fix: add path traversal validation to all server actions #65

Open
Copilot wants to merge 2 commits into main from copilot/fix-path-traversal-vulnerability

Copilot AI commented Feb 26, 2026

All "use server" actions accepted projectName/sessionId/agentId with no validation, allowing path traversal attacks where projectName = "../../etc" flows directly into join(projectsPath, projectName, sessionId + ".jsonl").

Changes

lib/validate-params.ts — new shared validation utility mirroring the pattern already in app/api/download/[project]/[session]/route.ts:

  • validateProjectName() — rejects empty or path traversal sequences (..)
  • validateSessionId() — enforces lowercase UUID format
  • validateAgentId() — rejects empty or path traversal sequences (agentId is also used in file path construction via hashSubagentFile)

11 server actions — validation injected at the top of each:

// actions returning { ok: false, error: string }
const err = validateProjectName(projectName) ?? validateSessionId(sessionId)
  ?? (agentId !== undefined ? validateAgentId(agentId) : null);
if (err) return { ok: false, error: err };

// void-returning actions (clearAlertMarker, invalidateSessionItemCaches)
if (err) throw new Error(err);

Tests:

  • New __tests__/lib/validate-params.test.ts covering all three validators
  • Updated check-eval-cache.test.ts and check-enrichment-cache.test.ts to use valid UUIDs and added validation-rejection test cases

Type of Change

  • Bug fix
  • New feature
  • Refactor
  • Documentation

Checklist

  • npm run lint passes
  • npx tsc --noEmit passes
  • npm run test:run passes
  • npm run build succeeds

Original prompt

This section details the original issue you should resolve

<issue_title>[Critical/Security] Path traversal vulnerability in server actions</issue_title>
<issue_description>## Description

All "use server" actions accept projectName/sessionId parameters with zero validation, enabling path traversal attacks.

Affected Files

  • app/actions/process-session-evals.ts
  • app/actions/process-session-enrichments.ts
  • app/actions/process-session-actions.ts
  • app/actions/process-subagent-evals.ts
  • app/actions/process-subagent-enrichments.ts
  • app/actions/process-subagent-actions.ts
  • app/actions/check-eval-cache.ts
  • app/actions/check-enrichment-cache.ts
  • app/actions/check-action-cache.ts
  • app/actions/invalidate-session-caches.ts
  • app/actions/clear-alert-marker.ts

Root Cause

projectName = "../../etc" reaches hashSessionFile() → join(projectsPath, projectName, sessionId + ".jsonl") → path traversal outside intended directory.

Existing Pattern

The download route (app/api/download/) already has proper validation (UUID regex + traversal check) — server actions should match this pattern.

Proposed Fix

Create a shared validateProjectName() / validateSessionId() utility and call it at the top of every server action. Reject any input containing .., /, or characters outside a safe allowlist.

Related Issues

  • Related to #issue14 (DRY server actions) — validation could be part of the extracted factories</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: NiveditJain <40313233+NiveditJain@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix path traversal vulnerability in server actions" to "fix: add path traversal validation to all server actions" Feb 26, 2026
@NiveditJain NiveditJain marked this pull request as ready for review February 27, 2026 04:19
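
An added example, not code from this pull request or the project: one way the three validators named in the description could be written, returning `string | null` so they chain with `??` as in the description's snippet, followed by a resolved-path containment check as defense in depth. The allowlist regex, the error strings, the `resolveSessionFile` helper and the `/srv/projects` root are assumptions.

```typescript
import * as path from "node:path";

// Assumed allowlist: the PR says ".." is rejected; "/" and other characters
// are rejected here too, as the linked issue proposes.
const SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;
const UUID_LOWER = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

type Validator = (value: string) => string | null;

// Builds a validator for a value used as a single path segment.
function segmentValidator(label: string): Validator {
  return (value) => {
    if (typeof value !== "string" || value.length === 0) return `${label} is required`;
    if (value === "." || value.includes("..")) return `${label} contains a path traversal sequence`;
    if (!SAFE_SEGMENT.test(value)) return `${label} contains disallowed characters`;
    return null;
  };
}

const validateProjectName = segmentValidator("projectName");
const validateAgentId = segmentValidator("agentId");
const validateSessionId: Validator = (value) =>
  typeof value === "string" && UUID_LOWER.test(value) ? null : "sessionId must be a lowercase UUID";

type Resolved = { ok: true; file: string } | { ok: false; error: string };

// Hypothetical helper: validate first, then confirm the resolved path is
// still inside the projects root (defense in depth if a validator regresses).
function resolveSessionFile(root: string, projectName: string, sessionId: string, agentId?: string): Resolved {
  const err = validateProjectName(projectName) ?? validateSessionId(sessionId)
    ?? (agentId !== undefined ? validateAgentId(agentId) : null);
  if (err) return { ok: false, error: err };
  const base = path.resolve(root);
  const file = path.resolve(base, projectName, sessionId + ".jsonl");
  if (!file.startsWith(base + path.sep)) return { ok: false, error: "path escapes projects root" };
  return { ok: true, file };
}

// Constructed inputs, run against a constructed root directory.
const SAMPLE_ID = "123e4567-e89b-12d3-a456-426614174000";
for (const name of ["my-project", "../../etc", "a/b", ""]) {
  console.log(JSON.stringify(name), resolveSessionFile("/srv/projects", name, SAMPLE_ID));
}
```

The containment check compares against `base + path.sep` rather than `base` alone, so a sibling directory such as `/srv/projects-old` does not pass as a prefix match.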

Development

Successfully merging this pull request may close these issues.

[Critical/Security] Path traversal vulnerability in server actions
