fix(browser): block upload symlink escapes

[mbelinky]

Summary\n- add resolveExistingPathsWithinRoot() to validate upload paths via safe file-open under root\n- reject symlink and non-regular file escapes while preserving existing not-found behavior\n- update browser upload call sites to await the new validator\n- add dedicated tests for traversal and symlink-escape cases\n\n## Why\nThis lands the browser path-hardening piece from #21268 separately from app deep-link changes.

Greptile Summary

Added resolveExistingPathsWithinRoot() to validate file upload paths via safe file-open operations, preventing symlink escapes and path traversal attacks while preserving existing behavior for non-existent files.

• Introduced new async path validator using openFileWithinRoot() from fs-safe.ts
• Updated all three upload call sites to use the new async validator
• Added comprehensive tests covering traversal, symlink escapes, and edge cases
• Maintains backward compatibility by allowing non-existent files to pass through validation

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it strengthens security without breaking existing functionality
• The implementation correctly addresses symlink escape vulnerabilities using well-tested openFileWithinRoot() from fs-safe.ts. All call sites properly await the new async function, error handling follows project conventions, and comprehensive tests validate the security improvements. The backward-compatible handling of non-existent files preserves existing behavior.
• No files require special attention

_{Last reviewed commit: 9520890}

[bmendonca3]

Do the tests cover “non-regular file” cases (f.e. directories/FIFOs) across platforms, or is that intentionally out of scope for now? Happy to help add coverage if needed

[mbelinky]

Merged via squash.

• Prepared head SHA: 4381ef9
• Merge commit: 8e4f6c0

Thanks @mbelinky!