net-core: enforce per-message size limits at codec decode time

Two distinct size guards on the receive path are now correctly layered:

1. **Demuxer buffer cap** (DoS protection): fixed at protocol registration via `ProtocolConfig::ingress_limit`, never narrowed at runtime. Sized to bound runaway accumulation when a protocol consumer falls behind.
2. **Codec per-message cap** (protocol conformance): `Runner::recv` passes `P::size_limit(state)` to `CodecRecv::recv`; after a CBOR value decodes, the consumed-bytes count is checked against the per-state spec limit and `MuxError::MessageTooLarge` is returned (and the connection torn down) for spec-violating peers.

The previous design conflated these — `Runner` overrode the demuxer's buffer cap with the current state's per-message cap on every transition, so a fast peer pipelining `MsgStartBatch` + `MsgBlock` into one TCP read could legitimately overflow before the local runner advanced the state.

Reverts `BlockFetch::size_limit` to spec (`SIZE_LIMIT_SMALL` for StIdle/StBusy, `SIZE_LIMIT_STREAMING` for StStreaming); the values are now actually enforced at decode time rather than misused as buffer caps.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
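The layering this commit message describes, as an added Rust example that is not the project's code: a fixed ingress cap on the buffer, and a per-state cap checked against the bytes one decoded CBOR value consumed. `Demux`, `RecvError`, `State`, `decode_one`, and the numeric limits are hypothetical stand-ins; only the `MessageTooLarge` name comes from the commit message.

```rust
// Added illustration: all names except MessageTooLarge are hypothetical,
// and the limits are constructed values, not the protocol's.
#[derive(Debug, PartialEq)]
enum RecvError { BufferFull, Malformed, MessageTooLarge { consumed: usize, limit: usize } }
#[derive(Clone, Copy)]
enum State { Idle, Streaming }
const INGRESS_LIMIT: usize = 64; // layer 1: fixed at registration, never narrowed
fn size_limit(s: State) -> usize { match s { State::Idle => 8, State::Streaming => 32 } }

struct Demux { buf: Vec<u8> }

impl Demux {
    // Layer 1 bounds accumulation only; it never looks at protocol state.
    fn push(&mut self, data: &[u8]) -> Result<(), RecvError> {
        if self.buf.len() + data.len() > INGRESS_LIMIT { return Err(RecvError::BufferFull); }
        self.buf.extend_from_slice(data);
        Ok(())
    }
}

// Decode one CBOR byte string (major type 2, length < 256): (payload, bytes consumed).
fn decode_one(buf: &[u8]) -> Result<Option<(Vec<u8>, usize)>, RecvError> {
    let Some(&head) = buf.first() else { return Ok(None) };
    let (hdr, len) = match head {
        0x40..=0x57 => (1, (head - 0x40) as usize),
        0x58 => match buf.get(1) { Some(&n) => (2, n as usize), None => return Ok(None) },
        _ => return Err(RecvError::Malformed),
    };
    if buf.len() < hdr + len { return Ok(None); } // incomplete: wait for more bytes
    Ok(Some((buf[hdr..hdr + len].to_vec(), hdr + len)))
}

// Layer 2: check the bytes this one value consumed against the current state's cap.
fn recv(d: &mut Demux, state: State) -> Result<Option<Vec<u8>>, RecvError> {
    let limit = size_limit(state);
    let Some((msg, consumed)) = decode_one(&d.buf)? else { return Ok(None) };
    if consumed > limit { return Err(RecvError::MessageTooLarge { consumed, limit }); }
    d.buf.drain(..consumed);
    Ok(Some(msg))
}

fn main() {
    let mut d = Demux { buf: Vec::new() };
    let mut wire = vec![0x43, 1, 2, 3, 0x54]; // small message (4 bytes) + large header
    wire.extend_from_slice(&[9u8; 20]); // large message body, 21 bytes encoded
    d.push(&wire).unwrap(); // 25 bytes in one read: over Idle's 8, under the ingress 64
    println!("{:?}", recv(&mut d, State::Idle)); // small message accepted
    println!("{:?}", recv(&mut d, State::Streaming)); // large accepted after the transition
}
```

In this sketch a value whose header declares more bytes than ever arrive is never decoded, so only the ingress cap bounds it.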