backend-manager 5.2.2 → 5.2.5

package/CHANGELOG.md

@@ -14,6 +14,39 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+# [5.2.5] - 2026-05-22
+
+### Added
+
+- **`utilities.trim(input)`** in `src/manager/helpers/utilities.js`. Walks objects/arrays recursively and trims whitespace on every string. Does NOT strip HTML. Middleware uses it to clean up incoming request data without mangling URLs, Markdown, or any payload with `<`/`>`/`&`.
+- **`findContact(email)`** on the SendGrid + Beehiiv providers, and **`findSubscriber(email, publicationId)`** on Beehiiv. Both extracted from the existing `removeContact`/`removeSubscriber` search-by-email logic so tests (and other call sites) can verify provider state without forcing a delete.
+- **`test/marketing/consent-lifecycle.js`** — 5-phase live integration test (gated on `TEST_EXTENDED_MODE=true`) that walks two long-lived sentinel accounts through pre-check → sync → declined-stays-out → unsubscribe → validation-gate, asserting actual SendGrid + Beehiiv state at every step. Uses `pollProvider()` to handle SendGrid's async background jobs (upsert/delete can take 10-60s+ to surface).
+
+### Changed
+
+- **Middleware no longer strips HTML by default.** The auto-`sanitize-html` pass on incoming request data was mangling legitimate input — URL query strings (`?a=1&b=2` → `?a=1&amp;b=2`), Markdown, and any payload containing `<`/`>`/`&`. The middleware now only trims whitespace by default. HTML sanitization is opt-in per route via `Manager.Middleware(req, res).run('route', { sanitize: true })`. Sanitize at the HTML-insertion site (`utilities.sanitize()` in your template/email render) rather than at the request boundary. The existing schema-level `sanitize: false` opt-out still works when route-level sanitize is on.
+- **Test sentinel accounts `consent-granted` and `consent-declined` now use the `_test.allow_*` prefix** (`_test.allow_consent-granted@...`, `_test.allow_consent-declined@...`). The `_test.*` validation block from v5.2.3 also blocks the previous `_test.consent-*` names from reaching providers — `_test.allow_*` is the carved-out exception specifically for live-provider integration tests.
+- **Beehiiv API timeouts bumped to 60s** on the two remaining stragglers (`findSubscriber`, `resolveSegmentIds`) to match the SendGrid+Beehiiv 60s convention from v5.2.3.
+
+### Removed
+
+- **`cleanupMarketingProviders()` function and its pre-run/post-run hooks** in `src/test/test-accounts.js` + `src/test/runner.js`. No longer needed — the validation gate added in v5.2.3 blocks `_test.*` emails from reaching SendGrid + Beehiiv upstream, so there's nothing to clean up. The new `consent-lifecycle.js` test (which intentionally round-trips real contacts via `_test.allow_*`) manages its own pre-check force-clean inline.
+
+# [5.2.3] - 2026-05-22
+
+### Added
+
+- **`marketing.sendgrid.listId` in `templates/backend-manager-config.json`.** Empty-string placeholder for OMEGA's `sendgrid/ensure/list.js` to populate at brand-onboarding time. Mirrors the existing `marketing.beehiiv.publicationId` convention.
+- **`_test.*` local-part block** in `src/manager/libraries/email/data/blocked-local-patterns.js`. Test-suite accounts (`_test.<scenario>@somiibo.com`) are now blocked from reaching SendGrid + Beehiiv. The carved-out exception is `_test.allow_*` — used for live-provider integration tests that intentionally need to round-trip a real contact.
+
+### Changed
+
+- **`Marketing.add()` and `Marketing.sync()` now use the full `validate()` pipeline** instead of just `isCorporate()`. Single SSOT for "is this a valid marketing email" — runs format → disposable → corporate → localPart in one call. Stricter behavior: disposable-domain emails (mailinator etc.) and junk local-parts (`noreply`, `test*`, `_test.*`) are now blocked from marketing lists. They were previously waved through because the gate only checked corporate domains.
+- **SendGrid list-ID lookup is now config-only.** `src/manager/libraries/email/providers/sendgrid.js#getListId()` reads `Manager.config.marketing.sendgrid.listId` and returns null if missing — no more runtime API call, no more fuzzy-match-by-brand-name. Old fuzzy logic kept commented out as `getListIdByFuzzyMatch()` backstop. **Brands must run OMEGA's sendgrid service to populate `listId` before this version sees their list assignments work** (without it, contacts land in SendGrid's global "All Contacts" pool, not the brand list).
+- **Beehiiv publication-ID lookup is now config-only.** `src/manager/libraries/email/providers/beehiiv.js#getPublicationId()` reads `Manager.config.marketing.beehiiv.publicationId` and returns null if missing — same shape as SendGrid above. Old fuzzy logic kept commented out as backstop. Beehiiv side already preferred config when set, but now there's no API fallback.
+- **`marketing.beehiiv.publicationId` is now an always-present empty string in the config template** (was a commented-out hint). Matches the SendGrid `listId` shape and means `Manager.config.marketing.beehiiv.publicationId` always returns `""` (never `undefined`) for legacy brands.
+- **SendGrid API timeouts bumped from 10s → 60s** via a new top-level `SENDGRID_TIMEOUT_MS` constant in `sendgrid.js`. All 9 fetch sites updated. Catches the intermittent SendGrid backend hiccups that were dropping signups silently with "Request timed out".
+
 # [5.2.2] - 2026-05-21
 
