Security hardening.
- Local list() skips symlinks and treats prefix as a path-segment boundary (CWE-200/CWE-22)
- Azure SAS URLs URL-encode the object key (CWE-150)
- Secret config fields excluded from dataclass repr (CWE-532)
- put() accepts an optional max_size across all backends (CWE-770)
- Content-type guard helpers for stored-XSS defense (CWE-79)
- S3 signed DELETE URLs require explicit allow_delete=True (CWE-285)
- LocalStorage warns when no signing secret or base URL is set