payment-kit 1.29.1 → 1.29.2

package/api/src/middlewares/hono/session.ts

@@ -0,0 +1,114 @@
+// Phase 3 (express→hono) — hono fork of @blocklet/sdk/lib/middlewares/session.js
+// (sessionMiddleware). NOT in the Phase 1 fork set, but used by many resource
+// routes (customers, checkout-sessions, payment-currencies, auto-recharge-configs,
+// …) via `sessionMiddleware({ accessKey: true })`. Unlike authenticate(), this is
+// NOT a gate: it POPULATES c.set('user', …) when a login token OR access key is
+// present and otherwise just calls next() (the downstream handler decides). The
+// token verification (verifyLoginToken / verifyAccessKey / verifyComponentCall /
+// verifySignedToken) + the optional blacklist check are reused verbatim; only the
+// req plumbing becomes a thin hono shim for getTokenFromReq.
+import type { MiddlewareHandler } from 'hono';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { getTokenFromReq } from '@abtnode/util/lib/get-token-from-req';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import {
+  verifyLoginToken,
+  verifyAccessKey,
+  verifyComponentCall,
+  verifySignedToken,
+} from '@blocklet/sdk/lib/util/verify-session';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { isLoginToken, isAccessKey } from '@blocklet/sdk/lib/util/login';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import config from '@blocklet/sdk/lib/config';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import serviceApi from '@blocklet/sdk/lib/util/service-api';
+import { isTestEnv } from '../../libs/env';
+
+interface SessionOptions {
+  loginToken?: boolean;
+  componentCall?: boolean;
+  signedToken?: string;
+  strictMode?: boolean;
+  accessKey?: boolean;
+  signedTokenKey?: string;
+}
+
+export function sessionMiddleware(options: SessionOptions = {}): MiddlewareHandler {
+  const {
+    loginToken = true,
+    componentCall = false,
+    signedToken = '',
+    strictMode = false,
+    accessKey = false,
+    signedTokenKey = '__jwt',
+  } = options;
+
+  return async (c, next) => {
+    let result: any = null;
+    // a thin express-req shim covering exactly what getTokenFromReq /
+    // verifyComponentCall read (query / cookie+authorization headers / method / url / body).
+    const url = new URL(c.req.url);
+    const shimReq: any = {
+      query: c.req.query(),
+      headers: { cookie: c.req.header('cookie'), authorization: c.req.header('authorization') },
+      get: (h: string) => c.req.header(h),
+      method: c.req.method,
+      originalUrl: url.pathname + url.search,
+      body: c.get('sanitizedBody') ?? {},
+    };
+
+    try {
+      if (loginToken || accessKey) {
+        const { _duplicate: hasDuplicate, token: loginTokenValue } = await getTokenFromReq(shimReq, {
+          cookie: { key: 'login_token' },
+        });
+        if (hasDuplicate) {
+          return c.text('Access token found in multiple locations', 400);
+        }
+        if (loginTokenValue && typeof loginTokenValue === 'string') {
+          if (!isTestEnv()) {
+            const blockletSettings = config.getBlockletSettings();
+            if (blockletSettings.enableBlacklist) {
+              const { data: checkResult } = await serviceApi.post('/api/user/checkToken', { token: loginTokenValue });
+              if (!checkResult.valid) {
+                if (strictMode) {
+                  return c.text('Access token is blocked', 401);
+                }
+                // not strict → treat as unauthenticated and proceed. NOT awaited
+                // on purpose: awaiting would pull downstream route errors into this
+                // try/catch and wrongly report them as 401 (parity with the express
+                // `next(); return;`, which does not await downstream).
+                // eslint-disable-next-line @typescript-eslint/return-await
+                return next();
+              }
+            }
+          }
+          if (isLoginToken(loginTokenValue)) {
+            result = await verifyLoginToken({ token: loginTokenValue, strictMode });
+          } else if (isAccessKey(loginTokenValue) && accessKey) {
+            result = await verifyAccessKey({ token: loginTokenValue, strictMode });
+          }
+        }
+      }
+
+      if (!result && componentCall) {
+        result = await verifyComponentCall({ req: shimReq, strictMode });
+      }
+
+      if (!result && signedToken) {
+        const token = c.req.query(signedTokenKey) || '';
+        result = await verifySignedToken({ token, strictMode });
+      }
+    } catch (err: any) {
+      return c.json({ error: err.message }, 401);
+    }
+
+    if (result) {
+      c.set('user', result);
+    }
+    return next();
+  };
+}
+
+export default sessionMiddleware;