 ### Added

package/CLAUDE.md

@@ -76,7 +76,7 @@ See [docs/cli-firestore-auth.md](docs/cli-firestore-auth.md) and [docs/cli-logs.
 - **Firestore shorthand**: `admin.firestore().doc('users/abc123')` (path string) rather than `.collection('users').doc('abc123')`.
 - **Template strings for requires**: `` require(`${functionsDir}/node_modules/backend-manager`) `` rather than string concat.
 - **No backwards compatibility** unless explicitly requested.
-- **Routes receive sanitized data by default** — see [docs/sanitization.md](docs/sanitization.md) for opt-out rules.
+- **Routes receive whitespace-trimmed data; HTML is preserved.** Sanitize at the HTML-insertion site via `utilities.sanitize()`. Opt into middleware-level HTML strip per-route with `{ sanitize: true }`. See [docs/sanitization.md](docs/sanitization.md).
 - **Match schema names to route names** — if route is `myEndpoint`, schema is `myEndpoint`.
 - **Always use `assistant.respond()` for responses** — do NOT use `res.send()` directly.
 - **Add Firestore composite indexes** for any compound query (`where` + `orderBy`, or multiple `where`s) to `src/cli/commands/setup-tests/helpers/required-indexes.js` (the SSOT). Without the index, queries crash with `FAILED_PRECONDITION` in production.
@@ -113,7 +113,7 @@ Deep references live in `docs/`. **Whenever you make a behavioral change, update
 
 - [docs/routes.md](docs/routes.md) — recipes for new API commands, routes, event handlers, cron jobs (with code templates)
 - [docs/schemas.md](docs/schemas.md) — schema definition format, defaults vs premium overrides
-- [docs/sanitization.md](docs/sanitization.md) — automatic XSS sanitization, schema opt-out (`sanitize: false`), route-level opt-out, manual `utilities.sanitize()`
+- [docs/sanitization.md](docs/sanitization.md) — middleware trim-only default; opt-in HTML strip (`{ sanitize: true }`) with per-field opt-out (`sanitize: false`); manual `utilities.sanitize()` for HTML-insertion sites
 - [docs/auth-hooks.md](docs/auth-hooks.md) — consumer hooks for `before-create`/`before-signin`/`on-create`/`on-delete` (blocking + non-blocking examples)
 - [docs/common-operations.md](docs/common-operations.md) — inside-the-handler patterns: authenticate, read/write Firestore, error handling, send response, `bm_api` hook
 
@@ -134,6 +134,6 @@ Deep references live in `docs/`. **Whenever you make a behavioral change, update
 
