payment-kit 1.29.1 → 1.29.3

package/api/tests/models/tenant-columns.spec.ts

@@ -0,0 +1,161 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { TENANT_TABLES } from '../../src/store/tenant-tables';
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const TENANT_MIGRATION = '20260610-tenant-columns';
+// pin the chain to phase 1: phase 2 (tenant backfill) intentionally rebuilds
+// some tables with NOT NULL + composite uniques, which this spec must not see
+const upToPhase1 = (umzug: Umzug<any>) => umzug.up({ to: `${TENANT_MIGRATION}.js` } as any);
+
+function createHarness(storagePath: string) {
+  const sequelize = new Sequelize({ dialect: 'sqlite', storage: storagePath, logging: false });
+  const umzug = new Umzug({
+    migrations: {
+      glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+      resolve: ({ name, path: migrationPath, context }) => {
+        // eslint-disable-next-line import/no-dynamic-require, global-require
+        const migration = require(migrationPath!);
+        return {
+          name: name.replace(/\.ts$/, '.js'),
+          up: () => migration.up({ context }),
+          down: () => migration.down({ context }),
+        };
+      },
+    },
+    context: sequelize.getQueryInterface(),
+    storage: new SequelizeStorage({ sequelize }),
+    logger: undefined,
+  });
+  return { sequelize, umzug };
+}
+
+async function tableColumns(sequelize: Sequelize, table: string): Promise<Record<string, any>[]> {
+  const [rows] = await sequelize.query(`PRAGMA table_info(${table})`);
+  return rows as Record<string, any>[];
+}
+
+describe('tenant columns migration (phase 1)', () => {
+  let dir: string;
+  let dbPath: string;
+  let harness: ReturnType<typeof createHarness>;
+
+  beforeEach(() => {
+    dir = fs.mkdtempSync(path.join(os.tmpdir(), 'tenant-columns-'));
+    dbPath = path.join(dir, 'test.db');
+    harness = createHarness(dbPath);
+  });
+
+  afterEach(async () => {
+    await harness.sequelize.close();
+    fs.rmSync(dir, { recursive: true, force: true });
+  });
+
+  describe('happy path', () => {
+    it('adds a nullable instance_did column to all 38 tenant tables', async () => {
+      await upToPhase1(harness.umzug);
+      for (const table of TENANT_TABLES) {
+        // eslint-disable-next-line no-await-in-loop
+        const columns = await tableColumns(harness.sequelize, table);
+        const column = columns.find((c) => c.name === 'instance_did');
+        expect({ table, found: Boolean(column) }).toEqual({ table, found: true });
+        expect({ table, notnull: column!.notnull }).toEqual({ table, notnull: 0 });
+        expect({ table, dflt: column!.dflt_value ?? null }).toEqual({ table, dflt: null });
+      }
+    }, 60000);
+
+    // "model layer exposes instance_did" lives in tenant-columns-model.spec.ts:
+    // initializing the model singletons here would mutate GENESIS_ATTRIBUTES
+    // (associations add FK clauses) and corrupt the migration harness below.
+  });
+
+  describe('bad input: re-running up is idempotent', () => {
+    it('skips existing columns without error and without duplicating them', async () => {
+      await upToPhase1(harness.umzug);
+      // call the migration's up() directly a second time, bypassing umzug bookkeeping
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(path.join(STORE_DIR, 'migrations', `${TENANT_MIGRATION}.ts`));
+      await migration.up({ context: harness.sequelize.getQueryInterface() });
+      const columns = await tableColumns(harness.sequelize, 'customers');
+      expect(columns.filter((c) => c.name === 'instance_did')).toHaveLength(1);
+    }, 60000);
+  });
+
+  describe('security: migration is built from static literals only', () => {
+    it('contains no env/config interpolation into SQL identifiers', () => {
+      const migrationSource = fs.readFileSync(path.join(STORE_DIR, 'migrations', `${TENANT_MIGRATION}.ts`), 'utf8');
+      expect(migrationSource).not.toContain('process.env');
+      expect(migrationSource).not.toContain('globalThis');
+      const listSource = fs.readFileSync(path.join(STORE_DIR, 'tenant-tables.ts'), 'utf8');
+      expect(listSource).not.toContain('process.env');
+      // every table entry is a quoted literal
+      const entries = listSource.match(/^\s*'[a-z_]+',$/gm) || [];
+      expect(entries.length).toBe(38);
+    });
+  });
+
+  describe('data loss / data damage: existing rows survive up and down', () => {
+    it('preserves pre-existing rows and their values through up, and through down', async () => {
+      // migrate to just before the tenant migration, then seed
+      await upToPhase1(harness.umzug);
+      await harness.umzug.down(); // revert the tenant column migration
+
+      const qi = harness.sequelize.getQueryInterface();
+      const now = new Date().toISOString();
+      await qi.bulkInsert('customers', [
+        {
+          id: 'cus_phase1_test1',
+          livemode: 0,
+          did: 'z-did-phase1-1',
+          delinquent: 0,
+          created_at: now,
+          updated_at: now,
+        },
+      ]);
+
+      // up: row survives, all original values intact, instance_did = NULL
+      await upToPhase1(harness.umzug);
+      const [afterUp] = await harness.sequelize.query(
+        "SELECT id, livemode, did, delinquent, instance_did FROM customers WHERE id = 'cus_phase1_test1'"
+      );
+      expect(afterUp).toHaveLength(1);
+      const row = (afterUp as any[])[0];
+      expect(row.did).toBe('z-did-phase1-1');
+      expect(row.livemode).toBe(0);
+      expect(row.instance_did).toBeNull();
+
+      // down: column removed, row and non-tenant values still intact
+      await harness.umzug.down();
+      const columns = await tableColumns(harness.sequelize, 'customers');
+      expect(columns.find((c) => c.name === 'instance_did')).toBeUndefined();
+      const [afterDown] = await harness.sequelize.query("SELECT id, did FROM customers WHERE id = 'cus_phase1_test1'");
+      expect(afterDown).toHaveLength(1);
+      expect((afterDown as any[])[0].did).toBe('z-did-phase1-1');
+    }, 120000);
+  });
+
+  describe('data leak: the new column is never auto-filled', () => {
+    it('defaults to NULL for rows written without an explicit tenant', async () => {
+      await upToPhase1(harness.umzug);
+      const qi = harness.sequelize.getQueryInterface();
+      const now = new Date().toISOString();
+      await qi.bulkInsert('products', [
+        {
+          id: 'prod_phase1_leak',
+          livemode: 0,
+          active: 1,
+          name: 'leak-check',
+          type: 'service',
+          created_at: now,
+          updated_at: now,
+        },
+      ]);
+      const [rows] = await harness.sequelize.query("SELECT instance_did FROM products WHERE id = 'prod_phase1_leak'");
+      expect((rows as any[])[0].instance_did).toBeNull();
+    }, 60000);
+  });
+});

