Code review fixes: wardrobe migration, response validation, path traversal guard, deduplication

- Migrate 11 character JSONs from old wardrobe keys to _BODY_GROUP_KEYS format
- Add is_favourite/is_nsfw columns to Preset model
- Add HTTP response validation and timeouts to ComfyUI client
- Add path traversal protection on replace cover route
- Deduplicate services/mcp.py (4 functions → 2 generic + 2 wrappers)
- Extract apply_library_filters() and clean_html_text() shared helpers
- Add named constants for 17 ComfyUI workflow node IDs
- Fix bare except clauses in services/llm.py
- Fix tags schema in ensure_default_outfit() (list → dict)
- Convert f-string logging to lazy % formatting
- Add 5-minute polling timeout to frontend waitForJob()
- Improve migration error handling (non-duplicate errors log at WARNING)
- Update CLAUDE.md to reflect all changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

utils.py

@@ -12,8 +12,16 @@ _LORA_DEFAULTS = {
 }
 
 _BODY_GROUP_KEYS = ['base', 'head', 'upper_body', 'lower_body', 'hands', 'feet', 'additional']
-_IDENTITY_KEYS = _BODY_GROUP_KEYS
-_WARDROBE_KEYS = _BODY_GROUP_KEYS
+
+
+def clean_html_text(html_raw):
+    """Strip HTML tags, scripts, styles, and images from raw HTML, returning plain text."""
+    import re
+    text = re.sub(r'<script[^>]*>.*?</script>', '', html_raw, flags=re.DOTALL)
+    text = re.sub(r'<style[^>]*>.*?</style>', '', text, flags=re.DOTALL)
+    text = re.sub(r'<img[^>]*>', '', text)
+    text = re.sub(r'<[^>]+>', ' ', text)
+    return ' '.join(text.split())
 
 
 def allowed_file(filename):