fix(cortex-common): fix validate_path_safe macOS symlink resolution

On macOS, temporary directories like /var/folders/... are actually symlinks
to /private/var/folders/... When validate_path_safe validates a non-existent
path, it would normalize (not canonicalize) the path, keeping /var/... format,
but the root would be canonicalized to /private/var/...

This caused the starts_with check to fail because /var/... doesn't start
with /private/var/...

Fix: When a non-existent path has an existing parent directory, canonicalize
the parent to resolve symlinks, then join with the filename.

Author: factorydroid

cortex-common/src/path_utils.rs

@@ -231,7 +231,27 @@ pub fn validate_path_safe(path: &Path, root: &Path) -> PathResult<PathBuf> {
         } else {
             canonical_root.join(path)
         };
-        normalize_path(&absolute_path)
+        let normalized = normalize_path(&absolute_path);
+
+        // If the parent directory exists, canonicalize it to resolve symlinks
+        // (important for macOS where /var -> /private/var)
+        if let Some(parent) = normalized.parent() {
+            if parent.exists() {
+                if let Ok(canonical_parent) = parent.canonicalize() {
+                    if let Some(file_name) = normalized.file_name() {
+                        canonical_parent.join(file_name)
+                    } else {
+                        normalized
+                    }
+                } else {
+                    normalized
+                }
+            } else {
+                normalized
+            }
+        } else {
+            normalized
+        }
     };
 
     // Final validation: ensure path is within root