Beta: in-app "Send feedback" channel (Help menu + palette → API server → Discord)

Open-beta testers can now send free-text feedback from inside the app with zero friction: Help > "Send feedback…" (macOS + Linux) or the palette's "Send feedback" opens a small dialog, and the note lands on the API server and pings Discord, mirroring how error reports already flow (minus the log bundle).

- api-server: new `POST /feedback` (JSON: required `feedback` ≤ 100k code points + `appVersion`/`osVersion`, optional reply-to `email` + `buildMode`). The D1 `feedback` table (migration `0007_feedback.sql`) is the durable sink, so the write is awaited and a failure returns a soft 502 the app surfaces as a retry; the Discord embed (truncated preview, `[DEV]`/`[PROD]` prefix) rides `waitUntil` and prefers the new optional `DISCORD_FEEDBACK_WEBHOOK_URL`, falling back to `DISCORD_WEBHOOK_URL` so it works with no new secret. Abuse guards mirror the sibling routes: `FEEDBACK_LIMITER` at 5/min/IP (IP never stored), 512 KB body cap, strict shape validation. 22 new vitest tests (endpoint + Discord payload).
- Desktop backend: `feedback.rs` (trim + code-point-cap validation, payload assembly, send with the error reporter's CI/E2E skip gates) + thin async `send_feedback` command returning a typed `SendFeedbackResult` (`sent`/`invalid`/`softFailure`), no string matching. Registered in `ipc.rs` + `ipc_collectors.rs`; bindings regenerated.
- Desktop frontend: new `lib/feedback/` feature (flow store + dialog). Same 50k/100k code-point note caps as the error reporter, the same sticky "Attach my email (…) so we can reply" checkbox (gated on `analytics.email`, persisted via `updates.attachEmailToReports`), warm success toast, inline friendly retry on failure with the text preserved. A quiet line links "browse and vote on GitHub" and "book a call" via the new shared `lib/beta-links.ts` (booking URL is a placeholder until release), routed through the opener plugin.
- Command wiring: `feedback.send` in `COMMAND_IDS` + registry (palette-visible) + handler; Help-menu items on both platforms dispatch it through the usual `execute-command` path; `feedback` added to the soft-dialog registry.
- Tests: TDD red-first on the api-server endpoint and the Rust validator (the naive first cut failed exactly on trim + code-point counting); dialog gets tier-3 a11y + behavior tests; flow store and IPC wrapper unit-tested; characterization + registry pins updated. Full `pnpm check` green.
- Docs: api-server CLAUDE.md (route, limiter, data flow, migration pointer), new `lib/feedback/CLAUDE.md`, architecture.md entries, command-count refresh.

Deploy notes: apply the D1 migration (`wrangler d1 migrations apply cmdr-telemetry`) before deploying the Worker; optionally set `DISCORD_FEEDBACK_WEBHOOK_URL` for a dedicated channel.

Author: vdavid

apps/api-server/CLAUDE.md

@@ -17,6 +17,7 @@ app versions).
 | `src/likes.ts`                              | Routes: `/likes/:slug` (GET, POST, DELETE, OPTIONS)                                                         |
 | `src/error-report.ts`                       | Route: `POST /error-report` (multipart upload to R2, Discord notify)                                        |
 | `src/beta-signup.ts`                        | Route: `POST /beta-signup` (email-only Listmonk double-opt-in subscribe; NO install id)                     |
+| `src/feedback.ts`                           | Route: `POST /feedback` (in-app feedback → D1 + Discord notify)                                             |
 | `src/error-report-eviction.ts`              | Eviction logic: 8/6 GB watermarks, KV lock, recompute helper                                                |
 | `src/discord.ts`                            | Discord webhook client (single-retry on 429, drop-on-failure)                                               |
 | `src/scheduled.ts`                          | Cron handler functions (crash notifications, aggregation, DB size, eviction)                                |
@@ -32,6 +33,7 @@ app versions).
 | `src/crash-report.test.ts`                  | Tests for `POST /crash-report` endpoint                                                                     |
 | `src/heartbeat.test.ts`                     | Tests for `POST /heartbeat` (validation, config round-trip, rate limit)                                     |
 | `src/beta-signup.test.ts`                   | Tests for `POST /beta-signup` (Listmonk call, no-install-id invariant, soft failure, rate limit)            |
+| `src/feedback.test.ts`                      | Tests for `POST /feedback` (validation, caps, D1 row, Discord ping, rate limit)                             |
 | `src/download-and-update-check.test.ts`     | Tests for download redirect and update check routes                                                         |
 | `src/scheduled.test.ts`                     | Tests for cron handler (crash notifications, aggregation)                                                   |
 | `scripts/generate-keys.js`                  | Ed25519 key pair generation (run once at setup)                                                             |
@@ -56,6 +58,7 @@ app versions).
 | POST   | `/heartbeat`               | IP rate-limit | Ingest a usage heartbeat (anonymous `anal_id`) to D1                |
 | POST   | `/error-report`            | none          | Multipart upload (zip + meta) → R2, Discord notify                  |
 | POST   | `/beta-signup`             | IP rate-limit | Subscribe a contact email to the Listmonk beta list (NO install id) |
+| POST   | `/feedback`                | IP rate-limit | Ingest in-app feedback to D1, Discord notify                        |
 | GET    | `/update-check/:version`   | none          | Log update check to D1 (deduped), 302 → latest.json                 |
 
