feat(ipuaro): add PathValidator security utility (v0.13.0)

Add centralized path validation to prevent path traversal attacks.

- PathValidator class with sync/async validation methods
- Protects against '..' and '~' traversal patterns
- Validates paths are within project root
- Refactored all 7 file tools to use PathValidator
- 51 new tests for PathValidator

packages/ipuaro/src/infrastructure/tools/read/GetClassTool.ts

@@ -1,5 +1,4 @@
 import { promises as fs } from "node:fs"
-import * as path from "node:path"
 import type { ITool, ToolContext, ToolParameterSchema } from "../../../domain/services/ITool.js"
 import type { ClassInfo } from "../../../domain/value-objects/FileAST.js"
 import {
@@ -7,6 +6,7 @@ import {
     createSuccessResult,
     type ToolResult,
 } from "../../../domain/value-objects/ToolResult.js"
+import { PathValidator } from "../../security/PathValidator.js"
 
 /**
  * Result data from get_class tool.
@@ -67,16 +67,17 @@ export class GetClassTool implements ITool {
         const startTime = Date.now()
         const callId = `${this.name}-${String(startTime)}`
 
-        const relativePath = params.path as string
+        const inputPath = params.path as string
         const className = params.name as string
-        const absolutePath = path.resolve(ctx.projectRoot, relativePath)
+        const pathValidator = new PathValidator(ctx.projectRoot)
 
-        if (!absolutePath.startsWith(ctx.projectRoot)) {
-            return createErrorResult(
-                callId,
-                "Path must be within project root",
-                Date.now() - startTime,
-            )
+        let absolutePath: string
+        let relativePath: string
+        try {
+            ;[absolutePath, relativePath] = pathValidator.resolveOrThrow(inputPath)
+        } catch (error) {
+            const message = error instanceof Error ? error.message : String(error)
+            return createErrorResult(callId, message, Date.now() - startTime)
         }
 
         try {