
fix(security): add path traversal protection to File.read and File.list

Open edlsh opened this issue 3 weeks ago • 8 comments

Summary

Adds path containment checks to File.read() and File.list() to prevent directory traversal attacks (e.g., ../../../etc/passwd).

Problem

The File module constructs paths via path.join(Instance.directory, file) without validating containment. An attacker-controlled path like ../../../etc/passwd resolves to a valid path outside the project directory.

Solution

Uses the existing Filesystem.contains() utility (already used in tool/read.ts, tool/write.ts, etc.) to validate that resolved paths remain within Instance.directory. Throws on violation.

Changes

  • packages/opencode/src/file/index.ts: Added containment checks to File.read() and File.list()
  • packages/opencode/test/file/path-traversal.test.ts: Added tests for traversal prevention

Known Limitations (documented via TODO)

  • Symlinks inside the project can still escape (lexical check only)
  • Windows cross-drive paths may bypass the check

These are pre-existing limitations in Filesystem.contains() affecting all current callers and warrant a separate PR.

Testing

bun test test/file/path-traversal.test.ts
# 4 pass, 0 fail

edlsh · Dec 22 '25 20:12
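To make the containment check and the documented symlink limitation concrete, here is an added example (not code from the opencode PR or repository). `containsLexical` is an assumed stand-in for the project's `Filesystem.contains()` written from the description above, and `unsafeJoin`/`safeJoin` model the before/after of the `path.join(Instance.directory, file)` construction; `containsReal` shows the realpath-based comparison that would close the symlink gap. `symlinkDemo` builds a constructed fixture in a temp directory to show the lexical check passing a path that physically points outside the project.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Lexical containment check. Assumed stand-in for Filesystem.contains(): it compares
// normalized path strings only and never touches the filesystem, so symlinks are invisible to it.
export function containsLexical(root: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  if (rel === "") return true; // candidate is the root itself
  // A relative path starting with ".." climbs out of root; an absolute one means a
  // different drive on Windows, which path.relative cannot express relatively.
  if (rel === ".." || rel.startsWith(".." + path.sep)) return false;
  return !path.isAbsolute(rel);
}

// Before: join without validation. "../../../etc/passwd" becomes a valid absolute path.
export function unsafeJoin(root: string, file: string): string {
  return path.join(root, file);
}

// After: join, then refuse any result that does not stay inside root.
export function safeJoin(root: string, file: string): string {
  const full = path.join(root, file);
  if (!containsLexical(root, full)) {
    throw new Error(`path escapes project directory: ${file}`);
  }
  return full;
}

// Symlink-aware check (assumed hardening, not in the PR): resolve both sides to their
// physical paths first. Requires the candidate to exist, which holds for read/list targets.
export function containsReal(root: string, candidate: string): boolean {
  const realRoot = fs.realpathSync(root);
  const realCandidate = fs.realpathSync(candidate);
  return containsLexical(realRoot, realCandidate);
}

// Constructed fixture: project/link -> outside, with outside/secret.txt beyond the project.
// Returns what each check says about project/link/secret.txt.
export function symlinkDemo(): { lexical: boolean; real: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "traversal-demo-"));
  const project = path.join(base, "project");
  const outside = path.join(base, "outside");
  fs.mkdirSync(project);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed sample secret\n");
  fs.symlinkSync(outside, path.join(project, "link"));
  const viaLink = path.join(project, "link", "secret.txt");
  const result = {
    lexical: containsLexical(project, viaLink), // true: the string looks contained
    real: containsReal(project, viaLink),       // false: the physical file is outside
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

// Stand-alone run: show the before/after on a constructed root.
const root = "/srv/project";
console.log("unsafe:", unsafeJoin(root, "../../../etc/passwd"));
try {
  safeJoin(root, "../../../etc/passwd");
} catch (e) {
  console.log("safe:", (e as Error).message);
}
console.log("symlink demo:", symlinkDemo());
```

The sibling-prefix case (`/srv/project-other` against root `/srv/project`) is why the check uses `path.relative` rather than a plain `startsWith` on the string; a prefix comparison would accept it. The `containsReal` variant resolves the symlink limitation named in the PR but costs a filesystem round trip per call and fails for paths that do not exist yet, which is why a lexical check is still the right first gate.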