Merge Agent 1: telemetry hardening (queue, body cap, props schema, JSONB)

# Conflicts:
#	src/main/kotlin/zed/rainxch/githubstore/db/DatabaseFactory.kt
#	src/main/kotlin/zed/rainxch/githubstore/routes/Routing.kt

Author: rainxchzed

src/main/kotlin/zed/rainxch/githubstore/AppModule.kt

@@ -17,6 +17,7 @@ import zed.rainxch.githubstore.ingest.WorkerSupervisor
 import zed.rainxch.githubstore.metrics.SearchMetricsRegistry
 import zed.rainxch.githubstore.badge.BadgeService
 import zed.rainxch.githubstore.badge.FdroidVersionClient
+import zed.rainxch.githubstore.telemetry.TelemetryQueue
 import zed.rainxch.githubstore.telemetry.TelemetryRepository
 
 val appModule = module {
@@ -37,4 +38,5 @@ val appModule = module {
     single { FdroidVersionClient(packageId = "zed.rainxch.githubstore") }
     single { BadgeService(repoRepository = get(), resourceClient = get(), fdroidClient = get()) }
     single { TelemetryRepository() }
+    single { TelemetryQueue(get()) }
 }

src/main/kotlin/zed/rainxch/githubstore/db/DatabaseFactory.kt

@@ -68,6 +68,7 @@ object DatabaseFactory {
                 "V5__resource_cache.sql",
                 "V6__hash_device_id_drop_query_sample.sql",
                 "V7__telemetry_events.sql",
+                "V8__telemetry_props_jsonb.sql",
                 "V9__events_indexes_and_repos_indexed_at.sql",
                 "V11__device_id_hmac_rehash.sql",
             )

src/main/kotlin/zed/rainxch/githubstore/db/Tables.kt

@@ -1,9 +1,31 @@
 package zed.rainxch.githubstore.db
 
+import org.jetbrains.exposed.sql.ColumnType
 import org.jetbrains.exposed.sql.Table
 import org.jetbrains.exposed.sql.TextColumnType
 import org.jetbrains.exposed.sql.kotlin.datetime.date
 import org.jetbrains.exposed.sql.kotlin.datetime.timestampWithTimeZone
+import org.postgresql.util.PGobject
+
+// Postgres JSONB column that round-trips raw JSON strings. The JDBC driver
+// rejects setString on a JSONB target without a cast, so we wrap as PGobject.
+private class JsonbStringColumnType : ColumnType<String>() {
+    override fun sqlType(): String = "JSONB"
+
+    override fun valueFromDB(value: Any): String = when (value) {
+        is PGobject -> value.value ?: "{}"
+        is String -> value
+        else -> value.toString()
+    }
+
+    override fun notNullValueToDB(value: String): Any = PGobject().apply {
+        type = "jsonb"
+        this.value = value
+    }
+}
+
+private fun Table.jsonbString(name: String) =
+    registerColumn<String>(name, JsonbStringColumnType())
 
 object Repos : Table("repos") {
     val id = long("id")
@@ -115,7 +137,7 @@ object TelemetryEvents : Table("telemetry_events") {
     val sessionId = text("session_id")
     val platform = text("platform").nullable()
     val appVersion = text("app_version").nullable()
-    val props = text("props")
+    val props = jsonbString("props")
     val receivedAt = timestampWithTimeZone("received_at")
 
     override val primaryKey = PrimaryKey(id)

src/main/kotlin/zed/rainxch/githubstore/routes/Routing.kt

@@ -15,7 +15,7 @@ import zed.rainxch.githubstore.ingest.GitHubSearchClient
 import zed.rainxch.githubstore.ingest.WorkerSupervisor
 import zed.rainxch.githubstore.metrics.SearchMetricsRegistry
 import zed.rainxch.githubstore.badge.BadgeService
-import zed.rainxch.githubstore.telemetry.TelemetryRepository
+import zed.rainxch.githubstore.telemetry.TelemetryQueue
 
 fun Application.configureRouting() {
     val eventRepository by inject<EventRepository>()
@@ -28,7 +28,7 @@ fun Application.configureRouting() {
     val resourceClient by inject<GitHubResourceClient>()
     val searchMetrics by inject<SearchMetricsRegistry>()
     val badgeService by inject<BadgeService>()
-    val telemetryRepository by inject<TelemetryRepository>()
+    val telemetryQueue by inject<TelemetryQueue>()
     val workerSupervisor by inject<WorkerSupervisor>()
 
