payment-kit 1.29.1 → 1.29.3

package/api/tests/service/fail-closed-http.spec.ts

@@ -0,0 +1,79 @@
+// TM-4 (frontend-serve P4) — MANDATORY fail-closed regression lock.
+//
+// Project principle #1: in multi-tenant mode a request with no resolvable
+// Host/tenant context MUST fail closed (4xx), never fall back to APP_PID/default
+// tenant. P4 wires a host static/SPA handler onto the full node hono app (after
+// the api/connect routes). This lock proves that slot did NOT weaken the API
+// gate: with createNodeStaticHandler attached, an /api/* request from an unbound
+// host still 400s with TENANT_HOST_UNRESOLVED. Runs in did-pay (no arc dev
+// runtime) — the same buildHonoApp + contextMiddleware the production svc uses.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+import { Hono } from 'hono';
+
+import { getInstanceDid } from '../../src/libs/context';
+import { createDefaultIdentityDriver, type IdentityDriver, setIdentityDriver } from '../../src/libs/drivers/identity';
+import { contextMiddleware, ensureI18n } from '../../src/middlewares/hono/context';
+import { createNodeStaticHandler } from '../../src/host-node/serve-static-arc';
+import { buildHonoApp } from '../../src/service';
+
+const BOUND = 'did:abt:zBOUNDTENANTAAAAAAAAAAAAAAAAAA';
+const identity: IdentityDriver = {
+  resolveInstanceDidForHost: (host) => (host === 'bound.example' ? BOUND : null),
+};
+
+let webRoot: string;
+beforeAll(() => {
+  webRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'tm4-web-'));
+  fs.writeFileSync(path.join(webRoot, 'index.html'), '<!doctype html><div id="app"></div>');
+});
+afterAll(() => fs.rmSync(webRoot, { recursive: true, force: true }));
+afterEach(() => {
+  delete process.env.PAYMENT_TENANT_MODE;
+  setIdentityDriver(createDefaultIdentityDriver());
+});
+
+// the production wiring: native pipeline (with the Host→tenant contextMiddleware)
+// + the host static/SPA slot attached last (exactly buildHonoApp's 3rd arg).
+function buildAppWithStatic(): Hono {
+  return buildHonoApp(
+    (native) => {
+      native.use('*', ensureI18n());
+      native.use('*', contextMiddleware());
+      native.get('/api/settings', (c) => c.json({ tenant: getInstanceDid() }));
+    },
+    undefined,
+    createNodeStaticHandler(webRoot)
+  );
+}
+
+describe('TM-4 — static slot must not weaken the multi-tenant API gate (P4)', () => {
+  it('multi mode, UNBOUND host: /api/settings → 400 fail-closed (no default-tenant fallback)', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+    const app = buildAppWithStatic();
+    const res = await app.fetch(new Request('http://unbound.example/api/settings', { headers: { host: 'unbound.example' } }));
+    expect(res.status).toBe(400);
+    expect((await res.json()).error.code).toBe('TENANT_HOST_UNRESOLVED');
+  });
+
+  it('multi mode, BOUND host: /api/settings resolves its tenant (gate passes, slot present)', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+    const app = buildAppWithStatic();
+    const res = await app.fetch(new Request('http://bound.example/api/settings', { headers: { host: 'bound.example' } }));
+    expect(res.status).toBe(200);
+    expect((await res.json()).tenant).toBe(BOUND);
+  });
+
+  it('the static slot still serves the SPA shell (html GET) — coexists with the gate', async () => {
+    process.env.PAYMENT_TENANT_MODE = 'multi';
+    setIdentityDriver(identity);
+    const app = buildAppWithStatic();
+    const res = await app.fetch(new Request('http://bound.example/admin', { headers: { host: 'bound.example', accept: 'text/html' } }));
+    expect(res.status).toBe(200);
+    expect(await res.text()).toContain('<div id="app">');
+  });
+});

package/api/tests/service/static-arc-handler.spec.ts

@@ -0,0 +1,101 @@
+// P3b (README D3 / F3) — arc-node clean static/SPA handler.
+//
+// Drives createNodeStaticHandler over a real temp webRoot through buildHonoApp's
+// staticHandler slot (the same wiring arc uses), via in-process app.fetch.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+import { buildHonoApp } from '../../src/service';
+import { createNodeStaticHandler } from '../../src/host-node/serve-static-arc';
+
+let webRoot: string;
+
+beforeAll(() => {
+  webRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'arc-webroot-'));
+  fs.mkdirSync(path.join(webRoot, 'assets'), { recursive: true });
+  // index.html with a build-time bootstrap already baked in (P2) — the handler
+  // must serve this VERBATIM, no server-side re-injection.
