@hogsend/engine 0.9.0 → 0.11.0

package/src/lib/mailer.ts

@@ -1,8 +1,8 @@
 import type {
   BatchEmailItem,
+  EmailEvent,
+  EmailEventType,
   EmailProvider,
-  WebhookEvent,
-  WebhookEventType,
   WebhookHandlerMap,
 } from "@hogsend/core";
 import type { Database } from "@hogsend/db";
@@ -13,23 +13,23 @@ import type {
   TemplateName,
 } from "@hogsend/email";
 import { getTemplate, renderToHtml, renderToPlainText } from "@hogsend/email";
-import { eq, sql } from "drizzle-orm";
-import type {
-  EmailService,
-  EmailServiceConfig,
-  EmailServiceSendOptions,
-  EmailServiceWebhookOptions,
-  EmailServiceWebhookResult,
-  SendRawOptions,
-  SendResult,
-  TrackedSendResult,
+import { eq, inArray, sql } from "drizzle-orm";
+import {
+  type EmailService,
+  type EmailServiceConfig,
+  type EmailServiceSendOptions,
+  type EmailServiceWebhookResult,
+  type SendRawOptions,
+  type SendResult,
+  type TrackedSendResult,
+  trackedSendResult,
 } from "./email-service-types.js";
 import { hatchet } from "./hatchet.js";
 import { createLogger } from "./logger.js";
 import { emitOutbound } from "./outbound.js";
 import type { PrepareTrackedHtmlFn } from "./tracked.js";
 import { sendTrackedEmail } from "./tracked.js";
-import { resolveEmailSendContextByResendId } from "./tracking-events.js";
+import { resolveEmailSendContextByMessageId } from "./tracking-events.js";
 
 // Fallback logger for the provider-webhook outbound emit — `config.logger` is
 // optional, but `emitOutbound` requires one. Mirrors the engine-lib singleton
@@ -37,7 +37,7 @@ import { resolveEmailSendContextByResendId } from "./tracking-events.js";
 const emitLogger = createLogger(process.env.LOG_LEVEL);
 
 const WEBHOOK_TO_STATUS_FIELD: Partial<
-  Record<WebhookEventType, keyof typeof emailSends.$inferSelect>
+  Record<EmailEventType, keyof typeof emailSends.$inferSelect>
 > = {
   "email.sent": "sentAt",
   "email.delivered": "deliveredAt",
@@ -47,7 +47,7 @@ const WEBHOOK_TO_STATUS_FIELD: Partial<
   "email.complained": "complainedAt",
 };
 
-const WEBHOOK_TO_STATUS: Partial<Record<WebhookEventType, string>> = {
+const WEBHOOK_TO_STATUS: Partial<Record<EmailEventType, string>> = {
   "email.sent": "sent",
   "email.delivered": "delivered",
   "email.opened": "opened",
@@ -56,6 +56,10 @@ const WEBHOOK_TO_STATUS: Partial<Record<WebhookEventType, string>> = {
   "email.complained": "complained",
 };
 
+/** Max recipients we will iterate on a bounce/complaint, to avoid a fan-out
+ * webhook mass-suppressing addresses. Above this we log + skip suppression. */
+const MAX_SUPPRESSION_RECIPIENTS = 100;
+
 /**
  * The engine-owned high-level mailer. It owns the full send pipeline —
  * render → preference/suppression check → tracked-html rewrite → `email_sends`
@@ -78,6 +82,27 @@ export function createTrackedMailer(
     return overrideFrom ?? config.defaultFrom;
   }
 
