pub fn resolve_program(program: &Path) -> PathBufExpand description
Resolve program to the exact canonical path the allowlist matches against,
so a caller can execute the same file it vetted (I15). The allowlist
check canonicalizes (resolving symlinks and ..), but if the spawn used the
raw, un-canonicalized path the OS would re-resolve it at exec time — letting
an allowlisted symlink be repointed during the confirmation window (TOCTOU).
Spawning this resolved path instead binds the decision to the execution.
Falls back to the path as-given when it cannot be resolved (then the gate has
already refused it, since it cannot match a real reviewed file).