fix: cross-platform absolute path rejection in plugin exporter

Use PurePosixPath + PureWindowsPath to reject absolute paths from both
platforms regardless of the current OS. Fixes Windows CI failure where
/etc/passwd was not detected as absolute.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: danielmeppiel

src/apm_cli/bundle/plugin_exporter.py

@@ -34,8 +34,11 @@
 
 def _validate_output_rel(rel: str) -> bool:
     """Return True when *rel* is safe to write inside the output directory."""
-    p = Path(rel)
-    return not p.is_absolute() and ".." not in p.parts
+    from pathlib import PurePosixPath, PureWindowsPath
+
+    if PurePosixPath(rel).is_absolute() or PureWindowsPath(rel).is_absolute():
+        return False
+    return ".." not in Path(rel).parts
 
 
 _SAFE_BUNDLE_NAME_RE = re.compile(r"[^a-zA-Z0-9._-]")

tests/unit/test_plugin_exporter.py

@@ -142,9 +142,12 @@ def test_rejects_traversal(self):
         assert _validate_output_rel("../escape.md") is False
         assert _validate_output_rel("agents/../../etc/passwd") is False
 
-    def test_rejects_absolute(self):
+    def test_rejects_absolute_unix(self):
         assert _validate_output_rel("/etc/passwd") is False
 
+    def test_rejects_absolute_windows(self):
+        assert _validate_output_rel("C:\\Windows\\System32") is False
+
 
 class TestRenamePrompt:
     def test_strips_prompt_infix(self):