npm - payment-kit - Versions diffs - 1.29.1 → 1.29.3 - Mend

payment-kit 1.29.1 → 1.29.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (343) hide show

package/api/dev.ts +41 -2
package/api/hono.d.ts +42 -0
package/api/node-sqlite.d.ts +12 -0
package/api/src/bootstrap.ts +47 -0
package/api/src/crons/base.ts +3 -3
package/api/src/crons/currency.ts +1 -1
package/api/src/crons/index.ts +41 -37
package/api/src/crons/metering-subscription-detection.ts +1 -1
package/api/src/crons/overdue-detection.ts +2 -2
package/api/src/crons/retry-pending-events.ts +6 -0
package/api/src/crons/tenant-fanout.ts +82 -0
package/api/src/host-node/did-connect-runtime-node.ts +33 -0
package/api/src/host-node/serve-static-arc.ts +68 -0
package/api/src/host-node/serve-static.ts +41 -0
package/api/src/index.ts +22 -161
package/api/src/integrations/app-store/client.ts +3 -4
package/api/src/integrations/app-store/handlers/subscription.ts +7 -7
package/api/src/integrations/app-store/signed-data-verifier.ts +3 -2
package/api/src/integrations/arcblock/token.ts +21 -7
package/api/src/integrations/google-play/handlers/subscription.ts +6 -6
package/api/src/integrations/google-play/handlers/voided.ts +2 -2
package/api/src/integrations/google-play/verify.ts +3 -2
package/api/src/integrations/iap-reconcile.ts +3 -5
package/api/src/integrations/stripe/handlers/invoice.ts +2 -2
package/api/src/integrations/stripe/handlers/subscription.ts +3 -3
package/api/src/libs/archive/query.ts +19 -0
package/api/src/libs/audit.ts +61 -4
package/api/src/libs/auth.ts +247 -47
package/api/src/libs/context.ts +89 -1
package/api/src/libs/currency.ts +2 -2
package/api/src/libs/dayjs.ts +8 -2
package/api/src/libs/did-connect/runtime-did-connect-js.ts +88 -0
package/api/src/libs/did-connect/tenant-identity.ts +221 -0
package/api/src/libs/drivers/auth-storage.ts +118 -0
package/api/src/libs/drivers/cron.ts +264 -0
package/api/src/libs/drivers/db.ts +170 -0
package/api/src/libs/drivers/identity.ts +142 -0
package/api/src/libs/drivers/index.ts +40 -0
package/api/src/libs/drivers/locks.ts +226 -0
package/api/src/libs/drivers/migrate-runner.ts +70 -0
package/api/src/libs/drivers/queue.ts +104 -0
package/api/src/libs/drivers/secrets.ts +194 -0
package/api/src/libs/env.ts +170 -54
package/api/src/libs/exchange-rate/service.ts +7 -6
package/api/src/libs/http-fetch-adapter.ts +60 -0
package/api/src/libs/invoice.ts +1 -1
package/api/src/libs/lock.ts +51 -47
package/api/src/libs/logger.ts +48 -8
package/api/src/libs/notification/index.ts +1 -1
package/api/src/libs/notification/template/customer-credit-low-balance.ts +2 -1
package/api/src/libs/notification/template/customer-revenue-succeeded.ts +1 -1
package/api/src/libs/notification/template/customer-reward-succeeded.ts +1 -1
package/api/src/libs/overdraft-protection.ts +1 -1
package/api/src/libs/payout.ts +1 -1
package/api/src/libs/queue/index.ts +271 -52
package/api/src/libs/queue/runtime.ts +175 -0
package/api/src/libs/resource.ts +3 -3
package/api/src/libs/secrets.ts +38 -0
package/api/src/libs/session.ts +3 -2
package/api/src/libs/subscription.ts +5 -5
package/api/src/libs/tenant.ts +92 -0
package/api/src/libs/url.ts +3 -3
package/api/src/libs/util.ts +21 -13
package/api/src/middlewares/hono/cdn.ts +63 -0
package/api/src/middlewares/hono/context.ts +80 -0
package/api/src/middlewares/hono/csrf.ts +83 -0
package/api/src/middlewares/hono/fallback.ts +194 -0
package/api/src/middlewares/hono/pipeline.ts +73 -0
package/api/src/middlewares/hono/resource-mount.ts +42 -0
package/api/src/middlewares/hono/resource.ts +63 -0
package/api/src/middlewares/hono/security.ts +209 -0
package/api/src/middlewares/hono/session.ts +114 -0
package/api/src/middlewares/hono/xss.ts +61 -0
package/api/src/queues/auto-recharge.ts +12 -10
package/api/src/queues/checkout-session.ts +38 -21
package/api/src/queues/credit-consume.ts +40 -36
package/api/src/queues/credit-grant.ts +25 -18
package/api/src/queues/credit-reconciliation.ts +7 -5
package/api/src/queues/discount-status.ts +9 -6
package/api/src/queues/event.ts +41 -11
package/api/src/queues/exchange-rate-health.ts +49 -30
package/api/src/queues/invoice.ts +18 -15
package/api/src/queues/notification.ts +14 -7
package/api/src/queues/payment.ts +64 -37
package/api/src/queues/payout.ts +37 -21
package/api/src/queues/refund.ts +36 -18
package/api/src/queues/subscription.ts +83 -53
package/api/src/queues/token-transfer.ts +15 -10
package/api/src/queues/usage-record.ts +8 -5
package/api/src/queues/vendors/commission.ts +7 -5
