
#19507: security: block prototype pollution in template path resolver

by Mozzzaic · open · 2026-02-17 22:01
gateway size: S
## Summary

- Block `__proto__`, `constructor`, and `prototype` segments in template expression path resolution (`getByPath`)
- Prevent prototype pollution attacks via hook transform templates
- Add `BLOCKED_PATH_SEGMENTS` set for efficient lookup

## Security Impact

Prevents prototype pollution, which could lead to arbitrary property injection on `Object.prototype`, potentially enabling RCE or data exfiltration through crafted webhook payloads.

## Test plan

- [x] Unit tests for `__proto__` path blocking
- [x] Unit tests for `constructor` path blocking
- [x] Unit tests for nested `prototype` path blocking
- [x] Verify legitimate deep paths still resolve correctly

### Greptile Summary

Adds critical prototype pollution protection to template path resolution by blocking `__proto__`, `constructor`, and `prototype` segments in `getByPath`. The security check correctly happens after array indexing but before object property access, preventing attacks via crafted webhook payloads while preserving legitimate deep path access like `messages[0].subject`.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The security fix is correctly implemented with proper placement of the check after array indexing, comprehensive test coverage for all blocked segments and nested cases, and verification that legitimate paths still work
- No files require special attention

Last reviewed commit: c218084
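The following is an added example, not code from this PR or from the project, showing the shape of resolver the description outlines: a `getByPath` that accepts `messages[0].subject`-style paths, performs array indexing first, then refuses any object-property segment listed in `BLOCKED_PATH_SEGMENTS`, and finally only follows own properties so that nothing inherited from `Object.prototype` is reachable from a template. The names `parsePath`, `getByPath` and `BLOCKED_PATH_SEGMENTS` mirror the PR text but are assumed here; `unsafeGetByPath`, the path syntax, and the sample webhook payload are constructed for the illustration.

```javascript
// Added example (not the project's code). Assumed set name mirroring the PR.
const BLOCKED_PATH_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assumed path syntax: dot-separated keys with optional [n] array indexes.
// "messages[0].subject" -> ["messages", "0", "subject"]
function parsePath(path) {
  const segments = [];
  for (const part of path.split('.')) {
    const m = part.match(/^([^[\]]*)((?:\[\d+\])*)$/);
    if (!m) throw new Error(`invalid path segment: ${part}`);
    if (m[1]) segments.push(m[1]);
    for (const idx of m[2].matchAll(/\[(\d+)\]/g)) segments.push(idx[1]);
  }
  return segments;
}

// Naive resolver for contrast: every segment is a plain property lookup, so a
// template author can walk from any object up to Object.prototype.
function unsafeGetByPath(root, path) {
  let current = root;
  for (const key of parsePath(path)) {
    if (current === null || current === undefined) return undefined;
    current = current[key];
  }
  return current;
}

// Hardened resolver: array indexing happens before the blocklist check (a
// numeric index can never be a prototype segment), then blocked segments are
// rejected, then only own properties of plain data are followed.
function getByPath(root, path) {
  let current = root;
  for (const key of parsePath(path)) {
    if (current === null || current === undefined) return undefined;
    if (Array.isArray(current) && /^\d+$/.test(key)) {
      current = current[Number(key)];
      continue;
    }
    if (BLOCKED_PATH_SEGMENTS.has(key)) return undefined;
    if (typeof current !== 'object') return undefined;
    // Inherited members (toString, or anything already placed on
    // Object.prototype) are not template-addressable data.
    if (!Object.prototype.hasOwnProperty.call(current, key)) return undefined;
    current = current[key];
  }
  return current;
}

// Constructed sample payload standing in for a parsed webhook body.
const SAMPLE_PAYLOAD = { messages: [{ subject: 'Invoice #42' }] };

// Legitimate deep path resolves; prototype-walking paths do not.
console.log(getByPath(SAMPLE_PAYLOAD, 'messages[0].subject'));      // Invoice #42
console.log(getByPath(SAMPLE_PAYLOAD, 'constructor.prototype'));    // undefined
console.log(unsafeGetByPath(SAMPLE_PAYLOAD, 'constructor.prototype') === Object.prototype); // true
```

The own-property check is the part the blocklist alone does not give you: it also stops a template from reading members that have already been attached to `Object.prototype` by some other defect, and it keeps resolution limited to the data that was actually delivered in the payload.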
