@hogsend/engine 0.8.0 → 0.10.0

package/src/lib/mailer.ts

@@ -1,8 +1,8 @@
 import type {
   BatchEmailItem,
+  EmailEvent,
+  EmailEventType,
   EmailProvider,
-  WebhookEvent,
-  WebhookEventType,
   WebhookHandlerMap,
 } from "@hogsend/core";
 import type { Database } from "@hogsend/db";
@@ -13,23 +13,23 @@ import type {
   TemplateName,
 } from "@hogsend/email";
 import { getTemplate, renderToHtml, renderToPlainText } from "@hogsend/email";
-import { eq, sql } from "drizzle-orm";
-import type {
-  EmailService,
-  EmailServiceConfig,
-  EmailServiceSendOptions,
-  EmailServiceWebhookOptions,
-  EmailServiceWebhookResult,
-  SendRawOptions,
-  SendResult,
-  TrackedSendResult,
+import { eq, inArray, sql } from "drizzle-orm";
+import {
+  type EmailService,
+  type EmailServiceConfig,
+  type EmailServiceSendOptions,
+  type EmailServiceWebhookResult,
+  type SendRawOptions,
+  type SendResult,
+  type TrackedSendResult,
+  trackedSendResult,
 } from "./email-service-types.js";
 import { hatchet } from "./hatchet.js";
 import { createLogger } from "./logger.js";
 import { emitOutbound } from "./outbound.js";
 import type { PrepareTrackedHtmlFn } from "./tracked.js";
 import { sendTrackedEmail } from "./tracked.js";
-import { resolveEmailSendContextByResendId } from "./tracking-events.js";
+import { resolveEmailSendContextByMessageId } from "./tracking-events.js";
 
 // Fallback logger for the provider-webhook outbound emit — `config.logger` is
 // optional, but `emitOutbound` requires one. Mirrors the engine-lib singleton
@@ -37,7 +37,7 @@ import { resolveEmailSendContextByResendId } from "./tracking-events.js";
 const emitLogger = createLogger(process.env.LOG_LEVEL);
 
 const WEBHOOK_TO_STATUS_FIELD: Partial<
-  Record<WebhookEventType, keyof typeof emailSends.$inferSelect>
+  Record<EmailEventType, keyof typeof emailSends.$inferSelect>
 > = {
   "email.sent": "sentAt",
   "email.delivered": "deliveredAt",
@@ -47,7 +47,7 @@ const WEBHOOK_TO_STATUS_FIELD: Partial<
   "email.complained": "complainedAt",
 };
 
-const WEBHOOK_TO_STATUS: Partial<Record<WebhookEventType, string>> = {
+const WEBHOOK_TO_STATUS: Partial<Record<EmailEventType, string>> = {
   "email.sent": "sent",
   "email.delivered": "delivered",
   "email.opened": "opened",
@@ -56,6 +56,10 @@ const WEBHOOK_TO_STATUS: Partial<Record<WebhookEventType, string>> = {
   "email.complained": "complained",
 };
 
+/** Max recipients we will iterate on a bounce/complaint, to avoid a fan-out
+ * webhook mass-suppressing addresses. Above this we log + skip suppression. */
+const MAX_SUPPRESSION_RECIPIENTS = 100;
+
 /**
  * The engine-owned high-level mailer. It owns the full send pipeline —
  * render → preference/suppression check → tracked-html rewrite → `email_sends`
@@ -78,6 +82,27 @@ export function createTrackedMailer(
     return overrideFrom ?? config.defaultFrom;
   }
 
+  /**
+   * Drop `scheduledAt` unless the active provider declares
+   * `capabilities.scheduledSend`. A provider that can't natively schedule (e.g.
+   * Postmark/SES) would silently ignore it — so the engine strips it and logs a
+   * WARN pointing at the durable alternative (`ctx.sleepUntil`).
+   */
+  function applyScheduledAtGate<T extends { scheduledAt?: string }>(
+    opts: T,
+  ): T {
+    if (opts.scheduledAt && provider.capabilities?.scheduledSend !== true) {
+      (config.logger ?? emitLogger).warn(
+        `scheduledAt ignored: provider ${
+          provider.meta?.id ?? "resend"
+        } has no native scheduled send; use ctx.sleepUntil`,
+      );
+      const { scheduledAt: _dropped, ...rest } = opts;
+      return rest as T;
+    }
+    return opts;
+  }
+
   const service: EmailService = {
     async send<K extends TemplateName>(
       options: EmailServiceSendOptions<K>,
@@ -118,25 +143,30 @@ export function createTrackedMailer(
         props: options.props,
         registry,
       });
+      // HTML-ONLY wire — the engine ALWAYS renders React → HTML itself before
+      // the provider. React Email stays first-class for authoring/Studio; it
+      // never crosses the provider boundary.
+      const html = await renderToHtml(element);
       const result = await provider.send({
         from,
         to: options.to,
         subject: options.subject ?? defaultSubject,
-        react: element,
+        html,
         tags: options.tags,
         headers: options.headers,
         replyTo: options.replyTo,
       });
 
