refactor: integrate secure file system operations across services

This commit replaces direct file system operations with a secure file system adapter to enhance security by enforcing path validation. The changes include:

- Replaced `fs` imports with `secureFs` in various services and utilities.
- Updated file operations in `agent-service`, `auto-mode-service`, `feature-loader`, and `settings-service` to use the secure file system methods.
- Ensured that all file I/O operations are validated against the ALLOWED_ROOT_DIRECTORY.

This refactor aims to prevent unauthorized file access and improve overall security posture.

Tests: All unit tests passing.

🤖 Generated with Claude Code

apps/server/src/routes/settings/index.ts

@@ -14,6 +14,7 @@
 
 import { Router } from "express";
 import type { SettingsService } from "../../services/settings-service.js";
+import { validatePathParams } from "../../middleware/validate-paths.js";
 import { createGetGlobalHandler } from "./routes/get-global.js";
 import { createUpdateGlobalHandler } from "./routes/update-global.js";
 import { createGetCredentialsHandler } from "./routes/get-credentials.js";
@@ -57,8 +58,8 @@ export function createSettingsRoutes(settingsService: SettingsService): Router {
   router.put("/credentials", createUpdateCredentialsHandler(settingsService));
 
   // Project settings
-  router.post("/project", createGetProjectHandler(settingsService));
-  router.put("/project", createUpdateProjectHandler(settingsService));
+  router.post("/project", validatePathParams("projectPath"), createGetProjectHandler(settingsService));
+  router.put("/project", validatePathParams("projectPath"), createUpdateProjectHandler(settingsService));
 
   // Migration from localStorage
   router.post("/migrate", createMigrateHandler(settingsService));