fix: Address CodeRabbit security and robustness review comments

- Guard against NaN ports from non-numeric env variables in constants.ts
- Validate IPC sender before returning API key to prevent leaking to
  untrusted senders (webviews, additional windows)
- Filter dialog properties to maintain file-only intent and prevent
  renderer from requesting directories via OPEN_FILE
- Fix Windows VS Code URL paths by ensuring leading slash after 'file'

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/ui/src/electron/ipc/auth-handlers.ts

@@ -14,7 +14,12 @@ import { state } from '../state';
 export function registerAuthHandlers(): void {
   // Get API key for authentication
   // Returns null in external server mode to trigger session-based auth
-  ipcMain.handle(IPC_CHANNELS.AUTH.GET_API_KEY, () => {
+  // Only returns API key to the main window to prevent leaking to untrusted senders
+  ipcMain.handle(IPC_CHANNELS.AUTH.GET_API_KEY, (event) => {
+    // Validate sender is the main window
+    if (event.sender !== state.mainWindow?.webContents) {
+      return null;
+    }
     if (state.isExternalServerMode) {
       return null;
     }