pub fn read_capped(path: &Path) -> Result<String>Expand description
Read path to a String, but refuse files larger than
MAX_INPUT_FILE_BYTES.
Why this exists: a 50 MiB hostile YAML allocates ~150 MiB peak inside
serde_yaml (triple-parse + a serde_yaml::Value for every node).
Capping at the filesystem boundary keeps that allocation pre-empted —
we never even hand the bytes to the YAML parser.
metadata follows symlinks; that is fine here because callers that
need an explicit symlink fence call read_capped_with_symlink_fence
instead, which canonicalises before calling this.
Returned [io::Error]s use InvalidData for the size-cap rejection so
callers can distinguish IO failure from cap rejection if they want.