package/api/src/queues/vendors/fulfillment-coordinator.ts +17 -13
package/api/src/queues/vendors/fulfillment.ts +4 -2
package/api/src/queues/vendors/return-processor.ts +5 -3
package/api/src/queues/vendors/return-scanner.ts +5 -4
package/api/src/queues/vendors/status-check.ts +10 -7
package/api/src/queues/webhook.ts +60 -32
package/api/src/routes/connect/shared.ts +1 -2
package/api/src/routes/connect/subscribe.ts +3 -3
package/api/src/routes/{archive.ts → hono/archive.ts} +69 -64
package/api/src/routes/{auto-recharge-configs.ts → hono/auto-recharge-configs.ts} +39 -28
package/api/src/routes/{checkout-sessions.ts → hono/checkout-sessions.ts} +790 -923
package/api/src/routes/{coupons.ts → hono/coupons.ts} +93 -76
package/api/src/routes/{credit-grants.ts → hono/credit-grants.ts} +140 -126
package/api/src/routes/hono/credit-tokens.ts +43 -0
package/api/src/routes/{credit-transactions.ts → hono/credit-transactions.ts} +37 -29
package/api/src/routes/{customers.ts → hono/customers.ts} +199 -224
package/api/src/routes/{donations.ts → hono/donations.ts} +41 -32
package/api/src/routes/{entitlements.ts → hono/entitlements.ts} +28 -25
package/api/src/routes/{events.ts → hono/events.ts} +107 -71
package/api/src/routes/{exchange-rate-providers.ts → hono/exchange-rate-providers.ts} +138 -126
package/api/src/routes/hono/exchange-rates.ts +77 -0
package/api/src/routes/hono/index.ts +115 -0
package/api/src/routes/{integrations → hono/integrations}/app-store.ts +68 -48
package/api/src/routes/{integrations → hono/integrations}/google-play.ts +78 -58
package/api/src/routes/hono/integrations/stripe.ts +74 -0
package/api/src/routes/{invoices.ts → hono/invoices.ts} +253 -244
package/api/src/routes/{meter-events.ts → hono/meter-events.ts} +120 -110
package/api/src/routes/hono/meters.ts +288 -0
package/api/src/routes/hono/passports.ts +73 -0
package/api/src/routes/{payment-currencies.ts → hono/payment-currencies.ts} +219 -197
package/api/src/routes/{payment-intents.ts → hono/payment-intents.ts} +136 -132
package/api/src/routes/{payment-links.ts → hono/payment-links.ts} +145 -128
package/api/src/routes/{payment-methods.ts → hono/payment-methods.ts} +125 -93
package/api/src/routes/{payment-stats.ts → hono/payment-stats.ts} +30 -25
package/api/src/routes/{payouts.ts → hono/payouts.ts} +55 -47
package/api/src/routes/{prices.ts → hono/prices.ts} +265 -242
package/api/src/routes/{pricing-table.ts → hono/pricing-table.ts} +94 -87
package/api/src/routes/{products.ts → hono/products.ts} +172 -159
package/api/src/routes/{promotion-codes.ts → hono/promotion-codes.ts} +207 -185
package/api/src/routes/hono/redirect.ts +24 -0
package/api/src/routes/{refunds.ts → hono/refunds.ts} +98 -83
package/api/src/routes/{settings.ts → hono/settings.ts} +64 -55
package/api/src/routes/{subscription-items.ts → hono/subscription-items.ts} +64 -57
package/api/src/routes/{subscriptions.ts → hono/subscriptions.ts} +475 -528
package/api/src/routes/{tax-rates.ts → hono/tax-rates.ts} +71 -70
package/api/src/routes/hono/tool.ts +69 -0
package/api/src/routes/{usage-records.ts → hono/usage-records.ts} +47 -42
package/api/src/routes/{vendor.ts → hono/vendor.ts} +315 -167
package/api/src/routes/{webhook-attempts.ts → hono/webhook-attempts.ts} +17 -13
package/api/src/routes/hono/webhook-endpoints.ts +126 -0
package/api/src/service.ts +814 -0
package/api/src/store/migrations/20230911-seeding.ts +2 -1
package/api/src/store/migrations/20260609-remove-did-space-jobs.ts +23 -0
package/api/src/store/migrations/20260610-tenant-columns.ts +40 -0
package/api/src/store/migrations/20260611-tenant-backfill.ts +33 -0
package/api/src/store/models/auto-recharge-config.ts +22 -10
package/api/src/store/models/checkout-session.ts +15 -14
package/api/src/store/models/coupon.ts +29 -20
package/api/src/store/models/credit-grant.ts +38 -29
package/api/src/store/models/credit-transaction.ts +32 -21
package/api/src/store/models/customer.ts +19 -17
package/api/src/store/models/discount.ts +11 -2
package/api/src/store/models/entitlement-grant.ts +21 -9
package/api/src/store/models/entitlement-product.ts +21 -9
package/api/src/store/models/entitlement.ts +19 -10
package/api/src/store/models/event.ts +18 -9
package/api/src/store/models/exchange-rate-provider.ts +17 -4
package/api/src/store/models/invoice-item.ts +18 -9
package/api/src/store/models/invoice.ts +16 -8
package/api/src/store/models/meter-event.ts +27 -9
package/api/src/store/models/meter.ts +31 -22
package/api/src/store/models/payment-currency.ts +25 -8