+  /**
+   * Drop `scheduledAt` unless the active provider declares
+   * `capabilities.scheduledSend`. A provider that can't natively schedule (e.g.
+   * Postmark/SES) would silently ignore it — so the engine strips it and logs a
+   * WARN pointing at the durable alternative (`ctx.sleepUntil`).
+   */
+  function applyScheduledAtGate<T extends { scheduledAt?: string }>(
+    opts: T,
+  ): T {
+    if (opts.scheduledAt && provider.capabilities?.scheduledSend !== true) {
+      (config.logger ?? emitLogger).warn(
+        `scheduledAt ignored: provider ${
+          provider.meta?.id ?? "resend"
+        } has no native scheduled send; use ctx.sleepUntil`,
+      );
+      const { scheduledAt: _dropped, ...rest } = opts;
+      return rest as T;
+    }
+    return opts;
+  }
+
   const service: EmailService = {
     async send<K extends TemplateName>(
       options: EmailServiceSendOptions<K>,
@@ -118,25 +143,30 @@ export function createTrackedMailer(
         props: options.props,
         registry,
       });
+      // HTML-ONLY wire — the engine ALWAYS renders React → HTML itself before
+      // the provider. React Email stays first-class for authoring/Studio; it
+      // never crosses the provider boundary.
+      const html = await renderToHtml(element);
       const result = await provider.send({
         from,
         to: options.to,
         subject: options.subject ?? defaultSubject,
-        react: element,
+        html,
         tags: options.tags,
         headers: options.headers,
         replyTo: options.replyTo,
       });
 
-      return {
+      return trackedSendResult({
         emailSendId: "",
-        resendId: result.id,
+        messageId: result.id,
         status: "sent",
-      };
+      });
     },
 
     async sendRaw(options: SendRawOptions): Promise<SendResult> {
-      return provider.send({ ...options, from: resolveFrom(options.from) });
+      const gated = applyScheduledAtGate(options);
+      return provider.send({ ...gated, from: resolveFrom(options.from) });
     },
 
     async sendBatch(options: {
@@ -167,23 +197,14 @@ export function createTrackedMailer(
     },
 
     async handleWebhook(
-      options: EmailServiceWebhookOptions,
+      event: EmailEvent,
+      _providerId?: string,
     ): Promise<EmailServiceWebhookResult> {
-      if (!config.webhookSecret) {
-        throw new Error(
-          "webhookSecret is required in EmailServiceConfig to handle webhooks",
-        );
-      }
-
+      // The route owns provider resolution + signature verification and hands us
+      // an already-verified, provider-neutral EmailEvent. No secret gate here —
+      // each provider owns its own webhook secret at construction time.
       const userHandlers: WebhookHandlerMap = config.webhookHandlers ?? {};
-
-      const event = provider.verifyWebhook({
-        payload: options.payload,
-        headers: options.headers,
-      });
-
       const handled = await dispatchWebhook(event, userHandlers);
-
       return { type: event.type, handled };
     },
   };
@@ -191,7 +212,7 @@ export function createTrackedMailer(
   const bounceThreshold = config.bounceThreshold ?? 3;
 
   async function dispatchWebhook(
-    event: WebhookEvent,
+    event: EmailEvent,
     userHandlers: WebhookHandlerMap,
   ): Promise<boolean> {
     switch (event.type) {
@@ -199,13 +220,13 @@ export function createTrackedMailer(
         // `email.sent` is emitted FIRST-PARTY from the tracked mailer's
         // provider-accepted branch (lib/tracked.ts) with the rich payload — the
         // provider-webhook echo only updates the DB status, it does NOT emit.
-        await updateEmailStatus(event.type, event.data.email_id);
+        await updateEmailStatus(event.type, event.messageId);
         break;
       case "email.delivered":
-        await updateEmailStatus(event.type, event.data.email_id);
+        await updateEmailStatus(event.type, event.messageId);
         // OUTBOUND `email.delivered` — the provider webhook is the SINGLE source
         // for delivered/bounced (these have no first-party signal).
-        await emitProviderEmailEvent("email.delivered", event.data.email_id);
+        await emitProviderEmailEvent("email.delivered", event.messageId);
         break;
       case "email.opened":
       case "email.clicked":
@@ -213,34 +234,45 @@ export function createTrackedMailer(
         // open/click — it now fires PER-HIT (every open/click → a delivery to
         // every destination, owner decision 1). The provider-webhook echo is
         // SUPPRESSED here: it only updates the DB status, it does NOT emit
-        // outbound (no double-source).
-        await updateEmailStatus(event.type, event.data.email_id);
+        // outbound (no double-source). This is the outbound-echo defence for a
+        // provider with native tracking left ON.
+        await updateEmailStatus(event.type, event.messageId);
         break;
       case "email.bounced":
-        await updateEmailStatus(event.type, event.data.email_id, {
-          bounceType: event.data.bounce?.type,
-          bounceReason: event.data.bounce?.message,
+        // `bounce.class` is stored in `bounceType`, the human reason in
+        // `bounceReason`. Soft/transient bounces are recorded here too (status
+        // `bounced`, `class:'transient'`) — the old transient →
+        // `email.delivery_delayed` no-op is gone.
+        await updateEmailStatus(event.type, event.messageId, {
+          bounceType: event.bounce?.class,
+          bounceReason: event.bounce?.reason,
         });
-        // OUTBOUND `email.bounced` with the bounce detail.
-        await emitProviderEmailEvent("email.bounced", event.data.email_id, {
-          bounceType: event.data.bounce?.type,
-          bounceReason: event.data.bounce?.message,
+        // OUTBOUND `email.bounced` with the bounce detail (class + reason).
+        await emitProviderEmailEvent("email.bounced", event.messageId, {
+          bounceType: event.bounce?.class,
+          bounceReason: event.bounce?.reason,
         });
-        await handleBounce(event.data.to);
+        // Suppress (increment bounceCount toward threshold) ONLY on a permanent
+        // bounce. Transient/unknown are recorded but never auto-suppress.
+        if (event.bounce?.class === "permanent") {
+          await handleBounce(event.recipients);
+        }
         break;
       case "email.complained":
-        await updateEmailStatus(event.type, event.data.email_id);
+        await updateEmailStatus(event.type, event.messageId);
         // OUTBOUND `email.complained` — the provider webhook is the SINGLE
         // source for complaints (no first-party signal exists).
-        await emitProviderEmailEvent("email.complained", event.data.email_id);
-        await handleComplaint(event.data.to);
+        await emitProviderEmailEvent("email.complained", event.messageId);
+        await handleComplaint(event.recipients);
         break;
       case "email.delivery_delayed":
+        // No-op: providers now map transient bounces to `email.bounced` with
+        // `class:'transient'`, so soft bounces are recorded there instead.
         break;
     }
 
