diff --git a/cache_test.go b/cache_test.go
index 2a4e06e..c630f2c 100644
--- a/cache_test.go
+++ b/cache_test.go
@@ -102,3 +102,28 @@ func TestCacheDefaults(t *testing.T) {
 		t.Fatal("expected cache instance")
 	}
 }
+
+func TestGitHubKeys(t *testing.T) {
+	key := cache.GitHubReposKey("myorg")
+	if key != "github/myorg/repos" {
+		t.Errorf("unexpected GitHubReposKey: %q", key)
+	}
+
+	key = cache.GitHubRepoKey("myorg", "myrepo")
+	if key != "github/myorg/myrepo/meta" {
+		t.Errorf("unexpected GitHubRepoKey: %q", key)
+	}
+}
+
+func TestPathTraversalRejected(t *testing.T) {
+	m := coreio.NewMockMedium()
+	c, err := cache.New(m, "/tmp/cache-traversal", 1*time.Minute)
+	if err != nil {
+		t.Fatalf("failed to create cache: %v", err)
+	}
+
+	_, err = c.Path("../../etc/passwd")
+	if err == nil {
+		t.Error("expected error for path traversal key, got nil")
+	}
+}
diff --git a/docs/architecture.md b/docs/architecture.md
index 51e0e01..b2199b0 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -179,7 +179,7 @@ paths, then checks that the result is still a prefix of the base:
 
 ```go
 if !strings.HasPrefix(absPath, absBase) {
-    return "", fmt.Errorf("invalid cache key: path traversal attempt")
+    return "", coreerr.E("cache.Path", "invalid cache key: path traversal attempt", nil)
 }
 ```