Code review fixes: wardrobe migration, response validation, path traversal guard, deduplication

- Migrate 11 character JSONs from old wardrobe keys to _BODY_GROUP_KEYS format
- Add is_favourite/is_nsfw columns to Preset model
- Add HTTP response validation and timeouts to ComfyUI client
- Add path traversal protection on replace cover route
- Deduplicate services/mcp.py (4 functions → 2 generic + 2 wrappers)
- Extract apply_library_filters() and clean_html_text() shared helpers
- Add named constants for 17 ComfyUI workflow node IDs
- Fix bare except clauses in services/llm.py
- Fix tags schema in ensure_default_outfit() (list → dict)
- Convert f-string logging to lazy % formatting
- Add 5-minute polling timeout to frontend waitForJob()
- Improve migration error handling (non-duplicate errors log at WARNING)
- Update CLAUDE.md to reflect all changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

routes/checkpoints.py

@@ -14,8 +14,8 @@ from services.prompts import build_prompt, _resolve_character, _ensure_character
 from services.sync import sync_checkpoints, _default_checkpoint_data
 from services.file_io import get_available_checkpoints
 from services.llm import load_prompt, call_llm
-from utils import allowed_file
-from routes.shared import register_common_routes
+from utils import allowed_file, clean_html_text
+from routes.shared import register_common_routes, apply_library_filters
 
 logger = logging.getLogger('gaze')
 
@@ -58,17 +58,8 @@ def register_routes(app):
 
     @app.route('/checkpoints')
     def checkpoints_index():
-        query = Checkpoint.query
-        fav = request.args.get('favourite')
-        nsfw = request.args.get('nsfw', 'all')
-        if fav == 'on':
-            query = query.filter_by(is_favourite=True)
-        if nsfw == 'sfw':
-            query = query.filter_by(is_nsfw=False)
-        elif nsfw == 'nsfw':
-            query = query.filter_by(is_nsfw=True)
-        checkpoints = query.order_by(Checkpoint.is_favourite.desc(), Checkpoint.name).all()
-        return render_template('checkpoints/index.html', checkpoints=checkpoints, favourite_filter=fav or '', nsfw_filter=nsfw)
+        checkpoints, fav, nsfw = apply_library_filters(Checkpoint.query, Checkpoint)
+        return render_template('checkpoints/index.html', checkpoints=checkpoints, favourite_filter=fav, nsfw_filter=nsfw)
 
     @app.route('/checkpoints/rescan', methods=['POST'])
     def rescan_checkpoints():
@@ -179,11 +170,7 @@ def register_routes(app):
                     try:
                         with open(html_path, 'r', encoding='utf-8', errors='ignore') as hf:
                             html_raw = hf.read()
-                            clean_html = re.sub(r'<script[^>]*>.*?</script>', '', html_raw, flags=re.DOTALL)
-                            clean_html = re.sub(r'<style[^>]*>.*?</style>', '', clean_html, flags=re.DOTALL)
-                            clean_html = re.sub(r'<img[^>]*>', '', clean_html)
-                            clean_html = re.sub(r'<[^>]+>', ' ', clean_html)
-                            html_content = ' '.join(clean_html.split())
+                            html_content = clean_html_text(html_raw)
                     except Exception as e:
                         logger.error("Error reading HTML for %s: %s", filename, e)