fix: address critical security and stability issues

- Fix path traversal vulnerabilities in API route validation functions
- Fix path traversal in readiness-report.mjs artifact validation
- Add file locking to prevent race conditions in agent-reservations.ts
- Fix event ordering in ActivityEventBus by capturing snapshot before modification
- Fix memory leaks in watcher.ts by explicitly removing chokidar listeners
- Add command injection sanitization in mutations.ts

Co-authored-by: openhands <openhands@all-hands.dev>

src/app/api/activity/route.ts

@@ -5,7 +5,16 @@ import { activityEventBus } from '../../../lib/realtime';
 function isValidProjectRoot(root: string): boolean {
   try {
     const resolved = path.resolve(root);
-    return path.isAbsolute(resolved);
+    if (!path.isAbsolute(resolved)) {
+      return false;
+    }
+    // Prevent path traversal by ensuring resolved path doesn't escape the project
+    const normalized = path.normalize(resolved);
+    // Check that the path doesn't contain traversal patterns
+    if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
+      return false;
+    }
+    return true;
   } catch {
     return false;
   }