feat(security): cumulative decompressed size gate in stream path — Phase 3 of issue #51

Adds _cumulative_decompressed accumulator inside wire_push_stream. After each O/OC object is decoded, the running total is compared against settings.bundle_max_decompressed_bytes; if exceeded, yields ERROR (413) and returns — no write, no branch advance. Mirrors the bundle path gate.

Both O-frame paths (inline and OC-reassembled) are guarded. The cap is read from settings, not hardcoded — monkeypatched to small values in tests.

4 TDD tests green (test_stream_security_phase3.py); 74 regression tests pass.

sha256:16141f5093d996133d5bb396e94cccc25de9dc1651fcb4384650b67d9d7c85ae sha

sha256:f5873efcc9d23e7b1d00f7ddce5ab0b559959aaa1ccb05b5b7ec3bf86cdb37dd parent

sha256:8fb53fa7719d1e62b5ea6ca6398a6de0bc98bbcbeeb5560b4d1defbd29471e82 snapshot

← Older Oldest on task/stream-security-phase3

All commits

Newer → Latest on task/stream-security-phase3

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:16141f5093d996133d5bb396e94cccc25de9dc1651fcb4384650b67d9d7c85ae --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:8fb53fa7719d1e62b5ea6ca6398a6de0bc98bbcbeeb5560b4d1defbd29471e82

Files 0

Browse tree at this commit →

Commit

SHA sha256:16141f5093d996133d5bb396e94cccc25de9dc1651fcb4384650b67d9d7c85ae

Parent

sha256:f5873efcc9d23e7b1d00f7ddce5ab0b559959aaa1ccb05b5b7ec3bf86cdb37dd

Branch task/stream-security-phase3