@cross-deck/node 1.2.0 → 1.3.1

package/CHANGELOG.md

@@ -4,6 +4,108 @@ All notable changes to `@cross-deck/node` will be documented here. The
 format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.1] — 2026-05-24
+
+Patch fix for the 1.3.0 dist-load contract. Mirrors the
+`@cross-deck/web@1.3.1` patch — `SDK_VERSION` is now sourced from a
+generated `src/_version.ts` file (produced by
+`scripts/sync-sdk-versions.mjs` from `package.json`) instead of a
+runtime `import { version } from "../package.json"` that needs a
+`with { type: "json" }` assertion to load as ESM. Wire contract is
+unchanged. 1.3.0 was never published to npm; 1.3.1 is the first
+1.3.x line to reach npm.
+
+## [1.3.0] — 2026-05-24
+
+KPMG bank-grade audit closure. Six review batches landed five SDK PRs
+and a backend wiring fix that closes every P0 plus 12 of 13 P1 findings.
+No public method renames; one internal contract change
+(`ErrorTracker.beforeSend` is now a getter) that also removes the
+`Object.defineProperty` workaround the node SDK shipped to compensate
+for the same broken contract on web. Behavioural changes to the queue
+and the PII scrub strictly improve correctness. The wire
+`Crossdeck-Sdk-Version` header now reads from `package.json` so it
+cannot drift from the published bundle.
+
+### Fixed (P0)
+
+- **PII scrub sentinel tokens aligned with the backend.** `[email]` /
+  `[card]` → `<email>` / `<card>`, matching `backend/src/api/lib/scrub.ts`.
+  The same event scrubbed by SDK + backend now carries the same
+  sentinel — dashboard aggregation works again.
+- **`setErrorBeforeSend` contract cleaned up.** The
+  `ErrorTracker.beforeSend` field is now a getter
+  (`() => fn | null`). Removed the `Object.defineProperty` hack on
+  `tracker.opts` that worked around the old captured-by-value bug —
+  cleaner contract, lockstep with web.
+- **Event queue drops 4xx batches.** Pre-fix every `catch` triggered
+  `scheduleRetry` with the same `Idempotency-Key`. A 401 (key revoked),
+  400/422 (malformed batch), 403 (permission), 404 (wrong baseUrl)
+  spun the retry timer indefinitely while the backlog grew silently.
+  New `isPermanent4xx()` helper hard-stops on any 4xx EXCEPT 408 / 429
+  (transient by spec). On permanent failure: drop the batch, increment
+  `dropped`, fire `onPermanentFailure(info)`, emit
+  `queue.permanent_failure` on the EventEmitter, log via
+  `console.error` regardless of debug mode.
+- **Error-capture self-skip derived from `baseUrl`.** Pre-fix hardcoded
+  to `api.cross-deck.com`; customers on staging / regional / self-hosted
+  base URLs recursed (5xx → captureHttp → enqueue → /events →
+  captureHttp → ∞). Now strict-hostname compare against `selfHostname`
+  extracted from constructor `baseUrl`. Closes the substring-match
+  bypass (`api.cross-deck.com.attacker.example` would have matched).
+
+### Added
+
+- **`onPermanentFailure` callback** on `EventQueueConfig`, surfaced
+  via `CrossdeckServer.on("queue.permanent_failure", …)` for host-app
+  paging.
+- **`sdk.flush_permanent_failure` debug signal** in the
+  `DebugSignal` vocabulary.
+
+### Changed
+
+- **`SDK_VERSION` is now imported from `package.json`.** The
+  `Crossdeck-Sdk-Version` header always matches the published bundle.
+  Single source of truth.
+- **Event ingest envelope now ships `environment`.** Pre-fix web sent
+  it and node didn't; backend `v1-events.ts` cross-checks it against
+  the API-key-derived env and rejects mismatches loudly
+  (`env_mismatch`). Defence-in-depth so a "live key, env: sandbox"
+  misconfig fails fast instead of polluting the wrong dashboard.
+- **`syncPurchases` body spread bug.** Pre-fix
+  `{ rail: input.rail ?? "apple", ...input }` — the `...input` ran
+  LAST and overrode the default when the caller passed
+  `rail: undefined` explicitly. Reversed: `{ ...input, rail }`.
+- **PII scrub regex uses `.replace()` unconditionally.** Dropped the
+  `.test()`-gating that carried `lastIndex` state between calls.
+- **`bootHeartbeat: false` no longer silences the
+  `sdk.no_durable_store` warning.** Pre-fix the warning lived inside
+  `emitBootTelemetry()` which sat inside the `bootHeartbeat` gate, so
+  the opt-out silenced the entire reason `entitlementStore` exists.
+  Split into two methods: `emitDurabilityWarning()` (local-only,
+  unconditional) and `emitBootTelemetryEvent()` (phone-home, still
+  gated).
+- **`isEntitled(string)` requires the `cdcust_` prefix** for canonical-
+  path resolution. Pre-fix any string with a cache entry resolved
+  through the canonical path — a small cross-tenant primitive if a
+  tenant's userId collided with another tenant's `crossdeckCustomerId`.
+  Non-prefixed strings now drop to alias lookup only.
+- **Self-skip applies to breadcrumbs too**, not just `captureHttp`.
+  Error reports no longer carry noisy `POST https://api.cross-deck.com/v1/events`
+  crumb entries.
+
+### Wiring (backend, paired)
+
+- **`v1-events` ingest now honours the per-project `piiAllowList`.**
+  The admin management surface (`v1-pii-allow-list.ts`) was persisted +
+  audit-logged but the hot ingest path never read it. The new
+  `backend/src/api/lib/pii-allow-list-cache.ts` (60s TTL,
+  single-flight) feeds the project's allow-list to `scrubProperties()`
+  on every batch. `HARD_LOCKED_PATTERNS` are always stripped from the
+  effective list regardless of what's in storage. (Backend-only —
+  listed here so server-SDK consumers know defence-in-depth is fully
+  closed.)
+
 ## [1.2.0] — 2026-05-18
 