+  fs.writeFileSync(
+    path.join(webRoot, 'index.html'),
+    '<!doctype html><html><head><script>window.blocklet={prefix:"/.well-known/payment"}</script></head><body><div id="app"></div></body></html>'
+  );
+  fs.writeFileSync(path.join(webRoot, 'assets', 'app.js'), 'console.log("asset")');
+});
+
+afterAll(() => {
+  fs.rmSync(webRoot, { recursive: true, force: true });
+});
+
+const appWith = () => buildHonoApp(undefined, undefined, createNodeStaticHandler(webRoot));
+
+describe('P3b — createNodeStaticHandler', () => {
+  it('bad-input: throws at construction when webRoot has no index.html', () => {
+    const empty = fs.mkdtempSync(path.join(os.tmpdir(), 'arc-empty-'));
+    expect(() => createNodeStaticHandler(empty)).toThrow(/no index\.html/);
+    fs.rmSync(empty, { recursive: true, force: true });
+  });
+
+  it('happy: root + deep link return index.html, asset hits the file', async () => {
+    const app = appWith();
+    const root = await app.fetch(new Request('http://h/', { headers: { accept: 'text/html' } }));
+    expect(root.status).toBe(200);
+    expect(await root.text()).toContain('<div id="app">');
+
+    const deep = await app.fetch(new Request('http://h/admin', { headers: { accept: 'text/html' } }));
+    expect(deep.status).toBe(200);
+    expect(await deep.text()).toContain('<!doctype html');
+
+    const asset = await app.fetch(new Request('http://h/assets/app.js'));
+    expect(asset.status).toBe(200);
+    expect(await asset.text()).toContain('console.log("asset")');
+  });
+
+  it('bad-input: non-GET / non-html accept does not return index.html', async () => {
+    const app = appWith();
+    const post = await app.fetch(new Request('http://h/admin', { method: 'POST', headers: { accept: 'text/html' } }));
+    expect(post.status).not.toBe(200);
+    const json = await app.fetch(new Request('http://h/admin', { headers: { accept: 'application/json' } }));
+    expect(await json.text()).not.toContain('<!doctype html');
+  });
+
+  it('security: asset miss → 404, NOT index.html (RESOURCE_PATTERN, T3b.2)', async () => {
+    const app = appWith();
+    const miss = await app.fetch(new Request('http://h/assets/nope.js'));
+    expect(miss.status).toBe(404);
+    expect(await miss.text()).not.toContain('<!doctype html');
+  });
+
+  it('security: path traversal never leaks out-of-webRoot files (asset-typed → 404; SPA-typed → index.html, never passwd)', async () => {
+    const app = appWith();
+    const indexHtml = fs.readFileSync(path.join(webRoot, 'index.html'), 'utf8');
+    // asset-typed traversal (serveStatic must reject, never serve outside webRoot)
+    for (const p of ['/assets/..%2f..%2f..%2f..%2fetc%2fpasswd.js', '/assets/../../../../etc/hosts.css']) {
+      const res = await app.fetch(new Request(`http://h${p}`));
+      const body = await res.text();
+      expect(body).not.toMatch(/root:.*:0:0:/); // no /etc/passwd content
+      expect(res.status).toBe(404); // miss, not a leaked file
+    }
+    // SPA-typed traversal (no asset extension) → safe app shell, NOT a host file
+    const spa = await app.fetch(new Request('http://h/../../../../etc/passwd', { headers: { accept: 'text/html' } }));
+    const spaBody = await spa.text();
+    expect(spaBody).not.toMatch(/root:.*:0:0:/);
+    expect(spaBody === indexHtml || spa.status === 404).toBe(true);
+  });
+
+  it('data-loss: /api/* is NOT swallowed by the static handler (wired last)', async () => {
+    const app = appWith();
+    const res = await app.fetch(new Request('http://h/api/healthz'));
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ ok: true });
+  });
+
+  it('data-leak: index.html is served VERBATIM — exactly one window.blocklet (no server-side re-inject, TM-3)', async () => {
+    const app = appWith();
+    const res = await app.fetch(new Request('http://h/dashboard', { headers: { accept: 'text/html' } }));
+    const html = await res.text();
+    expect((html.match(/window\.blocklet\s*=/g) || []).length).toBe(1);
+    // byte-identical to the build artifact
+    expect(html).toBe(fs.readFileSync(path.join(webRoot, 'index.html'), 'utf8'));
+  });
+});

package/api/tests/service/static-externalized.spec.ts

@@ -0,0 +1,48 @@
+// S3-CF Phase 1 inversion ① — static/SPA shell externalized from buildHonoApp.
