Implement comprehensive path-traversal security tests documenting
the 10 canonical payloads from the threat model (plan line 891).
The test suite verifies that the resolve_path function in
mcp/root.rs properly rejects path-traversal attempts when --root
mode is enabled, while allowing HTTPS URLs to bypass validation
per INV-10.
Test coverage:
- All 10 traversal payloads rejected when --root is set
- Valid paths within root are accepted
- HTTPS URLs bypass root check
- Symlink escapes are caught
- URL-encoded traversal is rejected
- Special filesystem paths are rejected
- Deep traversal payloads are caught
Acceptance: All 10 tests pass. Current state documented:
Phase 1 (current): paths pass through without --root; validated with --root
Phase 2 (future): --root mode to be wired to MCP server entry point
References: Plan line 891 (TH-02), INV-10 (no file-path params in HTTP mode)
Closes: pdftract-4h06h