-      return {
+      return trackedSendResult({
         emailSendId: "",
-        resendId: result.id,
+        messageId: result.id,
         status: "sent",
-      };
+      });
     },
 
     async sendRaw(options: SendRawOptions): Promise<SendResult> {
-      return provider.send({ ...options, from: resolveFrom(options.from) });
+      const gated = applyScheduledAtGate(options);
+      return provider.send({ ...gated, from: resolveFrom(options.from) });
     },
 
     async sendBatch(options: {
@@ -167,23 +197,14 @@ export function createTrackedMailer(
     },
 
     async handleWebhook(
-      options: EmailServiceWebhookOptions,
+      event: EmailEvent,
+      _providerId?: string,
     ): Promise<EmailServiceWebhookResult> {
-      if (!config.webhookSecret) {
-        throw new Error(
-          "webhookSecret is required in EmailServiceConfig to handle webhooks",
-        );
-      }
-
+      // The route owns provider resolution + signature verification and hands us
+      // an already-verified, provider-neutral EmailEvent. No secret gate here —
+      // each provider owns its own webhook secret at construction time.
       const userHandlers: WebhookHandlerMap = config.webhookHandlers ?? {};
-
-      const event = provider.verifyWebhook({
-        payload: options.payload,
-        headers: options.headers,
-      });
-
       const handled = await dispatchWebhook(event, userHandlers);
-
       return { type: event.type, handled };
     },
   };
@@ -191,7 +212,7 @@ export function createTrackedMailer(
   const bounceThreshold = config.bounceThreshold ?? 3;
 
   async function dispatchWebhook(
-    event: WebhookEvent,
+    event: EmailEvent,
     userHandlers: WebhookHandlerMap,
   ): Promise<boolean> {
     switch (event.type) {
@@ -199,44 +220,59 @@ export function createTrackedMailer(
         // `email.sent` is emitted FIRST-PARTY from the tracked mailer's
         // provider-accepted branch (lib/tracked.ts) with the rich payload — the
         // provider-webhook echo only updates the DB status, it does NOT emit.
-        await updateEmailStatus(event.type, event.data.email_id);
+        await updateEmailStatus(event.type, event.messageId);
         break;
       case "email.delivered":
-        await updateEmailStatus(event.type, event.data.email_id);
+        await updateEmailStatus(event.type, event.messageId);
         // OUTBOUND `email.delivered` — the provider webhook is the SINGLE source
         // for delivered/bounced (these have no first-party signal).
-        await emitProviderEmailEvent("email.delivered", event.data.email_id);
+        await emitProviderEmailEvent("email.delivered", event.messageId);
         break;
       case "email.opened":
       case "email.clicked":
         // First-party pixel/redirect is the SINGLE outbound emitter for
-        // open/click (gated on the first-touch null→set UPDATE in the tracking
-        // routes — risk 4). The provider-webhook echo is SUPPRESSED here: it only
-        // updates the DB status, it does NOT emit outbound (no double-source).
-        await updateEmailStatus(event.type, event.data.email_id);
+        // open/click — it now fires PER-HIT (every open/click → a delivery to
+        // every destination, owner decision 1). The provider-webhook echo is
+        // SUPPRESSED here: it only updates the DB status, it does NOT emit
+        // outbound (no double-source). This is the outbound-echo defence for a
+        // provider with native tracking left ON.
+        await updateEmailStatus(event.type, event.messageId);
         break;
       case "email.bounced":
-        await updateEmailStatus(event.type, event.data.email_id, {
-          bounceType: event.data.bounce?.type,
-          bounceReason: event.data.bounce?.message,
+        // `bounce.class` is stored in `bounceType`, the human reason in
+        // `bounceReason`. Soft/transient bounces are recorded here too (status
+        // `bounced`, `class:'transient'`) — the old transient →
+        // `email.delivery_delayed` no-op is gone.
+        await updateEmailStatus(event.type, event.messageId, {
+          bounceType: event.bounce?.class,
+          bounceReason: event.bounce?.reason,
         });
-        // OUTBOUND `email.bounced` with the bounce detail.
-        await emitProviderEmailEvent("email.bounced", event.data.email_id, {
-          bounceType: event.data.bounce?.type,
-          bounceReason: event.data.bounce?.message,
+        // OUTBOUND `email.bounced` with the bounce detail (class + reason).
+        await emitProviderEmailEvent("email.bounced", event.messageId, {
+          bounceType: event.bounce?.class,
+          bounceReason: event.bounce?.reason,
         });
-        await handleBounce(event.data.to);
+        // Suppress (increment bounceCount toward threshold) ONLY on a permanent
+        // bounce. Transient/unknown are recorded but never auto-suppress.
+        if (event.bounce?.class === "permanent") {
+          await handleBounce(event.recipients);
+        }
         break;
       case "email.complained":
-        await updateEmailStatus(event.type, event.data.email_id);
-        await handleComplaint(event.data.to);
+        await updateEmailStatus(event.type, event.messageId);
+        // OUTBOUND `email.complained` — the provider webhook is the SINGLE
+        // source for complaints (no first-party signal exists).
+        await emitProviderEmailEvent("email.complained", event.messageId);
+        await handleComplaint(event.recipients);
         break;
       case "email.delivery_delayed":
+        // No-op: providers now map transient bounces to `email.bounced` with
+        // `class:'transient'`, so soft bounces are recorded there instead.
         break;
     }
 
