payment-kit 1.29.1 → 1.29.3

package/api/src/queues/exchange-rate-health.ts

@@ -11,6 +11,9 @@ const REPRESENTATIVE_TOKENS = ['ABT', 'ETH'];
 interface HealthCheckJob {
   type: 'health_check';
   timestamp: number;
+  /** D6: the tenant this check belongs to — carried in the payload so the
+   *  re-schedule survives outside any ALS context (multi mode). */
+  instance_did?: string;
 }
 
 interface HealthCheckResult {
@@ -201,43 +204,59 @@ export const exchangeRateHealthQueue = createQueue<HealthCheckJob>({
 // Schedule health checks every 6 hours
 const HEALTH_CHECK_INTERVAL = 6 * 60 * 60; // 6 hours in seconds
 
+// D6: every scheduled health-check job carries its tenant in the PAYLOAD so the
+// re-schedule (on 'finished') preserves it WITHOUT relying on the ALS context —
+// the 'finished' listener fires outside any withTenant() scope. In multi mode a
+// tenant-less push would throw TENANT_CONTEXT_MISSING; here `instance_did` is set
+// on the job, so injectJobTenant honors it instead of reading the (absent) ALS.
+let scheduleListenerBound = false;
+
+function scheduleNextHealthCheck(instanceDid?: string): void {
+  const now = Math.floor(Date.now() / 1000);
+  const nextRun = now + HEALTH_CHECK_INTERVAL;
+
+  exchangeRateHealthQueue.push({
+    job: {
+      type: 'health_check',
+      timestamp: Date.now(),
+      // carry the tenant in the payload (multi mode has no ALS context here)
+      ...(instanceDid ? { instance_did: instanceDid } : {}),
+    } as HealthCheckJob,
+    runAt: nextRun,
+    persist: true,
+  });
+
+  logger.info('Scheduled next exchange rate health check', {
+    nextRunAt: new Date(nextRun * 1000).toISOString(),
+    intervalHours: HEALTH_CHECK_INTERVAL / 3600,
+    instanceDid,
+  });
+}
+
 /**
- * Initialize and schedule periodic health checks
+ * Schedule periodic health checks for a tenant. The initial push AND every
+ * re-schedule carry `instance_did` in the job payload, so the cancel-then-replay
+ * recovery (D2) and the post-restart redispatch stay under the correct tenant.
  */
-export function scheduleHealthChecks(): void {
-  const scheduleNext = () => {
-    const now = Math.floor(Date.now() / 1000);
-    const nextRun = now + HEALTH_CHECK_INTERVAL;
-
-    exchangeRateHealthQueue.push({
-      job: {
-        type: 'health_check',
-        timestamp: Date.now(),
-      },
-      runAt: nextRun,
-      persist: true,
+export function scheduleHealthChecks(instanceDid?: string): void {
+  scheduleNextHealthCheck(instanceDid);
+
+  // bind the re-schedule listener ONCE (idempotent across bootstrapTenant calls);
+  // it reads the finished job's own instance_did to re-schedule under that tenant.
+  if (!scheduleListenerBound) {
+    scheduleListenerBound = true;
+    exchangeRateHealthQueue.on('finished', (data: { job?: HealthCheckJob }) => {
+      scheduleNextHealthCheck(data?.job?.instance_did);
     });
-
-    logger.info('Scheduled next exchange rate health check', {
-      nextRunAt: new Date(nextRun * 1000).toISOString(),
-      intervalHours: HEALTH_CHECK_INTERVAL / 3600,
-    });
-  };
-
-  // Schedule initial check
-  scheduleNext();
-
-  // Listen for completed checks and schedule next one
-  exchangeRateHealthQueue.on('finished', () => {
-    scheduleNext();
-  });
+  }
 
   logger.info('Exchange rate health check scheduling initialized', {
     intervalHours: HEALTH_CHECK_INTERVAL / 3600,
+    instanceDid,
   });
 }
 
