Username has no maximum length enforced

[windoze95]

Summary

In internal/service/user.go:170-250, ValidateUsername enforces a minimum length of 3 characters but no maximum. A user can submit a username of arbitrary length, which:

• Wastes database storage (unbounded VARCHAR)
• Slows down the profanity detector (goaway) which processes the full string
• Can cause UI rendering issues in clients expecting short display names
• Could be used as a minor DoS vector

Suggested Fix

Add a max length check:

const maxUsernameLength = 30
if len(username) > maxUsernameLength {
    return fmt.Errorf("username must be at most %d characters", maxUsernameLength)
}

Also consider adding a DB-level constraint if not already present.