+//
+// The runtime-neutral hono app must NOT wire node-only static serving
+// (@hono/node-server/serve-static + the node:fs fallback) itself — that is what
+// kept `http.fetch` node-bound and forced the CF worker onto a second surface.
+// Instead the HOST injects a `staticHandler` (node blocklet-server replicates
+// today's serving; the CF/standalone worker serves assets via env.ASSETS and
+// injects nothing). This spec locks the delegation.
+import { Hono } from 'hono';
+import { buildHonoApp } from '../../src/service';
+
+describe('Phase 1 (S3-CF) — static/SPA shell externalized from buildHonoApp', () => {
+  it('serves no static itself — an unmatched html GET 404s when no staticHandler is given', async () => {
+    const app = buildHonoApp();
+    const res = await app.fetch(
+      new Request('http://app.local/some/spa/deeplink', { headers: { accept: 'text/html' } })
+    );
+    // No SPA fallback is wired into the neutral app; the host owns it.
+    expect(res.status).toBe(404);
+  });
+
+  it('invokes the host-provided staticHandler exactly once with the app, after the api/connect routes', async () => {
+    let called = 0;
+    let received: unknown;
+    const app = buildHonoApp(undefined, undefined, (a: Hono) => {
+      called += 1;
+      received = a;
+      a.get('/__host_static_probe', (c) => c.text('served-by-host'));
+    });
+
+    expect(called).toBe(1);
+    expect(received).toBe(app);
+
+    const res = await app.fetch(new Request('http://app.local/__host_static_probe'));
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe('served-by-host');
+  });
+
+  it('keeps /api/healthz reachable even with a host staticHandler wired last', async () => {
+    const app = buildHonoApp(undefined, undefined, (a: Hono) => {
+      a.use('*', async (c) => c.text('static-catchall'));
+    });
+    const res = await app.fetch(new Request('http://app.local/api/healthz'));
+    // healthz is registered before the host static catch-all, so it still wins.
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ ok: true });
+  });
+});

package/api/tests/store/tenant-crosscut.spec.ts

@@ -0,0 +1,202 @@
+// Phase 6 (W1′) — cross-cutting tenant isolation CI (two engines, blocking).
+//
+// Not per-route: assert the SAME read-isolation invariant over the WHOLE tenant
+// model surface generically, on BOTH engines:
+//   - real Sequelize (Node): every one of the 38 tenant models — a bare
+//     findAll returns only the active tenant's rows, and a cross-tenant
+//     findByPk returns null (§13.1). Rows are seeded with a raw INSERT (driven
+//     by PRAGMA table_info) so the crosscut is model-agnostic — it exercises
+//     the scoping, not each model's business validators/hooks.
+//   - sequelize-d1 shim (worker): the same invariant on the shim base.
+//   - index hit: a WHERE instance_did = ? equality predicate uses the
+//     idx_<table>_instance_did index (SEARCH), not a full SCAN.
+import { DatabaseSync } from 'node:sqlite';
+import { DataTypes, Sequelize } from 'sequelize';
+
+import { getDefaultInstanceDid, withTenant } from '../../src/libs/context';
+import { makeTenantModel } from '../../src/store/tenant-model';
+import realModels, { Coupon, initialize } from '../../src/store/models';
+import { TENANT_TABLES } from '../../src/store/tenant-tables';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+const TENANT_TABLE_SET = new Set(TENANT_TABLES);
+const sequelize = new Sequelize('sqlite::memory:', { logging: false });
+initialize(sequelize);
+
+beforeAll(async () => {
+  await sequelize.sync({ force: true });
+  // raw seeding uses dummy FK values; this test exercises tenant scoping, not
+  // referential integrity, so disable FK enforcement for the inserts.
