fix(kilo-chat): cap request body sizes on inbound webhook and controller proxy

Both the plugin's inbound webhook (readBody) and the controller's
kilo-chat proxy routes previously buffered the full request body into
memory with no size cap. A malformed or adversarial caller could send
a multi-MB body and exhaust the Fly machine's memory budget, taking
down other tenants sharing the instance.

- Plugin webhook readBody: track cumulative bytes and throw
  WebhookBodyTooLargeError once the 1 MB cap is exceeded; handler
  maps this to HTTP 413.
- Controller proxy routes: check Content-Length before c.req.text()
  and reject with 413 if over the cap. 1 MB for send/edit (message
  content can legitimately be large); 8 KB for typing / reactions /
  delete where payloads are tiny.

Caller is already authenticated (OPENCLAW_GATEWAY_TOKEN), but this
is defense-in-depth: a buggy or compromised plugin is the realistic
threat, and the fix is cheap.

Author: iscekic

services/kiloclaw/controller/src/routes/kilo-chat.test.ts

@@ -492,3 +492,65 @@ describe('DELETE /_kilo/kilo-chat/messages/:id/reactions', () => {
     expect(res.status).toBe(401);
   });
 });
+
+describe('body size limits', () => {
+  function makeApp(register: typeof registerKiloChatSendRoute, fetchImpl: typeof fetch) {
+    const app = new Hono();
+    register(app, {
+      expectedToken: TOKEN,
+      sandboxId: SANDBOX_ID,
+      apiToken: 'api_token',
+      baseUrl: 'https://chat.example.test',
+      fetchImpl,
+    });
+    return app;
+  }
+
+  it('send route rejects bodies larger than the 1 MB cap with 413', async () => {
+    let upstreamCalled = false;
+    const fetchImpl = (async () => {
+      upstreamCalled = true;
+      return new Response('{}', { status: 201 });
+    }) as typeof fetch;
+    const app = makeApp(registerKiloChatSendRoute, fetchImpl);
+
+    const oversizedBody = 'x'.repeat(1 * 1024 * 1024 + 10);
+    const res = await app.fetch(
+      new Request('http://x/_kilo/kilo-chat/send', {
+        method: 'POST',
+        headers: {
+          authorization: `Bearer ${TOKEN}`,
+          'content-type': 'application/json',
+          'content-length': String(oversizedBody.length),
+        },
+        body: oversizedBody,
+      })
+    );
+    expect(res.status).toBe(413);
+    expect(upstreamCalled).toBe(false);
+  });
+
+  it('typing route rejects bodies larger than the small cap with 413', async () => {
+    let upstreamCalled = false;
+    const fetchImpl = (async () => {
+      upstreamCalled = true;
+      return new Response('{}', { status: 204 });
+    }) as typeof fetch;
+    const app = makeApp(registerKiloChatTypingRoute, fetchImpl);
+
+    const oversizedBody = JSON.stringify({ conversationId: 'c1', padding: 'x'.repeat(16 * 1024) });
+    const res = await app.fetch(
+      new Request('http://x/_kilo/kilo-chat/typing', {
+        method: 'POST',
+        headers: {
+          authorization: `Bearer ${TOKEN}`,
+          'content-type': 'application/json',
+          'content-length': String(oversizedBody.length),
+        },
+        body: oversizedBody,
+      })
+    );
+    expect(res.status).toBe(413);
+    expect(upstreamCalled).toBe(false);
+  });
+});

services/kiloclaw/controller/src/routes/kilo-chat.ts

@@ -1,4 +1,4 @@
-import type { Hono } from 'hono';
+import type { Context, Hono } from 'hono';
 import { timingSafeTokenEqual } from '../auth';
 import { getBearerToken } from './gateway';
 
@@ -10,6 +10,31 @@ export type KiloChatRouteOptions = {
   fetchImpl?: typeof fetch;
 };
 
+/**
+ * Max accepted body for kilo-chat proxy routes. Message content is small; 1 MB
+ * is already generous. Guards against unbounded buffering in c.req.text().
+ */
+const MAX_BODY_BYTES = 1 * 1024 * 1024;
+/** Reactions/typing/delete carry tiny payloads; cap tighter. */
+const MAX_SMALL_BODY_BYTES = 8 * 1024;
+
+/**
+ * Reject oversized bodies by Content-Length. Returns a 413 Response if the
+ * declared body exceeds `limit`, otherwise `null` to continue. Missing/invalid
+ * Content-Length is allowed (chunked encoding) — the underlying platform
+ * enforces its own per-request memory ceiling.
+ */
+function guardBodySize(c: Context, limit: number): Response | null {
+  const header = c.req.header('content-length');
+  if (!header) return null;
+  const n = Number(header);
+  if (!Number.isFinite(n) || n < 0) return null;
+  if (n > limit) {
+    return c.json({ error: 'Payload too large' }, 413);
+  }
+  return null;
+}
+
 const KILO_CHAT_SEND_PATH = '/_kilo/kilo-chat/send';
 
 export function registerKiloChatSendRoute(app: Hono, options: KiloChatRouteOptions): void {
@@ -21,6 +46,9 @@ export function registerKiloChatSendRoute(app: Hono, options: KiloChatRouteOptio
       return c.json({ error: 'Unauthorized' }, 401);
     }
 
