OpenGradient · adambalogh · Jun 3, 2026 · Jun 3, 2026
diff --git a/tee_gateway/controllers/ohttp_controller.py b/tee_gateway/controllers/ohttp_controller.py
@@ -88,11 +88,10 @@
 _SSE_CONTENT_TYPE = "text/event-stream"
 
 # Cap on the encapsulated request size. The inner payload is a chat-completion
-# JSON body; even with long conversation history this comfortably fits in a few
-# hundred KB. Rejecting larger bodies up-front prevents a malicious relay from
-# forcing the enclave to allocate and attempt HPKE decapsulation on arbitrarily
-# large blobs.
-_MAX_ENCAPSULATED_REQUEST_BYTES = 512 * 1024
+# JSON body and may include base64 image attachments; 16 MiB covers roughly a
+# 10 MiB raw image after base64/JSON overhead while still bounding enclave
+# memory use for malicious or accidentally huge payloads.
+_MAX_ENCAPSULATED_REQUEST_BYTES = 16 * 1024 * 1024
 
 # Fields that can re-identify a client and have no role in inference. We drop
 # them before forwarding to the inner handler — keeping them inside the

diff --git a/tee_gateway/test/test_ohttp_controller.py b/tee_gateway/test/test_ohttp_controller.py
@@ -127,7 +127,7 @@ def fake_get_tee_keys():
 
 def test_oversized_body_returns_413(monkeypatch):
     sk, _ = ohttp.generate_keypair()
-    # Body is well past _MAX_ENCAPSULATED_REQUEST_BYTES (512 KiB). Werkzeug
+    # Body is well past _MAX_ENCAPSULATED_REQUEST_BYTES. Werkzeug
     # will set Content-Length from the data length, so the up-front check
     # fires before any HPKE work.
     app, captured, fake_keys = _make_app(lambda: ("200 OK", [], iter([])), sk)