- F-01: derive the dedupe key from submission content (form id + mapped values)
instead of a per-request token, so identical re-POSTs / retry-after-error
collapse to the existing quote. Keeps the per-request lock; adds a content lock
race guard and a 30-min recent_delivered_by_dedupe short-circuit.
- F-12: refuse resubmit of an already-delivered transaction (AJAX + worker).
- F-18: scope the resubmit self-recovery guard to the content dedupe key so a
customer's different event is no longer skipped.
- F-05: anonymize PII on stale failed/pending rows via the cron; add delete_by_email
and wire WP's Erase Personal Data eraser.
- F-13: exempt stranded delivered rows (no entry_id) from the retention purge.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- F-03: switch_to_live() now sets espinstanda_env=live so environment() actually
resolves to Live after go-live (was leaving real quotes on the Test endpoint).
- F-04: correct the class-config docblock overstating the at-rest guarantee; it
only holds when SPG_INSTANDA_KEY is a constant (else the key is self-provisioned
into the same DB as the ciphertext).
- F-02: add advisory A5 "exactly one active INSTANDA feed" to catch a stray
test-form feed that also creates quotes.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>