@cross-deck/node 1.5.2 → 1.6.0

package/CHANGELOG.md

@@ -4,6 +4,37 @@ All notable changes to `@cross-deck/node` will be documented here. The
 format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.6.0] — 2026-06-10
+
+Event Envelope v1 conformance — server-enforced contract (spec
+`backend/docs/event-envelope-spec-v1.md`).
+
+**Added:**
+
+- **`envelopeVersion: 1`** (integer) on every batch POST body. Both the
+  queue-flush path (`EventQueue.flush()`) and the direct `ingest()` path
+  now emit this field. The server will reject payloads missing this field
+  once ingest enforcement lands.
+- **`seq`** (number) on every wire event — per-session monotonic sequence
+  number. Captured synchronously with the event's `timestamp` at
+  `track()` / enqueue time. Counter starts at 0 when the `CrossdeckServer`
+  instance is constructed (session start) and increments once per event.
+  Matches spec §3: monotonic within a session, never reset between
+  background/foreground (Node has no such lifecycle; the instance lifetime
+  IS the session).
+- **`context`** (object) on every wire event — standardized device/platform
+  context (spec §4), promoted out of `properties`. Common fields: `os`,
+  `osVersion`, `appVersion`, `sdkName`, `sdkVersion`, `locale`, `timezone`.
+  Node-specific: `nodeVersion`, `host`, `region` (the existing
+  `runtime.*` props, promoted).
+
+**Changed:**
+
+- `track()` no longer merges `runtime.*` keys into `properties`. Those
+  facts now live in the top-level `context` object on the wire event.
+  Super-properties registered via `server.register()` continue to appear
+  in `properties` unchanged (caller-supplied values are unaffected).
+
 ## [1.5.1] — 2026-05-27
 
 `crossdeck.contract_failed` is now single-fire to a dedicated

package/dist/auto-events/index.d.mts

@@ -1,4 +1,4 @@
-import { p as CrossdeckServer } from '../crossdeck-server-DhnHvUhh.mjs';
+import { w as CrossdeckServer } from '../crossdeck-server-C1Ue0rv4.mjs';
 import 'node:events';
 
 /**

package/dist/auto-events/index.d.ts

@@ -1,4 +1,4 @@
-import { p as CrossdeckServer } from '../crossdeck-server-DhnHvUhh.js';
+import { w as CrossdeckServer } from '../crossdeck-server-C1Ue0rv4.js';
 import 'node:events';
 
