fix(gateway): enforce request body size limits

src/config/schema.test.ts

@@ -28,6 +28,26 @@ describe('configSchema — sandbox', () => {
   });
 });
 
+describe('configSchema — server', () => {
+  const minimalConfig = {
+    telegram: { bot_token: 'test', allowed_chat_ids: [1] },
+    models: { default: { provider: 'anthropic', model: 'claude-3' } },
+  };
+
+  it('defaults max_request_body_bytes', () => {
+    const result = configSchema.parse(minimalConfig);
+    expect(result.server.max_request_body_bytes).toBe(1_048_576);
+  });
+
+  it('accepts custom max_request_body_bytes', () => {
+    const result = configSchema.parse({
+      ...minimalConfig,
+      server: { max_request_body_bytes: 2048 },
+    });
+    expect(result.server.max_request_body_bytes).toBe(2048);
+  });
+});
+
 describe('configSchema — agent_configs', () => {
   const minimalConfig = {
     telegram: { bot_token: 'test', allowed_chat_ids: [1] },

src/config/schema.ts

@@ -36,6 +36,8 @@ const serverSchema = z.object({
   auth_http: z.boolean().default(true),
   /** Single-client gateway lock. When true, only one WebSocket client can be connected at a time. */
   lock: z.boolean().default(false),
+  /** Maximum size (bytes) for inbound HTTP request bodies (webhooks/Gmail push). */
+  max_request_body_bytes: z.number().min(1024).max(10 * 1024 * 1024).default(1_048_576),
 });
 
 /** All supported model provider identifiers. Used by the config schema and TUI autocompletion. */