create-fluxstack 1.13.0 → 1.14.0

package/core/server/live/StateSignature.ts

@@ -18,6 +18,7 @@ export interface SignedState<T = any> {
   keyId?: string // For key rotation
   compressed?: boolean // For state compression
   encrypted?: boolean // For sensitive data
+  nonce?: string // 🔒 Anti-replay: unique per signed state
 }
 
 export interface StateValidationResult {
@@ -26,6 +27,7 @@ export interface StateValidationResult {
   tampered?: boolean
   expired?: boolean
   keyRotated?: boolean
+  replayed?: boolean // 🔒 Anti-replay: nonce was already consumed
 }
 
 export interface StateBackup<T = any> {
@@ -57,6 +59,10 @@ export class StateSignature {
   private compressionConfig: CompressionConfig
   private backups = new Map<string, StateBackup[]>() // componentId -> backups
   private migrationFunctions = new Map<string, (state: any) => any>() // version -> migration function
+  // 🔒 Anti-replay: track consumed nonces to prevent state replay attacks
+  private consumedNonces = new Set<string>()
+  private readonly nonceMaxAge = 24 * 60 * 60 * 1000 // Nonces expire with the state (24h)
+  private nonceTimestamps = new Map<string, number>() // nonce -> timestamp for cleanup
 
   constructor(secretKey?: string, options?: {
     keyRotation?: Partial<KeyRotationConfig>
@@ -108,10 +114,11 @@ export class StateSignature {
     setInterval(() => {
       this.rotateKey()
     }, this.keyRotationConfig.rotationInterval)
-    
-    // Cleanup old keys
+
+    // Cleanup old keys and expired nonces
     setInterval(() => {
       this.cleanupOldKeys()
+      this.cleanupExpiredNonces()
     }, 24 * 60 * 60 * 1000) // Daily cleanup
   }
 
@@ -159,6 +166,26 @@ export class StateSignature {
     }
   }
 
+  /**
+   * 🔒 Remove expired nonces to prevent unbounded memory growth
+   */
+  private cleanupExpiredNonces(): void {
+    const now = Date.now()
+    let cleaned = 0
+
+    for (const [nonce, timestamp] of this.nonceTimestamps) {
+      if (now - timestamp > this.nonceMaxAge) {
+        this.consumedNonces.delete(nonce)
+        this.nonceTimestamps.delete(nonce)
+        cleaned++
+      }
+    }
+
+    if (cleaned > 0) {
+      liveLog('state', null, `🧹 Cleaned up ${cleaned} expired nonces (${this.consumedNonces.size} active)`)
+    }
+  }
+
   private getKeyById(keyId: string): string | null {
     const keyData = this.keyHistory.get(keyId)
     return keyData ? keyData.key : null
@@ -179,37 +206,38 @@ export class StateSignature {
   ): Promise<SignedState<T>> {
     const timestamp = Date.now()
     const keyId = this.getCurrentKeyId()
-    
+    const nonce = randomBytes(16).toString('hex') // 🔒 Anti-replay nonce
+
     let processedData = data
     let compressed = false
     let encrypted = false
-    
+
     try {
       // Serialize data for processing
       const serializedData = JSON.stringify(data)
-      
+
       // Compress if enabled and data is large enough
-      if (this.compressionConfig.enabled && 
+      if (this.compressionConfig.enabled &&
           (options?.compress !== false) &&
           Buffer.byteLength(serializedData, 'utf8') > this.compressionConfig.threshold) {
-        
+
         const compressedBuffer = await gzipAsync(Buffer.from(serializedData, 'utf8'))
         processedData = compressedBuffer.toString('base64') as any
         compressed = true
-        
+
         liveLog('state', componentId, `🗜️ State compressed: ${Buffer.byteLength(serializedData, 'utf8')} -> ${compressedBuffer.length} bytes`)
       }
-      
+
       // Encrypt sensitive data if requested
       if (options?.encrypt) {
         const encryptedData = await this.encryptData(processedData)
         processedData = encryptedData as any
         encrypted = true
-        
+
         liveLog('state', componentId, `🔒 State encrypted for component: ${componentId}`)
       }
-      
-      // Create payload for signing
+
+      // Create payload for signing (includes nonce for anti-replay)
       const payload = {
         data: processedData,
         componentId,
@@ -217,9 +245,10 @@ export class StateSignature {
         version,
         keyId,
         compressed,
-        encrypted
+        encrypted,
+        nonce
       }
-      
+
       // Generate signature with current key
       const signature = this.createSignature(payload)
       
