@cross-deck/node 1.2.0 → 1.3.1

package/dist/index.d.mts

@@ -1,6 +1,25 @@
-export { A as AliasIdentityInput, a as AliasResult, b as AuditDecision, c as AuditEntry, B as Breadcrumb, d as BreadcrumbCategory, e as BreadcrumbLevel, C as CROSSDECK_API_VERSION, f as CapturedError, g as CrossdeckAuthenticationError, h as CrossdeckConfigurationError, i as CrossdeckError, j as CrossdeckErrorPayload, k as CrossdeckErrorType, l as CrossdeckInternalError, m as CrossdeckNetworkError, n as CrossdeckPermissionError, o as CrossdeckRateLimitError, p as CrossdeckServer, q as CrossdeckServerOptions, r as CrossdeckValidationError, D as DEFAULT_BASE_URL, s as DEFAULT_TIMEOUT_MS, t as Diagnostics, E as EntitlementCacheOptions, u as EntitlementMutationResult, v as EntitlementStore, w as EntitlementsListResponse, x as EntitlementsListener, y as Environment, z as ErrorCaptureConfig, F as ErrorLevel, G as EventProperties, H as ForgetResult, I as GrantDuration, J as GrantEntitlementInput, K as GroupMembership, L as HeartbeatResponse, M as HttpRequestInfo, N as HttpResponseInfo, O as HttpRetriesConfig, P as IdentifyOptions, Q as IdentityHints, R as IngestOptions, S as IngestResponse, T as PublicEntitlement, U as PurchaseResult, V as RequestOptions, W as RevokeEntitlementInput, X as RuntimeHost, Y as RuntimeInfo, Z as SDK_NAME, _ as SDK_VERSION, $ as ServerEvent, a0 as StackFrame, a1 as StoredEntitlements, a2 as SyncPurchaseInput, a3 as makeCrossdeckError } from './crossdeck-server-BZVZEuS-.mjs';
+export { A as AliasIdentityInput, a as AliasResult, b as AuditDecision, c as AuditEntry, B as Breadcrumb, d as BreadcrumbCategory, e as BreadcrumbLevel, C as CROSSDECK_API_VERSION, f as CapturedError, g as CrossdeckAuthenticationError, h as CrossdeckConfigurationError, i as CrossdeckError, j as CrossdeckErrorPayload, k as CrossdeckErrorType, l as CrossdeckInternalError, m as CrossdeckNetworkError, n as CrossdeckPermissionError, o as CrossdeckRateLimitError, p as CrossdeckServer, q as CrossdeckServerOptions, r as CrossdeckValidationError, D as DEFAULT_BASE_URL, s as DEFAULT_TIMEOUT_MS, t as Diagnostics, E as EntitlementCacheOptions, u as EntitlementMutationResult, v as EntitlementStore, w as EntitlementsListResponse, x as EntitlementsListener, y as Environment, z as ErrorCaptureConfig, F as ErrorLevel, G as EventProperties, H as ForgetResult, I as GrantDuration, J as GrantEntitlementInput, K as GroupMembership, L as HeartbeatResponse, M as HttpRequestInfo, N as HttpResponseInfo, O as HttpRetriesConfig, P as IdentifyOptions, Q as IdentityHints, R as IngestOptions, S as IngestResponse, T as PublicEntitlement, U as PurchaseResult, V as RequestOptions, W as RevokeEntitlementInput, X as RuntimeHost, Y as RuntimeInfo, Z as ServerEvent, _ as StackFrame, $ as StoredEntitlements, a0 as SyncPurchaseInput, a1 as makeCrossdeckError } from './crossdeck-server-DhnHvUhh.mjs';
 import 'node:events';
 
+/**
+ * SDK version constant — generated by `scripts/sync-sdk-versions.mjs`.
+ *
+ * Single source of truth: the `version` field in this package's
+ * package.json. The sync script writes this file so that
+ * `SDK_VERSION` is a plain TypeScript literal at runtime — no
+ * runtime JSON-import gotcha (Node ESM requires
+ * `with { type: "json" }` to import JSON as ESM, and the published
+ * dist file would otherwise fail to load).
