Add secure media access control with authenticated proxy endpoints

- Add MediaHandler with token-based proxy endpoints for serving media:
  - GET /api/media/document/:id
  - GET /api/media/document-image/:id
  - GET /api/media/completion-image/:id
- Add MediaURL fields to response DTOs for documents and task completions
- Add FindImageByID and FindCompletionImageByID repository methods
- Preload Completions.Images in all task queries for proper media URLs
- Remove public /uploads static file serving for security
- Verify residence access before serving any media files

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

internal/dto/responses/task.go

@@ -58,6 +58,7 @@ type TaskUserResponse struct {
 type TaskCompletionImageResponse struct {
 	ID       uint   `json:"id"`
 	ImageURL string `json:"image_url"`
+	MediaURL string `json:"media_url"` // Authenticated endpoint: /api/media/completion-image/{id}
 	Caption  string `json:"caption"`
 }
 
@@ -213,11 +214,12 @@ func NewTaskCompletionResponse(c *models.TaskCompletion) TaskCompletionResponse
 	if c.CompletedBy.ID != 0 {
 		resp.CompletedBy = NewTaskUserResponse(&c.CompletedBy)
 	}
-	// Convert images
+	// Convert images with authenticated media URLs
 	for _, img := range c.Images {
 		resp.Images = append(resp.Images, TaskCompletionImageResponse{
 			ID:       img.ID,
 			ImageURL: img.ImageURL,
+			MediaURL: fmt.Sprintf("/api/media/completion-image/%d", img.ID), // Authenticated endpoint
 			Caption:  img.Caption,
 		})
 	}