a whitelist entry pointing at a non-existent file is reported stale (exit 1)', () => {
+    const wl = writeFixture('wl.json', JSON.stringify([{ file: 'api/src/store/models/does-not-exist.ts', reason: 'x' }]));
+    const { exit, result } = runScanner([], { TENANT_SCAN_WHITELIST: wl });
+    expect(exit).toBe(1);
+    expect(result.staleWhitelistEntries).toContain('api/src/store/models/does-not-exist.ts');
+  });
+
+  it('Security: a wildcard whitelist entry cannot swallow a real violation (exact-path match only)', () => {
+    const violating = writeFixture(
+      'leak.ts',
+      `export const f = (s: any) => s.query("SELECT * FROM coupons WHERE id=1");`
+    );
+    // a glob-looking entry must NOT match the violating file by prefix/wildcard
+    const wl = writeFixture('wl2.json', JSON.stringify([{ file: 'api/src/**', reason: 'wildcard attempt' }]));
+    const { exit, result } = runScanner([violating], { TENANT_SCAN_WHITELIST: wl });
+    expect(exit).toBe(1);
+    expect(result.violations.some((v: any) => v.kind === 'raw-unguarded')).toBe(true);
+  });
+});

package/api/tests/middlewares/hono/cdn.spec.ts

@@ -0,0 +1,70 @@
+// Phase 1 (express→hono) — hono cdn fork. Rewrites asset URLs to the CDN host on
+// outgoing HTML in production; inert for JSON /api responses (the only surface in
+// Phases 1-3). The transform core (AssetHostTransformer) is the real SDK util;
+// only the config env (assetCdnHost / componentDid) is mocked here.
+import { Hono } from 'hono';
+
+jest.mock('@blocklet/sdk/lib/config', () => ({
+  __esModule: true,
+  env: { assetCdnHost: 'cdn.example.com', componentDid: 'z-comp' },
+}));
+
+// eslint-disable-next-line import/first
+import { cdn } from '../../../src/middlewares/hono/cdn';
+
+const ASSET = '/.blocklet/proxy/z-comp/app.js';
+const HTML = `<html><head><script src="${ASSET}"></script></head><body>hi</body></html>`;
+
+const prevServiceEnv = process.env.ABT_NODE_SERVICE_ENV;
+beforeAll(() => {
+  process.env.ABT_NODE_SERVICE_ENV = 'production';
+});
+afterAll(() => {
+  if (prevServiceEnv === undefined) delete process.env.ABT_NODE_SERVICE_ENV;
+  else process.env.ABT_NODE_SERVICE_ENV = prevServiceEnv;
+});
+
+function buildApp() {
+  const app = new Hono();
+  app.use('*', cdn());
+  app.get('/page', (c) => c.html(HTML));
+  app.get('/api/data', (c) => c.json({ asset: ASSET })); // JSON must NOT be rewritten
+  return app;
+}
+
+const get = (app: Hono, p: string, accept = 'text/html') =>
+  app.fetch(new Request(`http://x${p}`, { headers: { accept } }));
+
+describe('hono cdn — happy path', () => {
+  it('rewrites HTML asset URLs to the CDN host in production', async () => {
+    const res = await get(buildApp(), '/page');
+    const body = await res.text();
+    expect(body).toContain('//cdn.example.com/.blocklet/proxy/z-comp/app.js');
+    expect(body).not.toMatch(/"\/\.blocklet\/proxy\/z-comp\/app\.js"/); // original quoted path is gone
+  });
+});
+
+describe('hono cdn — security / inert for API', () => {
+  it('does NOT rewrite a JSON response (content-type guard — inert for /api)', async () => {
+    const res = await get(buildApp(), '/api/data', 'application/json');
+    const body = await res.json();
+    expect(body.asset).toBe(ASSET); // untouched
+  });
+
+  it('does NOT rewrite when the client does not accept html', async () => {
+    const res = await get(buildApp(), '/page', 'application/json');
+    const body = await res.text();
+    // not html-accepting → shouldProcess false → original asset path retained
+    expect(body).toContain(`"${ASSET}"`);
+  });
+});
+
+describe('hono cdn — bad input (non-production inert)', () => {
+  it('does NOT rewrite outside production', async () => {
+    delete process.env.ABT_NODE_SERVICE_ENV;
+    const res = await get(buildApp(), '/page');
+    const body = await res.text();
+    expect(body).toContain(`"${ASSET}"`); // original retained
+    process.env.ABT_NODE_SERVICE_ENV = 'production';
+  });
+});

