backend-manager 5.2.1 → 5.2.3

package/CHANGELOG.md

@@ -14,6 +14,30 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+# [5.2.3] - 2026-05-22
+
+### Added
+
+- **`marketing.sendgrid.listId` in `templates/backend-manager-config.json`.** Empty-string placeholder for OMEGA's `sendgrid/ensure/list.js` to populate at brand-onboarding time. Mirrors the existing `marketing.beehiiv.publicationId` convention.
+- **`_test.*` local-part block** in `src/manager/libraries/email/data/blocked-local-patterns.js`. Test-suite accounts (`_test.<scenario>@somiibo.com`) are now blocked from reaching SendGrid + Beehiiv. The carved-out exception is `_test.allow_*` — used for live-provider integration tests that intentionally need to round-trip a real contact.
+
+### Changed
+
+- **`Marketing.add()` and `Marketing.sync()` now use the full `validate()` pipeline** instead of just `isCorporate()`. Single SSOT for "is this a valid marketing email" — runs format → disposable → corporate → localPart in one call. Stricter behavior: disposable-domain emails (mailinator etc.) and junk local-parts (`noreply`, `test*`, `_test.*`) are now blocked from marketing lists. They were previously waved through because the gate only checked corporate domains.
+- **SendGrid list-ID lookup is now config-only.** `src/manager/libraries/email/providers/sendgrid.js#getListId()` reads `Manager.config.marketing.sendgrid.listId` and returns null if missing — no more runtime API call, no more fuzzy-match-by-brand-name. Old fuzzy logic kept commented out as `getListIdByFuzzyMatch()` backstop. **Brands must run OMEGA's sendgrid service to populate `listId` before this version sees their list assignments work** (without it, contacts land in SendGrid's global "All Contacts" pool, not the brand list).
+- **Beehiiv publication-ID lookup is now config-only.** `src/manager/libraries/email/providers/beehiiv.js#getPublicationId()` reads `Manager.config.marketing.beehiiv.publicationId` and returns null if missing — same shape as SendGrid above. Old fuzzy logic kept commented out as backstop. Beehiiv side already preferred config when set, but now there's no API fallback.
+- **`marketing.beehiiv.publicationId` is now an always-present empty string in the config template** (was a commented-out hint). Matches the SendGrid `listId` shape and means `Manager.config.marketing.beehiiv.publicationId` always returns `""` (never `undefined`) for legacy brands.
+- **SendGrid API timeouts bumped from 10s → 60s** via a new top-level `SENDGRID_TIMEOUT_MS` constant in `sendgrid.js`. All 9 fetch sites updated. Catches the intermittent SendGrid backend hiccups that were dropping signups silently with "Request timed out".
+
+# [5.2.2] - 2026-05-21
+
+### Added
+
+- **`consent` is now a protected user field.** `templates/firestore.rules` includes `consent` in `isWritingProtectedUserField()` so a logged-in user cannot retroactively forge their own consent record from the client — only the signup route + webhook processors can mutate it server-side. New rule test in `test/rules/user.js`.
+- **`BaseCommand.getLogsPath(name)` / `getTempPath(name)`** in `src/cli/commands/base-command.js`. Two explicit helpers so the folder convention is the SSOT and easy to change later. `getLogsPath()` writes human-readable logs (`serve.log`, `emulator.log`, `test.log`, `logs.log`) to `<projectDir>/functions/` alongside firebase-tools' own `*-debug.log` files. `getTempPath()` writes transient internal-only stuff (`*.log.reset` sentinels, `bem-reload-trigger.js`, `test-mode.json`) to `<projectDir>/.temp/`.
+- **`BaseCommand.sweepStaleLogs()`** wipes BEM's own `.log` files in `functions/` and `.reset` sentinels in `.temp/` on every emulator/serve boot and on `npx mgr setup`. Deliberately does NOT touch firebase-tools' debug logs (`firestore-debug.log`, `database-debug.log`, etc.) so users can grep them after a crash.
+- **`npx mgr setup` cleanup step.** `cleanupGeneratedArtifacts()` now removes the watch trigger file (existing behavior) plus calls `sweepStaleLogs()` to clean up old BEM-owned logs/sentinels from previous runs.
+
 # [5.2.1] - 2026-05-21
 
 ### Added

package/README.md

@@ -850,12 +850,13 @@ npx mgr test user/ admin/       # Multiple paths
 
 ### Log Files
 
-BEM CLI commands automatically save output to log files in the project directory:
-- **`emulator.log`** — Full emulator + Cloud Functions output (`npx mgr emulator`)
-- **`test.log`** — Test runner output (`npx mgr test`, when running against an existing emulator)
-- **`logs.log`** — Cloud Function logs (`npx mgr logs:read` or `npx mgr logs:tail`)
+BEM CLI commands automatically save output to log files in the project's `functions/` directory (alongside firebase-tools' own `*-debug.log` files so everything is grep-able from one place):
+- **`functions/serve.log`** — Output from `npx mgr serve`
+- **`functions/emulator.log`** — Full emulator + Cloud Functions output (`npx mgr emulator`)
+- **`functions/test.log`** — Test runner output (`npx mgr test`, when running against an existing emulator)
+- **`functions/logs.log`** — Cloud Function logs (`npx mgr logs:read` or `npx mgr logs:tail`)
 