package/api/src/store/models/payment-intent.ts +15 -6
package/api/src/store/models/payment-link.ts +15 -6
package/api/src/store/models/payment-method.ts +38 -22
package/api/src/store/models/payment-stat.ts +18 -9
package/api/src/store/models/payout.ts +15 -6
package/api/src/store/models/price-quote.ts +17 -8
package/api/src/store/models/price.ts +24 -12
package/api/src/store/models/pricing-table.ts +29 -20
package/api/src/store/models/product-vendor.ts +20 -10
package/api/src/store/models/product.ts +15 -6
package/api/src/store/models/promotion-code.ts +14 -6
package/api/src/store/models/refund.ts +15 -6
package/api/src/store/models/revenue-snapshot.ts +21 -9
package/api/src/store/models/setting.ts +18 -9
package/api/src/store/models/setup-intent.ts +36 -27
package/api/src/store/models/subscription-item.ts +21 -9
package/api/src/store/models/subscription-schedule.ts +21 -9
package/api/src/store/models/subscription.ts +21 -10
package/api/src/store/models/tax-rate.ts +29 -21
package/api/src/store/models/usage-record.ts +11 -2
package/api/src/store/models/webhook-attempt.ts +18 -9
package/api/src/store/models/webhook-endpoint.ts +18 -9
package/api/src/store/scoped-core.ts +55 -0
package/api/src/store/scoped.ts +247 -0
package/api/src/store/sequelize.ts +82 -23
package/api/src/store/sql-migrations.ts +20 -0
package/api/src/store/tenant-backfill.ts +260 -0
package/api/src/store/tenant-model.ts +124 -0
package/api/src/store/tenant-tables.ts +50 -0
package/api/tests/bootstrap/bootstrap.spec.ts +162 -0
package/api/tests/crons/tenant-fanout.spec.ts +158 -0
package/api/tests/embedded/embedded-multi-mode-d3.spec.ts +257 -0
package/api/tests/fixtures/bare-query-violation.ts +13 -0
package/api/tests/fixtures/core-env-violation.ts +10 -0
package/api/tests/fixtures/host-read-violation.ts +19 -0
package/api/tests/fixtures/tenants.ts +4 -0
package/api/tests/integrations/iap-tenant.spec.ts +284 -0
package/api/tests/libs/archive-query.spec.ts +26 -0
package/api/tests/libs/audit-tenant.spec.ts +153 -0
package/api/tests/libs/context.spec.ts +204 -0
package/api/tests/libs/core-config.spec.ts +115 -0
package/api/tests/libs/cron-driver-d2.spec.ts +237 -0
package/api/tests/libs/crons-conservation-d2.spec.ts +52 -0
package/api/tests/libs/did-connect-runtime-js.spec.ts +98 -0
package/api/tests/libs/did-connect-tenant-identity.spec.ts +159 -0
package/api/tests/libs/lock-tenant.spec.ts +66 -0
package/api/tests/libs/scoped.spec.ts +222 -0
package/api/tests/libs/secrets-facade.spec.ts +52 -0
package/api/tests/libs/service-host.spec.ts +37 -0
package/api/tests/libs/tenancy-slot-authority.spec.ts +209 -0
package/api/tests/libs/tenant-middleware.spec.ts +42 -0
package/api/tests/libs/tenant-scanner.spec.ts +120 -0
package/api/tests/middlewares/hono/cdn.spec.ts +70 -0
package/api/tests/middlewares/hono/context.spec.ts +113 -0
package/api/tests/middlewares/hono/csrf.spec.ts +136 -0
package/api/tests/middlewares/hono/fallback.spec.ts +67 -0
package/api/tests/middlewares/hono/pipeline.spec.ts +47 -0
package/api/tests/middlewares/hono/security.spec.ts +181 -0
package/api/tests/middlewares/hono/session.spec.ts +42 -0
package/api/tests/middlewares/hono/xss.spec.ts +81 -0
package/api/tests/models/tenant-backfill.spec.ts +287 -0
package/api/tests/models/tenant-columns-model.spec.ts +46 -0
package/api/tests/models/tenant-columns.spec.ts +161 -0
package/api/tests/queues/credit-consume-batch.spec.ts +8 -1
package/api/tests/queues/credit-consume.spec.ts +8 -1
package/api/tests/queues/event-tenant.spec.ts +292 -0
package/api/tests/queues/exchange-rate-health-tenant-d6.spec.ts +62 -0
package/api/tests/queues/queue-parity.spec.ts +249 -0
package/api/tests/queues/queue-runtime-surface.spec.ts +277 -0
package/api/tests/queues/queue-teardown-d2.spec.ts +127 -0
package/api/tests/queues/tenant-matrix-a.spec.ts +245 -0
package/api/tests/queues/tenant-matrix-b.spec.ts +168 -0
package/api/tests/routes/connect/hono-attach.spec.ts +107 -0
package/api/tests/service/collapse.spec.ts +96 -0
package/api/tests/service/didconnect-storage-slot.spec.ts +60 -0
package/api/tests/service/fail-closed-http.spec.ts +79 -0
package/api/tests/service/static-arc-handler.spec.ts +101 -0
package/api/tests/service/static-externalized.spec.ts +48 -0
package/api/tests/store/tenant-crosscut.spec.ts +202 -0
package/api/tests/store/tenant-model-spike.spec.ts +177 -0
package/api/tests/store/tenant-model.spec.ts +162 -0
package/api/tests/store/tenant-residual.spec.ts +196 -0
package/api/third.d.ts +4 -0
package/blocklet.yml +1 -1
