Commit graph

4 commits

Author SHA1 Message Date
8eace960c2 fix(file-portal): block dotdot path-traversal in is_allowed
Path::starts_with is component-aware but does not resolve .., so
/allowed/../etc/passwd would pass the check. Add normalize_path() that
lexically resolves . and .. components without touching the filesystem
so the check works on non-existent paths too. Add regression test.
2026-03-11 18:54:25 +01:00
a18f5c7604 fix(file-portal): create parent directories on write
std::fs::write fails when the destination parent does not exist.
Add create_dir_all before the write so apps can store files in
nested paths (e.g. config/sub/settings.json) without pre-creating
directories. Add regression test for the nested-path case.
2026-03-11 18:52:54 +01:00
b4824aa8d4 feat(servo-shell): input forwarding, weft-app URL resolution, weftIpc JS bridge (servo-embed only)
2026-03-11 17:52:37 +01:00
1b93f1c825 feat: weft-file-portal -- sandboxed file access broker
New crate. Per-session file proxy that gates filesystem access to an
explicit allowlist of paths passed at startup.

Usage: weft-file-portal <socket_path> [--allow <path>]...

Listens on a Unix domain socket. Each connection receives newline-
delimited JSON requests and returns newline-delimited JSON responses.
File content is base64-encoded. Operations: read, write, list.
Empty allowlist rejects all requests; paths checked with starts_with.

7 unit tests covering access control, read/write roundtrip, and list.
2026-03-11 15:52:33 +01:00
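
The bypass described in the 8eace960c2 message, and the plain `starts_with` check mentioned in 1b93f1c825, shown side by side as an added sketch; this is not the crate's own code. The names `normalize_path` and `is_allowed` come from the commit message, but their signatures and bodies here are assumptions, as are `naive_is_allowed` and the sample allowlist `/allowed`.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically resolve `.` and `..` without touching the filesystem, so the
/// result is defined for paths that do not exist yet (assumed behaviour).
fn normalize_path(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                if matches!(out.components().next_back(), Some(Component::Normal(_))) {
                    out.pop(); // "a/b/.." becomes "a"
                } else if !out.has_root() {
                    out.push(".."); // relative path climbing upward: keep it
                } // at the root, ".." stays at the root
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Pre-fix shape of the check: component-aware prefix match, `..` unresolved.
fn naive_is_allowed(allow: &[PathBuf], req: &Path) -> bool {
    allow.iter().any(|a| req.starts_with(a))
}

/// Post-fix shape: normalize both sides, require an absolute path, then match.
/// An empty allowlist rejects everything because `any` over nothing is false.
fn is_allowed(allow: &[PathBuf], req: &Path) -> bool {
    let req = normalize_path(req);
    req.is_absolute() && allow.iter().any(|a| req.starts_with(normalize_path(a)))
}

fn main() {
    let allow = vec![PathBuf::from("/allowed")]; // constructed sample allowlist
    let samples = [
        "/allowed/a.txt",
        "/allowed/../etc/passwd",
        "/allowedx/a",
        "/allowed/./new/../file",
    ];
    for p in samples.iter() {
        let req = Path::new(p);
        println!("{}: naive={} normalized={}", p,
                 naive_is_allowed(&allow, req), is_allowed(&allow, req));
    }
}
```

Because the normalization is purely lexical, a symlink inside an allowed directory is not resolved by this check and needs separate handling.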