-Logs are overwritten on each run. Use them to debug failing tests or review function output.
+Logs are overwritten on each run and gitignored via `*.log`. Use them to debug failing tests or review function output. Transient internal artifacts (reset sentinels, watch trigger, `test-mode.json`) live separately in `<projectDir>/.temp/`.
 
 ### Test Locations
 

package/docs/testing.md

@@ -94,7 +94,7 @@ npx mgr test ...                                 # ← this still flips it back
 
 ## Log Files
 
-BEM CLI commands automatically save all output to log files in `functions/` while still streaming to the console:
+BEM CLI commands automatically save all output to log files in `<projectDir>/functions/` while still streaming to the console — co-located with firebase-tools' own `*-debug.log` files so everything can be grepped from one directory:
 - **`functions/serve.log`** — Output from `npx mgr serve` (Firebase serve)
 - **`functions/emulator.log`** — Full emulator output (Firebase emulator + Cloud Functions logs)
 - **`functions/test.log`** — Test runner output (when running against an existing emulator)
@@ -102,7 +102,7 @@ BEM CLI commands automatically save all output to log files in `functions/` whil
 
 When `npx mgr test` starts its own emulator, logs go to `emulator.log` (since it delegates to the emulator command). When running against an already-running emulator, logs go to `test.log`.
 
-These files are overwritten on each run and are gitignored (`*.log`). Use them to search for errors, debug webhook pipelines, or review full function output after a test run.
+These files are overwritten on each run and are gitignored via `*.log`. Reset sentinels (`*.log.reset`), the watch trigger file, and `test-mode.json` live separately in `<projectDir>/.temp/` because they're transient internal signals with no debugging value.
 
 ## Filtering Tests
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.2.1",
+  "version": "5.2.3",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/cli/commands/base-command.js

@@ -16,6 +16,73 @@ class BaseCommand {
     throw new Error('Execute method must be implemented');
   }
 
+  /**
+   * Resolve a path inside the consumer project's `.temp/` directory. Used for
+   * TRULY internal artifacts that have no debugging value: reset sentinels
+   * (*.log.reset), the watch command's reload trigger, and `test-mode.json`.
+   *
+   * For human-readable log files, use `getLogsPath()` instead — those live in
+   * `functions/` next to firebase-tools' own *-debug.log files so all log
+   * output can be grepped from one directory.
+   *
+   * Ensures the directory exists.
+   * @param {string} [filename] - File name to append (omit to get the dir path).
+   * @returns {string} Absolute path.
+   */
+  getTempPath(filename) {
+    const projectDir = this.main.firebaseProjectPath;
+    const tempDir = path.join(projectDir, '.temp');
+    jetpack.dir(tempDir);
+    return filename ? path.join(tempDir, filename) : tempDir;
+  }
+
+  /**
+   * Resolve a path for a human-readable log file. BEM-owned logs (serve.log,
+   * emulator.log, test.log, logs.log) live in `functions/` alongside
+   * firebase-tools' own *-debug.log files so all log output is grep-able from
+   * one place. Reset sentinels and other internal-only artifacts use
+   * `getTempPath()` instead.
+   *
+   * @param {string} [filename] - File name to append (omit to get the dir path).
+   * @returns {string} Absolute path.
+   */
+  getLogsPath(filename) {
+    const projectDir = this.main.firebaseProjectPath;
+    const logsDir = path.join(projectDir, 'functions');
+    return filename ? path.join(logsDir, filename) : logsDir;
+  }
+
+  /**
+   * Sweep stale BEM-owned logs out of `functions/`. Catches `.log` files
+   * from previous runs so each emulator/serve/test boot starts with a clean
+   * slate. Also catches stale `.reset` sentinels in `.temp/` that a crashed
+   * process may have left behind.
+   *
+   * Firebase-tools writes its own debug logs (firestore-debug.log,
+   * database-debug.log, pubsub-debug.log, firebase-debug.log, ui-debug.log) to
+   * cwd and we can't redirect them — we deliberately do NOT touch those, so
+   * users can grep them after a crash.
+   */
+  sweepStaleLogs() {
+    const logFiles = [
+      'serve.log',
+      'emulator.log',
+      'test.log',
+      'logs.log',
+    ];
+    const resetSentinels = [
+      'serve.log.reset',
+      'emulator.log.reset',
+    ];
+
+    for (const name of logFiles) {
+      try { jetpack.remove(this.getLogsPath(name)); } catch (e) { /* best-effort */ }
+    }
+    for (const name of resetSentinels) {
+      try { jetpack.remove(this.getTempPath(name)); } catch (e) { /* best-effort */ }
+    }
+  }
+
   log(...args) {
     console.log(...args);
   }

package/src/cli/commands/emulator.js

@@ -73,6 +73,10 @@ class EmulatorCommand extends BaseCommand {
       throw new Error('Port conflicts could not be resolved');
     }
 
