Fix a few subtle URI unescaping RFC compliant issues

[jviotti]

Signed-off-by: Juan Cruz Viotti jv@jviotti.com

[cubic-dev-ai]

No issues found across 7 files

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the vendored sourcemeta/core dependency and tightens URI percent-encoding handling to be more RFC 3986–compliant, plus hardens JSON Schema base-dialect resolution.

Changes:

• Unescape only unreserved characters during URI parsing; keep reserved characters percent-encoded.
• Preserve existing percent-encoded triplets during recomposition to avoid double-encoding.
• Add URIEscapeMode::Path and use it when recomposing the path component.
• Emit percent-escapes as two uppercase hex digits (e.g., %0A), and normalize hex case during canonicalization.
• Fully unescape file:// paths when converting to filesystem paths.
• Detect metaschema-chain cycles when computing JSON Schema base_dialect.

Technical Notes: These changes mainly affect edge cases around reserved-character escaping/unescaping and metaschema self-references/cycles.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

path_value.substr(1) drops the leading / when a scheme is present but there’s no authority, which can change scheme:/path into scheme:path (different URI semantics and potentially breaks round-tripping). Could we confirm this is intended for e.g. file:/... / http:/... forms?

Severity: high

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

uri_unescape_all_inplace(path) happens after the Windows-absolute detection (/C:/), so inputs like file:///C%3A/Windows won’t be recognized as Windows paths before separator conversion/leading-slash handling. Consider whether unescaping needs to happen earlier to keep %3A-encoded drive letters working.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}