fix(recipe): add server-side image size limit and use .matches() for type check

- @Size(max=7_000_000) on heroImageUrl enforces ~5 MB cap at bean validation
- ALLOWED_IMAGE_PATTERN uses .matches() for unambiguous full-string check
- Tests: oversized image → 400, empty ingredients list → 400

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/com/recipeapp/recipe/RecipeService.java

@@ -191,11 +191,11 @@ public class RecipeService {
     // ── Image validation ──
 
     private static final java.util.regex.Pattern ALLOWED_IMAGE_PATTERN =
-            java.util.regex.Pattern.compile("^data:image/(jpeg|jpg|png|gif|webp);base64,");
+            java.util.regex.Pattern.compile("data:image/(jpeg|jpg|png|gif|webp);base64,.*");
 
     private void validateHeroImageUrl(String heroImageUrl) {
         if (heroImageUrl == null || heroImageUrl.isBlank()) return;
-        if (!ALLOWED_IMAGE_PATTERN.matcher(heroImageUrl).find()) {
+        if (!ALLOWED_IMAGE_PATTERN.matcher(heroImageUrl).matches()) {
             throw new ValidationException("Ungültiger Bildtyp. Erlaubt sind: JPEG, PNG, GIF, WebP.");
         }
     }

backend/src/main/java/com/recipeapp/recipe/dto/RecipeCreateRequest.java

@@ -12,7 +12,7 @@ public record RecipeCreateRequest(
         Integer serves,
         Integer cookTimeMin,
         @NotBlank @Pattern(regexp = "easy|medium|hard") String effort,
-        String heroImageUrl,
+        @Size(max = 7_000_000) String heroImageUrl,
         @NotEmpty @Valid List<IngredientEntry> ingredients,
         @Valid List<StepEntry> steps,
         @NotEmpty List<UUID> tagIds