+    // Wipe stale firebase-tools debug logs + any leftover BEM logs from older
+    // versions. Keeps the project tree clean across runs.
+    this.sweepStaleLogs();
+
     // BEM_TESTING=true is passed so Functions skip external API calls (emails, SendGrid)
     // hosting is included so localhost:5002 rewrites work (e.g., /backend-manager -> bm_api)
     // pubsub is included so scheduled functions (bm_cronDaily) can be triggered in tests
@@ -87,8 +91,8 @@ class EmulatorCommand extends BaseCommand {
     // by touching emulator.log.reset — the watcher below detects it, closes the
     // current stream, reopens with flags: 'w' (truncating cleanly from our process'
     // perspective, no sparse-file issue), and deletes the sentinel.
-    const logPath = path.join(projectDir, 'functions', 'emulator.log');
-    const resetSentinelPath = `${logPath}.reset`;
+    const logPath = this.getLogsPath('emulator.log');
+    const resetSentinelPath = this.getTempPath('emulator.log.reset');
     const stripAnsi = (str) => str.replace(/\x1B\[[0-9;]*[a-zA-Z]/g, '');
 
     let currentStream = fs.createWriteStream(logPath, { flags: 'w' });

package/src/cli/commands/logs.js

@@ -72,9 +72,8 @@ class LogsCommand extends BaseCommand {
       `--order=${order}`,
     ].filter(Boolean).join(' ');
 
-    // Set up log file in the project directory
-    const projectDir = this.main.firebaseProjectPath;
-    const logPath = path.join(projectDir, 'functions', 'logs.log');
+    // Set up log file in the project's functions/ directory
+    const logPath = this.getLogsPath('logs.log');
 
     this.log(chalk.gray(`  Filter: ${filter || '(none)'}`));
     this.log(chalk.gray(`  Limit: ${limit}`));
@@ -126,9 +125,8 @@ class LogsCommand extends BaseCommand {
     const seenIds = new Set();
     let stopped = false;
 
-    // Set up log file in the project directory
-    const projectDir = this.main.firebaseProjectPath;
-    const logPath = path.join(projectDir, 'functions', 'logs.log');
+    // Set up log file in the project's functions/ directory
+    const logPath = this.getLogsPath('logs.log');
     const logStream = fs.createWriteStream(logPath, { flags: 'w' });
 
     const filter = this.buildFilter(argv, { excludeTimestamp: true });

package/src/cli/commands/serve.js

@@ -18,6 +18,10 @@ class ServeCommand extends BaseCommand {
       throw new Error('Port conflicts could not be resolved');
     }
 
+    // Wipe stale firebase-tools debug logs + any leftover BEM logs from older
+    // versions. Keeps the project tree clean across runs.
+    this.sweepStaleLogs();
+
     // Start BEM watcher in background
     const watcher = new WatchCommand(self);
     watcher.startBackground();
@@ -40,8 +44,8 @@ class ServeCommand extends BaseCommand {
     //      lines on the first cycle (subsequent cycles route those elsewhere), so
     //      we'd end up with a near-empty log. Rolling at the START of the cycle
     //      lets us capture whatever firebase-tools does emit, complete-or-not.
-    const logPath = path.join(projectDir, 'functions', 'serve.log');
-    const resetSentinelPath = `${logPath}.reset`;
+    const logPath = this.getLogsPath('serve.log');
+    const resetSentinelPath = this.getTempPath('serve.log.reset');
     // Match any node version: "Using node@22 from host.", "Using node@20 from host.", etc.
     const RELOAD_MARKER = /Using node@\d+ from host\./;
     const stripAnsi = (str) => str.replace(/\x1B\[[0-9;]*[a-zA-Z]/g, '');

package/src/cli/commands/setup.js

@@ -104,8 +104,8 @@ class SetupCommand extends BaseCommand {
       throw new Error('Missing <engines.node> in package.json');
     }
 
-    // Clean up leftover trigger files from watch command
-    this.cleanupTriggerFiles();
+    // Clean up leftover trigger files + stale log files from older BEM versions
+    this.cleanupGeneratedArtifacts();
 