package/api/tests/queues/credit-consume-batch.spec.ts

@@ -68,7 +68,14 @@ jest.mock('../../src/libs/queue', () => {
     delete: jest.fn().mockResolvedValue(undefined),
     on: jest.fn(),
   };
-  return jest.fn().mockReturnValue(mockQueue);
+  const factory: any = jest.fn().mockReturnValue(mockQueue);
+  return {
+    __esModule: true,
+    default: factory,
+    // phase 5/6: tenant invariant helper — pass-through in these unit tests
+    // (tenant enforcement has its own suites: tenant-matrix-a/b)
+    assertJobObjectTenant: jest.fn(),
+  };
 });
 
 jest.mock('../../src/store/models', () => ({

package/api/tests/queues/credit-consume.spec.ts

@@ -71,7 +71,14 @@ jest.mock('../../src/libs/queue', () => {
     delete: jest.fn().mockResolvedValue(undefined),
     on: jest.fn(),
   };
-  return jest.fn().mockReturnValue(mockQueue);
+  const factory: any = jest.fn().mockReturnValue(mockQueue);
+  return {
+    __esModule: true,
+    default: factory,
+    // phase 5/6: tenant invariant helper — pass-through in these unit tests
+    // (tenant enforcement has its own suites: tenant-matrix-a/b)
+    assertJobObjectTenant: jest.fn(),
+  };
 });
 
