# Vuln Explorer query-hash metrics spec (DEVOPS-VULN-29-003)

## Metrics to emit

- `vuln_query_hashes_total{tenant,query_hash,route,cache="hit|miss"}`
- `vuln_api_payload_bytes_bucket{direction="request|response"}`

## Hashing rules

- Hash the canonicalised query body (sorted keys, trimmed whitespace) with SHA-256.
- Salt: deployment-specific (e.g., `Telemetry:QueryHashSalt`), 32 bytes hex.
- Store only the hash; never log raw filters.
- Truncate any string field >128 chars before hashing to control cardinality.

## Logging filter

- Drop fields named `email`, `userId`, `principalName`; replace with `[redacted]` before metrics/logging.
- Retain `tenant`, `route`, `status`, `durationMs`, `query_hash`.

## Prometheus exemplar tags (optional)

- Add `trace_id` as an exemplar if traces are enabled; do not add request bodies.

## Acceptance checks

- Unit test: hashed query string changes when the salt changes; raw query not present in logs.
- Prometheus snapshot test: scrape and assert presence of `vuln_query_hashes_total` and payload histograms.
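The hashing and logging-filter rules above, worked as an added Python reference example (not the project's own code; the page does not name its implementation language). It assumes the salt is applied as an HMAC-SHA256 key, that query bodies are JSON objects with string keys, and that sample queries and the salt values are constructed.

```python
import hashlib
import hmac
import json
from typing import Any

# Fields that must never reach metrics or logs in the clear (from the spec).
REDACTED_FIELDS = {"email", "userId", "principalName"}
# Fields the structured log record is allowed to carry (from the spec).
RETAINED_FIELDS = {"tenant", "route", "status", "durationMs"}
MAX_STRING_LEN = 128  # truncate longer string fields before hashing


def canonicalise(value: Any) -> Any:
    """Recursively sort keys, trim whitespace and truncate long strings."""
    if isinstance(value, dict):
        return {k: canonicalise(value[k]) for k in sorted(value)}
    if isinstance(value, list):
        return [canonicalise(v) for v in value]
    if isinstance(value, str):
        return value.strip()[:MAX_STRING_LEN]
    return value


def query_hash(query: dict, salt_hex: str) -> str:
    """Salted SHA-256 of the canonical JSON body, as a 64-char hex digest."""
    salt = bytes.fromhex(salt_hex)
    if len(salt) != 32:
        raise ValueError("Telemetry:QueryHashSalt must be 32 bytes hex")
    body = json.dumps(canonicalise(query), separators=(",", ":"), sort_keys=True)
    # Assumption: the deployment salt is used as an HMAC key (salted SHA-256).
    return hmac.new(salt, body.encode("utf-8"), hashlib.sha256).hexdigest()


def redact(fields: Any) -> Any:
    """Replace the values of PII-bearing keys with '[redacted]', recursively."""
    if isinstance(fields, dict):
        return {k: "[redacted]" if k in REDACTED_FIELDS else redact(v)
                for k, v in fields.items()}
    if isinstance(fields, list):
        return [redact(v) for v in fields]
    return fields


def log_record(query: dict, context: dict, salt_hex: str) -> dict:
    """Build the log/metrics record: retained context fields plus the hash.

    The raw query body is never copied into the record; only its hash is.
    """
    safe = redact(context)
    record = {k: v for k, v in safe.items() if k in RETAINED_FIELDS}
    record["query_hash"] = query_hash(query, salt_hex)
    return record
```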