fix: patch path traversal and baseUrl normalization in scene generator

- server.js: sanitize static file paths to prevent directory traversal
  (GET /../../sgclaw_config.json would expose API key)
- config-loader.js: fix normalizeBaseUrl to strip /v1 before appending,
  preventing double /v1 for non-standard base URLs

🤖 Generated with [Qoder][https://qoder.com]

frontend/scene-generator/config-loader.js

@@ -64,8 +64,8 @@ function loadConfig() {
 
 function normalizeBaseUrl(url) {
   url = url.replace(/\/+$/, "");
-  if (!url.endsWith("/v1")) url = url + "/v1";
-  return url;
+  url = url.replace(/\/v1\/?$/, "");
+  return url + "/v1";
 }
 
 function getDefaults() {