fix: harden IPC, screenshot, paging, and tab filter error handling

- tabs.py: validate screenshot data URL prefix and catch binascii.Error
  instead of silently writing a zero-byte file or crashing with a raw traceback
- serve.py: add 30 s recv timeout on client connections to prevent unbounded
  thread accumulation; use hmac.compare_digest for constant-time token check
- native_host.py: bind Unix socket before _registry_add to eliminate the
  window where the registry points to an unbound path; cap paging loop at
  ceil(10000/PAGE_SIZE) iterations to guard against a misbehaving extension;
  remove dead no-hello fast-path queue that was registered but never consumed
- __init__.py: narrow _apply_tab_filter except to (AttributeError, TypeError)
  so broken filter functions raise instead of silently returning wrong results

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

browser_cli/commands/serve.py

@@ -1,4 +1,4 @@
-import threading, secrets, socket, struct, click, json, sys
+import hmac, threading, secrets, socket, struct, click, json, sys
 from rich.console import Console
 from datetime import datetime
 
@@ -51,7 +51,7 @@ def _proxy_request(client_sock:socket.socket, addr:tuple, profile:str|None, serv
   command = msg.get("command", "?")
 
   if server_token is not None:
-    if msg.get("token") != server_token:
+    if not hmac.compare_digest(msg.get("token") or "", server_token):
       _send_error(msg_id, "unauthorized: invalid or missing token")
       _log(addr, command, None, "DENIED", "bad token")
       return
@@ -110,6 +110,7 @@ def _proxy_request(client_sock:socket.socket, addr:tuple, profile:str|None, serv
     _log(addr, command, resolved_profile, "ERROR", str(e))
 
 def _handle_client(client_sock:socket.socket, addr:tuple, profile:str|None, server_token:str|None) -> None:
+  client_sock.settimeout(30)
   with client_sock:
     _proxy_request(client_sock, addr, profile, server_token)