@wopr-network/platform-core 1.0.4 → 1.0.6

package/src/metering/metering.test.ts

@@ -143,7 +143,7 @@ describe("MeterEmitter", () => {
   });
 
   it("buffers events without writing until flush", async () => {
-    emitter.emit(makeEvent());
+    await emitter.emit(makeEvent());
     expect(emitter.pending).toBe(1);
 
     const rows = (await db.select({ cnt: sql<number>`COUNT(*)` }).from(meterEvents))[0];
@@ -151,8 +151,8 @@ describe("MeterEmitter", () => {
   });
 
   it("flush writes buffered events to the database", async () => {
-    emitter.emit(makeEvent());
-    emitter.emit(makeEvent({ tenant: "tenant-2" }));
+    await emitter.emit(makeEvent());
+    await emitter.emit(makeEvent({ tenant: "tenant-2" }));
 
     const flushed = await emitter.flush();
     expect(flushed).toBe(2);
@@ -174,7 +174,7 @@ describe("MeterEmitter", () => {
       duration: 5000,
     });
 
-    emitter.emit(event);
+    await emitter.emit(event);
     await emitter.flush();
 
     const rows = await emitter.queryEvents("t-abc");
@@ -190,7 +190,7 @@ describe("MeterEmitter", () => {
   });
 
   it("handles null optional fields", async () => {
-    emitter.emit(makeEvent({ sessionId: undefined, duration: undefined }));
+    await emitter.emit(makeEvent({ sessionId: undefined, duration: undefined }));
     await emitter.flush();
 
     const rows = await emitter.queryEvents("tenant-1");
@@ -199,8 +199,8 @@ describe("MeterEmitter", () => {
   });
 
   it("generates unique IDs for each event", async () => {
-    emitter.emit(makeEvent());
-    emitter.emit(makeEvent());
+    await emitter.emit(makeEvent());
+    await emitter.emit(makeEvent());
     await emitter.flush();
 
     const rows = await emitter.queryEvents("tenant-1");
@@ -210,10 +210,10 @@ describe("MeterEmitter", () => {
 
   it("auto-flushes when batch size is reached", async () => {
     const smallBatch = makeEmitter(db, { flushIntervalMs: 60_000, batchSize: 3 });
-    smallBatch.emit(makeEvent());
-    smallBatch.emit(makeEvent());
+    await smallBatch.emit(makeEvent());
+    await smallBatch.emit(makeEvent());
     // Third event triggers auto-flush.
-    smallBatch.emit(makeEvent());
+    await smallBatch.emit(makeEvent());
 
     const rows = (await db.select({ cnt: sql<number>`COUNT(*)` }).from(meterEvents))[0];
     expect(rows?.cnt).toBe(3);
@@ -222,8 +222,8 @@ describe("MeterEmitter", () => {
   });
 
   it("close flushes remaining events", async () => {
-    emitter.emit(makeEvent());
-    emitter.emit(makeEvent());
+    await emitter.emit(makeEvent());
+    await emitter.emit(makeEvent());
     emitter.close();
 
     const rows = (await db.select({ cnt: sql<number>`COUNT(*)` }).from(meterEvents))[0];
@@ -232,7 +232,7 @@ describe("MeterEmitter", () => {
 
   it("ignores events after close", async () => {
     emitter.close();
-    emitter.emit(makeEvent());
+    await emitter.emit(makeEvent());
     expect(emitter.pending).toBe(0);
   });
 
@@ -246,8 +246,8 @@ describe("MeterEmitter", () => {
       dlqPath: TEST_DLQ_PATH,
     });
 
-    localEmitter.emit(makeEvent());
-    localEmitter.emit(makeEvent());
+    await localEmitter.emit(makeEvent());
+    await localEmitter.emit(makeEvent());
     expect(localEmitter.pending).toBe(2);
 
     await localPool.close();
@@ -261,9 +261,9 @@ describe("MeterEmitter", () => {
   });
 
   it("queryEvents returns events for a specific tenant", async () => {
-    emitter.emit(makeEvent({ tenant: "t-1" }));
-    emitter.emit(makeEvent({ tenant: "t-2" }));
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-2" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     await emitter.flush();
 
     const t1Events = await emitter.queryEvents("t-1");
@@ -306,9 +306,9 @@ describe("MeterEmitter - concurrent multi-provider sessions", () => {
   it("groups multiple providers under one sessionId", async () => {
     const sessionId = "voice-session-1";
 