     const userHandler = userHandlers[event.type] as
-      | ((e: WebhookEvent) => void | Promise<void>)
+      | ((e: EmailEvent) => void | Promise<void>)
       | undefined;
     if (userHandler) {
       await userHandler(event);
@@ -250,11 +282,28 @@ export function createTrackedMailer(
     return false;
   }
 
-  async function handleBounce(toAddresses: string[]): Promise<void> {
+  /** Recipients to actually act on: de-duped, falsy-stripped, count-capped. A
+   * fan-out webhook over the cap is logged + skipped to avoid mass-suppression. */
+  function validRecipients(recipients: string[]): string[] {
+    const unique = [...new Set(recipients.filter(Boolean))];
+    if (unique.length > MAX_SUPPRESSION_RECIPIENTS) {
+      (config.logger ?? emitLogger).warn(
+        "suppression skipped: recipient count exceeds cap",
+        { count: unique.length, cap: MAX_SUPPRESSION_RECIPIENTS },
+      );
+      return [];
+    }
+    return unique;
+  }
+
+  async function handleBounce(recipients: string[]): Promise<void> {
     if (!db) return;
-    const email = toAddresses[0];
-    if (!email) return;
+    const emails = validRecipients(recipients);
+    if (emails.length === 0) return;
 
+    // ONE statement for all recipients. The CASE-WHEN auto-suppress at threshold
+    // is evaluated PER ROW inside the single UPDATE, so semantics match the old
+    // per-email loop exactly.
     await db
       .update(emailPreferences)
       .set({
@@ -264,14 +313,15 @@ export function createTrackedMailer(
         suppressedAt: sql`CASE WHEN ${emailPreferences.bounceCount} + 1 >= ${bounceThreshold} THEN NOW() ELSE ${emailPreferences.suppressedAt} END`,
         updatedAt: new Date(),
       })
-      .where(eq(emailPreferences.email, email));
+      .where(inArray(emailPreferences.email, emails));
   }
 
-  async function handleComplaint(toAddresses: string[]): Promise<void> {
+  async function handleComplaint(recipients: string[]): Promise<void> {
     if (!db) return;
-    const email = toAddresses[0];
-    if (!email) return;
+    const emails = validRecipients(recipients);
+    if (emails.length === 0) return;
 