+ *
+ * Drift protection: `node scripts/sync-sdk-versions.mjs --check` (the
+ * CI gate) flags this file when it falls out of sync with package.json.
+ * Bumping `package.json` without re-running the sync script fails CI.
+ *
+ * Do NOT edit by hand — `node scripts/sync-sdk-versions.mjs`.
+ */
+declare const SDK_VERSION = "1.3.1";
+declare const SDK_NAME = "@cross-deck/node";
+
 /**
  * Machine-readable index of every error code `@cross-deck/node` can
  * throw, with a short description and a hint on what action to take.
@@ -289,16 +308,24 @@ declare function signWebhookPayload(payload: string, secret: string, timestampSe
  *     name: "checkout.started",
  *     developerUserId: userId,
  *     properties: scrubPiiFromProperties({
- *       url: req.url, // might contain "/users/wes@…/" — gets [email]
+ *       url: req.url, // might contain "/users/wes@…/" — gets <email>
  *       lastError: e.message, // might contain card numbers
  *     }),
  *   });
  */
 /**
  * Scrub a single string value: replace email-shaped substrings with
- * `[email]` and card-number-shaped substrings with `[card]`. Returns
- * the original string (===) when nothing matched, so callers can do
- * an identity-check to skip allocating a new event copy.
+ * `<email>` and card-number-shaped substrings with `<card>`. Returns
+ * the original string (===) when nothing matched.
+ *
+ * Implementation note: we call `.replace()` unconditionally rather than
+ * gating on `.test()`. The /g regexes are module-level so `.test()`
+ * carries `lastIndex` state between calls — a prior match leaves
+ * `lastIndex` mid-string and the next `.test()` can falsely return
+ * false on a string that DOES match. `.replace(/g)` always scans the
+ * full string regardless of `lastIndex`, so dropping the test-guard
+ * removes the sharp edge at zero cost (when nothing matches, replace
+ * returns the same `(===)` string).
  */
 declare function scrubPii(value: string): string;
 /**
@@ -339,7 +366,7 @@ declare function scrubPiiFromProperties(properties: Record<string, unknown>): Re
  *   - `sdk.no_durable_store`
  *   - `sdk.super_property_registered`
  */
-type DebugSignal = "sdk.configured" | "sdk.first_event_sent" | "sdk.invalid_key" | "sdk.no_identity" | "sdk.entitlement_cache_used" | "sdk.entitlement_cache_warm" | "sdk.entitlement_cache_stale" | "sdk.entitlement_store_recovered" | "sdk.no_durable_store" | "sdk.purchase_evidence_sent" | "sdk.environment_mismatch" | "sdk.sensitive_property_warning" | "sdk.property_coerced" | "sdk.flush_retry_scheduled" | "sdk.flush_on_exit_started" | "sdk.flush_on_exit_completed" | "sdk.webhook_verified" | "sdk.runtime_detected" | "sdk.super_property_registered" | "sdk.boot_heartbeat_failed";
+type DebugSignal = "sdk.configured" | "sdk.first_event_sent" | "sdk.invalid_key" | "sdk.no_identity" | "sdk.entitlement_cache_used" | "sdk.entitlement_cache_warm" | "sdk.entitlement_cache_stale" | "sdk.entitlement_store_recovered" | "sdk.no_durable_store" | "sdk.purchase_evidence_sent" | "sdk.environment_mismatch" | "sdk.sensitive_property_warning" | "sdk.property_coerced" | "sdk.flush_retry_scheduled" | "sdk.flush_permanent_failure" | "sdk.flush_on_exit_started" | "sdk.flush_on_exit_completed" | "sdk.webhook_verified" | "sdk.runtime_detected" | "sdk.super_property_registered" | "sdk.boot_heartbeat_failed";
 interface DebugContext {
     [key: string]: unknown;
 }
@@ -348,4 +375,4 @@ interface DebugLogger {
     emit(signal: DebugSignal, message: string, context?: DebugContext): void;
