
fix(web): path traversal, JWT token expiration handling, input validation - round 58 #860

@dvrd

Description


Why

Code review round 58 found critical security vulnerabilities and missing input validation that could lead to:

  • Directory traversal attacks via unsanitized repository names
  • Expired JWT tokens potentially being accepted
  • Inadequate token expiration error handling

What

Apply security fixes:

  1. Add repository name sanitization in web/blob.go and web/git.go
  2. Add explicit check for proto.ErrTokenExpired in JWT validation flow
  3. Improve error messages to avoid information disclosure
  4. Add input validation across multiple endpoints

Where

  • pkg/web/blob.go - blob serving with path traversal vulnerability
  • pkg/web/git.go - git operations with path traversal vulnerability
  • pkg/web/auth.go - JWT token expiration and error handling
  • Multiple files - missing input validation

Plan

  1. Sanitize repository name parameter from mux.Vars() using utils.SanitizeRepo()
  2. Check for proto.ErrTokenExpired in parseJWT and handle appropriately
  3. Add input validation for all URL/form parameters
  4. Improve error message verbosity
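The two core fixes in the plan, repository-name sanitization before the name reaches the filesystem and an explicit expired-token branch in JWT validation, as an added Go example. This is not the project's code: `sanitizeRepo` is a hypothetical stand-in for the `utils.SanitizeRepo()` named above (its real rules may differ), `errTokenExpired` stands in for `proto.ErrTokenExpired`, and `repoPath`, `checkExpiry` and `validateTokenErr` are names chosen here. The root directory and claim values are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
	"time"
)

// errTokenExpired stands in for the project's proto.ErrTokenExpired sentinel
// (assumed name for this example; the real one lives in the proto package).
var errTokenExpired = errors.New("token expired")

// errBadRepoName is the single error returned for any rejected repository name,
// so the response never echoes which rule the attacker-controlled input tripped.
var errBadRepoName = errors.New("invalid repository name")

// sanitizeRepo is a hypothetical equivalent of utils.SanitizeRepo(): it accepts
// only relative, slash-separated names built from an allowlist of characters
// and rejects every segment that could climb out of the repository root.
func sanitizeRepo(name string) (string, error) {
	name = strings.TrimSuffix(strings.TrimSpace(name), ".git")
	if name == "" {
		return "", errBadRepoName
	}
	for _, seg := range strings.Split(name, "/") {
		// "" catches a leading "/", a doubled "//" and a trailing "/";
		// "." and ".." are the traversal segments; a leading dot would
		// address hidden entries such as a nested .git directory.
		if seg == "" || seg == "." || seg == ".." || strings.HasPrefix(seg, ".") {
			return "", errBadRepoName
		}
		for _, r := range seg {
			ok := r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' ||
				r >= '0' && r <= '9' || r == '-' || r == '_' || r == '.'
			if !ok { // covers backslashes, NUL bytes, spaces, percent-encoding
				return "", errBadRepoName
			}
		}
	}
	return name, nil
}

// repoPath resolves a sanitized name under root and re-checks containment, so
// a later relaxation of sanitizeRepo cannot silently reintroduce traversal.
func repoPath(root, name string) (string, error) {
	clean, err := sanitizeRepo(name)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	p := filepath.Join(absRoot, filepath.FromSlash(clean)+".git")
	if !strings.HasPrefix(p, absRoot+string(filepath.Separator)) {
		return "", errBadRepoName
	}
	return p, nil
}

// claims holds the one registered claim the expiry check needs (exp, seconds).
type claims struct{ Exp int64 }

// checkExpiry is the explicit check the plan asks parseJWT to make: a past
// "exp" yields the sentinel so callers can branch on it with errors.Is. A
// missing exp is treated as expired here; that is this example's policy choice.
func checkExpiry(c claims, now time.Time) error {
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errTokenExpired
	}
	return nil
}

// validateTokenErr maps a JWT validation failure to a status and client-facing
// message. Expiry is distinguished (the client should refresh); every other
// failure collapses to one generic message so signature or parsing details
// from the underlying error are never disclosed.
func validateTokenErr(err error) (int, string) {
	switch {
	case err == nil:
		return http.StatusOK, ""
	case errors.Is(err, errTokenExpired):
		return http.StatusUnauthorized, "token expired"
	default:
		return http.StatusUnauthorized, "invalid token"
	}
}

func main() {
	for _, n := range []string{"alice/app.git", "../../etc/passwd", "a/../b", "/abs"} {
		p, err := repoPath("/srv/repos", n) // constructed root directory
		fmt.Printf("%-20q -> %q %v\n", n, p, err)
	}
	err := checkExpiry(claims{Exp: 100}, time.Unix(200, 0))
	code, msg := validateTokenErr(err)
	fmt.Println(code, msg)
	code, msg = validateTokenErr(errors.New("signature mismatch for kid=abc"))
	fmt.Println(code, msg)
}
```

Note the order: the name is validated before any filesystem call, and the containment check in `repoPath` is a second, independent guard rather than the primary defence. Mapping both the expired and the generic case to 401 keeps the information-disclosure goal of step 3 while still letting a well-behaved client know that a refresh will help.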
