Add max size validation to envelope.Unmarshal

[lanycrost]

Problem statement

envelope.Unmarshal deserializes JSON into an Envelope struct without any size validation beyond checking for empty input. The Payload and Inputs fields are json.RawMessage (unbounded byte slices). A crafted BinaryFrame with a valid MIME type containing hundreds of megabytes of JSON can exhaust server memory.

For comparison, core/templating enforces maxTemplateValidationJSONBytes = 1MB. The envelope layer that feeds data into it has no equivalent guard.

Proposed change

Add a maximum size constant and check before deserializing:

const MaxEnvelopeSize = 10 * 1024 * 1024 // 10MB

func Unmarshal(data []byte) (*Envelope, error) {
    if len(data) == 0 {
        return nil, fmt.Errorf("envelope payload empty")
    }
    if len(data) > MaxEnvelopeSize {
        return nil, fmt.Errorf("envelope payload exceeds maximum size of %d bytes", MaxEnvelopeSize)
    }
    // ... existing logic
}

Also consider validating that Payload is valid JSON in Marshal:

if len(out.Payload) > 0 && !json.Valid(out.Payload) {
    return nil, fmt.Errorf("envelope payload is not valid JSON")
}

Affected area

• Proto definitions
• Envelope helpers

Compatibility / migration

Envelopes exceeding 10MB were never intended to work correctly. The limit is generous — typical envelopes are under 1MB. Adjust the constant if specific use cases require larger payloads.

Additional context

Identified during security review. The attack surface is: attacker sends BinaryFrame with valid application/vnd.bubu.packet+json MIME type but oversized payload. FromBinaryFrame → Unmarshal → OOM.