TASK-016: Validate delete_log_path query parameter with allowlist

- Extract path validation logic into shared helper function in
  backend/app/utils/path_utils.py (validate_log_path)
- Refactor AddLogPathRequest to use the helper function
- Apply the same validation to DELETE /api/config/jails/{name}/logpath
  endpoint by validating the log_path query parameter
- Return HTTP 422 with descriptive error if validation fails
- Add comprehensive unit tests for path validation
- Update Backend-Development.md with usage examples

This prevents path-traversal attacks on the delete_log_path endpoint
by ensuring all log paths are within allowlisted directories.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 14:04:21 +02:00
parent d66493f135
commit 94bdabe622
7 changed files with 236 additions and 67 deletions


@@ -3,7 +3,7 @@ from __future__ import annotations
import shlex
from typing import Annotated
from fastapi import APIRouter, Path, Query, Request, status
from fastapi import APIRouter, HTTPException, Path, Query, Request, status
from app.dependencies import (
AppDep,
@@ -33,6 +33,7 @@ from app.services import (
filter_config_service,
jail_config_service,
)
from app.utils.path_utils import validate_log_path
from app.utils.runtime_state import (
clear_activation_record,
clear_pending_recovery,
@@ -248,10 +249,19 @@ async def delete_log_path(
log_path: Absolute path to the log file to remove (query parameter).
Raises:
HTTPException: 422 when the log path is outside allowed directories.
HTTPException: 404 when the jail does not exist.
HTTPException: 400 when the command is rejected.
HTTPException: 502 when fail2ban is unreachable.
"""
try:
validate_log_path(log_path)
except ValueError as e:
raise HTTPException(
status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
detail=str(e),
) from e
await config_service.delete_log_path(socket_path, name, log_path)