fix: path traversal in listDirectory

Fixes security vulnerability #463

The original check using startsWith(projectPath) could be bypassed
with sibling directories that share a prefix with the project path.

Example: projectPath=/home/user/project, directoryPath=../project-evil
resolves to /home/user/project-evil which passes startsWith('/home/user/project')
because 'project-evil' starts with 'project'.

This fix adds path.sep to ensure we're checking for proper directory
boundary, and also checks for exact match to allow listing the project
root itself. This matches the pattern already used in code-search.ts.

Author: SparkLabScout

sdk/src/tools/list-directory.ts

@@ -13,7 +13,10 @@ export async function listDirectory(params: {
   try {
     const resolvedPath = path.resolve(projectPath, directoryPath)
 
-    if (!resolvedPath.startsWith(projectPath)) {
+    if (
+      !resolvedPath.startsWith(projectPath + path.sep) &&
+      resolvedPath !== projectPath
+    ) {
       return [
         {
           type: 'json',