@@ -235,6 +264,7 @@ export class StateSignature {
         keyId,
         compressed,
         encrypted,
+        nonce: nonce.substring(0, 8) + '...',
         signature: signature.substring(0, 16) + '...'
       })
 
@@ -246,7 +276,8 @@ export class StateSignature {
         version,
         keyId,
         compressed,
-        encrypted
+        encrypted,
+        nonce
       }
       
     } catch (error) {
@@ -258,14 +289,19 @@ export class StateSignature {
   /**
    * Validate signed state integrity with enhanced security checks
    */
-  public async validateState<T>(signedState: SignedState<T>, maxAge?: number): Promise<StateValidationResult> {
-    const { data, signature, timestamp, componentId, version, keyId, compressed, encrypted } = signedState
-    
+  /**
+   * Validate signed state integrity with enhanced security checks.
+   * @param consumeNonce If true (default), the nonce is consumed and the same signed state cannot be reused.
+   *                     Set to false for read-only validation without consuming the nonce.
+   */
+  public async validateState<T>(signedState: SignedState<T>, maxAge?: number, consumeNonce = true): Promise<StateValidationResult> {
+    const { data, signature, timestamp, componentId, version, keyId, compressed, encrypted, nonce } = signedState
+
     try {
       // Check timestamp (prevent replay attacks)
       const age = Date.now() - timestamp
       const ageLimit = maxAge || this.maxAge
-      
+
       if (age > ageLimit) {
         return {
           valid: false,
@@ -274,10 +310,23 @@ export class StateSignature {
         }
       }
 
+      // 🔒 Anti-replay: check if this nonce was already consumed
+      if (nonce && consumeNonce && this.consumedNonces.has(nonce)) {
+        liveWarn('state', componentId, '⚠️ Replay attack detected - nonce already consumed:', {
+          componentId,
+          nonce: nonce.substring(0, 8) + '...'
+        })
+        return {
+          valid: false,
+          error: 'State already consumed - replay attack detected',
+          replayed: true
+        }
+      }
+
       // Determine which key to use for validation
       let validationKey = this.currentKey
       let keyRotated = false
-      
+
       if (keyId) {
         const historicalKey = this.getKeyById(keyId)
         if (historicalKey) {
@@ -292,27 +341,30 @@ export class StateSignature {
         }
       }
 
-      // Recreate payload for verification
-      const payload = {
+      // Recreate payload for verification (must include nonce if present)
+      const payload: Record<string, unknown> = {
         data,
         componentId,
         timestamp,
         version,
         keyId,
         compressed,
-        encrypted
+        encrypted,
+      }
+      if (nonce !== undefined) {
+        payload.nonce = nonce
       }
 
       // Verify signature with appropriate key
       const expectedSignature = this.createSignature(payload, validationKey)
-      
+
       if (!this.constantTimeEquals(signature, expectedSignature)) {
         liveWarn('state', componentId, '⚠️ State signature mismatch:', {
           componentId,
           expected: expectedSignature.substring(0, 16) + '...',
           received: signature.substring(0, 16) + '...'
         })
-        
+
         return {
           valid: false,
           error: 'State signature invalid - possible tampering',
@@ -320,10 +372,17 @@ export class StateSignature {
         }
       }
 
+      // 🔒 Anti-replay: consume the nonce so it cannot be reused
+      if (nonce && consumeNonce) {
+        this.consumedNonces.add(nonce)
+        this.nonceTimestamps.set(nonce, Date.now())
+      }
+
       liveLog('state', componentId, '✅ State signature valid:', {
         componentId,
         age: `${Math.round(age / 1000)}s`,
-        version
+        version,
+        nonceConsumed: !!(nonce && consumeNonce)
       })
 
