feat: Introduce safeResolve and deployment name validation to preve…

[codxbrexx]

Summary

Adds a safeResolve utility and a deployment name allowlist to make sure recursive deletes can't escape the app directory. Also includes two CI fixes that were blocking local integration tests.

Related issue

Part of tracking epic #99
Fixes #121

Type of change

• Bug fix
• New feature
• Documentation
• Chore / CI
• Breaking change

How to test

1. Checkout fix/path-traversal-delete-guards
2. Run npm ci
3. Run npm test , all 20 tests should pass including the new safeResolve() suite
4. Try DELETE /api/deploy with suffix: "../etc" , expect a 400
5. Try a normal valid delete , should still work

Checklist

• I have read the contributing guidelines
• I added tests that prove my fix is effective or that my feature works
• I updated documentation if necessary

Notes for reviewers

Three things changed in this PR:

Issue 8 (path traversal):

• New src/utils/safePath.ts — safeResolve(baseDir, child) resolves the target path and throws 400 if it escapes baseDir
• delete.ts — validates suffix against ^[a-zA-Z0-9._-]+$ before any path work; uses safeResolve instead of raw join
• repository.ts — repositoryDelete helper now uses safeResolve so the cleanup can't escape appsDirectory even if repositoryName degrades

Note: The CI integration tests on this PR will only pass after #122 (CI fix — healthcheck, busboy race, protocol patch) is merged first. The path traversal change itself is isolated and has no code dependency on those fixes.

Release notes

Added path boundary validation to the delete endpoint and repository cleanup. A crafted deployment name can no longer cause rm to delete files outside the app directory.

Test