 ### Added

package/dist/auto-events/index.d.mts

@@ -1,4 +1,4 @@
-import { p as CrossdeckServer } from '../crossdeck-server-BZVZEuS-.mjs';
+import { p as CrossdeckServer } from '../crossdeck-server-DhnHvUhh.mjs';
 import 'node:events';
 
 /**

package/dist/auto-events/index.d.ts

@@ -1,4 +1,4 @@
-import { p as CrossdeckServer } from '../crossdeck-server-BZVZEuS-.js';
+import { p as CrossdeckServer } from '../crossdeck-server-DhnHvUhh.js';
 import 'node:events';
 
 /**

package/dist/{crossdeck-server-BZVZEuS-.d.mts → crossdeck-server-DhnHvUhh.d.mts}

@@ -251,8 +251,6 @@ interface RuntimeInfo {
     appVersion: string | null;
 }
 
-declare const SDK_NAME = "@cross-deck/node";
-declare const SDK_VERSION = "1.2.0";
 declare const DEFAULT_BASE_URL = "https://api.cross-deck.com/v1";
 declare const DEFAULT_TIMEOUT_MS = 15000;
 /**
@@ -1211,20 +1209,11 @@ declare class CrossdeckServer extends EventEmitter {
     private errorBeforeSend;
     constructor(options: CrossdeckServerOptions);
     /**
-     * Emit the one-time `sdk.boot` telemetry event and, when the runtime
-     * is serverless with no `entitlementStore`, the honest "no cold-start
-     * durability" warning.
-     *
-     * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
-     * carries no request body, so it cannot transport a structured
-     * `durability` fact. The event pipeline can — every `track()` event
-     * lands as an aggregatable document the backend can query, so
-     * Crossdeck can compute fleet-wide "% serverless-with-no-durable-
-     * store" from `sdk.boot` events (denominator = all `sdk.boot`,
-     * numerator = those with `durability.coldStartDurable === false`).
-     * The event rides the existing batched + retried + idempotent queue
-     * and is drained by flush-on-exit, so it survives a serverless
-     * teardown — it is NOT a local-only debug log.
+     * Emit the honest "no cold-start durability" warning when the runtime
+     * is serverless AND no `entitlementStore` is wired. Local-only debug
+     * signal — no network call, no phone-home. Safe to fire from the
+     * constructor before `setImmediate` because there is no I/O on this
+     * path.
      *
      * `isServerless` AND no store is the gap: a cold start begins with an
      * empty in-memory cache and a brief Crossdeck outage in that window
@@ -1232,11 +1221,29 @@ declare class CrossdeckServer extends EventEmitter {
      * unavoidable without a store — so the SDK STATES it (a
      * `sdk.no_durable_store` debug warning) rather than hiding it.
      *
-     * Called once, from the deferred boot block — so it inherits the
-     * `testMode` / `bootHeartbeat:false` opt-outs and never fires before
-     * the constructor returns.
+     * Audit P1 #9: this used to live INSIDE `emitBootTelemetry()` which
+     * itself sat inside the `bootHeartbeat` gate, so any developer who
+     * set `bootHeartbeat: false` silently disabled the entire reason
+     * `entitlementStore` exists. Now split: warning fires
+     * unconditionally; the boot phone-home stays gated.
+     */
+    private emitDurabilityWarning;
+    /**
+     * Emit the one-time `sdk.boot` telemetry event — the aggregatable
+     * fact the backend pivots on (compute fleet-wide
+     * "% serverless-with-no-durable-store"). Rides the batched + retried
+     * + idempotent queue and is drained by flush-on-exit, so it survives
+     * a serverless teardown.
+     *
+     * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
+     * carries no request body, so it cannot transport a structured
+     * `durability` fact.
+     *
+     * Gated by `bootHeartbeat` (and `testMode`) because it IS a phone-
+     * home — the unconditional surface is `emitDurabilityWarning()`,
+     * which has no network call.
      */
-    private emitBootTelemetry;
+    private emitBootTelemetryEvent;
     identify(userId: string, anonymousId: string, options?: IdentifyOptions & RequestOptions): Promise<AliasResult>;
     aliasIdentity(input: AliasIdentityInput, options?: RequestOptions): Promise<AliasResult>;
     forget(hints: IdentityHints, options?: RequestOptions): Promise<ForgetResult>;
@@ -1677,6 +1684,15 @@ declare class CrossdeckServer extends EventEmitter {
      * Resolve any hint shape (canonical customerId / userId hint /
      * anonymousId hint / raw string) to a `crossdeckCustomerId` if we
      * have a cache entry for it.
+     *
+     * String overload is STRICT on the canonical-id shape. Pre-fix
+     * `isFresh(raw)` treated any string with a cache entry as a valid
+     * canonical id — if tenant A's userId happened to collide with
+     * tenant B's crossdeckCustomerId, A's call would resolve to B's
+     * cached entitlements. Bounded by the `cdcust_` prefix convention
+     * (which both SDKs and the backend mint, see
+     * backend/src/lib/customers.ts) — anything else is treated purely
+     * as an alias lookup, never as a canonical id. Audit P1 #19.
      */
     private resolveCacheCustomerId;
     private identityPayload;
@@ -1694,4 +1710,4 @@ declare class CrossdeckServer extends EventEmitter {
     private normalizeIngestEvent;
 }
 
