Misc: drop JSON.stringify token estimate + crypto.randomBytes for slug suffix

2026-05-07

api, community-tier, provisioning

What We Built

(1) Community-tier token estimation called JSON.stringify(messages), allocating a ~400KB intermediate string for a 100-message conversation purely to measure its length. Replaced with an in-place reduce: same estimate, zero allocation.

(2) randomSuffix() for the tenant slug used Math.random(). Slug uniqueness is enforced by the DB UNIQUE constraint, but a predictable suffix lets an adversary pre-register slugs to cause repeated collisions for targeted email domains. Replaced with crypto.randomBytes(2).toString('hex').

Why It Matters

Allocation reduction on a hot path; predictability removal on a security-adjacent path.

How It Works

Tests assert that (a) JSON.stringify is NOT called for token estimation and (b) randomSuffix output matches [0-9a-f]{4} (hex only).
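
The two replacements and both regression checks, as an added example that is not the project's code. The message shape, the 4-characters-per-token divisor, and the helpers contentLength and stringifyCallsDuring are assumptions made for illustration; only randomSuffix and the crypto.randomBytes(2).toString('hex') call come from this entry.

```javascript
const { randomBytes } = require('node:crypto');

// Assumption for illustration: ~4 characters per token.
const CHARS_PER_TOKEN = 4;

// Length of one message's content. Assumed shapes: a string, or an array of
// parts carrying a `text` string; anything else counts as zero.
function contentLength(content) {
  if (typeof content === 'string') return content.length;
  if (!Array.isArray(content)) return 0;
  return content.reduce(
    (n, part) => n + (part && typeof part.text === 'string' ? part.text.length : 0), 0);
}

// Sum lengths in place; no serialized copy of the conversation is built.
function estimateTokens(messages) {
  const chars = messages.reduce((sum, m) => sum + contentLength(m.content), 0);
  return Math.ceil(chars / CHARS_PER_TOKEN);
}

// Two bytes from the OS CSPRNG, hex-encoded: always 4 chars in [0-9a-f].
function randomSuffix() {
  return randomBytes(2).toString('hex');
}
const SUFFIX_RE = /^[0-9a-f]{4}$/;

// Regression check (a): count JSON.stringify calls made while fn runs.
function stringifyCallsDuring(fn) {
  const original = JSON.stringify;
  let calls = 0;
  JSON.stringify = (...args) => { calls += 1; return original(...args); };
  try { fn(); } finally { JSON.stringify = original; }
  return calls;
}

// Constructed sample: 100 messages of 4,000 characters (~400KB if serialized).
const sampleMessages = Array.from({ length: 100 }, (_, i) => ({
  role: i % 2 ? 'assistant' : 'user',
  content: 'x'.repeat(4000),
}));

console.log('tokens:', estimateTokens(sampleMessages));
console.log('stringify calls:', stringifyCallsDuring(() => estimateTokens(sampleMessages)));
console.log('suffix ok:', SUFFIX_RE.test(randomSuffix()));
```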

Lockstep Checklist

  • [x] No API route changes (middleware/internal — lockstep N/A)
  • [x] No SDK changes
  • [x] No MCP tool changes
  • [x] Regression test included (test-first invariant per /quality-fleet protocol)
  • [x] Linked to /quality-fleet R1 dashboard at .quality/dashboard.md

Provenance

Auto-found by /quality-fleet R1 (2026-05-07) scanner round, fixed in fix-agent batch under "go for all of it" autonomy grant. PR #211 merged to main as commit 35dd300c4. Finding(s) tracked at .quality/findings.jsonl (entries: "a3d8f2b4c917", "1a6f3d9c2b74"). Production-deployed via ECS task-def revision 732 series.