package/cloudflare/MIGRATION-RUNBOOK.md +3 -8
package/cloudflare/README.md +34 -27
package/cloudflare/STAGING-MIGRATION-GUIDE.md +3 -15
package/cloudflare/build.ts +33 -13
package/cloudflare/cf-adapter.ts +419 -0
package/cloudflare/did-connect-runtime.ts +96 -0
package/cloudflare/did-connect-token-storage.ts +151 -0
package/cloudflare/esbuild-cf-config.cjs +407 -0
package/cloudflare/migrations/0006_tenant_columns.sql +46 -0
package/cloudflare/migrations/0007_tenant_backfill_indexes.sql +65 -0
package/cloudflare/migrations/0008_schema_parity.sql +16 -0
package/cloudflare/migrations/0009_remove_did_space_jobs.sql +5 -0
package/cloudflare/queue-runtime-mode.ts +13 -0
package/cloudflare/run-build.js +33 -403
package/cloudflare/scripts/cf-package-import-probe.mjs +90 -0
package/cloudflare/scripts/didconnect-mock-smoke.mjs +140 -0
package/cloudflare/shims/blocklet-sdk/asset-host-transformer.ts +20 -0
package/cloudflare/shims/blocklet-sdk/config.ts +8 -1
package/cloudflare/shims/blocklet-sdk/login.ts +12 -0
package/cloudflare/shims/blocklet-sdk/service-api.ts +14 -0
package/cloudflare/shims/blocklet-sdk/session.ts +4 -2
package/cloudflare/shims/blocklet-sdk/util-constants.ts +8 -0
package/cloudflare/shims/blocklet-sdk/wallet-authenticator.ts +16 -1
package/cloudflare/shims/blocklet-sdk/wallet-handler.ts +18 -3
package/cloudflare/shims/cron.ts +38 -158
package/cloudflare/shims/events.ts +124 -0
package/cloudflare/shims/fastq.ts +15 -1
package/cloudflare/shims/nedb-storage.ts +16 -8
package/cloudflare/shims/xss.ts +8 -0
package/cloudflare/tenant-middleware.ts +36 -0
package/cloudflare/tests/cf-adapter.spec.ts +244 -0
package/cloudflare/tests/did-connect-token-storage.spec.ts +105 -0
package/cloudflare/tests/tenant-middleware.spec.ts +160 -0
package/cloudflare/tests/worker-handler-gate.spec.ts +69 -0
package/cloudflare/vite.config.ts +53 -45
package/cloudflare/worker.ts +261 -448
package/cloudflare/wrangler.json +0 -6
package/cloudflare/wrangler.jsonc +0 -6
package/cloudflare/wrangler.local-e2e.jsonc +25 -0
package/cloudflare/wrangler.staging.json +0 -6
package/jest.config.js +3 -1
package/package.json +33 -38
package/scripts/bootstrap-inject.ts +166 -0
package/scripts/core-env-whitelist.json +1 -0
package/scripts/e2e-12b-runtime.ts +149 -0
package/scripts/e2e-core-config.ts +125 -0
package/scripts/e2e-d1-tenancy.ts +116 -0
package/scripts/e2e-d2-cron-queue.ts +139 -0
package/scripts/e2e-d3-embedded-multi.ts +171 -0
package/scripts/e2e-hono-s2.ts +125 -0
package/scripts/e2e-hono-s3e.ts +135 -0
package/scripts/e2e-hono-s4.ts +114 -0
package/scripts/e2e-migration-contract.ts +100 -0
package/scripts/e2e-s0.ts +61 -0
package/scripts/e2e-s1.ts +107 -0
package/scripts/e2e-s2.ts +178 -0
package/scripts/e2e-s3.ts +110 -0
package/scripts/e2e-s4.ts +191 -0
package/scripts/e2e-s5.ts +139 -0
package/scripts/e2e-s6.ts +127 -0
package/scripts/e2e-tenant-model.ts +119 -0
package/scripts/e2e-tenant-worker.ts +199 -0
package/scripts/gen-sql-migrations.js +46 -0
package/scripts/phase8-codemod.js +219 -0
package/scripts/phase9a-env-getters-codemod.js +82 -0
package/scripts/scan-core-env.js +109 -0
package/scripts/scan-tenant-queries.js +235 -0
package/scripts/schema-drift-guard.ts +210 -0
package/scripts/tenant-scan-whitelist.json +1 -0
package/src/app.tsx +2 -1
package/src/env.d.ts +13 -1
package/src/libs/service-host.ts +13 -0
package/tsconfig.json +1 -1
package/vite.arc.config.ts +159 -0
package/api/src/libs/did-space.ts +0 -235
package/api/src/libs/middleware.ts +0 -50
package/api/src/libs/security.ts +0 -192
package/api/src/queues/space.ts +0 -662
package/api/src/routes/credit-tokens.ts +0 -38
package/api/src/routes/exchange-rates.ts +0 -87
package/api/src/routes/index.ts +0 -142
package/api/src/routes/integrations/stripe.ts +0 -61
package/api/src/routes/meters.ts +0 -274
package/api/src/routes/passports.ts +0 -68
package/api/src/routes/redirect.ts +0 -20
package/api/src/routes/tool.ts +0 -65
package/api/src/routes/webhook-endpoints.ts +0 -126
package/api/tests/routes/credit-grants.spec.ts +0 -1261
package/cloudflare/did-connect-auth.ts +0 -527
package/cloudflare/shims/did-space-js.ts +0 -17
package/cloudflare/shims/did-space.ts +0 -11
package/cloudflare/shims/express-compat/index.ts +0 -80
package/cloudflare/shims/express-compat/types.ts +0 -41
package/cloudflare/shims/lock.ts +0 -115
package/cloudflare/shims/queue.ts +0 -611
package/cloudflare/tests/shims/queue-delayed-persist.spec.ts +0 -87
package/cloudflare/tests/shims/queue-scheduled.spec.ts +0 -186

