Validate desk names from Clay effects

Open tiller-tolbus opened this issue 1 year ago • 1 comments

Per convo with @joemfb, unix.c is not guaranteed to prevent disastrous outcomes from malformed %ergo effects coming from Clay, such as attempts to write to .urb or .run.

Desired case is that there is, at least, a hard-coded and unified list of paths that Vere will not write to as the result of a Clay effect.

Such a unified list of paths should also include a .host directory so that providers have a safe place to put pier-specific files that won't be touched by the runtime.

tiller-tolbus, Feb 21 '24 17:02

Rather than an explicit whitelist, ensuring that Clay mountpoint names (i.e., desks) conform to (sane %tas) is probably the simplest way to accomplish this. That would need to be done in each of the desk-relevant effect handlers in unix.c: u3_unix_ef_ergo(), u3_unix_ef_ogre(), u3_unix_ef_*() ...

joemfb, Feb 21 '24 17:02
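A sketch of the desk-name check suggested in the comment above, as an added example that is not code from vere or from either participant. `desk_name_ok` is a hypothetical helper; it assumes the @tas rule is "bytes are a-z, 0-9 or '-', first byte a-z" and additionally rejects empty names. Because '.' and '/' are outside that alphabet, `.urb`, `.run`, `.host` and traversal components fail without any path list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from vere): true if the len bytes at nam form a
 * desk name that is safe to use as a single directory name under the pier.
 * Assumed rule, modelled on Hoon's @tas: every byte is a-z, 0-9 or '-',
 * and the first byte is a-z. Empty names are rejected too (assumption).
 * An explicit length is taken so an embedded NUL byte cannot truncate
 * the name before the check sees all of it. */
bool desk_name_ok(const char *nam, size_t len)
{
  if ( NULL == nam || 0 == len ) {
    return false;
  }
  for ( size_t i = 0; i < len; i++ ) {
    unsigned char c = (unsigned char)nam[i];
    bool low = (c >= 'a' && c <= 'z');
    bool dig = (c >= '0' && c <= '9');
    bool hep = (c == '-');

    if ( 0 == i ) {
      if ( !low ) return false;          /* must start with a letter */
    }
    else if ( !(low || dig || hep) ) {
      return false;                      /* '.', '/', NUL, uppercase, ... */
    }
  }
  return true;
}

int main(void)
{
  /* Constructed sample names, not taken from any real %ergo effect. */
  const char *tests[] = { "base", "kids-2", ".urb", ".run", ".host",
                          "..", "a/b", "Base", "2fa", "" };

  for ( size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++ ) {
    printf("%-8s %s\n", tests[i],
           desk_name_ok(tests[i], strlen(tests[i])) ? "accept" : "reject");
  }
  return 0;
}
```

Per the comment, a check of this kind would have to run in every desk-relevant effect handler before the name is turned into a filesystem path.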