fix(transcription): cap @mention search input at maxlength=100

Soft-cap on the client side mitigates CWE-400 query amplification
(server-side cap remains a separate backend PR).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/src/lib/shared/discussion/MentionDropdown.svelte

@@ -166,6 +166,7 @@ function selectItem(item: Person) {
 				id="mention-search"
 				type="search"
 				data-test-search-input
+				maxlength="100"
 				class="min-h-[44px] w-full bg-transparent font-sans text-sm text-ink placeholder:text-ink-3 focus:outline-none focus-visible:ring-2 focus-visible:ring-brand-navy focus-visible:ring-inset"
 				placeholder={m.person_mention_search_prompt()}
 				bind:value={searchQuery}

frontend/src/lib/shared/discussion/MentionDropdown.svelte.test.ts

@@ -154,6 +154,14 @@ describe('MentionDropdown — search input', () => {
 		expect(input.className).toContain('min-h-[44px]');
 	});
 
+	it('caps the search input at maxlength=100 (CWE-400 amplification — Nora on PR #629)', async () => {
+		render(MentionDropdown, { props: { model: baseModel() } });
+
+		const input = document.querySelector('[data-test-search-input]') as HTMLInputElement;
+		expect(input).not.toBeNull();
+		expect(input.maxLength).toBe(100);
+	});
+
 	it('invokes onSearch with the current value whenever the user types', async () => {
 		const onSearch = vi.fn();
 		render(MentionDropdown, { props: { model: baseModel(), onSearch } });