-// Export for explicit initialization in index.ts
-export function startExchangeRateHealthQueue(): void {
-  scheduleHealthChecks();
+// Export for explicit initialization (single mode / per-tenant bootstrap).
+export function startExchangeRateHealthQueue(instanceDid?: string): void {
+  scheduleHealthChecks(instanceDid);
 }

package/api/src/queues/invoice.ts

@@ -1,10 +1,11 @@
 import { Op } from 'sequelize';
+import { systemFindAll, systemFindByPk } from '../store/scoped';
 
 import { getInvoiceShouldPayTotal, handleOverdraftProtectionInvoiceAfterPayment } from '../libs/invoice';
-import { createEvent } from '../libs/audit';
+import { createEvent, reportAuditFailure } from '../libs/audit';
 import dayjs from '../libs/dayjs';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { PaymentMethod, Invoice, InvoiceItem } from '../store/models';
 import { CheckoutSession } from '../store/models/checkout-session';
 import { PaymentIntent } from '../store/models/payment-intent';
@@ -29,11 +30,12 @@ type InvoiceJob = {
 export const handleInvoice = async (job: InvoiceJob) => {
   logger.info('handle invoice', job);
 
-  const invoice = await Invoice.findByPk(job.invoiceId);
+  const invoice = await systemFindByPk(Invoice, job.invoiceId);
   if (!invoice) {
     logger.warn('invoice not found', { invoiceId: job.invoiceId });
     return;
   }
+  assertJobObjectTenant(invoice);
   if (invoice.status !== 'open') {
     logger.warn('invoice not open', { invoiceId: job.invoiceId });
     return;
@@ -63,7 +65,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
     logger.info('Invoice updated to paid status', { invoiceId: invoice.id });
 
     if (invoice.subscription_id) {
-      const subscription = await Subscription.findByPk(invoice.subscription_id);
+      const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
       if (subscription) {
         if (subscription.status === 'incomplete') {
           await subscription.start();
@@ -78,17 +80,17 @@ export const handleInvoice = async (job: InvoiceJob) => {
           }
         } else {
           if (invoice.billing_reason === 'subscription_cycle') {
-            createEvent('Subscription', 'customer.subscription.renewed', subscription).catch(console.error);
+            createEvent('Subscription', 'customer.subscription.renewed', subscription).catch(reportAuditFailure);
           }
           if (invoice.billing_reason === 'subscription_update') {
-            createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(console.error);
+            createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(reportAuditFailure);
           }
         }
       }
     }
 
     if (invoice.checkout_session_id) {
-      const checkoutSession = await CheckoutSession.findByPk(invoice.checkout_session_id);
+      const checkoutSession = await systemFindByPk(CheckoutSession, invoice.checkout_session_id);
       if (checkoutSession && checkoutSession.status === 'open') {
         await checkoutSession.update({ status: 'complete', payment_status: 'no_payment_required' });
         logger.info('invoice checkout session updated', { invoice: invoice.id, checkoutSession: checkoutSession.id });
@@ -96,7 +98,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
     }
 
     if (invoice.payment_intent_id) {
-      const paymentIntent = await PaymentIntent.findByPk(invoice.payment_intent_id);
+      const paymentIntent = await systemFindByPk(PaymentIntent, invoice.payment_intent_id);
       if (
         paymentIntent &&
         ['requires_action', 'requires_capture', 'requires_payment_method'].includes(paymentIntent.status)
@@ -119,7 +121,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
       invoiceId: job.invoiceId,
       paymentIntent: invoice.payment_intent_id,
     });
-    paymentIntent = await PaymentIntent.findByPk(invoice.payment_intent_id);
+    paymentIntent = await systemFindByPk(PaymentIntent, invoice.payment_intent_id);
     if (paymentIntent && paymentIntent.isImmutable() === false) {
       await paymentIntent.update({ status: 'requires_capture', customer_id: invoice.customer_id });
       logger.info('PaymentIntent updated for invoice', {
@@ -166,7 +168,7 @@ export const handleInvoice = async (job: InvoiceJob) => {
     });
 