     // Copy / merge defaults into consumer project root (matches EM/BXM/UJM pattern).
     // Runs BEFORE tests so any test that inspects scaffolded files sees the merged state.
@@ -219,13 +219,19 @@ class SetupCommand extends BaseCommand {
     }
   }
 
-  cleanupTriggerFiles() {
+  cleanupGeneratedArtifacts() {
     const self = this.main;
-    const triggerFile = `${self.firebaseProjectPath}/functions/bem-reload-trigger.js`;
 
+    // Remove the BEM reload-trigger file (transient artifact from `npx mgr watch`)
+    const triggerFile = `${self.firebaseProjectPath}/functions/bem-reload-trigger.js`;
     if (jetpack.exists(triggerFile)) {
       jetpack.remove(triggerFile);
     }
+
+    // Sweep stale firebase-tools debug logs + leftover BEM logs from older
+    // versions (pre-5.2.2 they lived in functions/; now in .temp/). Shared
+    // implementation in base-command.js so emulator/serve boot also runs it.
+    this.sweepStaleLogs();
   }
 
   async runTests() {

package/src/cli/commands/test.js

@@ -199,8 +199,7 @@ class TestCommand extends BaseCommand {
    * log just won't be reset for this run.
    */
   async requestEmulatorLogReset(projectDir) {
-    const logPath = path.join(projectDir, 'functions', 'emulator.log');
-    const sentinelPath = `${logPath}.reset`;
+    const sentinelPath = this.getTempPath('emulator.log.reset');
 
     try {
       fs.writeFileSync(sentinelPath, '');
@@ -242,8 +241,8 @@ class TestCommand extends BaseCommand {
     this.log(chalk.gray(`  Auth: 127.0.0.1:${emulatorPorts.auth}`));
     this.log(chalk.gray(`  UI: http://127.0.0.1:${emulatorPorts.ui}`));
 
-    // Set up log file in the project directory
-    const logPath = path.join(projectDir, 'functions', 'test.log');
+    // Set up log file in the project's functions/ directory (alongside firebase-tools logs)
+    const logPath = this.getLogsPath('test.log');
     const logStream = fs.createWriteStream(logPath, { flags: 'w' });
     const stripAnsi = (str) => str.replace(/\x1B\[[0-9;]*[a-zA-Z]/g, '');
 

package/src/cli/commands/watch.js

@@ -60,8 +60,8 @@ class WatchCommand extends BaseCommand {
     // command isn't watching, the file is harmless and gets cleaned up by the next
     // boot's stale-sentinel sweep.
     const triggerFile = config.triggerFile;
-    const serveLogResetPath = path.join(config.functionsDir, 'serve.log.reset');
-    const emulatorLogResetPath = path.join(config.functionsDir, 'emulator.log.reset');
+    const serveLogResetPath = this.getTempPath('serve.log.reset');
+    const emulatorLogResetPath = this.getTempPath('emulator.log.reset');
     const nodemon = spawn(nodemonPath, [
       '--on-change-only',
       '--delay', '1',
@@ -104,8 +104,8 @@ class WatchCommand extends BaseCommand {
     // Use nodemon to watch the BEM src directory and touch the trigger file on changes.
     // Also drop <log>.reset sentinels so any sibling serve/emulator command rolls its
     // log file on each reload (mirrors the test runner's log-roll pattern).
-    const serveLogResetPath = path.join(config.functionsDir, 'serve.log.reset');
-    const emulatorLogResetPath = path.join(config.functionsDir, 'emulator.log.reset');
+    const serveLogResetPath = this.getTempPath('serve.log.reset');
+    const emulatorLogResetPath = this.getTempPath('emulator.log.reset');
     const nodemon = spawn(nodemonPath, [
       '--watch', config.bemSrcDir,
       '--ext', 'js,json',

package/src/manager/libraries/email/data/blocked-local-patterns.js

@@ -3,9 +3,14 @@
  * Kept as JS (not JSON) so patterns stay as native RegExp literals.
  */
 module.exports = [
-  /^\d+$/,           // All numeric: 123456
-  /^(.)\1{2,}$/,     // Repeating single char: aaaa, xxxx
-  /^[a-z]{1,2}\d+$/, // Single letter + numbers: a123, x999
-  /^test/,           // Starts with test: test, testuser, test123, test.user
-  /^example/,        // Starts with example: example, exampleuser, example.user
+  /^\d+$/,                // All numeric: 123456
+  /^(.)\1{2,}$/,          // Repeating single char: aaaa, xxxx
+  /^[a-z]{1,2}\d+$/,      // Single letter + numbers: a123, x999
+  /^test/,                // Starts with test: test, testuser, test123, test.user
+  /^example/,             // Starts with example: example, exampleuser, example.user
+  // Test-suite accounts use `_test.<scenario>@...` so they don't collide with
+  // real signups. Block them from reaching SendGrid/Beehiiv so live lists stay
+  // clean. `_test.allow_*` is the carved-out exception for live-provider
+  // integration tests that intentionally need to round-trip a real contact.
+  /^_test\.(?!allow_)/,
 ];