-    emitter.emit(makeEvent({ capability: "stt", provider: "deepgram", sessionId }));
-    emitter.emit(makeEvent({ capability: "chat", provider: "openai", sessionId }));
-    emitter.emit(makeEvent({ capability: "tts", provider: "elevenlabs", sessionId }));
+    await emitter.emit(makeEvent({ capability: "stt", provider: "deepgram", sessionId }));
+    await emitter.emit(makeEvent({ capability: "chat", provider: "openai", sessionId }));
+    await emitter.emit(makeEvent({ capability: "tts", provider: "elevenlabs", sessionId }));
     await emitter.flush();
 
     const rows = await db.select().from(meterEvents).where(eq(meterEvents.sessionId, sessionId));
@@ -321,9 +321,9 @@ describe("MeterEmitter - concurrent multi-provider sessions", () => {
   });
 
   it("handles events from different sessions simultaneously", async () => {
-    emitter.emit(makeEvent({ sessionId: "sess-a", capability: "stt" }));
-    emitter.emit(makeEvent({ sessionId: "sess-b", capability: "stt" }));
-    emitter.emit(makeEvent({ sessionId: "sess-a", capability: "tts" }));
+    await emitter.emit(makeEvent({ sessionId: "sess-a", capability: "stt" }));
+    await emitter.emit(makeEvent({ sessionId: "sess-b", capability: "stt" }));
+    await emitter.emit(makeEvent({ sessionId: "sess-a", capability: "tts" }));
     await emitter.flush();
 
     const sessA = (
@@ -372,7 +372,7 @@ describe("MeterAggregator", () => {
     // Insert events in a past window.
     const pastWindow = Math.floor(Date.now() / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.01),
@@ -380,7 +380,7 @@ describe("MeterAggregator", () => {
         timestamp: pastWindow + 100,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.03),
@@ -403,11 +403,13 @@ describe("MeterAggregator", () => {
   it("groups by tenant, capability, and provider", async () => {
     const pastWindow = Math.floor(Date.now() / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({ tenant: "t-1", capability: "embeddings", provider: "openai", timestamp: pastWindow + 10 }),
     );
-    emitter.emit(makeEvent({ tenant: "t-1", capability: "voice", provider: "deepgram", timestamp: pastWindow + 20 }));
-    emitter.emit(
+    await emitter.emit(
+      makeEvent({ tenant: "t-1", capability: "voice", provider: "deepgram", timestamp: pastWindow + 20 }),
+    );
+    await emitter.emit(
       makeEvent({ tenant: "t-2", capability: "embeddings", provider: "openai", timestamp: pastWindow + 30 }),
     );
     await emitter.flush();
@@ -424,7 +426,7 @@ describe("MeterAggregator", () => {
 
   it("does not aggregate the current (incomplete) window", async () => {
     // Insert an event in the *current* window.
-    emitter.emit(makeEvent({ timestamp: Date.now() }));
+    await emitter.emit(makeEvent({ timestamp: Date.now() }));
     await emitter.flush();
 
     const count = await aggregator.aggregate();
@@ -438,7 +440,7 @@ describe("MeterAggregator", () => {
   it("is idempotent - does not double-aggregate", async () => {
     const pastWindow = Math.floor(Date.now() / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.01),
@@ -459,7 +461,7 @@ describe("MeterAggregator", () => {
   it("aggregates duration for session-based capabilities", async () => {
     const pastWindow = Math.floor(Date.now() / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         capability: "voice",
@@ -467,7 +469,7 @@ describe("MeterAggregator", () => {
         timestamp: pastWindow + 10,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         capability: "voice",
@@ -493,7 +495,7 @@ describe("MeterAggregator", () => {
   it("getTenantTotal returns aggregate totals", async () => {
     const pastWindow = Math.floor(Date.now() / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.01),
@@ -501,7 +503,7 @@ describe("MeterAggregator", () => {
         timestamp: pastWindow + 10,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.05),
@@ -532,8 +534,8 @@ describe("MeterAggregator", () => {
     const twoWindowsAgo = Math.floor(now / WINDOW) * WINDOW - 2 * WINDOW;
     const oneWindowAgo = Math.floor(now / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(makeEvent({ tenant: "t-1", timestamp: twoWindowsAgo + 10 }));
-    emitter.emit(makeEvent({ tenant: "t-1", timestamp: oneWindowAgo + 10 }));
+    await emitter.emit(makeEvent({ tenant: "t-1", timestamp: twoWindowsAgo + 10 }));
+    await emitter.emit(makeEvent({ tenant: "t-1", timestamp: oneWindowAgo + 10 }));
     await emitter.flush();
 
