fix(security): prevent path traversal via symlinks in File.read and File.list
This PR fixes a security issue where File.read and File.list could follow symlinks outside the project directory due to lexical path checks. This allows potential path traversal. The code now resolves real paths and verifies containment before access.
Fixes #8313
What changed:
Updated File.read to use fs.promises.realpath() before reading.
Updated File.list to resolve paths before listing.
Added regression tests under packages/opencode/test/security/symlink.test.ts.
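The two containment checks contrasted above, as an added example that is not opencode's own File.read or File.list code: `lexicalCheck` is the string-only comparison the PR replaces, `realPathCheck` and `readInProject` follow the approach the PR adopts (resolve through symlinks with `fs.realpathSync` / `fs.promises.realpath`, then verify containment before touching the file). The function names, the constructed temp-dir fixture, and the `demo()` wrapper are assumptions for illustration only.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Pure path-string comparison: true when `candidate` is `root` or lives under it.
// Written against path.relative so a sibling named "..foo" is not mistaken for an escape.
function isWithin(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// The check the PR replaces: joins and normalises the path lexically, then compares strings.
// It catches "../" escapes, but a symlink stored inside the project that points outside
// still passes, because nothing here consults the filesystem.
function lexicalCheck(projectRoot: string, relPath: string): boolean {
  const root = path.resolve(projectRoot);
  return isWithin(root, path.resolve(root, relPath));
}

// The check the PR adopts: resolve both the root and the target through symlinks first.
// realpathSync throws ENOENT for a missing entry, which a reader would fail on anyway.
function realPathCheck(projectRoot: string, relPath: string): boolean {
  const root = fs.realpathSync(projectRoot);
  const target = fs.realpathSync(path.resolve(root, relPath));
  return isWithin(root, target);
}

// Hardened read in the shape described by the PR (hypothetical helper, not opencode's File.read):
// resolve the real path, verify containment, only then read. A residual TOCTOU window remains
// between realpath and readFile; a local writer could swap the link in that gap.
async function readInProject(projectRoot: string, relPath: string): Promise<string> {
  const root = await fs.promises.realpath(projectRoot);
  const target = await fs.promises.realpath(path.resolve(root, relPath));
  if (!isWithin(root, target)) {
    throw new Error(`refusing to read outside the project: ${relPath}`);
  }
  return fs.promises.readFile(target, "utf8");
}

// Constructed fixture: a project dir, a "secret" file outside it, an honest file inside it,
// and a symlink inside the project pointing at the secret. Returns what each check decides.
function demo(): {
  lexicalAllowsSymlink: boolean;
  realAllowsSymlink: boolean;
  honestFileAllowed: boolean;
  dotDotCaughtLexically: boolean;
} {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "symlink-demo-"));
  try {
    const project = path.join(base, "project");
    const outside = path.join(base, "outside");
    fs.mkdirSync(project);
    fs.mkdirSync(outside);
    fs.writeFileSync(path.join(outside, "secret.txt"), "constructed secret\n");
    fs.writeFileSync(path.join(project, "README.md"), "inside the project\n");
    fs.symlinkSync(path.join(outside, "secret.txt"), path.join(project, "link.txt"));

    return {
      lexicalAllowsSymlink: lexicalCheck(project, "link.txt"), // true: string check is fooled
      realAllowsSymlink: realPathCheck(project, "link.txt"), // false: real target is outside
      honestFileAllowed: realPathCheck(project, "README.md"), // true: genuine file still allowed
      dotDotCaughtLexically: !lexicalCheck(project, "../outside/secret.txt"), // true: plain ../ escape is caught
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}

console.log(demo());
```

The example keeps `lexicalCheck` in the same file deliberately: the plain `../` escape shows the old check was not wrong so much as incomplete, and `realPathCheck` is the same containment test applied after the filesystem has been asked where the path really leads. Any regression test for the fix should assert both directions, that the symlink is refused and that an ordinary in-project file is still served.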