refactor(radar): use path normalization for traversal check

Replace blocklist pattern matching with URL path normalization and
allowlist validation. The URL constructor normalizes paths (resolves
'..' and decodes percent-encoding), so we verify the final pathname
stays within /client/v4/radar/ scope.

This approach handles:
- URL-encoded traversal attempts (%2e%2e, %2f)
- Double encoding and other bypass techniques
- Future unknown bypass patterns (allowlist vs blocklist)

Author: andre-j3sus

apps/radar/src/tools/radar.tools.ts

@@ -127,13 +127,15 @@ async function fetchRadarApi(
 	endpoint: string,
 	params: Record<string, unknown> = {}
 ): Promise<unknown> {
-	// Defense-in-depth: Reject any path traversal attempts
-	if (endpoint.includes('..') || endpoint.includes('//')) {
-		throw new Error('Invalid endpoint path: path traversal sequences are not allowed')
-	}
-
 	const url = new URL(`${RADAR_API_BASE}${endpoint}`)
 
+	// Defense-in-depth: Ensure the resolved path stays within Radar API scope
+	// The URL constructor normalizes the path (resolves '..' and decodes percent-encoding),
+	// so we check the final pathname to prevent path traversal attacks
+	if (!url.pathname.startsWith('/client/v4/radar/')) {
+		throw new Error('Invalid endpoint path: must be within the Radar API scope')
+	}
+
 	for (const [key, value] of Object.entries(params)) {
 		if (value === undefined || value === null) continue