 }
 
-export { CROSSDECK_ERROR_CODES, type CrossdeckErrorCode, type DebugContext, type DebugLogger, type DebugSignal, type ErrorCodeEntry, type VerifyWebhookOptions, getErrorCode, isCrossdeckErrorCode, scrubPii, scrubPiiFromProperties, signWebhookPayload, verifyWebhookSignature };
+export { CROSSDECK_ERROR_CODES, type CrossdeckErrorCode, type DebugContext, type DebugLogger, type DebugSignal, type ErrorCodeEntry, SDK_NAME, SDK_VERSION, type VerifyWebhookOptions, getErrorCode, isCrossdeckErrorCode, scrubPii, scrubPiiFromProperties, signWebhookPayload, verifyWebhookSignature };

package/dist/index.d.ts

@@ -1,6 +1,25 @@
-export { A as AliasIdentityInput, a as AliasResult, b as AuditDecision, c as AuditEntry, B as Breadcrumb, d as BreadcrumbCategory, e as BreadcrumbLevel, C as CROSSDECK_API_VERSION, f as CapturedError, g as CrossdeckAuthenticationError, h as CrossdeckConfigurationError, i as CrossdeckError, j as CrossdeckErrorPayload, k as CrossdeckErrorType, l as CrossdeckInternalError, m as CrossdeckNetworkError, n as CrossdeckPermissionError, o as CrossdeckRateLimitError, p as CrossdeckServer, q as CrossdeckServerOptions, r as CrossdeckValidationError, D as DEFAULT_BASE_URL, s as DEFAULT_TIMEOUT_MS, t as Diagnostics, E as EntitlementCacheOptions, u as EntitlementMutationResult, v as EntitlementStore, w as EntitlementsListResponse, x as EntitlementsListener, y as Environment, z as ErrorCaptureConfig, F as ErrorLevel, G as EventProperties, H as ForgetResult, I as GrantDuration, J as GrantEntitlementInput, K as GroupMembership, L as HeartbeatResponse, M as HttpRequestInfo, N as HttpResponseInfo, O as HttpRetriesConfig, P as IdentifyOptions, Q as IdentityHints, R as IngestOptions, S as IngestResponse, T as PublicEntitlement, U as PurchaseResult, V as RequestOptions, W as RevokeEntitlementInput, X as RuntimeHost, Y as RuntimeInfo, Z as SDK_NAME, _ as SDK_VERSION, $ as ServerEvent, a0 as StackFrame, a1 as StoredEntitlements, a2 as SyncPurchaseInput, a3 as makeCrossdeckError } from './crossdeck-server-BZVZEuS-.js';
+export { A as AliasIdentityInput, a as AliasResult, b as AuditDecision, c as AuditEntry, B as Breadcrumb, d as BreadcrumbCategory, e as BreadcrumbLevel, C as CROSSDECK_API_VERSION, f as CapturedError, g as CrossdeckAuthenticationError, h as CrossdeckConfigurationError, i as CrossdeckError, j as CrossdeckErrorPayload, k as CrossdeckErrorType, l as CrossdeckInternalError, m as CrossdeckNetworkError, n as CrossdeckPermissionError, o as CrossdeckRateLimitError, p as CrossdeckServer, q as CrossdeckServerOptions, r as CrossdeckValidationError, D as DEFAULT_BASE_URL, s as DEFAULT_TIMEOUT_MS, t as Diagnostics, E as EntitlementCacheOptions, u as EntitlementMutationResult, v as EntitlementStore, w as EntitlementsListResponse, x as EntitlementsListener, y as Environment, z as ErrorCaptureConfig, F as ErrorLevel, G as EventProperties, H as ForgetResult, I as GrantDuration, J as GrantEntitlementInput, K as GroupMembership, L as HeartbeatResponse, M as HttpRequestInfo, N as HttpResponseInfo, O as HttpRetriesConfig, P as IdentifyOptions, Q as IdentityHints, R as IngestOptions, S as IngestResponse, T as PublicEntitlement, U as PurchaseResult, V as RequestOptions, W as RevokeEntitlementInput, X as RuntimeHost, Y as RuntimeInfo, Z as ServerEvent, _ as StackFrame, $ as StoredEntitlements, a0 as SyncPurchaseInput, a1 as makeCrossdeckError } from './crossdeck-server-DhnHvUhh.js';
 import 'node:events';
 
+/**
+ * SDK version constant — generated by `scripts/sync-sdk-versions.mjs`.
