203e63edc2
Addresses Copilot review on PR #9: - /api/vision: add MAX_ANNOTATED_BYTES (3 MB) cap on annotatedImageBase64, plus an explicit type/non-empty check. Browser annotator resizes to 768 wide (typically 200-800 KB base64), so 3 MB rejects abusive direct-API payloads that would otherwise inflate upstream vision LLM costs. - annotateClient: replace `img.src = ""` on timeout with removeAttribute to avoid the legacy browser behavior of treating empty src as a navigation to the current document URL. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>