package/api/src/index.ts CHANGED Viewed

@@ -1,168 +1,29 @@
-import 'express-async-errors';
-import path from 'path';
-import { fallback } from '@blocklet/sdk/lib/middlewares/fallback';
-import cookieParser from 'cookie-parser';
-import cors from 'cors';
+// Blocklet server shell — Phase 7 (W2-0); express→hono Phase 4.
+//
+// Service assembly lives in ./bootstrap (shared with the dev shell ../dev.ts).
+// This file is the PRODUCTION entry (api/dist/index.js): build the service and
+// LISTEN the hono app via @hono/node-server `serve({ fetch })`, then start
+// background services in the listen callback. Other hosts import
+// @arcblock/payment-service and own listen/lifecycle themselves.
+//
+// Phase 4: the loopback bridge + express app shell are gone — the hono app
+// (service.fetch) serves every route natively (resource domains + DID-Connect +
+// production static/SPA fallback). The dev client + HMR are served by ../dev.ts
+// (a connect shell), never by this production entry.
 import dotenv from 'dotenv-flow';
-import express, { ErrorRequestHandler } from 'express';
-// eslint-disable-next-line import/no-extraneous-dependencies
-import { CustomError, formatError, getStatusFromError } from '@blocklet/error';
-import { csrf } from '@blocklet/sdk/lib/middlewares';
-import { cdn } from '@blocklet/sdk/lib/middlewares/cdn';
-import { xss } from '@blocklet/xss';
-import { syncCurrencyLogo } from './crons/currency';
-import crons from './crons/index';
-import { ensureStakedForGas } from './integrations/arcblock/stake';
-import { initResourceHandler } from './integrations/blocklet/resource';
-import { initUserHandler } from './integrations/blocklet/user';
-import { ensureWebhookRegistered } from './integrations/stripe/setup';
-import { handlers } from './libs/auth';
-import logger, { setupAccessLogger } from './libs/logger';
-import { contextMiddleware, ensureI18n } from './libs/middleware';
-import { ensureCreateOverdraftProtectionPrices } from './libs/overdraft-protection';
-import { initEventBroadcast } from './libs/ws';
-import { startCheckoutSessionQueue } from './queues/checkout-session';
-import { startCreditConsumeQueue } from './queues/credit-consume';
-import { startCreditGrantQueue } from './queues/credit-grant';
-import { startReconciliationQueue } from './queues/credit-reconciliation';
-import { startDiscountStatusQueue } from './queues/discount-status';
-import { startEventQueue } from './queues/event';
-import { startExchangeRateHealthQueue } from './queues/exchange-rate-health';
-import { startInvoiceQueue } from './queues/invoice';
-import { startNotificationQueue } from './queues/notification';
-import { startPaymentQueue } from './queues/payment';
-import { startPayoutQueue } from './queues/payout';
-import { startRefundQueue } from './queues/refund';
-import { startUploadBillingInfoListener } from './queues/space';
-import { startSubscriptionQueue } from './queues/subscription';
-import { startTokenTransferQueue } from './queues/token-transfer';
-import { startVendorCommissionQueue } from './queues/vendors/commission';
-import { startVendorFulfillmentQueue } from './queues/vendors/fulfillment';
-import { startCoordinatedFulfillmentQueue } from './queues/vendors/fulfillment-coordinator';
-import routes from './routes';
-import autoRechargeAuthorizationHandlers from './routes/connect/auto-recharge-auth';
-import changePaymentHandlers from './routes/connect/change-payment';
-import changePlanHandlers from './routes/connect/change-plan';
-import collectHandlers from './routes/connect/collect';
-import collectBatchHandlers from './routes/connect/collect-batch';
-import delegationHandlers from './routes/connect/delegation';
-import overdraftProtectionHandlers from './routes/connect/overdraft-protection';
-import payHandlers from './routes/connect/pay';
-import reStakeHandlers from './routes/connect/re-stake';
-import rechargeHandlers from './routes/connect/recharge';
-import rechargeAccountHandlers from './routes/connect/recharge-account';
-import setupHandlers from './routes/connect/setup';
-import subscribeHandlers from './routes/connect/subscribe';
-import changePayerHandlers from './routes/connect/change-payer';
-import { initialize } from './store/models';
-import { sequelize } from './store/sequelize';
+import { serve } from '@hono/node-server';
 dotenv.config();
-initialize(sequelize);
-export const app = express();
-setupAccessLogger(app);
-app.set('trust proxy', true);
-app.use(cookieParser());
-app.use((req, res, next) => {
-  if (req.originalUrl.startsWith('/api/integrations/stripe/webhook')) {
-    next();
-  } else {
-    express.json({ limit: '1 mb' })(req, res, next);
-  }
-});
-app.use(express.urlencoded({ extended: true, limit: '1 mb' }));
-app.use(cors());
-app.use(xss({ allowedKeys: [] }));
-app.use(csrf());
-app.use(ensureI18n());
-app.use(cdn());
-const router = express.Router();
-handlers.attach(Object.assign({ app: router }, collectHandlers));
-handlers.attach(Object.assign({ app: router }, collectBatchHandlers));
-handlers.attach(Object.assign({ app: router }, payHandlers));
-handlers.attach(Object.assign({ app: router }, setupHandlers));
-handlers.attach(Object.assign({ app: router }, subscribeHandlers));
-handlers.attach(Object.assign({ app: router }, changePaymentHandlers));
-handlers.attach(Object.assign({ app: router }, changePlanHandlers));
-handlers.attach(Object.assign({ app: router }, rechargeHandlers));
-handlers.attach(Object.assign({ app: router }, rechargeAccountHandlers));
-handlers.attach(Object.assign({ app: router }, delegationHandlers));
-handlers.attach(Object.assign({ app: router }, overdraftProtectionHandlers));
-handlers.attach(Object.assign({ app: router }, reStakeHandlers));
-handlers.attach(Object.assign({ app: router }, autoRechargeAuthorizationHandlers));
-handlers.attach(Object.assign({ app: router }, changePayerHandlers));
-router.use('/api', routes);
-const isProduction = process.env.BLOCKLET_MODE === 'production';
-app.use(contextMiddleware);
-app.use(router);
-if (isProduction) {
-  const staticDir = path.resolve(process.env.BLOCKLET_APP_DIR!, 'dist');
-  app.use(express.static(staticDir, { maxAge: '30d', index: false }));
-  app.use(fallback('index.html', { root: staticDir }));
-}
-// eslint-disable-next-line @typescript-eslint/no-unused-vars
-app.use(<ErrorRequestHandler>((err, req, res, _next) => {
-  logger.error('handle router error', err);
-  if (err instanceof CustomError) {
-    res.status(getStatusFromError(err)).json({ error: formatError(err) });
-    return;
-  }
-  if (req.accepts('json')) {
-    res.status(500).send({ error: err.message });
-  } else {
-    res.status(500).send('Something broke!');
-  }
-}));
-const port = parseInt(process.env.BLOCKLET_PORT!, 10);
-export const server = app.listen(port, (err?: any) => {
-  if (err) throw err;
-  logger.info(`> payment-kit ready on ${port}`);
-  syncCurrencyLogo();
-  ensureCreateOverdraftProtectionPrices();
-  startPaymentQueue().then(() => logger.info('payment queue started'));
-  startInvoiceQueue().then(() => logger.info('invoice queue started'));
-  startSubscriptionQueue().then(() => logger.info('subscription queue started'));
-  startEventQueue().then(() => logger.info('event queue started'));
-  startPayoutQueue().then(() => logger.info('payout queue started'));
-  startVendorCommissionQueue().then(() => logger.info('vendor commission queue started'));
-  startVendorFulfillmentQueue().then(() => logger.info('vendor fulfillment queue started'));
-  startCoordinatedFulfillmentQueue().then(() => logger.info('coordinated fulfillment queue started'));
-  startCheckoutSessionQueue().then(() => logger.info('checkoutSession queue started'));
-  startNotificationQueue().then(() => logger.info('notification queue started'));
-  startRefundQueue().then(() => logger.info('refund queue started'));
-  startCreditConsumeQueue().then(() => logger.info('credit queue started'));
-  startCreditGrantQueue().then(() => logger.info('credit grant queue started'));
-  startTokenTransferQueue().then(() => logger.info('token transfer queue started'));
-  startReconciliationQueue().then(() => logger.info('credit reconciliation queue started'));
-  startDiscountStatusQueue().then(() => logger.info('discount status queue started'));
-  startExchangeRateHealthQueue();
-  logger.info('exchange rate health queue started');
-  startUploadBillingInfoListener();
-  if (process.env.BLOCKLET_MODE === 'production') {
-    ensureWebhookRegistered().catch(console.error);
-  }
-  ensureStakedForGas().catch(console.error);
-  crons.init();
+// eslint-disable-next-line import/first
+import { buildService, onListening } from './bootstrap';
-  initEventBroadcast();
+const { service, port } = buildService();
-  initResourceHandler();
+// @hono/node-server serve(): the listeningListener is the exact equivalent of the
+// old express app.listen(port, cb) — it fires once the socket is bound, which is
+// where background services start. serve() returns the underlying Node Server
+// (used by dev tooling for HMR upgrades and by lifecycle teardown).
+export const server = serve({ fetch: service.fetch, port }, (info) => onListening(service, info.port));
-  initUserHandler();
-});
+export { service };

