pub struct StoreContainment { /* private fields */ }
Hot-loop companion to ensure_path_within_store: identical per-candidate
semantics, amortized cost. The single-shot gate re-canonicalizes the store
root and walks the candidate’s whole parent chain via canonicalize on
every call — two realpath(3) chains per candidate, which at a 10k-file scan
set dominates the scan itself. This helper canonicalizes the root ONCE at
construction and memoizes each distinct parent directory’s canonical form
(scan candidates cluster into a few dozen type/shard folders), so the
common candidate — an existing, non-symlink file in a known folder — costs
one lstat(2) and a prefix check. Symlink leaves, missing files, and other
corners fall back to the same full peel-resolution the single-shot gate
runs, so no candidate gets a weaker check: a poisoned path still resolves
(or fails) exactly as before.
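
The fast-path/slow-path split described above, as an added sketch that is not this crate's code: `CachedContainment`, `full_check` and `cached_parents` are hypothetical names. It assumes a plain `canonicalize` stands in for the single-shot gate's peel-resolution, so a missing file is an error here.

```rust
use std::collections::HashMap;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

// Hypothetical sketch of the memoized gate; not the crate's StoreContainment.
pub struct CachedContainment {
    root: PathBuf,                      // canonicalized once at construction
    parents: HashMap<PathBuf, PathBuf>, // parent dir as given -> canonical form
}

impl CachedContainment {
    pub fn new(root: &Path) -> io::Result<Self> {
        Ok(Self { root: fs::canonicalize(root)?, parents: HashMap::new() })
    }

    // Slow path (assumed stand-in for the single-shot gate): resolve everything.
    fn full_check(&self, candidate: &Path) -> io::Result<bool> {
        Ok(fs::canonicalize(candidate)?.starts_with(&self.root))
    }

    pub fn contains(&mut self, candidate: &Path) -> io::Result<bool> {
        let (parent, name) = match (candidate.parent(), candidate.file_name()) {
            (Some(p), Some(n)) if !p.as_os_str().is_empty() => (p, n),
            _ => return self.full_check(candidate), // "..", bare names, roots
        };
        // One lstat: only an existing, non-symlink leaf may take the fast path.
        match fs::symlink_metadata(candidate) {
            Ok(m) if !m.file_type().is_symlink() => {}
            _ => return self.full_check(candidate),
        }
        let canon_parent = match self.parents.get(parent) {
            Some(c) => c.clone(),
            None => {
                let c = fs::canonicalize(parent)?;
                self.parents.insert(parent.to_path_buf(), c.clone());
                c
            }
        };
        // Component-wise prefix check: "/store2" does not pass for root "/store".
        Ok(canon_parent.join(name).starts_with(&self.root))
    }

    pub fn cached_parents(&self) -> usize { self.parents.len() }
}

fn main() {
    let mut gate = CachedContainment::new(Path::new(".")).expect("cwd exists");
    println!("{:?}", gate.contains(Path::new("./Cargo.toml"))); // constructed input
}
```

The memo in this sketch is only valid while the cached parent directories are not replaced during the scan.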