package/api/tests/middlewares/hono/context.spec.ts

@@ -0,0 +1,113 @@
+// Phase 1 (express→hono) — hono ensureI18n + contextMiddleware fork. Mirrors the
+// express tenant-middleware spec: single-point Host→tenant resolution, raw Host
+// only, multi-mode fail-closed. Driven via app.fetch with an explicit host
+// header (the fork reads c.req.header('host') — never a proxy header).
+import { Hono } from 'hono';
+import { ensureI18n, contextMiddleware } from '../../../src/middlewares/hono/context';
+import { getInstanceDid } from '../../../src/libs/context';
+import { getDefaultInstanceDid } from '../../../src/libs/tenant';
+import {
+  setIdentityDriver,
+  createDefaultIdentityDriver,
+  type IdentityDriver,
+} from '../../../src/libs/drivers/identity';
+
+const TENANT_A = 'did:abt:zHOSTA';
+const TENANT_B = 'did:abt:zHOSTB';
+
+function buildApp() {
+  const app = new Hono();
+  app.use('*', ensureI18n());
+  app.use('*', contextMiddleware());
+  app.get('/whoami', (c) => c.json({ tenant: getInstanceDid(), locale: c.get('locale') }));
+  return app;
+}
+
+const get = (app: Hono, host: string, extra: Record<string, string> = {}, path = '/whoami') =>
+  app.fetch(new Request(`http://${host}${path}`, { headers: { host, ...extra } }));
+
+afterEach(() => {
+  delete process.env.PAYMENT_TENANT_MODE;
+  setIdentityDriver(createDefaultIdentityDriver());
+});
+
+describe('hono ensureI18n', () => {
+  it('sets locale from ?locale and defaults to en', async () => {
+    const app = buildApp();
+    expect((await (await get(app, 'x.example.com', {}, '/whoami?locale=zh')).json()).locale).toBe('zh');
+    expect((await (await get(app, 'x.example.com')).json()).locale).toBe('en');
+  });
+});
+
+describe('hono contextMiddleware — single mode (default test env)', () => {
+  it('resolves to the default tenant regardless of host', async () => {
+    const app = buildApp();
+    const expected = getDefaultInstanceDid();
+    expect((await (await get(app, 'a.example.com')).json()).tenant).toBe(expected);
+    expect((await (await get(app, 'other.example.com')).json()).tenant).toBe(expected);
+  });
+});
+
+describe('hono contextMiddleware — multi mode (Host→tenant, fail-closed)', () => {
+  const identity: IdentityDriver = {
+    resolveInstanceDidForHost(host) {
+      if (host === 'a.example.com') return TENANT_A;
+      if (host === 'b.example.com') return TENANT_B;
+      return null;
+    },
+  };
+
+  beforeEach(() => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+  });
+
+  it('two hosts see two tenants (data isolation)', async () => {
+    const app = buildApp();
+    expect((await (await get(app, 'a.example.com')).json()).tenant).toBe(TENANT_A);
+    expect((await (await get(app, 'b.example.com')).json()).tenant).toBe(TENANT_B);
+  });
+
+  it('unknown host fails closed 400 + error code, no tenant leak', async () => {
+    const r = await get(buildApp(), 'unknown.example.com');
+    expect(r.status).toBe(400);
+    const body = await r.json();
+    expect(body.error.code).toBe('TENANT_HOST_UNRESOLVED');
+    expect(body.tenant).toBeUndefined();
+  });
+
+  it('SECURITY: a forged X-Forwarded-Host cannot change resolution (raw Host only)', async () => {
+    const r = await get(buildApp(), 'a.example.com', { 'x-forwarded-host': 'b.example.com' });
+    expect((await r.json()).tenant).toBe(TENANT_A);
+  });
+
+  it('SECURITY: X-Forwarded-Host pointing at a known tenant cannot rescue an unknown raw Host', async () => {
+    const r = await get(buildApp(), 'unknown.example.com', { 'x-forwarded-host': 'a.example.com' });
+    expect(r.status).toBe(400);
+  });
+
+  it('an empty / malformed Host fails closed without crashing', async () => {
+    // host supplied via the Host header (fixed URL) so an empty/garbage value
+    // does not break URL construction; the fork reads c.req.header('host').
+    const app = buildApp();
+    const empty = await app.fetch(new Request('http://req.local/whoami', { headers: { host: '' } }));
+    expect(empty.status).toBe(400);
+    const garbage = await app.fetch(new Request('http://req.local/whoami', { headers: { host: ':::garbage:::' } }));
+    expect(garbage.status).toBe(400);
+  });
+
+  it('a 4xx-rejected request never reaches the route handler (no write)', async () => {
+    let handlerRuns = 0;
+    const app = new Hono();
+    app.use('*', contextMiddleware());
+    app.get('/whoami', (c) => {
+      handlerRuns += 1;
+      return c.json({ tenant: getInstanceDid() });
+    });
+    const r = await app.fetch(
+      new Request('http://unknown.example.com/whoami', { headers: { host: 'unknown.example.com' } })
+    );
+    expect(r.status).toBe(400);
+    expect(handlerRuns).toBe(0);
+  });
+});