 ## Environments
@@ -98,6 +101,7 @@ API key the server uses. Set to `"sandbox"` by default (from `wrangler.toml`). T
 | `ERROR_REPORT_META`    | KV namespace | `total_bytes` counter + `eviction_in_progress` lock for the eviction logic           |
 | `HEARTBEAT_LIMITER`    | Rate limit   | Gates `POST /heartbeat` at 12 req/min/IP (`[[ratelimits]]`, type `RateLimit`)        |
 | `BETA_SIGNUP_LIMITER`  | Rate limit   | Gates `POST /beta-signup` at 5 req/min/IP (signups are rare; tighter than heartbeat) |
+| `FEEDBACK_LIMITER`     | Rate limit   | Gates `POST /feedback` at 5 req/min/IP (real feedback is rare; spam loops aren't)    |
 
 **Paddle dashboards**: [sandbox](https://sandbox-vendors.paddle.com) | [live](https://vendors.paddle.com)
 
@@ -193,6 +197,8 @@ Heartbeat: POST /heartbeat → rate-limit by IP (HEARTBEAT_LIMITER, 429 if over)
 
 Beta signup: POST /beta-signup → rate-limit by IP (BETA_SIGNUP_LIMITER, 429 if over) → read ONLY the email (no install id) → validate shape → Listmonk POST /api/subscribers (list = LISTMONK_BETA_LIST_ID, status "unconfirmed", NO preconfirm = double opt-in) → 204 on 2xx or 409 (existing; no enumeration), soft 502 on Listmonk error
 
+Feedback: POST /feedback → rate-limit by IP (FEEDBACK_LIMITER, 429 if over) → validate shape (required feedback text ≤ 100k code points + appVersion/osVersion, optional email/buildMode) → AWAITED D1 write to `feedback` (failure → soft 502 so the app offers a retry) → Discord ping in waitUntil (DISCORD_FEEDBACK_WEBHOOK_URL, falls back to DISCORD_WEBHOOK_URL) → 204
+
 Update check proxy: GET /update-check/:version → hash IP with daily salt → INSERT OR IGNORE into D1 (fire-and-forget) → 302 to latest.json
 
 Cron (every 12h): scheduled handler runs three jobs:
@@ -249,12 +255,12 @@ Read by `/admin/stats`. The counter starts from zero when deployed; initialize v
 needed.
 
 **D1 for telemetry:** Crash reports, downloads, update checks, and heartbeats are stored in D1 (binding: `TELEMETRY_DB`,
-database: `cmdr-telemetry`). Migrations live in `migrations/` (latest: `0006_crash_diag_email.sql`, which adds the
-nullable `diag_id` + `email` columns to `crash_reports`; `0005_heartbeat.sql` adds the `heartbeat` table). Apply with
-`wrangler d1 migrations apply cmdr-telemetry` before deploying changes that add new tables or columns. The only
-remaining Analytics Engine dataset is `DEVICE_COUNTS` for fair-use monitoring. All other state (license codes,
-activation counter, device sets) lives in Cloudflare KV. Short codes never expire (perpetual licenses last forever);
-subscription validity is checked live via Paddle API.
+database: `cmdr-telemetry`). Migrations live in `migrations/` (latest: `0007_feedback.sql`, which adds the `feedback`
+table for in-app feedback; `0006_crash_diag_email.sql` adds the nullable `diag_id` + `email` columns to `crash_reports`;
+`0005_heartbeat.sql` adds the `heartbeat` table). Apply with `wrangler d1 migrations apply cmdr-telemetry` before
+deploying changes that add new tables or columns. The only remaining Analytics Engine dataset is `DEVICE_COUNTS` for
+fair-use monitoring. All other state (license codes, activation counter, device sets) lives in Cloudflare KV. Short
+codes never expire (perpetual licenses last forever); subscription validity is checked live via Paddle API.
 
