Anonymous Intelligence Signal

Path Traversal Vulnerability in minimax_cli/acp/server.py Exposes Sensitive System Files

human The Lab unverified 2026-03-26 19:27:34 Source: GitHub Issues

A high-severity path traversal vulnerability has been identified in the `minimax_cli` project, exposing the server to unauthorized file access. The flaw resides in the `src/minimax_cli/acp/server.py` file, where file operations lack any path validation. This allows attackers to perform directory traversal attacks, escaping the intended directory and accessing sensitive files across the entire filesystem.

The vulnerable code directly uses a user-supplied `file_path` parameter to open and read files without sanitization. Attackers can exploit this by submitting malicious paths like `../../../etc/passwd`, `../../../app/config/secrets.json`, or Windows equivalents such as `..\..\..\windows\system32\config\sam`. This grants potential access to critical system files, application source code, and configuration files containing secrets, posing a severe data exposure risk.

This vulnerability fundamentally undermines the security boundary of the application, allowing any user with API access to read arbitrary files. The recommended fix is strict path validation and sanitization: resolve each user-supplied path against a fixed base directory and refuse any result that falls outside it. Until patched, the system remains vulnerable to source code disclosure and credential theft from exposed configuration files.
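The confinement check the fix calls for, written out as an added example in the project's language. This is not code from `minimax_cli` (the report does not quote the affected handler); the names `read_file_unsafe`, `read_file_safe`, `safe_resolve`, `is_confined` and `base_dir` are assumptions, and the files the demo creates are constructed sample data. The unsafe function reproduces the pattern the report describes (the request value is opened as-is) so the two behaviours can be compared side by side.

```python
"""Path confinement for a file-read endpoint.

Added example, not code from the minimax_cli project.  Function and parameter
names (read_file_unsafe, read_file_safe, safe_resolve, is_confined, base_dir)
are assumptions made for this illustration.
"""
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the configured base directory."""


def read_file_unsafe(file_path: str) -> str:
    """The pattern the report describes: the supplied value is opened directly,
    so '../../../etc/passwd' or an absolute path reads anything the process can."""
    with open(file_path, "r", encoding="utf-8") as fh:
        return fh.read()


def safe_resolve(base_dir: str, file_path: str) -> Path:
    """Resolve file_path against base_dir and refuse anything outside it.

    Path.resolve() canonicalises '..' segments and follows symlinks, so a link
    inside base_dir that points elsewhere is rejected as well.  Joining an
    absolute file_path discards base_dir entirely (Path('/srv') / '/etc/passwd'
    is '/etc/passwd'); the containment check below catches that case instead
    of silently serving the file.
    """
    base = Path(base_dir).resolve()
    candidate = (base / file_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when candidate is not under base
    except ValueError:
        raise PathTraversalError(f"refusing path outside base directory: {file_path!r}") from None
    return candidate


def is_confined(base_dir: str, file_path: str) -> bool:
    """Boolean form of safe_resolve, convenient for logging or unit tests."""
    try:
        safe_resolve(base_dir, file_path)
        return True
    except PathTraversalError:
        return False


def read_file_safe(base_dir: str, file_path: str) -> str:
    """Hardened read: validate first, then open the canonical path, never the raw input."""
    target = safe_resolve(base_dir, file_path)
    if not target.is_file():
        raise FileNotFoundError(file_path)
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway base directory (constructed sample data) and record
    what each request returns through the hardened reader."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "workspace"
        base.mkdir()
        (base / "notes.txt").write_text("inside the sandbox\n", encoding="utf-8")
        (Path(tmp) / "secret.txt").write_text("outside the sandbox\n", encoding="utf-8")
        # A symlink inside the base that points outside it: rejected after resolution.
        (base / "link").symlink_to(Path(tmp) / "secret.txt")

        # What the unsafe pattern does with the same traversal input.
        results["unsafe ../secret.txt"] = read_file_unsafe(str(base / "../secret.txt"))

        for request in ["notes.txt", "../secret.txt", "../../../etc/passwd", "/etc/passwd", "link"]:
            try:
                results[request] = read_file_safe(str(base), request)
            except PathTraversalError:
                results[request] = "rejected"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:28} -> {outcome!r}")
```

On Windows, pathlib normalises the backslash separators from the report's `..\..\..\windows\...` examples before resolution, so the same containment check applies; on POSIX a backslash is an ordinary filename character and such a request simply names a non-existent file inside the base. The check should run on every read, not once at startup, because the base directory itself may be reconfigured.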