fix: handle invalid image payloads from Read tool

[LIU9293]

Issue for this PR

Closes #15264

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

A malformed image attachment from Read could reach the provider as an image/file part and trigger a hard provider error ("image data does not represent a valid image"), which then caused follow-up turns to keep failing in the same session.

This PR validates image payloads before provider send:

• checks base64 shape for data URLs
• checks image signatures for png/jpeg/gif/webp
• applies to both image parts and file parts carrying image media (data or data-url url)
• downgrades invalid payloads to a safe text error message so the session continues

Also adds regression tests for invalid base64 image parts and invalid image file data.

How did you verify your code works?

• Ran bun test test/provider/transform.test.ts in packages/opencode
• Added and ran regression tests covering:
  • invalid base64 in image part
  • invalid bytes in image file part
• Ran bun run typecheck in packages/opencode

Screenshots / recordings

N/A (non-UI change)

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

1. Open an issue describing the bug/feature (if one doesn't exist)
2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

Based on my search, I found one potentially related PR that might be addressing similar image handling concerns:

Related PR:

• fix(tui): read tool uppercase/mixed case image extensions #11333 - fix(tui): read tool uppercase/mixed case image extensions (fix(tui): read tool uppercase/mixed case image extensions #11333)

This PR also deals with image handling in the Read tool context, though it focuses on file extension casing rather than payload validation. It might be worth checking if there's any overlap in scope.

The current PR (#15262) appears to be unique in its focus on validating image payloads with binary signature checks and base64 sanity checks before provider submission - a more comprehensive validation approach than what I found in the search results.

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