fix(tools): normalize .. in resolve_via_ancestors to prevent sandbox bypass

[bug-ops]

Summary

Closes #2125.

resolve_via_ancestors silently dropped .. path components when building the non-existing suffix: Path::file_name() returns None for ParentDir, so the walk advanced existing past sandbox boundaries without recording the .. in the suffix. The final base.join(suffix) then produced a path that looked inside the sandbox to starts_with, while the OS would resolve it outside.

Attack vector:

allowed_paths = ["/tmp/sandbox"]
path = "/tmp/sandbox/nonexistent_dir/../../etc/passwd"

→ starts_with("/tmp/sandbox") returned true, OS opened /etc/passwd.

Fix

Add normalize_path() — a purely lexical stack-based ../. collapse with no filesystem calls — and call it in validate_path before resolve_via_ancestors. All 9 file tool handlers are covered via the single validate_path entry point.

Tests added (9)

• normalize_path_normal_path — no-op on clean path
• normalize_path_collapses_dot — . eliminated
• normalize_path_collapses_dotdot — multi-component .. collapsed
• normalize_path_nested_dotdot — multi-level traversal
• normalize_path_at_sandbox_boundary — exact boundary preserved
• validate_path_dotdot_bypass_nonexistent_blocked — primary CVE scenario blocked
• validate_path_dotdot_nested_bypass_blocked — deeper escape blocked
• validate_path_inside_sandbox_passes — normal access still allowed
• validate_path_dot_components_inside_sandbox_passes — . inside sandbox allowed

Checks

• cargo +nightly fmt --check — PASS
• cargo clippy --workspace --features full -- -D warnings — PASS (0 warnings)
• cargo nextest run --workspace --features full --lib --bins — 6384 passed, 0 failed

Related

• fix(tools): FileExecutor does not expand ~ in allowed_paths, blocking all file access #2115 — tilde expansion in allowed_paths (separate fix, merged)
• test: integration tests for FileExecutor allowed_paths using Docker #2117 — integration tests that exposed this analysis