Validate and store user uploads

Use filevalidator to reject untrusted files before they touch storage, then hand the safe payload to filekit for persistence.

ok, err := filevalidator.Validate(reader, filevalidator.Options{
    AllowedTypes: []string{"image/png", "image/jpeg"},
    MaxSize:      5 << 20,
})
if err != nil || !ok {
    return errors.New("invalid upload")
}

if _, err := fs.Write(ctx, key, payload); err != nil {
    return err
}