     if (invoice.checkout_session_id) {
-      const checkoutSession = await CheckoutSession.findByPk(invoice.checkout_session_id);
+      const checkoutSession = await systemFindByPk(CheckoutSession, invoice.checkout_session_id);
       if (checkoutSession && checkoutSession.status === 'open') {
         await checkoutSession.update({ payment_intent_id: paymentIntent.id });
         logger.info('PaymentIntent attached to invoice checkout session', {
@@ -212,14 +214,14 @@ export const invoiceQueue = createQueue<InvoiceJob>({
 });
 
 export const startInvoiceQueue = async () => {
-  const lock = getLock('startInvoiceQueue');
+  const lock = getLock('startInvoiceQueue', { scope: 'global' });
   if (lock.locked) {
     return;
   }
 
   try {
     await lock.acquire();
-    const invoices = await Invoice.findAll({
+    const invoices = await systemFindAll(Invoice, {
       where: {
         status: 'open',
         collection_method: 'charge_automatically',
@@ -259,11 +261,12 @@ invoiceQueue.on('failed', ({ id, job, error }) => {
 });
 
 events.on('invoice.paid', async ({ id: invoiceId }) => {
-  const invoice = await Invoice.findByPk(invoiceId);
+  const invoice = await systemFindByPk(Invoice, invoiceId);
   if (!invoice) {
     logger.error('Invoice not found for paid event', { invoiceId });
     return;
   }
+  assertJobObjectTenant(invoice);
   logger.info('Processing paid invoice', { invoiceId, billingReason: invoice.billing_reason });
 
   const checkBillingReason = ['subscription_cycle', 'subscription_cancel'];
@@ -286,7 +289,7 @@ events.on('invoice.paid', async ({ id: invoiceId }) => {
 // Separate listener to mark quotes as paid - independent of other invoice.paid handlers
 events.on('invoice.paid', async ({ id: invoiceId }) => {
   try {
-    const invoiceItems = await InvoiceItem.findAll({
+    const invoiceItems = await systemFindAll(InvoiceItem, {
       where: { invoice_id: invoiceId },
     });
 
@@ -304,7 +307,7 @@ events.on('invoice.paid', async ({ id: invoiceId }) => {
     await Promise.all(
       quoteIds.map(async (quoteId) => {
         try {
-          const quote = await PriceQuote.findByPk(quoteId);
+          const quote = await systemFindByPk(PriceQuote, quoteId);
           if (quote && quote.status !== 'paid') {
             await quote.update({ invoice_id: invoiceId });
             await quoteService.markAsPaid(quoteId);

package/api/src/queues/notification.ts

@@ -1,5 +1,6 @@
 import { Op } from 'sequelize';
 import debounce from 'lodash/debounce';
+import { systemFindByPk } from '../store/scoped';
 /* eslint-disable @typescript-eslint/indent */
 import { events } from '../libs/event';
 import logger from '../libs/logger';
@@ -62,7 +63,7 @@ import {
   SubscriptionStakeSlashSucceededEmailTemplate,
   SubscriptionStakeSlashSucceededEmailTemplateOptions,
 } from '../libs/notification/template/subscription-stake-slash-succeeded';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import {
   CheckoutSession,
   EventType,
@@ -263,7 +264,8 @@ async function getNotificationTemplate(job: NotificationQueueJob): Promise<BaseE
   }
   if (job.type === 'refund.succeeded') {
     const { refundId } = job.options as { refundId: string };
-    const refund = await Refund.findByPk(refundId);
+    const refund = await systemFindByPk(Refund, refundId);
+    if (refund) assertJobObjectTenant(refund);
     if (refund?.subscription_id) {
       return new SubscriptionRefundSucceededEmailTemplate(
         job.options as SubscriptionRefundSucceededEmailTemplateOptions
@@ -570,7 +572,8 @@ export async function startNotificationQueue() {
   // 一次性购买成功
   events.on('checkout.session.completed', async (checkoutSession: CheckoutSession) => {
     if (checkoutSession.mode === 'payment') {
-      const paymentLink = await PaymentLink.findByPk(checkoutSession.payment_link_id);
+      const paymentLink = await systemFindByPk(PaymentLink, checkoutSession.payment_link_id);
+      if (paymentLink) assertJobObjectTenant(paymentLink);
       if (paymentLink?.submit_type === 'donate') {
         addNotificationJob('customer.reward.succeeded', { checkoutSessionId: checkoutSession.id }, [
           checkoutSession.id,
@@ -583,7 +586,8 @@ export async function startNotificationQueue() {
   });
 
