feat: enhance symlink detection and cache invalidation

- Add `_entry_is_symlink` method to detect symlinks and Windows junctions
- Include first-level symlinks in fingerprint for better cache invalidation
- Re-enable preview path validation for security
- Update tests to verify retargeted symlinks trigger rescan

py/routes/handlers/preview_handlers.py

@@ -41,10 +41,8 @@ class PreviewHandler:
             raise web.HTTPBadRequest(text="Unable to resolve preview path") from exc
 
         resolved_str = str(resolved)
-        # TODO: Temporarily disabled path validation due to issues #772 and #774
-        # Re-enable after fixing preview root path handling
-        # if not self._config.is_preview_path_allowed(resolved_str):
-        #     raise web.HTTPForbidden(text="Preview path is not within an allowed directory")
+        if not self._config.is_preview_path_allowed(resolved_str):
+            raise web.HTTPForbidden(text="Preview path is not within an allowed directory")
 
         if not resolved.is_file():
             logger.debug("Preview file not found at %s", resolved_str)