package/api/src/middlewares/hono/xss.ts

@@ -0,0 +1,61 @@
+// Phase 1 (express→hono) — hono fork of @blocklet/xss (cjs/index.js:26).
+//
+// The express version sanitizes body/params/headers/query IN PLACE. hono's
+// Request is immutable and the query/params/headers are never reflected as HTML
+// (pure JSON API → Joi + parameterized Sequelize), so this fork DELIBERATELY
+// NARROWS to body-only sanitization (design §7, decided 2026-06-12). The
+// query/params/headers narrowing is locked by an explicit spec assertion.
+//
+// This middleware is the SINGLE body read-point: it consumes the request body
+// once, sanitizes it, and stores it on c.set('sanitizedBody'). Downstream routes
+// MUST read c.get('sanitizedBody') and NEVER call c.req.json() again — hono's
+// bodyCache holds the UN-sanitized original, so a re-read is a security hole
+// (design §7). The Stripe webhook (raw-body) is mounted so it never passes
+// through this middleware (Phase 3e).
+import type { MiddlewareHandler } from 'hono';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { initSanitize } from '@blocklet/xss';
+
+// allowedKeys: [] matches the express call site `xss({ allowedKeys: [] })`.
+const sanitize = initSanitize({ allowedKeys: [] });
+
+// Raw-body routes whose bytes must reach the handler unconsumed — the Stripe
+// webhook verifies its HMAC signature over the EXACT received bytes. Parity with
+// the express app shell, which routes this path around the json/body middleware
+// (service.ts buildNodeHandler). The route reads c.req.arrayBuffer() itself.
+const RAW_BODY_PREFIXES = ['/api/integrations/stripe/webhook'];
+
+export function xss(): MiddlewareHandler {
+  return async (c, next) => {
+    if (RAW_BODY_PREFIXES.some((p) => c.req.path.startsWith(p))) {
+      c.set('sanitizedBody', undefined);
+      return next();
+    }
+    // Parse the body by CONTENT-TYPE, not method — express's body-parser parses a
+    // json/form body on ANY method (including a GET with a body, which a few
+    // routes use, e.g. customers GET /:id reading body.create). A request with no
+    // parseable content-type yields no sanitizedBody (routes read `?? {}`, matching
+    // express.json()'s empty {} ).
+    const contentType = c.req.header('content-type') || '';
+    let body: unknown;
+    if (contentType.includes('application/json')) {
+      // single read; empty body → {} to match express.json() (which yields {}),
+      // malformed JSON throws (→ app.onError, parity with the express 400 path).
+      const raw = await c.req.text();
+      body = raw === '' ? {} : JSON.parse(raw);
+    } else if (
+      contentType.includes('application/x-www-form-urlencoded') ||
+      contentType.includes('multipart/form-data')
+    ) {
+      body = await c.req.parseBody();
+    } else {
+      // no parseable body content-type (or no body) — nothing to sanitize
+      body = undefined;
+    }
+
+    c.set('sanitizedBody', body === undefined ? undefined : sanitize(body));
+    return next();
+  };
+}
+
+export default xss;

package/api/src/queues/auto-recharge.ts

@@ -1,7 +1,8 @@
 import { BN } from '@ocap/util';
-
 import { Op } from 'sequelize';
-import createQueue from '../libs/queue';
+import { systemFindByPk, systemFindOne } from '../store/scoped';
+
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import {
   AutoRechargeConfig,
   ChainType,
@@ -48,13 +49,14 @@ export async function processAutoRecharge(job: AutoRechargeJobData) {
   logger.info('Processing auto recharge job', { job });
   const { customer_id: customerId, currency_id: currencyId } = job;
 
-  const customer = await Customer.findByPk(customerId);
+  const customer = await systemFindByPk(Customer, customerId);
   if (!customer) {
     logger.error('Customer not found', { customerId });
     return;
   }
+  assertJobObjectTenant(customer);
 
