
Add directory boundary validation for stata_do execution paths #70

Merged: SepineTam merged 4 commits into dev/v1.16.2 from codex/add-directory-boundary-validation-to-stata_do on Apr 30, 2026


@SepineTam
Owner

Motivation

  • Limit execution of Stata dofiles to safe locations by restricting stata_do to the configured dofile folder and working directory to match the security model used by read_log.
  • Prevent symlink/path-traversal attacks and provide a clear audit trail when an execution is attempted outside allowed directories.

Description

  • Add a reusable helper _is_within_allowed_directories(target_path, allowed_dirs) that resolves paths and checks containment with relative_to() to centralize boundary checks.
  • Enforce directory whitelist in stata_do (checked before guard validation) so only files under config.STATA_MCP_FOLDER.DO or config.WORKING_DIR may be executed.
  • Return a structured access-denied payload and log a [SECURITY VIOLATION] warning that includes the requested path, resolved path, and the allowed directories.
  • Add unit tests covering nested/allowed paths, disallowed paths, symlink pointing outside, and path-traversal cases in tests/test_stata_do_boundary.py.

Testing

  • Ran PYTHONPATH=src pytest -q tests/test_stata_do_boundary.py and all tests passed (5 passed).
  • Running the combined test command without PYTHONPATH raised ModuleNotFoundError: No module named 'stata_mcp' in this environment, indicating the failure was due to import path setup rather than the code changes.
  • pre-commit run --all-files could not be executed in the environment because pre-commit is not installed.

Codex Task
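
The containment check described above, sketched as an added example that is not part of the PR or the project's code. It assumes a helper with the signature the description gives (named here without the leading underscore), a hypothetical naive_prefix_check for contrast, and a constructed temporary directory layout.

```python
import os
import tempfile
from pathlib import Path


def is_within_allowed_directories(target_path, allowed_dirs):
    """True only if target_path, with symlinks and '..' resolved, lies under an allowed dir."""
    try:
        resolved = Path(target_path).resolve()
    except (OSError, RuntimeError):  # e.g. a symlink loop: fail closed
        return False
    for allowed in allowed_dirs:
        try:
            resolved.relative_to(Path(allowed).resolve())
            return True
        except ValueError:  # not under this allowed directory
            continue
    return False


def naive_prefix_check(target_path, allowed_dirs):
    """Weak variant for contrast: string prefix test on the unresolved path."""
    return any(str(target_path).startswith(str(d)) for d in allowed_dirs)


def demo():
    """Evaluate both checks on a constructed layout; returns {case: (resolved, naive)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        do_dir, outside = root / "do", root / "do_private"  # sibling shares the "do" prefix
        (do_dir / "nested").mkdir(parents=True)
        outside.mkdir()
        (do_dir / "nested" / "ok.do").write_text("display 1\n")
        (outside / "secret.do").write_text("display 2\n")
        os.symlink(outside / "secret.do", do_dir / "link.do")  # symlink leaving do_dir
        cases = {
            "nested": do_dir / "nested" / "ok.do",
            "traversal": do_dir / ".." / "do_private" / "secret.do",
            "symlink": do_dir / "link.do",
            "sibling_prefix": outside / "secret.do",
        }
        return {name: (is_within_allowed_directories(p, [do_dir]),
                       naive_prefix_check(p, [do_dir])) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (strict, naive) in demo().items():
        print(f"{name:15} resolved-check={strict!s:5} naive-prefix={naive}")
```

The prefix test accepts all four cases, while the resolved check accepts only the nested file.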

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 29, 2026

Deploying stata-mcp with Cloudflare Pages

Latest commit: 4e1e053
Status: ✅  Deploy successful!
Preview URL: https://f545400b.stata-mcp.pages.dev
Branch Preview URL: https://codex-add-directory-boundary.stata-mcp.pages.dev


@SepineTam merged commit 267f21f into dev/v1.16.2 on Apr 30, 2026
2 checks passed