test(attachment): use type-safe mock<T>() instead of `as unknown as` casts

Replace hand-built `as unknown as Request/Response` casts in the
deny-uploads-direct-access spec with vitest-mock-extended's mock<T>(), so the
mock is type-checked and survives Express API drift.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

apps/app/src/server/middlewares/deny-uploads-direct-access.spec.ts

@@ -1,19 +1,21 @@
 import type { Request, Response } from 'express';
+import { mock } from 'vitest-mock-extended';
 
 import { denyUploadsDirectAccess } from './deny-uploads-direct-access';
 
 describe('denyUploadsDirectAccess', () => {
   test('responds with 403 Forbidden', () => {
-    const send = vi.fn();
-    const status = vi.fn().mockReturnValue({ send });
-    const req = {
-      originalUrl: '/uploads/attachment/evil.html',
-    } as unknown as Request;
-    const res = { status } as unknown as Response;
+    const req = mock<Request>();
+    req.originalUrl = '/uploads/attachment/evil.html';
+
+    const res = mock<Response>();
+    // res.status(...) returns `this` (Response) in Express, enabling the
+    // status().send() chain. Mirror that so the chained send() can be asserted.
+    res.status.mockReturnValue(res);
 
     denyUploadsDirectAccess(req, res);
 
-    expect(status).toHaveBeenCalledWith(403);
-    expect(send).toHaveBeenCalledWith('Forbidden');
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.send).toHaveBeenCalledWith('Forbidden');
   });
 });