+  await sequelize.query('PRAGMA foreign_keys = OFF');
+});
+afterAll(() => sequelize.close());
+
+function dummyForSqlType(type: string, seed: string): string | number {
+  const t = (type || '').toUpperCase();
+  if (/INT/.test(t)) return 0;
+  if (/REAL|FLOA|DOUB|DEC|NUM/.test(t)) return 0;
+  if (/BOOL|TINYINT/.test(t)) return 0;
+  if (/DATE|TIME/.test(t)) return '2024-01-01 00:00:00.000 +00:00';
+  if (/JSON/.test(t)) return '{}';
+  // unique per row+column so a standalone UNIQUE column can't collide across the
+  // two tenant rows we insert.
+  return seed;
+}
+
+// raw-insert one row for `tenant` into `table`. Returns the value of the
+// single-column `id` PK (null when the table has a composite PK — those skip
+// the findByPk assertion and rely on findAll isolation).
+async function seedRaw(table: string, tenant: string, idVal: string): Promise<string | null> {
+  const cols = (await sequelize.query(`PRAGMA table_info("${table}")`, {
+    type: (DataTypes as any).SELECT ?? 'SELECT',
+  })) as any[];
+  const pkCols = cols.filter((c) => c.pk).map((c) => c.name);
+  const values: Record<string, any> = { instance_did: tenant };
+  for (const c of cols) {
+    if (c.name === 'instance_did') continue;
+    const required = c.notnull === 1 && c.dflt_value === null;
+    if (c.pk) values[c.name] = idVal;
+    else if (required) values[c.name] = dummyForSqlType(c.type, `${idVal}-${c.name}`);
+  }
+  const names = Object.keys(values);
+  await sequelize.query(
+    `INSERT INTO "${table}" (${names.map((n) => `"${n}"`).join(',')}) VALUES (${names.map((n) => `:${n}`).join(',')})`,
+    { replacements: values }
+  );
+  return pkCols.length === 1 && pkCols[0] === 'id' ? idVal : null;
+}
+
+const tenantModels = Object.values<any>(realModels).filter((m) => TENANT_TABLE_SET.has(m.tableName));
+
+describe('cross-cut read isolation over all tenant models (real Sequelize)', () => {
+  it('covers all 38 tenant tables', () => {
+    expect(tenantModels.length).toBe(38);
+  });
+
+  it.each(tenantModels.map((m) => [m.tableName, m]))(
+    '%s: bare findAll returns only active tenant rows; cross-tenant findByPk -> null',
+    async (table: string, Model: any) => {
+      const idA = await seedRaw(table, TENANT_A, `a-${table}`);
+      const idB = await seedRaw(table, TENANT_B, `b-${table}`);
+
+      // bare findAll under A returns ONLY A's rows — no B row leaks
+      const aRows: any[] = await withTenant(TENANT_A, () => Model.findAll());
+      expect(aRows.length).toBeGreaterThan(0);
+      expect(aRows.every((r) => r.instance_did === TENANT_A)).toBe(true);
+
+      // cross-tenant findByPk -> null (not-found, §13.1); same-tenant works.
+      // composite-PK tables (idA/idB null) rely on the findAll isolation above.
+      if (idA && idB) {
+        expect(await withTenant(TENANT_A, () => Model.findByPk(idB))).toBeNull();
+        expect(await withTenant(TENANT_A, () => Model.findByPk(idA))).not.toBeNull();
+      }
+    }
+  );
+});
+
+// ---------------------------------------------------------------------------
+// Second engine: the sequelize-d1 shim (worker runtime) over a node:sqlite fake
+// D1 — the SAME makeTenantModel mechanism on the OTHER base class.