-  const currency = await PaymentCurrency.findByPk(currencyId);
+  const currency = await systemFindByPk(PaymentCurrency, currencyId);
   if (!currency) {
     logger.error('Currency not found', { currencyId });
     return;
@@ -63,7 +65,7 @@ export async function processAutoRecharge(job: AutoRechargeJobData) {
   // Check if the associated meter is inactive
   if (currency.type === 'credit') {
     // Find meter by currency_id (meter.currency_id -> PaymentCurrency) or by metadata.meter_id
-    const meter = await Meter.findOne({
+    const meter = await systemFindOne(Meter, {
       where: { currency_id: currencyId },
     });
     if (meter && meter.status === 'inactive') {
@@ -77,7 +79,7 @@ export async function processAutoRecharge(job: AutoRechargeJobData) {
   }
 
   // 1. find auto recharge config
-  const config = (await AutoRechargeConfig.findOne({
+  const config = (await systemFindOne(AutoRechargeConfig, {
     where: {
       customer_id: customerId,
       currency_id: currencyId,
@@ -378,7 +380,7 @@ async function createInvoiceForAutoRecharge({
   }
 
   // Check for existing invoice
-  const existInvoice = await Invoice.findOne({
+  const existInvoice = await systemFindOne(Invoice, {
     where: {
       customer_id: customer.id,
       currency_id: rechargeCurrency.id,
@@ -633,21 +635,21 @@ export async function checkAndTriggerAutoRecharge(
     }
 
     // T2b: Reuse caller-provided currency to avoid redundant DB query
-    const currency = options?.currency ?? (await PaymentCurrency.findByPk(currencyId));
+    const currency = options?.currency ?? (await systemFindByPk(PaymentCurrency, currencyId));
 
     // Reuse caller-provided meter when available to avoid redundant DB query
     let meterPromise: Promise<any>;
     if (options?.meter != null) {
       meterPromise = Promise.resolve(options.meter);
     } else if (currency?.type === 'credit') {
-      meterPromise = Meter.findOne({ where: { currency_id: currencyId } });
+      meterPromise = systemFindOne(Meter, { where: { currency_id: currencyId } });
     } else {
       meterPromise = Promise.resolve(null);
     }
 
     const [meter, config] = await Promise.all([
       meterPromise,
-      AutoRechargeConfig.findOne({
+      systemFindOne(AutoRechargeConfig, {
         where: {
           customer_id: customer.id,
           currency_id: currencyId,

package/api/src/queues/checkout-session.ts

@@ -1,5 +1,6 @@
 /* eslint-disable no-await-in-loop */
 import { Op } from 'sequelize';
+import { systemFindAll, systemFindByPk, systemFindOne } from '../store/scoped';
 
 import { mintNftForCheckoutSession } from '../integrations/arcblock/nft';
 import { ensurePassportIssued } from '../integrations/blocklet/passport';
@@ -7,7 +8,7 @@ import { ensureInvoiceForCheckout } from '../routes/connect/shared';
 import dayjs from '../libs/dayjs';
 import { events } from '../libs/event';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import {
   CheckoutSession,
   Customer,
@@ -40,11 +41,12 @@ export const checkoutSessionQueue = createQueue<CheckoutSessionJob>({
 });
 
 export async function handleCheckoutSessionJob(job: CheckoutSessionJob): Promise<void> {
-  const checkoutSession = await CheckoutSession.findByPk(job.id);
+  const checkoutSession = await systemFindByPk(CheckoutSession, job.id);
   if (!checkoutSession) {
     logger.warn('CheckoutSession not found', { id: job.id });
     return;
   }
+  assertJobObjectTenant(checkoutSession);
   if (job.action === 'expire') {
     if (checkoutSession.status !== 'open') {
       logger.info('Skip expire CheckoutSession since status is not open', {
@@ -80,7 +82,7 @@ export async function handleCheckoutSessionJob(job: CheckoutSessionJob): Promise
 export async function startCheckoutSessionQueue() {
   // Auto populate subscription queue
   const now = dayjs().unix();
-  const checkoutSessions = await CheckoutSession.findAll({
+  const checkoutSessions = await systemFindAll(CheckoutSession, {
     where: {
       status: 'open',
       expires_at: { [Op.lte]: now },
@@ -146,7 +148,7 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
     });
   } else {
     // Do some reverse lookup if invoice is not related to checkout session
-    const invoice = await Invoice.findOne({ where: { checkout_session_id: checkoutSession.id } });
+    const invoice = await systemFindOne(Invoice, { where: { checkout_session_id: checkoutSession.id } });
     if (invoice) {
       await destroyExistingInvoice(invoice);
       logger.info('Invoice and InvoiceItem for checkout session deleted on expire', {
@@ -165,10 +167,10 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
   }
 
