payment-kit 1.29.1 → 1.29.3

package/api/tests/integrations/iap-tenant.spec.ts

@@ -0,0 +1,284 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Hono } from 'hono';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+// capture the tenant the verified-event handler runs under
+const handleGooglePlayEvent = jest.fn().mockImplementation(async () => {
+  // eslint-disable-next-line global-require
+  const { getInstanceDid } = require('../../src/libs/context');
+  handlerTenants.push(getInstanceDid());
+});
+const handlerTenants: string[] = [];
+jest.mock('../../src/integrations/google-play/handlers', () => ({
+  __esModule: true,
+  default: (...args: any[]) => handleGooglePlayEvent(...args),
+}));
+
+const handleAppStoreNotification = jest.fn().mockImplementation(async () => {
+  // eslint-disable-next-line global-require
+  const { getInstanceDid } = require('../../src/libs/context');
+  appStoreTenants.push(getInstanceDid());
+});
+const appStoreTenants: string[] = [];
+jest.mock('../../src/integrations/app-store/handlers', () => ({
+  __esModule: true,
+  default: (...args: any[]) => handleAppStoreNotification(...args),
+}));
+// unverified routing peek: bundleId comes straight from our fake payload
+jest.mock('../../src/integrations/app-store/notification-routing', () => ({
+  __esModule: true,
+  peekNotificationRouting: (signedPayload: string) => JSON.parse(signedPayload),
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'iap-tenant-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let models: any;
+let app: Hono;
+
+const rtdnEnvelope = (packageName: string) => ({
+  message: {
+    messageId: `msg-${Math.random().toString(36).slice(2)}`,
+    data: Buffer.from(
+      JSON.stringify({
+        version: '1.0',
+        packageName,
+        eventTimeMillis: String(Date.now()),
+        subscriptionNotification: {
+          version: '1.0',
+          notificationType: 4,
+          purchaseToken: 'token-x',
+          subscriptionId: 'sku-x',
+        },
+      })
+    ).toString('base64'),
+  },
+  subscription: 'projects/x/subscriptions/y',
+});
+
+const postWebhook = async (body: any): Promise<{ status: number; json: any }> => {
+  const res = await app.fetch(
+    new Request('http://app.local/api/integrations/google-play/webhook', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+  );
+  return { status: res.status, json: JSON.parse((await res.text()) || '{}') };
+};
+
+const seedMethod = (tenant: string, packageName: string) =>
+  withTenant(tenant, () =>
+    models.PaymentMethod.create({
+      livemode: false,
+      active: true,
+      type: 'google_play',
+      instance_did: tenant,
+      confirmation: { type: 'callback' },
+      features: { recurring: true, refund: true, dispute: false },
+      settings: models.PaymentMethod.encryptSettings({
+        google_play: { package_name: packageName, service_account_json: '{"client_email":"x","private_key":"y"}' },
+      }),
+    })
+  );
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  models = require('../../src/store/models');
+  models.initialize(sequelize);
+  // eslint-disable-next-line global-require
+  const googlePlay = require('../../src/routes/hono/integrations/google-play').default;
+  // eslint-disable-next-line global-require
+  const appStore = require('../../src/routes/hono/integrations/app-store').default;
+  // eslint-disable-next-line global-require
+  const { mountResourceGroup } = require('../../src/middlewares/hono/resource-mount');
+  // Mount exactly as production does (app-shell pipeline → sanitizedBody/livemode
+  // populated, csrf skipped without a cookie). Drive via app.fetch — single-mode
+  // test env, so contextMiddleware resolves the default tenant without a Host.
+  app = new Hono();
+  mountResourceGroup(app, '/api/integrations/google-play', googlePlay);
+  mountResourceGroup(app, '/api/integrations/app-store', appStore);
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+beforeEach(async () => {
+  // restoreMocks=true resets spies after each test — re-install per test.
