fix(api): reject oversized request bodies with 413

test/api-router_test.ts

@@ -1,4 +1,5 @@
 import { assertEquals } from 'jsr:@std/assert@^1.0.0';
+import { EventEmitter } from 'node:events';
 import { ApiRouter } from '../ts/api/router.ts';
 
 class TestResponse {
@@ -18,6 +19,29 @@ class TestResponse {
   }
 }
 
+class TestRequest extends EventEmitter {
+  public method: string;
+  public headers: Record<string, string>;
+  public destroyed = false;
+  public paused = false;
+
+  constructor(method: string, headers: Record<string, string>) {
+    super();
+    this.method = method;
+    this.headers = headers;
+  }
+
+  public pause(): this {
+    this.paused = true;
+    return this;
+  }
+
+  public destroy(): this {
+    this.destroyed = true;
+    return this;
+  }
+}
+
 function createRouter(): ApiRouter {
   return new ApiRouter(
     {} as never,
@@ -55,3 +79,20 @@ Deno.test('ApiRouter rejects protected endpoints without a bearer token', async
   assertEquals(response.statusCode, 401);
   assertEquals(JSON.parse(response.body).error.type, 'authentication_error');
 });
+
+Deno.test('ApiRouter returns 413 for oversized request bodies', async () => {
+  const router = createRouter();
+  const request = new TestRequest('POST', {
+    authorization: 'Bearer valid-key',
+  });
+  const response = new TestResponse();
+
+  const routePromise = router.route(request as never, response as never, '/v1/chat/completions');
+  request.emit('data', 'x'.repeat(10 * 1024 * 1024 + 1));
+  await routePromise;
+
+  assertEquals(response.statusCode, 413);
+  assertEquals(request.paused, true);
+  assertEquals(request.destroyed, true);
+  assertEquals(JSON.parse(response.body).error.message, 'Request body too large');
+});