payment-kit 1.29.1 → 1.29.3

package/api/src/queues/credit-consume.ts

@@ -1,11 +1,19 @@
 import { BN, fromUnitToToken } from '@ocap/util';
 import { Op } from 'sequelize';
 import pAll from 'p-all';
+import {
+  isCfWorker,
+  creditLowBalanceThresholdPercentage,
+  creditBatchSize,
+  creditBatchWindowMs,
+  creditQueueConcurrency,
+} from '../libs/env';
+import { systemFindAll, systemFindByPk, systemFindOne } from '../store/scoped';
 
 import { getLock } from '../libs/lock';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
-import { createEvent } from '../libs/audit';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
+import { createEvent, reportAuditFailure } from '../libs/audit';
 import { MeterEvent, CreditGrant, CreditTransaction, Customer, Subscription, TMeterExpanded } from '../store/models';
 import { getCachedMeterExpanded } from '../libs/reference-cache';
 
@@ -20,7 +28,7 @@ import { addTokenTransferJob } from './token-transfer';
 // In Blocklet Server (no Queue ops limit), use the full MAX_RETRY_COUNT.
 // After max retries, mark as requires_action — retryFailedEventsForCustomer()
 // picks them up when credit is granted.
-const CREDIT_MAX_RETRY = (globalThis as any).__CF_ENV__ ? 5 : MAX_RETRY_COUNT;
+const CREDIT_MAX_RETRY = isCfWorker() ? 5 : MAX_RETRY_COUNT;
 
 type CreditConsumptionJob = {
   meterEventId: string;
@@ -82,7 +90,7 @@ async function checkLowBalance(
     if (totalCreditAmountBn.lte(new BN(0))) return;
     const remainingAmountBn = new BN(remainingBalance);
     // Get threshold percentage from env var, default to 10%
-    const thresholdPercentage = parseInt(process.env.CREDIT_LOW_BALANCE_THRESHOLD_PERCENTAGE || '10', 10);
+    const thresholdPercentage = creditLowBalanceThresholdPercentage();
     const threshold = totalCreditAmountBn.mul(new BN(thresholdPercentage)).div(new BN(100));
     if (remainingAmountBn.gt(new BN(0)) && remainingAmountBn.lte(threshold)) {
       const percentage = remainingAmountBn.mul(new BN(100)).div(totalCreditAmountBn).toString();
@@ -94,7 +102,7 @@ async function checkLowBalance(
           percentage,
           subscription_id: context.subscription?.id,
         },
-      }).catch(console.error);
+      }).catch(reportAuditFailure);
     }
   } catch (error: any) {
     logger.error('Failed to check low balance', {
@@ -118,7 +126,7 @@ async function loadReferenceData(
 
   const [meter, customer] = await Promise.all([
     getCachedMeterExpanded(meterEvent.event_name) as Promise<TMeterExpanded | null>,
-    Customer.findByPk(customerId),
+    systemFindByPk(Customer, customerId),
   ]);
 
   if (!meter) {
@@ -163,7 +171,7 @@ async function consumeAvailableCredits(
   const currencyId = context.meter.currency_id!;
   const meterEventId = context.meterEvent.id;
 
-  const existingTransactions = await CreditTransaction.findAll({
+  const existingTransactions = await systemFindAll(CreditTransaction, {
     where: {
       source: meterEventId,
     },
@@ -300,7 +308,7 @@ async function handlePostConsumptionEvents(
           currency_id: currencyId,
           subscription_id: context.subscription?.id,
         },
-      }).catch(console.error);
+      }).catch(reportAuditFailure);
     }
 
     // 如果有关联订阅且订阅活跃，将其标记为逾期
@@ -338,7 +346,7 @@ async function handlePostConsumptionEvents(
         currency_id: currencyId,
         subscription_id: context.subscription?.id,
       },
-    }).catch(console.error);
+    }).catch(reportAuditFailure);
   }
 
   if (!insufficientTriggered) {
@@ -479,7 +487,7 @@ async function createCreditTransaction(
       });
 
       // 重新查询已存在的 transaction
-      const duplicateTransaction = await CreditTransaction.findOne({
+      const duplicateTransaction = await systemFindOne(CreditTransaction, {
         where: {
           source: meterEventId,
           credit_grant_id: creditGrantId,
@@ -508,11 +516,12 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
   logger.info('Starting credit consumption job', { meterEventId });
 