     // Aggregate both windows.
@@ -586,7 +588,7 @@ describe("MeterAggregator - edge cases", () => {
     const threeWindowsAgo = Math.floor(now / WINDOW) * WINDOW - 3 * WINDOW;
 
     // Place one event 3 windows ago; windows 2-ago and 1-ago are empty.
-    emitter.emit(makeEvent({ tenant: "t-1", timestamp: threeWindowsAgo + 10 }));
+    await emitter.emit(makeEvent({ tenant: "t-1", timestamp: threeWindowsAgo + 10 }));
     await emitter.flush();
 
     await aggregator.aggregate(now);
@@ -613,7 +615,7 @@ describe("MeterAggregator - edge cases", () => {
     const now = Date.now();
     const pastWindow = Math.floor(now / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.123),
@@ -638,7 +640,7 @@ describe("MeterAggregator - edge cases", () => {
     const pastWindow = Math.floor(now / WINDOW) * WINDOW - WINDOW;
 
     // Event at the exact start of the window (timestamp === windowStart).
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.01),
@@ -663,7 +665,7 @@ describe("MeterAggregator - edge cases", () => {
     const oneWindowAgo = twoWindowsAgo + WINDOW;
 
     // Event at the exact boundary (end of window 2-ago = start of window 1-ago).
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.01),
@@ -687,7 +689,7 @@ describe("MeterAggregator - edge cases", () => {
 
     const tenants = ["alpha", "beta", "gamma"];
     for (const t of tenants) {
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           tenant: t,
           cost: Credit.fromDollars(0.01),
@@ -696,7 +698,7 @@ describe("MeterAggregator - edge cases", () => {
           timestamp: pastWindow + 10,
         }),
       );
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           tenant: t,
           cost: Credit.fromDollars(0.03),
@@ -726,7 +728,7 @@ describe("MeterAggregator - edge cases", () => {
     const twoWindowsAgo = threeWindowsAgo + WINDOW;
     const oneWindowAgo = twoWindowsAgo + WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.01),
@@ -734,7 +736,7 @@ describe("MeterAggregator - edge cases", () => {
         timestamp: threeWindowsAgo + 100,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.03),
@@ -742,7 +744,7 @@ describe("MeterAggregator - edge cases", () => {
         timestamp: twoWindowsAgo + 100,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.05),
@@ -845,7 +847,7 @@ describe("MeterAggregator - billing accuracy", () => {
     const expectedCostRaw = events.reduce((s, e) => s + e.cost.toRaw(), 0);
     const expectedChargeRaw = events.reduce((s, e) => s + e.charge.toRaw(), 0);
 
-    for (const e of events) emitter.emit(e);
+    for (const e of events) await emitter.emit(e);
     await emitter.flush();
     await aggregator.aggregate(now);
 
@@ -860,7 +862,7 @@ describe("MeterAggregator - billing accuracy", () => {
     const now = Date.now();
     const pastWindow = Math.floor(now / WINDOW) * WINDOW - WINDOW;
 
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.1),
@@ -869,7 +871,7 @@ describe("MeterAggregator - billing accuracy", () => {
         timestamp: pastWindow + 10,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.05),
@@ -878,7 +880,7 @@ describe("MeterAggregator - billing accuracy", () => {
         timestamp: pastWindow + 20,
       }),
     );
-    emitter.emit(
+    await emitter.emit(
       makeEvent({
         tenant: "t-1",
         cost: Credit.fromDollars(0.15),
@@ -929,7 +931,7 @@ describe("MeterEmitter - edge cases", () => {
 
   it("handles large batch of events", async () => {
     for (let i = 0; i < 200; i++) {
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           tenant: "bulk-tenant",
           cost: Credit.fromDollars(0.001),
@@ -947,7 +949,7 @@ describe("MeterEmitter - edge cases", () => {
   });
 
