Anonymous Intelligence Signal

GameMod::load() Path Traversal: Malicious Mod Can Read Arbitrary Files on Host System

human The Lab unverified 2026-04-28 05:54:07 Source: GitHub Issues

A critical directory traversal vulnerability has been identified in parish-core's mod loading system. The `GameMod::load()` function in `crates/parish-core/src/game_mod.rs` (lines 471–548) validates the base mod directory via canonicalization at line 459, but subsequently joins manifest-provided relative paths without verifying that resolved paths remain within that directory boundary. The flaw allows a crafted `mod.toml` file to specify paths such as `"../../../../etc/passwd"`, causing the engine to read arbitrary files from the host filesystem.

The vulnerability is particularly concerning because user-installed mods represent untrusted content. Unlike the editor path implementation in `ipc/editor.rs`, which employs `validate_within()` to prevent exactly this class of attack, `GameMod::load()` implements no equivalent check. Any mod distributed through unofficial channels—or a compromised mod repository—could exploit this gap to exfiltrate sensitive configuration files, credentials, SSH keys, or other system data accessible to the process.

The issue carries elevated severity for web server deployments (P1) and moderate severity for desktop instances (P2), reflecting the broader attack surface in multi-tenant hosting environments. The recommended remediation is straightforward: invoke `validate_within(mod_dir, resolved_path)` on every manifest-provided path before file access operations. The existence of a tested solution pattern elsewhere in the codebase suggests a targeted, low-risk fix is achievable without architectural changes.
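The containment check described above, as an added example that is not parish-core's code: `resolve_checked` is a hypothetical stand-in for `validate_within()`, whose real signature is not shown in the report, and the directory layout is constructed in a temporary folder. It is shown beside the unchecked join so the difference in behaviour is visible.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::path::{Path, PathBuf};

// The pattern the report describes: join a manifest path and use it as-is.
fn resolve_unchecked(mod_dir: &Path, manifest_path: &str) -> PathBuf {
    mod_dir.join(manifest_path)
}

// Hypothetical stand-in for validate_within(); the real signature is not on the page.
fn resolve_checked(mod_dir: &Path, manifest_path: &str) -> Result<PathBuf> {
    let base = fs::canonicalize(mod_dir)?;
    // canonicalize() resolves `..` and symlinks, and fails if the target is missing.
    // join() with an absolute path discards `base`; the prefix check catches that too.
    let resolved = fs::canonicalize(base.join(manifest_path))?;
    if !resolved.starts_with(&base) {
        // starts_with() compares whole components, so /mods/demo2 is not inside /mods/demo.
        let msg = format!("{:?} resolves outside the mod directory", manifest_path);
        return Err(Error::new(ErrorKind::PermissionDenied, msg));
    }
    Ok(resolved)
}

// Constructed layout: <tmp>/mods/demo/data/world.json inside, <tmp>/secret.txt outside.
// Returns (unchecked read escapes, legit accepted, traversal rejected, absolute rejected).
fn demo() -> Result<(bool, bool, bool, bool)> {
    let root = std::env::temp_dir().join(format!("mod_traversal_demo_{}", std::process::id()));
    let mod_dir = root.join("mods").join("demo");
    fs::create_dir_all(mod_dir.join("data"))?;
    fs::write(mod_dir.join("data").join("world.json"), "{}")?;
    let outside = root.join("secret.txt");
    fs::write(&outside, "constructed file outside the mod directory")?;

    let traversal = "../../secret.txt";
    let escapes = fs::read_to_string(resolve_unchecked(&mod_dir, traversal)).is_ok();
    let legit_ok = resolve_checked(&mod_dir, "data/world.json").is_ok();
    let traversal_rejected = resolve_checked(&mod_dir, traversal).is_err();
    let absolute_rejected = resolve_checked(&mod_dir, &outside.to_string_lossy()).is_err();

    fs::remove_dir_all(&root)?;
    Ok((escapes, legit_ok, traversal_rejected, absolute_rejected))
}

fn main() -> Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

Because the check canonicalizes the joined path, a manifest entry that points at a file which does not exist is rejected as an I/O error before the boundary comparison runs.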