package/src/manager/libraries/email/marketing/index.js

@@ -29,7 +29,7 @@ const md = new MarkdownIt({ html: true, breaks: true, linkify: true });
 
 const { TEMPLATES, GROUPS, SENDERS } = require('../constants.js');
 const { tagLinks } = require('../utm.js');
-const { isCorporate } = require('../validation.js');
+const { validate } = require('../validation.js');
 const sendgridProvider = require('../providers/sendgrid.js');
 const beehiivProvider = require('../providers/beehiiv.js');
 
@@ -73,9 +73,13 @@ Marketing.prototype.add = async function (options) {
     return {};
   }
 
-  if (isCorporate(email)) {
-    assistant.warn(`Marketing.add(): Blocked corporate/social-media domain, skipping: ${email}`);
-    return { blocked: 'corporate', email };
+  // SSOT for what "valid marketing email" means — format, disposable, corporate,
+  // localPart junk (incl. _test.* test-suite accounts). Single validate() call
+  // catches all of these before we hit SendGrid/Beehiiv.
+  const validation = await validate(email);
+  if (!validation.valid) {
+    assistant.warn(`Marketing.add(): Validation failed, skipping: ${email}`, validation.checks);
+    return { blocked: 'validation', email, checks: validation.checks };
   }
 
   if (assistant.isTesting() && !process.env.TEST_EXTENDED_MODE) {
@@ -157,9 +161,13 @@ Marketing.prototype.sync = async function (userDocOrUid) {
     return {};
   }
 
-  if (isCorporate(email)) {
-    assistant.warn(`Marketing.sync(): Blocked corporate/social-media domain, skipping: ${email}`);
-    return { blocked: 'corporate', email };
+  // SSOT for what "valid marketing email" means — format, disposable, corporate,
+  // localPart junk (incl. _test.* test-suite accounts). Single validate() call
+  // catches all of these before we hit SendGrid/Beehiiv.
+  const validation = await validate(email);
+  if (!validation.valid) {
+    assistant.warn(`Marketing.sync(): Validation failed, skipping: ${email}`, validation.checks);
+    return { blocked: 'validation', email, checks: validation.checks };
   }
 
   if (assistant.isTesting() && !process.env.TEST_EXTENDED_MODE) {

package/src/manager/libraries/email/providers/beehiiv.js

@@ -131,80 +131,96 @@ async function removeSubscriber(email, publicationId) {
 }
 
 /**
- * Get a Beehiiv publication ID by brand name (fuzzy match).
+ * Get this brand's Beehiiv publication ID.
  *
- * @param {string} brandName
- * @returns {string|null} Publication ID or null
+ * Reads `Manager.config.marketing.beehiiv.publicationId` — populated by
+ * OMEGA's `beehiiv/ensure/publication.js` at brand-onboarding time. No
+ * runtime API call, no fuzzy-match fragility.
+ *
+ * If the brand hasn't been onboarded yet (publicationId missing/empty), logs
+ * a warning and returns null — the marketing sync will skip Beehiiv for this
+ * brand. Fix: run OMEGA's beehiiv service to populate.
+ *
+ * @returns {string|null} Publication ID or null if not configured
  */
-let _publicationIdCache = null;
-
-async function getPublicationId() {
-  if (_publicationIdCache) {
-    return _publicationIdCache;
-  }
-
-  // Use publicationId from config if set (skips API call)
-  const configPubId = Manager.config?.marketing?.beehiiv?.publicationId;
-
-  if (configPubId) {
-    _publicationIdCache = configPubId;
-    return configPubId;
-  }
-
-  // Fuzzy-match by brand name (guard against uninitialized Manager singleton —
-  // happens in test stubs that build their own Manager without init()).
-  const brandName = Manager.config?.brand?.name;
+function getPublicationId() {
+  const publicationId = Manager.config?.marketing?.beehiiv?.publicationId;
 
-  if (!brandName) {
-    console.error('Beehiiv: Brand name is required to find publication');
+  if (!publicationId) {
+    console.warn(
+      'Beehiiv: marketing.beehiiv.publicationId is not set in config. '
+      + 'Subscriber will NOT be added to a publication. '
+      + 'Run OMEGA to populate.',
+    );
     return null;
   }
 
