fix(upload): harden upload flow — sanitize filenames, refresh CF cookies, deduplicate handlers

- Sanitize Content-Disposition filenames to prevent header injection (strip control chars, quotes, semicolons)
- Add CloudFront cookie refresh middleware so cookies are re-issued when expired
- Log errors in groupAttachments instead of silently swallowing them
- Move useFileUpload hook to shared/hooks/ per project architecture conventions
- Add uploadWithToast helper to deduplicate try/catch/toast pattern across 3 components
- Refactor ApiClient.uploadFile to reuse auth headers, 401 handling, and error parsing
- Allow empty MIME types client-side (let server sniff and decide)
- Constrain Image extension max-width in rich-text-editor to prevent layout overflow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

server/internal/middleware/cloudfront.go

@@ -0,0 +1,28 @@
+package middleware
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/multica-ai/multica/server/internal/auth"
+)
+
+// RefreshCloudFrontCookies is middleware that refreshes CloudFront signed cookies
+// on authenticated requests when the cookie is missing (expired or first request
+// after login). This prevents 403s from the CDN when cookies expire before the
+// user's session does.
+func RefreshCloudFrontCookies(signer *auth.CloudFrontSigner) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		if signer == nil {
+			return next
+		}
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, err := r.Cookie("CloudFront-Policy"); err != nil {
+				for _, cookie := range signer.SignedCookies(time.Now().Add(72 * time.Hour)) {
+					http.SetCookie(w, cookie)
+				}
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}