
fix(sdk-node): cap wire-controlled frame lengths before allocation (PILOT-103)#3

Merged
TeoSlayer merged 1 commit into main from openclaw/pilot-103-20260528-064502 on May 28, 2026

Conversation

@matthew-pilot (Collaborator)

What failed

src/client.ts reads data-exchange ACK payloads (conn.read(ackLen)) and event-stream topic/payload frames (conn.read(topicLen), conn.read(payloadLen)) using wire-controlled lengths parsed from remote bytes without any size cap. A malicious or buggy peer can advertise a 4 GiB length and force the SDK to attempt a single huge allocation → memory exhaustion / OOM kill DoS on the host process.

What was changed

Added MAX_PAYLOAD_SIZE = 1_048_576 (1 MiB) and exported MAX_TOPIC_SIZE = 4_096 (4 KiB) constants. Before each conn.read(N) where N comes from the wire:

  • sendMessage / sendFile ACK: if ackLen > 1 MiB, skip the ACK read and return the basic result (same as a failed/incomplete ACK read today — already handled by the caller)
  • readEventFrame: if topicLen > 4 KiB or payloadLen > 1 MiB, return null (treated identically to an incomplete read — benign)

Verification

  • tsc build: ✅
  • All 173 existing tests pass ✅
  • 1 new cap export test added ✅

Closes PILOT-103

…ILOT-103)

SDK read data-exchange ACK payloads and event-stream topic/payload
frames using wire-controlled lengths (readUInt32BE/readUInt16BE on
remote bytes) without any size cap. A malicious peer could advertise
a 4 GiB length and force the SDK to attempt a single huge allocation,
causing memory exhaustion and OOM kill on the host process.

Add MAX_PAYLOAD_SIZE (1 MiB) and MAX_TOPIC_SIZE (4 KiB) guards:
- sendMessage / sendFile: if ackLen > 1 MiB, skip ack and return
- readEventFrame: if topicLen > 4 KiB or payloadLen > 1 MiB,
  return null (treated identically to an incomplete read — benign)

All 173 existing tests pass; 1 new cap export test added.

Closes PILOT-103
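The cap-before-read logic that the description and the commit message outline, as an added TypeScript example that is not the SDK's own code. The frame layout (big-endian u16 topic length followed by u32 payload length), the `ByteSource` stand-in for `conn.read(n)`, `buildFrame` and the ASCII topic decoding are assumptions; `DataView` stands in for `Buffer.readUInt16BE` / `readUInt32BE`. The same check guards the ACK read in `sendMessage` / `sendFile`.

```typescript
// Added example (not the SDK's code): a length-prefixed event frame reader that
// applies the PR's caps before any allocation whose size comes from the peer.
const MAX_TOPIC_SIZE = 4_096;        // 4 KiB, from the PR
const MAX_PAYLOAD_SIZE = 1_048_576;  // 1 MiB, from the PR

interface EventFrame { topic: string; payload: Uint8Array; }

// Stand-in for the SDK's conn.read(n) (not on the page): yields exactly n bytes,
// or null when fewer remain, which models an incomplete read.
class ByteSource {
  private pos = 0;
  constructor(private readonly buf: Uint8Array) {}
  read(n: number): Uint8Array | null {
    if (this.pos + n > this.buf.length) return null;
    const out = this.buf.subarray(this.pos, this.pos + n);
    this.pos += n;
    return out;
  }
}

// Assumed frame layout (the page does not spell it out):
//   u16 topicLen | u32 payloadLen | topic bytes | payload bytes   (big-endian)
function readEventFrame(conn: ByteSource): EventFrame | null {
  const header = conn.read(6);
  if (header === null) return null;
  const view = new DataView(header.buffer, header.byteOffset, header.byteLength);
  const topicLen = view.getUint16(0);    // like Buffer.readUInt16BE
  const payloadLen = view.getUint32(2);  // like Buffer.readUInt32BE
  // The fix: a peer-advertised length beyond the cap is rejected here, so no
  // read or allocation of that size is ever attempted; null == incomplete frame.
  if (topicLen > MAX_TOPIC_SIZE || payloadLen > MAX_PAYLOAD_SIZE) return null;
  const topic = conn.read(topicLen);
  if (topic === null) return null;
  const payload = conn.read(payloadLen);
  if (payload === null) return null;
  // Topic decoded as ASCII for the example; the real encoding is not on the page.
  return { topic: Array.from(topic, (b) => String.fromCharCode(b)).join(""), payload };
}

// Builds a constructed frame whose header lengths may deliberately lie about the body.
function buildFrame(topicLen: number, payloadLen: number, body: Uint8Array): Uint8Array {
  const out = new Uint8Array(6 + body.length);
  const view = new DataView(out.buffer);
  view.setUint16(0, topicLen);
  view.setUint32(2, payloadLen);
  out.set(body, 6);
  return out;
}
```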
@matthew-pilot (Collaborator, Author)

📊 PR Status Report

  • State: OPEN · mergeable (no conflicts)
  • CI: ✅ test (pass) · ✅ security/snyk (pass)
  • Canary: not yet triggered
  • Jira: PILOT-103 — QA/IN-REVIEW, assignee Teodor Calin, last updated 2026-05-28 09:45 +0300
  • Operator activity: none since PR opened (2026-05-28 06:45 UTC)

Awaiting operator review. Canary can be triggered on request with @matthew-pilot retry canary.

@TeoSlayer TeoSlayer merged commit f4bbc8c into main May 28, 2026
2 checks passed
@TeoSlayer TeoSlayer deleted the openclaw/pilot-103-20260528-064502 branch May 28, 2026 16:56