+// ---------------------------------------------------------------------------
+function makeFakeD1(db: DatabaseSync) {
+  const prepare = (sql: string) => {
+    let bound: any[] = [];
+    const stmt: any = {
+      __sql: sql,
+      bind: (...vals: any[]) => {
+        bound = vals;
+        return stmt;
+      },
+      all: () => ({ results: db.prepare(sql).all(...bound), meta: {} }),
+      run: () => {
+        const r = db.prepare(sql).run(...bound);
+        return { meta: { changes: Number(r.changes), last_row_id: Number(r.lastInsertRowid) } };
+      },
+      first: () => db.prepare(sql).get(...bound) ?? null,
+    };
+    return stmt;
+  };
+  return {
+    prepare,
+    batch: async (stmts: any[]) =>
+      stmts.map((s) => {
+        if (/^\s*SELECT/i.test(s.__sql)) return s.all();
+        s.run();
+        return { results: [], meta: {} };
+      }),
+  };
+}
+
+describe('cross-cut read isolation on the sequelize-d1 shim engine', () => {
+  let ShimWidget: any;
+  const TABLE = 'coupons'; // a real tenant table so isTenantTable() is true and the shim scopes
+
+  beforeAll(() => {
+    // eslint-disable-next-line global-require, import/no-dynamic-require, @typescript-eslint/no-var-requires
+    const shim = require('../../../cloudflare/shims/sequelize-d1');
+    const db = new DatabaseSync(':memory:');
+    db.exec(`CREATE TABLE ${TABLE} (id TEXT PRIMARY KEY, instance_did TEXT, name TEXT)`);
+    shim.setDB(makeFakeD1(db));
+    ShimWidget = class extends makeTenantModel(shim.Model) {};
+    ShimWidget.init(
+      { id: {}, instance_did: {}, name: {} },
+      { sequelize: { models: {} }, modelName: 'CrosscutWidget', tableName: TABLE }
+    );
+  });
+
+  it('shim: bare findAll returns only active tenant; cross-tenant findByPk -> null', async () => {
+    await withTenant(TENANT_A, () => ShimWidget.create({ id: 'a1', name: 'a' }));
+    await withTenant(TENANT_B, () => ShimWidget.create({ id: 'b1', name: 'b' }));
+
+    const aRows: any[] = await withTenant(TENANT_A, () => ShimWidget.findAll());
+    expect(aRows.map((r) => r.id)).toEqual(['a1']);
+    expect(aRows.every((r) => r.instance_did === TENANT_A)).toBe(true);
+
+    expect(await withTenant(TENANT_A, () => ShimWidget.findByPk('b1'))).toBeNull();
+    expect(await withTenant(TENANT_A, () => ShimWidget.findByPk('a1'))).not.toBeNull();
+  });
+});
+
+describe('single mode is NOT a passthrough — it injects instance_did = APP_PID', () => {
+  // The single-tenant blocklet-server safety rope: single mode does not "let
+  // bare queries through because there is only one tenant" — it scopes every
+  // query to the default tenant (BLOCKLET_APP_PID). A row stamped with a
+  // DIFFERENT instance_did must NOT be visible in single mode.
+  it('single-mode bare findAll only returns default-tenant rows, not a foreign-stamped row', async () => {
+    const savedMode = process.env.PAYMENT_TENANT_MODE;
+    process.env.PAYMENT_TENANT_MODE = 'single';
+    try {
+      const appPid = getDefaultInstanceDid(); // BLOCKLET_APP_PID in the test env
+      expect(appPid).toBeTruthy();
+      await sequelize.query('DELETE FROM coupons');
+      // one row in the default tenant, one foreign-stamped row (raw, bypassing stamp)
+      await sequelize.query(
+        `INSERT INTO coupons (id, instance_did, livemode, duration, name, created_via, created_at, updated_at)
+         VALUES ('own', :pid, 0, 'once', 'own', 'api', :ts, :ts), ('foreign', :other, 0, 'once', 'foreign', 'api', :ts, :ts)`,
+        { replacements: { pid: appPid, other: TENANT_B, ts: '2024-01-01 00:00:00.000 +00:00' } }
+      );
+      // no withTenant -> single mode default fill = APP_PID, NOT a passthrough
+      const rows: any[] = await Coupon.findAll();
+      expect(rows.map((r) => r.id)).toEqual(['own']);
+      expect(await Coupon.findByPk('foreign')).toBeNull();
+    } finally {
+      if (savedMode === undefined) delete process.env.PAYMENT_TENANT_MODE;
+      else process.env.PAYMENT_TENANT_MODE = savedMode;
+    }
+  });
+});
+
+describe('index hit: instance_did equality uses an index, not a full scan', () => {
+  it('EXPLAIN QUERY PLAN on WHERE instance_did = ? uses the idx_<table>_instance_did index', async () => {
+    // sync() does not create the migration index; create it as the Phase 2
+    // backfill migration does (idx_<table>_instance_did) and prove it is used.