   it("handles zero-cost events", async () => {
-    emitter.emit(makeEvent({ tenant: "free-tier", cost: Credit.ZERO, charge: Credit.ZERO }));
+    await emitter.emit(makeEvent({ tenant: "free-tier", cost: Credit.ZERO, charge: Credit.ZERO }));
     await emitter.flush();
 
     const rows = await emitter.queryEvents("free-tier");
@@ -958,9 +960,9 @@ describe("MeterEmitter - edge cases", () => {
 
   it("preserves event ordering within a tenant", async () => {
     const base = 1700000000000;
-    emitter.emit(makeEvent({ tenant: "t-1", timestamp: base + 300 }));
-    emitter.emit(makeEvent({ tenant: "t-1", timestamp: base + 100 }));
-    emitter.emit(makeEvent({ tenant: "t-1", timestamp: base + 200 }));
+    await emitter.emit(makeEvent({ tenant: "t-1", timestamp: base + 300 }));
+    await emitter.emit(makeEvent({ tenant: "t-1", timestamp: base + 100 }));
+    await emitter.emit(makeEvent({ tenant: "t-1", timestamp: base + 200 }));
     await emitter.flush();
 
     // queryEvents orders by timestamp DESC.
@@ -972,11 +974,11 @@ describe("MeterEmitter - edge cases", () => {
   });
 
   it("handles multiple flushes without losing events", async () => {
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     await emitter.flush();
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     await emitter.flush();
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     await emitter.flush();
 
     const rows = (
@@ -993,7 +995,7 @@ describe("append-only guarantee", () => {
     const { db, pool } = await createTestDb();
     const emitter = makeEmitter(db, { flushIntervalMs: 60_000 });
 
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     await emitter.flush();
 
     // Verify the event exists.
@@ -1001,7 +1003,7 @@ describe("append-only guarantee", () => {
     expect(before?.cnt).toBe(1);
 
     // Emit more -- never replaces.
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     await emitter.flush();
 
     const after = (await db.select({ cnt: sql<number>`COUNT(*)` }).from(meterEvents))[0];
@@ -1064,7 +1066,7 @@ describe("MeterEmitter - fail-closed policy", () => {
   });
 
   it("writes events to WAL before buffering", async () => {
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
 
     // WAL should exist immediately.
     expect(existsSync(TEST_WAL_PATH)).toBe(true);
@@ -1079,7 +1081,7 @@ describe("MeterEmitter - fail-closed policy", () => {
   });
 
   it("clears WAL after successful flush", async () => {
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
     expect(existsSync(TEST_WAL_PATH)).toBe(true);
 
     await emitter.flush();
@@ -1089,7 +1091,7 @@ describe("MeterEmitter - fail-closed policy", () => {
   });
 
   it("moves events to DLQ after max retries", async () => {
-    emitter.emit(makeEvent({ tenant: "t-1" }));
+    await emitter.emit(makeEvent({ tenant: "t-1" }));
 
     // Close the database to force flush failures.
     pool.close();
@@ -1179,7 +1181,7 @@ describe("MeterEmitter - fail-closed policy", () => {
 
   describe("generic usage fields (WOP-512)", () => {
     it("persists usage, tier, and metadata fields", async () => {
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           tenant: "t-1",
           capability: "tts",
@@ -1198,7 +1200,7 @@ describe("MeterEmitter - fail-closed policy", () => {
     });
 
     it("handles null usage/tier/metadata (backwards compatibility)", async () => {
-      emitter.emit(makeEvent({ tenant: "t-1" }));
+      await emitter.emit(makeEvent({ tenant: "t-1" }));
       await emitter.flush();
       const rows = await emitter.queryEvents("t-1");
       expect(rows[0].usage_units).toBeNull();
@@ -1208,7 +1210,7 @@ describe("MeterEmitter - fail-closed policy", () => {
     });
 