 jest.mock('../../src/store/models', () => ({

package/api/tests/queues/event-tenant.spec.ts

@@ -0,0 +1,292 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_CONTEXT_MISSING, TENANT_MISMATCH } from '../../src/libs/tenant';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+// neutralize the queue engine: real createQueue scans the jobs table on
+// import (crash-recovery), which races against this suite's temp DB lifecycle
+jest.mock('../../src/libs/queue', () => ({
+  __esModule: true,
+  default: () => ({
+    push: jest.fn(),
+    pushAndWait: jest.fn(),
+    cancel: jest.fn(),
+    on: jest.fn(),
+    get: jest.fn().mockResolvedValue(null),
+  }),
+}));
+
+// the five delivery paths are exercised against mocks for transport pieces
+const addWebhookJob = jest.fn().mockResolvedValue(true);
+jest.mock('../../src/queues/webhook', () => {
+  const actual = jest.requireActual('../../src/queues/webhook');
+  return { ...actual, addWebhookJob: (...args: any[]) => addWebhookJob(...args) };
+});
+
+const componentRequest = jest.fn().mockResolvedValue({ status: 200, data: { ok: true } });
+jest.mock('@blocklet/sdk/lib/util/component-api', () => ({
+  __esModule: true,
+  default: { request: (...args: any[]) => componentRequest(...args) },
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'event-tenant-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let models: any;
+let handleEvent: any;
+let handleWebhook: any;
+let assertEventTenantAccessible: any;
+let startEventQueue: any;
+let eventQueue: any;
+let getInstanceDid: any;
+let logger: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  models = require('../../src/store/models');
+  models.initialize(sequelize);
+  // eslint-disable-next-line global-require
+  ({ handleEvent, startEventQueue, eventQueue } = require('../../src/queues/event'));
+  // eslint-disable-next-line global-require
+  ({ getInstanceDid } = require('../../src/libs/context'));
+  // eslint-disable-next-line global-require
+  ({ handleWebhook } = jest.requireActual('../../src/queues/webhook'));
+  // eslint-disable-next-line global-require
+  ({ assertEventTenantAccessible } = require('../../src/routes/hono/events'));
+  // eslint-disable-next-line global-require
+  logger = require('../../src/libs/logger').default;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+const seedEvent = (tenant: string, type = 'customer.updated') =>
+  withTenant(tenant, () =>
+    models.Event.create({
+      type,
+      instance_did: tenant,
+      api_version: 'test',
+      livemode: false,
+      object_id: 'obj_1',
+      object_type: 'customer',
+      data: { object: { id: 'obj_1' } },
+      request: { id: '', idempotency_key: '', requested_by: 'test' },
+      metadata: {},
+      pending_webhooks: 99,
+    })
+  );
+
+const seedEndpoint = (tenant: string, url: string) =>
+  withTenant(tenant, () =>
+    models.WebhookEndpoint.create({
+      instance_did: tenant,
+      livemode: false,
+      url,
+      description: 'test',
+      status: 'enabled',
+      enabled_events: ['customer.updated'],
+      secret: 'whsec_test',
+      api_version: 'test',
+    })
+  );
+
+beforeEach(async () => {
+  jest.clearAllMocks();
+  await sequelize.query('DELETE FROM events');
+  await sequelize.query('DELETE FROM webhook_endpoints');
+  await sequelize.query('DELETE FROM webhook_attempts');
+});
+
+describe('event delivery tenant isolation (phase 4)', () => {
+  describe('path 1 fanout (queues/event.ts): only same-tenant endpoints scheduled', () => {
+    it('A event fans out to A endpoint only, B endpoint untouched', async () => {
+      const event = await seedEvent(TENANT_A);
+      const endpointA = await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+      await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+
+      await handleEvent({ eventId: event.id });
+
+      expect(addWebhookJob).toHaveBeenCalledTimes(1);
+      expect(addWebhookJob).toHaveBeenCalledWith(event.id, endpointA.id, expect.anything());
+    });
+  });
+
+  describe('path 2 delivery handler (queues/webhook.ts): tenant invariant', () => {
+    it('forged job pairing A event with B endpoint is refused without an attempt row', async () => {
+      const event = await seedEvent(TENANT_A);
+      const endpointB = await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+
+      await handleWebhook({ eventId: event.id, webhookId: endpointB.id });
+
+      expect(componentRequest).not.toHaveBeenCalled();
+      const [attempts] = await sequelize.query('SELECT COUNT(*) AS n FROM webhook_attempts');
+      expect((attempts as any[])[0].n).toBe(0);
+      expect(logger.error).toHaveBeenCalledWith(
+        expect.stringContaining('tenant mismatch'),
+        expect.objectContaining({ code: TENANT_MISMATCH })
+      );
+    });
+
+    it('same-tenant delivery succeeds and the attempt row carries the tenant', async () => {
+      const event = await seedEvent(TENANT_A);
+      const endpointA = await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+
+      await handleWebhook({ eventId: event.id, webhookId: endpointA.id });
+
+      expect(componentRequest).toHaveBeenCalledTimes(1);
+      const [attempts] = await sequelize.query('SELECT status, instance_did FROM webhook_attempts');
+      expect(attempts).toEqual([{ status: 'succeeded', instance_did: TENANT_A }]);
