pub async fn ensure_path_within_workspace_resolved(
candidate: &Path,
workspace_root: &Path,
) -> Result<PathBuf>Expand description
Ensure a candidate path is inside the workspace root, resolving symlinks component by component.
This is the strict, filesystem-aware tier of workspace containment. On top
of the lexical check performed by ensure_path_within_workspace, it
walks each component of the candidate below the workspace root and:
- canonicalizes every existing component and verifies the resolved path still starts with the canonical workspace root (catches symlinks that point outside the workspace);
- tolerates nonexistent tail components (paths about to be created);
- rejects traversal through a file component (e.g.
file.txt/child).
The candidate must already be lexically inside workspace_root (both
sides are normalized before comparison).
Returns the normalized candidate path on success.