Security fixes from audit:
- Escape user-supplied strings (ext_relation_id, interface_name) with
url.PathEscape before interpolating into API URL paths, preventing
path traversal via crafted values like "../admin" or "foo/bar"
- Mark auth token URL attributes as Sensitive in both
virtfusion_user_auth_token and virtfusion_user_server_auth_token
resources, since the URL embeds the signed token
- Truncate raw API error response bodies to 500 bytes in error messages
to prevent leaking sensitive data from verbose Laravel error responses
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Andrew
ef8fbd530b