+    const oversized = guardBodySize(c, MAX_BODY_BYTES);
+    if (oversized) return oversized;
+
     const rawBody = await c.req.text();
 
     const upstream = await fetchImpl(`${options.baseUrl}/v1/messages`, {
@@ -52,6 +80,10 @@ export function registerKiloChatEditRoute(app: Hono, options: KiloChatRouteOptio
     if (!token || !timingSafeTokenEqual(token, options.expectedToken)) {
       return c.json({ error: 'Unauthorized' }, 401);
     }
+
+    const oversized = guardBodySize(c, MAX_BODY_BYTES);
+    if (oversized) return oversized;
+
     const messageId = c.req.param('messageId');
     const rawBody = await c.req.text();
 
@@ -88,6 +120,9 @@ export function registerKiloChatTypingRoute(app: Hono, options: KiloChatRouteOpt
       return c.json({ error: 'Unauthorized' }, 401);
     }
 
+    const oversized = guardBodySize(c, MAX_SMALL_BODY_BYTES);
+    if (oversized) return oversized;
+
     let body: { conversationId?: unknown };
     try {
       body = (await c.req.json()) as { conversationId?: unknown };
@@ -130,6 +165,10 @@ export function registerKiloChatReactionPostRoute(app: Hono, options: KiloChatRo
     if (!token || !timingSafeTokenEqual(token, options.expectedToken)) {
       return c.json({ error: 'Unauthorized' }, 401);
     }
+
+    const oversized = guardBodySize(c, MAX_SMALL_BODY_BYTES);
+    if (oversized) return oversized;
+
     const messageId = c.req.param('messageId');
     const rawBody = await c.req.text();
 
@@ -166,6 +205,10 @@ export function registerKiloChatReactionDeleteRoute(
     if (!token || !timingSafeTokenEqual(token, options.expectedToken)) {
       return c.json({ error: 'Unauthorized' }, 401);
     }
+
+    const oversized = guardBodySize(c, MAX_SMALL_BODY_BYTES);
+    if (oversized) return oversized;
+
     const messageId = c.req.param('messageId');
     const rawBody = await c.req.text();
 
@@ -199,6 +242,10 @@ export function registerKiloChatDeleteRoute(app: Hono, options: KiloChatRouteOpt
     if (!token || !timingSafeTokenEqual(token, options.expectedToken)) {
       return c.json({ error: 'Unauthorized' }, 401);
     }
+
+    const oversized = guardBodySize(c, MAX_SMALL_BODY_BYTES);
+    if (oversized) return oversized;
+
     const messageId = c.req.param('messageId');
     const rawBody = await c.req.text();
 

services/kiloclaw/plugins/kilo-chat/src/webhook.test.ts

@@ -82,6 +82,16 @@ describe('createKiloChatWebhookHandler', () => {
     await handler(makeReq(body), res);
     expect(getStatus()).toBe(400);
   });
+
+  it('returns 413 when the inbound body exceeds the size cap', async () => {
+    // 1 MB + 1 byte: well over the 1 MB cap. readBody must reject before parsing.
+    const body = 'x'.repeat(1 * 1024 * 1024 + 1);
+    const handler = createKiloChatWebhookHandler({ api: {} as never });
+    const { res, getStatus, getBody } = makeRes();
+    await handler(makeReq(body), res);
+    expect(getStatus()).toBe(413);
+    expect(getBody()).toContain('Payload too large');
+  });
 });
 
 function fakeClient(calls: { type: string; args: unknown }[]): KiloChatClient {

services/kiloclaw/plugins/kilo-chat/src/webhook.ts

@@ -249,10 +249,25 @@ async function dispatchInbound(
 // HTTP body reader
 // ---------------------------------------------------------------------------
 
+/** Max accepted inbound webhook body. Messages are small — 1 MB is already generous. */
+const MAX_WEBHOOK_BODY_BYTES = 1 * 1024 * 1024;
+
+export class WebhookBodyTooLargeError extends Error {
+  constructor(public readonly limit: number) {
+    super(`kilo-chat: webhook body exceeds ${limit} bytes`);
+  }
+}
+
 async function readBody(req: IncomingMessage): Promise<string> {
   const chunks: Buffer[] = [];
+  let total = 0;
   for await (const chunk of req) {
-    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk as string));
+    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk as string);
+    total += buf.length;
+    if (total > MAX_WEBHOOK_BODY_BYTES) {
+      throw new WebhookBodyTooLargeError(MAX_WEBHOOK_BODY_BYTES);
+    }
+    chunks.push(buf);
   }
   return Buffer.concat(chunks).toString('utf8');
 }
@@ -263,7 +278,18 @@ async function readBody(req: IncomingMessage): Promise<string> {
 
 export function createKiloChatWebhookHandler(deps: KiloChatWebhookDeps) {
   return async (req: IncomingMessage, res: ServerResponse): Promise<boolean> => {
-    const rawBody = await readBody(req);
+    let rawBody: string;
+    try {
+      rawBody = await readBody(req);
+    } catch (err) {
+      if (err instanceof WebhookBodyTooLargeError) {
+        res.statusCode = 413;
+        res.setHeader('content-type', 'application/json');
+        res.end(JSON.stringify({ error: 'Payload too large' }));
+        return true;
+      }
+      throw err;
+    }
 
     let parsed: unknown;
     try {