fix(compiler): validate asset output paths #3457

Merged
kamilmysliwiec merged 1 commit into nestjs:master from AdrianoCLeao:fix/issue-3456
Jun 8, 2026

@AdrianoCLeao

Contributor

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

[x] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[ ] CI related changes
[ ] Other... Please describe:

What is the current behavior?

The assets pipeline computes copy and unlink destinations from
"compilerOptions.assets[].outDir" without checking whether the final resolved
path remains inside the project directory.

As a result, a project configuration can point asset output to a parent or
absolute external directory. nest build may then copy files outside the
workspace, and watch mode may remove the corresponding external destination on
asset unlink.

Issue Number: #3456

What is the new behavior?

AssetsManager now resolves the final asset destination against the project
root before any filesystem write or unlink is performed.

The helper refuses to process asset destinations that are:

  • equal to the project root
  • relative paths that escape the project directory
  • absolute paths outside the project directory

This validation is used for both asset copy operations and watch-mode unlink
operations.

Regression tests were added for valid internal destinations and rejected
external destinations.

Does this PR introduce a breaking change?

[ ] Yes
[x] No

@kamilmysliwiec kamilmysliwiec merged commit b0d473b into nestjs:master Jun 8, 2026
1 check passed
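
The containment check described in the PR body, as an added example that is not part of the PR and not nest-cli's code: it resolves each configured `outDir` against the project root and rejects the three cases listed above. The function names, the `/srv/app` root and the sample values are assumptions; the check is lexical and does not resolve symlinks.

```typescript
import * as path from 'node:path';

type AssetCheck = { outDir: string; ok: boolean; detail: string };

// Hypothetical helper (not nest-cli's implementation): resolve the final
// destination against the project root and refuse anything at or outside it.
function resolveAssetDestination(projectRoot: string, destination: string): string {
  const root = path.resolve(projectRoot);
  // path.resolve() normalises '..' segments and lets an absolute
  // destination override the root, so both cases end up in `dest`.
  const dest = path.resolve(root, destination);
  const rel = path.relative(root, dest);
  if (rel === '') {
    throw new Error(`asset destination equals the project root: ${dest}`);
  }
  // '..' or '../x' means the path climbed out of the root. An absolute `rel`
  // appears on Windows when the destination is on a different drive.
  // A plain dest.startsWith(root) test would wrongly accept /srv/app-backup.
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`asset destination escapes the project root: ${dest}`);
  }
  return dest;
}

// Run the check over a list of configured outDir values and report each result.
function checkAssetOutDirs(projectRoot: string, outDirs: string[]): AssetCheck[] {
  return outDirs.map((outDir) => {
    try {
      return { outDir, ok: true, detail: resolveAssetDestination(projectRoot, outDir) };
    } catch (err) {
      return { outDir, ok: false, detail: (err as Error).message };
    }
  });
}

// Constructed sample values; /srv/app is an assumed project root.
const sampleRoot = '/srv/app';
const sampleOutDirs = [
  'dist/assets', 'dist/../public', '/srv/app/dist', '..cache', // stay inside
  '.', '../shared', '/srv/app-backup',                         // must be refused
];
const report = checkAssetOutDirs(sampleRoot, sampleOutDirs);
for (const r of report) {
  console.log(r.ok ? 'allow ' : 'reject', r.outDir, '->', r.detail);
}
```

Running the same function before both the copy and the unlink call keeps the two code paths from drifting apart.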
@kamilmysliwiec

Member

lgtm

2 participants