
@Nayana-R-Gowda (Collaborator) commented Aug 19, 2025

📌 Summary

What problem does this PR fix and why?
It prevents security risks like XSS, malicious payloads, and DoS attacks from unvalidated resource/prompt content. Without validation, users could upload unsafe content or overwhelm the system with large inputs. This ensures only safe, properly sized, and valid text content is processed.

💡 Fix Description

How did you solve it? Key design points.
I added configurable content size/type limits, UTF-8 and pattern validation, and prompt syntax checks. Built a ContentSecurityService for centralized checks, plus a rate limiter to block abuse. API services now enforce validation on create/update with monitoring for violations.

🧪 Verification

  Check        Command     Status
  -----------  ----------  ------
  Lint suite   make lint   pass
  Unit tests   make test   pass

📐 MCP Compliance (if relevant)

  • [ ] Matches current MCP spec
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • No secrets/credentials committed
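The PR body describes the checks in prose only. The block below is an added illustration, not the project's ContentSecurityService or any code from this PR, of the same categories of check: a byte-size cap applied before decoding, a content-type allowlist, strict UTF-8 decoding, a pattern denylist, a prompt-template syntax check, and a per-user sliding-window rate limiter with a per-user reset. Every name, threshold and pattern in it is hypothetical.

```python
"""Hypothetical content-validation and rate-limiting helpers (example only; the
names, limits and denied patterns are constructed for illustration and are not
the project's own)."""
from __future__ import annotations

import re
import string
import time
from collections import defaultdict, deque
from dataclasses import dataclass


class ContentValidationError(ValueError):
    """Raised when content fails a security check."""


@dataclass(frozen=True)
class ContentLimits:
    max_resource_bytes: int = 1_000_000          # hypothetical cap for resources
    max_prompt_bytes: int = 64_000               # hypothetical cap for prompts
    allowed_types: frozenset = frozenset({"text/plain", "text/markdown", "application/json"})
    # Constructed denylist; a real deployment would tune this to its own renderer.
    denied_patterns: tuple = (
        re.compile(r"<\s*script\b", re.IGNORECASE),
        re.compile(r"javascript\s*:", re.IGNORECASE),
        re.compile(r"\x00"),                      # NUL bytes are never valid text
    )


def validate_prompt_syntax(template: str) -> list:
    """Parse a str.format-style template; return its placeholder names.
    Unbalanced braces and positional or empty fields are rejected."""
    try:
        parsed = list(string.Formatter().parse(template))
    except ValueError as exc:  # unbalanced '{' or '}'
        raise ContentValidationError(f"malformed prompt template: {exc}") from exc
    names = []
    for _literal, field_name, _spec, _conv in parsed:
        if field_name is None:
            continue
        if not field_name.isidentifier():
            raise ContentValidationError(f"invalid placeholder {field_name!r}")
        names.append(field_name)
    return names


def validate_text_content(raw: bytes, content_type: str, limits: ContentLimits,
                          *, is_prompt: bool = False) -> str:
    """Apply size, type, encoding, pattern and (for prompts) syntax checks.
    Returns the decoded text, or raises ContentValidationError."""
    # 1. Size is checked on raw bytes, before any decoding work is spent on it.
    cap = limits.max_prompt_bytes if is_prompt else limits.max_resource_bytes
    if len(raw) > cap:
        raise ContentValidationError(f"{len(raw)} bytes exceeds limit of {cap}")
    # 2. Content-type allowlist; parameters such as charset are ignored.
    base_type = content_type.split(";", 1)[0].strip().lower()
    if base_type not in limits.allowed_types:
        raise ContentValidationError(f"content type {base_type!r} is not allowed")
    # 3. Strict UTF-8: invalid sequences are rejected, never silently replaced.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ContentValidationError(f"content is not valid UTF-8: {exc}") from exc
    # 4. Pattern denylist on the decoded text.
    for pattern in limits.denied_patterns:
        if pattern.search(text):
            raise ContentValidationError(f"matches denied pattern {pattern.pattern!r}")
    # 5. Prompt templates must also have well-formed placeholders.
    if is_prompt:
        validate_prompt_syntax(text)
    return text


def validation_error(raw: bytes, content_type: str, limits: ContentLimits,
                     *, is_prompt: bool = False):
    """Convenience wrapper: the error message on rejection, None on success."""
    try:
        validate_text_content(raw, content_type, limits, is_prompt=is_prompt)
    except ContentValidationError as exc:
        return str(exc)
    return None


class SlidingWindowRateLimiter:
    """Per-user sliding window: at most `limit` calls in any `window` seconds.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def allow(self, user: str) -> bool:
        now = self.clock()
        hits = self._hits[user]
        while hits and now - hits[0] >= self.window:   # drop expired timestamps
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def reset(self, user=None) -> None:
        """Reset one user's window, or every user's when no user is given."""
        if user is None:
            self._hits.clear()
        else:
            self._hits.pop(user, None)
```

The size check runs on the raw bytes before decoding so an oversized upload is rejected without spending CPU on it, and `reset(user)` clears a single user's window so an administrative reset does not have to wipe every client's state at once.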

@madhav165 madhav165 linked an issue Aug 20, 2025 that may be closed by this pull request
@MohanLaksh MohanLaksh marked this pull request as draft August 20, 2025 10:05
Signed-off-by: NAYANAR <[email protected]>
Signed-off-by: NAYANAR <[email protected]>
@madhav165 (Collaborator) left a comment

  1. Why is rate limiting code in middleware and content validation in services? Check if there is a reason for the suggestion and if it makes it easier to use.
  2. Don't remove the top content from files - e.g. prompt_service
  3. In admin_reset_rate_limiter, why is rate limit not being reset for a specific user?
  4. Fix duplicate definitions for content_max_resource_size in config.py
  5. Why is validation_exception_handler removed in main and content_validation_exception_handler added? Update validation_exception_handler if possible
  6. Keep .env.example values consistent with what is there in config.py.
  7. Test cases are fine

Overall, it might be better to do a new PR from current main to avoid merge conflicts, and address the issues mentioned above.

Successfully merging this pull request may close these issues.

[SECURITY FEATURE]: Add Security Configuration Validation and Startup Checks