Function resolve_under_root 

pub fn resolve_under_root(root: &Path, relative: &Path) -> Option<PathBuf>

Validate that a cached-asset local_path stays under root and return the absolute path on success.

The index is trusted to hold relative paths produced by CacheManager::store. This helper defends against corrupted or tampered index.json entries that try to point elsewhere:

  • Absolute paths are rejected (because PathBuf::join would discard root for any absolute RHS).
  • Paths containing .. components are rejected — we never generate them, so anything with traversal came from outside the crate.
  • Lexical containment: the joined path’s components must start with the root’s components.
  • Symlink guard: when the resolved path exists on disk, both root and the resolved path are canonicalized with std::path::Path::canonicalize so that any symlink within the cache directory is dereferenced. The canonicalized resolved path must still start with the canonicalized root; if it doesn’t (e.g. a symlink inside the cache dir points outside), the path is rejected.

Returns None when the path is unsafe; callers drop the index entry instead of touching the filesystem.
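
The four checks listed above, written out as an added sketch that is not this crate's source. The names `resolve_under_root_sketch` and `demo`, the fixture paths, and the choice to return the joined rather than the canonicalized path are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};
use std::{env, fs, io, process};

// Added sketch of the four documented checks; not the crate's source.
pub fn resolve_under_root_sketch(root: &Path, relative: &Path) -> Option<PathBuf> {
    // Absolute RHS: `root.join(abs)` would return `abs` and drop `root`.
    if relative.is_absolute() { return None; }
    // Accept only plain names and `.`; rejects `..` and root/prefix components.
    if !relative.components().all(|c| matches!(c, Component::Normal(_) | Component::CurDir)) {
        return None;
    }
    // Lexical containment, compared component-wise rather than as strings.
    let joined = root.join(relative);
    if !joined.starts_with(root) { return None; }
    // Symlink guard: only possible when the target exists on disk.
    if joined.exists() {
        let real_root = root.canonicalize().ok()?;
        if !joined.canonicalize().ok()?.starts_with(&real_root) {
            return None;
        }
    }
    Some(joined)
}

// Constructed fixture: <tmp>/cache/ok.bin, <tmp>/outside, and (Unix) cache/link -> outside.
pub fn demo() -> io::Result<Vec<(String, bool)>> {
    let base = env::temp_dir().join(format!("rur-demo-{}", process::id()));
    let _ = fs::remove_dir_all(&base); // clear leftovers from an earlier run
    let (root, outside) = (base.join("cache"), base.join("outside"));
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&outside)?;
    fs::write(root.join("ok.bin"), b"x")?;
    #[cfg(unix)]
    std::os::unix::fs::symlink(&outside, root.join("link"))?;
    let cases = ["ok.bin", "new/asset.bin", "../outside", "link"];
    let mut out: Vec<(String, bool)> = cases.iter()
        .map(|c| (c.to_string(), resolve_under_root_sketch(&root, Path::new(c)).is_some()))
        .collect();
    out.push(("<absolute>".into(), resolve_under_root_sketch(&root, &outside).is_some()));
    fs::remove_dir_all(&base)?;
    Ok(out)
}

fn main() {
    for (path, ok) in demo().expect("fixture setup") {
        println!("{path:>14} -> {}", if ok { "accepted" } else { "rejected" });
    }
}
```

A path that does not exist yet, such as `new/asset.bin` here, is accepted on the lexical checks alone, which matches the "when the resolved path exists on disk" condition in the description.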