   if (checkoutSession.payment_intent_id && checkoutSession.payment_status !== 'paid') {
-    const paymentIntent = await PaymentIntent.findByPk(checkoutSession.payment_intent_id);
+    const paymentIntent = await systemFindByPk(PaymentIntent, checkoutSession.payment_intent_id);
     const stripePaymentId = paymentIntent?.payment_details?.stripe?.payment_intent_id;
     if (paymentIntent && stripePaymentId) {
-      const method = await PaymentMethod.findByPk(paymentIntent.payment_method_id);
+      const method = await systemFindByPk(PaymentMethod, paymentIntent.payment_method_id);
       if (method?.type === 'stripe') {
         const client = method.getStripeClient();
         try {
@@ -198,12 +200,12 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
 
   const subscriptionIds = getCheckoutSessionSubscriptionIds(checkoutSession);
   if (subscriptionIds.length > 0) {
-    const subscriptions = await Subscription.findAll({ where: { id: { [Op.in]: subscriptionIds } } });
+    const subscriptions = await systemFindAll(Subscription, { where: { id: { [Op.in]: subscriptionIds } } });
     await Promise.all(
       subscriptions.map(async (subscription) => {
         const stripeSubscriptionId = subscription?.payment_details?.stripe?.subscription_id;
         if (subscription && stripeSubscriptionId) {
-          const method = await PaymentMethod.findByPk(subscription.default_payment_method_id);
+          const method = await systemFindByPk(PaymentMethod, subscription.default_payment_method_id);
           if (method?.type === 'stripe') {
             const client = method.getStripeClient();
             try {
@@ -245,7 +247,7 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
 
   // update price lock status
   for (const item of checkoutSession.line_items) {
-    const price = await Price.findByPk(item.price_id);
+    const price = await systemFindByPk(Price, item.price_id);
     if (price?.locked) {
       const used = await price.isUsed(false);
       logger.info('Price used status recheck on expire', {
@@ -269,11 +271,12 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
 events.on(
   'checkout.session.pending_invoice',
   async ({ checkoutSessionId, paymentIntentId }: { checkoutSessionId: string; paymentIntentId: string }) => {
-    const checkoutSession = await CheckoutSession.findByPk(checkoutSessionId);
+    const checkoutSession = await systemFindByPk(CheckoutSession, checkoutSessionId);
     if (!checkoutSession) {
       logger.warn('CheckoutSession not found for pending invoice', { checkoutSessionId });
       return;
     }
+    assertJobObjectTenant(checkoutSession);
     if (checkoutSession.invoice_id) {
       logger.info('Invoice already exists for checkout session', {
         checkoutSessionId,
@@ -293,15 +296,17 @@ events.on(
       return;
     }
 
-    const paymentIntent = await PaymentIntent.findByPk(paymentIntentId);
+    const paymentIntent = await systemFindByPk(PaymentIntent, paymentIntentId);
     if (!paymentIntent) {
       return;
     }
+    assertJobObjectTenant(paymentIntent);
 