       return { valid: true }
@@ -622,7 +681,8 @@ export class StateSignature {
       currentKeyId: this.getCurrentKeyId(),
       keyHistoryCount: this.keyHistory.size,
       compressionEnabled: this.compressionConfig.enabled,
-      rotationInterval: this.keyRotationConfig.rotationInterval
+      rotationInterval: this.keyRotationConfig.rotationInterval,
+      activeNonces: this.consumedNonces.size // 🔒 Anti-replay tracking
     }
   }
 }

package/core/server/live/WebSocketConnectionManager.ts

@@ -3,6 +3,7 @@
 
 import { EventEmitter } from 'events'
 import type { FluxStackWebSocket } from '@core/types/types'
+import { liveLog, liveWarn } from './LiveLogger'
 
 export interface ConnectionConfig {
   maxConnections: number
@@ -123,7 +124,7 @@ export class WebSocketConnectionManager extends EventEmitter {
     // Setup connection event handlers
     this.setupConnectionHandlers(ws, connectionId)
 
-    console.log(`🔌 Connection registered: ${connectionId} (Pool: ${poolId || 'default'})`)
+    liveLog('websocket', null, `🔌 Connection registered: ${connectionId} (Pool: ${poolId || 'default'})`)
     this.emit('connectionRegistered', { connectionId, poolId })
   }
 
@@ -193,7 +194,7 @@ export class WebSocketConnectionManager extends EventEmitter {
     }
     
     this.connectionPools.get(poolId)!.add(connectionId)
-    console.log(`🏊 Connection ${connectionId} added to pool ${poolId}`)
+    liveLog('websocket', null, `🏊 Connection ${connectionId} added to pool ${poolId}`)
   }
 
   /**
@@ -331,7 +332,7 @@ export class WebSocketConnectionManager extends EventEmitter {
       queue.splice(insertIndex, 0, queuedMessage)
     }
 
-    console.log(`📬 Message queued for ${connectionId}: ${queuedMessage.id}`)
+    liveLog('messages', null, `📬 Message queued for ${connectionId}: ${queuedMessage.id}`)
     return true
   }
 
@@ -361,10 +362,10 @@ export class WebSocketConnectionManager extends EventEmitter {
             // Re-queue for retry
             queue.push(queuedMessage)
           } else {
-            console.warn(`❌ Message ${queuedMessage.id} exceeded max retries`)
+            liveWarn('messages', null, `❌ Message ${queuedMessage.id} exceeded max retries`)
           }
         } else {
-          console.log(`✅ Queued message delivered: ${queuedMessage.id}`)
+          liveLog('messages', null, `✅ Queued message delivered: ${queuedMessage.id}`)
         }
       } catch (error) {
         console.error(`❌ Error processing queued message ${queuedMessage.id}:`, error)
@@ -445,7 +446,7 @@ export class WebSocketConnectionManager extends EventEmitter {
    * Handle connection close
    */
   private handleConnectionClose(connectionId: string): void {
-    console.log(`🔌 Connection closed: ${connectionId}`)
+    liveLog('websocket', null, `🔌 Connection closed: ${connectionId}`)
     
     // Update metrics
     const metrics = this.connectionMetrics.get(connectionId)
@@ -573,7 +574,7 @@ export class WebSocketConnectionManager extends EventEmitter {
    * Handle unhealthy connection
    */
   private async handleUnhealthyConnection(connectionId: string): Promise<void> {
-    console.warn(`⚠️ Handling unhealthy connection: ${connectionId}`)
+    liveWarn('websocket', null, `⚠️ Handling unhealthy connection: ${connectionId}`)
     
     const ws = this.connections.get(connectionId)
     if (ws) {
@@ -606,7 +607,7 @@ export class WebSocketConnectionManager extends EventEmitter {
       }
     }
 
-    console.log(`🧹 Connection cleaned up: ${connectionId}`)
+    liveLog('websocket', null, `🧹 Connection cleaned up: ${connectionId}`)
   }
 
   /**
@@ -679,7 +680,7 @@ export class WebSocketConnectionManager extends EventEmitter {
    * Shutdown connection manager
    */
   shutdown(): void {
-    console.log('🔌 Shutting down WebSocket Connection Manager...')
+    liveLog('websocket', null, '🔌 Shutting down WebSocket Connection Manager...')
     
