fix: Unbounded file upload without validation

internal/api/handlers_delta.go

@@ -2,6 +2,7 @@
 
 import (
 	"encoding/json"
+	"strings"
 	"io"
 	"net/http"
 	"time"
@@ -46,8 +47,15 @@
 	if r.Method != http.MethodPost {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 		return
+	// Validate content type
+	contentType := r.Header.Get("Content-Type")
+	if contentType != "application/json" && !strings.HasPrefix(contentType, "application/json;") {
+		WriteJSONError(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
+		return
 	}
 
+	body, err := io.ReadAll(io.LimitReader(r.Body, 50*1024*1024)) // 50MB limit
+
 	start := time.Now()
 
 	// Read body
@@ -101,7 +109,14 @@
 		WriteJSONError(w, "Failed to apply delta: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
+	// Validate content type
+	contentType := r.Header.Get("Content-Type")
+	if contentType != "application/json" && !strings.HasPrefix(contentType, "application/json;") {
+		WriteJSONError(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
+		return
+	}
 
+	body, err := io.ReadAll(io.LimitReader(r.Body, 50*1024*1024)) // 50MB limit
 	// Refresh FTS index
 	if err := s.engine.RefreshFTS(ctx); err != nil {
 		warnings = append(warnings, "FTS refresh failed: "+err.Error())
@@ -124,22 +139,22 @@
 }
 
 // handleDeltaValidate handles POST /delta/validate - validate a delta without ingesting
 func (s *Server) handleDeltaValidate(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 
 	// Read body
 	body, err := io.ReadAll(io.LimitReader(r.Body, 50*1024*1024)) // 50MB limit
 	if err != nil {
 		WriteJSONError(w, "Failed to read request body", http.StatusBadRequest)
 		return
 	}
 	defer r.Body.Close()
 
 	// Parse delta
 	delta, err := diff.ParseDelta(body)
 	if err != nil {
 		WriteJSONError(w, "Invalid delta format: "+err.Error(), http.StatusBadRequest)
 		return