* fix: use realpath to validate filesystem paths against traversal
- add string_prefix helper to check path containment
- compute root_canonical once per add_vfs_ call
- use realpath only for filesystem (on_fs=true), keeping simple
contains_dot_dot check for VFS
- paths are already URL-decoded by Route.rest_of_path_urlencoded
* fix: add header size limits to prevent memory exhaustion
add optional limits to Headers.parse_:
- max_headers: 100 (default)
- max_header_size: 16KiB per header (default)
- max_total_size: 256KiB total (default)
returns 431 status code when limits exceeded per RFC 6585.
