fix: allow subdirectory paths in loadStaticCaseData validation

The path traversal check rejected any filename containing `/`, which
blocked curriculum stages from loading data files in subdirectories
like `curriculum/first-sip/stage-1-goal.json`. Changed to only reject
absolute paths (starting with `/`) while still blocking `..` traversal.

Author: chrisdburr

actions/case-data.ts

@@ -11,7 +11,7 @@ export async function loadStaticCaseData(
 	caseFile: string
 ): Promise<{ data: unknown } | { error: string }> {
 	// Validate filename to prevent path traversal
-	if (caseFile.includes("..") || caseFile.includes("/")) {
+	if (caseFile.includes("..") || caseFile.startsWith("/")) {
 		return { error: "Invalid case file name" };
 	}
 

src/__tests__/integration/server-actions.test.ts

@@ -123,15 +123,25 @@ describe("loadStaticCaseData", () => {
 		);
 	});
 
-	it("rejects a filename containing a forward slash", async () => {
+	it("rejects an absolute path starting with /", async () => {
 		const { loadStaticCaseData } = await import("@/actions/case-data");
 
 		expectError(
-			await loadStaticCaseData("subdir/file.json"),
+			await loadStaticCaseData("/etc/passwd"),
 			"Invalid case file name"
 		);
 	});
 
+	it("allows subdirectory paths with forward slashes", async () => {
+		const { loadStaticCaseData } = await import("@/actions/case-data");
+
+		// Subdirectory paths are valid — curriculum stages use them
+		const result = await loadStaticCaseData(
+			"curriculum/first-sip/stage-1-goal.json"
+		);
+		expectSuccess(result);
+	});
+
 	it("returns an error for a file that does not exist", async () => {
 		const { loadStaticCaseData } = await import("@/actions/case-data");
 		const result = await loadStaticCaseData("nonexistent-file-xyz.json");