 /**

package/dist/contracts.json

@@ -0,0 +1,557 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "generatedAt": "2026-06-10T12:59:27.493Z",
+  "sdk": "@cross-deck/node",
+  "sdkVersion": "1.6.0",
+  "bundledIn": "@cross-deck/node@1.6.0",
+  "count": 10,
+  "contracts": [
+    {
+      "id": "contract-failed-payload-schema-lock",
+      "pillar": "diagnostics",
+      "status": "enforced",
+      "claim": "The `crossdeck.contract_failed` event payload contains ONLY the named diagnostic fields and never any end-user personal data. The wire shape is fixed — adding a new field requires (1) a pull request that updates this contract's `allowedFields` set, (2) a Privacy Policy §6 amendment, and (3) the Customer Disclosure Template / SDK Data Collection Reference §B updates. Per-SDK assertion tests enforce the field set on every release. The `verification_phase` field is a categorical bucket — values are restricted to `boot` (the SDK self-test ran on Crossdeck.start) or `hot_path` (a verifier observed a real customer-triggered operation). The categorical nature is what preserves the diagnostic-only-not-personal classification. This is the structural guarantee that backs the independent-controller lawful basis in the Privacy Policy: the payload remains diagnostic-only, not personal, so the legitimate-interest analysis stays valid as the SDK evolves.",
+      "appliesTo": [
+        "web",
+        "node",
+        "swift",
+        "android",
+        "react-native"
+      ],
+      "allowedFields": {
+        "required": [
+          "contract_id",
+          "sdk_version",
+          "sdk_platform",
+          "failure_reason",
+          "run_context",
+          "run_id"
+        ],
+        "optional": [
+          "test_file",
+          "test_name",
+          "device_class",
+          "verification_phase"
+        ],
+        "forbidden": [
+          "anonymousId",
+          "developerUserId",
+          "crossdeckCustomerId",
+          "email",
+          "ip",
+          "user_agent",
+          "message",
+          "stack",
+          "stack_trace",
+          "frames",
+          "exception_message",
+          "url",
+          "path",
+          "screen",
+          "title",
+          "label",
+          "text",
+          "ariaLabel",
+          "accessibilityLabel",
+          "contentDescription",
+          "session_id",
+          "sessionId"
+        ]
+      },
+      "transport": "Telemetry is single-fire to the Crossdeck reliability endpoint only — NOT the customer's appId. The customer's track() pipeline never carries `crossdeck.*` events; the customer's dashboard never shows individual contract failures. Operational telemetry flows one-way to the Crossdeck operations team for SDK reliability purposes (legitimate interest, independent-controller flow per Privacy Policy §6). The reliability endpoint is hardcoded at SDK build time; the publishable key for the reliability project is embedded as a constant and rejects writes that don't match the schema.",
+      "codeRef": [
+        "sdks/web/src/crossdeck.ts",
+        "sdks/node/src/crossdeck-server.ts",
+        "sdks/swift/Sources/Crossdeck/Crossdeck.swift",
+        "sdks/swift/Sources/Crossdeck/_DiagnosticTelemetry.swift",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/Crossdeck.kt",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/_DiagnosticTelemetry.kt",
+        "sdks/react-native/src/crossdeck.ts",
+        "backend/src/api/v1-sdk-diagnostic.ts",
+        "sdks/web/src/_diagnostic-telemetry.ts",
+        "sdks/node/src/_diagnostic-telemetry.ts",
+        "sdks/react-native/src/_diagnostic-telemetry.ts"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/web/tests/contract-failed-schema-lock.test.ts",
+          "name": "reportContractFailure payload conforms to schema-lock"
+        },
+        {
+          "file": "sdks/node/tests/contract-failed-schema-lock.test.ts",
+          "name": "reportContractFailure payload conforms to schema-lock"
+        },
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/ContractFailedSchemaLockTests.swift",
+          "name": "test_reportContractFailure_payloadFieldsAreInAllowList"
+        },
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/ContractFailedSchemaLockTests.swift",
+          "name": "test_reportContractFailure_doesNotEnterCustomerTrackPipeline"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/test/kotlin/com/crossdeck/ContractFailedSchemaLockTest.kt",
+          "name": "reportContractFailure payload conforms to schema-lock"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/test/kotlin/com/crossdeck/ContractFailedSchemaLockTest.kt",
+          "name": "reportContractFailure does not enter customer track pipeline"
+        },
+        {
+          "file": "sdks/react-native/tests/contract-failed-schema-lock.test.ts",
