Fix asset API security and correctness issues

- Content-Disposition: drop raw filename= parameter, use only RFC 5987
  filename*=UTF-8'' to prevent header injection via ; and special chars
- delete_asset: default delete_content to False (non-destructive) when
  query parameter is omitted
- create_asset_from_hash: return 400 MISSING_INPUT instead of 404 when
  hash not found and no file uploaded (client input error, not missing resource)
- seeder: clear _progress when returning to IDLE so get_status() does not
  return stale progress after scan completion
- hashing: handle non-seekable streams in _hash_file_obj by checking
  seekable() before attempting tell/seek
- bulk_ingest: filter lost_paths to only include paths tied to actually
  inserted asset IDs, preventing inflated counts from ON CONFLICT drops

Amp-Thread-ID: https://ampcode.com/threads/T-019cb67a-9822-7438-ab05-d09991a9f7f3
Co-authored-by: Amp <amp@ampcode.com>

app/assets/services/hashing.py

@@ -1,3 +1,4 @@
+import io
 import os
 from typing import IO
 
@@ -21,12 +22,19 @@ def _hash_file_obj(file_obj: IO, chunk_size: int = DEFAULT_CHUNK) -> str:
     if chunk_size <= 0:
         chunk_size = DEFAULT_CHUNK
 
-    orig_pos = file_obj.tell()
+    seekable = getattr(file_obj, "seekable", lambda: False)()
+    orig_pos = None
+
+    if seekable:
+        try:
+            orig_pos = file_obj.tell()
+            if orig_pos != 0:
+                file_obj.seek(0)
+        except io.UnsupportedOperation:
+            seekable = False
+            orig_pos = None
 
     try:
-        if orig_pos != 0:
-            file_obj.seek(0)
-
         h = blake3()
         while True:
             chunk = file_obj.read(chunk_size)
@@ -35,4 +43,5 @@ def _hash_file_obj(file_obj: IO, chunk_size: int = DEFAULT_CHUNK) -> str:
             h.update(chunk)
         return h.hexdigest()
     finally:
-        file_obj.seek(orig_pos)
+        if seekable and orig_pos is not None:
+            file_obj.seek(orig_pos)