     it("works with multiple capability types in the same flush", async () => {
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           capability: "tts",
           provider: "elevenlabs",
@@ -1216,7 +1218,7 @@ describe("MeterEmitter - fail-closed policy", () => {
           tier: "branded",
         }),
       );
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           capability: "chat-completions",
           provider: "openrouter",
@@ -1224,7 +1226,7 @@ describe("MeterEmitter - fail-closed policy", () => {
           tier: "branded",
         }),
       );
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           capability: "transcription",
           provider: "self-hosted-whisper",
@@ -1232,7 +1234,7 @@ describe("MeterEmitter - fail-closed policy", () => {
           tier: "wopr",
         }),
       );
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           capability: "image-generation",
           provider: "replicate",
@@ -1249,7 +1251,7 @@ describe("MeterEmitter - fail-closed policy", () => {
     });
 
     it("BYOK tier records zero cost/charge with tier='byok'", async () => {
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           cost: Credit.ZERO,
           charge: Credit.ZERO,
@@ -1271,7 +1273,7 @@ describe("MeterEmitter - fail-closed policy", () => {
       const WINDOW = 60_000; // 1 minute
       const aggregator = new MeterAggregator(new DrizzleUsageSummaryRepository(db), { windowMs: WINDOW });
       const pastWindow = Math.floor(Date.now() / WINDOW) * WINDOW - WINDOW;
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           tenant: "t-1",
           cost: Credit.fromDollars(0.01),
@@ -1281,7 +1283,7 @@ describe("MeterEmitter - fail-closed policy", () => {
           tier: "branded",
         }),
       );
-      emitter.emit(
+      await emitter.emit(
         makeEvent({
           tenant: "t-1",
           cost: Credit.fromDollars(0.03),
@@ -1305,7 +1307,7 @@ describe("MeterEmitter - fail-closed policy", () => {
         tier: "wopr",
         metadata: { foo: "bar" },
       });
-      emitter.emit(event);
+      await emitter.emit(event);
       // WAL should persist new fields
       const walContent = readFileSync(TEST_WAL_PATH, "utf8");
       const walEvent = JSON.parse(walContent.trim());

package/src/metering/wal.test.ts

@@ -161,6 +161,32 @@ describe("MeterWAL", () => {
     expect(tenants).not.toContain("t-2");
     expect(events).toHaveLength(2);
   });
+
+  it("concurrent appends and remove are serialized without data loss", async () => {
+    // Seed 2 events to remove
+    const e1 = await wal.append(makeEvent({ tenant: "seed-1" }));
+    const e2 = await wal.append(makeEvent({ tenant: "seed-2" }));
+
+    // Fire remove + 3 concurrent appends
+    const removePromise = wal.remove(new Set([e1.id, e2.id]));
+    const a1 = wal.append(makeEvent({ tenant: "new-1" }));
+    const a2 = wal.append(makeEvent({ tenant: "new-2" }));
+    const a3 = wal.append(makeEvent({ tenant: "new-3" }));
+
+    await Promise.all([removePromise, a1, a2, a3]);
+
+    const events = wal.readAll();
+    const tenants = events.map((e) => e.tenant);
+
+    // Seeded events must be gone
+    expect(tenants).not.toContain("seed-1");
+    expect(tenants).not.toContain("seed-2");
+    // All 3 new appends must survive
+    expect(tenants).toContain("new-1");
+    expect(tenants).toContain("new-2");
+    expect(tenants).toContain("new-3");
+    expect(events).toHaveLength(3);
+  });
 });
 
 describe("MeterDLQ", () => {

package/src/metering/wal.ts

@@ -40,19 +40,23 @@ export class MeterWAL {
   }
 
   /**
-   * Append an event to the WAL. appendFileSync is atomic on POSIX (O_APPEND),
-   * so no mutex is needed here. Returns the event with a generated ID.
+   * Append an event to the WAL. Mutex-guarded to prevent TOCTOU races
+   * with remove(), which does a read-filter-rewrite that would clobber
+   * concurrent appends. Uses appendFileSync inside the lock for
+   * fail-closed crash safety (POSIX O_APPEND atomic write).
    */
-  append(event: MeterEvent & { id?: string }): MeterEvent & { id: string } {
-    const eventWithId = {
-      ...event,
-      id: event.id ?? crypto.randomUUID(),
-    };
+  async append(event: MeterEvent & { id?: string }): Promise<MeterEvent & { id: string }> {
+    return this.withLock(() => {
+      const eventWithId = {
+        ...event,
+        id: event.id ?? crypto.randomUUID(),
+      };
 
