feat(security): add MIME type restrictions for resources (US-2) (#3847)

Add content security validation for MIME types on resources:

- ContentSecurityService.validate_resource_mime_type() with configurable
  allowlist (CONTENT_ALLOWED_RESOURCE_MIMETYPES) and strict/log-only modes
  (CONTENT_STRICT_MIME_VALIDATION, default: false)
- Log-only mode checks the allowlist and logs violations at WARNING level
  with Prometheus metrics, enabling monitoring before enforcement
- ContentTypeError exception with HTTP 415 global handler
- URL-detected MIME type priority over user-provided values
- Prometheus counters for size and MIME type violations
- PII-safe audit logging (hashed emails, masked IPs)
- Validation in register_resource, update_resource (including MIME-only
  updates without content changes), and bulk import

Partially closes #538

Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

Author: msureshkumar88

.env.example

@@ -98,7 +98,7 @@ ALLOW_PUBLIC_VISIBILITY=true
 # The 100.64.0.0/10 range is Carrier-Grade NAT (CGNAT) which some cloud providers use
 
 # -----------------------------------------------------------------------------
-# Content Security - Size Limits
+# Content Security - Size Limits and MIME Type Restrictions (US-2)
 # -----------------------------------------------------------------------------
 # Maximum content sizes (in bytes) to prevent DoS attacks via large uploads
 
@@ -110,6 +110,19 @@ ALLOW_PUBLIC_VISIBILITY=true
 # Prompts exceeding this limit will be rejected with 413 Payload Too Large
 # CONTENT_MAX_PROMPT_SIZE=10240
 
+# Allowed MIME types for resources (JSON array or comma-separated list)
+# In strict mode, only MIME types explicitly listed here are accepted.
+# Vendor types (application/x-*, text/x-*) and suffix types (+json, +xml) must be
+# explicitly added to this list if needed - they are NOT automatically allowed.
+# Default: text/plain,text/markdown,text/html,text/csv,application/json,application/xml,application/pdf,...
+# Both formats are accepted:
+# CONTENT_ALLOWED_RESOURCE_MIMETYPES=["text/plain","text/markdown","application/json"]
+# CONTENT_ALLOWED_RESOURCE_MIMETYPES=text/plain,text/markdown,application/json
+
+# Enable strict MIME type validation for resources (default: false)
+# Set to true to reject disallowed MIME types; false logs violations without blocking
+# CONTENT_STRICT_MIME_VALIDATION=false
+
 # =============================================================================
 # Project defaults (batteries-included overrides)
 # =============================================================================

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "package-lock.json|Cargo.lock|^.secrets.baseline$|scripts/sign_image.sh|scripts/zap|sonar-project.properties|^/Users/brian/dev/github.ibm.com/contextforge-org/sps-pipeline-config/.secrets.baseline$|^./.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-03T10:38:44Z",
+  "generated_at": "2026-04-03T11:21:02Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,87 +92,87 @@
         "hashed_secret": "08cd923367890009657eab812753379bdb321eeb",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 509,
+        "line_number": 522,
         "type": "Basic Auth Credentials",
         "verified_result": null
       },
       {
         "hashed_secret": "14f8aa3e560a47851908ab0f04ec856dbc512d93",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 704,
+        "line_number": 717,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 964,
+        "line_number": 977,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7b4455a56fbf1d198e45e04c437488514645a82c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 990,
+        "line_number": 1003,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ac371b6dcce28a86c90d12bc57d946a800eebf17",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1070,
+        "line_number": 1083,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0b6ec68df700dec4dcd64babd0eda1edccddace1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1075,
+        "line_number": 1088,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4ad6f0082ee224001beb3ca5c3e81c8ceea5ed86",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1080,
+        "line_number": 1093,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cb32747fcfb55eaa194c8cd8e4ba7d49ada08a94",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1086,
+        "line_number": 1099,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "6c178d51b13520496dbc767ed3d9d7aa5803ac72",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1098,
+        "line_number": 1111,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ca45060a53fd8a255d1a83ee8d2f025283ccc66e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1116,
+        "line_number": 1129,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "910fbf00f58e9bcb095ea26a75cc1d9a3355e671",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1177,
+        "line_number": 1190,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -1828,7 +1828,7 @@
         "hashed_secret": "e689846dfc65621eeab3a906bb8b0ddd52f5c514",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 130,
+        "line_number": 158,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5110,7 +5110,7 @@
         "hashed_secret": "85b60d811d16ff56b3654587d4487f713bfa33b7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 14931,
+        "line_number": 14976,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5752,15 +5752,15 @@
         "hashed_secret": "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 221,
+        "line_number": 222,
         "type": "Basic Auth Credentials",
         "verified_result": null
       },
       {
         "hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2140,
+        "line_number": 2169,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -6082,7 +6082,7 @@
         "hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3290,
+        "line_number": 3404,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -7380,7 +7380,7 @@
         "hashed_secret": "ba9cdae9b74942b8ac45ec20dfc3803a07fe6de9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 58,
+        "line_number": 61,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -9854,23 +9854,23 @@
         "hashed_secret": "b0beaa298b4c296ba29df08b919548d17e68d6c8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3496,
+        "line_number": 4017,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3511,
+        "line_number": 4032,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 4203,
+        "line_number": 4724,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -10212,119 +10212,119 @@
         "hashed_secret": "206c80413b9a96c1312cc346b7d2517b84463edd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1600,
+        "line_number": 1604,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "5cbd0bf2db07a8f50fa9bbcc5ac720b1911c6380",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1772,
+        "line_number": 1776,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "a10b98d7340036e9c8c301704f623eddd733cc1a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2736,
+        "line_number": 2781,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5148,
+        "line_number": 5189,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fe1bae27cb7c1fb823f496f286e78f1d2ae87734",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5795,
+        "line_number": 5842,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "2878cbdbbcfa6feafc04b8889f5ecc8c470ba32e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5859,
+        "line_number": 5906,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "a0281cd072cea8e80e7866b05dc124815760b6c9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6111,
+        "line_number": 6158,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "a0f4ea7d91495df92bbac2e2149dfb850fe81396",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 9086,
+        "line_number": 9140,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "a75a7c7b31474f3f04f3a395228ded8d61ee1ae3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 9135,
+        "line_number": 9189,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "02c593fd9af8254b859d426a76b6cd42847fbec1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 9174,
+        "line_number": 9228,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "1ded3053d0363079a4e681a3b700435d6d880290",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 9231,
+        "line_number": 9285,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "c00dbbc9dadfbe1e232e93a729dd4752fade0abf",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 14001,
+        "line_number": 14058,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 16758,
+        "line_number": 16815,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "a4b48a81cdab1e1a5dd37907d6c85ca1c61ddc7c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 16777,
+        "line_number": 16834,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "dc8002865f92070749b264e76045b04fa3b8de71",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 20332,
+        "line_number": 20389,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -10698,23 +10698,23 @@
         "hashed_secret": "cd024c09e5784e941e833bd8fabf1dcfc3fb6cd8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 53,
+        "line_number": 54,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 137,
+        "line_number": 138,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "a10b98d7340036e9c8c301704f623eddd733cc1a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 150,
+        "line_number": 151,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -10724,7 +10724,7 @@
         "hashed_secret": "cd024c09e5784e941e833bd8fabf1dcfc3fb6cd8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 30,
+        "line_number": 35,
         "type": "Secret Keyword",
         "verified_result": null
       }