package/api/src/integrations/app-store/client.ts CHANGED Viewed

@@ -18,6 +18,7 @@
 // Tests replace this class via jest mocks.
 import { config as configApple, validate as validateAppleReceipt } from 'node-apple-receipt-verify';
+import { appStoreWriteEnabled } from '../../libs/env';
 import logger from '../../libs/logger';
 import {
@@ -112,8 +113,6 @@ export type AppStoreSettings = {
   private_key_pem?: string;
 };
-const WRITE_ENABLED = process.env.APP_STORE_WRITE_ENABLED === 'true';
 export class AppStoreClient {
   declare readonly bundleId: string;
@@ -348,7 +347,7 @@ export class AppStoreClient {
   /** Refund — Apple actually doesn't let third parties refund subscriptions; this is here for symmetry with GooglePlayClient. */
   // eslint-disable-next-line class-methods-use-this, require-await
   public async refundSubscription(originalTransactionId: string): Promise<void> {
-    if (!WRITE_ENABLED) {
+    if (!appStoreWriteEnabled()) {
       throw new Error(
         `refundSubscription(${originalTransactionId}) is gated behind APP_STORE_WRITE_ENABLED env. Note: Apple Server API has no third-party refund endpoint — refunds must be requested by the end user via reportProblem.apple.com or by Apple support.`
       );
@@ -359,7 +358,7 @@ export class AppStoreClient {
   /** Cancel — same caveat as refund: Apple expects the user to cancel via App Store > Subscriptions. */
   // eslint-disable-next-line class-methods-use-this, require-await
   public async cancelSubscription(originalTransactionId: string): Promise<void> {
-    if (!WRITE_ENABLED) {
+    if (!appStoreWriteEnabled()) {
       throw new Error(
         `cancelSubscription(${originalTransactionId}) is gated behind APP_STORE_WRITE_ENABLED env. Apple does not expose a server-initiated cancel — the user must cancel from their device.`
       );

package/api/src/integrations/app-store/handlers/subscription.ts CHANGED Viewed

@@ -10,7 +10,7 @@
 // `transactionId` changes per charge. We store both in payment_details for
 // audit, but uniqueness/de-dup keys off originalTransactionId.
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import logger from '../../../libs/logger';
 import { Customer, PaymentMethod, Price, Subscription, SubscriptionItem } from '../../../store/models';
 import {
@@ -156,7 +156,7 @@ export async function ingestVerifiedAppStorePurchase({
         }
       }
       await existing.update(updatePatch);
-      createEvent('Subscription', 'customer.subscription.started', existing).catch(console.error);
+      createEvent('Subscription', 'customer.subscription.started', existing).catch(reportAuditFailure);
       logger.info('app_store verify: reactivated lapsed subscription from fresh transaction', {
         subscriptionId: existing.id,
         originalTransactionId: transaction.originalTransactionId,
@@ -331,7 +331,7 @@ export async function ingestVerifiedAppStorePurchase({
     } as any);
   }
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   logger.info('app_store verify: subscription created', {
     subscriptionId: subscription.id,
     customerId: customer.id,
@@ -545,7 +545,7 @@ async function handleAppStoreSubscribed({
     pending_invoice_item_interval: { interval: 'month', interval_count: 1 } as any,
   } as any);
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   logger.info('app_store SUBSCRIBED — subscription created from webhook', {
     subscriptionId: subscription.id,
     customerId: customer.id,
@@ -574,13 +574,13 @@ async function handleAppStoreRenewed(
       },
     },
   });
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
 }
 async function markAppStoreExpired(subscription: Subscription): Promise<void> {
   if (['canceled', 'incomplete_expired'].includes(subscription.status as string)) return;
   await subscription.update({ status: 'canceled', ended_at: Math.floor(Date.now() / 1000) });
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }
 async function markAppStorePastDue(subscription: Subscription): Promise<void> {
@@ -631,5 +631,5 @@ async function handleAppStoreRevoked(
     refunded: isRefund,
   });
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }

package/api/src/integrations/app-store/signed-data-verifier.ts CHANGED Viewed

@@ -26,6 +26,7 @@ import type {
 } from '@apple/app-store-server-library';
 import logger from '../../libs/logger';
+import { appStoreSkipSignatureVerify, isProduction } from '../../libs/env';
 import { APPLE_ROOT_CERTS } from './apple-root-certs';
 const verifierCache = new Map<string, SignedDataVerifier>();
@@ -46,13 +47,13 @@ async function getVerifier(bundleId: string, environment: 'production' | 'sandbo
 }
 export function isSignatureVerificationSkipped(): boolean {
-  if (process.env.APP_STORE_SKIP_SIGNATURE_VERIFY !== 'true') return false;
+  if (!appStoreSkipSignatureVerify()) return false;
   // Production fail-closed: even when the bypass flag is set we refuse to
   // honor it in production, and log loudly so the misconfiguration is
   // visible. The flag exists for unit tests / local sandbox debugging where
   // the synthetic JWS isn't signed by Apple; in production it would silently
   // downgrade a critical trust boundary to decode-only (CWE-347).
-  if (process.env.BLOCKLET_MODE === 'production') {
+  if (isProduction()) {
     logger.error(
       'app_store: APP_STORE_SKIP_SIGNATURE_VERIFY=true ignored in production — JWS signature verification stays enabled'
     );