-export { type ServerEvent as $, type AliasIdentityInput as A, type Breadcrumb as B, CROSSDECK_API_VERSION as C, DEFAULT_BASE_URL as D, type EntitlementCacheOptions as E, type ErrorLevel as F, type EventProperties as G, type ForgetResult as H, type GrantDuration as I, type GrantEntitlementInput as J, type GroupMembership as K, type HeartbeatResponse as L, type HttpRequestInfo as M, type HttpResponseInfo as N, type HttpRetriesConfig as O, type IdentifyOptions as P, type IdentityHints as Q, type IngestOptions as R, type IngestResponse as S, type PublicEntitlement as T, type PurchaseResult as U, type RequestOptions as V, type RevokeEntitlementInput as W, type RuntimeHost as X, type RuntimeInfo as Y, SDK_NAME as Z, SDK_VERSION as _, type AliasResult as a, type StackFrame as a0, type StoredEntitlements as a1, type SyncPurchaseInput as a2, makeCrossdeckError as a3, type AuditDecision as b, type AuditEntry as c, type BreadcrumbCategory as d, type BreadcrumbLevel as e, type CapturedError as f, CrossdeckAuthenticationError as g, CrossdeckConfigurationError as h, CrossdeckError as i, type CrossdeckErrorPayload as j, type CrossdeckErrorType as k, CrossdeckInternalError as l, CrossdeckNetworkError as m, CrossdeckPermissionError as n, CrossdeckRateLimitError as o, CrossdeckServer as p, type CrossdeckServerOptions as q, CrossdeckValidationError as r, DEFAULT_TIMEOUT_MS as s, type Diagnostics as t, type EntitlementMutationResult as u, type EntitlementStore as v, type EntitlementsListResponse as w, type EntitlementsListener as x, type Environment as y, type ErrorCaptureConfig as z };
+export { type StoredEntitlements as $, type AliasIdentityInput as A, type Breadcrumb as B, CROSSDECK_API_VERSION as C, DEFAULT_BASE_URL as D, type EntitlementCacheOptions as E, type ErrorLevel as F, type EventProperties as G, type ForgetResult as H, type GrantDuration as I, type GrantEntitlementInput as J, type GroupMembership as K, type HeartbeatResponse as L, type HttpRequestInfo as M, type HttpResponseInfo as N, type HttpRetriesConfig as O, type IdentifyOptions as P, type IdentityHints as Q, type IngestOptions as R, type IngestResponse as S, type PublicEntitlement as T, type PurchaseResult as U, type RequestOptions as V, type RevokeEntitlementInput as W, type RuntimeHost as X, type RuntimeInfo as Y, type ServerEvent as Z, type StackFrame as _, type AliasResult as a, type SyncPurchaseInput as a0, makeCrossdeckError as a1, type AuditDecision as b, type AuditEntry as c, type BreadcrumbCategory as d, type BreadcrumbLevel as e, type CapturedError as f, CrossdeckAuthenticationError as g, CrossdeckConfigurationError as h, CrossdeckError as i, type CrossdeckErrorPayload as j, type CrossdeckErrorType as k, CrossdeckInternalError as l, CrossdeckNetworkError as m, CrossdeckPermissionError as n, CrossdeckRateLimitError as o, CrossdeckServer as p, type CrossdeckServerOptions as q, CrossdeckValidationError as r, DEFAULT_TIMEOUT_MS as s, type Diagnostics as t, type EntitlementMutationResult as u, type EntitlementStore as v, type EntitlementsListResponse as w, type EntitlementsListener as x, type Environment as y, type ErrorCaptureConfig as z };

