refactor(core): use standard PlanErrorMessages constant for path access errors

Addresses review feedback by restoring the idiomatic PlanErrorMessages.PATH_ACCESS_DENIED constant inside resolveAndValidatePlanPath instead of a raw 'Security violation' string. This allowed for removing redundant catch-and-translate logic in exit-plan-mode.ts.

packages/core/src/tools/exit-plan-mode.test.ts

@@ -504,7 +504,7 @@ Ask the user for specific feedback on how to improve the plan.`,
       });
 
       expect(result).toBe(
-        `Access denied: plan path (${path.join(mockPlansDir, 'malicious.md')}) must be within the designated plans directory (${mockPlansDir}).`,
+        `Access denied: plan path (malicious.md) must be within the designated plans directory (${mockPlansDir}).`,
       );
     });
 

packages/core/src/tools/exit-plan-mode.ts

@@ -69,12 +69,6 @@ export class ExitPlanModeTool extends BaseDeclarativeTool<
         this.config.getProjectRoot(),
       );
     } catch (e) {
-      if (e instanceof Error && e.message.startsWith('Security violation')) {
-        return `Access denied: plan path (${path.join(
-          this.config.storage.getPlansDir(),
-          params.plan_filename,
-        )}) must be within the designated plans directory (${this.config.storage.getPlansDir()}).`;
-      }
       return e instanceof Error ? e.message : String(e);
     }
 

packages/core/src/utils/planUtils.ts

@@ -67,7 +67,7 @@ export function resolveAndValidatePlanPath(
 
   if (!isSubpath(realPlansDir, realPath)) {
     throw new Error(
-      `Security violation: plan path (${trimmedPath}) must be within the designated plans directory (${plansDir}).`,
+      PlanErrorMessages.PATH_ACCESS_DENIED(trimmedPath, plansDir),
     );
   }