+    // ONE statement for all recipients (same semantics as the old per-email loop).
     await db
       .update(emailPreferences)
       .set({
@@ -279,15 +329,15 @@ export function createTrackedMailer(
         suppressedAt: new Date(),
         updatedAt: new Date(),
       })
-      .where(eq(emailPreferences.email, email));
+      .where(inArray(emailPreferences.email, emails));
   }
 
   /**
    * Emit the provider-funnel outbound event (`email.delivered` /
-   * `email.bounced` / `email.complained`) for a Resend `email_id`. These three
+   * `email.bounced` / `email.complained`) for a provider `messageId`. These three
    * have no first-party signal — the provider webhook is their single source.
-   * Enriches via {@link resolveEmailSendContextByResendId}
-   * (the only handle a provider webhook holds is the Resend id). Fire-and-forget:
+   * Enriches via {@link resolveEmailSendContextByMessageId}
+   * (the only handle a provider webhook holds is the message id). Fire-and-forget:
    * a missing context (webhook racing the send-row commit) or a transient outbound
    * error is logged and swallowed — never failing the webhook handler. No
    * `dedupeKey`: the provider path is not a Hatchet-retryable producer, and the
@@ -295,18 +345,18 @@ export function createTrackedMailer(
    */
   function emitProviderEmailEvent(
     event: "email.delivered" | "email.bounced" | "email.complained",
-    resendId: string,
+    messageId: string,
     bounce?: { bounceType?: string; bounceReason?: string },
   ): void {
     if (!db) return;
     const log = config.logger ?? emitLogger;
     const database = db;
-    void resolveEmailSendContextByResendId(database, resendId)
+    void resolveEmailSendContextByMessageId(database, messageId)
       .then((ctx) => {
         if (!ctx) return;
         const base = {
           emailSendId: ctx.emailSendId,
-          resendId,
+          messageId,
           templateKey: ctx.templateKey,
           userId: ctx.userId,
           to: ctx.to,
@@ -346,15 +396,15 @@ export function createTrackedMailer(
       })
       .catch((err: unknown) => {
         log.warn(`emitOutbound ${event} failed`, {
-          resendId,
+          messageId,
           error: err instanceof Error ? err.message : String(err),
         });
       });
   }
 
   async function updateEmailStatus(
-    eventType: WebhookEventType,
-    resendId: string,
+    eventType: EmailEventType,
+    messageId: string,
     extra?: { bounceType?: string; bounceReason?: string },
   ): Promise<void> {
     if (!db) return;
@@ -372,7 +422,7 @@ export function createTrackedMailer(
         ...(extra?.bounceReason ? { bounceReason: extra.bounceReason } : {}),
         updatedAt: new Date(),
       })
-      .where(eq(emailSends.resendId, resendId));
+      .where(eq(emailSends.messageId, messageId));
   }
 
   return service;

package/src/lib/outbound.ts

@@ -15,7 +15,16 @@ import {
 } from "./webhook-signing.js";
 
 export {
+  type EmailSendContextByMessageId,
+  /**
+   * @deprecated Kept for one minor; use {@link EmailSendContextByMessageId}.
+   */
   type ResendEmailSendContext,
+  resolveEmailSendContextByMessageId,
+  /**
+   * @deprecated Kept for one minor; use
+   * {@link resolveEmailSendContextByMessageId}.
+   */
   resolveEmailSendContextByResendId,
 } from "./tracking-events.js";
 
@@ -28,7 +37,7 @@ export type OutboundEventName = WebhookEventType;
 
 interface EmailEventPayload {
   emailSendId: string;
-  resendId: string | null;
+  messageId: string | null;
   templateKey: string | null;
   userId: string | null;
   to: string;
@@ -69,7 +78,7 @@ export interface OutboundPayloads {
   };
   "email.sent": {
     emailSendId: string;
-    resendId: string;
+    messageId: string;
     templateKey: string | null;
     to: string;
     userId: string | null;