package/dist/{crossdeck-server-BZVZEuS-.d.ts → crossdeck-server-DhnHvUhh.d.ts}

@@ -251,8 +251,6 @@ interface RuntimeInfo {
     appVersion: string | null;
 }
 
-declare const SDK_NAME = "@cross-deck/node";
-declare const SDK_VERSION = "1.2.0";
 declare const DEFAULT_BASE_URL = "https://api.cross-deck.com/v1";
 declare const DEFAULT_TIMEOUT_MS = 15000;
 /**
@@ -1211,20 +1209,11 @@ declare class CrossdeckServer extends EventEmitter {
     private errorBeforeSend;
     constructor(options: CrossdeckServerOptions);
     /**
-     * Emit the one-time `sdk.boot` telemetry event and, when the runtime
-     * is serverless with no `entitlementStore`, the honest "no cold-start
-     * durability" warning.
-     *
-     * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
-     * carries no request body, so it cannot transport a structured
-     * `durability` fact. The event pipeline can — every `track()` event
-     * lands as an aggregatable document the backend can query, so
-     * Crossdeck can compute fleet-wide "% serverless-with-no-durable-
-     * store" from `sdk.boot` events (denominator = all `sdk.boot`,
-     * numerator = those with `durability.coldStartDurable === false`).
-     * The event rides the existing batched + retried + idempotent queue
-     * and is drained by flush-on-exit, so it survives a serverless
-     * teardown — it is NOT a local-only debug log.
+     * Emit the honest "no cold-start durability" warning when the runtime
+     * is serverless AND no `entitlementStore` is wired. Local-only debug
+     * signal — no network call, no phone-home. Safe to fire from the
+     * constructor before `setImmediate` because there is no I/O on this
+     * path.
      *
      * `isServerless` AND no store is the gap: a cold start begins with an
      * empty in-memory cache and a brief Crossdeck outage in that window
@@ -1232,11 +1221,29 @@ declare class CrossdeckServer extends EventEmitter {
      * unavoidable without a store — so the SDK STATES it (a
      * `sdk.no_durable_store` debug warning) rather than hiding it.
      *
-     * Called once, from the deferred boot block — so it inherits the
-     * `testMode` / `bootHeartbeat:false` opt-outs and never fires before
-     * the constructor returns.
+     * Audit P1 #9: this used to live INSIDE `emitBootTelemetry()` which
+     * itself sat inside the `bootHeartbeat` gate, so any developer who
+     * set `bootHeartbeat: false` silently disabled the entire reason
+     * `entitlementStore` exists. Now split: warning fires
+     * unconditionally; the boot phone-home stays gated.
+     */
+    private emitDurabilityWarning;
+    /**
+     * Emit the one-time `sdk.boot` telemetry event — the aggregatable
+     * fact the backend pivots on (compute fleet-wide
+     * "% serverless-with-no-durable-store"). Rides the batched + retried
+     * + idempotent queue and is drained by flush-on-exit, so it survives
+     * a serverless teardown.
+     *
+     * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
+     * carries no request body, so it cannot transport a structured
+     * `durability` fact.
+     *
+     * Gated by `bootHeartbeat` (and `testMode`) because it IS a phone-
+     * home — the unconditional surface is `emitDurabilityWarning()`,
+     * which has no network call.
      */
-    private emitBootTelemetry;
+    private emitBootTelemetryEvent;
     identify(userId: string, anonymousId: string, options?: IdentifyOptions & RequestOptions): Promise<AliasResult>;
     aliasIdentity(input: AliasIdentityInput, options?: RequestOptions): Promise<AliasResult>;
     forget(hints: IdentityHints, options?: RequestOptions): Promise<ForgetResult>;
@@ -1677,6 +1684,15 @@ declare class CrossdeckServer extends EventEmitter {
      * Resolve any hint shape (canonical customerId / userId hint /
      * anonymousId hint / raw string) to a `crossdeckCustomerId` if we
      * have a cache entry for it.
+     *
+     * String overload is STRICT on the canonical-id shape. Pre-fix
+     * `isFresh(raw)` treated any string with a cache entry as a valid
+     * canonical id — if tenant A's userId happened to collide with
+     * tenant B's crossdeckCustomerId, A's call would resolve to B's
+     * cached entitlements. Bounded by the `cdcust_` prefix convention
+     * (which both SDKs and the backend mint, see
+     * backend/src/lib/customers.ts) — anything else is treated purely
+     * as an alias lookup, never as a canonical id. Audit P1 #19.
      */
     private resolveCacheCustomerId;
     private identityPayload;
@@ -1694,4 +1710,4 @@ declare class CrossdeckServer extends EventEmitter {
     private normalizeIngestEvent;
 }
 