   // Pre-check before acquiring lock
-  const preCheckEvent = await MeterEvent.findByPk(meterEventId);
+  const preCheckEvent = await systemFindByPk(MeterEvent, meterEventId);
   if (!preCheckEvent) {
     logger.warn('Skipping credit consumption job: MeterEvent not found', { meterEventId });
     return;
   }
+  assertJobObjectTenant(preCheckEvent);
   if (preCheckEvent.status === 'completed' || preCheckEvent.status === 'canceled') {
     logger.info('Skipping credit consumption job: MeterEvent already processed', {
       meterEventId,
@@ -554,8 +563,8 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
 
     // Fresh loads inside lock for consistency
     const [freshEvent, freshSubscription] = await Promise.all([
-      MeterEvent.findByPk(meterEventId),
-      context._subscriptionId ? Subscription.findByPk(context._subscriptionId) : Promise.resolve(null),
+      systemFindByPk(MeterEvent, meterEventId),
+      context._subscriptionId ? systemFindByPk(Subscription, context._subscriptionId) : Promise.resolve(null),
     ]);
     if (!freshEvent) {
       logger.warn('MeterEvent disappeared after lock acquired', { meterEventId });
@@ -691,7 +700,7 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
 
     // Handle retry logic with more robust error handling
     try {
-      const meterEvent = await MeterEvent.findByPk(meterEventId);
+      const meterEvent = await systemFindByPk(MeterEvent, meterEventId);
       if (meterEvent && !['completed', 'canceled', 'requires_action'].includes(meterEvent.status)) {
         const attemptCount = meterEvent.attempt_count + 1;
         const nonRetryable = isNonRetryableCreditError(error);
@@ -762,9 +771,6 @@ export async function handleCreditConsumption(job: CreditConsumptionJob) {
 // ============================================================================
 // Batch credit consumption
 // ============================================================================
-const CREDIT_BATCH_SIZE = Math.max(1, parseInt(process.env.CREDIT_BATCH_SIZE || '50', 10));
-const CREDIT_BATCH_WINDOW_MS = Math.max(10, parseInt(process.env.CREDIT_BATCH_WINDOW_MS || '3000', 10));
-
 type PendingBatch = { eventIds: string[]; timer: NodeJS.Timeout | null };
 const pendingBatches = new Map<string, PendingBatch>();
 // Track in-flight batch jobs per key to avoid head-of-line blocking.
@@ -785,13 +791,13 @@ function addToBatch(customerId: string, eventName: string, meterEventId: string,
 
   batch.eventIds.push(meterEventId);
 
-  if (batch.eventIds.length >= CREDIT_BATCH_SIZE) {
+  if (batch.eventIds.length >= creditBatchSize()) {
     flushBatch(key);
     return;
   }
 
   if (!batch.timer) {
-    batch.timer = setTimeout(() => flushBatch(key), CREDIT_BATCH_WINDOW_MS);
+    batch.timer = setTimeout(() => flushBatch(key), creditBatchWindowMs());
   }
 }
 
@@ -864,7 +870,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
   // ==========================================
   // Pre-check: filter already-processed events
   // ==========================================
-  const preCheckEvents = await MeterEvent.findAll({
+  const preCheckEvents = await systemFindAll(MeterEvent, {
     where: { id: { [Op.in]: meterEventIds } },
   });
 
@@ -894,7 +900,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
   // ==========================================
   const [meter, customer] = await Promise.all([
     getCachedMeterExpanded(eventName) as Promise<TMeterExpanded | null>,
-    Customer.findByPk(customerId),
+    systemFindByPk(Customer, customerId),
   ]);
 
   if (!meter || !meter.currency_id || !customer) {
@@ -925,7 +931,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
     // Fresh read inside lock
     // ==========================================
     const processableIds = processableEvents.map((e) => e.id);
-    const freshEvents = await MeterEvent.findAll({
+    const freshEvents = await systemFindAll(MeterEvent, {
       where: { id: { [Op.in]: processableIds } },
     });
 