     routing {
@@ -38,7 +38,7 @@ fun Application.configureRouting() {
                 eventRoutes(eventRepository)
             }
             rateLimit(RateLimitName("telemetry")) {
-                telemetryRoutes(telemetryRepository)
+                telemetryRoutes(telemetryQueue)
             }
             categoryRoutes(repoRepository)
             topicRoutes(repoRepository)

src/main/kotlin/zed/rainxch/githubstore/routes/TelemetryRoutes.kt

@@ -4,12 +4,14 @@ import io.ktor.http.*
 import io.ktor.server.request.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
-import kotlinx.coroutines.Dispatchers
-import kotlinx.coroutines.withContext
+import kotlinx.serialization.json.JsonObject
 import org.slf4j.LoggerFactory
+import zed.rainxch.githubstore.telemetry.PropsSchema
 import zed.rainxch.githubstore.telemetry.TelemetryAllowlist
 import zed.rainxch.githubstore.telemetry.TelemetryBatchRequest
-import zed.rainxch.githubstore.telemetry.TelemetryRepository
+import zed.rainxch.githubstore.telemetry.TelemetryEvent
+import zed.rainxch.githubstore.telemetry.TelemetryJson
+import zed.rainxch.githubstore.telemetry.TelemetryQueue
 
 private val log = LoggerFactory.getLogger("TelemetryRoutes")
 
@@ -18,9 +20,23 @@ private const val MAX_SESSION_ID_LEN = 128
 private const val MAX_PLATFORM_LEN = 32
 private const val MAX_APP_VERSION_LEN = 32
 private const val MAX_NAME_LEN = 64
+private const val MAX_BODY_BYTES = 256 * 1024L
+private const val MAX_PROPS_BYTES = 2048
 
-fun Route.telemetryRoutes(repository: TelemetryRepository) {
+fun Route.telemetryRoutes(queue: TelemetryQueue) {
     post("/telemetry/events") {
+        // Pre-check before receive() so a megabyte body never gets buffered into
+        // the JVM heap. Missing Content-Length is treated as oversized — we don't
+        // accept chunked uploads for telemetry.
+        val contentLength = call.request.contentLength()
+        if (contentLength == null || contentLength > MAX_BODY_BYTES) {
+            call.respond(
+                HttpStatusCode.PayloadTooLarge,
+                mapOf("error" to "payload_too_large"),
+            )
+            return@post
+        }
+
         val body = call.receive<TelemetryBatchRequest>()
 
         if (body.events.isEmpty()) {
@@ -30,7 +46,15 @@ fun Route.telemetryRoutes(repository: TelemetryRepository) {
         if (body.events.size > MAX_BATCH_SIZE) {
             call.respond(
                 HttpStatusCode.BadRequest,
-                mapOf("error" to "max $MAX_BATCH_SIZE events per batch"),
+                mapOf("error" to "batch_too_large"),
+            )
+            return@post
+        }
+
+        if (body.events.any { it.name.isBlank() }) {
+            call.respond(
+                HttpStatusCode.BadRequest,
+                mapOf("error" to "invalid_event_name"),
             )
             return@post
         }
@@ -47,25 +71,63 @@ fun Route.telemetryRoutes(repository: TelemetryRepository) {
         if (oversized != null) {
             call.respond(
                 HttpStatusCode.BadRequest,
-                mapOf("error" to "field too long"),
+                mapOf("error" to "field_too_long"),
             )
             return@post
         }
 
-        val accepted = body.events.filter { it.name in TelemetryAllowlist.EVENTS }
-        val dropped = body.events.size - accepted.size
-        if (dropped > 0) {
+        // Per-event props size cap. Bound applies AFTER serialization (post-
+        // canonicalization), pre-strip, so a client can't sneak past it by
+        // padding allowed keys.
+        val propsTooBig = body.events.firstOrNull { e ->
+            e.props?.let { TelemetryJson.encodeToString(JsonObject.serializer(), it).encodeToByteArray().size > MAX_PROPS_BYTES } == true
+        }
+        if (propsTooBig != null) {
+            call.respond(
+                HttpStatusCode.BadRequest,
+                mapOf("error" to "props_too_large"),
+            )
+            return@post
+        }
+
+        val nameAccepted = body.events.filter { it.name in TelemetryAllowlist.EVENTS }
+        val nameDropped = body.events.size - nameAccepted.size
+        if (nameDropped > 0) {
             // INFO not WARN — clients on stale builds will trigger this normally
             // when the schema evolves. Operator dashboards can graph the rate.
-            log.info("Telemetry: dropped {} non-allowlisted events of {} submitted", dropped, body.events.size)
+            log.info("Telemetry: dropped {} non-allowlisted events of {} submitted", nameDropped, body.events.size)
         }
 
