ASVS Requirement: 13.4.1 — Verify that source control metadata is excluded from deployment or made inaccessible.
Audit Finding: 2.4 — Path Validation Does Not Explicitly Block SCM Paths
Severity: LOW
CWE: CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory)
Description:
The path validation function _validate_relpath_string in atr/form.py prevents path traversal (..) but does not explicitly reject paths containing .git, .svn, or other SCM directory components. While the dotfiles check in atr/tasks/checks/paths.py catches these during release checks and the dot-prefix prevention in atr/storage/writers/release.py blocks directory creation, adding validation at the path parsing layer strengthens defense-in-depth.
Evidence:
```python
# atr/form.py - Path validation
for part in posix_path.parts:
    if part == "..":
        raise ValueError("Parent directory references (..) are not allowed")
    if part == ".":
        raise ValueError("Self directory references (.) are not allowed")
    # MISSING: No check for ".git", ".svn"
```
Suggested implementation:
Investigate whether this is very low effort; only if so, make the change.
```python
# Compared case-insensitively below. CVS keeps its metadata in a directory
# literally named "CVS" (no leading dot), so the entry is "cvs", not ".cvs".
_SCM_DIRECTORIES = frozenset({".git", ".svn", ".hg", ".bzr", "cvs"})
for part in posix_path.parts:
    if part.lower() in _SCM_DIRECTORIES:
        raise ValueError(f"Access to source control directories ({part}) is not allowed")
```
Location: atr/form.py
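A complete validator of this shape, as an added example rather than the project's code (it is not the body of `_validate_relpath_string`; `validate_relpath`, `is_safe_relpath` and `SCM_COMPONENTS` are hypothetical names). It checks the raw `/`-separated segments instead of `PurePosixPath.parts`, because `PurePosixPath` silently drops `.` segments and collapses repeated slashes, and it matches whole segments only, so `.gitignore` and `.github` stay allowed while `.git` is rejected whether it is a directory or a gitdir pointer file. The sample inputs are constructed for the example.

```python
"""Relative-path validation that rejects traversal and SCM metadata components.

Added example with hypothetical names; not the project's own implementation.
"""
from pathlib import PurePosixPath

# Directory names used by common version-control systems, compared
# case-insensitively. CVS stores its metadata in a directory literally named
# "CVS" (no leading dot), which is why the entry is "cvs" rather than ".cvs".
SCM_COMPONENTS = frozenset({".git", ".svn", ".hg", ".bzr", "cvs"})


def validate_relpath(raw: str) -> PurePosixPath:
    """Return a PurePosixPath for a safe relative path, or raise ValueError.

    Validation runs on the raw "/"-separated segments rather than on
    PurePosixPath.parts: PurePosixPath drops "." segments and collapses
    repeated slashes, which would hide inputs this check wants to reject.
    """
    if not raw:
        raise ValueError("Path must not be empty")
    if "\x00" in raw:
        raise ValueError("NUL bytes are not allowed")
    if "\\" in raw:
        raise ValueError("Backslash separators are not allowed")
    if raw.startswith("/"):
        raise ValueError("Absolute paths are not allowed")
    for segment in raw.split("/"):
        if segment == "":
            raise ValueError("Empty path segments (leading, trailing or doubled '/') are not allowed")
        if segment == "..":
            raise ValueError("Parent directory references (..) are not allowed")
        if segment == ".":
            raise ValueError("Self directory references (.) are not allowed")
        # Whole-segment match: ".gitignore" is an ordinary file name, but a
        # segment that is exactly ".git" is rejected whether it names a
        # directory or a gitdir pointer file.
        if segment.lower() in SCM_COMPONENTS:
            raise ValueError(f"Source control metadata ({segment}) is not allowed in release paths")
    return PurePosixPath(raw)


def is_safe_relpath(raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_relpath(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs covering the accepted and rejected cases.
    samples = [
        "apache-foo-1.0/src/main.c",
        ".gitignore",
        "docs/.github/workflows/ci.yml",
        "../etc/passwd",
        ".git/config",
        "src/.SVN/entries",
        "CVS/Entries",
        "/abs/path",
        "a//b",
        "a/./b",
    ]
    for s in samples:
        print(f"{s!r:40} -> {'ok' if is_safe_relpath(s) else 'rejected'}")
```

The dot-prefix rule in the release writer already blocks `.git` and `.svn` directories at creation time; the value of repeating the check at the parsing layer is that a path is refused before any storage code sees it, and `CVS` (no leading dot) is covered as well.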