refactor(server): replace custom remote clients with macro-based implementation

- Replaced manual remote client functions with remote_client! macro for archive, blame, branch, commit, and diff services
- Simplified remote client creation logic using declarative macro approach
- Maintained same functionality while reducing code duplication across services

security(bare): enhance path traversal protection with comprehensive validation

- Added early relative_path validation to prevent path traversal attacks
- Implemented unified path validation to avoid TOCTOU race conditions
- Enhanced canonicalization checks for both existing and non-existent paths
- Added detailed logging for path traversal detection attempts

feat(cache): migrate from CLruCache to Moka with TTL and invalidation support

- Replaced clru dependency with moka for improved caching capabilities
- Added 300-second time-to-live for cache entries
- Implemented repository-specific cache invalidation mechanism
- Enhanced cache operations with thread-safe async support

refactor(commit): improve security validation for commit operations

- Added ref name validation to prevent command injection in cherry_pick_commit
- Implemented revision validation for commit selectors
- Added comprehensive input validation for create_commit parameters
- Enhanced file path validation to prevent traversal

actor/message.rs

@@ -1,7 +1,7 @@
+use crate::pb::RepositoryHeader;
 use ractor::RpcReplyPort;
 use ractor_cluster::BytesConvertable;
 use ractor_cluster::RactorClusterMessage;
-use crate::pb::RepositoryHeader;
 
 impl BytesConvertable for RepositoryHeader {
     fn into_bytes(self) -> Vec<u8> {
@@ -73,7 +73,10 @@ impl BytesConvertable for NodeHealth {
         let values = decode_strings(bytes);
         Self {
             storage_name: values.first().cloned().unwrap_or_default(),
-            repo_count: values.get(1).and_then(|v| v.parse().ok()).unwrap_or_default(),
+            repo_count: values
+                .get(1)
+                .and_then(|v| v.parse().ok())
+                .unwrap_or_default(),
             healthy: values.get(2).is_some_and(|v| v == "1"),
             version: values.get(3).cloned().unwrap_or_default(),
         }
@@ -156,17 +159,69 @@ fn encode_strings(values: &[String]) -> Vec<u8> {
     buf
 }
 
+// Maximum allowed length for a single string in the message
+const MAX_STRING_LEN: usize = 10 * 1024 * 1024; // 10MB
+// Maximum total message size
+const MAX_TOTAL_SIZE: usize = 50 * 1024 * 1024; // 50MB
+
 fn decode_strings(bytes: Vec<u8>) -> Vec<String> {
     let mut values = Vec::new();
     let mut offset = 0;
+
+    // Check total message size
+    if bytes.len() > MAX_TOTAL_SIZE {
+        tracing::warn!(
+            total = bytes.len(),
+            max = MAX_TOTAL_SIZE,
+            "message exceeds maximum size, truncating"
+        );
+        return values;
+    }
+
     while offset + 8 <= bytes.len() {
-        let len = u64::from_be_bytes(bytes[offset..offset + 8].try_into().unwrap()) as usize;
-        offset += 8;
-        if offset + len > bytes.len() {
+        let len_bytes: [u8; 8] = bytes[offset..offset + 8].try_into().unwrap_or([0u8; 8]);
+        let len_u64 = u64::from_be_bytes(len_bytes);
+
+        // Prevent DoS via extremely large length values
+        if len_u64 > MAX_STRING_LEN as u64 {
+            tracing::warn!(
+                offset,
+                claimed_len = len_u64,
+                max = MAX_STRING_LEN,
+                "string length exceeds maximum, stopping decode"
+            );
             break;
         }
-        values.push(String::from_utf8_lossy(&bytes[offset..offset + len]).into_owned());
-        offset += len;
+
+        let len = len_u64 as usize;
+        offset += 8;
+
+        // Prevent integer overflow in offset calculation
+        let end_offset = match offset.checked_add(len) {
+            Some(end) => end,
+            None => {
+                tracing::warn!(
+                    offset,
+                    len,
+                    "integer overflow in offset calculation, stopping decode"
+                );
+                break;
+            }
+        };
+
+        if len == 0 || end_offset > bytes.len() {
+            // Invalid length — stop decoding, return what we have so far
+            tracing::warn!(
+                offset,
+                claimed_len = len,
+                total = bytes.len(),
+                "malformed bytes in decode_strings, stopping early"
+            );
+            break;
+        }
+
+        values.push(String::from_utf8_lossy(&bytes[offset..end_offset]).into_owned());
+        offset = end_offset;
     }
     values
 }