fix(volume-browser): address security review findings

Critical fixes:
- IDOR: verify volume belongs to project before resolving path
- Upload: override global 1MB body limit for upload endpoint (100MB)

High-priority fixes:
- Symlink escape: use filepath.EvalSymlinks in safePath validation
- Remove host filesystem path from browse API response
- Sanitize Content-Disposition filenames, force application/octet-stream
- Strip directory components from upload filenames
2026-04-01 23:17:35 +03:00
parent aacdd255a9
commit 0491849f0f
4 changed files with 40 additions and 13 deletions
-1
@@ -196,7 +196,6 @@ export interface FileEntry {
/** Response from the volume browse endpoint. */
export interface BrowseResult {
path: string;
root: string;
entries: FileEntry[];
}
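Review bot: `path` is now the only location field left on `BrowseResult` (the hunk appears to drop `root`, going by the commit message and the `-196,7 +196,6` counts), but nothing on the interface says whether it is relative to the volume root. Since the point of the change is to keep host filesystem paths away from the client, I would state that contract on the field, e.g. `/** Path relative to the volume root; never an absolute host path. */`. TypeScript types are erased at runtime, so this interface cannot enforce the removal. The server handler, which is not visible here, still has to omit `root` from the JSON, and a response test asserting its absence would guard against regressions.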
@@ -12,7 +12,6 @@
let entries = $state<FileEntry[]>([]);
let currentPath = $state('');
let rootPath = $state('');
let loading = $state(true);
let error = $state('');
let uploading = $state(false);
@@ -62,7 +61,6 @@
const result = await api.browseVolume(projectId, volId, { path, stage, tag });
entries = result.entries;
currentPath = result.path || '';
rootPath = result.root;
} catch (e) {
error = e instanceof Error ? e.message : $t('volumeBrowser.loadFailed');
} finally {
@@ -153,9 +151,6 @@
</label>
</div>
</div>
{#if rootPath}
<p class="mt-1 text-xs text-[var(--text-tertiary)] font-mono">{rootPath}</p>
{/if}
</div>
<!-- Breadcrumbs -->