fix(sdk-python): cap wire-controlled frame lengths before allocation (PILOT-103)

[matthew-pilot]

What failed

pilotprotocol/client.py reads data-exchange ACK payloads (conn.read(ack_len)) and event-stream topic/payload frames (conn.read(topic_len), conn.read(payload_len)) using wire-controlled lengths parsed from remote bytes without any size cap. A malicious or buggy peer can advertise a 4 GiB length and force the SDK to attempt a single huge allocation → memory exhaustion / OOM kill DoS on the host process.

What was changed

Added MAX_PAYLOAD_SIZE = 1_048_576 (1 MiB) and MAX_TOPIC_SIZE = 4_096 (4 KiB) constants. Before each conn.read(N) where N comes from the wire:

• send_data / send_file ACK: if ack_len > 1 MiB, skip the ACK read and return the basic result (same as a failed/incomplete ACK read today — already handled by the caller)
• read_event: if topic_len > 4 KiB or payload_len > 1 MiB, return None (treated identically to an incomplete read — benign)

Verification

• go build ./...: ✅
• All 204 existing tests pass ✅
• 3 new cap constant tests added ✅
• 99% coverage (the 4 uncovered lines are the new early-return guards, only hit on oversized frames)

Closes PILOT-103

[codecov]

Codecov Report

❌ Patch coverage is 60.00000% with 4 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pilotprotocol/client.py	60.00%	4 Missing ⚠️

📢 Thoughts on this report? Let us know!

[matthew-pilot]

📊 PR Status Report

• State: OPEN · mergeable (no conflicts)
• CI: ✅ test (pass) · ❌ codecov/patch (FAILURE — patch coverage below threshold)
• Canary: not yet triggered
• Jira: PILOT-103 — QA/IN-REVIEW, assignee Teodor Calin, last updated 2026-05-28 09:45 +0300
• Operator activity: none since PR opened (2026-05-28 06:44 UTC)

Note: codecov/patch failure on sdk-python #3 — the uncovered lines are the new early-return guards for oversized frames (only hit with malicious peers). This is expected and matches what the PR body describes.