fix: validate local eval path segments

[bg0d-droid]

Summary

• add shared validation for local eval filesystem path segments
• reject empty, traversal, separator, and null-byte identifiers before path construction
• cover local eval set and eval result managers with regression tests

Issue Association

No public GitHub issue. This hardens local eval storage path handling for caller-controlled identifiers.

Testing Plan

• env UV_CACHE_DIR=/tmp/uv-cache uv run --extra test pytest tests/unittests/evaluation/test_local_eval_sets_manager.py tests/unittests/evaluation/test_local_eval_set_results_manager.py

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adk-bot]

Response from ADK Triaging Agent

Hello @bg0d-droid, thank you for creating this PR!

We noticed a few items from our contribution guidelines that need to be addressed before this PR can be reviewed:

1. Contributor License Agreement (CLA): It looks like the CLA check has failed. Please sign the Google CLA at https://cla.developers.google.com/.
2. Issue Association: Please associate a GitHub Issue with this PR. If there is no existing issue, please create one first or describe the bug/feature directly within the PR description following the structure of our issue templates.
3. Testing Plan: Please include a dedicated testing plan section in your PR description to outline how the changes were tested.

This information will help reviewers to review your PR more efficiently. Thanks!

[adk-bot]

🚨 CRITICAL COMPLIANCE REFUSAL: GOOGLE CLA NOT SIGNED 🚨

Caution

COMPLIANCE ALERT: The contributor has not signed the Google Contributor License Agreement (CLA) for PR #5993.

According to the repository's legal and security policy, all pull requests from first-time or external contributors must have a valid and verified Google CLA signature before any code analysis, diff retrieval, triaging, or workspace operations can be conducted.

The cla/google status check for this PR has failed, and the google-cla[bot] has requested a signature.

Therefore, legal policy strictly prohibits any further analysis, triage, or review of this pull request. No additional tools have been executed, and no local files or diffs have been accessed.

Next Steps for the Contributor

1. Please navigate to the Google Developer CLA portal to sign or link your agreement.
2. Once signed, the CLA system will re-evaluate and mark the check as verified.
3. After the check passes, we will be happy to resume the triage and analysis!