     const userHandler = userHandlers[event.type] as
-      | ((e: WebhookEvent) => void | Promise<void>)
+      | ((e: EmailEvent) => void | Promise<void>)
       | undefined;
     if (userHandler) {
       await userHandler(event);
@@ -246,11 +282,28 @@ export function createTrackedMailer(
     return false;
   }
 
-  async function handleBounce(toAddresses: string[]): Promise<void> {
+  /** Recipients to actually act on: de-duped, falsy-stripped, count-capped. A
+   * fan-out webhook over the cap is logged + skipped to avoid mass-suppression. */
+  function validRecipients(recipients: string[]): string[] {
+    const unique = [...new Set(recipients.filter(Boolean))];
+    if (unique.length > MAX_SUPPRESSION_RECIPIENTS) {
+      (config.logger ?? emitLogger).warn(
+        "suppression skipped: recipient count exceeds cap",
+        { count: unique.length, cap: MAX_SUPPRESSION_RECIPIENTS },
+      );
+      return [];
+    }
+    return unique;
+  }
+
+  async function handleBounce(recipients: string[]): Promise<void> {
     if (!db) return;
-    const email = toAddresses[0];
-    if (!email) return;
+    const emails = validRecipients(recipients);
+    if (emails.length === 0) return;
 
+    // ONE statement for all recipients. The CASE-WHEN auto-suppress at threshold
+    // is evaluated PER ROW inside the single UPDATE, so semantics match the old
+    // per-email loop exactly.
     await db
       .update(emailPreferences)
       .set({
@@ -260,14 +313,15 @@ export function createTrackedMailer(
         suppressedAt: sql`CASE WHEN ${emailPreferences.bounceCount} + 1 >= ${bounceThreshold} THEN NOW() ELSE ${emailPreferences.suppressedAt} END`,
         updatedAt: new Date(),
       })
-      .where(eq(emailPreferences.email, email));
+      .where(inArray(emailPreferences.email, emails));
   }
 
-  async function handleComplaint(toAddresses: string[]): Promise<void> {
+  async function handleComplaint(recipients: string[]): Promise<void> {
     if (!db) return;
-    const email = toAddresses[0];
-    if (!email) return;
+    const emails = validRecipients(recipients);
+    if (emails.length === 0) return;
 
+    // ONE statement for all recipients (same semantics as the old per-email loop).
     await db
       .update(emailPreferences)
       .set({
@@ -275,32 +329,34 @@ export function createTrackedMailer(
         suppressedAt: new Date(),
         updatedAt: new Date(),
       })
-      .where(eq(emailPreferences.email, email));
+      .where(inArray(emailPreferences.email, emails));
   }
 
