pub fn normalize_under_root(root: &Path, candidate: &Path) -> Result<PathBuf>
Normalise a user-supplied path so it stays under root. Rejects absolute inputs and any traversal that would escape root.
root