Critical Path Traversal in aos-workspace MCP Server Exposes Full Filesystem Read

A critical path traversal vulnerability in the `aos-workspace` MCP server allows any authenticated client to read arbitrary files from the host's entire filesystem. The flaw, located in the `index.js` file, stems from a failure to validate that a resolved file path remains within the intended workspace root directory (`AOS_ROOT`). An attacker can simply send a request with a path argument like `../../../etc/passwd` or `../../../Windows/System32/config/SAM`, and the server will return the contents of those sensitive system files.

The vulnerability exists on lines 80-81 of the `system/infra/mcp/servers/aos-workspace/index.js` file. The code uses `path.join()` to combine the `AOS_ROOT` with the user-supplied `args.path`, but it does not subsequently check if the resulting `fullPath` is still contained within `AOS_ROOT`. This oversight allows directory traversal sequences (`../`) to escape the workspace boundary entirely. The server only checks if the file exists before serving it, making exploitation trivial for any MCP client with access.

The impact is severe: any MCP client can read the entire filesystem of the server hosting the vulnerable component. This could lead to the exposure of configuration files, secrets, databases, and other critical system data. The provided fix demonstrates the necessary validation, using `path.resolve()` and checking that the final path string begins with the resolved `AOS_ROOT` directory, thereby preventing path traversal outside the designated workspace.