@@ -940,7 +946,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
     let priceIds: string[] | undefined;
 
     if (subscriptionId) {
-      subscription = await Subscription.findByPk(subscriptionId);
+      subscription = await systemFindByPk(Subscription, subscriptionId);
       if (!subscription) {
         logger.warn('Batch: Subscription not found inside lock, skipping', {
           customerId,
@@ -965,7 +971,7 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
     // Batch idempotency check
     // ==========================================
     const allEventIds = freshProcessable.map((e) => e.id);
-    const existingTransactions = await CreditTransaction.findAll({
+    const existingTransactions = await systemFindAll(CreditTransaction, {
       where: { source: { [Op.in]: allEventIds } },
     });
     const txBySource = new Map<string, CreditTransaction[]>();
@@ -1249,11 +1255,6 @@ async function handleBatchCreditConsumptionInner(meterEventIds: string[], batchS
 // Queue setup
 // ============================================================================
 
-const creditQueueConcurrency = Math.max(
-  1,
-  Math.min(20, parseInt(process.env.CREDIT_QUEUE_CONCURRENCY || '5', 10) || 5)
-);
-
 export const creditQueue = createQueue<CreditConsumptionJob | BatchCreditConsumptionJob>({
   name: 'credit-consumption',
   onJob: (job) => {
@@ -1263,7 +1264,7 @@ export const creditQueue = createQueue<CreditConsumptionJob | BatchCreditConsump
     return handleCreditConsumption(job as CreditConsumptionJob);
   },
   options: {
-    concurrency: creditQueueConcurrency,
+    concurrency: creditQueueConcurrency(),
     maxRetries: 0,
     enableScheduledJob: true,
   },
@@ -1308,11 +1309,12 @@ const addCreditConsumptionJob = async (
     }
 
     if (!options.skipStatusCheck) {
-      const meterEvent = await MeterEvent.findByPk(meterEventId);
+      const meterEvent = await systemFindByPk(MeterEvent, meterEventId);
       if (!meterEvent) {
         logger.warn('Cannot add credit consumption job: MeterEvent not found', { meterEventId });
         return;
       }
+      assertJobObjectTenant(meterEvent);
 
       if (meterEvent.status === 'completed' || meterEvent.status === 'canceled') {
         logger.debug('Skipping credit consumption job: MeterEvent already processed', {
@@ -1342,7 +1344,7 @@ creditQueue.on('retry', ({ id, job }) => {
 });
 
 export async function startCreditConsumeQueue(): Promise<void> {
-  const lock = getLock('startCreditConsumeQueue');
+  const lock = getLock('startCreditConsumeQueue', { scope: 'global' });
   if (lock.locked) {
     return;
   }
@@ -1359,7 +1361,7 @@ export async function startCreditConsumeQueue(): Promise<void> {
 
     do {
       // eslint-disable-next-line no-await-in-loop
-      batchEvents = await MeterEvent.findAll({
+      batchEvents = await systemFindAll(MeterEvent, {
         where: {
           status: ['pending', 'requires_capture', 'processing'],
         },
@@ -1491,13 +1493,14 @@ events.on('customer.credit_grant.granted', async (creditGrant: CreditGrant) => {
 });
 
 async function retryFailedEventsForCustomer(creditGrant: CreditGrant): Promise<void> {
-  const grant = await CreditGrant.findByPk(creditGrant.id);
+  const grant = await systemFindByPk(CreditGrant, creditGrant.id);
   if (!grant) {
     logger.error('Credit grant not found', {
       creditGrantId: creditGrant.id,
     });
     return;
   }
+  assertJobObjectTenant(grant);
 
   const customerId = grant.customer_id;
   const currencyId = grant.currency_id;
@@ -1583,8 +1586,9 @@ async function retryFailedEventsForCustomer(creditGrant: CreditGrant): Promise<v
 
       let chunkIndex = 0;
       for (const [, subEventIds] of bySubscription) {
-        for (let i = 0; i < subEventIds.length; i += CREDIT_BATCH_SIZE) {
-          const chunk = subEventIds.slice(i, i + CREDIT_BATCH_SIZE);
+        const batchSize = creditBatchSize();
+        for (let i = 0; i < subEventIds.length; i += batchSize) {
+          const chunk = subEventIds.slice(i, i + batchSize);
           creditQueue.push({
             id: `retry-batch-${customerId}-${Date.now()}-${chunkIndex++}`,
             job: { meterEventIds: chunk } as any,