-    const customer = await Customer.findByPk(checkoutSession.customer_id);
+    const customer = await systemFindByPk(Customer, checkoutSession.customer_id);
     if (!customer) {
       return;
     }
+    assertJobObjectTenant(customer);
 
     await ensureInvoiceForCheckout({
       checkoutSession,

package/api/src/queues/credit-consume.ts

@@ -1,11 +1,19 @@
 import { BN, fromUnitToToken } from '@ocap/util';
 import { Op } from 'sequelize';
 import pAll from 'p-all';
+import {
+  isCfWorker,
+  creditLowBalanceThresholdPercentage,
+  creditBatchSize,
+  creditBatchWindowMs,
+  creditQueueConcurrency,
+} from '../libs/env';
+import { systemFindAll, systemFindByPk, systemFindOne } from '../store/scoped';
 
 import { getLock } from '../libs/lock';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
-import { createEvent } from '../libs/audit';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
+import { createEvent, reportAuditFailure } from '../libs/audit';
 import { MeterEvent, CreditGrant, CreditTransaction, Customer, Subscription, TMeterExpanded } from '../store/models';
 import { getCachedMeterExpanded } from '../libs/reference-cache';
 
@@ -20,7 +28,7 @@ import { addTokenTransferJob } from './token-transfer';
 // In Blocklet Server (no Queue ops limit), use the full MAX_RETRY_COUNT.
 // After max retries, mark as requires_action — retryFailedEventsForCustomer()
 // picks them up when credit is granted.
-const CREDIT_MAX_RETRY = (globalThis as any).__CF_ENV__ ? 5 : MAX_RETRY_COUNT;
+const CREDIT_MAX_RETRY = isCfWorker() ? 5 : MAX_RETRY_COUNT;
 
 type CreditConsumptionJob = {
   meterEventId: string;
@@ -82,7 +90,7 @@ async function checkLowBalance(
     if (totalCreditAmountBn.lte(new BN(0))) return;
     const remainingAmountBn = new BN(remainingBalance);
     // Get threshold percentage from env var, default to 10%
-    const thresholdPercentage = parseInt(process.env.CREDIT_LOW_BALANCE_THRESHOLD_PERCENTAGE || '10', 10);
+    const thresholdPercentage = creditLowBalanceThresholdPercentage();
     const threshold = totalCreditAmountBn.mul(new BN(thresholdPercentage)).div(new BN(100));
     if (remainingAmountBn.gt(new BN(0)) && remainingAmountBn.lte(threshold)) {
       const percentage = remainingAmountBn.mul(new BN(100)).div(totalCreditAmountBn).toString();
@@ -94,7 +102,7 @@ async function checkLowBalance(
           percentage,
           subscription_id: context.subscription?.id,
         },
-      }).catch(console.error);
+      }).catch(reportAuditFailure);
     }
   } catch (error: any) {
     logger.error('Failed to check low balance', {
@@ -118,7 +126,7 @@ async function loadReferenceData(
 
   const [meter, customer] = await Promise.all([
     getCachedMeterExpanded(meterEvent.event_name) as Promise<TMeterExpanded | null>,
-    Customer.findByPk(customerId),
+    systemFindByPk(Customer, customerId),
   ]);
 
   if (!meter) {
@@ -163,7 +171,7 @@ async function consumeAvailableCredits(
   const currencyId = context.meter.currency_id!;
   const meterEventId = context.meterEvent.id;
 
-  const existingTransactions = await CreditTransaction.findAll({
+  const existingTransactions = await systemFindAll(CreditTransaction, {
     where: {
       source: meterEventId,
     },
@@ -300,7 +308,7 @@ async function handlePostConsumptionEvents(
           currency_id: currencyId,
           subscription_id: context.subscription?.id,
         },
-      }).catch(console.error);
+      }).catch(reportAuditFailure);
     }
 
     // 如果有关联订阅且订阅活跃，将其标记为逾期
@@ -338,7 +346,7 @@ async function handlePostConsumptionEvents(
         currency_id: currencyId,
         subscription_id: context.subscription?.id,
       },
-    }).catch(console.error);
+    }).catch(reportAuditFailure);
   }
 
   if (!insufficientTriggered) {
@@ -479,7 +487,7 @@ async function createCreditTransaction(
       });
 
       // 重新查询已存在的 transaction
-      const duplicateTransaction = await CreditTransaction.findOne({
+      const duplicateTransaction = await systemFindOne(CreditTransaction, {
         where: {
           source: meterEventId,
           credit_grant_id: creditGrantId,
@@ -508,11 +516,12 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
   logger.info('Starting credit consumption job', { meterEventId });
 