   /**
-   * Emit the provider-funnel outbound event (`email.delivered` / `email.bounced`)
-   * for a Resend `email_id`. Enriches via {@link resolveEmailSendContextByResendId}
-   * (the only handle a provider webhook holds is the Resend id). Fire-and-forget:
+   * Emit the provider-funnel outbound event (`email.delivered` /
+   * `email.bounced` / `email.complained`) for a provider `messageId`. These three
+   * have no first-party signal — the provider webhook is their single source.
+   * Enriches via {@link resolveEmailSendContextByMessageId}
+   * (the only handle a provider webhook holds is the message id). Fire-and-forget:
    * a missing context (webhook racing the send-row commit) or a transient outbound
    * error is logged and swallowed — never failing the webhook handler. No
    * `dedupeKey`: the provider path is not a Hatchet-retryable producer, and the
    * shared `Webhook-Id` is the subscriber-side dedup for any provider redelivery.
    */
   function emitProviderEmailEvent(
-    event: "email.delivered" | "email.bounced",
-    resendId: string,
+    event: "email.delivered" | "email.bounced" | "email.complained",
+    messageId: string,
     bounce?: { bounceType?: string; bounceReason?: string },
   ): void {
     if (!db) return;
     const log = config.logger ?? emitLogger;
     const database = db;
-    void resolveEmailSendContextByResendId(database, resendId)
+    void resolveEmailSendContextByMessageId(database, messageId)
       .then((ctx) => {
         if (!ctx) return;
         const base = {
           emailSendId: ctx.emailSendId,
-          resendId,
+          messageId,
           templateKey: ctx.templateKey,
           userId: ctx.userId,
           to: ctx.to,
@@ -321,6 +377,15 @@ export function createTrackedMailer(
             },
           });
         }
+        if (event === "email.complained") {
+          return emitOutbound({
+            db: database,
+            hatchet,
+            logger: log,
+            event: "email.complained",
+            payload: base,
+          });
+        }
         return emitOutbound({
           db: database,
           hatchet,
@@ -331,15 +396,15 @@ export function createTrackedMailer(
       })
       .catch((err: unknown) => {
         log.warn(`emitOutbound ${event} failed`, {
-          resendId,
+          messageId,
           error: err instanceof Error ? err.message : String(err),
         });
       });
   }
 
   async function updateEmailStatus(
-    eventType: WebhookEventType,
-    resendId: string,
+    eventType: EmailEventType,
+    messageId: string,
     extra?: { bounceType?: string; bounceReason?: string },
   ): Promise<void> {
     if (!db) return;
@@ -357,7 +422,7 @@ export function createTrackedMailer(
         ...(extra?.bounceReason ? { bounceReason: extra.bounceReason } : {}),
         updatedAt: new Date(),
       })
-      .where(eq(emailSends.resendId, resendId));
+      .where(eq(emailSends.messageId, messageId));
   }
 
   return service;

package/src/lib/outbound.ts

@@ -15,7 +15,16 @@ import {
 } from "./webhook-signing.js";
 
 export {
+  type EmailSendContextByMessageId,
+  /**
+   * @deprecated Kept for one minor; use {@link EmailSendContextByMessageId}.
+   */
   type ResendEmailSendContext,
+  resolveEmailSendContextByMessageId,
+  /**
+   * @deprecated Kept for one minor; use
+   * {@link resolveEmailSendContextByMessageId}.
+   */
   resolveEmailSendContextByResendId,
 } from "./tracking-events.js";
 
@@ -28,11 +37,14 @@ export type OutboundEventName = WebhookEventType;
 
 interface EmailEventPayload {
   emailSendId: string;
-  resendId: string | null;
+  messageId: string | null;
   templateKey: string | null;
   userId: string | null;
   to: string;
   at: string;
+  // Optional enrichment (additive — older subscribers ignore absent keys).
+  category?: string;
+  subject?: string;
 }
 