   events.on('customer.subscription.renewed', async (subscription: Subscription) => {
-    const customer = await Customer.findByPk(subscription.customer_id);
+    const customer = await systemFindByPk(Customer, subscription.customer_id);
+    if (customer) assertJobObjectTenant(customer);
     const preference = customer?.preference?.notification;
     if (!subscription.latest_invoice_id) {
       logger.warn('Missing latest_invoice_id for subscription', { subscriptionId: subscription.id });
@@ -619,7 +623,8 @@ export async function startNotificationQueue() {
   });
 
   events.on('customer.subscription.renew_failed', async (subscription: Subscription, { invoiceId }) => {
-    const invoice = await Invoice.findByPk(invoiceId || subscription.latest_invoice_id);
+    const invoice = await systemFindByPk(Invoice, invoiceId || subscription.latest_invoice_id);
+    if (invoice) assertJobObjectTenant(invoice);
 
     logger.info('events.on', 'customer.subscription.renew_failed', {
       subscriptionId: subscription.id,
@@ -731,7 +736,8 @@ export async function startNotificationQueue() {
   events.on(
     'customer.auto_recharge.failed',
     async (customer: Customer, { autoRechargeConfigId, invoiceId, paymentIntentId }) => {
-      const invoice = await Invoice.findByPk(invoiceId);
+      const invoice = await systemFindByPk(Invoice, invoiceId);
+      if (invoice) assertJobObjectTenant(invoice);
       logger.info('addNotificationJob:customer.auto_recharge.failed', autoRechargeConfigId);
       if (invoice && autoRechargeConfigId && invoice.metadata?.auto_recharge_failed_reason) {
         addNotificationJob(
@@ -819,7 +825,8 @@ export async function startNotificationQueue() {
 
       // Reuse customer.auto_recharge.failed notification with skipped reason
       // This ensures users are notified when auto-recharge cannot proceed
-      const customer = await Customer.findByPk(data.customer_id);
+      const customer = await systemFindByPk(Customer, data.customer_id);
+      if (customer) assertJobObjectTenant(customer);
       if (customer) {
         addNotificationJob(
           'customer.auto_recharge.failed',

package/api/src/queues/payment.ts

@@ -1,10 +1,13 @@
 import isEmpty from 'lodash/isEmpty';
-
 import { BN } from '@ocap/util';
+import { isCfWorker } from '../libs/env';
+import { systemFindAll, systemFindByPk, systemFindOne } from '../store/scoped';
+
 import { ensureStakedForGas } from '../integrations/arcblock/stake';
 import { transferErc20FromUser } from '../integrations/ethereum/token';
-import { createEvent } from '../libs/audit';
+import { createEvent, reportAuditFailure } from '../libs/audit';
 import { blocklet, wallet } from '../libs/auth';
+import { withTenant } from '../libs/context';
 import dayjs from '../libs/dayjs';
 import CustomError from '../libs/error';
 import { events } from '../libs/event';
@@ -41,7 +44,7 @@ import { notificationQueue } from './notification';
 import { ensureOverdraftProtectionInvoiceAndItems } from '../libs/invoice';
 import { AutoRechargeConfig, Lock, MeterEvent } from '../store/models';
 import { ensureOverdraftProtectionPrice } from '../libs/overdraft-protection';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import { CHARGE_SUPPORTED_CHAIN_TYPES, EVM_CHAIN_TYPES } from '../libs/constants';
 import { getCheckoutSessionSubscriptionIds, getSubscriptionCreateSetup, SlippageOptions } from '../libs/session';
 import { syncStripeSubscriptionAfterRecovery } from '../integrations/stripe/handlers/subscription';
@@ -170,11 +173,11 @@ export async function updateSubscriptionOnPaymentSuccess(
   // Trigger renewal and upgrade events
   if (triggerRenew && (!invoice || invoice.billing_reason !== 'subscription_update')) {
     if (!invoice || invoice.billing_reason === 'subscription_cycle' || paymentIntent?.capture_method === 'manual') {
-      createEvent('Subscription', 'customer.subscription.renewed', subscription).catch(console.error);
+      createEvent('Subscription', 'customer.subscription.renewed', subscription).catch(reportAuditFailure);
     }
   }
   if (invoice?.billing_reason === 'subscription_update') {
-    createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(reportAuditFailure);
   }
 }
 
