Operational: Unbounded in-memory request log growth #86

New issue

Open

opened 2026-05-11 13:48:52 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:48:52 +00:00

Owner

Severity: High

Location

crates/hero_aibroker_lib/src/middleware/request_log.rs — RequestLogger

Finding

The request logger stores entries in a VecDeque with a configured maximum size, but the default is unbounded and the cap is only enforced on insertion:

pub struct RequestLogger {
    entries: Arc<Mutex<VecDeque<RequestLogEntry>>>,
    max_entries: usize,
}

If max_entries is set very high or not enforced during iteration/export, the logger can consume significant memory.

Recommendation

Enforce a hard cap (e.g., 10,000 entries)
Implement automatic rotation to disk
Add a prune() method for age-based cleanup

## Severity: High ## Location `crates/hero_aibroker_lib/src/middleware/request_log.rs` — `RequestLogger` ## Finding The request logger stores entries in a `VecDeque` with a configured maximum size, but the default is unbounded and the cap is only enforced on insertion: ```rust pub struct RequestLogger { entries: Arc<Mutex<VecDeque<RequestLogEntry>>>, max_entries: usize, } ``` If `max_entries` is set very high or not enforced during iteration/export, the logger can consume significant memory. ## Recommendation - Enforce a hard cap (e.g., 10,000 entries) - Implement automatic rotation to disk - Add a `prune()` method for age-based cleanup