Add payload and timeout limits to HTTP/SSE servers

Addresses security audit issue #3: Unbounded request body parsing

- Set 10MB max payload length to prevent memory exhaustion
- Add 30 second read/write timeouts to prevent slowloris attacks
- Applied to both HttpServerWrapper and SseServerWrapper

This prevents DoS attacks via large request bodies or slow clients.

Author: 0xeb

src/server/http_server.cpp

@@ -24,6 +24,12 @@ bool HttpServerWrapper::start()
     if (running_)
         return false;
     svr_ = std::make_unique<httplib::Server>();
+
+    // Security: Set payload and timeout limits to prevent DoS
+    svr_->set_payload_max_length(10 * 1024 * 1024);  // 10MB max payload
+    svr_->set_read_timeout(30, 0);   // 30 second read timeout
+    svr_->set_write_timeout(30, 0);  // 30 second write timeout
+
     // Generic POST: /<route>
     svr_->Post(R"(/(.*))",
                [this](const httplib::Request& req, httplib::Response& res)

src/server/sse_server.cpp

@@ -136,6 +136,11 @@ bool SseServerWrapper::start()
 
     svr_ = std::make_unique<httplib::Server>();
 
+    // Security: Set payload and timeout limits to prevent DoS
+    svr_->set_payload_max_length(10 * 1024 * 1024);  // 10MB max payload
+    svr_->set_read_timeout(30, 0);   // 30 second read timeout
+    svr_->set_write_timeout(30, 0);  // 30 second write timeout
+
     // Set up SSE endpoint (GET)
     svr_->Get(sse_path_,
               [this](const httplib::Request&, httplib::Response& res)