refactor(webhooks): extract shared body-size cap to constants module

Address review feedback: hoist WEBHOOK_MAX_BODY_BYTES into a single
lib/webhooks/constants.ts so the trigger receiver and AgentMail route share
one source of truth instead of recomputing the env-derived cap (prevents
drift). Also drop the redundant request clone when the body stream is null.

Author: waleedlatif1

apps/sim/app/api/webhooks/agentmail/route.ts

@@ -19,7 +19,6 @@ import {
   agentMailMessageSchema,
   webhookSvixHeadersSchema,
 } from '@/lib/api/contracts/webhooks'
-import { env } from '@/lib/core/config/env'
 import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
 import {
   assertContentLengthWithinLimit,
@@ -29,29 +28,27 @@ import {
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { executeInboxTask } from '@/lib/mothership/inbox/executor'
 import type { AgentMailWebhookPayload, RejectionReason } from '@/lib/mothership/inbox/types'
+import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
 
 const logger = createLogger('AgentMailWebhook')
 
 const AUTOMATED_SENDERS = ['mailer-daemon@', 'noreply@', 'no-reply@', 'postmaster@']
 const MAX_EMAILS_PER_HOUR = 20
 
+const AGENTMAIL_BODY_LABEL = 'AgentMail webhook body'
+
 /**
  * Bound the unauthenticated AgentMail webhook body before buffering it for Svix
  * signature verification, so an oversized payload cannot exhaust pod memory.
  */
-const AGENTMAIL_MAX_BODY_BYTES =
-  Number.parseInt(env.WEBHOOK_MAX_REQUEST_BYTES, 10) || 10 * 1024 * 1024
-
-const AGENTMAIL_BODY_LABEL = 'AgentMail webhook body'
-
 async function readAgentMailBody(req: Request): Promise<string> {
-  assertContentLengthWithinLimit(req.headers, AGENTMAIL_MAX_BODY_BYTES, AGENTMAIL_BODY_LABEL)
+  assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, AGENTMAIL_BODY_LABEL)
   const stream = req.body
   if (!stream) {
     return req.text()
   }
   const buffer = await readStreamToBufferWithLimit(stream, {
-    maxBytes: AGENTMAIL_MAX_BODY_BYTES,
+    maxBytes: WEBHOOK_MAX_BODY_BYTES,
     label: AGENTMAIL_BODY_LABEL,
   })
   return new TextDecoder().decode(buffer)
@@ -65,7 +62,7 @@ export const POST = withRouteHandler(async (req: Request) => {
     } catch (bodyError) {
       if (isPayloadSizeLimitError(bodyError)) {
         logger.warn('Rejected oversized AgentMail webhook body', {
-          maxBytes: AGENTMAIL_MAX_BODY_BYTES,
+          maxBytes: WEBHOOK_MAX_BODY_BYTES,
           observedBytes: bodyError.observedBytes,
         })
         return NextResponse.json({ error: 'Request body too large' }, { status: 413 })

apps/sim/lib/webhooks/constants.ts

@@ -0,0 +1,12 @@
+import { env } from '@/lib/core/config/env'
+
+/**
+ * Maximum size of a webhook request body read into memory. The webhook receivers
+ * are public and unauthenticated, so the body must be bounded before it is
+ * buffered to prevent a memory-exhaustion DoS. Provider payloads rarely exceed a
+ * few MB; defaults to 10 MB and is overridable via `WEBHOOK_MAX_REQUEST_BYTES`.
+ *
+ * Shared by every public webhook receiver so the cap is a single source of truth.
+ */
+export const WEBHOOK_MAX_BODY_BYTES =
+  Number.parseInt(env.WEBHOOK_MAX_REQUEST_BYTES, 10) || 10 * 1024 * 1024

apps/sim/lib/webhooks/processor.ts

@@ -9,7 +9,6 @@ import { isOrganizationOnTeamOrEnterprisePlan } from '@/lib/billing/core/subscri
 import { tryAdmit } from '@/lib/core/admission/gate'
 import { getInlineJobQueue, getJobQueue, shouldExecuteInline } from '@/lib/core/async-jobs'
 import type { AsyncExecutionCorrelation } from '@/lib/core/async-jobs/types'
-import { env } from '@/lib/core/config/env'
 import { isProd } from '@/lib/core/config/feature-flags'
 import {
   assertContentLengthWithinLimit,
@@ -18,6 +17,7 @@ import {
 } from '@/lib/core/utils/stream-limits'
 import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { preprocessExecution } from '@/lib/execution/preprocessing'
+import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
 import {
   getPendingWebhookVerification,
   matchesPendingWebhookVerificationProbe,
@@ -77,15 +77,6 @@ async function verifyCredentialSetBilling(credentialSetId: string): Promise<{
   return { valid: true }
 }
 
-/**
- * Maximum size of a webhook request body read into memory. The webhook receiver
- * is public and unauthenticated, so the body must be bounded before it is
- * buffered to prevent a memory-exhaustion DoS. Provider payloads rarely exceed a
- * few MB; defaults to 10 MB and is overridable via `WEBHOOK_MAX_REQUEST_BYTES`.
- */
-export const WEBHOOK_MAX_BODY_BYTES =
-  Number.parseInt(env.WEBHOOK_MAX_REQUEST_BYTES, 10) || 10 * 1024 * 1024
-
 const WEBHOOK_BODY_LABEL = 'Webhook request body'
 
 export async function parseWebhookBody(
@@ -104,7 +95,9 @@ export async function parseWebhookBody(
       })
       rawBody = new TextDecoder().decode(buffer)
     } else {
-      rawBody = await request.clone().text()
+      // A null body stream means the request carries no body, so the parsed
+      // body is empty — no second clone needed.
+      rawBody = ''
     }
 
     if (!rawBody || rawBody.length === 0) {