+  // the App Store client is exercised elsewhere; here it must only verify
+  jest
+    .spyOn(models.PaymentMethod.prototype, 'getAppStoreClient')
+    .mockReturnValue({ verifyNotificationPayload: async (p: string) => JSON.parse(p) } as any);
+  handleGooglePlayEvent.mockClear();
+  handleAppStoreNotification.mockClear();
+  handlerTenants.length = 0;
+  appStoreTenants.length = 0;
+  await sequelize.query('DELETE FROM payment_methods');
+  await sequelize.query('DELETE FROM prices');
+  await sequelize.query('DELETE FROM products');
+});
+
+const seedAppStoreMethod = (tenant: string, bundleId: string) =>
+  withTenant(tenant, () =>
+    models.PaymentMethod.create({
+      livemode: false,
+      active: true,
+      type: 'app_store',
+      instance_did: tenant,
+      confirmation: { type: 'callback' },
+      features: { recurring: true, refund: false, dispute: false },
+      settings: models.PaymentMethod.encryptSettings({
+        app_store: { bundle_id: bundleId, environment: 'production' },
+      }),
+    })
+  );
+
+const postAppStoreWebhook = async (routing: {
+  bundleId: string;
+  environment?: string;
+}): Promise<{ status: number; json: any }> => {
+  const res = await app.fetch(
+    new Request('http://app.local/api/integrations/app-store/webhook', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ signedPayload: JSON.stringify(routing) }),
+    })
+  );
+  return { status: res.status, json: JSON.parse((await res.text()) || '{}') };
+};
+
+describe('IAP channel-identifier tenant reverse lookup (phase 6)', () => {
+  it('happy path: RTDN routes to the tenant that registered the package_name', async () => {
+    await seedMethod(TENANT_A, 'com.tenant.a');
+    await seedMethod(TENANT_B, 'com.tenant.b');
+
+    const res = await postWebhook(rtdnEnvelope('com.tenant.b'));
+    expect(res.status).toBe(200);
+    expect(res.json).toEqual({ received: true });
+    expect(handleGooglePlayEvent).toHaveBeenCalledTimes(1);
+    expect(handlerTenants).toEqual([TENANT_B]);
+  });
+
+  it('bad input: unregistered package_name is acked-skipped without touching any tenant', async () => {
+    await seedMethod(TENANT_A, 'com.tenant.a');
+    const res = await postWebhook(rtdnEnvelope('com.unknown.app'));
+    expect(res.status).toBe(200);
+    expect(res.json).toEqual({ skipped: true });
+    expect(handleGooglePlayEvent).not.toHaveBeenCalled();
+  });
+
+  it('security: ambiguous registration (same package under two tenants) is refused', async () => {
+    await seedMethod(TENANT_A, 'com.shared.app');
+    await seedMethod(TENANT_B, 'com.shared.app');
+    const res = await postWebhook(rtdnEnvelope('com.shared.app'));
+    expect(res.status).toBe(200);
+    expect(res.json.reason).toContain('ambiguous');
+    expect(handleGooglePlayEvent).not.toHaveBeenCalled();
+  });
+
+  it('app-store: JWS bundleId routes to the registering tenant; ambiguity refused', async () => {
+    await seedAppStoreMethod(TENANT_A, 'com.ios.a');
+    await seedAppStoreMethod(TENANT_B, 'com.ios.b');
+
+    const res = await postAppStoreWebhook({ bundleId: 'com.ios.b', environment: 'production' });
+    expect(res.status).toBe(200);
+    expect(res.json).toEqual({ received: true });
+    expect(appStoreTenants).toEqual([TENANT_B]);
+
+    // ambiguity: register the SAME bundle under another tenant -> refused
+    await seedAppStoreMethod(TENANT_A, 'com.ios.b');
+    const dup = await postAppStoreWebhook({ bundleId: 'com.ios.b', environment: 'production' });
+    expect(dup.json.reason).toContain('ambiguous');
+    expect(appStoreTenants).toHaveLength(1); // no second delivery
+  });
+
+  it('data damage: two tenants with the same SKU resolve to their own Price via bundle scoping', async () => {
+    const seedPrice = (tenant: string, bundleId: string, marker: string) =>
+      withTenant(tenant, async () => {
+        const product = await models.Product.create({
+          livemode: false,
+          active: true,
+          instance_did: tenant,
+          name: marker,
+          type: 'service',
+        });
+        return models.Price.create({
+          livemode: false,
+          active: true,
+          instance_did: tenant,
+          product_id: product.id,
+          type: 'recurring',
+          billing_scheme: 'per_unit',
+          unit_amount: '100',
+          currency_options: [],
+          metadata: { app_store_product_id: 'sku.shared', bundle_id: bundleId },
+          nickname: marker,
+        });
+      });
+    const priceA = await seedPrice(TENANT_A, 'com.ios.a', 'price-a');
+    const priceB = await seedPrice(TENANT_B, 'com.ios.b', 'price-b');
+
+    // the (sku, bundle_id) lookup used by the IAP handlers. The handler first
+    // reverse-resolves the tenant from the registering PaymentMethod, then runs
+    // the price lookup under withTenant(tenant) — TenantModel scopes it to that
+    // tenant's row even though both share the SKU.