   // Pre-check before acquiring lock
-  const preCheckEvent = await MeterEvent.findByPk(meterEventId);
+  const preCheckEvent = await systemFindByPk(MeterEvent, meterEventId);
   if (!preCheckEvent) {
     logger.warn('Skipping credit consumption job: MeterEvent not found', { meterEventId });
     return;
   }
+  assertJobObjectTenant(preCheckEvent);
   if (preCheckEvent.status === 'completed' || preCheckEvent.status === 'canceled') {
     logger.info('Skipping credit consumption job: MeterEvent already processed', {
       meterEventId,
@@ -554,8 +563,8 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
 
     // Fresh loads inside lock for consistency
     const [freshEvent, freshSubscription] = await Promise.all([
-      MeterEvent.findByPk(meterEventId),
-      context._subscriptionId ? Subscription.findByPk(context._subscriptionId) : Promise.resolve(null),
+      systemFindByPk(MeterEvent, meterEventId),
+      context._subscriptionId ? systemFindByPk(Subscription, context._subscriptionId) : Promise.resolve(null),
     ]);
     if (!freshEvent) {
       logger.warn('MeterEvent disappeared after lock acquired', { meterEventId });
@@ -691,7 +700,7 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
 
     // Handle retry logic with more robust error handling
     try {
-      const meterEvent = await MeterEvent.findByPk(meterEventId);
+      const meterEvent = await systemFindByPk(MeterEvent, meterEventId);
       if (meterEvent && !['completed', 'canceled', 'requires_action'].includes(meterEvent.status)) {
         const attemptCount = meterEvent.attempt_count + 1;
         const nonRetryable = isNonRetryableCreditError(error);
@@ -762,9 +771,6 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
 // ============================================================================
 // Batch credit consumption
 // ============================================================================
-const CREDIT_BATCH_SIZE = Math.max(1, parseInt(process.env.CREDIT_BATCH_SIZE || '50', 10));
-const CREDIT_BATCH_WINDOW_MS = Math.max(10, parseInt(process.env.CREDIT_BATCH_WINDOW_MS || '3000', 10));
-
 type PendingBatch = { eventIds: string[]; timer: NodeJS.Timeout | null };
 const pendingBatches = new Map<string, PendingBatch>();
 // Track in-flight batch jobs per key to avoid head-of-line blocking.
@@ -785,13 +791,13 @@ function addToBatch(customerId: string, eventName: string, meterEventId: string,
 
   batch.eventIds.push(meterEventId);
 
-  if (batch.eventIds.length >= CREDIT_BATCH_SIZE) {
+  if (batch.eventIds.length >= creditBatchSize()) {
     flushBatch(key);
     return;
   }
 
   if (!batch.timer) {
-    batch.timer = setTimeout(() => flushBatch(key), CREDIT_BATCH_WINDOW_MS);
+    batch.timer = setTimeout(() => flushBatch(key), creditBatchWindowMs());
   }
 }
 
@@ -864,7 +870,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
   // ==========================================
   // Pre-check: filter already-processed events
   // ==========================================
-  const preCheckEvents = await MeterEvent.findAll({
+  const preCheckEvents = await systemFindAll(MeterEvent, {
     where: { id: { [Op.in]: meterEventIds } },
   });
 
@@ -894,7 +900,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
   // ==========================================
   const [meter, customer] = await Promise.all([
     getCachedMeterExpanded(eventName) as Promise<TMeterExpanded | null>,
-    Customer.findByPk(customerId),
+    systemFindByPk(Customer, customerId),
   ]);
 
   if (!meter || !meter.currency_id || !customer) {
@@ -925,7 +931,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
     // Fresh read inside lock
     // ==========================================
     const processableIds = processableEvents.map((e) => e.id);
-    const freshEvents = await MeterEvent.findAll({
+    const freshEvents = await systemFindAll(MeterEvent, {
       where: { id: { [Op.in]: processableIds } },
     });
 