-export { type ServerEvent as $, type AliasIdentityInput as A, type Breadcrumb as B, CROSSDECK_API_VERSION as C, DEFAULT_BASE_URL as D, type EntitlementCacheOptions as E, type ErrorLevel as F, type EventProperties as G, type ForgetResult as H, type GrantDuration as I, type GrantEntitlementInput as J, type GroupMembership as K, type HeartbeatResponse as L, type HttpRequestInfo as M, type HttpResponseInfo as N, type HttpRetriesConfig as O, type IdentifyOptions as P, type IdentityHints as Q, type IngestOptions as R, type IngestResponse as S, type PublicEntitlement as T, type PurchaseResult as U, type RequestOptions as V, type RevokeEntitlementInput as W, type RuntimeHost as X, type RuntimeInfo as Y, SDK_NAME as Z, SDK_VERSION as _, type AliasResult as a, type StackFrame as a0, type StoredEntitlements as a1, type SyncPurchaseInput as a2, makeCrossdeckError as a3, type AuditDecision as b, type AuditEntry as c, type BreadcrumbCategory as d, type BreadcrumbLevel as e, type CapturedError as f, CrossdeckAuthenticationError as g, CrossdeckConfigurationError as h, CrossdeckError as i, type CrossdeckErrorPayload as j, type CrossdeckErrorType as k, CrossdeckInternalError as l, CrossdeckNetworkError as m, CrossdeckPermissionError as n, CrossdeckRateLimitError as o, CrossdeckServer as p, type CrossdeckServerOptions as q, CrossdeckValidationError as r, DEFAULT_TIMEOUT_MS as s, type Diagnostics as t, type EntitlementMutationResult as u, type EntitlementStore as v, type EntitlementsListResponse as w, type EntitlementsListener as x, type Environment as y, type ErrorCaptureConfig as z };
+export { type StoredEntitlements as $, type AliasIdentityInput as A, type Breadcrumb as B, CROSSDECK_API_VERSION as C, DEFAULT_BASE_URL as D, type EntitlementCacheOptions as E, type ErrorLevel as F, type EventProperties as G, type ForgetResult as H, type GrantDuration as I, type GrantEntitlementInput as J, type GroupMembership as K, type HeartbeatResponse as L, type HttpRequestInfo as M, type HttpResponseInfo as N, type HttpRetriesConfig as O, type IdentifyOptions as P, type IdentityHints as Q, type IngestOptions as R, type IngestResponse as S, type PublicEntitlement as T, type PurchaseResult as U, type RequestOptions as V, type RevokeEntitlementInput as W, type RuntimeHost as X, type RuntimeInfo as Y, type ServerEvent as Z, type StackFrame as _, type AliasResult as a, type SyncPurchaseInput as a0, makeCrossdeckError as a1, type AuditDecision as b, type AuditEntry as c, type BreadcrumbCategory as d, type BreadcrumbLevel as e, type CapturedError as f, CrossdeckAuthenticationError as g, CrossdeckConfigurationError as h, CrossdeckError as i, type CrossdeckErrorPayload as j, type CrossdeckErrorType as k, CrossdeckInternalError as l, CrossdeckNetworkError as m, CrossdeckPermissionError as n, CrossdeckRateLimitError as o, CrossdeckServer as p, type CrossdeckServerOptions as q, CrossdeckValidationError as r, DEFAULT_TIMEOUT_MS as s, type Diagnostics as t, type EntitlementMutationResult as u, type EntitlementStore as v, type EntitlementsListResponse as w, type EntitlementsListener as x, type Environment as y, type ErrorCaptureConfig as z };

