Fix path traversal validation and mutation sanitization

- Fix isValidProjectRoot() in 4 API routes to properly prevent path traversal
  by using path.relative() to ensure paths stay within allowed base directory
  (replaces ineffective normalized.includes('..') check)

- Fix readiness-report.mjs to remove misleading path traversal validation
  that was ineffective after path.resolve() removes '..' segments

- Fix asNonEmptyString() in mutations.ts to only remove control characters
  while preserving backslashes (for Windows paths) and punctuation (for user text)

These changes address security review comments about ineffective path traversal
checks and mutation input corruption.

src/lib/mutations.ts

@@ -76,8 +76,9 @@ function asNonEmptyString(value: unknown, field: string): string {
     throw new MutationValidationError(`"${field}" is required.`);
   }
   const trimmed = value.trim();
-  // Sanitize to prevent command injection - remove control characters and shell metacharacters
-  const sanitized = trimmed.replace(/[\x00-\x1f\x7f]/g, '').replace(/[;&|`$(){}[\]\\*?<>!#"'%\n\r]/g, '');
+  // Remove control characters that could cause issues in command execution
+  // Preserve backslashes for Windows paths and punctuation for user text
+  const sanitized = trimmed.replace(/[\x00-\x1f\x7f]/g, '');
   if (!sanitized) {
     throw new MutationValidationError(`"${field}" contains only invalid characters.`);
   }