fix(gateway): make api_server body-size cap configurable, raise default to 100 MiB

[DataAdvisory]

Summary

• The OpenAI-compat HTTP API server (gateway/platforms/api_server.py) enforced a hardcoded 1 MB POST body limit in two places — the body_limit_middleware Content-Length pre-check and aiohttp's own transport-level cap (which defaulted to its 1 MiB client_max_size because web.Application(...) was constructed without an override). Together they made any non-trivial image attachment fail with Request body too large (HTTP 413) before the request could ever reach the backend model — even when the model itself supports vision and would accept the payload (e.g. gemma3:27b / gemma4:26b on a local Ollama).
• This PR makes the limit configurable (matching the precedence pattern already used in the same constructor for host/port/api_key, and the max_body_bytes knob in gateway/platforms/webhook.py) and raises the default to 100 MiB so a Retina screenshot or a small PDF passes through without operator intervention.
• No behaviour change for deployments that don't override the new key beyond the larger default. Tighter caps (e.g. for hardened public deployments) remain available via the new config key or env var.

Details

• MAX_REQUEST_BYTES → renamed to DEFAULT_MAX_REQUEST_BYTES, value 100 * 1024 * 1024.
• APIServerAdapter.__init__ reads the effective limit from, in order of precedence:
  1. extra.max_request_bytes in the platform config (i.e. ~/.hermes/config.yaml under the api_server platform's extra: block)
  2. API_SERVER_MAX_REQUEST_BYTES environment variable
  3. DEFAULT_MAX_REQUEST_BYTES (100 MiB)
• The configured value is stored on request.app[\"max_request_bytes\"] so the module-level body_limit_middleware reads it from the app instead of a stale module global.
• web.Application(...) is now constructed with client_max_size=self._max_request_bytes so the aiohttp transport layer agrees with the middleware. Without this fix, raising the middleware constant alone would still leave bodies rejected one layer down by aiohttp's 1 MiB default.

Repro of the original bug

# config.yaml has model.base_url pointing at a local Ollama
hermes gateway start
# from any OpenAI-compat client, POST a chat completion containing a base64'd
# image attachment > 1 MB
#   → 413 {"error": {"message": "Request body too large", "code": "body_too_large"}}
# (the image never reaches the model)

After this PR the same request goes through, all the way to the backend model.

Test plan

• python -c \"from gateway.platforms import api_server as a; print(a.DEFAULT_MAX_REQUEST_BYTES); assert not hasattr(a, 'MAX_REQUEST_BYTES')\" — module imports cleanly, default is 104857600, old constant is gone.
• hermes gateway restart then hermes gateway status — gateway boots cleanly with the refactored code.
• Reviewer: POST a > 1 MB body to /v1/chat/completions against an api_server-platform gateway and confirm it now reaches the backend.
• Reviewer: set API_SERVER_MAX_REQUEST_BYTES=2000000 and confirm the cap drops back to 2 MB (the env var override path).
• Reviewer: confirm existing tests still pass (no MAX_REQUEST_BYTES references found in tests/).

🤖 Generated with Claude Code

[sunxyless]

+1 on this. Just closed my own PR (#12329) that was also addressing the 1 MiB wall — I'll let this one carry the body-size fix since the design here is cleaner (config-key + env, raw bytes, proper DI via request.app["max_request_bytes"] instead of a module-level constant).

Two things I dug into that may be useful if you want to add coverage:

1. The failure mode is not just 413 — it's opaque. Without client_max_size on the Application, aiohttp raises when request.json() reads past its internal cap; the handler's except (json.JSONDecodeError, Exception) collapses that into "Invalid JSON in request body". Users see the vague error and have no hint that the real cause is a size limit. Worth a one-liner regression test asserting 2 MiB body doesn't turn into "Invalid JSON" post-fix.

2. Field names in existing envs. The repo already has API_SERVER_HOST / API_SERVER_PORT / API_SERVER_KEY registered in hermes_cli/config.py's env-var catalog (that's where Setup wizard and docs pick up descriptions). If this lands, API_SERVER_MAX_REQUEST_BYTES wants a catalog entry too so operators discover it via hermes config.

(I had test cases for both in #12329; happy to cherry-pick them into here if it'd save you time.)