- Create validateWorkflowPath() utility to prevent path traversal attacks
- Reject non-absolute paths, traversal sequences, and dangerous system directories
- Apply validation to workflow and workflow-images POST/GET handlers
- Fix workflow-images ENOENT-specific catch block to match workflow route pattern
- Fix workflow mkdir failure status code from 400 to 500 (server error)
- Add comprehensive path traversal tests for both routes
- All malicious path attempts now return 400 Bad Request