 ### Testing & CLI
 
-- [docs/testing.md](docs/testing.md) — running, filtering, log files, test types (standalone/suite/group), context object, assertions, auth levels. **For Firestore/Auth/local state, cleanup runs at the START of every run, never at the end** — if you add a test that writes Firestore data, register the collection/namespace in the runner's pre-test wipe list, don't add a trailing cleanup step. **Exception:** third-party providers we can't wipe at start (e.g. SendGrid/Beehiiv contact lists) get a symmetric pre + post cleanup hook in the runner — see `cleanupMarketingProviders` and [docs/consent.md](docs/consent.md). Don't pattern-match this exception for new Firestore code.
+- [docs/testing.md](docs/testing.md) — running, filtering, log files, test types (standalone/suite/group), context object, assertions, auth levels. **All cleanup runs at the START of every run, never at the end.** If you add a test that writes Firestore data, register the collection/namespace in the runner's pre-test wipe list, don't add a trailing cleanup step. Marketing providers (SendGrid/Beehiiv) don't need a special exception — `_test.*` emails are blocked at the validation layer so test signups never reach providers. The `_test.allow_*` carve-out exists only for the live-provider lifecycle test (`test/marketing/consent-lifecycle.js`), which manages its own teardown.
 - [docs/cli-firestore-auth.md](docs/cli-firestore-auth.md) — `npx mgr firestore:*` and `auth:*` commands, shared flags, examples
 - [docs/cli-logs.md](docs/cli-logs.md) — `npx mgr logs:read` / `logs:tail` with full flag reference and built-in Cloud Function names

package/docs/consent.md

@@ -138,7 +138,7 @@ Each processor's `handleEvent` does the same shape of work:
 | SendGrid | `unsubscribe`, `group_unsubscribe`, `spamreport`, `bounce`, `dropped` |
 | Beehiiv | `subscription.unsubscribed`, `subscription.deleted`, `subscription.paused` |
 
-**Beehiiv publication filter.** Each Beehiiv event includes a `publication_id`. The processor compares this against the result of `beehiivProvider.getPublicationId()` (which reads `Manager.config.marketing.beehiiv.publicationId` or fuzzy-matches against the Beehiiv API by brand name). Mismatch → silent skip. This is how shared-publication events (e.g. devbeans shared by 6 brands) get routed correctly — each brand processes only events matching its own publication.
+**Beehiiv publication filter.** Each Beehiiv event includes a `publication_id`. The processor compares this against `beehiivProvider.getPublicationId()`, which reads `Manager.config.marketing.beehiiv.publicationId` (populated at brand-onboarding time by OMEGA's `beehiiv/ensure/publication.js`). Mismatch → silent skip. This is how shared-publication events (e.g. devbeans shared by 6 brands) get routed correctly — each brand processes only events matching its own publication. Brands without `publicationId` in config silently skip all Beehiiv webhook events. The same convention applies to SendGrid: `marketing.sendgrid.listId` is populated by OMEGA's `sendgrid/ensure/list.js`.
 
 ## Parent forwarder (Phase E)
 
@@ -304,18 +304,13 @@ After the migration: optionally run a re-opt-in drip campaign to legally recover
 
 Run with `npx mgr test` (full suite) or `npx mgr test routes/marketing/webhook` (just the webhook tests).
 
-### Provider-side cleanup (extended mode only)
+### Live-provider tests (extended mode only)
 
-Normally BEM test runs are self-contained because all data lives in the local emulator. Marketing tests are the exception — when `TEST_EXTENDED_MODE=true` is set, the routes make real API calls to SendGrid + Beehiiv and leave real contacts behind.
+Most BEM tests are self-contained against the local emulator. The marketing-consent system has one test that's an exception — [test/marketing/consent-lifecycle.js](../test/marketing/consent-lifecycle.js) — which makes real API calls to SendGrid + Beehiiv to verify the full round-trip works end-to-end.
 
