Introduces path-guard.ts with guardPath (symlink-aware) and guardPathUnsafe
(lexical-only) that throw SandboxEscapeError on any escape attempt. Replaces
weak containment checks in file-tools, git-tools, and shell-tools with strict
guards. Adds 12 unit tests covering traversal, absolute-path, and sibling-dir
escape vectors.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Jason Woltje
8d511ddb67