Function validate_path 

pub fn validate_path(
    path_str: &str,
    ctx: &PathContext,
) -> Result<PathBuf, String>

Validates a path with canonicalization and prefix checking.

For existing paths, resolves symlinks via canonicalize() to prevent symlink-based escapes. For non-existent paths (writes), canonicalizes the parent directory and appends the filename.

§CWD Independence (R-C26-01)

This function is CWD-independent: no std::env::current_dir() fallback. Two calls with the same path but different CWD produce identical results or identical errors. Relative paths that do not exist and whose parent does not exist are rejected because they cannot be resolved without CWD.

§Arguments

  • path_str - Path string to validate
  • ctx - Validation context with allowed prefixes and requirements

§Returns

  • Ok(PathBuf) - Resolved path (canonical if possible)
  • Err(String) - Validation error message (does not leak allowed prefixes)

§Errors

Returns an error string if the path is empty, contains null bytes, contains control characters, traverses parent directories, does not exist (when required), is not a regular file (when required), cannot be resolved without CWD, or is outside allowed directories.
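The checks described above, sketched as an added example; this is not the crate's own source. `Ctx` and `check_path` are hypothetical names, with `Ctx` standing in for `PathContext`, whose fields this page does not show. The sketch is stricter than the documented function in that it rejects every relative path.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Hypothetical stand-in for PathContext, whose fields this page does not show.
pub struct Ctx {
    pub allowed: Vec<PathBuf>,
}

pub fn check_path(path_str: &str, ctx: &Ctx) -> Result<PathBuf, String> {
    // Empty input, NUL and other control characters are rejected up front.
    if path_str.is_empty() || path_str.chars().any(char::is_control) {
        return Err("empty path or control character".into());
    }
    let path = Path::new(path_str);
    if path.components().any(|c| c == Component::ParentDir) {
        return Err("parent directory traversal".into());
    }
    // Assumption: stricter than the documented function, every relative path fails.
    if !path.is_absolute() {
        return Err("cannot be resolved without CWD".into());
    }
    let resolved = match fs::canonicalize(path) {
        Ok(p) => p, // existing path: every symlink is resolved
        Err(_) => {
            // A name that exists but cannot be resolved (dangling symlink) is refused.
            if fs::symlink_metadata(path).is_ok() {
                return Err("path cannot be resolved".into());
            }
            // Write target: canonicalize the parent, then re-attach the file name.
            let name = path.file_name().ok_or("no file name")?;
            let parent = path.parent().ok_or("no parent directory")?;
            let dir = fs::canonicalize(parent).map_err(|_| "parent does not exist")?;
            dir.join(name)
        }
    };
    // Path::starts_with compares whole components, so /srv/data-old does not
    // match an allowed prefix of /srv/data. Prefixes are canonicalized as well.
    let mut roots = ctx.allowed.iter().filter_map(|p| fs::canonicalize(p).ok());
    if roots.any(|r| resolved.starts_with(&r)) {
        return Ok(resolved);
    }
    Err("path is outside allowed directories".into()) // message names no prefix
}

fn main() {
    let ctx = Ctx { allowed: vec![std::env::temp_dir()] };
    println!("{:?}", check_path("/etc/passwd", &ctx));
}
```

The dangling-symlink refusal is an addition of this sketch. Validation and the later open are separate steps, so the result is only as trustworthy as the allowed tree is free of untrusted writers.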