package/api/src/integrations/arcblock/token.ts CHANGED Viewed

@@ -5,16 +5,30 @@ import { BN, fromTokenToUnit, fromUnitToToken, toBN, toBase58, toBase64 } from '
 import { types } from '@ocap/mcrypto';
 import { verify as verifyVC } from '@arcblock/vc';
 import { BlockletService } from '@blocklet/sdk/service/blocklet';
+import env, { blockletAppHost } from '../../libs/env';
 import { PaymentMethod } from '../../store/models';
 import type { TPaymentCurrency } from '../../store/models';
 import { wallet } from '../../libs/auth';
 import logger from '../../libs/logger';
-import env from '../../libs/env';
 import { sleep } from '../../libs/util';
 import { getGasPayerExtra } from '../../libs/payment';
-const blockletService = new BlockletService();
+// Lazy singleton: `new BlockletService()` runs `checkBlockletEnvironment()`,
+// which throws unless BLOCKLET_APP_ID/DID/EK/ABT_NODE_* are present. Those env
+// vars only exist inside a blocklet runtime — when payment-core is embedded in
+// a host like arc, constructing this at module-init crashes the whole graph on
+// import. Defer to first use so the import is environment-agnostic; the routing
+// -rule feature (the only consumer) simply requires the host to supply that env
+// when it is actually exercised.
+// eslint-disable-next-line @typescript-eslint/naming-convention -- intentional _-prefixed module singleton
+let _blockletService: InstanceType<typeof BlockletService> | undefined;
+function getBlockletService(): InstanceType<typeof BlockletService> {
+  if (!_blockletService) {
+    _blockletService = new BlockletService();
+  }
+  return _blockletService;
+}
 export function isOnchainCredit(paymentCurrency: TPaymentCurrency) {
   return paymentCurrency.type === 'credit' && !!paymentCurrency.token_config;
@@ -154,7 +168,7 @@ async function createTokenVC(data: { tokenAddress: string; symbol: string; websi
  * Step 2: Publish VC (Verifiable Credential) for token via routing rule
  */
 async function publishTokenVC(vc: any) {
-  const { blocklet: blockletInfo } = await blockletService.getBlocklet();
+  const { blocklet: blockletInfo } = await getBlockletService().getBlocklet();
   const site = blockletInfo?.site;
   if (!site?.id) {
@@ -226,7 +240,7 @@ async function publishTokenVC(vc: any) {
   try {
     let result;
     if (isUpdate) {
-      result = await blockletService.updateRoutingRule({
+      result = await getBlockletService().updateRoutingRule({
         id: site.id,
         rule: {
           id: existingRule.id,
@@ -234,7 +248,7 @@ async function publishTokenVC(vc: any) {
         },
       });
     } else {
-      result = await blockletService.addRoutingRule({
+      result = await getBlockletService().addRoutingRule({
         id: site.id,
         rule,
       });
@@ -279,7 +293,7 @@ export async function createToken(data: { name: string; symbol: string; decimal?
         name: data.name,
         symbol: data.symbol,
         description: `Token created by ${env.appName || 'Payment Kit'}`,
-        website: env.appUrl || process.env.BLOCKLET_APP_HOST,
+        website: env.appUrl || blockletAppHost(),
         icon: '',
         maxTotalSupply: null,
         decimal: data.decimal ?? 10,
@@ -307,7 +321,7 @@ export async function createToken(data: { name: string; symbol: string; decimal?
     const vc = await createTokenVC({
       tokenAddress: factoryItx.token.address,
       symbol: data.symbol,
-      website: env.appUrl || process.env.BLOCKLET_APP_HOST!,
+      website: env.appUrl || blockletAppHost()!,
       chainId,
     });

package/api/src/integrations/google-play/handlers/subscription.ts CHANGED Viewed

@@ -7,7 +7,7 @@
 import { Op } from 'sequelize';
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import logger from '../../../libs/logger';
 import { Customer, PaymentMethod, Price, Subscription, SubscriptionItem } from '../../../store/models';
 import { GooglePlayClient, GooglePlaySubscriptionPurchase } from '../client';
@@ -268,12 +268,12 @@ async function handleRenewedOrDeferred({
       },
     },
   });
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
 }
 async function handleResumed(subscription: Subscription): Promise<void> {
   await subscription.update({ status: 'active' });
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
 }
 async function markPastDue(subscription: Subscription): Promise<void> {
@@ -293,7 +293,7 @@ async function scheduleCancelAtPeriodEnd(subscription: Subscription): Promise<vo
 async function markExpired(subscription: Subscription): Promise<void> {
   if (['canceled', 'incomplete_expired'].includes(subscription.status as string)) return;
   await subscription.update({ status: 'canceled', canceled_at: Math.floor(Date.now() / 1000) });
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }
 /**
@@ -526,7 +526,7 @@ export async function ingestVerifiedGooglePlayPurchase({
     return { subscription: winner, isFirstSubscribe: false, purchase };
   }
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   logger.info('google_play verify: subscription created', {
     subscriptionId: subscription.id,
     customerId: customer.id,
@@ -561,5 +561,5 @@ async function handleRevoked(subscription: Subscription): Promise<void> {
     subscriptionId: subscription.id,
   });
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }

package/api/src/integrations/google-play/handlers/voided.ts CHANGED Viewed

@@ -11,7 +11,7 @@
 //     refundType:  1 = FULL,     2 = QUANTITY_BASED
 //   }
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import logger from '../../../libs/logger';
 import { Subscription } from '../../../store/models';
@@ -91,7 +91,7 @@ export async function handleGooglePlayVoidedPurchase({
         google_play_voided_refund_type: refundType,
       },
     });
-    createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
   }
   // TODO: create a Refund row for audit. Blocked on payment_intent_id schema —