+    const foundA: any = await withTenant(TENANT_A, () =>
+      models.Price.findOne({
+        where: { 'metadata.app_store_product_id': 'sku.shared', 'metadata.bundle_id': 'com.ios.a' } as any,
+      })
+    );
+    const foundB: any = await withTenant(TENANT_B, () =>
+      models.Price.findOne({
+        where: { 'metadata.app_store_product_id': 'sku.shared', 'metadata.bundle_id': 'com.ios.b' } as any,
+      })
+    );
+    expect(foundA.id).toBe(priceA.id);
+    expect(foundA.instance_did).toBe(TENANT_A);
+    expect(foundB.id).toBe(priceB.id);
+    expect(foundB.instance_did).toBe(TENANT_B);
+  });
+
+  it('data leak: a forged notification can only ever land in the registering tenant', async () => {
+    // even if an attacker controls the payload entirely, the tenant is chosen
+    // by the server-side registration, never by payload contents
+    await seedMethod(TENANT_A, 'com.tenant.a');
+    const res = await postWebhook({
+      ...rtdnEnvelope('com.tenant.a'),
+      attacker: { wants: TENANT_B },
+    });
+    expect(res.status).toBe(200);
+    expect(handlerTenants).toEqual([TENANT_A]);
+  });
+});

package/api/tests/libs/archive-query.spec.ts

@@ -124,6 +124,32 @@ describe('archive/query', () => {
       expect(mockClose).toHaveBeenCalled();
     });
 
+    it('洞 G: the data SELECT on a tenant table is instance_did-guarded', async () => {
+      const mockClose = jest.fn();
+      let dataSql = '';
+      let dataOpts: any = null;
+      const mockQuery = jest.fn().mockImplementation((sql: string, opts: any) => {
+        if (sql.includes('sqlite_master')) return [[{ name: 'invoices' }]];
+        dataSql = sql;
+        dataOpts = opts;
+        return [];
+      });
+      mockListArchiveFiles.mockReturnValue(['/tmp/archive-2024.db']);
+      mockOpenArchiveSequelize.mockReturnValue({ query: mockQuery, close: mockClose } as any);
+      mockArchiveMetadataFindAll.mockResolvedValue([]);
+
+      await queryArchive({
+        table: 'invoices',
+        from: Math.floor(new Date('2024-01-01').getTime() / 1000),
+        page: 1,
+        limit: 10,
+      });
+
+      // the archived tenant-table read carries an instance_did predicate + bind
+      expect(dataSql).toMatch(/instance_did/);
+      expect(dataOpts?.replacements?.instance_did).toBeTruthy();
+    });
+
     it('should skip archive files that do not have the requested table', async () => {
       const mockClose = jest.fn();
       // Return empty array for sqlite_master query (table doesn't exist)

package/api/tests/libs/audit-tenant.spec.ts

@@ -0,0 +1,153 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_CONTEXT_MISSING, TENANT_MISMATCH } from '../../src/libs/tenant';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-tenant-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let audit: typeof import('../../src/libs/audit');
+let logger: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  const models = require('../../src/store/models');
+  models.initialize(sequelize);
+  // eslint-disable-next-line global-require
+  audit = require('../../src/libs/audit');
+  // eslint-disable-next-line global-require
+  logger = require('../../src/libs/logger').default;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+beforeEach(async () => {
+  await sequelize.query('DELETE FROM events');
+});
+
+const fakeModel = (tenant: string | null, extra: Record<string, any> = {}) => ({
+  id: 'obj_1',
+  livemode: false,
+  instance_did: tenant,
+  dataValues: { id: 'obj_1', instance_did: tenant, ...extra },
+  _previousDataValues: {},
+});
+
