
Prevent CSV formula injection in the usage export #52

@mikewheeleer


Harden the CSV export against formula injection

Description

GET /api/v1/usage/export.csv in src/index.ts escapes quotes, commas, and newlines, but does not guard against CSV/formula injection: an agent value beginning with =, +, -, or @ is interpreted as a formula when the exported file is opened in a spreadsheet, enabling data exfiltration or command execution on the viewer's machine. This issue tracks neutralising that vector.

Requirements and context

  • Repository scope: Agentpay-Org/Agentpay-backend only.
  • In the CSV escape function, prefix any field starting with =, +, -, @, tab, or carriage-return with a safe character (e.g. a leading apostrophe) so spreadsheets treat it as text.
  • Keep the existing quote/comma/newline escaping behaviour.
  • Apply only to the CSV path; the JSON export (usage/export.json) is unaffected.
  • Ensure the header row and well-formedness are preserved.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/security-22-csv-formula-injection
  • Implement changes
    • Write code in: the escape helper in the CSV export handler in src/index.ts.
    • Write comprehensive tests in: new src/csv-injection.test.ts — fields starting with =/+/-/@ are neutralised; normal fields unchanged.
    • Add documentation: note the CSV-injection mitigation in docs/security.md.
    • Add TSDoc on the escape helper.
    • Validate security assumptions: no formula evaluation possible from exported values.
  • Test and commit

Test and commit

  • Run npm run build, npm test, and npm run lint.
  • Cover edge cases: =cmd, +1, -1, @ref, value with both quote and leading =.
  • Include the full npm test output in the PR description.
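A TypeScript sketch of the escape helper the requirements and edge cases above describe, added here as an illustration and not the AgentPay-backend code; the function names are assumptions and the rows are constructed sample data.

```typescript
// Added illustration, not the AgentPay-backend implementation; names are assumed.
// Leading characters that make a spreadsheet treat a cell as a formula, plus
// tab and carriage return, which the issue also lists as triggers.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

/**
 * Escape one CSV field.
 *
 * 1. If the field starts with a formula trigger, prefix an apostrophe so the
 *    spreadsheet stores it as text. This also prefixes plain negative numbers
 *    such as "-1", which the issue lists as an intended edge case.
 * 2. Keep the existing RFC 4180 quoting: wrap the field in double quotes when
 *    it contains a quote, comma, CR or LF, doubling any embedded quotes.
 */
function escapeCsvField(value: unknown): string {
  let field = value === null || value === undefined ? "" : String(value);
  if (field.length > 0 && FORMULA_TRIGGERS.has(field.charAt(0))) {
    field = "'" + field;
  }
  if (/[",\r\n]/.test(field)) {
    field = '"' + field.replace(/"/g, '""') + '"';
  }
  return field;
}

/** Serialise one row; header cells go through the same escaper. */
function toCsvRow(fields: unknown[]): string {
  return fields.map(escapeCsvField).join(",");
}

/** Build the export body: header row first, then records, CRLF line endings. */
function buildUsageCsv(header: string[], rows: unknown[][]): string {
  return [header, ...rows].map(toCsvRow).join("\r\n") + "\r\n";
}

// Constructed sample data (not real usage records).
const sampleHeader = ["agent", "tokens"];
const sampleRows: unknown[][] = [
  ['=HYPERLINK("http://example.invalid")', 12],
  ["@ref", 3],
  ["normal agent", 7],
];
console.log(buildUsageCsv(sampleHeader, sampleRows));
```

The same helper must be applied to every cell, header included, so the file stays well-formed while no cell can start with a formula trigger.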

Example commit message

security: neutralise csv formula injection in usage export

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
