[Fix] Use fileURLToPath for file:// URL parsing in artifact handler #194

Merged: samzong merged 1 commit into main from fix/file-url-path-traversal on Mar 27, 2026
@samzong (Collaborator) commented Mar 27, 2026

Summary

Replace naive url.replace('file://', '') with Node.js standard fileURLToPath() to correctly parse file:// URLs in the artifact:save-image-url IPC handler, closing a path traversal vector.

Type of change

  • [Fix] bug fix

Why is this needed?

url.replace('file://', '') strips the scheme but leaves the host component intact. A URL like file://localhost/tmp/evil.png becomes localhost/tmp/evil.png, which resolve() turns into a CWD-relative path — bypassing the workspace boundary check. This is a path traversal vulnerability.

Additionally, new URL(url).pathname (the obvious alternative) does not decode percent-encoded characters (%20 stays %20) and produces wrong paths on Windows (/C:/path instead of C:\path). fileURLToPath from node:url handles both correctly and is the Node.js canonical API for this conversion.

What changed?

  • Added import { fileURLToPath } from 'node:url'
  • Replaced resolve(url.replace('file://', '')) with resolve(fileURLToPath(url))

Architecture impact

  • Owning layer: main
  • Cross-layer impact: none
  • Invariants touched from docs/architecture-invariants.md: none
  • Why those invariants remain protected: change is confined to a single IPC handler's URL parsing; no new data flows, no schema changes

Linked issues

N/A

Validation

  • pnpm lint
  • pnpm test
  • pnpm check:ui-contract
  • pnpm check (full suite: lint + architecture + ui-contract + renderer-copy + i18n + dead-code + format + typecheck + test)
  • pnpm build
  • Manual smoke test

Commands, screenshots, or notes:

pnpm check — all gates passed

Screenshots or recordings

No UI changes.

Release note

  • No user-facing change. Release note is NONE.
NONE

Checklist

  • The PR title uses at least one approved prefix: [Feat], [Fix], [UI], [Docs], [Refactor], [Build], or [Chore]
  • The summary explains both what changed and why
  • Validation reflects the commands actually run for this PR
  • Architecture impact is described and references any touched invariants
  • Cross-layer changes are explicitly justified
  • The release note block is accurate
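
The parsing difference this PR describes, as an added example that is not part of the PR or the project's code. It runs the old expression, the `pathname` alternative and `fileURLToPath` over constructed URLs and applies an assumed workspace containment check; the helper names, the workspace root and the working directory are hypothetical, and POSIX path semantics are assumed.

```javascript
// Added example, not the project's code. Helper names, CWD and WORKSPACE are
// hypothetical; POSIX path semantics are assumed.
const path = require('node:path').posix;
const { fileURLToPath } = require('node:url');

const WORKSPACE = '/home/user/workspace'; // constructed workspace root
const CWD = WORKSPACE;                    // assumption: process cwd is inside it

// Assumed boundary check: the target is the root itself or sits below it.
function insideWorkspace(target) {
  const rel = path.relative(WORKSPACE, target);
  return rel !== '..' && !rel.startsWith('../');
}

// "Before" expression from the PR description: strip the scheme, then resolve.
const naivePath = (url) => path.resolve(CWD, url.replace('file://', ''));

// The rejected alternative: pathname keeps percent-escapes such as %20.
const pathnamePath = (url) => path.resolve(CWD, new URL(url).pathname);

// "After" expression: fileURLToPath handles the host and decodes escapes.
// On POSIX it throws for a host other than localhost, so treat that as a reject.
function fixedPath(url) {
  try {
    return path.resolve(CWD, fileURLToPath(url));
  } catch {
    return null; // e.g. ERR_INVALID_FILE_URL_HOST
  }
}

// Constructed sample URLs.
const SAMPLES = [
  'file://localhost/tmp/evil.png',
  'file://example.com/tmp/evil.png',
  'file:///home/user/workspace/my%20image.png',
];

function compare(url) {
  const naive = naivePath(url);
  const fixed = fixedPath(url);
  return {
    url, naive, naiveAllowed: insideWorkspace(naive),
    pathname: pathnamePath(url),
    fixed, fixedAllowed: fixed !== null && insideWorkspace(fixed),
  };
}

console.table(SAMPLES.map(compare));
```

For the first two URLs the naive path lands under the workspace and passes the check even though the URL names a file outside it; the fixed form resolves the first to `/tmp/evil.png` and rejects the second outright.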

@github-actions (Contributor)

Hi @samzong,
Thanks for your pull request!
If the PR is ready, use the /auto-cc command to assign Reviewer to Review.
We will review it shortly.

Instructions for interacting with me using comments are available here.
If you have questions or suggestions related to my behavior, please file an issue against the gh-ci-bot repository.

@samzong samzong merged commit f48860d into main Mar 27, 2026
7 checks passed
@samzong samzong deleted the fix/file-url-path-traversal branch March 29, 2026 14:10