Add Input Length Limit guardrail plugin against DoW attacks
>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3582856. --> Reported by: [marcus_johansson](https://www.drupal.org/user/385947) Related to !1407 >>> <p>[Tracker]<br> <strong>Update Summary: </strong>[One-line status update for stakeholders]<br> <strong>Short Description: </strong>Add Input Length Limit guardrail plugin<br> <strong>Check-in Date: </strong>MM/DD/YYYY<br> [/Tracker]</p> <h3 id="summary-problem-motivation">Problem/Motivation</h3> <p>There is currently no guardrail to limit the length of user input sent to AI providers. Excessively long inputs can be used for context stuffing attacks, denial-of-wallet attacks (consuming expensive API tokens), or to overwhelm the AI model's context window.</p> <p>A simple input length limit guardrail would provide a configurable safety net that blocks requests exceeding a character or token count before they reach the provider API.</p> <h3 id="summary-proposed-resolution">Proposed resolution</h3> <ul> <li>Create a new <code>InputLengthLimit</code> guardrail plugin that implements <code>processInput()</code>.</li> <li>Allow configuring a maximum length in characters, with an option to use the <code>ai.tokenizer</code> service for token-based counting instead.</li> <li>The limit should apply to the last user message by default, with a configurable option to apply to the total conversation length (all messages combined).</li> <li>Return a <code>StopResult</code> when the input exceeds the limit, with a configurable violation message.</li> <li>Add tests covering both character-based and token-based limits.</li> </ul> <h3 id="summary-ai-usage">AI usage (if applicable)</h3> <p>[x] AI Assisted Issue<br> This issue was generated with AI assistance, but was reviewed and refined by the creator.</p> <p>[ ] AI Assisted Code<br> [x] AI Generated Code<br> [ ] Vibe Coded</p> <p>- <strong>This issue was created with the help of AI</strong></p>
issue