@@ -940,7 +946,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
     let priceIds: string[] | undefined;
 
     if (subscriptionId) {
-      subscription = await Subscription.findByPk(subscriptionId);
+      subscription = await systemFindByPk(Subscription, subscriptionId);
       if (!subscription) {
         logger.warn('Batch: Subscription not found inside lock, skipping', {
           customerId,
@@ -965,7 +971,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
     // Batch idempotency check
     // ==========================================
     const allEventIds = freshProcessable.map((e) => e.id);
-    const existingTransactions = await CreditTransaction.findAll({
+    const existingTransactions = await systemFindAll(CreditTransaction, {
       where: { source: { [Op.in]: allEventIds } },
     });
     const txBySource = new Map<string, CreditTransaction[]>();
@@ -1249,11 +1255,6 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
 // Queue setup
 // ============================================================================
 
-const creditQueueConcurrency = Math.max(
-  1,
-  Math.min(20, parseInt(process.env.CREDIT_QUEUE_CONCURRENCY || '5', 10) || 5)
-);
-
 export const creditQueue = createQueue<CreditConsumptionJob | BatchCreditConsumptionJob>({
   name: 'credit-consumption',
   onJob: (job) => {
@@ -1263,7 +1264,7 @@ export const creditQueue = createQueue<CreditConsumptionJob | BatchCreditConsump
     return handleCreditConsumption(job as CreditConsumptionJob);
   },
   options: {
-    concurrency: creditQueueConcurrency,
+    concurrency: creditQueueConcurrency(),
     maxRetries: 0,
     enableScheduledJob: true,
   },
@@ -1308,11 +1309,12 @@ const addCreditConsumptionJob = async (
     }
 
     if (!options.skipStatusCheck) {
-      const meterEvent = await MeterEvent.findByPk(meterEventId);
+      const meterEvent = await systemFindByPk(MeterEvent, meterEventId);
       if (!meterEvent) {
         logger.warn('Cannot add credit consumption job: MeterEvent not found', { meterEventId });
         return;
       }
+      assertJobObjectTenant(meterEvent);
 
       if (meterEvent.status === 'completed' || meterEvent.status === 'canceled') {
         logger.debug('Skipping credit consumption job: MeterEvent already processed', {
@@ -1342,7 +1344,7 @@ creditQueue.on('retry', ({ id, job }) => {
 });
 
 export async function startCreditConsumeQueue(): Promise<void> {
-  const lock = getLock('startCreditConsumeQueue');
+  const lock = getLock('startCreditConsumeQueue', { scope: 'global' });
   if (lock.locked) {
     return;
   }
@@ -1359,7 +1361,7 @@ export async function startCreditConsumeQueue(): Promise<void> {
 
     do {
       // eslint-disable-next-line no-await-in-loop
-      batchEvents = await MeterEvent.findAll({
+      batchEvents = await systemFindAll(MeterEvent, {
         where: {
           status: ['pending', 'requires_capture', 'processing'],
         },
@@ -1491,13 +1493,14 @@ events.on('customer.credit_grant.granted', async (creditGrant: CreditGrant) => {
 });
 
 async function retryFailedEventsForCustomer(creditGrant: CreditGrant): Promise<void> {
-  const grant = await CreditGrant.findByPk(creditGrant.id);
+  const grant = await systemFindByPk(CreditGrant, creditGrant.id);
   if (!grant) {
     logger.error('Credit grant not found', {
       creditGrantId: creditGrant.id,
     });
     return;
   }
+  assertJobObjectTenant(grant);
 
   const customerId = grant.customer_id;
   const currencyId = grant.currency_id;
@@ -1583,8 +1586,9 @@ async function retryFailedEventsForCustomer(creditGrant: CreditGrant): Promise<v
 
       let chunkIndex = 0;
       for (const [, subEventIds] of bySubscription) {
-        for (let i = 0; i < subEventIds.length; i += CREDIT_BATCH_SIZE) {
-          const chunk = subEventIds.slice(i, i + CREDIT_BATCH_SIZE);
+        const batchSize = creditBatchSize();
+        for (let i = 0; i < subEventIds.length; i += batchSize) {
+          const chunk = subEventIds.slice(i, i + batchSize);
           creditQueue.push({
             id: `retry-batch-${customerId}-${Date.now()}-${chunkIndex++}`,
             job: { meterEventIds: chunk } as any,