+    });
+  });
+
+  describe('paths 3+4 manual retry routes: caller tenant guard', () => {
+    it('A caller cannot retry a B event (TENANT_MISMATCH -> 4xx mapping)', async () => {
+      await withTenant(TENANT_A, () => {
+        expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).toThrow(
+          expect.objectContaining({ code: TENANT_MISMATCH })
+        );
+      });
+    });
+
+    it('multi mode without caller context fails closed', () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      try {
+        expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).toThrow(
+          expect.objectContaining({ code: TENANT_CONTEXT_MISSING })
+        );
+      } finally {
+        delete process.env.PAYMENT_TENANT_MODE;
+      }
+    });
+
+    it('same-tenant caller passes the guard', async () => {
+      await withTenant(TENANT_B, () => {
+        expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).not.toThrow();
+      });
+    });
+
+    it('retry fanout never schedules the other tenant endpoint (paths 3+4 data leak)', async () => {
+      // same shape the retry routes use after their tenant guard: endpoint
+      // query scoped by caller tenant -> B endpoint invisible to A
+      await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+      await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+      const visible = await withTenant(TENANT_A, () =>
+        models.WebhookEndpoint.findAll({
+          where: { status: 'enabled', livemode: false, instance_did: TENANT_A },
+        })
+      );
+      expect(visible).toHaveLength(1);
+      expect(visible[0].url).toBe('http://a.example.com/hook');
+    });
+  });
+
+  describe('path 5 pending scan (crons/retry-pending-events.ts)', () => {
+    it('re-enqueued events still fan out tenant-filtered (transitively via handleEvent)', async () => {
+      // the cron only re-enqueues IDs; prove the downstream filter holds for a
+      // B event when both tenants have endpoints
+      const event = await seedEvent(TENANT_B);
+      await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+      const endpointB = await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+
+      await handleEvent({ eventId: event.id });
+
+      expect(addWebhookJob).toHaveBeenCalledTimes(1);
+      expect(addWebhookJob).toHaveBeenCalledWith(event.id, endpointB.id, expect.anything());
+    });
+  });
+
+  describe('startup recovery (startEventQueue): pending-webhook events re-enqueued under their tenant', () => {
+    const ORIGINAL_MODE = process.env.PAYMENT_TENANT_MODE;
+    afterEach(() => {
+      if (ORIGINAL_MODE === undefined) delete process.env.PAYMENT_TENANT_MODE;
+      else process.env.PAYMENT_TENANT_MODE = ORIGINAL_MODE;
+    });
+
+    // Regression: in multi mode startup has NO ambient tenant. The old recovery
+    // pushed outside withTenant (and fetched only id), so injectJobTenant ->
+    // getInstanceDid threw TENANT_CONTEXT_MISSING — a FATAL unhandledRejection
+    // that crashed the daemon. The push must run inside withTenant(event tenant).
+    it('multi mode: recovers a pending event INSIDE its tenant context (no crash)', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      const event = await seedEvent(TENANT_A);
+
+      let tenantAtPush: string | undefined;
+      let threwAtPush = false;
+      (eventQueue.push as jest.Mock).mockImplementationOnce(() => {
+        try {
+          tenantAtPush = getInstanceDid(); // would THROW in multi mode if outside withTenant
+        } catch {
+          threwAtPush = true;
+        }
+      });
+
+      await expect(startEventQueue()).resolves.toBeUndefined();
+      expect(eventQueue.push).toHaveBeenCalledWith(
+        expect.objectContaining({ id: event.id, job: { eventId: event.id } })
+      );
+      expect(threwAtPush).toBe(false);
+      expect(tenantAtPush).toBe(TENANT_A);
+    });
+
+    // A row with no tenant cannot be re-stamped — skip it (warn), never crash.
+    it('multi mode: a tenant-less pending event is skipped, not pushed', async () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      const event = await seedEvent(TENANT_A);
+      // null out the tenant directly (bypass the scoped writer)
+      await sequelize.query('UPDATE events SET instance_did = NULL WHERE id = $id', {
+        bind: { id: event.id },
+      });
+
+      await expect(startEventQueue()).resolves.toBeUndefined();
+      expect(eventQueue.push).not.toHaveBeenCalled();
+      expect(logger.warn).toHaveBeenCalledWith(
+        'skip pending-webhook event with no tenant',
+        expect.objectContaining({ id: event.id })
+      );
+    });
+  });
+
+  describe('data damage: retry keeps the original tenant', () => {
+    it('failed delivery writes a failed attempt under the event tenant', async () => {
+      componentRequest.mockRejectedValueOnce(Object.assign(new Error('boom'), { response: { status: 500 } }));
+      const event = await seedEvent(TENANT_A);
+      const endpointA = await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+
+      await handleWebhook({ eventId: event.id, webhookId: endpointA.id });
+
+      const [attempts] = await sequelize.query('SELECT status, instance_did FROM webhook_attempts');
+      expect(attempts).toEqual([{ status: 'failed', instance_did: TENANT_A }]);
+    });
+  });
+});

