Cap generated media file size before delivery #45

@crankshift

Summary

Add a safe size cap for generated media delivery so OpenCode Remote rejects oversized generated image files before reading the full file into memory.

Context

Generated media delivery currently validates and sends local image files from the allowed generated-media cache. A review of the meme runtime PR noted a non-blocking risk: a very large file inside the allowed cache directory could be read fully into memory before Telegram rejects it. The fix should preserve the existing path-safety and privacy behavior while bounding memory exposure.

Acceptance Criteria

  • Generated media delivery enforces a documented maximum file size before reading file contents into memory.
  • Oversized generated media is skipped with a safe user-facing fallback and sanitized structured logging.
  • Logs and user-facing messages do not include raw local paths, Telegram identifiers, provider bodies, or secrets.
  • Tests cover oversized media rejection and confirm valid media under the cap still sends.

Notes

Raised during review of PR #44. Consider aligning the cap with Telegram photo/document limits or choosing a conservative image-specific limit.
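
One way to meet the first two acceptance criteria, as an added sketch that is not part of the issue or the project's own code. It assumes a Python delivery path whose input has already passed the existing path-safety checks; the 5 MiB cap, the fallback text and all function names are hypothetical.

```python
import logging
import os

# Assumed cap for illustration; the issue leaves the actual value open.
MAX_GENERATED_MEDIA_BYTES = 5 * 1024 * 1024
# Hypothetical fallback text; it names no path, chat or provider detail.
FALLBACK_TEXT = "The generated image was too large to send."

log = logging.getLogger("generated_media")


class MediaTooLarge(Exception):
    """Generated media file exceeds the configured cap."""


def read_capped(path, max_bytes=MAX_GENERATED_MEDIA_BYTES):
    """Return the file's bytes, never holding more than max_bytes + 1."""
    with open(path, "rb") as fh:
        # fstat the open descriptor so the size check and the read refer
        # to the same file even if the path is replaced afterwards.
        if os.fstat(fh.fileno()).st_size > max_bytes:
            raise MediaTooLarge("size_over_cap")
        # Bounded read: a file that grows after the check still cannot
        # pull more than max_bytes + 1 bytes into memory.
        data = fh.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise MediaTooLarge("grew_during_read")
    return data


def load_for_delivery(path, max_bytes=MAX_GENERATED_MEDIA_BYTES):
    """Return (data, None) on success or (None, fallback_text) on skip."""
    try:
        return read_capped(path, max_bytes), None
    except MediaTooLarge as exc:
        # Sanitized structured log: reason code and cap only, no path.
        log.warning("generated_media_skipped",
                    extra={"reason": str(exc), "cap_bytes": max_bytes})
        return None, FALLBACK_TEXT
```

The bounded `read(max_bytes + 1)` is what keeps memory exposure fixed when the file changes between the size check and the read; the size check alone only covers files that are already oversized.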