@@ -232,11 +235,11 @@ export async function handlePastDueSubscriptionRecovery(
     }
 
     // Reset billing cycle
-    const subscriptionItems = await SubscriptionItem.findAll({ where: { subscription_id: subscription.id } });
+    const subscriptionItems = await systemFindAll(SubscriptionItem, { where: { subscription_id: subscription.id } });
     const lineItems = await Price.expand(subscriptionItems.map((x) => x.toJSON()));
     // Use the subscription's slippage config if available, otherwise use default 0.5%
     const slippageConfig = subscription.slippage_config;
-    const currency = await PaymentCurrency.findByPk(subscription.currency_id);
+    const currency = await systemFindByPk(PaymentCurrency, subscription.currency_id);
     const slippageOptions: SlippageOptions = {
       percent: slippageConfig?.percent ?? 0.5,
       minAcceptableRate: slippageConfig?.min_acceptable_rate,
@@ -255,7 +258,7 @@ export async function handlePastDueSubscriptionRecovery(
       cancelation_details: null,
     });
 
-    createEvent('Subscription', 'customer.subscription.recovered', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.recovered', subscription).catch(reportAuditFailure);
     const recoveryReason =
       subscription.cancelation_details?.reason === 'insufficient_credit' ? 'credit replenished' : 'payment done';
     logger.info(
@@ -405,20 +408,20 @@ export const handlePaymentSucceed = async (
 
   let invoice;
   if (paymentIntent.invoice_id) {
-    invoice = await Invoice.findByPk(paymentIntent.invoice_id);
+    invoice = await systemFindByPk(Invoice, paymentIntent.invoice_id);
   }
 
   // Handle checkout session when no invoice exists
   if (!invoice && !slashStake) {
-    const checkoutSession = await CheckoutSession.findOne({ where: { payment_intent_id: paymentIntent.id } });
+    const checkoutSession = await systemFindOne(CheckoutSession, { where: { payment_intent_id: paymentIntent.id } });
     if (checkoutSession) {
       if (
-        (globalThis as any).__CF_ENV__ &&
+        isCfWorker() &&
         checkoutSession.mode === 'payment' &&
         checkoutSession.invoice_creation?.enabled &&
         !checkoutSession.invoice_id
       ) {
-        const customer = await Customer.findByPk(checkoutSession.customer_id);
+        const customer = await systemFindByPk(Customer, checkoutSession.customer_id);
         if (customer) {
           try {
             const result = await ensureInvoiceForCheckout({
@@ -480,7 +483,7 @@ export const handlePaymentSucceed = async (
   }
   // Update subscription status
   if (invoice && invoice.subscription_id && !slashStake) {
-    const subscription = await Subscription.findByPk(invoice.subscription_id);
+    const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
     if (subscription) {
       await updateSubscriptionOnPaymentSuccess(paymentIntent, subscription, invoice, triggerRenew);
     }
@@ -488,7 +491,7 @@ export const handlePaymentSucceed = async (
 
   // Update checkout session
   if (invoice && invoice.checkout_session_id && !slashStake) {
-    const checkoutSession = await CheckoutSession.findByPk(invoice.checkout_session_id);
+    const checkoutSession = await systemFindByPk(CheckoutSession, invoice.checkout_session_id);
     if (checkoutSession) {
       await updateCheckoutSessionOnPaymentSuccess(paymentIntent, checkoutSession, invoice);
     }
@@ -508,7 +511,7 @@ export const doOverdraftProtection = async (
     });
     return;
   }
-  const existProtectedInvoice = await Invoice.findOne({
+  const existProtectedInvoice = await systemFindOne(Invoice, {
     where: {
       subscription_id: subscription.id,
       billing_reason: 'overdraft_protection',
@@ -593,10 +596,11 @@ export const handlePaymentFailed = async (
   if (!invoice.subscription_id) {
     return updates.retry;
   }
-  const subscription = await Subscription.findByPk(invoice.subscription_id);
+  const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
   if (!subscription) {
     return updates.retry;
   }
+  assertJobObjectTenant(subscription);
 