     // Clear intervals
     if (this.healthCheckInterval) {
@@ -701,7 +702,7 @@ export class WebSocketConnectionManager extends EventEmitter {
     this.connectionPools.clear()
     this.messageQueues.clear()
 
-    console.log('✅ WebSocket Connection Manager shutdown complete')
+    liveLog('websocket', null, '✅ WebSocket Connection Manager shutdown complete')
   }
 }
 

package/core/server/live/auto-generated-components.ts

@@ -1,6 +1,6 @@
 // 🔥 Auto-generated Live Components Registration
 // This file is automatically generated during build time - DO NOT EDIT MANUALLY
-// Generated at: 2026-02-17T00:55:07.182Z
+// Generated at: 2026-02-21T20:03:53.569Z
 
 import { LiveAdminPanel } from "@app/server/live/LiveAdminPanel"
 import { LiveChat } from "@app/server/live/LiveChat"

package/core/server/live/websocket-plugin.ts

@@ -12,6 +12,7 @@ import type { Plugin, PluginContext } from '@core/index'
 import { t, Elysia } from 'elysia'
 import path from 'path'
 import { liveLog } from './LiveLogger'
+import { liveDebugger } from './LiveDebugger'
 
 // ===== Response Schemas for Live Components Routes =====
 
@@ -116,6 +117,39 @@ const LiveAlertResolveSchema = t.Object({
   description: 'Result of alert resolution operation'
 })
 
+// 🔒 Per-connection rate limiter to prevent WebSocket message flooding
+class ConnectionRateLimiter {
+  private tokens: number
+  private lastRefill: number
+  private readonly maxTokens: number
+  private readonly refillRate: number // tokens per second
+
+  constructor(maxTokens = 100, refillRate = 50) {
+    this.maxTokens = maxTokens
+    this.tokens = maxTokens
+    this.refillRate = refillRate
+    this.lastRefill = Date.now()
+  }
+
+  tryConsume(count = 1): boolean {
+    this.refill()
+    if (this.tokens >= count) {
+      this.tokens -= count
+      return true
+    }
+    return false
+  }
+
+  private refill(): void {
+    const now = Date.now()
+    const elapsed = (now - this.lastRefill) / 1000
+    this.tokens = Math.min(this.maxTokens, this.tokens + elapsed * this.refillRate)
+    this.lastRefill = now
+  }
+}
+
+const connectionRateLimiters = new Map<string, ConnectionRateLimiter>()
+
 export const liveComponentsPlugin: Plugin = {
   name: 'live-components',
   version: '1.0.0',
@@ -143,9 +177,12 @@ export const liveComponentsPlugin: Plugin = {
         
         async open(ws) {
           const socket = ws as unknown as FluxStackWebSocket
-          const connectionId = `ws-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`
+          const connectionId = `ws-${crypto.randomUUID()}`
           liveLog('websocket', null, `🔌 Live Components WebSocket connected: ${connectionId}`)
 
+          // 🔒 Initialize rate limiter for this connection
+          connectionRateLimiters.set(connectionId, new ConnectionRateLimiter())
+
           // Register connection with enhanced connection manager
           connectionManager.registerConnection(ws as unknown as FluxStackWebSocket, connectionId, 'live-components')
 
@@ -177,12 +214,19 @@ export const liveComponentsPlugin: Plugin = {
               if (authContext.authenticated) {
                 socket.data.userId = authContext.user?.id
                 liveLog('websocket', null, `🔒 WebSocket authenticated via query: user=${authContext.user?.id}`)
+              } else {
+                // 🔒 Log failed auth attempts (token was provided but auth failed)
+                liveLog('websocket', null, `🔒 WebSocket authentication failed via query token`)
               }
             }
-          } catch {
-            // Query param auth is optional - continue without auth
+          } catch (authError) {
+            // 🔒 Log auth errors instead of silently ignoring them
+            console.warn('🔒 WebSocket query auth error:', authError instanceof Error ? authError.message : 'Unknown error')
           }
 
