
security(evidence): enforce size/type/count limits, magic-number chec…#485

Merged: Baskarayelu merged 1 commit into CredenceOrg:main from fikrah-Tech:security/evidence-upload-limits on Jun 19, 2026

Conversation

@yunus-dev-codecrafter (Contributor)

closes #465
Summary:

  • What: Enforce strict limits and validation on POST /api/evidence/upload to prevent DoS and storage abuse.
  • Why: Prevent unbounded uploads (size/count/type) and ensure content matches declared MIME before persisting.

Changes:

  • Route: evidence.ts — add multer limits (10MB/file, max 5 files, 1MB field), extension + MIME allow-list, post-upload magic-number (content sniff) validation, memory storage, and detailed error handling.
  • Metrics: add evidence_upload_rejected_total (labelled by reason) and evidence_upload_accepted_total.
  • Tests: evidence.test.ts — cover oversized files, too many files, disallowed MIME/extension, magic-number mismatch, empty file, success path, and metric assertions.
  • Docs: update evidence-upload-security.md with limits, responses, and testing notes.

Testing:

  • Unit/integration tests added and passing locally: npm exec -- vitest run src/routes/evidence.test.ts (17/17).
  • Manual smoke: upload valid JPEG/PNG/PDF accepted; invalid types/sizes rejected with appropriate status and metric increments.

Risk & Rollout:

  • Low risk — validation is enforced at the edge and uses memory storage to avoid temp-file leaks. Verify production memory budget for concurrent uploads; consider switching to streaming or disk-backed handling if large concurrent uploads are expected.

Notes / Follow-up:

  • Preserve existing proof-of-erasure flow (erasureProof.ts) — unchanged.
  • Recommend monitoring evidence_upload_rejected_total{reason} for false positives after rollout and adjusting allow-list/signatures if needed.

Acceptance:

  • Limits enforced pre-persist, rejected uploads cleaned (no temp-file leak), metrics emitted, tests cover validation paths.

@Baskarayelu (Contributor)

good hardening - size/type/count limits plus magic-number sniffing on evidence uploads closes a real DoS/abuse vector at the edge. merging 🔒

@Baskarayelu Baskarayelu merged commit 599e9b3 into CredenceOrg:main Jun 19, 2026
0 of 2 checks passed

Linked issue (closed by this merge): Validate and bound evidence uploads (multer) in src/routes/evidence.ts against oversized and malformed files