feat: implement secure file upload system with JWT authentication

- Add JWT-based secure file access for local storage with 1-hour expiry
- Implement GORM repository methods for attachment CRUD operations
- Add secure file serving endpoint with token validation
- Update storage interface to support user context in URL generation
- Add comprehensive security features including path traversal protection
- Update documentation with security model and configuration examples
- Add utility functions for hex/byte conversion and UUID validation
- Configure secure file permissions (0600) for uploaded files

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

core/storage/interface.go

@@ -19,6 +19,9 @@ type Storage interface {
 	// GetURL returns a URL for accessing the file (may be signed/temporary)
 	GetURL(path string, expiry time.Duration) (string, error)
 	
+	// GetURLWithContext returns a URL for accessing the file with user context (for JWT tokens)
+	GetURLWithContext(path string, expiry time.Duration, userID, orgID string) (string, error)
+	
 	// Exists checks if a file exists at the given path
 	Exists(path string) (bool, error)
 	
@@ -53,6 +56,9 @@ type LocalConfig struct {
 	
 	// Base URL for serving files (optional)
 	BaseURL string `mapstructure:"base_url"`
+	
+	// Signing key for JWT tokens (optional, will be auto-generated if empty)
+	SigningKey string `mapstructure:"signing_key"`
 }
 
 // S3Config configures S3-compatible storage (AWS S3, Backblaze B2, Cloudflare R2, etc.)