
Prevent zip path traversal during archive extraction #90

Closed
joshyorko wants to merge 1 commit into main from jyorko-agent/fix-zip-extraction-vulnerability

Conversation

@joshyorko
Owner

Motivation

  • Close a Zip Slip vulnerability where ZIP entry names could escape the intended extraction directory and overwrite arbitrary files during unzip, template unpacking, hololib imports, and other archive ingestion paths.
  • Provide a minimal, centralized validation to ensure archive entries do not contain path traversal components that land outside the destination directory.

Description

  • Add a zipEntryTarget(directory, entry string) (string, error) helper in operations/zipper.go that builds the candidate target path and rejects entries whose cleaned relative path begins with "..".
  • Use zipEntryTarget from the parallel extractor (Explode) and the single-threaded extractor (Extract) so all archive extraction flows validate containment before writing.
  • Apply the same validation in template unpacking (operations/initialize.go) to cover embedded/template archive handling.
  • Add unit tests in operations/zipper_test.go to verify accepting a normal nested path and rejecting a traversal path.

Testing

  • Ran gofmt on modified files using gofmt -w to ensure formatting was applied successfully.
  • Added tests and attempted GOARCH=amd64 CGO_ENABLED=0 go test ./operations -run 'TestCanConvertSlashes|TestZipEntryTarget', which failed in this environment due to missing generated assets referenced by blobs/embedded.go (setup failure), not due to the change itself.
  • Committed the changes after local edits and ran the repository-level formatting and commit steps successfully.

Codex Task
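As an added example, not the project's own zipEntryTarget code and not part of this PR, the containment check the description outlines, written in Go against the standard library: a helper that joins the entry name onto the destination directory and rejects anything whose cleaned relative path starts with "..", plus a small in-memory ZIP (constructed here, with one benign and one traversal entry) to exercise it. The names safeEntryTarget, planExtraction, buildSampleZip and ErrUnsafeEntry are illustrative assumptions. It goes a little beyond the PR text by also rejecting absolute and drive-letter names and by treating backslashes as separators.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive entry whose name would resolve outside the
// extraction directory (Zip Slip). Illustrative name, not the project's.
var ErrUnsafeEntry = errors.New("archive entry escapes the destination directory")

// safeEntryTarget returns the path under dir at which entry may be written, or
// ErrUnsafeEntry if the entry would land outside dir. It follows the approach
// the PR describes (build the candidate path, reject if the cleaned relative
// path starts with "..") and additionally refuses absolute and drive-letter
// names. Hypothetical helper, not the project's zipEntryTarget.
func safeEntryTarget(dir, entry string) (string, error) {
	// Treat backslashes as separators so "..\\..\\x" cannot evade a
	// slash-only check when the archive is later extracted on Windows.
	name := strings.ReplaceAll(entry, "\\", "/")
	if name == "" || strings.HasPrefix(name, "/") {
		return "", ErrUnsafeEntry
	}
	// Drive-letter names ("C:/...") are absolute on Windows; reject them
	// conservatively on every host rather than rely on filepath.IsAbs.
	if len(name) >= 2 && name[1] == ':' {
		return "", ErrUnsafeEntry
	}
	cleanDir := filepath.Clean(dir)
	// Join cleans the result, so "a/../../b" collapses before the check.
	target := filepath.Join(cleanDir, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDir, target)
	if err != nil {
		return "", ErrUnsafeEntry
	}
	// A contained path never starts with ".." once made relative to dir.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// planExtraction walks a ZIP held in memory and partitions its entries into
// targets that may be written beneath dir and entry names that were rejected.
// Nothing is written to disk; a real extractor would open each accepted target.
func planExtraction(dir string, data []byte) (accepted, rejected []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// With GODEBUG=zipinsecurepath=0 the stdlib flags such names itself but
	// still returns a usable reader; keep going so every entry is classified.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, nil, err
	}
	for _, f := range zr.File {
		target, terr := safeEntryTarget(dir, f.Name)
		if terr != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		accepted = append(accepted, target)
	}
	return accepted, rejected, nil
}

// buildSampleZip constructs, in memory, a ZIP with one benign entry and one
// Zip Slip entry. Constructed sample data, not an archive from the project.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"docs/readme.txt", "benign content"},
		{"../../evil.txt", "would land two levels above dir"},
	}
	for _, e := range entries {
		f, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dir := filepath.Join("tmp", "extract")
	accepted, rejected, err := planExtraction(dir, buildSampleZip())
	if err != nil {
		panic(err)
	}
	fmt.Println("would write:", accepted)
	fmt.Println("rejected   :", rejected)
	for _, e := range []string{"a/b/../c.txt", "../../etc/passwd", "..\\..\\x", "/etc/passwd", "C:/Windows/win.ini"} {
		t, err := safeEntryTarget(dir, e)
		fmt.Printf("%-22q -> target=%q err=%v\n", e, t, err)
	}
}
```

Two caveats a reviewer would attach to any check of this shape. First, it validates names only: if an earlier entry is allowed to create a symlink inside dir that points outside it, a later entry written through that symlink still escapes, so extractors that honour symlink entries need to resolve or refuse them separately. Second, Go's archive/zip can flag absolute and ".." names on its own when GODEBUG=zipinsecurepath=0 is set, but that setting is opt-in, so the containment check belongs in the extractor regardless.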

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@joshyorko
Owner Author

Superseded by #97, which stacks this hardening change into the grouped release PR.

@joshyorko joshyorko closed this May 23, 2026


1 participant