-  const brandNameLower = brandName.toLowerCase();
-  const allPublications = [];
-  let page = 1;
-  const limit = 100;
-
-  try {
-    while (true) {
-      const data = await fetch(`${BASE_URL}/publications?limit=${limit}&page=${page}`, {
-        response: 'json',
-        headers: headers(),
-        timeout: 10000,
-      });
-
-      if (!data.data || data.data.length === 0) {
-        break;
-      }
-
-      const matchedPub = data.data.find(pub =>
-        pub.name.toLowerCase() === brandNameLower
-        || pub.name.toLowerCase().includes(brandNameLower)
-        || brandNameLower.includes(pub.name.toLowerCase())
-      );
-
-      if (matchedPub) {
-        _publicationIdCache = matchedPub.id;
-        return matchedPub.id;
-      }
-
-      allPublications.push(...data.data);
-
-      if (data.data.length < limit) {
-        break;
-      }
-
-      page++;
-    }
-
-    console.error(`Beehiiv: No publication matched brand "${brandName}". Available: ${allPublications.map(p => p.name).join(', ')}`);
-  } catch (e) {
-    console.error('Beehiiv publication lookup error:', e);
-  }
-
-  return null;
+  return publicationId;
 }
 
+// LEGACY: Fuzzy-match-by-brand-name fallback. Kept commented out as a backstop
+// in case the config-based approach has an edge case we haven't seen yet.
+// Delete once we've verified the config-based approach works across all brands.
+//
+// let _publicationIdCache = null;
+//
+// async function getPublicationIdByFuzzyMatch() {
+//   if (_publicationIdCache) {
+//     return _publicationIdCache;
+//   }
+//
+//   const brandName = Manager.config?.brand?.name;
+//
+//   if (!brandName) {
+//     console.error('Beehiiv: Brand name is required to find publication');
+//     return null;
+//   }
+//
+//   const brandNameLower = brandName.toLowerCase();
+//   const allPublications = [];
+//   let page = 1;
+//   const limit = 100;
+//
+//   try {
+//     while (true) {
+//       const data = await fetch(`${BASE_URL}/publications?limit=${limit}&page=${page}`, {
+//         response: 'json',
+//         headers: headers(),
+//         timeout: 10000,
+//       });
+//
+//       if (!data.data || data.data.length === 0) {
+//         break;
+//       }
+//
+//       const matchedPub = data.data.find(pub =>
+//         pub.name.toLowerCase() === brandNameLower
+//         || pub.name.toLowerCase().includes(brandNameLower)
+//         || brandNameLower.includes(pub.name.toLowerCase())
+//       );
+//
+//       if (matchedPub) {
+//         _publicationIdCache = matchedPub.id;
+//         return matchedPub.id;
+//       }
+//
+//       allPublications.push(...data.data);
+//
+//       if (data.data.length < limit) {
+//         break;
+//       }
+//
+//       page++;
+//     }
+//
+//     console.error(`Beehiiv: No publication matched brand "${brandName}". Available: ${allPublications.map(p => p.name).join(', ')}`);
+//   } catch (e) {
+//     console.error('Beehiiv publication lookup error:', e);
+//   }
+//
+//   return null;
+// }
+
 /**
  * Add a contact to Beehiiv — resolves publication, adds subscriber with optional custom fields.
  *
@@ -217,7 +233,7 @@ async function getPublicationId() {
  * @returns {{ success: boolean, id?: string, error?: string }}
  */
 async function addContact({ email, firstName, lastName, company, source, customFields }) {
-  const publicationId = await getPublicationId();
+  const publicationId = getPublicationId();
 
   if (!publicationId) {
     return { success: false, error: 'Publication not found' };
@@ -245,7 +261,7 @@ async function addContact({ email, firstName, lastName, company, source, customF
  * @returns {{ success: boolean, deleted?: boolean, skipped?: boolean, error?: string }}
  */
 async function removeContact(email) {
-  const publicationId = await getPublicationId();
+  const publicationId = getPublicationId();
 
   if (!publicationId) {
     return { success: false, error: 'Publication not found' };
@@ -290,7 +306,7 @@ async function resolveSegmentIds() {
     return _segmentIdCache;
   }
 
-  const publicationId = await getPublicationId();
+  const publicationId = getPublicationId();
 
   if (!publicationId) {
     return {};
@@ -337,7 +353,7 @@ async function resolveSegmentIds() {
  * @returns {{ success: boolean, id?: string, scheduled?: boolean, error?: string }}
  */
 async function createPost(options) {
-  const publicationId = options.publicationId || await getPublicationId();
+  const publicationId = options.publicationId || getPublicationId();
 
   if (!publicationId) {
     return { success: false, error: 'Publication not found' };

package/src/manager/libraries/email/providers/sendgrid.js

@@ -9,6 +9,12 @@ const { resolveFieldValues } = require('../constants.js');
 
 const BASE_URL = 'https://api.sendgrid.com/v3';
 