package/api/src/integrations/google-play/verify.ts CHANGED Viewed

@@ -9,6 +9,7 @@
 // Cloudflare Workers（payment-kit 是统一代码）。
 import logger from '../../libs/logger';
+import { googlePubsubSkipSignatureVerify, isProduction } from '../../libs/env';
 export type PubSubJwtClaims = {
   iss: string;
@@ -80,7 +81,7 @@ export type VerifyOptions = {
 };
 function defaultSkipSignature(): boolean {
-  return process.env.GOOGLE_PUBSUB_SKIP_SIGNATURE_VERIFY === 'true';
+  return googlePubsubSkipSignatureVerify();
 }
 /**
@@ -93,7 +94,7 @@ function defaultSkipSignature(): boolean {
  */
 function effectiveSkipSignature(requested: boolean): boolean {
   if (!requested) return false;
-  if (process.env.BLOCKLET_MODE === 'production') {
+  if (isProduction()) {
     logger.error(
       'google_play: signature verification skip refused in production — Pub/Sub JWT signature verification stays enabled'
     );

package/api/src/integrations/iap-reconcile.ts CHANGED Viewed

@@ -20,6 +20,7 @@
 // every 5 minutes by default; tuneable via `IAP_RECONCILE_CRON_TIME`.
 import { Op } from 'sequelize';
+import { iapReconcileBatchSize } from '../libs/env';
 import { createEvent } from '../libs/audit';
 import logger from '../libs/logger';
@@ -30,9 +31,6 @@ import { GooglePlayClient, GooglePlaySubscriptionPurchase } from './google-play/
 /** Don't re-check subs that were updated by a webhook within the last 5 minutes. */
 const RECENT_UPDATE_GUARD_MS = 5 * 60 * 1000;
-/** Per-channel batch cap so a single cron tick can't stall on Apple/Google rate limits. */
-const DEFAULT_BATCH_SIZE = Number(process.env.IAP_RECONCILE_BATCH_SIZE ?? '100');
 type ReconcileStats = { checked: number; updated: number; errors: number };
 const emptyStats = (): ReconcileStats => ({ checked: 0, updated: 0, errors: 0 });
@@ -149,7 +147,7 @@ async function backfillMissingSubscriptionItems(): Promise<void> {
 // App Store
 // ---------------------------------------------------------------------------
-export async function reconcileAppStore(batchSize = DEFAULT_BATCH_SIZE): Promise<ReconcileStats> {
+export async function reconcileAppStore(batchSize = iapReconcileBatchSize()): Promise<ReconcileStats> {
   const stats = emptyStats();
   const methods = await PaymentMethod.findAll({ where: { type: 'app_store' } });
   if (methods.length === 0) return stats;
@@ -293,7 +291,7 @@ export async function applyAppStoreTransactionDrift(
 // Google Play
 // ---------------------------------------------------------------------------
-export async function reconcileGooglePlay(batchSize = DEFAULT_BATCH_SIZE): Promise<ReconcileStats> {
+export async function reconcileGooglePlay(batchSize = iapReconcileBatchSize()): Promise<ReconcileStats> {
   const stats = emptyStats();
   const methods = await PaymentMethod.findAll({ where: { type: 'google_play' } });
   if (methods.length === 0) return stats;

package/api/src/integrations/stripe/handlers/invoice.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import type Stripe from 'stripe';
 import type { WhereOptions } from 'sequelize';
 import { checkUsageReportEmpty } from '../../../libs/subscription';
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import { getLock } from '../../../libs/lock';
 import logger from '../../../libs/logger';
 import {
@@ -361,7 +361,7 @@ export async function handleStripeInvoiceCreated(event: TEventExpanded, client:
       createEvent('Subscription', 'usage.report.empty', subscription, {
         usageReportStart,
         usageReportEnd,
-      }).catch(console.error);
+      }).catch(reportAuditFailure);
       logger.info('create usage report empty event', {
         subscriptionId: subscription.id,
         usageReportStart,

package/api/src/integrations/stripe/handlers/subscription.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import {
 } from '../../../libs/subscription';
 import { CheckoutSession, PaymentMethod, Subscription, TEventExpanded } from '../../../store/models';
 import { getCheckoutSessionSubscriptionIds } from '../../../libs/session';
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 export async function handleStripeSubscriptionSucceed(subscription: Subscription, status: string) {
   if (!subscription.payment_details?.stripe?.subscription_id) {
@@ -51,9 +51,9 @@ export async function handleStripeSubscriptionSucceed(subscription: Subscription
   await subscription.update({ status });
   if (subscription.trial_end && subscription.trial_end > Date.now() / 1000 && subscription.status === 'trialing') {
-    createEvent('Subscription', 'customer.subscription.trial_start', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.trial_start', subscription).catch(reportAuditFailure);
   } else if (subscription.status === 'active') {
-    createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+    createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   }
   logger.info('subscription become active on stripe event', { id: subscription.id, status: subscription.status });

package/api/src/libs/archive/query.ts CHANGED Viewed

@@ -5,9 +5,14 @@ import path from 'path';
 import { QueryTypes, Op } from 'sequelize';
 import logger from '../logger';
+import { getInstanceDid } from '../context';
+import { getTenantMode } from '../tenant';
+import { TENANT_TABLES } from '../../store/tenant-tables';
 import { ArchiveMetadata } from '../../store/models/archive-metadata';
 import { listArchiveFiles, openArchiveSequelize } from './store';
+const TENANT_TABLE_SET: ReadonlySet<string> = new Set(TENANT_TABLES);
 type ArchiveQueryParams = {
   table: string;
   id?: string;
@@ -52,6 +57,20 @@ function buildWhereClause(params: ArchiveQueryParams) {
     replacements.customerId = params.customer_id;
   }
+  // 洞 G (Phase 4): archived rows are snapshots of tenant tables — scope the
+  // read by instance_did so an admin can't query another tenant's archive.
+  // multi mode is strict (fail-closed); single mode also accepts legacy
+  // pre-backfill snapshots (instance_did NULL), which all belong to the one
+  // deployment tenant (mirrors the resolveRowTenant single-mode default).
+  if (TENANT_TABLE_SET.has(params.table)) {
+    replacements.instance_did = getInstanceDid();
+    if (getTenantMode() === 'single') {
+      conditions.push('(instance_did = :instance_did OR instance_did IS NULL)');
+    } else {
+      conditions.push('instance_did = :instance_did');
+    }
+  }
   return { clause: conditions.join(' AND '), replacements };
 }