package/src/lib/redis.ts

@@ -28,3 +28,71 @@ export function getRedis(): Redis {
 export function getRedisIfConnected(): Redis | undefined {
   return _redis;
 }
+
+/**
+ * Namespace for better-auth's secondary-storage keys so they never collide with
+ * the PostHog person-property cache or the worker heartbeat sharing this Redis.
+ */
+const AUTH_STORAGE_PREFIX = "hogsend:auth:";
+
+/**
+ * The minimal shape better-auth's `secondaryStorage` option expects. Mirrors
+ * `@better-auth/core`'s `SecondaryStorage` so we don't pull a type out of a deep
+ * subpath: `get` returns the raw stored string (better-auth `JSON.parse`s it),
+ * `set` takes an optional TTL in SECONDS, `delete` removes the key.
+ */
+export interface AuthSecondaryStorage {
+  get: (key: string) => Promise<string | null>;
+  set: (key: string, value: string, ttl?: number) => Promise<void>;
+  delete: (key: string) => Promise<void>;
+}
+
+/**
+ * Adapt an ioredis client to better-auth's `secondaryStorage` contract so all
+ * better-auth session AND rate-limit counters live in Redis — shared across
+ * Railway replicas and surviving restarts. Without this, better-auth defaults
+ * `rateLimit.storage` to in-memory (per-instance, reset on redeploy), so the
+ * sign-in / request-password-reset limits are materially weaker than they look
+ * on a multi-replica deploy (security finding #2).
+ *
+ * Reuses the SHARED engine Redis singleton ({@link getRedis}) — it never opens a
+ * second pool. better-auth gives `set` a TTL in SECONDS, which we honour with
+ * `EX`; entries with no TTL persist (matching better-auth's own behaviour).
+ *
+ * Every operation is wrapped so a Redis blip degrades gracefully instead of
+ * crashing the auth flow: `get` returns `null` (better-auth treats it as a
+ * miss), `set`/`delete` no-op. We never want a transient cache fault to take
+ * down sign-in.
+ */
+export function createRedisSecondaryStorage(
+  redis: Redis,
+): AuthSecondaryStorage {
+  const k = (key: string) => `${AUTH_STORAGE_PREFIX}${key}`;
+  return {
+    async get(key) {
+      try {
+        return await redis.get(k(key));
+      } catch {
+        return null;
+      }
+    },
+    async set(key, value, ttl) {
+      try {
+        if (typeof ttl === "number" && ttl > 0) {
+          await redis.set(k(key), value, "EX", ttl);
+        } else {
+          await redis.set(k(key), value);
+        }
+      } catch {
+        // Degrade to no-op — never fail the auth flow on a cache write.
+      }
+    },
+    async delete(key) {
+      try {
+        await redis.del(k(key));
+      } catch {
+        // Degrade to no-op.
+      }
+    },
+  };
+}