+// SendGrid's API is normally fast (<2s) but spikes past 10s during their
+// hiccups, dropping signups silently. 60s is generous but harmless — the
+// metadata calls (resolveFieldIds, getListId) are cached for the process
+// lifetime so a slow first call costs nothing in steady state.
+const SENDGRID_TIMEOUT_MS = 60000;
+
 // --- Internal helpers ---
 
 function headers() {
@@ -35,7 +41,7 @@ async function resolveFieldIds() {
     const data = await fetch(`${BASE_URL}/marketing/field_definitions`, {
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     _fieldIdCache = {};
@@ -70,7 +76,7 @@ async function resolveSegmentIds() {
     const data = await fetch(`${BASE_URL}/marketing/segments/2.0`, {
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     _segmentIdCache = {};
@@ -137,7 +143,7 @@ async function removeContact(email) {
       method: 'post',
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
       body: { emails: [email] },
     });
 
@@ -152,7 +158,7 @@ async function removeContact(email) {
       method: 'delete',
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     if (deleteData.job_id) {
@@ -167,69 +173,96 @@ async function removeContact(email) {
 }
 
 /**
- * Get a SendGrid list ID by brand name (fuzzy match).
+ * Get this brand's SendGrid Marketing list ID.
+ *
+ * Reads `Manager.config.marketing.sendgrid.listId` — populated by OMEGA's
+ * `sendgrid/ensure/list.js` at brand-onboarding time, same as how Beehiiv's
+ * `publicationId` works. No runtime API call, no fuzzy-match fragility.
  *
- * @param {string} brandName
- * @returns {string|null} List ID or null
+ * If the brand hasn't been onboarded yet (listId missing/empty), logs a
+ * warning and returns null — the marketing sync will still succeed, but the
+ * contact lands in SendGrid's global pool instead of the brand's list. Fix:
+ * run OMEGA's sendgrid service to populate the config.
+ *
+ * @returns {string|null} List ID or null if not configured
  */
-async function getListId() {
-  const brandName = Manager.config.brand?.name;
-  const brandNameLower = (brandName || '').toLowerCase();
-  const allLists = [];
-  let pageToken = '';
-  const pageSize = 1000;
-
-  try {
-    while (true) {
-      const url = `${BASE_URL}/marketing/lists?page_size=${pageSize}${pageToken ? `&page_token=${pageToken}` : ''}`;
-      const data = await fetch(url, {
-        response: 'json',
-        headers: headers(),
-        timeout: 10000,
-      });
-
-      if (!data.result || data.result.length === 0) {
-        break;
-      }
-
-      const matchedList = data.result.find(list =>
-        list.name.toLowerCase() === brandNameLower
-        || list.name.toLowerCase().includes(brandNameLower)
-        || brandNameLower.includes(list.name.toLowerCase())
-      );
-
-      if (matchedList) {
-        return matchedList.id;
-      }
-
-      allLists.push(...data.result);
-
-      if (!data._metadata?.next) {
-        break;
-      }
-
-      const nextUrl = new URL(data._metadata.next);
-      pageToken = nextUrl.searchParams.get('page_token');
-
-      if (!pageToken) {
-        break;
-      }
-    }
-
-    if (allLists.length === 1) {
-      return allLists[0].id;
-    }
-
-    if (allLists.length > 0) {
-      console.error(`SendGrid: No list matched brand "${brandName}". Available: ${allLists.map(l => l.name).join(', ')}`);
-    }
-  } catch (e) {
-    console.error('SendGrid list lookup error:', e);
+function getListId() {
+  const listId = Manager.config.marketing?.sendgrid?.listId;
+
+  if (!listId) {
+    console.warn(
+      'SendGrid: marketing.sendgrid.listId is not set in config. '
+      + 'Contact will be added to All Contacts only, not the brand list. '
+      + 'Run OMEGA to populate.',
+    );
+    return null;
   }
 
