Function safe_join 

pub fn safe_join(base: &Path, input: &str) -> Option<PathBuf>

Join input onto base, returning None if input would escape base.

Accepts only relative inputs that stay within base. The returned path is guaranteed to start with base and to contain no .. (Component::ParentDir) component.

Rejected (returns None):

• any input containing a NUL byte,
• absolute paths and Windows drive / UNC prefixes (Component::RootDir, Component::Prefix),
• any .. that pops above base.

Accepted (returns Some):

• . and the empty string resolve to base itself,
• balanced a/../b walks that stay at or below base.

The check is purely lexical — it does not touch the filesystem and does not resolve symlinks. Symlink-boundary enforcement belongs to the cap-std layer.