+    await sequelize.query('CREATE INDEX IF NOT EXISTS idx_subscriptions_instance_did ON subscriptions(instance_did)');
+    const plan = (await sequelize.query('EXPLAIN QUERY PLAN SELECT * FROM subscriptions WHERE instance_did = :did', {
+      replacements: { did: TENANT_A },
+      type: (DataTypes as any).SELECT ?? 'SELECT',
+    })) as any[];
+    const text = JSON.stringify(plan);
+    expect(text).toMatch(/USING (COVERING )?INDEX idx_subscriptions_instance_did/);
+    expect(text).not.toMatch(/SCAN subscriptions(?! USING)/);
+  });
+});

package/api/tests/store/tenant-model-spike.spec.ts

@@ -0,0 +1,177 @@
+// SPIKE: validate the TenantModel base-class mechanism against BOTH query
+// engines in one run — real Sequelize (Node) and the sequelize-d1 shim
+// (worker). Go/No-Go for `TENANT-ISOLATION-DESIGN.md` §12.
+//
+// Proves: (a) static override + super works on both bases; (b) `this`
+// resolves to the concrete model through the extra inheritance layer (shim);
+// (c) scopeWhere idempotency absorbs the findByPk->findOne->findAll double
+// injection; (d) cross-tenant read/write/aggregate are isolated; (e) the
+// worker reads the tenant via ALS (withTenant).
+import { DatabaseSync } from 'node:sqlite';
+import { DataTypes, Model as RealModel, Sequelize } from 'sequelize';
+
+import { withTenant } from '../../src/libs/context';
+import { makeTenantModel } from '../../src/store/tenant-model';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+// 'coupons' is a real tenant table (in TENANT_TABLES) -> _isTenantTable() true.
+// We give it a minimal schema we fully control, on a throwaway DB.
+const TABLE = 'coupons';
+
+// ---------------------------------------------------------------------------
+// Base 1: real Sequelize (Node runtime)
+// ---------------------------------------------------------------------------
+describe('TenantModel over real Sequelize', () => {
+  let sequelize: Sequelize;
+  let Widget: any;
+
+  beforeAll(async () => {
+    sequelize = new Sequelize({ dialect: 'sqlite', storage: ':memory:', logging: false });
+    Widget = class extends makeTenantModel(RealModel) {};
+    Widget.init(
+      {
+        id: { type: DataTypes.STRING, primaryKey: true },
+        instance_did: { type: DataTypes.STRING },
+        name: { type: DataTypes.STRING },
+        qty: { type: DataTypes.INTEGER },
+      },
+      { sequelize, modelName: 'Widget', tableName: TABLE, timestamps: false }
+    );
+    await sequelize.sync();
+  });
+
+  afterAll(async () => {
+    await sequelize.close();
+  });
+
+  beforeEach(async () => {
+    await sequelize.query(`DELETE FROM ${TABLE}`);
+    await withTenant(TENANT_A, () => Widget.create({ id: 'a1', name: 'a-one', qty: 10 }));
+    await withTenant(TENANT_A, () => Widget.create({ id: 'a2', name: 'a-two', qty: 5 }));
+    await withTenant(TENANT_B, () => Widget.create({ id: 'b1', name: 'b-one', qty: 100 }));
+  });
+
+  it('findAll returns only the active tenant', async () => {
+    const a = await withTenant(TENANT_A, () => Widget.findAll());
+    expect(a.map((r: any) => r.id).sort()).toEqual(['a1', 'a2']);
+    const b = await withTenant(TENANT_B, () => Widget.findAll());
+    expect(b.map((r: any) => r.id)).toEqual(['b1']);
+  });
+
+  it('findByPk across tenants returns null (delegation + idempotent double-scope)', async () => {
+    expect(await withTenant(TENANT_A, () => Widget.findByPk('a1'))).not.toBeNull();
+    expect(await withTenant(TENANT_A, () => Widget.findByPk('b1'))).toBeNull();
+  });
+
+  it('create stamps the active tenant', async () => {
+    const row = await withTenant(TENANT_A, () => Widget.findByPk('a1'));
+    expect(row.instance_did).toBe(TENANT_A);
+  });
+
+  it('sum aggregates only the active tenant', async () => {
+    expect(await withTenant(TENANT_A, () => Widget.sum('qty'))).toBe(15);
+    expect(await withTenant(TENANT_B, () => Widget.sum('qty'))).toBe(100);
+  });
+
+  it('update never crosses tenants', async () => {
+    await withTenant(TENANT_A, () => Widget.update({ name: 'a-upd' }, { where: {} }));
+    const b1 = await withTenant(TENANT_B, () => Widget.findByPk('b1'));
+    expect(b1.name).toBe('b-one');
+  });
+
+  it('explicit matching instance_did is idempotent; conflicting fails closed', async () => {
+    await expect(withTenant(TENANT_A, () => Widget.findAll({ where: { instance_did: TENANT_A } }))).resolves.toHaveLength(2);
+    await expect(withTenant(TENANT_A, () => Widget.findAll({ where: { instance_did: TENANT_B } }))).rejects.toThrow(/conflicts with the active tenant/);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Base 2: sequelize-d1 shim (worker runtime), backed by node:sqlite as a
+// minimal D1-compatible fake.