+ *
+ * Single source of truth: the `version` field in this package's
+ * package.json. The sync script writes this file so that
+ * `SDK_VERSION` is a plain TypeScript literal at runtime — no
+ * runtime JSON-import gotcha (Node ESM requires
+ * `with { type: "json" }` to import JSON as ESM, and the published
+ * dist file would otherwise fail to load).
+ *
+ * Drift protection: `node scripts/sync-sdk-versions.mjs --check` (the
+ * CI gate) flags this file when it falls out of sync with package.json.
+ * Bumping `package.json` without re-running the sync script fails CI.
+ *
+ * Do NOT edit by hand — `node scripts/sync-sdk-versions.mjs`.
+ */
+declare const SDK_VERSION = "1.3.1";
+declare const SDK_NAME = "@cross-deck/node";
+
 /**
  * Machine-readable index of every error code `@cross-deck/node` can
  * throw, with a short description and a hint on what action to take.
@@ -289,16 +308,24 @@ declare function signWebhookPayload(payload: string, secret: string, timestampSe
  *     name: "checkout.started",
  *     developerUserId: userId,
  *     properties: scrubPiiFromProperties({
- *       url: req.url, // might contain "/users/wes@…/" — gets [email]
+ *       url: req.url, // might contain "/users/wes@…/" — gets <email>
  *       lastError: e.message, // might contain card numbers
  *     }),
  *   });
  */
 /**
  * Scrub a single string value: replace email-shaped substrings with
- * `[email]` and card-number-shaped substrings with `[card]`. Returns
- * the original string (===) when nothing matched, so callers can do
- * an identity-check to skip allocating a new event copy.
+ * `<email>` and card-number-shaped substrings with `<card>`. Returns
+ * the original string (===) when nothing matched.
+ *
+ * Implementation note: we call `.replace()` unconditionally rather than
+ * gating on `.test()`. The /g regexes are module-level so `.test()`
+ * carries `lastIndex` state between calls — a prior match leaves
+ * `lastIndex` mid-string and the next `.test()` can falsely return
+ * false on a string that DOES match. `.replace(/g)` always scans the
+ * full string regardless of `lastIndex`, so dropping the test-guard
+ * removes the sharp edge at zero cost (when nothing matches, replace
+ * returns the same `(===)` string).
  */
 declare function scrubPii(value: string): string;
 /**
@@ -339,7 +366,7 @@ declare function scrubPiiFromProperties(properties: Record<string, unknown>): Re
  *   - `sdk.no_durable_store`
  *   - `sdk.super_property_registered`
  */
-type DebugSignal = "sdk.configured" | "sdk.first_event_sent" | "sdk.invalid_key" | "sdk.no_identity" | "sdk.entitlement_cache_used" | "sdk.entitlement_cache_warm" | "sdk.entitlement_cache_stale" | "sdk.entitlement_store_recovered" | "sdk.no_durable_store" | "sdk.purchase_evidence_sent" | "sdk.environment_mismatch" | "sdk.sensitive_property_warning" | "sdk.property_coerced" | "sdk.flush_retry_scheduled" | "sdk.flush_on_exit_started" | "sdk.flush_on_exit_completed" | "sdk.webhook_verified" | "sdk.runtime_detected" | "sdk.super_property_registered" | "sdk.boot_heartbeat_failed";
+type DebugSignal = "sdk.configured" | "sdk.first_event_sent" | "sdk.invalid_key" | "sdk.no_identity" | "sdk.entitlement_cache_used" | "sdk.entitlement_cache_warm" | "sdk.entitlement_cache_stale" | "sdk.entitlement_store_recovered" | "sdk.no_durable_store" | "sdk.purchase_evidence_sent" | "sdk.environment_mismatch" | "sdk.sensitive_property_warning" | "sdk.property_coerced" | "sdk.flush_retry_scheduled" | "sdk.flush_permanent_failure" | "sdk.flush_on_exit_started" | "sdk.flush_on_exit_completed" | "sdk.webhook_verified" | "sdk.runtime_detected" | "sdk.super_property_registered" | "sdk.boot_heartbeat_failed";
