Add Input Length Limit guardrail plugin against DoW attacks
>>> [!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #3582856. -->
Reported by: [marcus_johansson](https://www.drupal.org/user/385947)
Related to !1407
>>>
<p>[Tracker]<br>
<strong>Update Summary: </strong>[One-line status update for stakeholders]<br>
<strong>Short Description: </strong>Add Input Length Limit guardrail plugin<br>
<strong>Check-in Date: </strong>MM/DD/YYYY<br>
[/Tracker]</p>
<h3 id="summary-problem-motivation">Problem/Motivation</h3>
<p>There is currently no guardrail to limit the length of user input sent to AI providers. Excessively long inputs can be used for context stuffing attacks, denial-of-wallet attacks (consuming expensive API tokens), or to overwhelm the AI model's context window.</p>
<p>A simple input length limit guardrail would provide a configurable safety net that blocks requests exceeding a character or token count before they reach the provider API.</p>
<h3 id="summary-proposed-resolution">Proposed resolution</h3>
<ul>
<li>Create a new <code>InputLengthLimit</code> guardrail plugin that implements <code>processInput()</code>.</li>
<li>Allow configuring a maximum length in characters, with an option to use the <code>ai.tokenizer</code> service for token-based counting instead.</li>
<li>The limit should apply to the last user message by default, with a configurable option to apply to the total conversation length (all messages combined).</li>
<li>Return a <code>StopResult</code> when the input exceeds the limit, with a configurable violation message.</li>
<li>Add tests covering both character-based and token-based limits.</li>
</ul>
<h3 id="summary-ai-usage">AI usage (if applicable)</h3>
<p>[x] AI Assisted Issue<br>
This issue was generated with AI assistance, but was reviewed and refined by the creator.</p>
<p>[ ] AI Assisted Code<br>
[x] AI Generated Code<br>
[ ] Vibe Coded</p>
<p>- <strong>This issue was created with the help of AI</strong></p>
issue