Fix path traversal validation and mutation sanitization

- Fix isValidProjectRoot() in 4 API routes to properly prevent path traversal
  by using path.relative() to ensure paths stay within allowed base directory
  (replaces ineffective normalized.includes('..') check)

- Fix readiness-report.mjs to remove misleading path traversal validation
  that was ineffective after path.resolve() removes '..' segments

- Fix asNonEmptyString() in mutations.ts to only remove control characters
  while preserving backslashes (for Windows paths) and punctuation (for user text)

These changes address security review comments about ineffective path traversal
checks and mutation input corruption.

src/app/api/activity/route.ts

@@ -8,10 +8,11 @@ function isValidProjectRoot(root: string): boolean {
     if (!path.isAbsolute(resolved)) {
       return false;
     }
-    // Prevent path traversal by ensuring resolved path doesn't escape the project
-    const normalized = path.normalize(resolved);
-    // Check that the path doesn't contain traversal patterns
-    if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
+    // Prevent path traversal by ensuring resolved path stays within the project root
+    const allowedBase = process.cwd();
+    const relative = path.relative(allowedBase, resolved);
+    // If "resolved" is outside "allowedBase", "relative" will start with ".."
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
       return false;
     }
     return true;

src/app/api/agents/[agentId]/stats/route.ts

@@ -10,10 +10,11 @@ function isValidProjectRoot(root: string): boolean {
     if (!path.isAbsolute(resolved)) {
       return false;
     }
-    // Prevent path traversal by ensuring resolved path doesn't escape the project
-    const normalized = path.normalize(resolved);
-    // Check that the path doesn't contain traversal patterns
-    if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
+    // Prevent path traversal by ensuring resolved path stays within the project root
+    const allowedBase = process.cwd();
+    const relative = path.relative(allowedBase, resolved);
+    // If "resolved" is outside "allowedBase", "relative" will start with ".."
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
       return false;
     }
     return true;

src/app/api/beads/read/route.ts

@@ -8,10 +8,11 @@ function isValidProjectRoot(root: string): boolean {
     if (!path.isAbsolute(resolved)) {
       return false;
     }
-    // Prevent path traversal by ensuring resolved path doesn't escape the project
-    const normalized = path.normalize(resolved);
-    // Check that the path doesn't contain traversal patterns
-    if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
+    // Prevent path traversal by ensuring resolved path stays within the project root
+    const allowedBase = process.cwd();
+    const relative = path.relative(allowedBase, resolved);
+    // If "resolved" is outside "allowedBase", "relative" will start with ".."
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
       return false;
     }
     return true;

src/app/api/sessions/route.ts

@@ -10,10 +10,11 @@ function isValidProjectRoot(root: string): boolean {
     if (!path.isAbsolute(resolved)) {
       return false;
     }
-    // Prevent path traversal by ensuring resolved path doesn't escape the project
-    const normalized = path.normalize(resolved);
-    // Check that the path doesn't contain traversal patterns
-    if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
+    // Prevent path traversal by ensuring resolved path stays within the project root
+    const allowedBase = process.cwd();
+    const relative = path.relative(allowedBase, resolved);
+    // If "resolved" is outside "allowedBase", "relative" will start with ".."
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
       return false;
     }
     return true;