package/src/lib/reset-email.ts

@@ -0,0 +1,139 @@
+import { getEmailService } from "./email.js";
+import type { EmailService } from "./email-service-types.js";
+import { createLogger, type Logger } from "./logger.js";
+
+// Fallback logger for the no-provider warning — callers may not pass one. Mirrors
+// the engine-lib singleton pattern (mailer, define-journey, tracked).
+const fallbackLogger = createLogger(process.env.LOG_LEVEL);
+
+/**
+ * The TTL the reset link advertises in its copy. Mirrors the
+ * `resetPasswordTokenExpiresIn` we configure in `createAuth` (15 minutes) so the
+ * email never claims a window that doesn't match the server's enforcement.
+ */
+const RESET_TTL_MINUTES = 15;
+
+/**
+ * The engine-owned, self-contained password-reset email. The engine ships NO
+ * business templates (those live in the consumer's `src/emails/`), so a reset
+ * email that required a consumer template would break the "works out of the box"
+ * guarantee. This builds a tiny inline HTML + plaintext body — no React Email
+ * dependency, no template-registry lookup — and sends it through the resolved
+ * provider via the mailer's RAW path.
+ *
+ * `sendRaw` is correct here (not `send`): a password reset is strictly
+ * transactional and must bypass template resolution AND the
+ * preference/suppression check — a recovering operator must always receive it,
+ * marketing opt-out or not. There is no tracking pixel and no unsubscribe footer
+ * for the same reason.
+ *
+ * Security:
+ * - NEVER logs the `url` or the token. On a delivery failure we log a generic
+ *   warning (pointing the operator at the CLI) and RESOLVE without throwing, so
+ *   better-auth's neutral "if this email exists…" response is preserved (no user
+ *   enumeration, no leak of whether the address was real).
+ * - The `from` resolves from `EMAIL_FROM ?? RESEND_FROM_EMAIL` — but we don't
+ *   pass it explicitly: the mailer's `sendRaw` defaults `from` to its configured
+ *   `defaultFrom`, which is exactly that pair.
+ */
+export async function sendResetPasswordEmail(opts: {
+  to: string;
+  url: string;
+  /**
+   * The mailer to send through. Optional: defaults to the container-installed
+   * singleton (`getEmailService()`). Injectable so tests can pass a spy and
+   * assert the send fires without touching a real provider.
+   */
+  emailService?: EmailService;
+  /** Optional structured logger; defaults to a stdout logger. */
+  logger?: Logger;
+}): Promise<void> {
+  const { to, url } = opts;
+  const log = opts.logger ?? fallbackLogger;
+
+  let service: EmailService;
+  try {
+    service = opts.emailService ?? getEmailService();
+  } catch {
+    // The mailer singleton hasn't been installed (container never booted). Steer
+    // the operator to the guaranteed recovery path; never throw (preserves the
+    // neutral response). Do NOT log the url/token.
+    log.warn(
+      "password reset requested but no email service is configured — use `hogsend studio admin reset`",
+    );
+    return;
+  }
+
+  const subject = "Reset your Hogsend Studio password";
+  const html = buildResetHtml(url);
+  const text = buildResetText(url);
+
+  try {
+    await service.sendRaw({ to, subject, html, text });
+  } catch (error) {
+    // A provider error (missing/invalid key, network) must not surface to the
+    // caller — better-auth's neutral response stays intact. Log a generic
+    // warning that points at the CLI fallback. NEVER include the url/token.
+    log.warn(
+      "password reset email failed to send (no usable email provider?) — use `hogsend studio admin reset`",
+      { error: error instanceof Error ? error.message : String(error) },
+    );
+  }
+}
+
+/** Minimal, dependency-free HTML body. The URL appears as a button and a raw
+ * link (so it works even when buttons are stripped). No tracking, no footer. */
+function buildResetHtml(url: string): string {
+  const safeUrl = escapeHtmlAttr(url);
+  const safeText = escapeHtml(url);
+  return `<!doctype html>
+<html lang="en">
+  <body style="margin:0;padding:24px;background:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Helvetica,Arial,sans-serif;color:#18181b;">
+    <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="max-width:480px;margin:0 auto;background:#ffffff;border-radius:8px;padding:32px;">
+      <tr><td>
+        <h1 style="margin:0 0 16px;font-size:20px;font-weight:600;">Reset your password</h1>
+        <p style="margin:0 0 24px;font-size:14px;line-height:1.6;color:#3f3f46;">
+          We received a request to reset your Hogsend Studio password. Click the
+          button below to choose a new one.
+        </p>
+        <p style="margin:0 0 24px;">
+          <a href="${safeUrl}" style="display:inline-block;background:#18181b;color:#ffffff;text-decoration:none;font-size:14px;font-weight:600;padding:12px 20px;border-radius:6px;">Reset password</a>
+        </p>
+        <p style="margin:0 0 16px;font-size:13px;line-height:1.6;color:#71717a;">
+          Or paste this link into your browser:<br />
+          <a href="${safeUrl}" style="color:#2563eb;word-break:break-all;">${safeText}</a>
+        </p>
+        <p style="margin:0;font-size:12px;line-height:1.6;color:#a1a1aa;">
+          This link expires in ${RESET_TTL_MINUTES} minutes and can be used once.
+          If you didn't request a password reset, you can safely ignore this email.
+        </p>
+      </td></tr>
+    </table>
+  </body>
+</html>`;
+}
+
+/** Plain-text alternative (same content, no markup). */
+function buildResetText(url: string): string {
+  return [
+    "Reset your password",
+    "",
+    "We received a request to reset your Hogsend Studio password.",
+    "Open this link to choose a new one:",
+    "",
+    url,
+    "",
+    `This link expires in ${RESET_TTL_MINUTES} minutes and can be used once.`,
+    "If you didn't request a password reset, you can safely ignore this email.",
+  ].join("\n");
+}
+
+/** Escape for an HTML text node. */
+function escapeHtml(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+
+/** Escape for a double-quoted HTML attribute (e.g. an `href`). */
+function escapeHtmlAttr(s: string): string {
+  return escapeHtml(s).replace(/"/g, "&quot;");
+}