Code review fixes: wardrobe migration, response validation, path traversal guard, deduplication

- Migrate 11 character JSONs from old wardrobe keys to _BODY_GROUP_KEYS format
- Add is_favourite/is_nsfw columns to Preset model
- Add HTTP response validation and timeouts to ComfyUI client
- Add path traversal protection on replace cover route
- Deduplicate services/mcp.py (4 functions → 2 generic + 2 wrappers)
- Extract apply_library_filters() and clean_html_text() shared helpers
- Add named constants for 17 ComfyUI workflow node IDs
- Fix bare except clauses in services/llm.py
- Fix tags schema in ensure_default_outfit() (list → dict)
- Convert f-string logging to lazy % formatting
- Add 5-minute polling timeout to frontend waitForJob()
- Improve migration error handling (non-duplicate errors log at WARNING)
- Update CLAUDE.md to reflect all changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

routes/styles.py

@@ -14,8 +14,8 @@ from services.prompts import build_prompt, _resolve_character, _ensure_character
 from services.sync import sync_styles
 from services.file_io import get_available_loras
 from services.llm import load_prompt, call_llm
-from routes.shared import register_common_routes
-from utils import _WARDROBE_KEYS
+from routes.shared import register_common_routes, apply_library_filters
+from utils import _BODY_GROUP_KEYS, clean_html_text
 
 logger = logging.getLogger('gaze')
 
@@ -47,7 +47,7 @@ def register_routes(app):
                         selected_fields.append(f'identity::{key}')
                 selected_fields.append('special::name')
                 wardrobe = character.get_active_wardrobe()
-                for key in _WARDROBE_KEYS:
+                for key in _BODY_GROUP_KEYS:
                     if wardrobe.get(key):
                         selected_fields.append(f'wardrobe::{key}')
                 selected_fields.extend(['style::artist_name', 'style::artistic_style', 'lora::lora_triggers'])
@@ -82,17 +82,8 @@ def register_routes(app):
 
     @app.route('/styles')
     def styles_index():
-        query = Style.query
-        fav = request.args.get('favourite')
-        nsfw = request.args.get('nsfw', 'all')
-        if fav == 'on':
-            query = query.filter_by(is_favourite=True)
-        if nsfw == 'sfw':
-            query = query.filter_by(is_nsfw=False)
-        elif nsfw == 'nsfw':
-            query = query.filter_by(is_nsfw=True)
-        styles = query.order_by(Style.is_favourite.desc(), Style.name).all()
-        return render_template('styles/index.html', styles=styles, favourite_filter=fav or '', nsfw_filter=nsfw)
+        styles, fav, nsfw = apply_library_filters(Style.query, Style)
+        return render_template('styles/index.html', styles=styles, favourite_filter=fav, nsfw_filter=nsfw)
 
     @app.route('/styles/rescan', methods=['POST'])
     def rescan_styles():
@@ -323,11 +314,7 @@ def register_routes(app):
                 try:
                     with open(html_path, 'r', encoding='utf-8', errors='ignore') as hf:
                         html_raw = hf.read()
-                        clean_html = re.sub(r'<script[^>]*>.*?</script>', '', html_raw, flags=re.DOTALL)
-                        clean_html = re.sub(r'<style[^>]*>.*?</style>', '', clean_html, flags=re.DOTALL)
-                        clean_html = re.sub(r'<img[^>]*>', '', clean_html)
-                        clean_html = re.sub(r'<[^>]+>', ' ', clean_html)
-                        html_content = ' '.join(clean_html.split())
+                        html_content = clean_html_text(html_raw)
                 except Exception:
                     pass