+          // Debug: track connection
+          liveDebugger.trackConnection(connectionId)
+
           // Send connection confirmation
           ws.send(JSON.stringify({
             type: 'CONNECTION_ESTABLISHED',
@@ -203,6 +247,20 @@ export const liveComponentsPlugin: Plugin = {
         async message(ws: unknown, rawMessage: LiveMessage | ArrayBuffer | Uint8Array) {
           const socket = ws as FluxStackWebSocket
           try {
+            // 🔒 Rate limiting: reject messages if connection exceeds rate limit
+            const connId = socket.data?.connectionId
+            if (connId) {
+              const limiter = connectionRateLimiters.get(connId)
+              if (limiter && !limiter.tryConsume()) {
+                socket.send(JSON.stringify({
+                  type: 'ERROR',
+                  error: 'Rate limit exceeded. Please slow down.',
+                  timestamp: Date.now()
+                }))
+                return
+              }
+            }
+
             let message: LiveMessage
             let binaryChunkData: Buffer | null = null
 
@@ -313,6 +371,17 @@ export const liveComponentsPlugin: Plugin = {
           const connectionId = socket.data?.connectionId
           liveLog('websocket', null, `🔌 Live Components WebSocket disconnected: ${connectionId}`)
 
+          // Debug: track disconnection
+          const componentCount = socket.data?.components?.size ?? 0
+          if (connectionId) {
+            liveDebugger.trackDisconnection(connectionId, componentCount)
+          }
+
+          // 🔒 Cleanup rate limiter
+          if (connectionId) {
+            connectionRateLimiters.delete(connectionId)
+          }
+
           // Cleanup connection in connection manager
           if (connectionId) {
             connectionManager.cleanupConnection(connectionId)
@@ -511,6 +580,132 @@ export const liveComponentsPlugin: Plugin = {
         response: LiveAlertResolveSchema
       })
 
+      // ===== Live Component Debugger Routes =====
+
+      // Debug WebSocket - streams debug events in real-time
+      .ws('/debug/ws', {
+        body: t.Any(),
+
+        open(ws) {
+          const socket = ws as unknown as FluxStackWebSocket
+          liveLog('websocket', null, '🔍 Debug client connected')
+          liveDebugger.registerDebugClient(socket)
+        },
+
+        message() {
+          // Debug clients are read-only, no incoming messages to handle
+        },
+
+        close(ws) {
+          const socket = ws as unknown as FluxStackWebSocket
+          liveLog('websocket', null, '🔍 Debug client disconnected')
+          liveDebugger.unregisterDebugClient(socket)
+        }
+      })
+
+      // Debug snapshot - current state of all components
+      .get('/debug/snapshot', () => {
+        return {
+          success: true,
+          snapshot: liveDebugger.getSnapshot(),
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Debug Snapshot',
+          description: 'Returns current state of all active Live Components for debugging',
+          tags: ['Live Components', 'Debug']
+        }
+      })
+
+      // Debug events - recent event history
+      .get('/debug/events', ({ query }) => {
+        const filter: { componentId?: string; type?: any; limit?: number } = {}
+        if (query.componentId) filter.componentId = query.componentId as string
+        if (query.type) filter.type = query.type
+        if (query.limit) filter.limit = parseInt(query.limit as string, 10)
+
+        return {
+          success: true,
+          events: liveDebugger.getEvents(filter),
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Debug Events',
+          description: 'Returns recent debug events, optionally filtered by component or type',
+          tags: ['Live Components', 'Debug']
+        },
+        query: t.Object({
+          componentId: t.Optional(t.String()),
+          type: t.Optional(t.String()),
+          limit: t.Optional(t.String())
+        })
+      })
+
+      // Debug toggle - enable/disable debugger at runtime
+      .post('/debug/toggle', ({ body }) => {
+        const enabled = (body as any)?.enabled
+        if (typeof enabled === 'boolean') {
+          liveDebugger.enabled = enabled
+        } else {
+          liveDebugger.enabled = !liveDebugger.enabled
+        }
+        return {
+          success: true,
+          enabled: liveDebugger.enabled,
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Toggle Debugger',
+          description: 'Enable or disable the Live Component debugger at runtime',
+          tags: ['Live Components', 'Debug']
+        }
+      })
+
+      // Debug component state - get specific component state
+      .get('/debug/components/:componentId', ({ params }) => {
+        const snapshot = liveDebugger.getComponentState(params.componentId)
+        if (!snapshot) {
+          return { success: false, error: 'Component not found' }
+        }
+        return {
+          success: true,
+          component: snapshot,
+          events: liveDebugger.getEvents({
+            componentId: params.componentId,
+            limit: 50
+          }),
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Debug Component State',
+          description: 'Returns current state and recent events for a specific component',
+          tags: ['Live Components', 'Debug']
+        },
+        params: t.Object({
+          componentId: t.String()
+        })
+      })
+
+      // Clear debug events
+      .post('/debug/clear', () => {
+        liveDebugger.clearEvents()
+        return {
+          success: true,
+          message: 'Debug events cleared',
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Clear Debug Events',
+          description: 'Clears the debug event history buffer',
+          tags: ['Live Components', 'Debug']
+        }
+      })
+
     // Register the grouped routes with the main app
     context.app.use(liveRoutes)
   },
@@ -717,9 +912,11 @@ async function handleAuth(ws: FluxStackWebSocket, message: LiveMessage) {
 // File Upload Handler Functions
 async function handleFileUploadStart(ws: FluxStackWebSocket, message: FileUploadStartMessage) {
   liveLog('messages', message.componentId || null, '📤 Starting file upload:', message.uploadId)
-  
-  const result = await fileUploadManager.startUpload(message)
-  
+
+  // 🔒 Pass userId for per-user upload quota enforcement
+  const userId = ws.data?.userId || ws.data?.authContext?.user?.id
+  const result = await fileUploadManager.startUpload(message, userId)
+
   const response = {
     type: 'FILE_UPLOAD_START_RESPONSE',
     componentId: message.componentId,
@@ -729,7 +926,7 @@ async function handleFileUploadStart(ws: FluxStackWebSocket, message: FileUpload
     requestId: message.requestId,
     timestamp: Date.now()
   }
-  
+
   ws.send(JSON.stringify(response))
 }
 
