Skip to content

Streamed result chunks have no size cap (§14 memory exhaustion) #56

Open
Open
Streamed result chunks have no size cap (§14 memory exhaustion)#56
Labels
audit/spec-conformanceAudit: ARCP v1.1 spec non-conformancesev/majorSeverity: major
@nficano

Description

@nficano
nficano
opened on May 28, 2026

Category: spec-conformance Severity: major
Location: lib/arcp/runtime/job_context.rb:151-165
Spec: ARCP v1.1 §14

What

Spec §14 says runtimes SHOULD cap individual chunk size and total streamed result size, and exceeding either MUST result in INTERNAL_ERROR. ChunkWriter#write enforces no per-chunk or cumulative cap, exposing memory exhaustion on both ends.

Evidence

def write(chunk, more: true)
  raise Arcp::Errors::ProtocolViolation, 'stream closed' if @closed
  data = case @encoding
         when 'base64' then Base64.strict_encode64(chunk)
         else chunk.dup.force_encoding('UTF-8')
         end
  @bytes += chunk.bytesize
  ...
end

Proposed fix

Add configurable per-chunk and total-result size caps; raise INTERNAL_ERROR when exceeded.

Acceptance criteria

  • Writing a chunk larger than the cap (or exceeding the total cap) raises INTERNAL_ERROR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    audit/spec-conformanceAudit: ARCP v1.1 spec non-conformancesev/majorSeverity: major

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions