security: improve path validation in get_file handler

The previous check only looked for ".." substring, which missed:
- Absolute paths (/etc/passwd)
- URL-encoded traversal patterns
- Paths that clean to traversal (./../../etc)

Now uses filepath.Clean() and filepath.IsAbs() for robust validation:
- Rejects absolute paths
- Cleans paths before checking for traversal
- Uses cleaned path for database lookup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

internal/mcp/handlers.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -177,10 +178,17 @@ func (s *Server) handleGetFile(ctx context.Context, args map[string]interface{})
 		return ErrorContent(fmt.Errorf("path is required")), nil
 	}
 
-	// Security: validate path
-	if strings.Contains(path, "..") {
+	// Security: validate path to prevent traversal attacks
+	// Clean the path and check for dangerous patterns
+	cleanPath := filepath.Clean(path)
+	if filepath.IsAbs(cleanPath) {
+		return ErrorContent(fmt.Errorf("invalid path: absolute paths not allowed")), nil
+	}
+	if strings.HasPrefix(cleanPath, "..") {
 		return ErrorContent(fmt.Errorf("invalid path: directory traversal not allowed")), nil
 	}
+	// Use the cleaned path for lookup
+	path = cleanPath
 
 	revision, _ := args["revision"].(string)
 	rev, err := s.resolveRevision(ctx, revision)