feat(01-02): add request body size limits (1MB) to webhook and tag handlers

- Add maxBodyBytes constant (1 << 20 = 1 MB)
- Add errors import to production file
- Apply http.MaxBytesReader + errors.As(err, *http.MaxBytesError) pattern in:
  WebhookHandler, TagsHandler POST, TagAssignmentHandler PUT and DELETE
- Return HTTP 413 RequestEntityTooLarge when body exceeds limit
- Fix oversized body test strategy: use JSON prefix so decoder reads past limit
  (Rule 1 deviation: all-x body fails at byte 1 before MaxBytesReader triggers)

pkg/diunwebhook/diunwebhook.go

@@ -4,6 +4,7 @@ import (
 	"crypto/subtle"
 	"database/sql"
 	"encoding/json"
+	"errors"
 	"log"
 	"net/http"
 	"strconv"
@@ -14,6 +15,8 @@ import (
 	_ "modernc.org/sqlite"
 )
 
+const maxBodyBytes = 1 << 20 // 1 MB
+
 type DiunEvent struct {
 	DiunVersion string    `json:"diun_version"`
 	Hostname    string    `json:"hostname"`
@@ -199,9 +202,15 @@ func WebhookHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
 	var event DiunEvent
 
 	if err := json.NewDecoder(r.Body).Decode(&event); err != nil {
+		var maxBytesErr *http.MaxBytesError
+		if errors.As(err, &maxBytesErr) {
+			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
+			return
+		}
 		log.Printf("WebhookHandler: failed to decode request: %v", err)
 		http.Error(w, "bad request", http.StatusBadRequest)
 		return
@@ -296,10 +305,20 @@ func TagsHandler(w http.ResponseWriter, r *http.Request) {
 		}
 
 	case http.MethodPost:
+		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
 		var req struct {
 			Name string `json:"name"`
 		}
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Name == "" {
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			var maxBytesErr *http.MaxBytesError
+			if errors.As(err, &maxBytesErr) {
+				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
+				return
+			}
+			http.Error(w, "bad request: name required", http.StatusBadRequest)
+			return
+		}
+		if req.Name == "" {
 			http.Error(w, "bad request: name required", http.StatusBadRequest)
 			return
 		}
@@ -358,11 +377,21 @@ func TagByIDHandler(w http.ResponseWriter, r *http.Request) {
 func TagAssignmentHandler(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodPut:
+		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
 		var req struct {
 			Image string `json:"image"`
 			TagID int    `json:"tag_id"`
 		}
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Image == "" {
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			var maxBytesErr *http.MaxBytesError
+			if errors.As(err, &maxBytesErr) {
+				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
+				return
+			}
+			http.Error(w, "bad request", http.StatusBadRequest)
+			return
+		}
+		if req.Image == "" {
 			http.Error(w, "bad request", http.StatusBadRequest)
 			return
 		}
@@ -383,10 +412,20 @@ func TagAssignmentHandler(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 
 	case http.MethodDelete:
+		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
 		var req struct {
 			Image string `json:"image"`
 		}
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Image == "" {
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			var maxBytesErr *http.MaxBytesError
+			if errors.As(err, &maxBytesErr) {
+				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
+				return
+			}
+			http.Error(w, "bad request", http.StatusBadRequest)
+			return
+		}
+		if req.Image == "" {
 			http.Error(w, "bad request", http.StatusBadRequest)
 			return
 		}