+          "name": "reportContractFailure payload conforms to schema-lock"
+        },
+        {
+          "file": "backend/tests/unit/v1-sdk-diagnostic.test.ts",
+          "name": "forbidden fields are enumerated in the schema-lock contract"
+        },
+        {
+          "file": "backend/tests/unit/v1-sdk-diagnostic.test.ts",
+          "name": "required fields are enumerated in the schema-lock contract"
+        },
+        {
+          "file": "backend/tests/unit/v1-sdk-diagnostic.test.ts",
+          "name": "regression guard: never returns a raw IP"
+        },
+        {
+          "file": "backend/tests/unit/v1-sdk-diagnostic.test.ts",
+          "name": "verification_phase is in the optional field set"
+        }
+      ],
+      "registeredAt": "2026-05-27",
+      "firstRegisteredIn": "Diagnostic telemetry single-fire + schema-lock — independent-controller flow",
+      "privacyReferences": [
+        "legal/privacy/index.html#sdk-diagnostic",
+        "legal/customer-disclosure/index.html#flow-b",
+        "legal/security/index.html#diagnostic",
+        "legal/sdk-data/index.html#b-diagnostic"
+      ],
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "documentation-honesty",
+      "pillar": "webhooks",
+      "status": "enforced",
+      "claim": "Customer-facing documentation honestly tags outbound webhook delivery as ROADMAP (no signer, no worker, no scheduler in backend/src yet). The Node verifier helper exists today for fixture authoring + locking the validation contract surface BEFORE delivery ships — its jsdoc carries an explicit `[ROADMAP]` disclaimer so a developer reading the source doesn't assume Crossdeck sends webhooks today. The rail-webhooks doc no longer claims state surfaces 'through the dashboard, SDKs, and outbound webhooks' — outbound is gated to the explicit roadmap section.",
+      "appliesTo": [
+        "node",
+        "backend"
+      ],
+      "codeRef": [
+        "sdks/node/src/webhooks.ts",
+        "docs/rail-webhooks/index.html",
+        "docs/webhooks-receive/index.html"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/node/src/webhooks.ts",
+          "name": "[ROADMAP — v1.4.0 honesty note]"
+        },
+        {
+          "file": "docs/rail-webhooks/index.html",
+          "name": "Outbound push-to-your-backend webhooks are <strong>roadmap</strong>"
+        },
+        {
+          "file": "docs/webhooks-receive/index.html",
+          "name": "This feature is on the roadmap"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 7.1",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "error-envelope-shape",
+      "pillar": "errors",
+      "status": "enforced",
+      "claim": "Every v1 REST endpoint returns errors in a Stripe-shape envelope: `{ error: { type, code, message, request_id } }` where `type` is one of authentication_error / permission_error / invalid_request_error / rate_limit_error / internal_error (the wire vocabulary in backend/src/api/v1-errors.ts ApiErrorType). HTTP status parity: invalid_request_error → 400, authentication_error → 401, permission_error → 403, rate_limit_error → 429, internal_error → 500. SDK-side clients parse this shape via `crossdeckErrorFromResponse` (Web/Node/RN) / `crossdeckErrorFrom(response:)` (Swift) / `crossdeckErrorFromResponse` (Android) and surface the request_id verbatim so support traces are end-to-end joinable. Firebase callable endpoints (managed-keys / dashboard auth) use the Firebase HttpsError envelope instead — this contract applies to REST /v1/* only.",
+      "appliesTo": [
+        "web",
+        "node",
+        "react-native",
+        "swift",
+        "android",
+        "backend"
+      ],
+      "codeRef": [
+        "backend/src/api/v1-errors.ts",
+        "sdks/web/src/errors.ts",
+        "sdks/node/src/errors.ts",
+        "sdks/react-native/src/errors.ts",
+        "sdks/swift/Sources/Crossdeck/Errors.swift",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/Errors.kt"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/ErrorsTests.swift",
+          "name": "test_errorEnvelope_fallsBackOnGarbageBody"
+        },
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/ErrorsTests.swift",
+          "name": "test_errorEnvelope_reads_XRequestId_fallback"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/test/kotlin/com/crossdeck/ErrorTypeWireVocabTest.kt",
+          "name": "backend 500 response parses to INTERNAL_ERROR"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 8 (codifies existing contract)",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "flush-interval-parity",
+      "pillar": "analytics",
+      "status": "enforced",
+      "claim": "Every Crossdeck SDK defaults its event-queue flush interval to 2000ms — the Stripe-adjacent industry norm. Pre-v1.4.0 the defaults disagreed (Web/Node 1500ms; RN/Swift/Android 5000ms), so cross-platform funnels saw events landing at different cadences. Per-instance override stays — call sites can still tune it freely.",