+describe('audit tenant resolution (phase 4)', () => {
+  describe('happy path', () => {
+    it('takes the tenant from the model row', async () => {
+      await audit.createEvent('Customer', 'customer.created', fakeModel(TENANT_A));
+      const [rows] = await sequelize.query('SELECT type, instance_did FROM events');
+      expect(rows).toEqual([{ type: 'customer.created', instance_did: TENANT_A }]);
+    });
+
+    it('falls back to the tenant context when the model has none', async () => {
+      await withTenant(TENANT_B, () => audit.createEvent('Customer', 'customer.created', fakeModel(null)));
+      const [rows] = await sequelize.query('SELECT instance_did FROM events');
+      expect(rows).toEqual([{ instance_did: TENANT_B }]);
+    });
+
+    it('createFlexibleEvent (system source) uses the tenant context', async () => {
+      const event: any = await withTenant(TENANT_A, () =>
+        audit.createFlexibleEvent('payout.created', 'payout', 'po_1', { ok: true })
+      );
+      expect(event.instance_did).toBe(TENANT_A);
+    });
+  });
+
+  describe('bad input: both sources missing', () => {
+    it('rejects in multi mode and writes no event row', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      try {
+        await expect(audit.createEvent('Customer', 'customer.created', fakeModel(null))).rejects.toMatchObject({
+          code: TENANT_CONTEXT_MISSING,
+        });
+      } finally {
+        delete process.env.PAYMENT_TENANT_MODE;
+      }
+      const [rows] = await sequelize.query('SELECT COUNT(*) AS n FROM events');
+      expect((rows as any[])[0].n).toBe(0);
+    });
+  });
+
+  describe('security: contradictory sources', () => {
+    it('rejects when model tenant and context tenant disagree', async () => {
+      await withTenant(TENANT_A, async () => {
+        await expect(audit.createEvent('Customer', 'customer.created', fakeModel(TENANT_B))).rejects.toMatchObject({
+          code: TENANT_MISMATCH,
+        });
+      });
+      const [rows] = await sequelize.query('SELECT COUNT(*) AS n FROM events');
+      expect((rows as any[])[0].n).toBe(0);
+    });
+  });
+
+  describe('data loss: rejection never blocks the business write', () => {
+    it('reportAuditFailure is fire-and-forget with a dedicated code', () => {
+      const err = Object.assign(new Error('conflict'), { code: TENANT_MISMATCH });
+      expect(() => audit.reportAuditFailure(err)).not.toThrow();
+      expect(logger.error).toHaveBeenCalledWith(
+        '[audit] event creation failed',
+        expect.objectContaining({ code: TENANT_MISMATCH })
+      );
+
+      audit.reportAuditFailure(new Error('boom'));
+      expect(logger.error).toHaveBeenCalledWith(
+        '[audit] event creation failed',
+        expect.objectContaining({ code: 'EVENT_CREATE_FAILED' })
+      );
+    });
+  });
+
+  describe('data leak: status/custom event paths carry the tenant too', () => {
+    it('createStatusEvent stamps the model tenant', async () => {
+      const model = fakeModel(TENANT_A, { status: 'active' });
+      await audit.createStatusEvent('Subscription', 'customer.subscription', { active: 'activated' }, model, {
+        fields: ['status'],
+      });
+      const [rows] = await sequelize.query('SELECT instance_did FROM events');
+      expect(rows).toEqual([{ instance_did: TENANT_A }]);
+    });
+
+    it('createCustomEvent stamps the model tenant', async () => {
+      const model = fakeModel(TENANT_B, { status: 'canceled' });
+      await audit.createCustomEvent('Subscription', 'customer.subscription', () => 'deleted', model, {
