Playground Uploads & CSRF Hardening

What’s New

• Added multipart file upload support in API playground
• Added image-only upload restrictions with MIME validation
• Added scraper workflow rules to agent execution contract

Improvements

• CSRF middleware now skips stateless API requests using Authorization or X-API-KEY
• Playground POST requests now properly separate query params from body fields
• Upload card shows selected file name, size, and inline progress bar
• Endpoints with request body now hide the separate Parameters section

Fixes

• Fixed CSRF EBADCSRFTOKEN errors mapped to HTTP 403 instead of 500
• Fixed playground multipart parsing to read req.body correctly