 **Validation error granularity:** `/validate` distinguishes "Paddle says invalid" (HTTP 200 + `status: "invalid"`) from
 "Paddle is unreachable" (HTTP 502 + `{ error: "upstream_error" }`). `paddle-api.ts` throws `PaddleApiError` on
@@ -313,6 +319,15 @@ the address existed: no enumeration). On a Listmonk network/5xx failure it retur
 as a gentle "try again" (NOT fire-and-forget: we want the user to know it didn't land). Missing Listmonk config
 returns 500. The list id is set as a wrangler secret at deploy time; see `docs/tooling/listmonk.md`.
 
+**In-app feedback:** `POST /feedback` is the open-beta "Send feedback" channel. JSON body: required `feedback` text
+(trimmed, 1–100 000 Unicode code points; the cap matches the desktop dialog and the Rust validator) plus `appVersion` /
+`osVersion`, optional reply-to `email` (loose shape check) and `buildMode`. Body capped at 512 KB. The D1 `feedback`
+table is the durable sink, so unlike the other telemetry writes this one is AWAITED: a D1 failure returns a soft 502 the
+desktop app surfaces as a gentle retry. The Discord ping (truncated preview, `[DEV]`/`[PROD]` title prefix from
+`buildMode`) rides `waitUntil` after the 204; it prefers `DISCORD_FEEDBACK_WEBHOOK_URL` and falls back to
+`DISCORD_WEBHOOK_URL` so feedback works with no new secret. No install id of any kind is read or stored, so feedback
+can't be joined to the analytics stream. Rate-limited at 5/min/IP via `FEEDBACK_LIMITER` (IP never stored).
+
 **Device tracking (fair use):** On each `/validate` call with a `deviceId`, the server tracks the device in KV
 (`devices:{seatTransactionId}`) and logs to Analytics Engine (binding: `DEVICE_COUNTS`, dataset: `cmdr_device_counts`).
 Devices older than 90 days are pruned on each write. If 6+ devices are active and no alert was sent in the past 30 days,

apps/api-server/migrations/0007_feedback.sql

@@ -0,0 +1,16 @@
+-- In-app "Send feedback" messages (open beta). One row per submission, written by
+-- POST /feedback. This table is the durable sink: the Discord notification only carries
+-- a truncated preview. `email` is the optional reply-to address the sender chose to
+-- attach; no install id of any kind is stored, so feedback can't be joined to the
+-- analytics stream.
+CREATE TABLE feedback (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    feedback TEXT NOT NULL,
+    email TEXT,                      -- optional reply-to, nullable
+    app_version TEXT NOT NULL,
+    os_version TEXT NOT NULL,
+    build_mode TEXT                  -- 'release' | 'debug', nullable
+);
+
+CREATE INDEX idx_feedback_created ON feedback(created_at);

apps/api-server/src/discord.test.ts

@@ -2,10 +2,12 @@ import { describe, expect, it, vi, beforeEach, afterEach } from 'vitest'
 import {
   buildErrorReportPayload,
   buildEvictionPayload,
+  buildFeedbackPayload,
   formatBytes,
   postErrorReportNotification,
   postEvictionNotification,
   type ErrorReportNotification,
+  type FeedbackNotification,
 } from './discord'
 
 const baseNotification: ErrorReportNotification = {
@@ -112,6 +114,42 @@ describe('buildErrorReportPayload', () => {
   })
 })
 
