fix: patch path traversal and baseUrl normalization in scene generator

- server.js: sanitize static file paths to prevent directory traversal
  (GET /../../sgclaw_config.json would expose API key)
- config-loader.js: fix normalizeBaseUrl to strip /v1 before appending,
  preventing double /v1 for non-standard base URLs

🤖 Generated with [Qoder][https://qoder.com]

frontend/scene-generator/config-loader.js

@@ -64,8 +64,8 @@ function loadConfig() {
 
 function normalizeBaseUrl(url) {
   url = url.replace(/\/+$/, "");
-  if (!url.endsWith("/v1")) url = url + "/v1";
+  url = url.replace(/\/v1\/?$/, "");
-  return url;
+  return url + "/v1";
 }
 
 function getDefaults() {

frontend/scene-generator/server.js

@@ -190,7 +190,13 @@ const server = http.createServer(async (req, res) => {
     } else if (pathname === "/" || pathname === "/index.html") {
       serveStatic(res, path.join(__dirname, "sg_scene_generator.html"));
     } else {
-      const filePath = path.join(__dirname, pathname);
+      const filePath = path.resolve(__dirname, pathname);
+      const resolvedDir = path.resolve(__dirname);
+      if (!filePath.startsWith(resolvedDir + path.sep) && filePath !== resolvedDir) {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Forbidden" }));
+        return;
+      }
       if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
         serveStatic(res, filePath);
       } else {