-  return null;
+  return listId;
 }
 
+// LEGACY: Fuzzy-match-by-brand-name fallback. Kept commented out as a backstop
+// in case the config-based approach has an edge case we haven't seen yet.
+// Delete once we've verified the config-based approach works across all brands.
+//
+// async function getListIdByFuzzyMatch() {
+//   const brandName = Manager.config.brand?.name;
+//   const brandNameLower = (brandName || '').toLowerCase();
+//   const allLists = [];
+//   let pageToken = '';
+//   const pageSize = 1000;
+//
+//   try {
+//     while (true) {
+//       const url = `${BASE_URL}/marketing/lists?page_size=${pageSize}${pageToken ? `&page_token=${pageToken}` : ''}`;
+//       const data = await fetch(url, {
+//         response: 'json',
+//         headers: headers(),
+//         timeout: SENDGRID_TIMEOUT_MS,
+//       });
+//
+//       if (!data.result || data.result.length === 0) {
+//         break;
+//       }
+//
+//       const matchedList = data.result.find(list =>
+//         list.name.toLowerCase() === brandNameLower
+//         || list.name.toLowerCase().includes(brandNameLower)
+//         || brandNameLower.includes(list.name.toLowerCase())
+//       );
+//
+//       if (matchedList) {
+//         return matchedList.id;
+//       }
+//
+//       allLists.push(...data.result);
+//
+//       if (!data._metadata?.next) {
+//         break;
+//       }
+//
+//       const nextUrl = new URL(data._metadata.next);
+//       pageToken = nextUrl.searchParams.get('page_token');
+//
+//       if (!pageToken) {
+//         break;
+//       }
+//     }
+//
+//     if (allLists.length === 1) {
+//       return allLists[0].id;
+//     }
+//
+//     if (allLists.length > 0) {
+//       console.error(`SendGrid: No list matched brand "${brandName}". Available: ${allLists.map(l => l.name).join(', ')}`);
+//     }
+//   } catch (e) {
+//     console.error('SendGrid list lookup error:', e);
+//   }
+//
+//   return null;
+// }
+
 // --- Single Sends (Campaigns) ---
 
 /**
@@ -354,7 +387,7 @@ async function cancelSingleSend(singleSendId) {
       method: 'delete',
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     return { success: true };
@@ -375,7 +408,7 @@ async function getSingleSend(singleSendId) {
     const data = await fetch(`${BASE_URL}/marketing/singlesends/${singleSendId}`, {
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     return data.id ? data : null;
@@ -400,7 +433,7 @@ async function listSingleSends(options) {
     const data = await fetch(url, {
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     return data.result || [];
@@ -437,7 +470,7 @@ async function addContact({ email, firstName, lastName, company, customFields })
     }
   }
 
-  const listId = await getListId();
+  const listId = getListId();
   const result = await upsertContacts({
     contacts: [contact],
     listIds: listId ? [listId] : [],
@@ -508,7 +541,7 @@ async function getSegmentContacts(segmentId, maxWaitMs = 60000) {
       const statusData = await fetch(`${BASE_URL}/marketing/contacts/exports/${exportData.id}`, {
         response: 'json',
         headers: headers(),
-        timeout: 10000,
+        timeout: SENDGRID_TIMEOUT_MS,
       });
 
       console.log(`SendGrid getSegmentContacts: Poll #${pollCount} — ${statusData.status} (${Date.now() - startTime}ms)`);

package/templates/backend-manager-config.json

@@ -138,10 +138,11 @@
   marketing: {
     sendgrid: {
       enabled: true,
+      listId: '',  // SendGrid Marketing list UUID. Populated by OMEGA's sendgrid/ensure/list.js. Skips runtime list-discovery API call.
     },
     beehiiv: {
       enabled: false,
-      // publicationId: 'pub_xxxxx',  // Set to skip fuzzy-match API call
+      publicationId: '',  // Beehiiv publication ID (e.g., 'pub_xxxxx'). Populated by OMEGA's beehiiv/ensure/publication.js. Required for marketing sync to Beehiiv.
       // Content pipeline. Lives under the provider that publishes the result —
       // Beehiiv for newsletters, eventually SendGrid for promo blasts. The
       // shape is the same regardless of provider: sources, tone, template,

package/templates/firestore.rules

@@ -69,7 +69,8 @@ service cloud.firestore {
         || isWritingField('affiliate')
         || isWritingField('api')
         || isWritingField('metadata')
-        || isWritingField('usage');
+        || isWritingField('usage')
+        || isWritingField('consent');
     }
 
     function isCreatingField(field) {

package/test/rules/user.js

@@ -6,7 +6,7 @@
  * - Users can read their own document
  * - Users can write to their own document (non-protected fields only)
  * - Users cannot read/write other users' documents
- * - Protected fields (auth, roles, flags, subscription, affiliate, api, usage) cannot be written by users
+ * - Protected fields (auth, roles, flags, subscription, affiliate, api, metadata, usage, consent) cannot be written by users
  *
  * @see templates/firestore.rules
  */
@@ -234,6 +234,28 @@ module.exports = {
       },
     },
 
+    // Test 11.5: User cannot write 'consent' field (protected - server-only)
+    {
+      name: 'user-cannot-write-consent-field',
+      auth: 'none',
+
+      async run({ rules, accounts }) {
+        const uid = accounts.basic.uid;
+        const db = rules.asAccount('basic');
+
+        // Should fail - consent is protected (only signup route + webhook
+        // processors can mutate it server-side; a client write would let a
+        // user retroactively forge their own consent record).
+        await rules.expectFailure(
+          db.doc(`users/${uid}`).set({
+            consent: {
+              marketing: { status: 'granted' },
+            },
+          }, { merge: true })
+        );
+      },
+    },
+
     // Test 12: User cannot write to another user's document
     {
       name: 'user-cannot-write-other-doc',