fix: normalize include_paths -- strip backslashes, reject traversal, defense in depth

Sanitizer now matches the validation in IndexConfig.sanitize_paths:
- Backslashes replaced with forward slashes
- Leading/trailing whitespace and slashes stripped
- Path traversal (..) entries rejected
- Non-string and empty entries filtered

2 new tests: traversal rejection, backslash normalization. 35 total pass.

Skipped findings:
- Cache keyed by include_paths: not needed, cache cleared on re-index
- repos.py truthy-only write: already fixed in previous commit
- Test type hints: entire suite has zero, adding to 3 tests is inconsistent

Author: DevanshuNEU

backend/services/dependency_analyzer.py

@@ -144,9 +144,15 @@ def build_dependency_graph(self, repo_path: str, include_paths: List[str] = None
 
         # Sanitize include_paths from DB (could be corrupt jsonb)
         if include_paths:
-            include_paths = [p for p in include_paths if isinstance(p, str) and p.strip()]
-            if not include_paths:
-                include_paths = None
+            cleaned = []
+            for p in include_paths:
+                if not isinstance(p, str):
+                    continue
+                p = p.replace('\\', '/').strip().strip('/')
+                if not p or '..' in p.split('/'):
+                    continue
+                cleaned.append(p)
+            include_paths = cleaned or None
 
         # Discover code files
         code_files = []

backend/tests/test_dependency_analyzer.py

@@ -308,6 +308,27 @@ def test_include_paths_empty_list_scans_everything(self, analyzer, ts_repo):
         file_paths = set(graph['dependencies'].keys())
         assert any('backend' in f for f in file_paths)
 
+    def test_include_paths_traversal_rejected(self, analyzer, ts_repo):
+        """Path traversal attempts should be stripped, not crash"""
+        graph = analyzer.build_dependency_graph(
+            str(ts_repo),
+            include_paths=['../etc/passwd', 'packages/effect', '../../secrets']
+        )
+        file_paths = set(graph['dependencies'].keys())
+        # Traversal entries filtered, only packages/effect remains
+        assert all('packages/effect' in f for f in file_paths)
+        assert len(file_paths) > 0
+
+    def test_include_paths_backslash_normalized(self, analyzer, ts_repo):
+        """Windows-style backslashes should be normalized"""
+        graph = analyzer.build_dependency_graph(
+            str(ts_repo),
+            include_paths=['packages\\effect']
+        )
+        file_paths = set(graph['dependencies'].keys())
+        assert all('packages/effect' in f for f in file_paths)
+        assert len(file_paths) > 0
+
 
 class TestGraphMetrics:
     """Verify graph statistics are correct"""