Fix path traversal vulnerability in media server

The /media/:id endpoint was vulnerable to path traversal attacks.
Since this endpoint is exposed via Tailscale Funnel (unlike the
WhatsApp webhook which requires Twilio signature validation),
attackers could directly request paths like /media/%2e%2e%2fwarelay.json
to access sensitive files in ~/.warelay/ (e.g. warelay.json), or even
escape further to the user's home directory via multiple ../ sequences.

Fix: validate resolved paths stay within the media directory.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/media/server.test.ts

@@ -49,4 +49,14 @@ describe("media server", () => {
     await expect(fs.stat(file)).rejects.toThrow();
     await new Promise((r) => server.close(r));
   });
+
+  it("blocks path traversal attempts", async () => {
+    const server = await startMediaServer(0, 5_000);
+    const port = (server.address() as AddressInfo).port;
+    // URL-encoded "../" to bypass client-side path normalization
+    const res = await fetch(`http://localhost:${port}/media/%2e%2e%2fpackage.json`);
+    expect(res.status).toBe(400);
+    expect(await res.text()).toBe("invalid path");
+    await new Promise((r) => server.close(r));
+  });
 });

src/media/server.ts

@@ -17,7 +17,12 @@ export function attachMediaRoutes(
 
   app.get("/media/:id", async (req, res) => {
     const id = req.params.id;
-    const file = path.join(mediaDir, id);
+    const file = path.resolve(mediaDir, id);
+    const mediaRoot = path.resolve(mediaDir) + path.sep;
+    if (!file.startsWith(mediaRoot)) {
+      res.status(400).send("invalid path");
+      return;
+    }
     try {
       const stat = await fs.stat(file);
       if (Date.now() - stat.mtimeMs > ttlMs) {