보안 강화: CORS 제한, Path Traversal 방어, 헬스체크 추가

- travel-proxy: get_thumb NameError 수정 및 경로 조작 방어
- stock-lab, music-lab: CORS allow_origins=* → 환경변수 기반 도메인 제한
- travel-proxy, deployer: /health 엔드포인트 추가
- 전 서비스 .dockerignore 추가 (.git, __pycache__, .env 제외)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

travel-proxy/app/main.py

@@ -168,6 +168,10 @@ def scan_album(album: str) -> List[Dict[str, Any]]:
 # -----------------------------
 # Routes
 # -----------------------------
+@app.get("/health")
+def health():
+    return {"status": "healthy", "service": "travel-proxy"}
+
 @app.get("/api/travel/regions")
 def regions():
     _meta_changed_invalidate_cache()
@@ -239,12 +243,18 @@ def photos(
 
 @app.get("/media/travel/.thumb/{album}/{filename}")
 def get_thumb(album: str, filename: str):
+    if ".." in album or ".." in filename:
+        raise HTTPException(400, "Invalid path")
+
     src = (ROOT / album / filename).resolve()
+    if not str(src).startswith(str(ROOT)):
+        raise HTTPException(403, "Access denied")
+    if not src.exists() or not src.is_file():
+        raise HTTPException(404, "Source not found")
+
+    p = ensure_thumb(src, album)
     if not p.exists() or not p.is_file():
         raise HTTPException(404, "Thumbnail not found")
-
-    # src로부터 thumb 생성/확인 (원본 확장자 유지)
-    p = ensure_thumb(src, album)
     return FileResponse(str(p))
 
 @app.get("/api/version")