pub fn validate_read_path(path: &Path) -> Result<PathBuf>
Validates that a path is safe for reading: it must exist and must be under the allowed base.
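
One way to implement the two checks named above (existence and containment under a base), as an added example that is not this crate's own code. The name `validate_read_path_under`, the explicit `base` parameter, the use of `std::io::Result` and the directory layout in `demo` are assumptions made for illustration.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::path::{Path, PathBuf};

/// Hypothetical sketch: the allowed base is passed in explicitly (assumption;
/// the documented function takes only `path`).
pub fn validate_read_path_under(base: &Path, path: &Path) -> Result<PathBuf> {
    // Resolve the base first so both sides of the comparison are canonical.
    let base = fs::canonicalize(base)?;
    // `join` roots a relative `path` at the base and keeps an absolute one as-is.
    // `canonicalize` fails with NotFound if the target does not exist, and
    // resolves `..` components and symlinks, so the check sees the real location.
    let resolved = fs::canonicalize(base.join(path))?;
    // `Path::starts_with` compares whole components, so `/x/data-evil` is not
    // treated as being under `/x/data` the way a string prefix test would.
    if !resolved.starts_with(&base) {
        return Err(Error::new(ErrorKind::PermissionDenied, "path escapes allowed base"));
    }
    Ok(resolved)
}

/// Runs the validator over a constructed layout in the system temp dir and
/// returns the error kind (or None on success) for four sample inputs.
pub fn demo() -> Result<[Option<ErrorKind>; 4]> {
    let root = std::env::temp_dir().join(format!("vrp_demo_{}", std::process::id()));
    let (base, sibling) = (root.join("data"), root.join("data-evil"));
    fs::create_dir_all(&base)?;
    fs::create_dir_all(&sibling)?;
    fs::write(base.join("ok.txt"), b"ok")?;
    fs::write(sibling.join("secret.txt"), b"secret")?;
    let check = |p: &Path| validate_read_path_under(&base, p).err().map(|e| e.kind());
    let out = [
        check(Path::new("ok.txt")),                  // inside the base
        check(Path::new("../data-evil/secret.txt")), // `..` traversal out of the base
        check(&sibling.join("secret.txt")),          // absolute path, sibling with shared name prefix
        check(Path::new("missing.txt")),             // does not exist
    ];
    fs::remove_dir_all(&root)?;
    Ok(out)
}

fn main() {
    println!("{:?}", demo());
}
```

The result is a point-in-time check: callers should open the returned canonical path rather than the original input, and the filesystem can still change between validation and open.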