refactor: streamline ALLOWED_ROOT_DIRECTORY handling and remove legacy support

This commit refactors the handling of ALLOWED_ROOT_DIRECTORY by removing legacy support for ALLOWED_PROJECT_DIRS and simplifying the security logic. Key changes include:

- Removed deprecated ALLOWED_PROJECT_DIRS references from .env.example and security.ts.
- Updated initAllowedPaths() to focus solely on ALLOWED_ROOT_DIRECTORY and DATA_DIR.
- Enhanced logging for ALLOWED_ROOT_DIRECTORY configuration status.
- Adjusted route handlers to utilize the new workspace directory logic.
- Introduced a centralized storage module for localStorage operations to improve consistency and error handling.

These changes aim to enhance security and maintainability by consolidating directory management into a single variable.

Tests: All unit tests passing.

apps/server/src/routes/workspace/routes/config.ts

@@ -5,18 +5,25 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath, getAllowedRootDirectory } from "../../../lib/security.js";
+import {
+  addAllowedPath,
+  getAllowedRootDirectory,
+  getDataDirectory,
+} from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createConfigHandler() {
   return async (_req: Request, res: Response): Promise<void> => {
     try {
       const allowedRootDirectory = getAllowedRootDirectory();
+      const dataDirectory = getDataDirectory();
 
       if (!allowedRootDirectory) {
+        // When ALLOWED_ROOT_DIRECTORY is not set, return DATA_DIR as default directory
         res.json({
           success: true,
           configured: false,
+          defaultDir: dataDirectory || null,
         });
         return;
       }
@@ -41,6 +48,7 @@ export function createConfigHandler() {
           success: true,
           configured: true,
           workspaceDir: resolvedWorkspaceDir,
+          defaultDir: resolvedWorkspaceDir,
         });
       } catch {
         res.json({