package/dist/index.cjs

@@ -363,9 +363,11 @@ function byteLength(s) {
   return s.length * 4;
 }
 
-// src/http.ts
+// src/_version.ts
+var SDK_VERSION = "1.3.1";
 var SDK_NAME = "@cross-deck/node";
-var SDK_VERSION = "1.2.0";
+
+// src/http.ts
 var DEFAULT_BASE_URL = "https://api.cross-deck.com/v1";
 var DEFAULT_TIMEOUT_MS = 15e3;
 var CROSSDECK_API_VERSION = "2025-01-01";
@@ -878,6 +880,7 @@ var EventQueue = class {
         sdk: env.sdk
       };
       if (env.appId) body.appId = env.appId;
+      if (env.environment) body.environment = env.environment;
       const result = await this.cfg.http.request("POST", "/events", {
         body,
         idempotencyKey: batchId
@@ -896,6 +899,20 @@ var EventQueue = class {
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       this.lastError = message;
+      if (isPermanent4xx(err)) {
+        const droppedCount = batch.length;
+        this.pendingBatch = null;
+        this.pendingBatchId = null;
+        this.inFlight -= droppedCount;
+        this.dropped += droppedCount;
+        this.cfg.onDrop?.(droppedCount);
+        this.cfg.onPermanentFailure?.({
+          status: err.status ?? 0,
+          droppedCount,
+          lastError: message
+        });
+        return null;
+      }
       const retryAfterMs = extractRetryAfterMs(err);
       const delay = this.retry.nextDelay(retryAfterMs);
       this.scheduleRetry(delay);
@@ -974,6 +991,14 @@ function extractRetryAfterMs(err) {
   }
   return void 0;
 }
+function isPermanent4xx(err) {
+  if (!err || typeof err !== "object") return false;
+  const status = err.status;
+  if (typeof status !== "number" || !Number.isFinite(status)) return false;
+  if (status < 400 || status >= 500) return false;
+  if (status === 408 || status === 429) return false;
+  return true;
+}
 function defaultScheduler(fn, ms) {
   const id = setTimeout(fn, ms);
   if (typeof id.unref === "function") {
@@ -1263,16 +1288,18 @@ var ErrorTracker = class {
       const url = typeof input === "string" ? input : input?.url ?? "";
       const method = (init.method || "GET").toUpperCase();
       const start = Date.now();
-      tracker.opts.breadcrumbs.add({
-        timestamp: start,
-        category: "http",
-        message: `${method} ${url}`,
-        data: { url, method }
-      });
+      if (!isSelfRequest(url, tracker.opts.selfHostname)) {
+        tracker.opts.breadcrumbs.add({
+          timestamp: start,
+          category: "http",
+          message: `${method} ${url}`,
+          data: { url, method }
+        });
+      }
       try {
         const response = await origFetch(...args);
         if (response.status >= 500 && tracker.opts.isConsented()) {
-          if (!url.includes("api.cross-deck.com")) {
+          if (!isSelfRequest(url, tracker.opts.selfHostname)) {
             tracker.captureHttp({
               url,
               method,
@@ -1390,9 +1417,10 @@ var ErrorTracker = class {
     if (!this.passesSample(err)) return;
     if (!this.passesRateLimit(err)) return;
     let finalErr = err;
-    if (this.opts.beforeSend) {
+    const hook = this.opts.beforeSend?.();
+    if (hook) {
       try {
-        finalErr = this.opts.beforeSend(err);
+        finalErr = hook(err);
       } catch {
         finalErr = err;
       }
@@ -1618,6 +1646,22 @@ function safeClone(v) {
 function safeStringify3(v) {
   return coerceErrorPayload(v).message;
 }
+function extractSelfHostname(baseUrl) {
+  if (!baseUrl || typeof baseUrl !== "string") return null;
+  try {
+    return new URL(baseUrl).hostname.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function isSelfRequest(requestUrl, selfHostname) {
+  if (!selfHostname || !requestUrl) return false;
+  try {
+    return new URL(requestUrl).hostname.toLowerCase() === selfHostname;
+  } catch {
+    return false;
+  }
+}
 