 interface BucketEventPayload {
@@ -66,7 +78,7 @@ export interface OutboundPayloads {
   };
   "email.sent": {
     emailSendId: string;
-    resendId: string;
+    messageId: string;
     templateKey: string | null;
     to: string;
     userId: string | null;
@@ -82,6 +94,10 @@ export interface OutboundPayloads {
     bounceType?: string;
     bounceReason?: string;
   };
+  "email.complained": EmailEventPayload & {
+    complaintType?: string;
+    reason?: string;
+  };
   "journey.completed": {
     journeyId: string;
     journeyName: string;

package/src/lib/seed-posthog-destination.ts

@@ -0,0 +1,93 @@
+import { type Database, webhookEndpoints } from "@hogsend/db";
+import { and, eq, isNull, sql } from "drizzle-orm";
+import type { Logger } from "./logger.js";
+
+/**
+ * Transaction-scoped advisory-lock key serializing the single-tenant PostHog
+ * seed across concurrent API + worker boots. An arbitrary fixed constant within
+ * int4 range (the single-arg `pg_advisory_xact_lock` overload casts to bigint).
+ */
+const SEED_ADVISORY_LOCK_KEY = 1426198835;
+
+/**
+ * The email funnel a seeded PostHog destination subscribes to — the full
+ * lifecycle that reaches PostHog on NO path before this destination existed.
+ */
+const POSTHOG_FUNNEL_EVENTS = [
+  "email.sent",
+  "email.delivered",
+  "email.opened",
+  "email.clicked",
+  "email.bounced",
+  "email.complained",
+] as const;
+
+/**
+ * Idempotently seed ONE `kind="posthog"` webhook endpoint subscribed to the
+ * email funnel, so the full email lifecycle fans out to PostHog DURABLY on the
+ * delivery spine.
+ *
+ * Guarded against duplicates: it inserts only when no single-tenant
+ * (`organization_id IS NULL`) `kind="posthog"` endpoint already exists. Safe to
+ * call from BOTH the API and worker boots (both build the client) — the second
+ * caller finds the row and no-ops. Fire-and-forget at the call site: a transient
+ * seed failure must never block boot.
+ */
+export async function seedPostHogDestination(opts: {
+  db: Database;
+  logger: Logger;
+  apiKey: string;
+  host?: string;
+}): Promise<{ seeded: boolean }> {
+  const { db, logger, apiKey, host } = opts;
+
+  // Serialize the check-then-insert across concurrent API + worker boots (both
+  // build the client) with a transaction-scoped advisory lock, so the race can
+  // never double-seed. A per-endpoint unique constraint is intentionally avoided
+  // — operators may legitimately create multiple PostHog endpoints by hand.
+  return db.transaction(async (tx) => {
+    await tx.execute(
+      sql`SELECT pg_advisory_xact_lock(${SEED_ADVISORY_LOCK_KEY})`,
+    );
+
+    const existing = await tx
+      .select({ id: webhookEndpoints.id })
+      .from(webhookEndpoints)
+      .where(
+        and(
+          isNull(webhookEndpoints.organizationId),
+          eq(webhookEndpoints.kind, "posthog"),
+        ),
+      )
+      .limit(1);
+
+    if (existing.length > 0) {
+      return { seeded: false };
+    }
+
+    await tx.insert(webhookEndpoints).values({
+      url: "posthog://capture",
+      description:
+        "Auto-seeded PostHog destination (ENABLE_POSTHOG_DESTINATION)",
+      kind: "posthog",
+      config: {
+        apiKey,
+        ...(host ? { host } : {}),
+        // Preserve continuity with the legacy fire-and-forget PostHog path,
+        // which captured clicks as "email.link_clicked"; the posthog transform
+        // remaps the canonical "email.clicked" back so existing PostHog funnels
+        // keep working after the cutover.
+        eventNames: { "email.clicked": "email.link_clicked" },
+      },
+      eventTypes: [...POSTHOG_FUNNEL_EVENTS],
+      secret: null,
+      secretPrefix: null,
+      disabled: false,
+    });
+
+    logger.info("Seeded PostHog destination on the outbound spine", {
+      events: POSTHOG_FUNNEL_EVENTS.length,
+    });
+    return { seeded: true };
+  });
+}

