From e5294ec7127e6fe58d010c499dfe9425442eccf0 Mon Sep 17 00:00:00 2001
From: Michael Freno <michaelt.freno@gmail.com>
Date: Sat, 9 May 2026 16:44:56 -0400
Subject: [PATCH] Add WebSocket maxPayload limit (64KB) (FRE-4747)

Set maxPayload: 65536 on WebSocketServer constructor to bound
per-message memory usage, addressing security review
recommendation M1 from FRE-4474.
---
 services/spamshield/src/websocket/alert-server.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/services/spamshield/src/websocket/alert-server.ts b/services/spamshield/src/websocket/alert-server.ts
index 239dca9..12a961c 100644
--- a/services/spamshield/src/websocket/alert-server.ts
+++ b/services/spamshield/src/websocket/alert-server.ts
@@ -58,6 +58,7 @@ export class AlertServer {
     this.wss = new WebSocketServer({
       port: this.config.port,
       host: this.config.host,
+      maxPayload: 65536, // 64KB limit to prevent memory exhaustion attacks
     });
     
     this.setupWebSocketHandlers();