fix(#141): harden checkStaleDocs against path traversal

Export review.ValidateDocPath and use it in checkStaleDocs before
calling os.Stat. Add filepath.Clean + filepath.Rel confinement check
as defense-in-depth to ensure doc paths from PR-controlled YAML
cannot probe filesystem locations outside repoRoot.

Also add tests covering: ../../etc/passwd, /etc/passwd, ../outside,
a valid present path, and a valid missing path.

Addresses security finding from security-review-bot on PR #142.

review/docmap.go

@@ -257,7 +257,7 @@ type docEntry struct {
 // If the path is a directory, all .md files under it are returned.
 // If it's a file, a single entry is returned.
 func loadDocEntries(ctx context.Context, fetcher DocFetcher, owner, repo, docPath string) ([]docEntry, error) {
-	if err := validateDocPath(docPath); err != nil {
+	if err := ValidateDocPath(docPath); err != nil {
 		return nil, fmt.Errorf("doc path %q rejected: %w", docPath, err)
 	}
 
@@ -310,11 +310,11 @@ func readFileBytes(path string) ([]byte, error) {
 	return os.ReadFile(path)
 }
 
-// validateDocPath rejects doc paths that could cause path traversal via the
+// ValidateDocPath rejects doc paths that could cause path traversal via the
 // VCS API (absolute paths, any ".." segment). Defense-in-depth: the VCS API
 // should already scope paths to the repo, but we validate locally to avoid
 // any quirk in backend path handling.
-func validateDocPath(p string) error {
+func ValidateDocPath(p string) error {
 	if filepath.IsAbs(p) {
 		return fmt.Errorf("absolute paths not allowed")
 	}