 interface DebugContext {
     [key: string]: unknown;
 }
@@ -348,4 +375,4 @@ interface DebugLogger {
     emit(signal: DebugSignal, message: string, context?: DebugContext): void;
 }
 
-export { CROSSDECK_ERROR_CODES, type CrossdeckErrorCode, type DebugContext, type DebugLogger, type DebugSignal, type ErrorCodeEntry, type VerifyWebhookOptions, getErrorCode, isCrossdeckErrorCode, scrubPii, scrubPiiFromProperties, signWebhookPayload, verifyWebhookSignature };
+export { CROSSDECK_ERROR_CODES, type CrossdeckErrorCode, type DebugContext, type DebugLogger, type DebugSignal, type ErrorCodeEntry, SDK_NAME, SDK_VERSION, type VerifyWebhookOptions, getErrorCode, isCrossdeckErrorCode, scrubPii, scrubPiiFromProperties, signWebhookPayload, verifyWebhookSignature };

package/dist/index.mjs

@@ -316,9 +316,11 @@ function byteLength(s) {
   return s.length * 4;
 }
 
-// src/http.ts
+// src/_version.ts
+var SDK_VERSION = "1.3.1";
 var SDK_NAME = "@cross-deck/node";
-var SDK_VERSION = "1.2.0";
+
+// src/http.ts
 var DEFAULT_BASE_URL = "https://api.cross-deck.com/v1";
 var DEFAULT_TIMEOUT_MS = 15e3;
 var CROSSDECK_API_VERSION = "2025-01-01";
@@ -831,6 +833,7 @@ var EventQueue = class {
         sdk: env.sdk
       };
       if (env.appId) body.appId = env.appId;
+      if (env.environment) body.environment = env.environment;
       const result = await this.cfg.http.request("POST", "/events", {
         body,
         idempotencyKey: batchId
@@ -849,6 +852,20 @@ var EventQueue = class {
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       this.lastError = message;
+      if (isPermanent4xx(err)) {
+        const droppedCount = batch.length;
+        this.pendingBatch = null;
+        this.pendingBatchId = null;
+        this.inFlight -= droppedCount;
+        this.dropped += droppedCount;
+        this.cfg.onDrop?.(droppedCount);
+        this.cfg.onPermanentFailure?.({
+          status: err.status ?? 0,
+          droppedCount,
+          lastError: message
+        });
+        return null;
+      }
       const retryAfterMs = extractRetryAfterMs(err);
       const delay = this.retry.nextDelay(retryAfterMs);
       this.scheduleRetry(delay);
@@ -927,6 +944,14 @@ function extractRetryAfterMs(err) {
   }
   return void 0;
 }
+function isPermanent4xx(err) {
+  if (!err || typeof err !== "object") return false;
+  const status = err.status;
+  if (typeof status !== "number" || !Number.isFinite(status)) return false;
+  if (status < 400 || status >= 500) return false;
+  if (status === 408 || status === 429) return false;
+  return true;
+}
 function defaultScheduler(fn, ms) {
   const id = setTimeout(fn, ms);
   if (typeof id.unref === "function") {
@@ -1216,16 +1241,18 @@ var ErrorTracker = class {
       const url = typeof input === "string" ? input : input?.url ?? "";
       const method = (init.method || "GET").toUpperCase();
       const start = Date.now();
-      tracker.opts.breadcrumbs.add({
-        timestamp: start,
-        category: "http",
-        message: `${method} ${url}`,
-        data: { url, method }
-      });
+      if (!isSelfRequest(url, tracker.opts.selfHostname)) {
+        tracker.opts.breadcrumbs.add({
+          timestamp: start,
+          category: "http",
+          message: `${method} ${url}`,
+          data: { url, method }
+        });
+      }
       try {
         const response = await origFetch(...args);
         if (response.status >= 500 && tracker.opts.isConsented()) {
-          if (!url.includes("api.cross-deck.com")) {
+          if (!isSelfRequest(url, tracker.opts.selfHostname)) {
             tracker.captureHttp({
