refactor: integrate secure file system operations across services

This commit replaces direct file system operations with a secure file system adapter to enhance security by enforcing path validation. The changes include:

- Replaced `fs` imports with `secureFs` in various services and utilities.
- Updated file operations in `agent-service`, `auto-mode-service`, `feature-loader`, and `settings-service` to use the secure file system methods.
- Ensured that all file I/O operations are validated against the ALLOWED_ROOT_DIRECTORY.

This refactor aims to prevent unauthorized file access and improve overall security posture.

Tests: All unit tests passing.

🤖 Generated with Claude Code

apps/server/src/lib/fs-utils.ts

@@ -2,7 +2,7 @@
  * File system utilities that handle symlinks safely
  */
 
-import fs from "fs/promises";
+import * as secureFs from "./secure-fs.js";
 import path from "path";
 
 /**
@@ -14,7 +14,7 @@ export async function mkdirSafe(dirPath: string): Promise<void> {
 
   // Check if path already exists using lstat (doesn't follow symlinks)
   try {
-    const stats = await fs.lstat(resolvedPath);
+    const stats = await secureFs.lstat(resolvedPath);
     // Path exists - if it's a directory or symlink, consider it success
     if (stats.isDirectory() || stats.isSymbolicLink()) {
       return;
@@ -36,7 +36,7 @@ export async function mkdirSafe(dirPath: string): Promise<void> {
 
   // Path doesn't exist, create it
   try {
-    await fs.mkdir(resolvedPath, { recursive: true });
+    await secureFs.mkdir(resolvedPath, { recursive: true });
   } catch (error: any) {
     // Handle race conditions and symlink issues
     if (error.code === "EEXIST" || error.code === "ELOOP") {
@@ -52,7 +52,7 @@ export async function mkdirSafe(dirPath: string): Promise<void> {
  */
 export async function existsSafe(filePath: string): Promise<boolean> {
   try {
-    await fs.lstat(filePath);
+    await secureFs.lstat(filePath);
     return true;
   } catch (error: any) {
     if (error.code === "ENOENT") {