Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0
Why this matters
backend/src/app.ts:118 calls express.json() with no limit option, so protection depends entirely on body-parser's implicit 100kb default. The limit is never stated or documented, and the audit-log middleware persists the full req.body to Postgres (auditLog.ts:90-94), so request size directly drives DB write size. There is no test asserting oversized payloads are rejected.
Acceptance criteria
Files to touch
backend/src/app.ts
Out of scope
- Per-route size overrides
- Streaming/multipart upload handling