               url,
               method,
@@ -1343,9 +1370,10 @@ var ErrorTracker = class {
     if (!this.passesSample(err)) return;
     if (!this.passesRateLimit(err)) return;
     let finalErr = err;
-    if (this.opts.beforeSend) {
+    const hook = this.opts.beforeSend?.();
+    if (hook) {
       try {
-        finalErr = this.opts.beforeSend(err);
+        finalErr = hook(err);
       } catch {
         finalErr = err;
       }
@@ -1571,6 +1599,22 @@ function safeClone(v) {
 function safeStringify3(v) {
   return coerceErrorPayload(v).message;
 }
+function extractSelfHostname(baseUrl) {
+  if (!baseUrl || typeof baseUrl !== "string") return null;
+  try {
+    return new URL(baseUrl).hostname.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function isSelfRequest(requestUrl, selfHostname) {
+  if (!selfHostname || !requestUrl) return false;
+  try {
+    return new URL(requestUrl).hostname.toLowerCase() === selfHostname;
+  } catch {
+    return false;
+  }
+}
 
 // src/runtime-info.ts
 import { hostname as osHostname, platform as osPlatform, release as osRelease } from "os";
@@ -2465,6 +2509,11 @@ var CrossdeckServer = class extends EventEmitter {
       intervalMs: options.eventFlushIntervalMs ?? 1500,
       envelope: () => ({
         appId: this.appId,
+        // Ship env on every batch so the backend can cross-check
+        // against the API-key-derived env and reject mismatches
+        // loudly (env_mismatch). Web has always done this; node now
+        // matches so defence-in-depth is symmetric across SDKs.
+        environment: this.env,
         sdk: { name: SDK_NAME, version: this.sdkVersion }
       }),
       onDrop: (count) => {
@@ -2480,6 +2529,20 @@ var CrossdeckServer = class extends EventEmitter {
           nextRetryMs: info.delayMs
         });
       },
+      onPermanentFailure: (info) => {
+        const headline = `[crossdeck] Event batch DROPPED (status ${info.status}): ${info.lastError}. ${info.droppedCount} event(s) lost \u2014 check your secret key + app config.`;
+        console.error(headline);
+        this.debug.emit(
+          "sdk.flush_permanent_failure",
+          headline,
+          { ...info }
+        );
+        this.emit("queue.permanent_failure", {
+          status: info.status,
+          droppedCount: info.droppedCount,
+          error: info.lastError
+        });
+      },
       onFirstFlushSuccess: () => {
         this.debug.emit("sdk.first_event_sent", "First batch landed.");
       }
@@ -2494,14 +2557,20 @@ var CrossdeckServer = class extends EventEmitter {
         report: (err) => this.reportCapturedError(err),
         getContext: () => ({ ...this.errorContext }),
         getTags: () => ({ ...this.errorTags }),
-        beforeSend: null,
-        // wired via setErrorBeforeSend; ErrorTracker reads it through the live ref below
-        isConsented: () => true
-      });
-      const trackerOpts = this.errorTracker.opts;
-      Object.defineProperty(trackerOpts, "beforeSend", {
-        get: () => this.errorBeforeSend,
-        configurable: true
+        // GETTER, not a captured value — `setErrorBeforeSend()` mutates
+        // `this.errorBeforeSend` after init() and the tracker MUST pick
+        // up the new hook on the next error. Pre-fix we worked around
+        // a captured-by-value field with `Object.defineProperty` on the
+        // tracker's private opts; the contract is now a real getter so
+        // we just hand it the closure and the hack is gone.
+        beforeSend: () => this.errorBeforeSend,
+        isConsented: () => true,
+        // Derived from the configured baseUrl at construction time.