@@ -781,11 +978,23 @@ async function handleRoomJoin(ws: FluxStackWebSocket, message: RoomMessage) {
   liveLog('rooms', message.componentId, `🚪 Component ${message.componentId} joining room ${message.roomId}`)
 
   try {
+    // 🔒 Validate room name format (alphanumeric, hyphens, underscores, max 64 chars)
+    if (!message.roomId || !/^[a-zA-Z0-9_:.-]{1,64}$/.test(message.roomId)) {
+      throw new Error('Invalid room name. Must be 1-64 alphanumeric characters, hyphens, underscores, dots, or colons.')
+    }
+
+    // 🔒 Room authorization check
+    const authContext = ws.data?.authContext || ANONYMOUS_CONTEXT
+    const authResult = await liveAuthManager.authorizeRoom(authContext, message.roomId)
+    if (!authResult.allowed) {
+      throw new Error(`Room access denied: ${authResult.reason}`)
+    }
+
     const result = liveRoomManager.joinRoom(
       message.componentId,
       message.roomId,
       ws,
-      message.data?.initialState
+      undefined // 🔒 Don't allow client to set initial room state - server controls this
     )
 
     const response = {
@@ -843,6 +1052,11 @@ async function handleRoomEmit(ws: FluxStackWebSocket, message: RoomMessage) {
   liveLog('rooms', message.componentId, `📡 Component ${message.componentId} emitting '${message.event}' to room ${message.roomId}`)
 
   try {
+    // 🔒 Validate room name
+    if (!message.roomId || !/^[a-zA-Z0-9_:.-]{1,64}$/.test(message.roomId)) {
+      throw new Error('Invalid room name')
+    }
+
     const count = liveRoomManager.emitToRoom(
       message.roomId,
       message.event!,
@@ -866,6 +1080,17 @@ async function handleRoomStateSet(ws: FluxStackWebSocket, message: RoomMessage)
   liveLog('rooms', message.componentId, `📝 Component ${message.componentId} updating state in room ${message.roomId}`)
 
   try {
+    // 🔒 Validate room name
+    if (!message.roomId || !/^[a-zA-Z0-9_:.-]{1,64}$/.test(message.roomId)) {
+      throw new Error('Invalid room name')
+    }
+
+    // 🔒 Validate state size (max 1MB per update to prevent memory attacks)
+    const stateStr = JSON.stringify(message.data ?? {})
+    if (stateStr.length > 1024 * 1024) {
+      throw new Error('Room state update too large (max 1MB)')
+    }
+
     liveRoomManager.setRoomState(
       message.roomId,
       message.data ?? {},