feat(security): outbound payload + response-read caps + TLS-on (M3b) #71

Description

@williamdewitt

Part of #9 (M3 epic). Decomposed slice M3b. risk:critical — human-merge + design update. Not agent-labelled yet.

Blocked by #70.

Acceptance criteria

  • Cap the outbound request payload size and bound the bytes read from the receiver's response (no unbounded reads) — prevents resource exhaustion / a hostile receiver.
  • TLS enforced on outbound (no plaintext fallback).
  • Configurable caps with safe defaults; fail-fast options validation.
  • Tests prove the caps are enforced and TLS-on is required.

Definition of done

  • Builds net8.0+net10.0, 0 warnings; tests green; linked design update (docs/concepts/security.md).

Design: docs/concepts/security.md. Shares the delivery HTTP path with M3a (hence blocked-by).
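One shape the four acceptance criteria could take on the shared delivery HTTP path, written here as an added illustration rather than code from this project (the issue links docs/concepts/security.md for the real design). Every type and member name below (`OutboundCaps`, `CappedDelivery`, `ReadBoundedAsync`, the default cap values) is this example's own assumption, not a project identifier. It targets the `HttpClient`/`SocketsHttpHandler` API available on net8.0 and later.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical options type. Defaults are safe-by-default guesses for this example,
// not values taken from the project.
public sealed class OutboundCaps
{
    public long MaxRequestBytes { get; init; } = 1024 * 1024;   // 1 MiB outbound payload cap
    public long MaxResponseBytes { get; init; } = 64 * 1024;    // 64 KiB bound on bytes read back
    public bool RequireTls { get; init; } = true;               // no plaintext fallback

    // Fail-fast validation: bad configuration is rejected at construction/startup,
    // not discovered on the first delivery attempt.
    public void Validate()
    {
        if (MaxRequestBytes <= 0)
            throw new ArgumentOutOfRangeException(nameof(MaxRequestBytes), "must be > 0");
        if (MaxResponseBytes <= 0)
            throw new ArgumentOutOfRangeException(nameof(MaxResponseBytes), "must be > 0");
        if (!RequireTls)
            throw new InvalidOperationException("RequireTls=false is not supported: plaintext delivery is disabled");
    }
}

public sealed class CappedDelivery
{
    private readonly HttpClient _http;
    private readonly OutboundCaps _caps;

    public CappedDelivery(HttpClient http, OutboundCaps caps)
    {
        caps.Validate();   // fail fast
        _http = http;
        _caps = caps;
    }

    // Handler that cannot be talked down to plaintext: no redirect following (so an
    // https:// receiver cannot bounce us to http://) and TLS 1.2+ only.
    public static HttpClient CreateClient() => new HttpClient(new SocketsHttpHandler
    {
        AllowAutoRedirect = false,
        SslOptions = new SslClientAuthenticationOptions
        {
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        },
    });

    public async Task<(int Status, byte[] Body)> DeliverAsync(Uri receiver, byte[] payload, CancellationToken ct)
    {
        // TLS enforced before any network I/O: only https:// receivers are accepted.
        if (!string.Equals(receiver.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"receiver must be https: {receiver}");

        // Payload cap, checked on the bytes actually sent.
        if (payload.LongLength > _caps.MaxRequestBytes)
            throw new InvalidOperationException(
                $"payload {payload.LongLength} B exceeds cap {_caps.MaxRequestBytes} B");

        using var req = new HttpRequestMessage(HttpMethod.Post, receiver) { Content = new ByteArrayContent(payload) };
        // ResponseHeadersRead: HttpClient must not buffer the whole body before we bound it.
        using var resp = await _http.SendAsync(req, HttpCompletionOption.ResponseHeadersRead, ct);

        // Content-Length is receiver-controlled and may be absent or lie; treat it as an
        // early-reject hint only. The real bound is enforced while reading.
        if (resp.Content.Headers.ContentLength is long declared && declared > _caps.MaxResponseBytes)
            throw new InvalidOperationException($"declared response length {declared} B exceeds cap");

        await using var stream = await resp.Content.ReadAsStreamAsync(ct);
        var body = await ReadBoundedAsync(stream, _caps.MaxResponseBytes, ct);
        return ((int)resp.StatusCode, body);
    }

    // Reads at most maxBytes and throws if the stream still has data beyond that, so a
    // hostile receiver streaming an endless or chunked-forever body cannot exhaust memory.
    internal static async Task<byte[]> ReadBoundedAsync(Stream stream, long maxBytes, CancellationToken ct)
    {
        using var ms = new MemoryStream();
        var buf = new byte[8192];
        long total = 0;
        while (true)
        {
            // Request at most the remaining budget plus one byte; the extra byte is how
            // we detect "more data than allowed" without reading it all.
            int want = (int)Math.Min(buf.Length, maxBytes - total + 1);
            int n = await stream.ReadAsync(buf.AsMemory(0, want), ct);
            if (n == 0) break;
            total += n;
            if (total > maxBytes)
                throw new InvalidOperationException($"response exceeded cap of {maxBytes} B");
            ms.Write(buf, 0, n);
        }
        return ms.ToArray();
    }
}
```

Tests for this slice would drive `ReadBoundedAsync` with a `MemoryStream` one byte over the cap and expect the throw, and construct `OutboundCaps { RequireTls = false }` and expect `Validate()` to reject it; the scheme check is exercised with an `http://` URI and asserted to fail before any request is sent.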

Metadata

Assignees

No one assigned

Labels

  • area:delivery — Delivery loop / dispatcher / retry / signing
  • area:security — SSRF guard, signing, secret-at-rest, receiver verify
  • priority:p2 — Normal priority
  • ready — Has acceptance criteria + DoD; pickable by the loop
  • risk:critical — SSRF/signing/secret/public-API/migrations; review + design (Opus, max)
  • type:feat — New feature