package/api/src/queues/credit-grant.ts

@@ -4,7 +4,8 @@ import { Op } from 'sequelize';
 import { BN, fromTokenToUnit, fromUnitToToken } from '@ocap/util';
 import pAll from 'p-all';
 import dayjs from '../libs/dayjs';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 import {
   AutoRechargeConfig,
   CreditGrant,
@@ -48,7 +49,7 @@ type CreditGrantJob =
  * Non on-chain credits finish immediately; on-chain credits wait for mint success
  */
 async function activateGrant(creditGrant: CreditGrant) {
-  const paymentCurrency = await PaymentCurrency.findByPk(creditGrant.currency_id);
+  const paymentCurrency = await systemFindByPk(PaymentCurrency, creditGrant.currency_id);
   const isOnChainCredit = paymentCurrency && PaymentCurrency.isOnChainCredit(paymentCurrency);
 
   logger.info('Activating credit grant', {
@@ -76,10 +77,11 @@ async function activateGrant(creditGrant: CreditGrant) {
   }
 
   // Verify customer
-  const customer = await Customer.findByPk(creditGrant.customer_id);
+  const customer = await systemFindByPk(Customer, creditGrant.customer_id);
   if (!customer) {
     throw new Error(`Customer DID not found for credit grant ${creditGrant.id}`);
   }
+  assertJobObjectTenant(customer);
 
   const customerState = await getAccountState(paymentCurrency, customer.did);
 
@@ -161,7 +163,7 @@ export async function expireGrant(creditGrant: CreditGrant) {
     return;
   }
 
-  const paymentCurrency = await PaymentCurrency.findByPk(creditGrant.currency_id);
+  const paymentCurrency = await systemFindByPk(PaymentCurrency, creditGrant.currency_id);
   if (!paymentCurrency) {
     logger.error('Payment currency not found for credit grant transfer', {
       creditGrantId: creditGrant.id,
@@ -171,9 +173,10 @@ export async function expireGrant(creditGrant: CreditGrant) {
     await creditGrant.update({ status: 'expired' });
     return;
   }
+  assertJobObjectTenant(paymentCurrency);
 
   // Get customer DID
-  const customer = await Customer.findByPk(creditGrant.customer_id);
+  const customer = await systemFindByPk(Customer, creditGrant.customer_id);
   if (!customer?.did) {
     logger.error('Customer DID not found for credit grant transfer', {
       creditGrantId: creditGrant.id,
@@ -280,11 +283,12 @@ const handleCreditGrantJob = async (job: CreditGrantJob) => {
 
   const { creditGrantId, action } = job as { creditGrantId: string; action: 'activate' | 'expire' };
 
-  const creditGrant = await CreditGrant.findByPk(creditGrantId);
+  const creditGrant = await systemFindByPk(CreditGrant, creditGrantId);
   if (!creditGrant) {
     logger.error('Credit grant not found', { creditGrantId });
     return;
   }
+  assertJobObjectTenant(creditGrant);
 
   const now = dayjs().unix();
 
@@ -411,7 +415,7 @@ export async function scheduleCreditGrantJobs(creditGrant: CreditGrant) {
 export const startCreditGrantQueue = async () => {
   logger.info('Starting credit grant queue...');
 
-  const grantsToSchedule = await CreditGrant.findAll({
+  const grantsToSchedule = await systemFindAll(CreditGrant, {
     where: {
       [Op.or]: [
         { status: 'pending' },
@@ -424,7 +428,7 @@ export const startCreditGrantQueue = async () => {
     order: [['created_at', 'ASC']],
   });
 
-  const invoicesToSchedule = await Invoice.findAll({
+  const invoicesToSchedule = await systemFindAll(Invoice, {
     where: {
       status: 'paid',
       metadata: {
@@ -482,7 +486,7 @@ async function recoverCreditScheduleJobs(): Promise<void> {
   try {
     // Find subscriptions with active credit schedules
     // We filter for non-null credit_schedule_state in application code
-    const allActiveSubscriptions = await Subscription.findAll({
+    const allActiveSubscriptions = await systemFindAll(Subscription, {
       where: {
         status: ['active', 'trialing'],
       },
@@ -589,7 +593,7 @@ creditGrantQueue.on('finished', ({ id }) => {
 
