feat(gateway): tool path hardening + sandbox escape prevention (P8-016)

Introduces path-guard.ts with guardPath (symlink-aware) and guardPathUnsafe
(lexical-only) that throw SandboxEscapeError on any escape attempt. Replaces
weak containment checks in file-tools, git-tools, and shell-tools with strict
guards. Adds 12 unit tests covering traversal, absolute-path, and sibling-dir
escape vectors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/TASKS.md

@@ -85,7 +85,7 @@
 | P8-013 | not-started | Phase 8   | Gateway Phase 5 — MosaicPlugin lifecycle, ReloadService, hot reload, system:reload TUI             | —    | #166          |
 | P8-014 | not-started | Phase 8   | Gateway Phase 6 — SessionGCService (all tiers), /gc command, cron integration                      | —    | #167          |
 | P8-015 | not-started | Phase 8   | Gateway Phase 7 — WorkspaceService, ProjectBootstrapService, teams project ownership               | —    | #168          |
-| P8-016 | not-started | Phase 8   | Security — file/git/shell tool strict path hardening, sandbox escape prevention                    | —    | #169          |
+| P8-016 | done        | Phase 8   | Security — file/git/shell tool strict path hardening, sandbox escape prevention                    | —    | #169          |
 | P8-017 | not-started | Phase 8   | TUI Phase 8 — autocomplete sidebar, fuzzy match, arg hints, up-arrow history                       | —    | #170          |
 | P8-018 | done        | Phase 8   | Spin-off plan stubs — Gatekeeper, Task Queue Unification, Chroot Sandboxing                        | —    | #171          |
 | P8-019 | not-started | Phase 8   | Verify Platform Architecture — integration + E2E verification                                      | —    | #172          |