+        // Used by the fetch wrapper to skip captureHttp on Crossdeck's
+        // own requests — pre-fix the skip was hardcoded to
+        // `api.cross-deck.com` and broke for customers on staging /
+        // regional / self-hosted base URLs (recursive capture loop).
+        selfHostname: extractSelfHostname(this.baseUrl)
       });
       this.errorTracker.install();
     }
@@ -2514,6 +2583,7 @@ var CrossdeckServer = class extends EventEmitter {
       });
       this.flushOnExit.install();
     }
+    this.emitDurabilityWarning();
     if (options.testMode !== true && options.bootHeartbeat !== false) {
       setImmediate(() => {
         void this.heartbeat().catch((err) => {
@@ -2523,25 +2593,16 @@ var CrossdeckServer = class extends EventEmitter {
             { message: err instanceof Error ? err.message : String(err) }
           );
         });
-        this.emitBootTelemetry();
+        this.emitBootTelemetryEvent();
       });
     }
   }
   /**
-   * Emit the one-time `sdk.boot` telemetry event and, when the runtime
-   * is serverless with no `entitlementStore`, the honest "no cold-start
-   * durability" warning.
-   *
-   * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
-   * carries no request body, so it cannot transport a structured
-   * `durability` fact. The event pipeline can — every `track()` event
-   * lands as an aggregatable document the backend can query, so
-   * Crossdeck can compute fleet-wide "% serverless-with-no-durable-
-   * store" from `sdk.boot` events (denominator = all `sdk.boot`,
-   * numerator = those with `durability.coldStartDurable === false`).
-   * The event rides the existing batched + retried + idempotent queue
-   * and is drained by flush-on-exit, so it survives a serverless
-   * teardown — it is NOT a local-only debug log.
+   * Emit the honest "no cold-start durability" warning when the runtime
+   * is serverless AND no `entitlementStore` is wired. Local-only debug
+   * signal — no network call, no phone-home. Safe to fire from the
+   * constructor before `setImmediate` because there is no I/O on this
+   * path.
    *
    * `isServerless` AND no store is the gap: a cold start begins with an
    * empty in-memory cache and a brief Crossdeck outage in that window
@@ -2549,14 +2610,15 @@ var CrossdeckServer = class extends EventEmitter {
    * unavoidable without a store — so the SDK STATES it (a
    * `sdk.no_durable_store` debug warning) rather than hiding it.
    *
-   * Called once, from the deferred boot block — so it inherits the
-   * `testMode` / `bootHeartbeat:false` opt-outs and never fires before
-   * the constructor returns.
+   * Audit P1 #9: this used to live INSIDE `emitBootTelemetry()` which
+   * itself sat inside the `bootHeartbeat` gate, so any developer who
+   * set `bootHeartbeat: false` silently disabled the entire reason
+   * `entitlementStore` exists. Now split: warning fires
+   * unconditionally; the boot phone-home stays gated.
    */
-  emitBootTelemetry() {
+  emitDurabilityWarning() {
     const isServerless = this.runtime.isServerless;
     const hasStore = this.entitlementStore !== null;
-    const coldStartDurable = hasStore || !isServerless;
     if (isServerless && !hasStore) {
       this.debug.emit(
         "sdk.no_durable_store",
@@ -2564,6 +2626,26 @@ var CrossdeckServer = class extends EventEmitter {
         { host: this.runtime.host, isServerless, durableStore: false }
       );
     }
+  }
+  /**
+   * Emit the one-time `sdk.boot` telemetry event — the aggregatable
+   * fact the backend pivots on (compute fleet-wide
+   * "% serverless-with-no-durable-store"). Rides the batched + retried
+   * + idempotent queue and is drained by flush-on-exit, so it survives
+   * a serverless teardown.
+   *
+   * Why a `track()` event and not the heartbeat: `GET /v1/sdk/heartbeat`
+   * carries no request body, so it cannot transport a structured
+   * `durability` fact.