+      "appliesTo": [
+        "web",
+        "node",
+        "react-native",
+        "swift",
+        "android"
+      ],
+      "codeRef": [
+        "sdks/web/src/crossdeck.ts",
+        "sdks/node/src/crossdeck-server.ts",
+        "sdks/react-native/src/crossdeck.ts",
+        "sdks/swift/Sources/Crossdeck/EventQueue.swift",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/EventQueue.kt"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/swift/Sources/Crossdeck/EventQueue.swift",
+          "name": "flushIntervalMs: Int = 2_000"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/EventQueue.kt",
+          "name": "flushIntervalMs: Long = 2_000L"
+        },
+        {
+          "file": "sdks/web/src/crossdeck.ts",
+          "name": "options.eventFlushIntervalMs ?? 2000"
+        },
+        {
+          "file": "sdks/node/src/crossdeck-server.ts",
+          "name": "options.eventFlushIntervalMs ?? 2000"
+        },
+        {
+          "file": "sdks/react-native/src/crossdeck.ts",
+          "name": "options.eventFlushIntervalMs ?? 2000"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 3.3",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "idempotency-key-deterministic",
+      "pillar": "revenue",
+      "status": "enforced",
+      "claim": "syncPurchases() on every SDK derives a deterministic Idempotency-Key from the request body (UUID-shaped SHA-256 of `crossdeck:purchases/sync:<rail>:<jws|token>`). Same input -> same key. Backend short-circuits same-key-same-body retries by returning the cached response (status + body) with `idempotent_replay: true` flag in the body AND `Idempotent-Replayed: true` response header. Same-key-different-body returns 400 `idempotency_key_in_use`. 24-hour TTL matches Stripe. Cache only stores 2xx responses — 4xx/5xx pass through so callers can fix bugs and retry. Helper returns nil/throws on missing identifier (no silent random fallback). Cross-SDK parity is CI-pinned: deriveForPurchase('apple', 'eyJ.jws.sig') MUST equal 'a66b1640-efaf-bb4d-1261-6650033bf111' on every SDK.",
+      "appliesTo": [
+        "web",
+        "node",
+        "react-native",
+        "swift",
+        "android",
+        "backend"
+      ],
+      "codeRef": [
+        "sdks/web/src/idempotency-key.ts",
+        "sdks/web/src/crossdeck.ts",
+        "sdks/react-native/src/idempotency-key.ts",
+        "sdks/react-native/src/crossdeck.ts",
+        "sdks/node/src/idempotency-key.ts",
+        "sdks/node/src/crossdeck-server.ts",
+        "sdks/swift/Sources/Crossdeck/IdempotencyKey.swift",
+        "sdks/swift/Sources/Crossdeck/Crossdeck.swift",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/IdempotencyKey.kt",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/Crossdeck.kt",
+        "backend/src/lib/idempotency-response-cache.ts",
+        "backend/src/api/v1-purchases.ts"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/web/tests/idempotency-key.test.ts",
+          "name": "cross-SDK oracle — apple JWS pins canonical vector"
+        },
+        {
+          "file": "sdks/web/tests/idempotency-key.test.ts",
+          "name": "is deterministic: same body twice -> identical key"
+        },
+        {
+          "file": "sdks/web/tests/idempotency-key.test.ts",
+          "name": "same identifier under different rails -> different keys"
+        },
+        {
+          "file": "sdks/web/tests/idempotency-key.test.ts",
+          "name": "never silently falls back to a random key on missing identifier"
+        },
+        {
+          "file": "sdks/react-native/tests/idempotency-key.test.ts",
+          "name": "is deterministic"
+        },
+        {
+          "file": "sdks/react-native/tests/idempotency-key.test.ts",
+          "name": "cross-SDK oracle — apple JWS pins canonical vector"
+        },
+        {
+          "file": "sdks/node/tests/idempotency-key.test.ts",
+          "name": "is deterministic"
+        },
+        {
+          "file": "sdks/node/tests/idempotency-key.test.ts",
+          "name": "rail namespacing prevents cross-rail collisions"
+        },
+        {
+          "file": "sdks/node/tests/idempotency-key.test.ts",
+          "name": "apple JWS produces the canonical pinned UUID across all 5 SDKs"
+        },
+        {
+          "file": "backend/tests/unit/idempotency-response-cache.test.ts",
+          "name": "is deterministic for the same input"
+        },
+        {
+          "file": "backend/tests/unit/idempotency-response-cache.test.ts",
+          "name": "injects idempotent_replay: true into a JSON object body"
+        },
+        {
+          "file": "backend/tests/unit/idempotency-response-cache.test.ts",
+          "name": "matches Stripe's 24-hour idempotency window"
+        },
