pub fn is_path_within_root(path: &Path, root: &Path) -> bool
Check if a path is within the project root (for sandbox enforcement)