fix(admin): eliminate GoTrue empty-body 500s under bulk load (retry-all + undici keep-alive + sequential bulk), CSV formula-injection guard

app/api/admin/users/[id]/route.ts

@@ -119,11 +119,24 @@ export async function DELETE(
 
   // Delete the AUTH USER first. Only if that succeeds do we remove the tunnel
   // row, so a mid-failure never leaves an orphaned auth user with a dangling
-  // tunnel (or half-deletes the tunnel of an already-gone user).
-  const { error: delErr } = await admin.auth.admin.deleteUser(id);
+  // tunnel (or half-deletes the tunnel of an already-gone user). Retry the
+  // delete on transient empty-body / poisoned-keep-alive responses.
+  const { error: delErr } = await withAdminRetry(() =>
+    admin.auth.admin.deleteUser(id),
+  );
   if (delErr) {
-    console.error('admin user.delete: deleteUser failed', delErr);
-    return jsonNoStore({ error: 'internal error' }, { status: 500 });
+    // The delete may have actually succeeded with a truncated/empty response
+    // body (the transient failure mode). Re-check existence before reporting a
+    // 500: if the user is now gone, the deletion is effectively complete.
+    const { data: recheck, error: recheckErr } = await withAdminRetry(() =>
+      admin.auth.admin.getUserById(id),
+    );
+    if (recheckErr || !recheck?.user) {
+      // User is gone -> delete succeeded despite the truncated body.
+    } else {
+      console.error('admin user.delete: deleteUser failed', delErr);
+      return jsonNoStore({ error: 'internal error' }, { status: 500 });
+    }
   }
 
   // The auth user is gone, so no orphaned-user state is possible. Removing the