feat(voyage): implement path-traversal + symlink/dotfile filter on loaded files

plugins/voyage/tests/playground/voyage-playground.test.mjs

@@ -482,3 +482,23 @@ test('voyage-playground.html renderArtifact strips comments before md.render (v4
   const renderIdx = body.indexOf('md.render');
   assert.ok(stripIdx > 0 && stripIdx < renderIdx, 'stripUnsafeComments must run before md.render');
 });
+
+// v4.3 Step 26 — path-traversal + symlink/dotfile filter.
+test('voyage-playground.html declares isProjectPathSafe filter (v4.3 Step 26)', () => {
+  const text = readFileSync(HTML, 'utf-8');
+  assert.match(text, /function\s+isProjectPathSafe\s*\(/, 'isProjectPathSafe() function required');
+  // Must reject the four documented threat-classes
+  assert.match(text, /indexOf\('\.\.'\)/, '..-rejection required');
+  assert.match(text, /indexOf\('node_modules\//, 'node_modules/-rejection required');
+  assert.match(text, /indexOf\('dist\//, 'dist/-rejection required');
+  assert.match(text, /indexOf\('build\//, 'build/-rejection required');
+});
+
+test('voyage-playground.html loadProjectDirectory wires isProjectPathSafe filter (v4.3 Step 26)', () => {
+  const text = readFileSync(HTML, 'utf-8');
+  // Must call the filter before classification, AND track filteredCount
+  assert.match(text, /isProjectPathSafe\(inside\)/, 'isProjectPathSafe must be called on `inside` path');
+  assert.match(text, /filteredCount\+\+/, 'filteredCount tracking required');
+  // aria-live announce must fire when something is filtered
+  assert.match(text, /announce\(filteredCount/, 'filteredCount announce required');
+});