fix: prevent silent ancestor resolution from malformed YAML paths

When malformed YAML creates resource paths like `"../../base - ../../shared/prod"`,
`FileLoader.New()` was silently resolving these to existing ancestor directories
through path normalization instead of failing appropriately. This could cause
resources to be loaded from unintended locations, which can be especially dangerous
in CI/CD environments (#5979).

Added validation in `FileLoader.New()` to check directory existence before
allowing path normalization, preventing the silent "ancestor snapping" behavior.

Before:
```
=== RUN   TestNewLoaderMalformedPath
    fileloader_test.go:223:
        	Error Trace:	/Users/wbuckner/dev/kustomize/api/internal/loader/fileloader_test.go:223
        	Error:      	"must build at directory: not a valid directory: '/shared/prod' doesn't exist" does not contain "does not exist"
        	Test:       	TestNewLoaderMalformedPath
--- FAIL: TestNewLoaderMalformedPath (0.00s)
FAIL
FAIL	sigs.k8s.io/kustomize/api/internal/loader	0.757s
FAIL
```

After:
```
=== RUN   TestNewLoaderMalformedPath
--- PASS: TestNewLoaderMalformedPath (0.00s)
PASS
ok  	sigs.k8s.io/kustomize/api/internal/loader	(cached)
```

Author: willbuckner

api/internal/loader/fileloader.go

@@ -167,7 +167,15 @@ func (fl *FileLoader) New(path string) (ifc.Loader, error) {
 	if filepath.IsAbs(path) {
 		return nil, fmt.Errorf("new root '%s' cannot be absolute", path)
 	}
-	root, err := filesys.ConfirmDir(fl.fSys, fl.root.Join(path))
+
+	// Check if the intended directory exists before allowing normalization
+	// to prevent silent resolution to ancestor directories from malformed paths
+	intendedPath := fl.root.Join(path)
+	if !fl.fSys.Exists(intendedPath) || !fl.fSys.IsDir(intendedPath) {
+		return nil, fmt.Errorf("directory '%s' does not exist", path)
+	}
+
+	root, err := filesys.ConfirmDir(fl.fSys, intendedPath)
 	if err != nil {
 		return nil, errors.WrapPrefixf(err, "%s", ErrRtNotDir.Error())
 	}

api/internal/loader/fileloader_test.go

@@ -207,6 +207,27 @@ func TestNewEmptyLoader(t *testing.T) {
 	require.Error(t, err)
 }
 
+func TestNewLoaderMalformedPath(t *testing.T) {
+	require := require.New(t)
+	l1, err := makeLoader().New("foo/project")
+	require.NoError(err)
+
+	// Test malformed path that would previously resolve to an ancestor directory
+	// This simulates the bug where malformed YAML like:
+	// resources:
+	// - ../../base
+	//  - ../../shared/prod
+	// becomes: "../../base - ../../shared/prod"
+	_, err = l1.New("../../base - ../../shared/prod")
+	require.Error(err)
+	require.Contains(err.Error(), "does not exist")
+
+	// Also test other malformed patterns that should fail
+	_, err = l1.New("nonexistent/path")
+	require.Error(err)
+	require.Contains(err.Error(), "does not exist")
+}
+
 func TestNewRemoteLoaderDoesNotExist(t *testing.T) {
 	_, err := makeLoader().New("https://example.com/org/repo")
 	require.ErrorContains(t, err, "fetch")