-To keep this self-contained, the runner calls [`cleanupMarketingProviders`](../src/test/test-accounts.js) **twice** per run:
+The validation pipeline (`src/manager/libraries/email/validation.js`) blocks all `_test.*` emails from reaching providers via the `/^_test\.(?!allow_)/` pattern in `blocked-local-patterns.js`. The two `_test.allow_*` sentinels (`_test.allow_consent-granted` and `_test.allow_consent-declined`) used by the lifecycle test bypass that gate intentionally, and the test cleans up after itself (phase-3 removes the granted contact via `Manager.Email().remove()`).
 
-1. **Pre-run** — scrubs leftovers from any previous run that crashed mid-suite.
-2. **Post-run** — scrubs everything this run created. Best-effort (wrapped in try/catch — cleanup failures don't change the test result).
-
-Both fire ONLY when `TEST_EXTENDED_MODE=true`. In normal mode (the default), no provider calls happen and no cleanup is needed.
-
-This is the one exception to the "Firestore cleanup runs at start only" rule documented in [docs/testing.md](testing.md) — we can't wipe SendGrid/Beehiiv state in our own Firestore wipe, so we have to ask the providers to do it for us, twice for defense in depth.
+The "all cleanup runs at start, never at the end" rule documented in [docs/testing.md](testing.md) applies to all test data, including third-party providers.
 
 ## Frontend pieces (cross-references)
 

package/docs/sanitization.md

@@ -1,16 +1,25 @@
 # Sanitization (XSS Prevention)
 
-BEM automatically sanitizes all incoming request data — stripping HTML tags and trimming whitespace from every string field. This happens in the middleware pipeline before route handlers execute, so **routes receive clean data by default**.
+BEM middleware always **trims** whitespace on incoming string fields (via `utilities.trim()`). HTML sanitization is **opt-in** — it's not run by default because it mangles legitimate input like URL query strings (`&` → `&`) and Markdown.
+
+The expectation is that you sanitize at the **HTML-insertion site** (in the template, in the email body, etc.) — not at the request boundary.
 
 ## How It Works
 
-1. **Schema fields**: Sanitized per-field during the middleware pipeline. Fields can opt out with `sanitize: false` in the schema.
-2. **Non-schema fields** (when `setupSettings: false` or `includeNonSchemaSettings: true`): All strings are sanitized with no opt-out.
-3. The middleware uses `Manager.Utilities().sanitize()` under the hood.
+1. **Trimming**: Every string in `settings` is whitespace-trimmed by the middleware (objects + arrays walked recursively). Always on.
+2. **HTML sanitization**: Off by default. Opt in per-route with `{ sanitize: true }` on `Manager.Middleware(...).run(...)`.
+3. **Schemas** can mark individual fields with `sanitize: false` to skip the HTML strip for that field when route-level sanitize is enabled (used for fields that legitimately need raw HTML — rich-text editors, email templates).
+
+## Route-Level Opt-In
+
+```javascript
+// In functions/index.js — enable HTML strip for a specific route
+Manager.Middleware(req, res).run('my-route', { sanitize: true });
+```
 
-## Schema Opt-Out
+When enabled, every string in `settings` is run through `sanitize-html` (strip all tags) unless the schema marks the field with `sanitize: false`.
 
-For fields that legitimately need HTML (rich text, email templates, etc.), set `sanitize: false` in the schema:
+## Schema Field Opt-Out (when route-level sanitize is on)
 
 ```javascript
 // This field will NOT be sanitized — raw HTML is preserved
@@ -19,43 +28,42 @@ htmlContent: {
   default: '',
   sanitize: false,
 },
-// This field IS sanitized (default behavior, no flag needed)
+// This field IS sanitized when route-level sanitize is enabled
 name: {
   types: ['string'],
   default: '',
 },
 ```
 
-## Route-Level Opt-Out
+## Manual Sanitization (Recommended)
 
