Potential fix for code scanning alert no. 18: Uncontrolled data used in path expression

[ArshVermaGit]

Potential fix for https://github.com/ArshVermaGit/SentinelOps-Autonomous-DevOps-AI/security/code-scanning/18

Best fix: validate and canonicalize local_path at the API boundary, and reject requests early if the path is not one of the linked repositories. This creates an explicit trust boundary sanitizer and prevents tainted paths from reaching git/path sinks.

Single best approach here:

1. In sentinelops-backend/app/routers/local_dev.py, add a small helper that:
   • normalizes local_path using local_git._normalize_repo_path(...)
   • checks local_git._is_linked_repo_path(...)
   • raises HTTPException(400) when invalid/unlinked.
2. Use this helper in all endpoints receiving path input from users:
   • unlink_repo(local_path: str)
   • get_repo_status(local_path: str)
   • commit_repo(req: CommitRequest)
   • commit_legacy(req: CommitRequest)
3. Pass only the validated normalized path into service calls.

No behavior change for valid linked repos; invalid/unlinked paths now fail earlier and explicitly.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[ArshVermaGit]

This is a really solid and thoughtful fix that clearly strengthens the trust boundary around filesystem access. I really like how the validation and canonicalization of local_path is handled right at the API boundary — it keeps tainted input from ever reaching deeper git/path operations, which is exactly where we want the guardrails. Using local_git._normalize_repo_path(...) together with local_git._is_linked_repo_path(...) makes the intent explicit and easy to reason about, and applying the helper consistently across unlink_repo, get_repo_status, commit_repo, and commit_legacy ensures there aren’t any gaps. The early HTTPException(400) response also makes the behavior predictable and transparent for clients without impacting valid linked repo flows. Overall, this feels like a clean, minimal, and security-conscious improvement that improves confidence in the path handling logic without adding unnecessary complexity. Great work tightening this up.