 async function handleInvoiceCredit(invoiceId: string) {
   try {
-    const invoice = (await Invoice.findByPk(invoiceId, {
+    const invoice = (await systemFindByPk(Invoice, invoiceId, {
       include: [
         {
           model: Customer,
@@ -619,7 +623,7 @@ async function handleInvoiceCredit(invoiceId: string) {
         customerId: invoice.customer.id,
       });
       if (invoice.metadata?.auto_recharge?.config_id) {
-        const autoRechargeConfig = await AutoRechargeConfig.findByPk(invoice.metadata?.auto_recharge?.config_id);
+        const autoRechargeConfig = await systemFindByPk(AutoRechargeConfig, invoice.metadata?.auto_recharge?.config_id);
         if (autoRechargeConfig) {
           await autoRechargeConfig.updateDailyStats(invoice.total);
         }
@@ -635,7 +639,7 @@ async function handleInvoiceCredit(invoiceId: string) {
 
     const items = await Promise.all(
       lineItems.map(async (lineItem) => {
-        const price = (await Price.findByPk(lineItem.price_id, {
+        const price = (await systemFindByPk(Price, lineItem.price_id, {
           include: [{ model: Product, as: 'product' }],
         })) as TPriceExpanded | null;
 
@@ -664,7 +668,7 @@ async function handleInvoiceCredit(invoiceId: string) {
         }
 
         const quantity = lineItem.quantity || 1;
-        const currency = await PaymentCurrency.findByPk(creditConfig.currency_id);
+        const currency = await systemFindByPk(PaymentCurrency, creditConfig.currency_id);
 
         if (!currency) {
           logger.error('Currency not found', { currencyId: creditConfig.currency_id, invoiceId });
@@ -726,7 +730,7 @@ async function handleInvoiceCredit(invoiceId: string) {
       return;
     }
 
-    const existingGrants = await CreditGrant.findAll({
+    const existingGrants = await systemFindAll(CreditGrant, {
       where: {
         customer_id: invoice.customer.id,
         metadata: {
@@ -972,7 +976,7 @@ events.on('invoice.paid', async (invoice: Invoice) => {
   try {
     await addInvoiceCreditJob(invoice.id);
     if (invoice.subscription_id) {
-      const subscription = await Subscription.findByPk(invoice.subscription_id);
+      const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
       if (subscription) {
         const jobs = await activateAfterFirstPaymentSchedules(subscription, invoice.status_transitions?.paid_at);
         await Promise.all(jobs.map((job) => addScheduledCreditJob(job.jobId, job.job, job.runAt, true)));
@@ -989,11 +993,12 @@ events.on('invoice.paid', async (invoice: Invoice) => {
 events.on('customer.credit_grant.created', async (data: { id: string }) => {
   try {
     // Fetch instance since event emits dataValues (plain object)
-    const creditGrant = await CreditGrant.findByPk(data.id);
+    const creditGrant = await systemFindByPk(CreditGrant, data.id);
     if (!creditGrant) {
       logger.error('Credit grant not found for scheduling', { creditGrantId: data.id });
       return;
     }
+    assertJobObjectTenant(creditGrant);
     await scheduleCreditGrantJobs(creditGrant);
     logger.info('Credit grant jobs scheduled', {
       creditGrantId: creditGrant.id,
@@ -1053,7 +1058,7 @@ events.on('credit-grant.queued', async (id, job, args = {}) => {
  * Used by both subscription.created and subscription.started events
  */
 async function initializeAndScheduleCreditJobs(subscriptionId: string, eventName: string): Promise<void> {
-  const sub = await Subscription.findByPk(subscriptionId);
+  const sub = await systemFindByPk(Subscription, subscriptionId);
   if (!sub) {
     logger.warn('Subscription not found for credit schedule initialization', {
       subscriptionId,
@@ -1061,6 +1066,7 @@ async function initializeAndScheduleCreditJobs(subscriptionId: string, eventName
     });
     return;
   }
+  assertJobObjectTenant(sub);
 
   // initializeCreditSchedule only works for active/trialing subscriptions
   // and skips if already initialized
@@ -1147,10 +1153,11 @@ events.on('customer.subscription.trial_start', async (subscription: Subscription
  */
 events.on('customer.subscription.deleted', async (subscription: Subscription) => {
   try {
-    const sub = await Subscription.findByPk(subscription.id);
+    const sub = await systemFindByPk(Subscription, subscription.id);
     if (!sub) {
       return;
     }
+    assertJobObjectTenant(sub);
 
     const jobIds = await stopCreditSchedule(sub);
 

