Making a local-first tool's CSV export audit-ready (and why charts don't belong in a CSV)
An audit-ready CSV export from a local-first tool has to handle formula injection: prefix any value that starts with =, +, -, @, tab, or carriage return with a single quote. Start the file with a UTF-8 byte-order mark to prevent encoding issues. Include metadata such as exportedAt, the filters, the row count, and a SHA-256 hash of the CSV bytes. Use a stable sort order so that files are byte-identical across runs. Finally, indicate truncation explicitly so that an incomplete export is not mistaken for a complete one.
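
The checklist above as one Node.js export routine; this is an added example, not code from the tool the page describes. It assumes the metadata is written to a sidecar manifest (so the hash covers only the CSV bytes and `exportedAt` does not change them), and the names `csvCell`, `exportCsv`, `sortKey`, `maxRows`, `totalRows` and `truncated` are hypothetical.

```javascript
// Added example: audit-ready CSV bytes plus a sidecar manifest (assumed layout).
const { createHash } = require("node:crypto");

const BOM = "\uFEFF";                    // UTF-8 byte-order mark, encodes to EF BB BF
const FORMULA_LEAD = /^[=+\-@\t\r]/;     // leading characters a spreadsheet may evaluate

// Neutralise formula triggers first, then apply standard CSV quoting.
function csvCell(value) {
  let s = value === null || value === undefined ? "" : String(value);
  if (FORMULA_LEAD.test(s)) s = "'" + s;
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

function exportCsv(rows, columns, opts = {}) {
  const {
    filters = {},
    maxRows = 10000,                       // assumed export cap
    sortKey = columns[0],                  // assumed to be unique per row (e.g. an id)
    exportedAt = new Date().toISOString(),
  } = opts;

  // Stable order: compare by code unit, not locale, so every machine sorts alike.
  const sorted = [...rows].sort((a, b) => {
    const x = String(a[sortKey]), y = String(b[sortKey]);
    return x < y ? -1 : x > y ? 1 : 0;
  });
  const kept = sorted.slice(0, maxRows);

  const lines = [
    columns.map(csvCell).join(","),
    ...kept.map((row) => columns.map((c) => csvCell(row[c])).join(",")),
  ];
  const bytes = Buffer.from(BOM + lines.join("\r\n") + "\r\n", "utf8");

  const manifest = {
    exportedAt,
    filters,
    rowCount: kept.length,
    totalRows: rows.length,
    truncated: kept.length < rows.length,  // explicit, never implied by a round row count
    sha256: createHash("sha256").update(bytes).digest("hex"),
  };
  return { bytes, manifest };
}
```

Write `bytes` to the `.csv` file unchanged and the manifest next to it; an auditor can recompute the SHA-256 over the file and compare it with `manifest.sha256`.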