Add security fixes: SHA256 hash validation and streaming file size enforcement

- Add field_validator to ResumableUploadInitRequest to validate expected_hash
  is a valid 64-character lowercase hex SHA256 hash (normalizes to lowercase)
- Add FileSizeExceededError exception for file size limit violations
- Enforce file size limits in storage layer during streaming (prevents
  Content-Length header spoofing)
- Add FileSizeExceededError handler in upload endpoint returning HTTP 413
- Add node_modules and frontend/dist to .gitignore

backend/app/schemas.py

@@ -1,6 +1,6 @@
 from datetime import datetime
 from typing import Optional, List, Dict, Any, Generic, TypeVar
-from pydantic import BaseModel
+from pydantic import BaseModel, field_validator
 from uuid import UUID
 
 T = TypeVar("T")
@@ -266,6 +266,18 @@ class ResumableUploadInitRequest(BaseModel):
     size: int
     tag: Optional[str] = None
 
+    @field_validator("expected_hash")
+    @classmethod
+    def validate_sha256_hash(cls, v: str) -> str:
+        """Validate that expected_hash is a valid 64-character lowercase hex SHA256 hash."""
+        import re
+
+        if not re.match(r"^[a-f0-9]{64}$", v.lower()):
+            raise ValueError(
+                "expected_hash must be a valid 64-character lowercase hexadecimal SHA256 hash"
+            )
+        return v.lower()  # Normalize to lowercase
+
 
 class ResumableUploadInitResponse(BaseModel):
     """Response from initiating a resumable upload"""