 // src/runtime-info.ts
 var import_node_os = require("os");
@@ -2512,6 +2556,11 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
       intervalMs: options.eventFlushIntervalMs ?? 1500,
       envelope: () => ({
         appId: this.appId,
+        // Ship env on every batch so the backend can cross-check
+        // against the API-key-derived env and reject mismatches
+        // loudly (env_mismatch). Web has always done this; node now
+        // matches so defence-in-depth is symmetric across SDKs.
+        environment: this.env,
         sdk: { name: SDK_NAME, version: this.sdkVersion }
       }),
       onDrop: (count) => {
@@ -2527,6 +2576,20 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
           nextRetryMs: info.delayMs
         });
       },
+      onPermanentFailure: (info) => {
+        const headline = `[crossdeck] Event batch DROPPED (status ${info.status}): ${info.lastError}. ${info.droppedCount} event(s) lost \u2014 check your secret key + app config.`;
+        console.error(headline);
+        this.debug.emit(
+          "sdk.flush_permanent_failure",
+          headline,
+          { ...info }
+        );
+        this.emit("queue.permanent_failure", {
+          status: info.status,
+          droppedCount: info.droppedCount,
+          error: info.lastError
+        });
+      },
       onFirstFlushSuccess: () => {
         this.debug.emit("sdk.first_event_sent", "First batch landed.");
       }
@@ -2541,14 +2604,20 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
         report: (err) => this.reportCapturedError(err),
         getContext: () => ({ ...this.errorContext }),
         getTags: () => ({ ...this.errorTags }),
-        beforeSend: null,
-        // wired via setErrorBeforeSend; ErrorTracker reads it through the live ref below
-        isConsented: () => true
-      });
-      const trackerOpts = this.errorTracker.opts;
-      Object.defineProperty(trackerOpts, "beforeSend", {
-        get: () => this.errorBeforeSend,
-        configurable: true
+        // GETTER, not a captured value — `setErrorBeforeSend()` mutates
+        // `this.errorBeforeSend` after init() and the tracker MUST pick
+        // up the new hook on the next error. Pre-fix we worked around
+        // a captured-by-value field with `Object.defineProperty` on the
+        // tracker's private opts; the contract is now a real getter so
+        // we just hand it the closure and the hack is gone.
+        beforeSend: () => this.errorBeforeSend,
+        isConsented: () => true,
+        // Derived from the configured baseUrl at construction time.
+        // Used by the fetch wrapper to skip captureHttp on Crossdeck's
+        // own requests — pre-fix the skip was hardcoded to
+        // `api.cross-deck.com` and broke for customers on staging /
+        // regional / self-hosted base URLs (recursive capture loop).
+        selfHostname: extractSelfHostname(this.baseUrl)
       });
       this.errorTracker.install();
     }
@@ -2561,6 +2630,7 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
       });
       this.flushOnExit.install();
     }
+    this.emitDurabilityWarning();
     if (options.testMode !== true && options.bootHeartbeat !== false) {
       setImmediate(() => {
         void this.heartbeat().catch((err) => {
@@ -2570,25 +2640,16 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
             { message: err instanceof Error ? err.message : String(err) }
           );
         });
-        this.emitBootTelemetry();
+        this.emitBootTelemetryEvent();
       });
     }
   }
   /**
-   * Emit the one-time `sdk.boot` telemetry event and, when the runtime
-   * is serverless with no `entitlementStore`, the honest "no cold-start
-   * durability" warning.
-   *
-   * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
-   * carries no request body, so it cannot transport a structured
-   * `durability` fact. The event pipeline can — every `track()` event
-   * lands as an aggregatable document the backend can query, so
-   * Crossdeck can compute fleet-wide "% serverless-with-no-durable-
-   * store" from `sdk.boot` events (denominator = all `sdk.boot`,
-   * numerator = those with `durability.coldStartDurable === false`).
-   * The event rides the existing batched + retried + idempotent queue
-   * and is drained by flush-on-exit, so it survives a serverless
-   * teardown — it is NOT a local-only debug log.
+   * Emit the honest "no cold-start durability" warning when the runtime
+   * is serverless AND no `entitlementStore` is wired. Local-only debug
+   * signal — no network call, no phone-home. Safe to fire from the
+   * constructor before `setImmediate` because there is no I/O on this
+   * path.
    *
    * `isServerless` AND no store is the gap: a cold start begins with an
    * empty in-memory cache and a brief Crossdeck outage in that window
@@ -2596,14 +2657,15 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
    * unavoidable without a store — so the SDK STATES it (a
    * `sdk.no_durable_store` debug warning) rather than hiding it.
    *