package/src/lib/tracked.ts

@@ -14,10 +14,11 @@ import {
 } from "@hogsend/email";
 import { eq } from "drizzle-orm";
 import { getListRegistry } from "../lists/registry-singleton.js";
-import type {
-  FrequencyCapConfig,
-  SendTrackedEmailOptions,
-  TrackedSendResult,
+import {
+  type FrequencyCapConfig,
+  type SendTrackedEmailOptions,
+  type TrackedSendResult,
+  trackedSendResult,
 } from "./email-service-types.js";
 import { isFrequencyCapped } from "./frequency-cap.js";
 import { hatchet } from "./hatchet.js";
@@ -71,12 +72,12 @@ export async function sendTrackedEmail<K extends TemplateName>(
     id: string;
     status: string;
   }): TrackedSendResult =>
-    ({
+    trackedSendResult({
       emailSendId: prior.id,
-      resendId: "",
+      messageId: "",
       status: prior.status === "sent" ? "sent" : "skipped",
       ...(prior.status === "sent" ? {} : { reason: "frequency_capped" }),
-    }) as TrackedSendResult;
+    } as Omit<TrackedSendResult, "resendId">);
 
   // Idempotency short-circuit (POST /v1/emails): a retry with the same key
   // returns the prior send instead of dispatching a duplicate provider call /
@@ -135,15 +136,15 @@ export async function sendTrackedEmail<K extends TemplateName>(
       const suppressedRow = rows[0];
       if (!suppressedRow) throw new Error("Failed to insert email_sends row");
 
-      return {
+      return trackedSendResult({
         emailSendId: suppressedRow.id,
-        resendId: "",
+        messageId: "",
         status:
           suppression === "unsubscribed" ||
           suppression === "category_unsubscribed"
             ? "unsubscribed"
             : "suppressed",
-      };
+      });
     }
 
     // Frequency cap — consulted only for non-system sends (system mail sets
@@ -165,12 +166,12 @@ export async function sendTrackedEmail<K extends TemplateName>(
           to: options.to,
           category: options.category,
         });
-        return {
+        return trackedSendResult({
           emailSendId: "",
-          resendId: "",
+          messageId: "",
           status: "skipped",
           reason: "frequency_capped",
-        };
+        });
       }
     }
   }
@@ -257,22 +258,26 @@ export async function sendTrackedEmail<K extends TemplateName>(
   const emailSendId = insertedRow.id;
 
   try {
-    let html: string | undefined;
-    if (options.baseUrl && prepareTrackedHtml) {
-      const rawHtml = await renderToHtml(sendElement);
-      html = await prepareTrackedHtml({
-        html: rawHtml,
-        emailSendId,
-        baseUrl: options.baseUrl,
-        db,
-      });
-    }
+    // HTML-ONLY wire — the engine ALWAYS renders React → HTML itself. When
+    // tracking is on (baseUrl + prepareTrackedHtml) we render then rewrite
+    // links/inject the open pixel; otherwise we render plain HTML. React Email
+    // stays first-class for authoring/Studio; it never crosses the wire.
+    const rawHtml = await renderToHtml(sendElement);
+    const html =
+      options.baseUrl && prepareTrackedHtml
+        ? await prepareTrackedHtml({
+            html: rawHtml,
+            emailSendId,
+            baseUrl: options.baseUrl,
+            db,
+          })
+        : rawHtml;
 
     const result = await provider.send({
       from: options.from,
       to: options.to,
       subject,
-      ...(html ? { html } : { react: sendElement }),
+      html,
       tags: options.tags,
       headers: sendHeaders,
       replyTo: options.replyTo,
@@ -282,7 +287,7 @@ export async function sendTrackedEmail<K extends TemplateName>(
     await db
       .update(emailSends)
       .set({
-        resendId: result.id,
+        messageId: result.id,
         status: "sent",
         sentAt,
         updatedAt: sentAt,
@@ -306,7 +311,7 @@ export async function sendTrackedEmail<K extends TemplateName>(
       dedupeKey: `email.sent:${emailSendId}`,
       payload: {
         emailSendId,
-        resendId: result.id,
+        messageId: result.id,
         templateKey: options.templateKey,
         to: options.to,
         userId: options.userId ?? null,
@@ -322,11 +327,11 @@ export async function sendTrackedEmail<K extends TemplateName>(
       });
     });
 
-    return {
+    return trackedSendResult({
       emailSendId,
-      resendId: result.id,
+      messageId: result.id,
       status: "sent",
-    };
+    });
   } catch (error) {
     // A provider send failed (transient SMTP/network/429). Stamp `failed` AND
     // RELEASE the idempotency key (set it null), exactly like the suppression