package/api/tests/queues/exchange-rate-health-tenant-d6.spec.ts

@@ -0,0 +1,62 @@
+// D6 — the exchange-rate-health schedule carries its tenant in the job PAYLOAD,
+// so the re-schedule (on 'finished', which fires OUTSIDE any withTenant scope)
+// stays under the correct tenant without relying on the ALS context. In multi
+// mode a tenant-less push would throw TENANT_CONTEXT_MISSING.
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+const pushed: any[] = [];
+let finishedListener: ((data: any) => void) | undefined;
+
+jest.mock('../../src/libs/queue', () => ({
+  __esModule: true,
+  default: () => ({
+    push: (p: any) => {
+      pushed.push(p);
+      return { on: jest.fn() };
+    },
+    on: (ev: string, cb: any) => {
+      if (ev === 'finished') finishedListener = cb;
+    },
+    pushAndWait: jest.fn(),
+    cancel: jest.fn(),
+    get: jest.fn(),
+    store: { addJob: jest.fn(), getScheduledJobs: jest.fn().mockResolvedValue([]) },
+    stop: jest.fn(),
+  }),
+}));
+
+import { scheduleHealthChecks } from '../../src/queues/exchange-rate-health';
+
+describe('D6 — exchange-rate-health carries the tenant in the job payload', () => {
+  beforeEach(() => {
+    pushed.length = 0;
+  });
+
+  it('the initial schedule pushes a job tagged with instance_did', () => {
+    scheduleHealthChecks('did:abt:zHEALTHA');
+    expect(pushed.length).toBe(1);
+    expect(pushed[0].job.instance_did).toBe('did:abt:zHEALTHA');
+    expect(pushed[0].persist).toBe(true);
+  });
+
+  it('the re-schedule preserves the FINISHED job’s tenant (no ALS reliance)', () => {
+    scheduleHealthChecks('did:abt:zHEALTHA');
+    expect(finishedListener).toBeDefined();
+    pushed.length = 0;
+    // simulate a finished job that belonged to tenant B — the next schedule must
+    // be for B, taken from the job payload, NOT from any ambient context.
+    finishedListener!({ job: { type: 'health_check', timestamp: 1, instance_did: 'did:abt:zHEALTHB' } });
+    expect(pushed.length).toBe(1);
+    expect(pushed[0].job.instance_did).toBe('did:abt:zHEALTHB');
+  });
+
+  it('single mode (no instanceDid) pushes without a forced tenant (default-tenant fallback applies)', () => {
+    scheduleHealthChecks(undefined);
+    expect(pushed.length).toBe(1);
+    expect(pushed[0].job.instance_did).toBeUndefined(); // injectJobTenant uses the default tenant in single
+  });
+});