-   * Called once, from the deferred boot block — so it inherits the
-   * `testMode` / `bootHeartbeat:false` opt-outs and never fires before
-   * the constructor returns.
+   * Audit P1 #9: this used to live INSIDE `emitBootTelemetry()` which
+   * itself sat inside the `bootHeartbeat` gate, so any developer who
+   * set `bootHeartbeat: false` silently disabled the entire reason
+   * `entitlementStore` exists. Now split: warning fires
+   * unconditionally; the boot phone-home stays gated.
    */
-  emitBootTelemetry() {
+  emitDurabilityWarning() {
     const isServerless = this.runtime.isServerless;
     const hasStore = this.entitlementStore !== null;
-    const coldStartDurable = hasStore || !isServerless;
     if (isServerless && !hasStore) {
       this.debug.emit(
         "sdk.no_durable_store",
@@ -2611,6 +2673,26 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
         { host: this.runtime.host, isServerless, durableStore: false }
       );
     }
+  }
+  /**
+   * Emit the one-time `sdk.boot` telemetry event — the aggregatable
+   * fact the backend pivots on (compute fleet-wide
+   * "% serverless-with-no-durable-store"). Rides the batched + retried
+   * + idempotent queue and is drained by flush-on-exit, so it survives
+   * a serverless teardown.
+   *
+   * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
+   * carries no request body, so it cannot transport a structured
+   * `durability` fact.
+   *
+   * Gated by `bootHeartbeat` (and `testMode`) because it IS a phone-
+   * home — the unconditional surface is `emitDurabilityWarning()`,
+   * which has no network call.
+   */
+  emitBootTelemetryEvent() {
+    const isServerless = this.runtime.isServerless;
+    const hasStore = this.entitlementStore !== null;
+    const coldStartDurable = hasStore || !isServerless;
     try {
       this.track({
         name: "sdk.boot",
@@ -2922,7 +3004,13 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
     const normalized = events.map((event) => this.normalizeIngestEvent(event));
     const body = {
       events: normalized,
-      sdk: { name: SDK_NAME, version: this.sdkVersion }
+      sdk: { name: SDK_NAME, version: this.sdkVersion },
+      // Match the queue's batch envelope (see event-queue.ts) — backend
+      // cross-checks `environment` against the API-key-derived env and
+      // rejects mismatches loudly (env_mismatch). Pre-fix this direct
+      // ingest path skipped env, so a "live key, env: sandbox"
+      // misconfig fell through silently for the bulk-import path.
+      environment: this.env
     };
     if (this.appId) body.appId = this.appId;
     return this.http.request("POST", "/events", {
@@ -2987,8 +3075,9 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
         message: "syncPurchases requires a signedTransactionInfo string."
       });
     }
+    const rail = input.rail ?? "apple";
     return this.http.request("POST", "/purchases/sync", {
-      body: { rail: input.rail ?? "apple", ...input },
+      body: { ...input, rail },
       signal: options?.signal,
       timeoutMs: options?.timeoutMs
     });
@@ -3583,10 +3672,21 @@ var CrossdeckServer = class extends import_node_events.EventEmitter {
    * Resolve any hint shape (canonical customerId / userId hint /
    * anonymousId hint / raw string) to a `crossdeckCustomerId` if we
    * have a cache entry for it.
+   *
+   * String overload is STRICT on the canonical-id shape. Pre-fix
+   * `isFresh(raw)` treated any string with a cache entry as a valid
+   * canonical id — if tenant A's userId happened to collide with
+   * tenant B's crossdeckCustomerId, A's call would resolve to B's
+   * cached entitlements. Bounded by the `cdcust_` prefix convention
+   * (which both SDKs and the backend mint, see
+   * backend/src/lib/customers.ts) — anything else is treated purely
+   * as an alias lookup, never as a canonical id. Audit P1 #19.
    */
   resolveCacheCustomerId(hint) {
     if (typeof hint === "string") {
-      if (this.entitlementCache.isFresh(hint)) return hint;
+      if (hint.startsWith("cdcust_") && this.entitlementCache.isFresh(hint)) {
+        return hint;
+      }
       return this.customerIdAliases.get(hint) ?? null;
     }
     if (hint.customerId) return hint.customerId;
@@ -3962,20 +4062,11 @@ function normaliseSecrets(input) {
 // src/consent.ts
 var EMAIL_PATTERN = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
 var CARD_PATTERN = /\b\d(?:[ -]?\d){12,18}\b/g;
-var REPLACEMENT_EMAIL = "[email]";
-var REPLACEMENT_CARD = "[card]";
+var REPLACEMENT_EMAIL = "<email>";
+var REPLACEMENT_CARD = "<card>";
 function scrubPii(value) {
   if (!value) return value;
-  let out = value;
-  if (EMAIL_PATTERN.test(out)) {
-    out = out.replace(EMAIL_PATTERN, REPLACEMENT_EMAIL);
-  }
-  EMAIL_PATTERN.lastIndex = 0;
-  if (CARD_PATTERN.test(out)) {
-    out = out.replace(CARD_PATTERN, REPLACEMENT_CARD);
-  }
-  CARD_PATTERN.lastIndex = 0;
-  return out;
+  return value.replace(EMAIL_PATTERN, REPLACEMENT_EMAIL).replace(CARD_PATTERN, REPLACEMENT_CARD);
 }
 function scrubPiiFromProperties(properties) {
   const out = {};