Replace trivial resolve_path with volume map

Maps container paths to host paths using the docker-compose volume layout
(/workspace -> CONDUIT_HOST_WORKSPACE, /home/claude -> CONDUIT_HOST_HOME).
Relative paths resolve against CONTAINER_PATH. Paths outside all known
volumes throw rather than silently pass through.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/helpers.mjs

@@ -1,15 +1,34 @@
 import { spawnSync } from "child_process";
 import path from "path";
 
-const WORKSPACE_ROOT = process.env.CONDUIT_ROOT || "/workspace";
+const CONTAINER_PATH = "/workspace";
 
-// Resolve a path param relative to WORKSPACE_ROOT, preventing traversal.
+// Maps container path prefixes to host paths.
+// Derived from docker-compose.yml volumes:
+//   ./workspace   -> /workspace
+//   ./claude-home -> /home/claude
+// Override host paths via env vars when running outside the default layout.
+const VOLUME_MAP = {
+	"/workspace":    process.env.CONDUIT_HOST_WORKSPACE  || CONTAINER_PATH,
+	"/home/claude":  process.env.CONDUIT_HOST_HOME       || "/home/claude",
+};
+
+// Translate a container-side path to its host-side equivalent using VOLUME_MAP.
+// Relative paths are resolved against CONTAINER_PATH first.
+// Throws if the path escapes all known volumes.
 export function resolve_path(user_path) {
-	const resolved = path.resolve(WORKSPACE_ROOT, user_path.replace(/^\//, ""));
-	if (!resolved.startsWith(WORKSPACE_ROOT)) {
-		throw new Error(`Path escapes workspace root: ${user_path}`);
+	const abs = path.isAbsolute(user_path)
+		? user_path
+		: path.join(CONTAINER_PATH, user_path);
+
+	for (const [container_prefix, host_prefix] of Object.entries(VOLUME_MAP)) {
+		if (abs === container_prefix || abs.startsWith(container_prefix + "/")) {
+			const relative = abs.slice(container_prefix.length);
+			return host_prefix + relative;
+		}
 	}
-	return resolved;
+
+	throw new Error(`Path is outside all known volumes: ${user_path}`);
 }
 
 // Execute a binary with an argument list — no shell interpolation.