feat(CPL-323): raise jsParams limit, enforce combined 16 MB code + jsParams budget

[GTC6244]

Summary

Replaces the 64 KB documented (but unenforced) js_params cap with a single 16 MB combined budget for code + js_params against max_code_length. The 16 MB budget is enforced server-side in execute_js_inner by serializing js_params once and summing its length with code.len() before dispatching to the lit-actions runtime. Rocket's JSON body limit is raised from 10 MiB to 20 MiB so a full 16 MB combined payload fits after JSON-encoding overhead. Docs (docs/lit-actions/limits.mdx, lit-static/SKILL.md) updated to describe the shared budget; the (currently disabled) max_code_length test assertion updated to match the new error string.

Test plan

• cargo check --tests clean (verified locally)
• cargo fmt --check clean (verified locally)
• Submit a request where code + js_params is just under 16 MB and confirm it executes
• Submit a request where code + js_params exceeds 16 MB and confirm the new combined-size error fires
• Confirm a ~15 MB JSON body is no longer rejected by Rocket at the body-limit layer

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR updates Lit Actions request size handling by replacing the previously documented (but unenforced) js_params limit with a single shared size budget for code + js_params, enforced in the API server before dispatching to the lit-actions runtime. It also raises Rocket’s JSON body limit and updates docs/tests to match the new combined-limit semantics.

Changes:

• Enforce a combined code + js_params size check against max_code_length in execute_js_inner.
• Increase Rocket JSON body limit to allow larger Lit Action requests.
• Update limits documentation and adjust the max-length test assertion string.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
lit-api-server/src/actions/client/execution.rs	Adds combined-size enforcement and reuses serialized js_params bytes for dispatch.
lit-api-server/Rocket.toml	Raises the global Rocket JSON body limit from 10 MiB to 20 MiB.
lit-api-server/src/actions/tests.rs	Updates expected error string for max-length enforcement.
docs/lit-actions/limits.mdx	Documents the shared 16 MB budget for code + js_params.
lit-static/SKILL.md	Updates the published limit table to reflect the combined budget.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[GTC6244]

CI failure analysis

The lit-actions job failed with 5 test failures in lit-actions/tests/it.rs:

• set_response, webcrypto, wasm, timeout — all transport error: Connection refused (os error 111)
• pool_warm_hit — expected pool hit (hits before=0, after=0, target=10)

Investigation:

• This PR touches zero lit-actions/ code (only lit-api-server/, docs/, lit-static/SKILL.md).
• All 5 tests pass locally on this branch: cargo test --test integration -- set_response webcrypto wasm timeout pool_warm_hit → 5 passed; 0 failed.
• The CI log shows a ResourceExhausted event from the OOM test immediately before the connection-refused cluster, suggesting the lit-actions test server lost connectivity on the CI runner after the OOM-test scenario.

Treating these as flaky CI; rerunning the failed job. Will reassess if it reproduces on the next run.

Copilot review feedback:

• execution.rs: dropped .ok().unwrap_or_default() swallowing — now uses .transpose()? so a js_params serialization failure propagates and the Option<Vec<u8>> stays in sync with globals (36b22f8)
• Rocket.toml: replied — global 20 MiB is intentional; only /lit_action legitimately needs >10 MiB, and a per-route limit can be a follow-up
• tests.rs: replied — the actions::tests module is currently disabled at actions/mod.rs:8-9, so expanding it doesn't run in CI; combined-budget logic is exercised by lit-actions/tests/it.rs::js_params