🔐 fix: Enhance Message & Image Access Security (#3363)

* chore: slight refactor

* fix: prevent message updates unless explicitly owned

* refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests

* fix: Add path normalization and validation to image request middleware

* fix: image validation path security

api/server/services/Runs/StreamRunManager.js

@@ -143,7 +143,7 @@ class StreamRunManager {
    * @returns {Promise<void>}
    */
   async saveInitialMessage() {
-    return saveMessage({
+    return saveMessage(this.req, {
       conversationId: this.finalMessage.conversationId,
       messageId: this.finalMessage.messageId,
       parentMessageId: this.parentMessageId,