package/api/src/queues/credit-reconciliation.ts

@@ -7,10 +7,11 @@
 
 import { BN } from '@ocap/util';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { getAccountState, getCustomerTokenBalance } from '../integrations/arcblock/token';
 import { CreditGrant, CreditTransaction, Customer, PaymentCurrency } from '../store/models';
 import { events } from '../libs/event';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 type ReconciliationJob = {
   customerId: string;
@@ -39,7 +40,7 @@ type BalanceInfo = {
  */
 async function getBalanceInfo(customerId: string, currencyId: string): Promise<BalanceInfo> {
   // Get all granted credit grants that have been minted on-chain
-  const grants = await CreditGrant.findAll({
+  const grants = await systemFindAll(CreditGrant, {
     where: {
       customer_id: customerId,
       currency_id: currencyId,
@@ -53,7 +54,7 @@ async function getBalanceInfo(customerId: string, currencyId: string): Promise<B
     .toString();
 
   // Get pending transfers (consumed but token not yet transferred on-chain)
-  const pendingTransactions = await CreditTransaction.findAll({
+  const pendingTransactions = await systemFindAll(CreditTransaction, {
     where: {
       customer_id: customerId,
       transfer_status: 'pending',
@@ -98,13 +99,14 @@ async function handleReconciliation(job: ReconciliationJob) {
   });
 
   try {
-    const currency = await PaymentCurrency.findByPk(currencyId);
+    const currency = await systemFindByPk(PaymentCurrency, currencyId);
     if (!currency || !currency.isOnChainCredit()) {
       logger.warn('Currency not found or not on-chain credit', { currencyId });
       return;
     }
 
-    const customer = await Customer.findByPk(customerId);
+    const customer = await systemFindByPk(Customer, customerId);
+    assertJobObjectTenant(customer);
     if (!customer?.did) {
       logger.warn('Customer not found for reconciliation', { customerId });
       return;

package/api/src/queues/discount-status.ts

@@ -1,9 +1,10 @@
 import pAll from 'p-all';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { Coupon, PromotionCode } from '../store/models';
 import logger from '../libs/logger';
 import { events } from '../libs/event';
 import { validCoupon, validPromotionCode } from '../libs/discount/coupon';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 export type DiscountType = 'coupon' | 'promotion-code';
 
@@ -30,10 +31,11 @@ export async function processDiscountStatus(job: DiscountStatusJobData) {
  * Process coupon status check
  */
 async function processCouponStatus(couponId: string) {
-  const coupon = await Coupon.findByPk(couponId);
+  const coupon = await systemFindByPk(Coupon, couponId);
   if (!coupon) {
     return;
   }
+  assertJobObjectTenant(coupon);
 
   // Skip if already invalid
   if (!coupon.valid) {
@@ -54,7 +56,7 @@ async function processCouponStatus(couponId: string) {
       max_redemptions: coupon.max_redemptions,
       times_redeemed: coupon.times_redeemed,
     });
-    const promotionCodes = await PromotionCode.findAll({ where: { coupon_id: couponId, active: true } });
+    const promotionCodes = await systemFindAll(PromotionCode, { where: { coupon_id: couponId, active: true } });
     await pAll(
       promotionCodes.map(
         (promotionCode) => () =>
@@ -76,11 +78,12 @@ async function processCouponStatus(couponId: string) {
  * Process promotion code status check
  */
 async function processPromotionCodeStatus(promotionCodeId: string) {
-  const promotionCode = await PromotionCode.findByPk(promotionCodeId);
+  const promotionCode = await systemFindByPk(PromotionCode, promotionCodeId);
   if (!promotionCode) {
     logger.warn('Promotion code not found for status check', { promotionCodeId });
     return;
   }
+  assertJobObjectTenant(promotionCode);
 
   // Skip if already inactive
   if (!promotionCode.active) {
@@ -146,8 +149,8 @@ export const discountStatusQueue = createQueue<DiscountStatusJobData>({
 export const startDiscountStatusQueue = async () => {
   logger.info('Starting discount status queue...');
 