-    const line = `${JSON.stringify(eventWithId)}\n`;
-    appendFileSync(this.walPath, line, { encoding: "utf8", flag: "a" });
+      const line = `${JSON.stringify(eventWithId)}\n`;
+      appendFileSync(this.walPath, line, { encoding: "utf8", flag: "a" });
 
-    return eventWithId;
+      return eventWithId;
+    });
   }
 
   /**

package/src/security/redirect-allowlist.test.ts

@@ -46,6 +46,47 @@ describe("assertSafeRedirectUrl", () => {
     expect(() => assertSafeRedirectUrl("")).toThrow("Invalid redirect URL");
   });
 
+  it("rejects https://example.com", () => {
+    expect(() => assertSafeRedirectUrl("https://example.com/callback")).toThrow("Invalid redirect URL");
+  });
+
+  describe("EXTRA_ALLOWED_REDIRECT_ORIGINS env-driven entries", () => {
+    beforeEach(() => {
+      vi.resetModules();
+    });
+
+    afterEach(() => {
+      delete process.env.EXTRA_ALLOWED_REDIRECT_ORIGINS;
+      vi.resetModules();
+    });
+
+    it("allows origins listed in EXTRA_ALLOWED_REDIRECT_ORIGINS", async () => {
+      process.env.EXTRA_ALLOWED_REDIRECT_ORIGINS = "https://staging.wopr.bot";
+      const { assertSafeRedirectUrl: assertSafe } = await import("./redirect-allowlist.js");
+      expect(() => assertSafe("https://staging.wopr.bot/billing")).not.toThrow();
+    });
+
+    it("allows multiple comma-separated origins", async () => {
+      process.env.EXTRA_ALLOWED_REDIRECT_ORIGINS = "https://staging.wopr.bot,https://preview.wopr.bot";
+      const { assertSafeRedirectUrl: assertSafe } = await import("./redirect-allowlist.js");
+      expect(() => assertSafe("https://staging.wopr.bot/billing")).not.toThrow();
+      expect(() => assertSafe("https://preview.wopr.bot/dashboard")).not.toThrow();
+    });
+
+    it("ignores empty/whitespace entries in comma-separated list", async () => {
+      process.env.EXTRA_ALLOWED_REDIRECT_ORIGINS = "https://staging.wopr.bot, , ,";
+      const { assertSafeRedirectUrl: assertSafe } = await import("./redirect-allowlist.js");
+      expect(() => assertSafe("https://staging.wopr.bot/billing")).not.toThrow();
+      expect(() => assertSafe("https://evil.com/phishing")).toThrow("Invalid redirect URL");
+    });
+
+    it("defaults to empty when env var is unset", async () => {
+      delete process.env.EXTRA_ALLOWED_REDIRECT_ORIGINS;
+      const { assertSafeRedirectUrl: assertSafe } = await import("./redirect-allowlist.js");
+      expect(() => assertSafe("https://random.example.org")).toThrow("Invalid redirect URL");
+    });
+  });
+
   describe("PLATFORM_UI_URL env-driven entry", () => {
     beforeEach(() => {
       process.env.PLATFORM_UI_URL = "https://platform.example.com";

package/src/security/redirect-allowlist.ts

@@ -1,11 +1,29 @@
 const STATIC_ORIGINS: string[] = ["https://app.wopr.bot", "https://wopr.network"];
 
+function parseExtraOrigins(): string[] {
+  const raw = process.env.EXTRA_ALLOWED_REDIRECT_ORIGINS;
+  if (!raw) return [];
+  return raw
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean)
+    .filter((entry) => {
+      try {
+        new URL(entry);
+        return true;
+      } catch {
+        console.warn(`[redirect-allowlist] Malformed entry in EXTRA_ALLOWED_REDIRECT_ORIGINS, skipping: ${entry}`);
+        return false;
+      }
+    });
+}
+
 function getAllowedOrigins(): string[] {
   return [
     ...STATIC_ORIGINS,
     ...(process.env.NODE_ENV !== "production" ? ["http://localhost:3000", "http://localhost:3001"] : []),
     ...(process.env.PLATFORM_UI_URL ? [process.env.PLATFORM_UI_URL] : []),
-    ...(process.env.NODE_ENV !== "production" ? ["https://example.com"] : []),
+    ...(process.env.NODE_ENV !== "production" ? parseExtraOrigins() : []),
   ];
 }