fix(security): prevent alias depth bypass in YAML validator

The global 'seen' set allowed anchored subtrees validated at a shallow
depth to be skipped when later referenced via alias at a greater depth.
This could let effective nesting exceed MaxYAMLDepth, enabling DoS.

Fix: replace the single 'seen' set with two tracking maps:
- validated (node -> min depth): only short-circuits when current depth
  <= previously validated depth; re-checks at deeper contexts.
- visiting (node -> bool): per-path recursion stack for true cycle
  detection (breaks alias loops without suppressing depth checks).

Add TestYAMLAliasDepthBypass that constructs a document with an
anchored 15-level subtree referenced via alias under 6 levels of
nesting, verifying the combined effective depth (22) is rejected.

Addresses security-review-bot findings on review #2774.

docs/DESIGN-57-yaml-persona.md

@@ -9,7 +9,7 @@ JSON is awkward for persona files that contain multi-line text (identity, severi
 - Backwards compatibility: existing JSON personas must continue to work
 - Security: protect against DoS via deeply nested YAML (AIKIDO-2024-10486)
 - Consistency: use `.yaml` extension (not `.yml`)
-- Library: use `github.com/goccy/go-yaml` v1.16.0+ (approved in CONVENTIONS.md); has built-in depth protection via `MaxYAMLDepth`/`MaxYAMLNodes` constants
+- Library: use `github.com/goccy/go-yaml` v1.16.0+ (approved in CONVENTIONS.md); we implement custom AST-based depth/node-count checks for precise alias-aware validation
 
 ## Proposed Approach
 
@@ -63,7 +63,7 @@ func checkYAMLDepth(node *yaml.Node, depth, maxDepth int) error {
 }
 ```
 
-The `github.com/goccy/go-yaml` library provides built-in depth protection via `MaxYAMLDepth` and `MaxYAMLNodes` decoder options. We use these instead of a manual depth-checking walk.
+We implement a custom AST-based depth/node-count walk (`checkYAMLDepth`) rather than relying on library decoder options. This gives us precise control over how depth is counted across aliases and anchors, with a depth-aware validated map to prevent alias depth bypass.
 
 ## State/Data Model
 

review/persona_test.go

@@ -484,7 +484,6 @@ func TestYAMLDeeplyNestedRejection(t *testing.T) {
 	}
 }
 
-
 func TestYAMLEmptyFileRejection(t *testing.T) {
 	dir := t.TempDir()