pub fn validate_read_path(path: &Path) -> Result<PathBuf>
Sanitize and validate a path that must exist (for reading).
Traversal check → canonicalize → allowlist.
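
The three stages in the order listed above, as an added sketch that is not this crate's implementation. The name `validate_read_path_sketch`, the `allowed_roots` parameter, the `io::Error` kinds and the temp-directory layout are assumptions made for illustration; the page does not show how the real allowlist is configured.

```rust
use std::{env, fs, io};
use std::path::{Component, Path, PathBuf};

// Hypothetical sketch: `allowed_roots` and the error kinds are assumptions, not the crate's API.
fn validate_read_path_sketch(path: &Path, allowed_roots: &[PathBuf]) -> io::Result<PathBuf> {
    // 1. Traversal check: reject any `..` component before touching the filesystem.
    if path.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "path contains '..'"));
    }
    // 2. Canonicalize: resolves symlinks and fails if the path does not exist.
    let real = fs::canonicalize(path)?;
    // 3. Allowlist: component-wise prefix match of the resolved path against canonical roots.
    for root in allowed_roots {
        if let Ok(root) = fs::canonicalize(root) {
            if real.starts_with(&root) {
                return Ok(real);
            }
        }
    }
    Err(io::Error::new(io::ErrorKind::PermissionDenied, "path outside allowlist"))
}

// Builds a constructed temp layout and reports whether each probe path is accepted.
fn demo() -> io::Result<[bool; 5]> {
    let base = env::temp_dir().join(format!("vrp_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (allowed, secret) = (base.join("allowed"), base.join("secret"));
    fs::create_dir_all(&allowed)?;
    fs::create_dir_all(&secret)?;
    fs::write(allowed.join("ok.txt"), b"ok")?;
    fs::write(secret.join("key.txt"), b"k")?;
    #[cfg(unix)] // a symlink inside the allowed root that resolves outside it
    std::os::unix::fs::symlink(secret.join("key.txt"), allowed.join("link.txt"))?;
    let roots = [allowed.clone()];
    let out = [
        validate_read_path_sketch(&allowed.join("ok.txt"), &roots).is_ok(), // inside root
        validate_read_path_sketch(&allowed.join("../secret/key.txt"), &roots).is_ok(), // `..`
        validate_read_path_sketch(&secret.join("key.txt"), &roots).is_ok(), // outside root
        validate_read_path_sketch(&allowed.join("missing.txt"), &roots).is_ok(), // must exist
        validate_read_path_sketch(&allowed.join("link.txt"), &roots).is_ok(), // symlink escape
    ];
    fs::remove_dir_all(&base)?;
    Ok(out)
}

fn main() {
    println!("{:?}", demo());
}
```

Callers should open the returned canonical path rather than the original input, so the path that was checked is the path that is read.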