   const { interval } = subscription.pending_invoice_item_interval;
   updates.retry.minRetryMail = getMinRetryMail(interval);
@@ -636,7 +640,7 @@ export const handlePaymentFailed = async (
     return updates.terminate;
   }
   // check overdraft protection, if protected, no need to check due
-  const customer = await Customer.findByPk(invoice.customer_id);
+  const customer = await systemFindByPk(Customer, invoice.customer_id);
 
   const { enabled: enableOverdraftProtection, unused: unusedAmount } =
     await isSubscriptionOverdraftProtectionEnabled(subscription);
@@ -649,7 +653,9 @@ export const handlePaymentFailed = async (
     const isLock = await Lock.isLocked(lockKey);
     if (!isLock) {
       await Lock.acquire(lockKey, subscription.current_period_end);
-      createEvent('Subscription', 'subscription.overdraft_protection.exhausted', subscription).catch(console.error);
+      createEvent('Subscription', 'subscription.overdraft_protection.exhausted', subscription).catch(
+        reportAuditFailure
+      );
     }
   }
 
@@ -735,7 +741,10 @@ export const handlePaymentFailed = async (
     });
 
     if (invoice.billing_reason === 'auto_recharge' && invoice.metadata?.recharge_config?.recharge_id) {
-      const autoRechargeConfig = await AutoRechargeConfig.findByPk(invoice.metadata?.recharge_config?.recharge_id);
+      const autoRechargeConfig = await systemFindByPk(
+        AutoRechargeConfig,
+        invoice.metadata?.recharge_config?.recharge_id
+      );
       if (autoRechargeConfig && autoRechargeConfig.enabled) {
         autoRechargeConfig.update({
           enabled: false,
@@ -760,7 +769,7 @@ const handleStakeSlash = async (
   customer: Customer,
   paymentCurrency: PaymentCurrency
 ) => {
-  const subscription = await Subscription.findByPk(invoice.subscription_id);
+  const subscription = await systemFindByPk(Subscription, invoice.subscription_id);
   if (!subscription) {
     logger.warn('Stake slashing skipped because Subscription not found', {
       subscription: invoice.subscription_id,
@@ -769,6 +778,7 @@ const handleStakeSlash = async (
     });
     return;
   }
+  assertJobObjectTenant(subscription);
   if (!subscription.cancelation_details?.slash_stake || subscription.status !== 'canceled') {
     logger.warn('Stake slashing skipped because subscription not canceled or slash_stake is false', {
       subscription: invoice.subscription_id,
@@ -871,22 +881,24 @@ const handleStakeSlash = async (
 export const handlePayment = async (job: PaymentJob) => {
   logger.info('handle payment', job);
 
-  const paymentIntent = await PaymentIntent.findByPk(job.paymentIntentId);
+  const paymentIntent = await systemFindByPk(PaymentIntent, job.paymentIntentId);
   if (!paymentIntent) {
     logger.warn('PaymentIntent not found', { id: job.paymentIntentId });
     return;
   }
+  assertJobObjectTenant(paymentIntent);
 
   if (['requires_capture', 'processing'].includes(paymentIntent.status) === false) {
     logger.warn('PaymentIntent status not expected', { id: paymentIntent.id, status: paymentIntent.status });
     return;
   }
 
-  const paymentMethod = await PaymentMethod.findByPk(paymentIntent.payment_method_id);
+  const paymentMethod = await systemFindByPk(PaymentMethod, paymentIntent.payment_method_id);
   if (!paymentMethod) {
     logger.warn('PaymentMethod not found', { id: paymentIntent.payment_method_id });
     return;
   }
+  assertJobObjectTenant(paymentMethod);
 
   const supportAutoCharge = await PaymentMethod.supportAutoCharge(paymentIntent.payment_method_id);
   if (supportAutoCharge === false) {
@@ -894,26 +906,28 @@ export const handlePayment = async (job: PaymentJob) => {
     return;
   }
 
