feat: protect URL path integrity from unsafe interpolated values

Path parameters containing `/`, `#`, or other reserved characters would
corrupt the URL structure. A tagged template literal now applies
encodeURIComponent to all interpolated path segments.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: maxholman

lib/process-document.ts

@@ -136,6 +136,30 @@ export async function processOpenApiDocument(
 		moduleSpecifier: "@block65/rest-client",
 	});
 
+	commandsFile.addFunction({
+		name: "encodePath",
+		docs: [
+			{
+				description: wordWrap(
+					"Tagged template literal that applies encodeURIComponent to all interpolated values, protecting path integrity from characters like `/` and `#`.",
+				),
+				tags: [
+					{
+						tagName: "example",
+						text: 'encodePath`/users/${userId}` // "/users/foo%2Fbar"',
+					},
+				],
+			},
+		],
+		parameters: [
+			{ name: "strings", type: "TemplateStringsArray" },
+			{ name: "...values", type: "string[]" },
+		],
+		returnType: "string",
+		statements:
+			"return String.raw({ raw: strings }, ...values.map(encodeURIComponent));",
+	});
+
 	commandsFile.addImportDeclaration({
 		namedImports: ["Jsonifiable"],
 		moduleSpecifier: "type-fest",
@@ -786,9 +810,10 @@ export async function processOpenApiDocument(
 							?.addTypeArgument(queryType.getName());
 					}
 
-					const pathname = `\`${path
-						// .replaceAll(/\{(\w+)\}/g, camelcase)
-						.replaceAll(/{/g, "${")}\``;
+					const hasPathParams = path.includes("{");
+					const pathname = hasPathParams
+						? `encodePath\`${path.replaceAll(/{/g, "${")}\``
+						: `"${path}"`;
 
 					const hasJsonBody = !!jsonBodyType;