Path traversal via unsanitized logs_dir in chat session handler. logs_dir passed directly to os.makedirs() and file path construction without boundary validation. Enables arbitrary directory creation and file write.

Affected file: src/instructlab/model/chat.py lines 858-863.
Upstream notification: security-reporting bounced.