security: validate raw path in moveToTrash before filepath.Abs resolves traversal

filepath.Abs resolves ".." components, so the existing validatePath call
on the resolved path could never catch traversal attempts. Move validation
before Abs to reject raw input with "..", keeping the post-Abs check as
defense-in-depth.

cmd/analyze/delete_test.go

@@ -5,6 +5,7 @@ package main
 import (
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )
 
@@ -82,6 +83,17 @@ func TestMoveToTrashNonExistent(t *testing.T) {
 	}
 }
 
+func TestMoveToTrashRejectsTraversal(t *testing.T) {
+	// Verify the full production path rejects ".." before filepath.Abs resolves it.
+	err := moveToTrash("/tmp/fakedir/../../../etc/passwd")
+	if err == nil {
+		t.Fatal("expected error for path with traversal components")
+	}
+	if !strings.Contains(err.Error(), "traversal") {
+		t.Fatalf("expected traversal error, got: %v", err)
+	}
+}
+
 func TestValidatePath(t *testing.T) {
 	tests := []struct {
 		name    string