pub fn validate_path_within(
root: &Path,
relative: &str,
) -> Result<PathBuf, String>Expand description
Validate that a relative path stays within root.
Rejects: parent-dir traversal (.. as a path component, not as a
substring — so file..py is allowed), absolute paths, drive-letter
prefixes, leading separators, null bytes, and (when root exists)
any path whose canonical form escapes root via a planted symlink.