-        if (accepted.isNotEmpty()) {
-            withContext(Dispatchers.IO) {
-                repository.insertBatch(accepted)
+        var strippedKeyCount = 0
+        val accepted: List<TelemetryEvent> = nameAccepted.map { e ->
+            val props = e.props ?: return@map e
+            val allowed = PropsSchema.allowedKeys(e.name)
+            val filtered = props.filterKeys { it in allowed }
+            if (filtered.size == props.size) {
+                e
+            } else {
+                strippedKeyCount += props.size - filtered.size
+                e.copy(props = JsonObject(filtered))
             }
         }
+        if (strippedKeyCount > 0) {
+            log.info("Telemetry: stripped {} disallowed prop keys", strippedKeyCount)
+        }
 
-        call.respond(HttpStatusCode.NoContent)
+        if (accepted.isNotEmpty()) {
+            queue.submit(accepted)
+        }
+
+        // 204 only when every submitted event was accepted with no key
+        // stripping. Otherwise return 200 + counts so clients can detect
+        // schema drift without reading the body.
+        if (nameDropped == 0 && strippedKeyCount == 0) {
+            call.respond(HttpStatusCode.NoContent)
+        } else {
+            call.respond(
+                HttpStatusCode.OK,
+                mapOf("accepted" to accepted.size, "dropped" to nameDropped),
+            )
+        }
     }
 }

src/main/kotlin/zed/rainxch/githubstore/telemetry/TelemetryEvent.kt

@@ -1,8 +1,11 @@
 package zed.rainxch.githubstore.telemetry
 
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.JsonObject
 
+internal val TelemetryJson = Json { encodeDefaults = false }
+
 @Serializable
 data class TelemetryEvent(
     val name: String,
@@ -59,3 +62,45 @@ object TelemetryAllowlist {
         "details_viewed",
     )
 }
+
+// Per-event allowed-prop-key allowlist. Keys outside the list are stripped
+// silently (symmetric with the event-name drop-on-floor design — schema drift
+// from a stale client must not 4xx). Mirrors roadmap/E6_CLIENT_HANDOFF.md §3
+// — keep both in sync when adding a new event or prop.
+object PropsSchema {
+    val BY_EVENT: Map<String, Set<String>> = mapOf(
+        // session
+        "app_launched" to emptySet(),
+        "session_duration" to setOf("seconds"),
+
+        // import (E1 / E2)
+        "import_scan_started" to setOf("platform"),
+        "import_scan_completed" to setOf("candidate_count", "duration_ms"),
+        "import_match_attempted" to setOf("strategy", "confidence_bucket"),
+        "import_auto_linked" to setOf("count"),
+        "import_manually_linked" to setOf("count"),
+        "import_skipped" to setOf("count"),
+
+        // reliability (E3)
+        "crash" to setOf("category", "platform"),
+        "operation_failed" to setOf("op", "error_code"),
+
+        // performance (E4)
+        "cold_start_ms" to setOf("platform", "bucket"),
+        "first_paint_ms" to setOf("screen", "bucket"),
+        "cache_hit" to setOf("cache_name"),
+        "cache_miss" to setOf("cache_name"),
+
+        // proxy (E5)
+        "proxy_configured" to setOf("type"),
+        "proxy_used" to setOf("success"),
+        "mirror_used" to setOf("preset", "success"),
+
+        // discovery / engagement
+        "update_installed" to emptySet(),
+        "search_executed" to setOf("result_count_bucket"),
+        "details_viewed" to setOf("from"),
+    )
+
+    fun allowedKeys(event: String): Set<String> = BY_EVENT[event] ?: emptySet()
+}