+// ---------------------------------------------------------------------------
+function makeFakeD1(db: DatabaseSync) {
+  const prepare = (sql: string) => {
+    let bound: any[] = [];
+    const stmt: any = {
+      __sql: sql,
+      bind: (...vals: any[]) => {
+        bound = vals;
+        return stmt;
+      },
+      all: () => ({ results: db.prepare(sql).all(...bound), meta: {} }),
+      run: () => {
+        const r = db.prepare(sql).run(...bound);
+        return { meta: { changes: Number(r.changes), last_row_id: Number(r.lastInsertRowid) } };
+      },
+      first: () => db.prepare(sql).get(...bound) ?? null,
+    };
+    return stmt;
+  };
+  return {
+    prepare,
+    batch: async (stmts: any[]) =>
+      stmts.map((s) => {
+        if (/^\s*SELECT/i.test(s.__sql)) return s.all();
+        s.run();
+        return { results: [], meta: {} };
+      }),
+  };
+}
+
+describe('TenantModel over sequelize-d1 shim', () => {
+  let ShimModel: any;
+  let setDB: any;
+  let Widget: any;
+
+  beforeAll(() => {
+    // eslint-disable-next-line global-require, @typescript-eslint/no-var-requires
+    const shim = require('../../../cloudflare/shims/sequelize-d1');
+    ShimModel = shim.Model;
+    setDB = shim.setDB;
+
+    const db = new DatabaseSync(':memory:');
+    db.exec(`CREATE TABLE ${TABLE} (id TEXT PRIMARY KEY, instance_did TEXT, name TEXT, qty INTEGER)`);
+    setDB(makeFakeD1(db));
+
+    Widget = class extends makeTenantModel(ShimModel) {};
+    Widget.init(
+      { id: {}, instance_did: {}, name: {}, qty: {} },
+      { sequelize: { models: {} }, modelName: 'Widget', tableName: TABLE }
+    );
+  });
+
+  beforeEach(async () => {
+    await withTenant(TENANT_A, () => Widget.destroy({ where: {} }));
+    await withTenant(TENANT_B, () => Widget.destroy({ where: {} }));
+    await withTenant(TENANT_A, () => Widget.create({ id: 'a1', name: 'a-one', qty: 10 }));
+    await withTenant(TENANT_A, () => Widget.create({ id: 'a2', name: 'a-two', qty: 5 }));
+    await withTenant(TENANT_B, () => Widget.create({ id: 'b1', name: 'b-one', qty: 100 }));
+  });
+
+  it('findAll returns only the active tenant', async () => {
+    const a = await withTenant(TENANT_A, () => Widget.findAll());
+    expect(a.map((r: any) => r.id).sort()).toEqual(['a1', 'a2']);
+    const b = await withTenant(TENANT_B, () => Widget.findAll());
+    expect(b.map((r: any) => r.id)).toEqual(['b1']);
+  });
+
+  it('findByPk across tenants returns null (this-resolution + delegation through extra layer)', async () => {
+    expect(await withTenant(TENANT_A, () => Widget.findByPk('a1'))).not.toBeNull();
+    expect(await withTenant(TENANT_A, () => Widget.findByPk('b1'))).toBeNull();
+  });
+
+  it('create stamps the active tenant', async () => {
+    const row = await withTenant(TENANT_A, () => Widget.findByPk('a1'));
+    expect(row.instance_did).toBe(TENANT_A);
+  });
+
+  it('update never crosses tenants', async () => {
+    await withTenant(TENANT_A, () => Widget.update({ name: 'a-upd' }, { where: {} }));
+    const b1 = await withTenant(TENANT_B, () => Widget.findByPk('b1'));
+    expect(b1.name).toBe('b-one');
+  });
+
+  it('conflicting explicit instance_did fails closed', async () => {
+    await expect(withTenant(TENANT_A, () => Widget.findAll({ where: { instance_did: TENANT_B } }))).rejects.toThrow(/conflicts with the active tenant/);
+  });
+});