-Disable sanitization entirely for a route (rare — only for routes that handle raw HTML everywhere):
-
-```javascript
-// In functions/index.js
-Manager.Middleware(req, res).run('my-route', { sanitize: false });
-```
-
-## Manual Sanitization (Outside Middleware)
-
-For cron jobs, event handlers, or anywhere outside the request pipeline, use `utilities.sanitize()` directly:
+For most use cases — particularly anywhere you're inserting user-supplied content into HTML — call `utilities.sanitize()` directly at the insertion site:
 
 ```javascript
 // Available in route context
-const clean = utilities.sanitize(untrustedData);
+const safeHtml = utilities.sanitize(untrustedData);
 
 // Or via Manager
-const clean = Manager.Utilities().sanitize(untrustedData);
+const safeHtml = Manager.Utilities().sanitize(untrustedData);
 ```
 
 Accepts any data type — strings, objects, arrays, primitives. Walks objects/arrays recursively, strips HTML from strings, passes everything else through unchanged.
 
-## Route Handler Context
+## Why HTML Sanitization Is Not the Middleware Default
+
+Stripping HTML from every incoming string at the request boundary is too aggressive — it corrupts legitimate input:
 
-The middleware injects these into every route handler:
+- URL query strings: `https://example.com/?a=1&b=2` becomes `https://example.com/?a=1&b=2`
+- Markdown / code snippets with `<`, `>`, `&` characters get mangled
+- API payloads round-tripped through the system get silently rewritten
+
+Stored XSS comes from rendering, not from receiving. Sanitize at the render site (where you know the output context — HTML body, attribute, URL, JSON) instead of at the front door.
+
+## Route Handler Context
 
 ```javascript
 module.exports = async ({ Manager, assistant, analytics, usage, user, settings, libraries, utilities }) => {
-  // settings    — already sanitized by middleware
-  // utilities   — Manager.Utilities() instance for manual sanitization
+  // settings    — whitespace-trimmed by middleware; HTML preserved unless route opts in via { sanitize: true }
+  // utilities   — Manager.Utilities() instance for manual sanitize()/trim()
 };
 ```

package/docs/schemas.md

@@ -36,4 +36,4 @@ module.exports = function (assistant, settings, options) {
 
 ## Field Sanitization
 
-By default, every string field in a schema is sanitized (HTML tags stripped, whitespace trimmed) during the middleware pipeline. To preserve raw HTML (rich text, email templates), set `sanitize: false` on the field. See [docs/sanitization.md](sanitization.md).
+Middleware always trims whitespace on string fields. HTML sanitization is **opt-in per route** — `Manager.Middleware(req, res).run('my-route', { sanitize: true })`. When opted in, fields can individually opt back out with `sanitize: false`. See [docs/sanitization.md](sanitization.md).

package/docs/testing.md

@@ -19,18 +19,19 @@ What the runner wipes pre-test (in [src/test/test-accounts.js](../src/test/test-
 
 1. **`meta/stats`** doc ensured (required for on-create batch writes).
 2. **`users/_test-*`** Firebase Auth users + Firestore docs (delete).
-3. **Marketing providers** (SendGrid + Beehiiv) — leftover test contacts removed. Runs only under `TEST_EXTENDED_MODE`. Runs **before** test users are recreated so a killed run can't leave a contact pinned to an about-to-be-recreated uid.
-4. **Mixed Firestore collections** — `payments-orders`, `payments-webhooks`, `payments-intents`, `payments-disputes`, `marketing-webhooks`. Two-pass cleanup per collection:
+3. **Mixed Firestore collections** — `payments-orders`, `payments-webhooks`, `payments-intents`, `payments-disputes`, `marketing-webhooks`. Two-pass cleanup per collection:
    - Pass 1 — owner-keyed: `where('owner', 'in', [...testUids])` (batched at 30 uids per `in` query).
    - Pass 2 — id-keyed: any doc whose ID starts with `_test-` (catches ownerless test docs like dispute alerts and raw test webhooks).
-5. **Test-only Firestore collections** — `_test`, `_test_query` — wiped in full.
-6. **Realtime Database** — the `_test` namespace removed in full (`admin.database().ref('_test').remove()`).
+4. **Test-only Firestore collections** — `_test`, `_test_query` — wiped in full.
+5. **Realtime Database** — the `_test` namespace removed in full (`admin.database().ref('_test').remove()`).
 