-  const coupons = await Coupon.findAll({ where: { valid: true } });
-  const promotionCodes = await PromotionCode.findAll({ where: { active: true } });
+  const coupons = await systemFindAll(Coupon, { where: { valid: true } });
+  const promotionCodes = await systemFindAll(PromotionCode, { where: { active: true } });
   await pAll(
     coupons.map(
       (coupon) => () =>

package/api/src/queues/event.ts

@@ -1,8 +1,12 @@
 import { Op } from 'sequelize';
+import { isCfWorker } from '../libs/env';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
+import { withTenant } from '../libs/context';
 import { events } from '../libs/event';
 import logger from '../libs/logger';
 import createQueue from '../libs/queue';
+import { resolveRowTenant } from '../libs/tenant';
 import { Event } from '../store/models/event';
 import { WebhookAttempt } from '../store/models/webhook-attempt';
 import { WebhookEndpoint } from '../store/models/webhook-endpoint';
@@ -15,7 +19,7 @@ type EventJob = {
 export const handleEvent = async (job: EventJob) => {
   logger.info('Starting to handle event', job);
 
-  const event = await Event.findByPk(job.eventId);
+  const event = await systemFindByPk(Event, job.eventId);
   if (!event) {
     logger.warn('Event not found', job);
     return;
@@ -26,7 +30,12 @@ export const handleEvent = async (job: EventJob) => {
     return;
   }
 
-  const webhooks = await WebhookEndpoint.findAll({ where: { status: 'enabled', livemode: event.livemode } });
+  // Phase 4 (W1-3): fanout only to endpoints of the event's own tenant.
+  // resolveRowTenant fails closed for NULL-tenant events in multi mode.
+  const eventTenant = resolveRowTenant(event);
+  const webhooks = await systemFindAll(WebhookEndpoint, {
+    where: { status: 'enabled', livemode: event.livemode, instance_did: eventTenant },
+  });
   const eventWebhooks = webhooks.filter((webhook) => webhook.enabled_events.includes(event.type));
   if (eventWebhooks.length === 0) {
     logger.info('no webhook endpoint for event', job);
@@ -75,22 +84,43 @@ export const eventQueue = createQueue<EventJob>({
 });
 
 export const startEventQueue = async () => {
-  const docs = await Event.findAll({
+  // Cross-tenant recovery scan: fetch instance_did too so the recovered push
+  // carries its tenant. In multi mode startup runs with NO tenant context, so a
+  // push without instance_did would hit injectJobTenant -> getInstanceDid ->
+  // TENANT_CONTEXT_MISSING (a FATAL unhandledRejection from the async forEach
+  // below). The handler re-derives the tenant from the row, but the PUSH itself
+  // must already be tenant-stamped to survive multi mode.
+  const docs = await systemFindAll(Event, {
     where: {
       pending_webhooks: { [Op.gt]: 0 },
     },
-    attributes: ['id'],
+    attributes: ['id', 'instance_did'],
   });
 
   logger.info(`Found ${docs.length} events with pending webhooks`);
 
-  docs.forEach(async (x) => {
-    const exist = await eventQueue.get(x.id);
-    if (!exist) {
-      logger.info(`Pushing event ${x.id} to queue`);
-      eventQueue.push({ id: x.id, job: { eventId: x.id }, persist: false });
+  // Sequential + per-doc try/catch: one bad row must never crash startup
+  // recovery (await in the original forEach left rejections unhandled). The
+  // push runs inside withTenant(event.instance_did) so injectJobTenant stamps
+  // the correct tenant — in multi mode there is no ambient context at startup.
+  for (const x of docs) {
+    if (!x.instance_did) {
+      logger.warn('skip pending-webhook event with no tenant', { id: x.id });
+    } else {
+      try {
+        // eslint-disable-next-line no-await-in-loop -- bounded startup recovery
+        await withTenant(x.instance_did, async () => {
+          const exist = await eventQueue.get(x.id);
+          if (!exist) {
+            logger.info(`Pushing event ${x.id} to queue`);
+            eventQueue.push({ id: x.id, job: { eventId: x.id }, persist: false });
+          }
+        });
+      } catch (error) {
+        logger.error('failed to recover pending-webhook event', { id: x.id, error });
+      }
     }
-  });
+  }
 
   logger.info('Finished starting event queue');
 };
@@ -100,7 +130,7 @@ eventQueue.on('failed', ({ id, job, error }) => {
 });
 
 events.on('event.created', async (event) => {
-  if ((globalThis as any).__CF_ENV__) {
+  if (isCfWorker()) {
     // CF Workers: execute inline to save 2 CF Queue ops per event.
     // eventQueue only dispatches webhooks — lightweight DB lookup + webhookQueue.push.
     // Webhook delivery still goes through webhookQueue with full retry guarantees.