fix(security): cap persisted error-stack length (EXPOSE-001)

Full JS error stacks were stored unbounded in request_logs.error_stack, which
is included in per-user DB exports — leaking internal file paths / code
structure (and bloating the table). Cap stored stacks at 2000 chars (top frames
retained for debugging). Fuller mitigation (path redaction / prod-gating) is a
product decision, noted in REMEDIATION.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: ersinkoc

packages/gateway/src/db/repositories/logs.test.ts

@@ -178,6 +178,18 @@ describe('LogsRepository', () => {
       expect(params[18]).toBeNull(); // userAgent
     });
 
+    it('truncates an oversized error stack to the cap (EXPOSE-001)', async () => {
+      mockAdapter.execute.mockResolvedValueOnce({ changes: 1 });
+      mockAdapter.queryOne.mockResolvedValueOnce(makeLogRow());
+
+      const hugeStack = 'Error: boom\n' + '    at frame\n'.repeat(5000);
+      await repo.log({ type: 'chat', errorStack: hugeStack });
+
+      const params = mockAdapter.execute.mock.calls[0]![1] as unknown[];
+      expect((params[16] as string).length).toBe(2000); // persisted stack capped
+      expect(params[16]).toBe(hugeStack.slice(0, 2000));
+    });
+
     it('should return a fallback log entry when insert fails', async () => {
       mockAdapter.execute.mockRejectedValueOnce(new Error('DB connection lost'));
 

packages/gateway/src/db/repositories/logs.ts

@@ -9,6 +9,12 @@ import { getLog } from '../../services/log.js';
 
 const log = getLog('LogsRepo');
 
+// EXPOSE-001: bound how much of a JS error stack we persist. Full stacks leak
+// internal file paths / code structure into request_logs (which is included in
+// per-user DB exports) and bloat the table. Keep the top frames (enough to
+// debug) and drop the rest.
+const MAX_ERROR_STACK_LEN = 2000;
+
 // =====================================================
 // TYPES
 // =====================================================
@@ -152,6 +158,7 @@ export class LogsRepository extends BaseRepository {
   async log(input: CreateLogInput): Promise<RequestLog> {
     const id = crypto.randomUUID();
     const now = new Date().toISOString();
+    const errorStack = input.errorStack ? input.errorStack.slice(0, MAX_ERROR_STACK_LEN) : null;
 
     try {
       await this.execute(
@@ -177,7 +184,7 @@ export class LogsRepository extends BaseRepository {
           input.totalTokens || null,
           input.durationMs || null,
           input.error || null,
-          input.errorStack || null,
+          errorStack,
           input.ipAddress || null,
           input.userAgent || null,
           now,
@@ -207,7 +214,7 @@ export class LogsRepository extends BaseRepository {
         totalTokens: input.totalTokens || null,
         durationMs: input.durationMs || null,
         error: input.error || null,
-        errorStack: input.errorStack || null,
+        errorStack,
         ipAddress: input.ipAddress || null,
         userAgent: input.userAgent || null,
         createdAt: new Date(now),