fix(Router): localize p_encrypted to prevent recursive-overwrite leak

[nightjoker7]

What this changes

Promotes Router::p_encrypted from a class member to a function-local in handleReceived(), so each invocation owns its own decrypt copy for its full lifetime. ~5 lines of functional change; no behavioral change on the non-recursive path.

Why

Router::handleReceived() re-enters itself: callModules() invokes module replies that go back through MeshService::sendToMesh -> Router::sendLocal, and on a broadcast reply that recursively calls handleReceived(). The inner call writes its own packetPool.allocCopy(*p) into this->p_encrypted, dropping the outer call's pointer with the allocation still live. The inner call also nulls the member on its way out, so when the outer call reaches packetPool.release(p_encrypted) it releases nullptr. The outer's allocation is permanently leaked. ~381 B per recursion event.

Copilot's review of #8999 (the original introduction of the member) flagged this exact pattern at merge time:

Storing p_encrypted as a class member can cause issues with recursive or concurrent calls to handleReceived() since each call would overwrite the previous packet pointer.

The historical justification — a pending S&F path needing to retain the encrypted copy across calls — was satisfied differently by #9799 (ServerAPI converted to std::unique_ptr + cleanup on connection close), so the member is no longer load-bearing.

How this fits with active issues

The recursion-overwrite is one mechanism behind:

• [Bug]: Heap memory leak when enabling MeshMonitor on Heltec V4 (firmware 2.7.15 and 2.7.19) #9632 — Heltec V4 heap leak when MeshMonitor enabled
• [Bug]: Station G2 TCP connection drops repeatedly when MeshMonitor is connected (2.7.21 alpha) #10101 — Station G2 TCP drops repeatedly when MeshMonitor connected (ROUTER_LATE 2.7.20)
• [Bug]: Configuring wifi on LILYGO T-LoRa V2.1-1.6 makes node unreachable for clients #8729 — LILYGO unreachable after wifi config (errno: 11 EAGAIN task-handle exhaustion during ServerAPI dump → abort())

All three share the trigger shape: persistent client + stale-connection timeout reconnects fire while a prior dump is still in flight. This PR closes one path on which that retry storm leaks; it does not claim to close all of them.

Reproduction and evidence

Two Station G2 devices on the same WiFi LAN. Each hammered with a slow-client TCP-API retry storm (open :4403, send want_config_id, read 2.5 s of the ServerAPI dump, close mid-stream, repeat at ~0.6/s). Pure TCP, no LoRa traffic. This is the trigger pattern that #9632 / #10101 attribute to MeshMonitor's STALE_CONNECTION_TIMEOUT=5min reconnect loop.

Build	heapFree drift over ~9 min	rebootCount delta
this patch	-1.5 KB (≈390 B/min, noise floor)	0
stock 2.7.13	-73 KB (8.1 KB/min)	+1 (OOM-class crash at t≈9 min)

Stock's heapTotal also contracted by ~11 KB during the test (allocator pool itself shrinking) — characteristic of a leak the heap can't reclaim. The patched build's heapTotal was stable to within 80 B.

The bench A/B without retry-storm trigger (~4,000 broadcast text sends each, with and without MQTT bridge re-injection) shows no drift on either build — consistent with the corpus, since the recursion window closes when the client is fast.

Why the diff is small

This matches the merge pattern of the recently landed leak fixes (#9799, #9693, #5901, #5328, #9781). Deliberately not bundled with any allocator restructure or other concerns.

Risk

Minimal. Lifetime of the function-local is identical to the prior member usage inside handleReceived (allocated at entry, released before return). All references to p_encrypted were already confined to that function body — verified by grep across src/. No subclass, friend class, or external module accesses the field. The pre-existing null-check at the MQTT publish site (added by #9136 as a workaround) stays in place because allocCopy can still legitimately return nullptr on packetPool exhaustion.

[Copilot]

Pull request overview

Fixes a confirmed heap leak in the mesh Router receive path by making the encrypted packet copy (p_encrypted) invocation-scoped, preventing recursive calls to Router::handleReceived() from overwriting the pointer and skipping the corresponding packetPool.release().

Changes:

• Remove Router::p_encrypted as a class member in favor of a function-local variable in handleReceived().
• Keep the allocation/release lifetime within handleReceived() while making it safe under re-entrant execution.
• Simplify teardown by relying on packetPool.release(nullptr) being a safe no-op.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/mesh/Router.h	Removes the p_encrypted member to eliminate shared mutable state across handleReceived() invocations.
src/mesh/Router.cpp	Introduces a function-local p_encrypted copy and releases it at function exit, preventing recursive overwrite leaks during broadcast-induced re-entry.