-  const paymentCurrency = await PaymentCurrency.findByPk(paymentIntent.currency_id);
+  const paymentCurrency = await systemFindByPk(PaymentCurrency, paymentIntent.currency_id);
   if (!paymentCurrency) {
     logger.warn('PaymentCurrency not found', { id: paymentIntent.currency_id });
     return;
   }
+  assertJobObjectTenant(paymentCurrency);
 
   if (paymentCurrency.isCredit()) {
     logger.info('PaymentIntent capture skipped because paymentCurrency is credit', { id: paymentIntent.id });
     return;
   }
 
-  const customer = await Customer.findByPk(paymentIntent.customer_id);
+  const customer = await systemFindByPk(Customer, paymentIntent.customer_id);
   if (!customer) {
     logger.warn('Customer not found', { id: paymentIntent.customer_id });
     return;
   }
+  assertJobObjectTenant(customer);
 
-  const invoice = await Invoice.findByPk(paymentIntent.invoice_id);
+  const invoice = await systemFindByPk(Invoice, paymentIntent.invoice_id);
   // Fetch subscription early for migration fallback support and overdraft protection check
-  const subscription = invoice?.subscription_id ? await Subscription.findByPk(invoice.subscription_id) : null;
+  const subscription = invoice?.subscription_id ? await systemFindByPk(Subscription, invoice.subscription_id) : null;
 
   if (invoice?.status === 'void') {
     await paymentIntent.update({
@@ -1359,23 +1373,36 @@ export const paymentQueue = createQueue<PaymentJob>({
 });
 
 export const startPaymentQueue = async () => {
-  const payments = await PaymentIntent.findAll({
+  const payments = await systemFindAll(PaymentIntent, {
     where: {
       status: ['requires_capture', 'processing'],
       capture_method: 'automatic',
     },
   });
 
-  payments.forEach(async (x) => {
-    const supportAutoCharge = await PaymentMethod.supportAutoCharge(x.payment_method_id);
-    if (supportAutoCharge === false) {
-      return;
-    }
-    const exist = await paymentQueue.get(x.id);
-    if (!exist) {
-      paymentQueue.push({ id: x.id, job: { paymentIntentId: x.id } });
+  // Each pending intent belongs to a tenant: the scoped supportAutoCharge query
+  // and the queue push (push stamps the job tenant via getInstanceDid) must run in
+  // that tenant's context — multi mode fails closed otherwise. for-of + await,
+  // NOT forEach(async): a fire-and-forget rejection here becomes an
+  // unhandledRejection → FATAL on boot. Per-record try/catch isolates one bad row.
+  for (const x of payments) {
+    const dispatch = async () => {
+      const supportAutoCharge = await PaymentMethod.supportAutoCharge(x.payment_method_id);
+      if (supportAutoCharge === false) {
+        return;
+      }
+      const exist = await paymentQueue.get(x.id);
+      if (!exist) {
+        paymentQueue.push({ id: x.id, job: { paymentIntentId: x.id } });
+      }
+    };
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      await (x.instance_did ? withTenant(x.instance_did, dispatch) : dispatch());
+    } catch (error) {
+      logger.error('startPaymentQueue: re-queue failed', { id: x.id, error });
     }
-  });
+  }
 };
 
 paymentQueue.on('failed', ({ id, job, error }) => {
@@ -1384,7 +1411,7 @@ paymentQueue.on('failed', ({ id, job, error }) => {
 
 // Do gas stake as soon as possible after payment succeed
 events.on('payment_intent.succeeded', async (paymentIntent: PaymentIntent) => {
-  const paymentMethod = await PaymentMethod.findByPk(paymentIntent.payment_method_id);
+  const paymentMethod = await systemFindByPk(PaymentMethod, paymentIntent.payment_method_id);
   if (paymentMethod && paymentMethod.type === 'arcblock') {
     ensureStakedForGas();
   }