feat(grpc): add keepalive, LimitListener, and MaxRecvMsgSize to gRPC server :9090 (PLT-705)

[amir-deris]

Summary

The gRPC server at :9090 was created with only grpc.MaxConcurrentStreams(100) and an unbounded net.Listen. It had no cap on connection count, no bound on inbound message size, and no keepalive policy. This PR adds all three and exposes every parameter as an operator config field under [grpc] in app.toml. (PLT-705)

MaxRecvMsgSize

Sets grpc.MaxRecvMsgSize() explicitly (default 4 MB, matching gRPC's own default). This bounds per-request memory allocation before the rate limiter fires, so an oversized request can't allocate first and rate-limit second.

MaxOpenConnections

Wraps the listener with netutil.LimitListener to cap simultaneously-open TCP connections (mirrors the gRPC-Web change in #3605 and the EVM LimitListener pattern). Keepalive alone bounds neither connection count nor message size — this is the actual DoS bound.

• Default: 1000 (matches the API and gRPC-Web defaults)
• Set to 0 to disable the cap.

Keepalive

Adds keepalive.ServerParameters and keepalive.EnforcementPolicy. Defaults mirror gRPC's own (i.e. opt-in, no behavior change) with one deliberate exception:

Field	Default	Rationale
MaxConnectionIdle	5m	Bounded by default — reclaims abandoned connection slots, which matter now that the listener is capped. Only closes connections with zero in-flight RPCs, so it never interrupts active work. 5m (not 30s) avoids churning clients that poll on a sub-minute cadence.
MaxConnectionAge	0 (∞)	Applies to active connections too and would cut long-lived streams; its main benefit (LB rebalancing) is topology-specific. Left off by default, exposed for fleet operators.
MaxConnectionAgeGrace	0 (∞)	Paired with MaxConnectionAge; meaningless until age is set.
Time	2h	gRPC default.
Timeout	20s	gRPC default.
EnforcementPolicy.MinTime	5m	gRPC default.
EnforcementPolicy.PermitWithoutStream	false	gRPC default.

MaxSendMsgSize is intentionally not added — PageGuard already bounds row count at the query layer. Revisit if large unpaginated responses surface in the handler inventory.

Config plumbing

All fields are exposed under [grpc] in app.toml and wired through DefaultConfig() and GetConfig(). For the bounded defaults (max-recv-msg-size, max-open-connections, max-connection-idle, and the keepalive durations), GetConfig applies the in-code default when the key is absent, so a node upgrading with an older app.toml stays bounded rather than reverting to unlimited/infinity.

Files changed: sei-cosmos/server/grpc/server.go, sei-cosmos/server/config/config.go, sei-cosmos/server/config/toml.go, sei-cosmos/server/start.go, sei-cosmos/testutil/network/util.go

Tests

• TestDefaultGRPCConfig — asserts all new defaults.
• TestGetConfigGRPCDefaultsWhenAbsent — a legacy app.toml (missing the new keys) still resolves to the bounded in-code defaults, including the 5m idle default.
• TestGetConfigGRPCOverrides — operator-provided values override the defaults.

Test plan

• go test ./sei-cosmos/server/config/... ./sei-cosmos/server/grpc/... passes
• gofmt -s -l . prints nothing
• make build succeeds

🤖 Generated with Claude Code

[cursor]

PR Summary

Medium Risk
Default connection cap (1000) and 5m idle close change live gRPC behavior for all nodes unless overridden; mis-tuning could drop legitimate long-lived or high-fanout clients.

Overview
Adds operator-tunable gRPC server limits in app.toml and wires them into node startup. GRPCConfig now includes max receive message size (default 4 MB), max open connections (default 1000), idle connection timeout (default 5m), connection age/grace, and keepalive parameters; the config template documents each key.

StartGRPCServer takes the full GRPCConfig instead of only an address. It applies grpc.MaxRecvMsgSize, server keepalive params and enforcement policy, and wraps the TCP listener with netutil.LimitListener when max-open-connections is positive.

GetConfig applies in-code defaults when new grpc.* keys are missing so upgraded nodes with older app.toml files still get bounded limits instead of zero/unlimited values. Call sites in start.go and test network utilities pass config.GRPC. Tests cover default config, legacy TOML, and overrides.

^{Reviewed by Cursor Bugbot for commit aea7c9d. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	Jun 24, 2026, 9:08 PM

[codecov]

Codecov Report

❌ Patch coverage is 92.42424% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.16%. Comparing base (c528303) to head (aea7c9d).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
sei-cosmos/server/grpc/server.go	84.00%	2 Missing and 2 partials ⚠️
sei-cosmos/server/start.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3641      +/-   ##
==========================================
- Coverage   59.12%   58.16%   -0.96%     
==========================================
  Files        2259     2176      -83     
  Lines      186489   176950    -9539     
==========================================
- Hits       110255   102925    -7330     
+ Misses      66353    64931    -1422     
+ Partials     9881     9094     -787     

Flag	Coverage Δ
sei-chain-pr	53.93% <92.42%> (?)
sei-db	70.41% <ø> (ø)
sei-db-state-db	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
sei-cosmos/server/config/config.go	91.45% <100.00%> (+1.55%)	⬆️
sei-cosmos/server/config/toml.go	57.14% <ø> (ø)
sei-cosmos/server/start.go	24.51% <0.00%> (ø)
sei-cosmos/server/grpc/server.go	74.46% <84.00%> (+6.46%)	⬆️

... and 83 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.