add canonical path validation to skill loader

[bug-ops]

Summary

• Add validate_path_within to skill loader that canonicalizes paths and verifies they stay within the skills base directory
• Integrate validation in SkillRegistry::load before reading skill metadata, rejecting symlinks that escape the skills directory
• Add unit tests for symlink-based path traversal rejection and legitimate path acceptance

Closes #307

Test plan

• cargo nextest run -p zeph-skills — 67 tests pass
• cargo clippy --workspace -- -D warnings — clean

[codecov-commenter]

Codecov Report

❌ Patch coverage is 73.91304% with 12 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/zeph-skills/src/loader.rs	76.19%	10 Missing ⚠️
crates/zeph-skills/src/registry.rs	50.00%	2 Missing ⚠️

@@            Coverage Diff             @@
##             main     #322      +/-   ##
==========================================
- Coverage   80.32%   80.32%   -0.01%     
==========================================
  Files          99       99              
  Lines       24053    24099      +46     
==========================================
+ Hits        19321    19357      +36     
- Misses       4732     4742      +10     

Files with missing lines	Coverage Δ
crates/zeph-skills/src/registry.rs	90.37% <50.00%> (-0.89%)	⬇️
crates/zeph-skills/src/loader.rs	96.32% <76.19%> (-3.29%)	⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.