src/main/kotlin/zed/rainxch/githubstore/telemetry/TelemetryQueue.kt

@@ -0,0 +1,36 @@
+package zed.rainxch.githubstore.telemetry
+
+import kotlinx.coroutines.CoroutineExceptionHandler
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.SupervisorJob
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.sync.Semaphore
+import kotlinx.coroutines.sync.withPermit
+import org.slf4j.LoggerFactory
+
+open class TelemetryQueue(private val repository: TelemetryRepository) {
+
+    private val log = LoggerFactory.getLogger(TelemetryQueue::class.java)
+
+    private val scope = CoroutineScope(
+        Dispatchers.IO + SupervisorJob() + CoroutineExceptionHandler { _, e ->
+            log.warn("Telemetry insert failed", e)
+        }
+    )
+
+    // Bounds in-flight inserts so a traffic burst can't queue unbounded
+    // coroutines, each holding a Hikari connection (pool size 20). 2 is
+    // enough headroom for normal load while leaving the rest of the pool
+    // for live request handlers.
+    private val gate = Semaphore(permits = 2)
+
+    open fun submit(events: List<TelemetryEvent>) {
+        if (events.isEmpty()) return
+        scope.launch {
+            gate.withPermit {
+                repository.insertBatch(events)
+            }
+        }
+    }
+}

src/main/kotlin/zed/rainxch/githubstore/telemetry/TelemetryRepository.kt

@@ -1,21 +1,19 @@
 package zed.rainxch.githubstore.telemetry
 
-import kotlinx.serialization.json.Json
+import kotlinx.coroutines.Dispatchers
 import org.jetbrains.exposed.sql.batchInsert
-import org.jetbrains.exposed.sql.transactions.transaction
+import org.jetbrains.exposed.sql.transactions.experimental.newSuspendedTransaction
 import zed.rainxch.githubstore.db.TelemetryEvents
 import java.time.Instant
 import java.time.OffsetDateTime
 import java.time.ZoneOffset
 
 open class TelemetryRepository {
 
-    private val json = Json { encodeDefaults = false }
-
-    open fun insertBatch(events: List<TelemetryEvent>) {
+    open suspend fun insertBatch(events: List<TelemetryEvent>) {
         if (events.isEmpty()) return
         val now = OffsetDateTime.now(ZoneOffset.UTC)
-        transaction {
+        newSuspendedTransaction(Dispatchers.IO) {
             TelemetryEvents.batchInsert(events) { event ->
                 this[TelemetryEvents.ts] = OffsetDateTime.ofInstant(
                     Instant.ofEpochMilli(event.timestamp),
@@ -25,7 +23,7 @@ open class TelemetryRepository {
                 this[TelemetryEvents.sessionId] = event.sessionId
                 this[TelemetryEvents.platform] = event.platform
                 this[TelemetryEvents.appVersion] = event.appVersion
-                this[TelemetryEvents.props] = event.props?.let { json.encodeToString(it) } ?: "{}"
+                this[TelemetryEvents.props] = event.props?.let { TelemetryJson.encodeToString(it) } ?: "{}"
                 this[TelemetryEvents.receivedAt] = now
             }
         }

src/main/resources/db/migration/V8__telemetry_props_jsonb.sql

@@ -0,0 +1,30 @@
+-- V8: convert telemetry_events.props from TEXT to JSONB.
+--
+-- V7 stored props as TEXT pending a hot-dashboard need. The E6 hardening pass
+-- adds per-event allowed-key allowlists and operator dashboards will start
+-- key-extracting (e.g. CATEGORY rollups) in the next iteration. JSONB pays for
+-- itself once any query does ->/->> on these rows.
+--
+-- USING props::jsonb succeeds because every existing row was written by
+-- TelemetryRepository which encodes via kotlinx Json (always valid JSON), or
+-- defaulted to '{}' at the column level.
+--
+-- Idempotent via DO block: a second run is a no-op because Postgres errors
+-- on TYPE-changes when source and target types match, and the IGNORABLE
+-- list in DatabaseFactory does not cover that error.
+
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1
+        FROM information_schema.columns
+        WHERE table_name = 'telemetry_events'
+          AND column_name = 'props'
+          AND data_type = 'text'
+    ) THEN
+        ALTER TABLE telemetry_events
+            ALTER COLUMN props TYPE JSONB USING props::jsonb;
+        ALTER TABLE telemetry_events
+            ALTER COLUMN props SET DEFAULT '{}'::jsonb;
+    END IF;
+END $$;