improvements: cap read_file at 10 MiB to avoid multi-hundred-MB string round-trips

[matiaspalmac]

[Improvement]: Cap read_file at 10 MiB to avoid multi-hundred-MB string round-trips

Description

read_file returned the entire file body as a String with no size
gate. Opening a 200 MB log pipes ~500 MB+ through the pipeline: disk
read → owned String allocation → serde_json encode → IPC → JS string
decode → Monaco buffer. That is enough to OOM the renderer on
low-memory machines and causes a visible freeze on anything
substantially larger than the available RAM.

Change

apps/desktop/src-tauri/src/lib.rs — read_file now stats the file
first and rejects up front when metadata.len() exceeds
READ_FILE_MAX_BYTES = 10 * 1024 * 1024 (10 MiB). The error message
includes the actual file size and the limit so the frontend can
surface an actionable message to the user instead of a generic I/O
error.

const READ_FILE_MAX_BYTES: u64 = 10 * 1024 * 1024;

#[tauri::command]
fn read_file(path: String) -> Result<String, String> {
    let metadata = fs::metadata(&path)…?;
    if metadata.len() > READ_FILE_MAX_BYTES {
        return Err(format!(
            "File {path} is {actual} bytes, which exceeds the {limit}-byte read_file limit; use a streaming reader for files this large",
            …
        ));
    }
    fs::read_to_string(&path)…
}

Trade-offs

• Why 10 MiB. Monaco, the AI-chat context window and the
  git-explorer diff viewer are all the realistic consumers of
  read_file today; none of them handle files larger than a few MiB
  well in practice. 10 MiB is comfortably above every legitimate
  source file / package.json / skill-MD / project file in the tree
  and still an order of magnitude below the "renderer falls over"
  region.
• Streaming path deferred. Point 2 of the issue (chunked streaming
  via Tauri v2 channels) requires a new command, a new frontend
  consumer UI, and teaching Monaco to render chunks incrementally —
  all bigger than this PR. Consumers that genuinely need large files
  (log tailer, binary viewer) should use a dedicated command rather
  than lift this cap.
• User-visible setting deferred. Point 3 (expose the limit as a
  setting) needs a settings-schema addition and a docs update. The
  current behaviour — fail fast with a clear number in the error —
  is the part that matters for the memory-safety fix; making it
  tunable can land separately without reopening the safety question.
• get_recursive_file_list and get_git_file_diff. The issue
  also mentions both as carrying similar patterns. They are kept out
  of this PR: the first returns an in-memory Vec<String> of paths
  (risk is cardinality, not per-file size — a different shape of
  fix), and the second shells out to git diff, where the right
  bound is on the diff output rather than any single source file.

Verification

• cargo check and cargo clippy -- -D warnings on src-tauri →
  clean.
• Manual trace:
  • Existing callers (awareness.ts, AgentContext.tsx skill/index
    reads, AiChatComponent.tsx tool path, GitExplorerComponent.tsx
    diff/search file open) all pass small text paths → unaffected.
  • Path to a non-existent file → now returns Failed to stat file
    instead of Failed to read file. Same Result::Err branch for
    the frontend, friendlier message.
  • Path to a >10 MiB file → File … is N bytes, which exceeds the 10485760-byte read_file limit; use a streaming reader….

Related Issue

Closes #87

Checklist

• I have checked for existing feature requests.
• I have followed the project's coding guidelines.
• Documentation has been updated (if applicable).
• My changes generate no new warnings or errors.

[github-actions]

Thanks for the contribution! I'll review it as soon as possible. If you have still changes, please mark this PR as draft and all reviews will be cancelled. Tests reviews will be re-run only when the PR is marked as ready for review.

[Copilot]

Pull request overview

This PR adds a size limit to the Tauri read_file command to prevent large file reads from being fully buffered into a String and sent over IPC, which can lead to renderer freezes/OOMs in the desktop app.

Changes:

• Introduce a READ_FILE_MAX_BYTES constant (10 MiB) for read_file.
• read_file now stats the target first and returns a clear error when the file exceeds the limit.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.