+        fields: ['status'],
+      });
+      const [rows] = await sequelize.query('SELECT type, instance_did FROM events');
+      expect(rows).toEqual([{ type: 'customer.subscription.deleted', instance_did: TENANT_B }]);
+    });
+  });
+});

package/api/tests/libs/context.spec.ts

@@ -0,0 +1,204 @@
+import {
+  TENANT_CONTEXT_MISSING,
+  TenantError,
+  context,
+  getDefaultInstanceDid,
+  getInstanceDid,
+  getTenantMode,
+  withTenant,
+} from '../../src/libs/context';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
+
+describe('libs/context tenant infrastructure', () => {
+  const originalMode = process.env.PAYMENT_TENANT_MODE;
+
+  afterEach(() => {
+    if (originalMode === undefined) {
+      delete process.env.PAYMENT_TENANT_MODE;
+    } else {
+      process.env.PAYMENT_TENANT_MODE = originalMode;
+    }
+  });
+
+  const asMulti = () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+  };
+
+  describe('tenant mode', () => {
+    it('defaults to single mode', () => {
+      delete process.env.PAYMENT_TENANT_MODE;
+      expect(getTenantMode()).toBe('single');
+    });
+
+    it('reads multi mode from env', () => {
+      asMulti();
+      expect(getTenantMode()).toBe('multi');
+    });
+  });
+
+  describe('happy path', () => {
+    it('returns the tenant inside withTenant and across await boundaries', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(getInstanceDid()).toBe(TENANT_A);
+        await sleep(5);
+        expect(getInstanceDid()).toBe(TENANT_A);
+        await Promise.resolve().then(() => {
+          expect(getInstanceDid()).toBe(TENANT_A);
+        });
+      });
+    });
+
+    it('exposes instanceDid via context.getContext()', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(context.getContext().instanceDid).toBe(TENANT_A);
+      });
+    });
+
+    it('returns the value produced by fn', async () => {
+      const result = await withTenant(TENANT_A, async () => 42);
+      expect(result).toBe(42);
+    });
+
+    it('keeps tenant when context.run is nested inside withTenant', async () => {
+      await withTenant(TENANT_A, () =>
+        context.run({ requestedBy: 'user-x' }, async () => {
+          expect(getInstanceDid()).toBe(TENANT_A);
+          expect(context.getRequestedBy()).toBe('user-x');
+        })
+      );
+    });
+
+    it('keeps tenant when withTenant is nested inside context.run', async () => {
+      await context.run({ requestedBy: 'user-x' }, () =>
+        withTenant(TENANT_A, async () => {
+          expect(getInstanceDid()).toBe(TENANT_A);
+          expect(context.getRequestedBy()).toBe('user-x');
+        })
+      );
+    });
+  });
+
+  describe('bad input', () => {
+    it.each([['' as any], ['   ' as any], [null as any], [undefined as any], [123 as any], ['a b' as any]])(
+      'rejects invalid instanceDid %p',
+      async (bad) => {
+        await expect(withTenant(bad, async () => 'never')).rejects.toMatchObject({
+          code: TENANT_CONTEXT_MISSING,
+        });
+      }
+    );
+
+    it('throws TENANT_CONTEXT_MISSING in multi mode without context', () => {
+      asMulti();
+      try {
+        getInstanceDid();
+        throw new Error('expected getInstanceDid to throw');
+      } catch (err: any) {
+        expect(err).toBeInstanceOf(TenantError);
+        expect(err.code).toBe(TENANT_CONTEXT_MISSING);
+      }
+    });
+  });
+
+  describe('security: concurrent isolation', () => {
+    it('does not leak tenant between interleaved concurrent withTenant scopes', async () => {
+      const observed: Record<string, string[]> = { a: [], b: [] };