+   *
+   * Gated by `bootHeartbeat` (and `testMode`) because it IS a phone-
+   * home — the unconditional surface is `emitDurabilityWarning()`,
+   * which has no network call.
+   */
+  emitBootTelemetryEvent() {
+    const isServerless = this.runtime.isServerless;
+    const hasStore = this.entitlementStore !== null;
+    const coldStartDurable = hasStore || !isServerless;
     try {
       this.track({
         name: "sdk.boot",
@@ -2875,7 +2957,13 @@ var CrossdeckServer = class extends EventEmitter {
     const normalized = events.map((event) => this.normalizeIngestEvent(event));
     const body = {
       events: normalized,
-      sdk: { name: SDK_NAME, version: this.sdkVersion }
+      sdk: { name: SDK_NAME, version: this.sdkVersion },
+      // Match the queue's batch envelope (see event-queue.ts) — backend
+      // cross-checks `environment` against the API-key-derived env and
+      // rejects mismatches loudly (env_mismatch). Pre-fix this direct
+      // ingest path skipped env, so a "live key, env: sandbox"
+      // misconfig fell through silently for the bulk-import path.
+      environment: this.env
     };
     if (this.appId) body.appId = this.appId;
     return this.http.request("POST", "/events", {
@@ -2940,8 +3028,9 @@ var CrossdeckServer = class extends EventEmitter {
         message: "syncPurchases requires a signedTransactionInfo string."
       });
     }
+    const rail = input.rail ?? "apple";
     return this.http.request("POST", "/purchases/sync", {
-      body: { rail: input.rail ?? "apple", ...input },
+      body: { ...input, rail },
       signal: options?.signal,
       timeoutMs: options?.timeoutMs
     });
@@ -3536,10 +3625,21 @@ var CrossdeckServer = class extends EventEmitter {
    * Resolve any hint shape (canonical customerId / userId hint /
    * anonymousId hint / raw string) to a `crossdeckCustomerId` if we
    * have a cache entry for it.
+   *
+   * String overload is STRICT on the canonical-id shape. Pre-fix
+   * `isFresh(raw)` treated any string with a cache entry as a valid
+   * canonical id — if tenant A's userId happened to collide with
+   * tenant B's crossdeckCustomerId, A's call would resolve to B's
+   * cached entitlements. Bounded by the `cdcust_` prefix convention
+   * (which both SDKs and the backend mint, see
+   * backend/src/lib/customers.ts) — anything else is treated purely
+   * as an alias lookup, never as a canonical id. Audit P1 #19.
    */
   resolveCacheCustomerId(hint) {
     if (typeof hint === "string") {
-      if (this.entitlementCache.isFresh(hint)) return hint;
+      if (hint.startsWith("cdcust_") && this.entitlementCache.isFresh(hint)) {
+        return hint;
+      }
       return this.customerIdAliases.get(hint) ?? null;
     }
     if (hint.customerId) return hint.customerId;
@@ -3915,20 +4015,11 @@ function normaliseSecrets(input) {
 // src/consent.ts
 var EMAIL_PATTERN = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
 var CARD_PATTERN = /\b\d(?:[ -]?\d){12,18}\b/g;
-var REPLACEMENT_EMAIL = "[email]";
-var REPLACEMENT_CARD = "[card]";
+var REPLACEMENT_EMAIL = "<email>";
+var REPLACEMENT_CARD = "<card>";
 function scrubPii(value) {
   if (!value) return value;
-  let out = value;
-  if (EMAIL_PATTERN.test(out)) {
-    out = out.replace(EMAIL_PATTERN, REPLACEMENT_EMAIL);
-  }
-  EMAIL_PATTERN.lastIndex = 0;
-  if (CARD_PATTERN.test(out)) {
-    out = out.replace(CARD_PATTERN, REPLACEMENT_CARD);
-  }
-  CARD_PATTERN.lastIndex = 0;
-  return out;
+  return value.replace(EMAIL_PATTERN, REPLACEMENT_EMAIL).replace(CARD_PATTERN, REPLACEMENT_CARD);
 }
 function scrubPiiFromProperties(properties) {
   const out = {};