+describe('buildFeedbackPayload', () => {
+  const baseFeedback: FeedbackNotification = {
+    buildMode: 'release',
+    appVersion: '0.14.0',
+    osVersion: 'macOS 26.0',
+    feedback: 'Love the app! The Brief mode columns are perfect.',
+  }
+
+  it('puts the feedback text in the embed description with a [PROD] title prefix', () => {
+    const payload = buildFeedbackPayload(baseFeedback) as {
+      embeds: { title: string; description: string; fields: { name: string; value: string }[] }[]
+    }
+    expect(payload.embeds[0].title).toBe('[PROD] Feedback')
+    expect(payload.embeds[0].description).toBe(baseFeedback.feedback)
+    expect(payload.embeds[0].fields.map((f) => f.name)).toEqual(['App version', 'OS'])
+  })
+
+  it('prefixes [DEV] for debug builds and adds a reply-to field when an email is attached', () => {
+    const payload = buildFeedbackPayload({
+      ...baseFeedback,
+      buildMode: 'debug',
+      email: 'tester@example.com',
+    }) as { embeds: { title: string; fields: { name: string; value: string }[] }[] }
+    expect(payload.embeds[0].title).toBe('[DEV] Feedback')
+    expect(payload.embeds[0].fields).toContainEqual({ name: 'Reply to', value: 'tester@example.com', inline: true })
+  })
+
+  it('truncates very long feedback below the Discord description cap', () => {
+    const payload = buildFeedbackPayload({ ...baseFeedback, feedback: 'x'.repeat(10_000) }) as {
+      embeds: { description: string }[]
+    }
+    expect(payload.embeds[0].description.length).toBeLessThanOrEqual(4096)
+    expect(payload.embeds[0].description).toContain('full text in the feedback table')
+  })
+})
+
 describe('buildEvictionPayload', () => {
   it('formats a plain content message', () => {
     const payload = buildEvictionPayload({

apps/api-server/src/discord.ts

@@ -25,6 +25,19 @@ export interface ErrorReportNotification {
   userNote?: string
 }
 
+export interface FeedbackNotification {
+  /**
+   * `[DEV]`/`[PROD]` prefix logic mirrors error reports: dev-build feedback (mostly
+   * the maintainer testing) stays visually separate from real beta-tester traffic.
+   */
+  buildMode: 'release' | 'debug'
+  appVersion: string
+  osVersion: string
+  /** Reply-to email the sender chose to attach; absent means they want to stay anonymous. */
+  email?: string
+  feedback: string
+}
+
 export interface EvictionInfo {
   evictedCount: number
   freedBytes: number
@@ -33,6 +46,12 @@ export interface EvictionInfo {
 
 const ERROR_REPORT_EMBED_COLOR = 0xff6b6b
 const USER_NOTE_EMBED_CAP = 500
+const FEEDBACK_EMBED_COLOR = 0x5bc0de
+/**
+ * Discord caps embed descriptions at 4096 chars. The full text always lives in the
+ * D1 `feedback` table, so a truncated embed never loses data.
+ */
+const FEEDBACK_EMBED_CAP = 3500
 
 /** "1.23 GB", "456 MB", "789 KB", "12 B". */
 export function formatBytes(bytes: number): string {
@@ -79,6 +98,34 @@ export function buildErrorReportPayload(n: ErrorReportNotification): unknown {
   }
 }
 
+/** Build the Discord webhook JSON body for a new in-app feedback message. */
+export function buildFeedbackPayload(n: FeedbackNotification): unknown {
+  const truncated =
+    n.feedback.length > FEEDBACK_EMBED_CAP
+      ? n.feedback.slice(0, FEEDBACK_EMBED_CAP) + '… (full text in the feedback table)'
+      : n.feedback
+
+  const fields: { name: string; value: string; inline?: boolean }[] = [
+    { name: 'App version', value: n.appVersion, inline: true },
+    { name: 'OS', value: n.osVersion, inline: true },
+  ]
+  if (n.email) {
+    fields.push({ name: 'Reply to', value: n.email, inline: true })
+  }
+
+  const titlePrefix = n.buildMode === 'debug' ? '[DEV] ' : '[PROD] '
+  return {
+    embeds: [
+      {
+        title: `${titlePrefix}Feedback`,
+        description: truncated,
+        color: FEEDBACK_EMBED_COLOR,
+        fields,
+      },
+    ],
+  }
+}
+
 /** Build the Discord webhook JSON body for an eviction summary. */
 export function buildEvictionPayload(info: EvictionInfo): unknown {
   return {
@@ -127,3 +174,7 @@ export async function postErrorReportNotification(
 export async function postEvictionNotification(webhookUrl: string, info: EvictionInfo): Promise<void> {
   await postWithRetry(webhookUrl, buildEvictionPayload(info), 'eviction')
 }
+
+export async function postFeedbackNotification(webhookUrl: string, notification: FeedbackNotification): Promise<void> {
+  await postWithRetry(webhookUrl, buildFeedbackPayload(notification), 'feedback')
+}