The FilePrefix/CheckPath guard forbids absolute paths and '..' traversal so a
remote client cannot make the broker/writer write outside their run directory.
Offline processing (rugnux -o, and the viewer writing next to the input file)
supplies its own trusted local path, so that guard should not apply to it.
Add a trusted opt-in that leaves the broker/writer path untouched:
- DatasetSettings/DiffractionExperiment::FilePrefixTrusted() sets the prefix
without CheckPath (FilePrefix() = CheckPath + FilePrefixTrusted).
- FileWriter gains a trusted_path ctor flag that skips its own CheckPath.
- Rugnux uses both. Broker/writer never set them, so their behaviour is
identical; this only widens what the offline CLI/viewer may write.
Previously 'rugnux -o /abs/path' threw ('Path cannot start with slash') while
building the _process.h5; the .mtz/.cif already bypassed the guard.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>