Production readiness: repo cleanup, input validation, upload security

[Copilot]

Tighten the codebase for production use — remove tracked artifacts that should never have been committed, add missing input validation, and harden file upload security.

Repo cleanup

• Remove 43 tracked files from git history: .env with secrets, log files, .mp4 uploads, temp copilot session data
• Update .gitignore to cover *.log, *.mp4/*.avi/*.mkv/*.mov, apps/backend/projects/, apps/backend/tmp-copilot/

Upload security

• Add path traversal protection via isSafeFileId() — rejects separators, .., null bytes, hidden files, and verifies resolved path stays within upload dir
• Add MIME type whitelist (ALLOWED_MIME_TYPES) restricting uploads to video/audio/image
• Add typed multer error handler for proper 400/413 responses on rejection

function isSafeFileId(fileId: string): boolean {
    if (fileId.includes('/') || fileId.includes('\\') || fileId.includes('\0') || fileId.startsWith('.')) {
        return false;
    }
    const normalized = path.normalize(fileId);
    if (normalized !== fileId || normalized.includes('..')) return false;
    return path.resolve(uploadDir, normalized).startsWith(path.resolve(uploadDir));
}

Input validation

• Copilot REST POST /chat: reject requests missing content string
• WebSocket copilot.message: validate content before processing, return error frame if missing

Config hardening

• Add startup warnings when API key is missing for the selected LLM provider
• Remove hardcoded Windows path from verify-copilot-tools.ts, use portable path.resolve() from node_modules
• Update .env.example to document all 5 provider options and GEMINI_API_KEY

Misc

• Remove stale comment from health endpoint

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.