//nefariousplan

Gate Before Canonicalize

A security check inspects an input for a forbidden form. A downstream subsystem canonicalizes the same input (URL decoding, path-parameter stripping, Unicode normalization, escape resolution) into that forbidden form. The check sees the wrapped representation; the action sees the unwrapped one. The fix is to canonicalize before checking, never after.
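The ordering problem in concrete form, as an added example that is not part of the original page: a path-traversal gate that rejects `..` segments, a canonicalizer that performs the unwrapping steps listed above (repeated percent-decoding, NFKC normalization, path-parameter stripping), and a resolver that maps the request onto a document root. The document root `/srv/app/public`, the function names and the sample inputs are all constructed for this illustration. The gate-first ordering lets every wrapped form through; the canonicalize-first ordering rejects them because the check and the action finally see the same string.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

# Hypothetical document root for this example (constructed, not from the page).
ROOT = "/srv/app/public"


def canonicalize(raw: str) -> str:
    """Unwrap the representations a downstream subsystem would resolve.

    Percent-decoding is repeated until the string stops changing (bounded, so a
    hostile input cannot keep it looping), Unicode compatibility normalization
    maps look-alike characters to their ASCII forms, and path parameters
    (";key=value") are stripped from each segment.
    """
    s = raw
    for _ in range(4):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)
    return "/".join(seg.split(";", 1)[0] for seg in s.split("/"))


def has_forbidden_segment(path: str) -> bool:
    """The gate: reject any path containing a parent-directory segment."""
    return any(seg == ".." for seg in path.split("/"))


def resolve(path: str) -> str:
    """The action: map a request path onto the filesystem under ROOT."""
    return posixpath.normpath(posixpath.join(ROOT, path.lstrip("/")))


def inside_root(full: str) -> bool:
    return full == ROOT or full.startswith(ROOT + "/")


def gate_then_canonicalize(raw: str):
    """Vulnerable ordering: check the wrapped form, act on the unwrapped one."""
    if has_forbidden_segment(raw):
        return None
    return resolve(canonicalize(raw))


def canonicalize_then_gate(raw: str):
    """Correct ordering: the check and the action see the same representation."""
    canonical = canonicalize(raw)
    if has_forbidden_segment(canonical):
        return None
    full = resolve(canonical)
    # Defence in depth: also verify the resolved path is still under ROOT.
    return full if inside_root(full) else None


# Constructed sample inputs, one per canonicalization step named in the text.
SAMPLES = {
    "plain":     "docs/readme.txt",
    "percent":   "%2e%2e/%2e%2e/etc/passwd",      # URL decoding
    "double":    "%252e%252e/etc/passwd",          # decoding applied twice
    "unicode":   "\uff0e\uff0e/etc/passwd",        # NFKC maps U+FF0E to '.'
    "pathparam": "..;v=1/..;v=1/etc/passwd",      # path-parameter stripping
}


def audit() -> dict:
    """Return, per sample, whether each ordering lets the request escape ROOT."""
    report = {}
    for name, raw in SAMPLES.items():
        bad = gate_then_canonicalize(raw)
        good = canonicalize_then_gate(raw)
        report[name] = {
            "gate_first_escapes": bad is not None and not inside_root(bad),
            "canonical_first_escapes": good is not None and not inside_root(good),
        }
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        print(f"{name:10} gate-first escapes={row['gate_first_escapes']!s:5} "
              f"canonical-first escapes={row['canonical_first_escapes']}")
```

Running the block prints one line per sample; the `plain` input is accepted by both orderings, while the four wrapped inputs escape the root only under the gate-first ordering. The `inside_root` check in `canonicalize_then_gate` is a second, independent guard: even if a future canonicalization step were forgotten, the resolved path is still compared against the root the action actually uses.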