-### The one exception: third-party provider cleanup runs at start AND end
+### Marketing-provider cleanup
 
-The `cleanupMarketingProviders` call also fires **after** the suite completes (extended mode only). Reason: pre-run cleanup catches what a crashed previous run left behind, but during a normal-completion run we'd still leak real SendGrid/Beehiiv contacts until the NEXT run cleaned them up. By running cleanup post-suite too, each extended-mode run leaves the provider lists in the same state it found them.
+Test signups never reach SendGrid + Beehiiv. The validation pipeline (`src/manager/libraries/email/validation.js`) blocks all `_test.*` emails at the marketing-library layer via the `/^_test\.(?!allow_)/` pattern in `blocked-local-patterns.js`.
 
-This is **specifically** for third-party state that lives outside the local emulator. **Do not use trailing cleanup for Firestore or Auth data** — those follow the start-only rule because we control the local state and pre-run cleanup is enough.
+The single exception is the `_test.allow_*` prefix. Two long-lived test accounts (`_test.allow_consent-granted@...` and `_test.allow_consent-declined@...`) intentionally round-trip through SendGrid + Beehiiv as the live-provider integration sentinels. They are exercised by `test/marketing/consent-lifecycle.js`, which manages its own setup, assertions, and teardown.
+
+All cleanup follows the start-only rule. No trailing-cleanup exception.
 
 ### When adding a new test that writes data
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.2.2",
+  "version": "5.2.5",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/manager/helpers/middleware.js

@@ -35,7 +35,7 @@ Middleware.prototype.run = function (libPath, options) {
     options.setupAnalytics = typeof options.setupAnalytics === 'boolean' ? options.setupAnalytics : true;
     options.setupUsage = typeof options.setupUsage === 'boolean' ? options.setupUsage : true;
     options.setupSettings = typeof options.setupSettings === 'undefined' ? true : options.setupSettings;
-    options.sanitize = typeof options.sanitize === 'undefined' ? true : options.sanitize;
+    options.sanitize = typeof options.sanitize === 'undefined' ? false : options.sanitize;
     options.includeNonSchemaSettings = typeof options.includeNonSchemaSettings === 'undefined' ? false : options.includeNonSchemaSettings;
     options.schema = typeof options.schema === 'undefined' ? libPath : options.schema;
     options.parseMultipartFormData = typeof options.parseMultipartFormData === 'undefined' ? true : options.parseMultipartFormData;
@@ -177,13 +177,16 @@ Middleware.prototype.run = function (libPath, options) {
       assistant.settings = data;
     }
 
-    // Sanitize settings — trim whitespace and strip HTML from all strings
-    // Respects sanitize: false on individual schema fields
+    // Trim whitespace on all string settings (always on — harmless and useful).
+    assistant.settings = Manager.Utilities().trim(assistant.settings);
+
+    // Optional HTML strip (off by default — opt in with `{ sanitize: true }`).
+    // Sanitize at the HTML-insertion site instead unless you need a belt-and-suspenders pass here.
+    // Respects sanitize: false on individual schema fields.
     if (options.sanitize) {
       const schema = options.setupSettings ? Manager.Settings().schema : null;
       const utilities = Manager.Utilities();
 
-      // Walk settings, skipping fields the schema marks as sanitize: false
       assistant.settings = sanitizeWithSchema(utilities, assistant.settings, schema);
     }
 

package/src/manager/helpers/utilities.js

@@ -528,4 +528,35 @@ Utilities.prototype.sanitize = function (input) {
   return input;
 };
 
