Function trusted_schema_path 

pub fn trusted_schema_path() -> Result<PathBuf, AppError>

Computes a schema path under the cache dir so codex exec accepts it as part of a trusted directory (rejects /tmp on hardened installs).