d47a71a03b
HTTP response bodies were collected with no size limit on both the Tor path (tor::request_once) and the clearnet path (http::clearnet_once), each doing into_body().collect().to_vec() unbounded. A compromised or malicious name-authority, relay-pool gist, NIP-11 relay-info, or price endpoint could stream a multi-GB body and OOM the wallet. The websocket path already caps frames at 4 MiB; HTTP did not. Add a shared collect_body_capped() that rejects an oversized Content-Length up front and bounds the actual streamed read frame by frame (catching a lying/absent Content-Length), returning a clean Err instead of panicking. Cap is 8 MiB: comfortably above every legitimate response (relay-pool gist, NIP-05/.well-known/by-pubkey JSON, NIP-11 info, price/fee JSON are all a few KiB; the 1 MiB avatar PNG is the largest) and a touch above the 4 MiB websocket ceiling, so nothing real is clipped.