+/**
+ * Trim whitespace from all strings in input. Walks objects/arrays recursively.
+ * Does NOT strip HTML — use sanitize() for that.
+ *
+ * @param {*} input - The data to trim (string, object, array, or primitive)
+ * @returns {*} Trimmed copy (objects/arrays) or trimmed value (strings)
+ */
+Utilities.prototype.trim = function (input) {
+  if (input == null) {
+    return input;
+  }
+
+  if (typeof input === 'string') {
+    return input.trim();
+  }
+
+  if (Array.isArray(input)) {
+    return input.map(item => this.trim(item));
+  }
+
+  if (typeof input === 'object') {
+    const result = {};
+    for (const [key, value] of Object.entries(input)) {
+      result[key] = this.trim(value);
+    }
+    return result;
+  }
+
+  return input;
+};
+
 module.exports = Utilities;

package/src/manager/libraries/email/data/blocked-local-patterns.js

@@ -3,9 +3,14 @@
  * Kept as JS (not JSON) so patterns stay as native RegExp literals.
  */
 module.exports = [
-  /^\d+$/,           // All numeric: 123456
-  /^(.)\1{2,}$/,     // Repeating single char: aaaa, xxxx
-  /^[a-z]{1,2}\d+$/, // Single letter + numbers: a123, x999
-  /^test/,           // Starts with test: test, testuser, test123, test.user
-  /^example/,        // Starts with example: example, exampleuser, example.user
+  /^\d+$/,                // All numeric: 123456
+  /^(.)\1{2,}$/,          // Repeating single char: aaaa, xxxx
+  /^[a-z]{1,2}\d+$/,      // Single letter + numbers: a123, x999
+  /^test/,                // Starts with test: test, testuser, test123, test.user
+  /^example/,             // Starts with example: example, exampleuser, example.user
+  // Test-suite accounts use `_test.<scenario>@...` so they don't collide with
+  // real signups. Block them from reaching SendGrid/Beehiiv so live lists stay
+  // clean. `_test.allow_*` is the carved-out exception for live-provider
+  // integration tests that intentionally need to round-trip a real contact.
+  /^_test\.(?!allow_)/,
 ];

package/src/manager/libraries/email/marketing/index.js

@@ -29,7 +29,7 @@ const md = new MarkdownIt({ html: true, breaks: true, linkify: true });
 
 const { TEMPLATES, GROUPS, SENDERS } = require('../constants.js');
 const { tagLinks } = require('../utm.js');
-const { isCorporate } = require('../validation.js');
+const { validate } = require('../validation.js');
 const sendgridProvider = require('../providers/sendgrid.js');
 const beehiivProvider = require('../providers/beehiiv.js');
 
@@ -73,9 +73,13 @@ Marketing.prototype.add = async function (options) {
     return {};
   }
 
-  if (isCorporate(email)) {
-    assistant.warn(`Marketing.add(): Blocked corporate/social-media domain, skipping: ${email}`);
-    return { blocked: 'corporate', email };
+  // SSOT for what "valid marketing email" means — format, disposable, corporate,
+  // localPart junk (incl. _test.* test-suite accounts). Single validate() call
+  // catches all of these before we hit SendGrid/Beehiiv.
+  const validation = await validate(email);
+  if (!validation.valid) {
+    assistant.warn(`Marketing.add(): Validation failed, skipping: ${email}`, validation.checks);
+    return { blocked: 'validation', email, checks: validation.checks };
   }
 
   if (assistant.isTesting() && !process.env.TEST_EXTENDED_MODE) {
@@ -157,9 +161,13 @@ Marketing.prototype.sync = async function (userDocOrUid) {
     return {};
   }
 
-  if (isCorporate(email)) {
-    assistant.warn(`Marketing.sync(): Blocked corporate/social-media domain, skipping: ${email}`);
-    return { blocked: 'corporate', email };
+  // SSOT for what "valid marketing email" means — format, disposable, corporate,
+  // localPart junk (incl. _test.* test-suite accounts). Single validate() call
+  // catches all of these before we hit SendGrid/Beehiiv.
+  const validation = await validate(email);
+  if (!validation.valid) {
+    assistant.warn(`Marketing.sync(): Validation failed, skipping: ${email}`, validation.checks);
+    return { blocked: 'validation', email, checks: validation.checks };
   }
 
   if (assistant.isTesting() && !process.env.TEST_EXTENDED_MODE) {