+      await Promise.all([
+        withTenant(TENANT_A, async () => {
+          observed.a!.push(getInstanceDid());
+          await sleep(10);
+          observed.a!.push(getInstanceDid());
+          await sleep(20);
+          observed.a!.push(getInstanceDid());
+        }),
+        withTenant(TENANT_B, async () => {
+          observed.b!.push(getInstanceDid());
+          await sleep(15);
+          observed.b!.push(getInstanceDid());
+          await sleep(5);
+          observed.b!.push(getInstanceDid());
+        }),
+      ]);
+      expect(observed.a).toEqual([TENANT_A, TENANT_A, TENANT_A]);
+      expect(observed.b).toEqual([TENANT_B, TENANT_B, TENANT_B]);
+    });
+  });
+
+  describe('data loss: context survives async scheduling primitives', () => {
+    it('keeps tenant across setTimeout', async () => {
+      await withTenant(TENANT_A, async () => {
+        const seen = await new Promise((resolve) => {
+          setTimeout(() => resolve(getInstanceDid()), 5);
+        });
+        expect(seen).toBe(TENANT_A);
+      });
+    });
+
+    it('keeps tenant across queueMicrotask', async () => {
+      await withTenant(TENANT_A, async () => {
+        const seen = await new Promise((resolve) => {
+          queueMicrotask(() => resolve(getInstanceDid()));
+        });
+        expect(seen).toBe(TENANT_A);
+      });
+    });
+
+    it('keeps tenant inside event emitter callbacks registered within the scope', async () => {
+      // eslint-disable-next-line global-require
+      const { EventEmitter } = require('events');
+      const emitter = new EventEmitter();
+      await withTenant(TENANT_A, async () => {
+        const seen = await new Promise((resolve) => {
+          emitter.on('ping', () => resolve(getInstanceDid()));
+          emitter.emit('ping');
+        });
+        expect(seen).toBe(TENANT_A);
+      });
+    });
+  });
+
+  describe('data damage: nesting and immutability', () => {
+    it('restores outer tenant after a nested withTenant exits', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(getInstanceDid()).toBe(TENANT_A);
+        await withTenant(TENANT_B, async () => {
+          expect(getInstanceDid()).toBe(TENANT_B);
+        });
+        expect(getInstanceDid()).toBe(TENANT_A);
+      });
+    });
+
+    it('prevents fn from mutating the stored context to affect sibling calls', async () => {
+      await withTenant(TENANT_A, async () => {
+        const ctx = context.getContext() as any;
+        try {
+          ctx.instanceDid = TENANT_B;
+        } catch {
+          // frozen object throws in strict mode — either way the mutation must not stick
+        }
+        expect(getInstanceDid()).toBe(TENANT_A);
+      });
+    });
+  });
+
+  describe('data leak: single mode default fill', () => {
+    it('falls back to the configured app DID in single mode', () => {
+      delete process.env.PAYMENT_TENANT_MODE;
+      // jest globalSetup configures BLOCKLET_APP_PID with the test wallet address
+      expect(getInstanceDid()).toBe(getDefaultInstanceDid());
+      expect(getDefaultInstanceDid()).toBe(process.env.BLOCKLET_APP_PID);
+      expect(getDefaultInstanceDid()).not.toBe(TENANT_A);
+      expect(getDefaultInstanceDid()).not.toBe(TENANT_B);
+    });
+
+    it('never leaks a tenant injected by another scope into the default', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(getInstanceDid()).toBe(TENANT_A);
+      });
+      // outside any scope, single mode returns the app DID again
+      expect(getInstanceDid()).toBe(getDefaultInstanceDid());
+    });
+  });
+});