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/IdempotencyKeyTests.swift",
+          "name": "test_crossSdkOracle_appleJWS"
+        },
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/IdempotencyKeyTests.swift",
+          "name": "test_railNamespacing_preventsCrossRailCollisions"
+        },
+        {
+          "file": "sdks/swift/Tests/CrossdeckTests/IdempotencyKeyTests.swift",
+          "name": "test_missingIdentifier_returnsNil"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/test/kotlin/com/crossdeck/IdempotencyKeyTest.kt",
+          "name": "cross-SDK oracle for apple JWS"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/test/kotlin/com/crossdeck/IdempotencyKeyTest.kt",
+          "name": "rail namespacing prevents cross-rail collisions"
+        },
+        {
+          "file": "sdks/android/crossdeck/src/test/kotlin/com/crossdeck/IdempotencyKeyTest.kt",
+          "name": "missing identifier returns null - never silent random fallback"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 2.2.a + 2.2.b + 2.2.c",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "node-pii-scrubber",
+      "pillar": "analytics",
+      "status": "enforced",
+      "claim": "Node SDK's track() applies scrubPiiFromProperties on the enqueue path — parity with Web/RN/Swift. Pre-v1.4.0 the Node SDK was the ONLY one that skipped this, shipping every track() payload UNREDACTED despite the README promising parity. CrossdeckServerOptions.scrubPii defaults to true; explicit false opts out for regulator-required audit trails with a documented blast-radius warning.",
+      "appliesTo": [
+        "node"
+      ],
+      "codeRef": [
+        "sdks/node/src/crossdeck-server.ts",
+        "sdks/node/src/types.ts",
+        "sdks/node/src/consent.ts"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/node/tests/track-pii-scrub.test.ts",
+          "name": "by default redacts email-shaped values to <email>"
+        },
+        {
+          "file": "sdks/node/tests/track-pii-scrub.test.ts",
+          "name": "redacts card-number-shaped values to <card>"
+        },
+        {
+          "file": "sdks/node/tests/track-pii-scrub.test.ts",
+          "name": "walks nested maps + arrays"
+        },
+        {
+          "file": "sdks/node/tests/track-pii-scrub.test.ts",
+          "name": "scrubPii: false preserves the raw payload (opt-out)"
+        },
+        {
+          "file": "sdks/node/tests/track-pii-scrub.test.ts",
+          "name": "scrubPii: true is the default when option is omitted"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 3.1",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "node-shutdown-awaits-flush",
+      "pillar": "lifecycle",
+      "status": "enforced",
+      "claim": "Node SDK's async shutdown() awaits the internal flush() before tearing down the queue. A queue with pending events at sync-shutdown time (shutdownSync() or [Symbol.dispose]) logs a console.warn with the dropped-event count — silent loss is incompatible with the bank-grade contract. [Symbol.asyncDispose] is equivalent to await server.shutdown().",
+      "appliesTo": [
+        "node"
+      ],
+      "codeRef": [
+        "sdks/node/src/crossdeck-server.ts"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/node/tests/shutdown-flush.test.ts",
+          "name": "async shutdown() flushes queued events before clearing"
+        },
+        {
+          "file": "sdks/node/tests/shutdown-flush.test.ts",
+          "name": "async shutdown() proceeds with teardown even if flush fails"
+        },
+        {
+          "file": "sdks/node/tests/shutdown-flush.test.ts",
+          "name": "sync shutdownSync() warns when the buffer has events at teardown"
+        },
+        {
+          "file": "sdks/node/tests/shutdown-flush.test.ts",
+          "name": "[Symbol.asyncDispose] equals await server.shutdown()"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 5.4",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "sdk-error-codes-catalogue",
+      "pillar": "errors",
+      "status": "enforced",
+      "claim": "Web + Node SDK error-codes catalogues include EVERY backend-emitted ApiErrorCode with a description + resolution. Pre-v1.4.0 the catalogues documented codes the SDK threw ITSELF but ZERO backend codes — a developer hitting `invalid_api_key` / `origin_not_allowed` / `bundle_id_not_allowed` / `env_mismatch` / `idempotency_key_in_use` etc. got `undefined` from getErrorCode() and had to hunt for guidance. v1.4.0 backfills the catalogue from backend/src/api/v1-errors.ts so every wire code has a canonical 'what does this mean / what should I do' answer Stripe-style.",
+      "appliesTo": [
+        "web",
+        "node"
+      ],
+      "codeRef": [
+        "sdks/web/src/error-codes.ts",
+        "sdks/node/src/error-codes.ts",
+        "sdks/web/src/_contract-verifiers.ts",
