fix(0128): XSS scheme allowlist + drop dead fileID

review findings:
- MessageBody: only http(s) and relative paths allowed for links;
  data:image/* allowed for inline images. Rejects javascript:,
  data:text/html, vbscript: which would execute via <a href>.
  Unsafe matches fall back to plain text.
- files.go: remove unused fileID var generated then discarded.

backend/files.go

@@ -197,7 +197,6 @@ func handleUploadCardFile(db *DB, workdir string) http.HandlerFunc {
 		}
 
 		fname := safeFilename(header.Filename)
-		fileID := newID()
 		storedPath := filepath.Join(dir, randomFilePrefix()+"__"+fname)
 
 		out, err := os.Create(storedPath)
@@ -237,16 +236,12 @@ func handleUploadCardFile(db *DB, workdir string) http.HandlerFunc {
 
 		actor, _ := infra.UserIDFromContext(r.Context(), userCtxKey)
 
-		// Use the random-prefixed path on disk but a stable file id in the DB.
 		cf, err := db.CreateCardFile(cardID, actor, fname, mimeType, storedPath, source, written)
 		if err != nil {
 			os.Remove(storedPath)
 			serverError(w, err)
 			return
 		}
-		// We generated newID() in CreateCardFile; align the on-disk filename with that id
-		// is not required since stored_path is what we serve from.
-		_ = fileID
 
 		infra.HTTPJSONResponse(w, http.StatusCreated, cf)
 	}