Potential fix for code scanning alert no. 33: Uncontrolled data used in path expression#26
…in path expression Co-authored-by: Arsh Verma <arshverma.dev@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
ArshVermaGit
left a comment
This PR proposes a sensible defense-in-depth improvement for handling uncontrolled path input by shifting validation closer to the router boundary while preserving existing functionality. Validating and canonicalizing req.local_path before invoking link_repo() helps reduce taint propagation into filesystem operations and makes the trust boundary much clearer. Reusing the service-level sanitizer for linking is a practical choice since the existing helper pattern does not fit this flow, and returning the validated canonical path improves consistency in the API response. Overall, the change strengthens input handling without altering the repo-linking behavior and complements the service-layer checks effectively.
Potential fix for https://github.com/ArshVermaGit/SentinelOps-Autonomous-DevOps-AI/security/code-scanning/33
General fix: validate and canonicalize untrusted path input as early as possible (router boundary), and only pass sanitized values into filesystem operations. Keep normalization + containment checks in the service as defense-in-depth.
Best fix here without changing functionality:
In sentinelops-backend/app/routers/local_dev.py, update /repos/link to validate req.local_path. The existing _validated_linked_repo_path helper pattern isn't suitable for link (it requires an already linked repo), so call the service sanitizer for linking and reject invalid input before calling link_repo, passing the sanitized path (instead of the raw req.local_path) into local_git.link_repo(...). This keeps behavior (linking repos) while ensuring path input is sanitized at the trust boundary and reduces taint flow to filesystem sinks.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
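The pattern the fix describes (canonicalize untrusted path input at the router boundary, check containment against an allowed root, and only then hand the validated path to the filesystem sink) is shown below as an added, stand-alone example. It is not code from the SentinelOps project: sanitize_repo_path, InvalidRepoPath, handle_link_request and the allowed_root argument are all assumed names, and handle_link_request is only a stand-in for the router handler that would call local_git.link_repo. The scratch directory layout built in run_demo is constructed sample input.

```python
import tempfile
from pathlib import Path


class InvalidRepoPath(ValueError):
    """Raised when untrusted path input fails validation (hypothetical name)."""


def sanitize_repo_path(candidate: str, allowed_root: Path) -> Path:
    """Validate and canonicalize an untrusted filesystem path.

    Returns the canonical (absolute, symlink-resolved) path when it lies inside
    allowed_root and names an existing directory; raises InvalidRepoPath
    otherwise. Containment is checked on the *resolved* path, so both '..'
    segments and symlinks that point outside the root are rejected.
    """
    if not candidate or "\x00" in candidate:
        raise InvalidRepoPath("empty path or embedded NUL byte")
    # The root itself is resolved so that a symlinked root (e.g. /var -> /private/var)
    # compares correctly against the resolved candidate.
    root = allowed_root.resolve(strict=True)
    # Path('/root') / '/abs' yields '/abs', so absolute input is handled the same way.
    resolved = (root / candidate).resolve()
    try:
        resolved.relative_to(root)
    except ValueError as exc:
        raise InvalidRepoPath(f"path escapes allowed root: {candidate!r}") from exc
    if not resolved.is_dir():
        raise InvalidRepoPath(f"not an existing directory: {candidate!r}")
    return resolved


def handle_link_request(local_path: str, allowed_root: Path) -> dict:
    """Router-boundary shape: reject bad input before any filesystem sink runs.

    The 'link' step here is a placeholder for the real repo-linking call; the
    response echoes the validated canonical path rather than the raw input.
    """
    try:
        safe_path = sanitize_repo_path(local_path, allowed_root)
    except InvalidRepoPath as exc:
        return {"status": 400, "error": str(exc)}
    # Only the sanitized value reaches the sink (here: nothing but the response).
    return {"status": 200, "local_path": str(safe_path)}


def run_demo() -> dict:
    """Build a constructed scratch layout and classify a set of candidate paths.

    Layout:  <tmp>/workspace/repo-a          (allowed root is <tmp>/workspace)
             <tmp>/outside                   (must never be reachable)
             <tmp>/workspace/escape-link -> <tmp>/outside
    Returns a mapping of case name -> HTTP status the handler would return.
    """
    base = Path(tempfile.mkdtemp())
    root = base / "workspace"
    (root / "repo-a").mkdir(parents=True)
    outside = base / "outside"
    outside.mkdir()
    (root / "escape-link").symlink_to(outside, target_is_directory=True)

    cases = {
        "relative_inside": "repo-a",
        "traversal": "../outside",
        "symlink_escape": "escape-link",
        "absolute_inside": str(root / "repo-a"),
        "absolute_outside": str(outside),
        "missing_dir": "does-not-exist",
        "nul_byte": "repo-a\x00",
    }
    return {name: handle_link_request(cand, root)["status"] for name, cand in cases.items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:18s} -> {status}")
```

The containment test is done with Path.relative_to on the resolved path rather than with a string prefix check, which avoids the classic false positive where "/workspace-other" passes a startswith("/workspace") test; the existing-directory check mirrors the fact that a repo to be linked must already exist on disk.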