fix(network): cancel in-flight OkHttp calls when kill switch is disabled (R2 round 7)

KillSwitchInterceptor only rejects NEW requests on chain entry; calls that have already passed the interceptors and are blocked on socket I/O (especially MapLibre online-tile fetches that go through the raw call factory) continued running for the full read timeout after the user toggled offline -- leaking cleartext metadata for up to 30 seconds.

DefaultNetworkGateway.setEnabled(false) now calls client.dispatcher.cancelAll() on the shared OkHttp Dispatcher. Per-request clients built via newBuilder() share that Dispatcher instance, so MapLibre's tile and style requests are cancelled too. The flip is idempotent and only fires on a true enabled->disabled transition.

Updated NetworkGateway.setEnabled KDoc to accurately describe both effects (reject future + cancel in-flight). Added test that enqueues a SocketPolicy.NO_RESPONSE response, launches a synchronous call on a worker thread, flips the switch off, and asserts the call is cancelled within 5s (would otherwise wait the 30s read timeout).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: adsamcik

network/src/main/java/com/adsamcik/tracker/network/DefaultNetworkGateway.kt

@@ -219,7 +219,19 @@ class DefaultNetworkGateway(
 	}
 
 	override fun setEnabled(enabled: Boolean) {
+		val wasEnabled = _isEnabled.value
 		_isEnabled.value = enabled
+		// R2 round 7: when flipping the kill switch OFF, cancel every in-flight
+		// queued + executing call on the shared OkHttp Dispatcher. Without this,
+		// online tile fetches launched a moment before the user toggles offline
+		// continue to completion (potentially several seconds of cleartext
+		// metadata in flight) — the KillSwitchInterceptor only stops NEW calls.
+		// MapLibre uses the same call factory, so its tile/style requests are
+		// cancelled too. Per-request OkHttpClients built via newBuilder() share
+		// this Dispatcher instance, so cancelAll() reaches them as well.
+		if (wasEnabled && !enabled) {
+			runCatching { client.dispatcher.cancelAll() }
+		}
 	}
 
 	override fun setPolicy(policy: NetworkPolicy) {

network/src/main/java/com/adsamcik/tracker/network/NetworkGateway.kt

@@ -71,11 +71,26 @@ interface NetworkGateway {
 	suspend fun request(req: NetworkRequest): NetworkResponse
 
 	/**
-	 * Toggle the kill switch. Pass `false` to immediately reject all in-flight
-	 * and subsequent requests with [NetworkError.GatewayDisabled].
+	 * Toggle the kill switch.
+	 *
+	 * Passing `false` does two things:
+	 *  1. **Future requests** entering [request] or the raw [okhttp3.Call.Factory]
+	 *     (used by MapLibre online tiles) are rejected immediately with
+	 *     [NetworkError.GatewayDisabled] before any DNS / TCP / TLS work.
+	 *  2. **In-flight calls** that have already passed interceptors and are
+	 *     blocked on socket I/O are actively cancelled via
+	 *     `OkHttpClient.dispatcher.cancelAll()`. This prevents an online tile
+	 *     fetch launched a moment before the user toggles offline from
+	 *     continuing to spend cleartext metadata for the full read timeout
+	 *     (interceptors only check on chain entry; they cannot interrupt a
+	 *     blocking read).
+	 *
+	 * Passing `true` simply re-arms the gateway. No in-flight calls exist at
+	 * that moment (they were cancelled when the switch was flipped off, or
+	 * never started), so there is nothing to resume.
 	 *
 	 * Intended to be wired to a user-facing setting and to system events
-	 * (airplane mode, metered network, low battery — at the discretion of the
+	 * (airplane mode, metered network, low battery -- at the discretion of the
 	 * consumer feature).
 	 */
 	fun setEnabled(enabled: Boolean)

network/src/test/java/com/adsamcik/tracker/network/DefaultNetworkGatewayTest.kt

@@ -110,6 +110,67 @@ class DefaultNetworkGatewayTest {
 		response.error shouldBe NetworkError.GatewayDisabled
 	}
 
+	@Test
+	fun `setEnabled(false) cancels in-flight OkHttp calls (R2 round 7)`() {
+		// Before the fix, KillSwitchInterceptor only rejected NEW requests;
+		// any call that had already passed through the application interceptors
+		// and was waiting on socket I/O kept running for the full read timeout
+		// (up to 30s of in-flight cleartext metadata when the user toggles
+		// online tiles off). The fix calls client.dispatcher.cancelAll() inside
+		// setEnabled(false) so MapLibre's pending tile fetches die immediately.
+		val gateway = DefaultNetworkGateway(
+			initialEnabled = true,
+			initialPolicy = NetworkPolicy(
+				allowedHosts = setOf("localhost"),
+				perHostRateLimit = 1_000,
+				perHostRateWindowMs = 60_000L,
+			),
+		)
+		// Make MockWebServer accept the connection but never send any response —
+		// the client blocks on socket read indefinitely. setBodyDelay alone is
+		// not enough because execute() returns once headers arrive; we need the
+		// call to still be in-flight when we toggle the kill switch.
+		httpsServer.enqueue(
+			MockResponse().setSocketPolicy(okhttp3.mockwebserver.SocketPolicy.NO_RESPONSE),
+		)
+		val client = gateway.httpsTestClient()
+		val call = client.newCall(
+			okhttp3.Request.Builder().url("https://localhost:${httpsServer.port}/slow").build(),
+		)
+
+		// Launch the call on a background thread so we can flip the kill switch
+		// from the test thread while it's blocked on socket read.
+		val resultRef = java.util.concurrent.atomic.AtomicReference<Throwable?>(null)
+		val started = java.util.concurrent.CountDownLatch(1)
+		val finished = java.util.concurrent.CountDownLatch(1)
+		val t = Thread {
+			started.countDown()
+			try {
+				call.execute().close()
+			} catch (e: Throwable) {
+				resultRef.set(e)
+			} finally {
+				finished.countDown()
+			}
+		}
+		t.start()
+		// Wait for the worker thread to enter the blocking call.
+		started.await(2, java.util.concurrent.TimeUnit.SECONDS)
+		// Brief sleep so the call actually reaches the socket-read stage.
+		Thread.sleep(200)
+
+		// Flip the kill switch — cancelAll() should kill the in-flight call.
+		gateway.setEnabled(false)
+
+		// The call should finish quickly (cancelled), not wait the 60s delay.
+		val cancelled = finished.await(5, java.util.concurrent.TimeUnit.SECONDS)
+		cancelled shouldBe true
+		call.isCanceled() shouldBe true
+		val err = resultRef.get()
+		err shouldNotBe null
+		// OkHttp surfaces cancellation as IOException("Canceled") (or similar).
+		(err is java.io.IOException) shouldBe true
+	}
 	@Test
 	fun `host not in allowlist returns HostNotAllowed before any network IO`() = runTest {
 		val gateway = DefaultNetworkGateway(