+        "backend/src/api/v1-errors.ts"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/web/tests/contract-verifiers.test.ts",
+          "name": "sdk-error-codes-catalogue covers every backend wire code with remediation"
+        },
+        {
+          "file": "sdks/web/tests/error-codes-backfill.test.ts",
+          "name": "includes backend code"
+        },
+        {
+          "file": "sdks/web/tests/error-codes-backfill.test.ts",
+          "name": "invalid_api_key resolution points at the dashboard"
+        },
+        {
+          "file": "sdks/web/tests/error-codes-backfill.test.ts",
+          "name": "idempotency_key_in_use resolution mentions Stripe-grade contract"
+        },
+        {
+          "file": "sdks/web/tests/error-codes-backfill.test.ts",
+          "name": "identity-lock codes carry permission_error type"
+        },
+        {
+          "file": "sdks/web/tests/error-codes-backfill.test.ts",
+          "name": "no entry has an empty description or resolution"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 6.2",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "sync-purchases-funnel-parity",
+      "pillar": "analytics",
+      "status": "enforced",
+      "claim": "Manual syncPurchases() emits a `purchase.completed` analytics event on success across ALL SDKs (Web / Node / RN / Swift / Android). Pre-v1.4.0 only Swift/Android auto-track emitted it — Web/Node/RN manual calls + Swift/Android manual calls fired ZERO analytics. Schema mirrors the auto-track event name + rail/productId/subscriptionId so cross-platform funnels reconcile on every payment path. When the backend short-circuits via the v1.4.0 idempotency cache, the event also carries `idempotent_replay: true`.",
+      "appliesTo": [
+        "web",
+        "node",
+        "react-native",
+        "swift",
+        "android"
+      ],
+      "codeRef": [
+        "sdks/web/src/crossdeck.ts",
+        "sdks/node/src/crossdeck-server.ts",
+        "sdks/react-native/src/crossdeck.ts",
+        "sdks/swift/Sources/Crossdeck/Crossdeck.swift",
+        "sdks/android/crossdeck/src/main/kotlin/com/crossdeck/Crossdeck.kt"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/web/tests/sync-purchases-funnel.test.ts",
+          "name": "emits purchase.completed after a successful sync"
+        },
+        {
+          "file": "sdks/web/tests/sync-purchases-funnel.test.ts",
+          "name": "carries idempotent_replay=true when backend replied from cache"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 3.5",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    },
+    {
+      "id": "verifier-timestamp-mandatory",
+      "pillar": "webhooks",
+      "status": "enforced",
+      "claim": "Node verifyWebhookSignature() enforces a MANDATORY timestamp window. Pre-v1.4.0 the helper silently disabled replay protection on tolerance=0 (`if (tolerance > 0)` skipped the check) and on Infinity/NaN/null (`Math.abs(...) > Infinity = false`). v1.4.0 rejects non-finite / negative / above-24h-cap tolerances at the boundary with typed `webhook_invalid_tolerance` and always runs the drift check. Verification failures are surfaced via distinguishable codes: `webhook_signature_mismatch` (wrong-secret signal), `webhook_timestamp_outside_tolerance` (replay-attack signal — alert separately), `webhook_timestamp_missing` (header absent/malformed), `webhook_payload_not_json` (tampered post-signing), `webhook_missing_secret`, `webhook_invalid_tolerance` — replaces the pre-1.4.0 single `webhook_invalid_signature` catch-all.",
+      "appliesTo": [
+        "node"
+      ],
+      "codeRef": [
+        "sdks/node/src/webhooks.ts",
+        "sdks/node/src/error-codes.ts"
+      ],
+      "testRef": [
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "tolerance of 0 still enforces the replay window (v1.4.0 — cannot disable)"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "rejects Infinity tolerance (would silently disable replay protection)"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "rejects NaN tolerance"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "rejects negative tolerance"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "rejects tolerance above the 24h cap"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "rejects non-number tolerance (null / string)"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "accepts tolerance exactly at the 24h cap"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "malformed header (no t= or no v1=) throws webhook_timestamp_missing"
+        },
+        {
+          "file": "sdks/node/tests/webhooks.test.ts",
+          "name": "valid signature but non-JSON payload throws webhook_payload_not_json"
+        }
+      ],
+      "registeredAt": "2026-05-26",
+      "firstRegisteredIn": "bank-grade reconciliation v1.4.0 — phase 7.2",
+      "bundledIn": "@cross-deck/node@1.6.0"
+    }
+  ]
+}