fix(cache): handle root base directory path checks

cache.go

@@ -99,7 +99,7 @@ func (c *Cache) Path(key string) (string, error) {
 		return "", coreerr.E("cache.Path", "failed to get absolute path for key", err)
 	}
 
-	if !core.HasPrefix(absPath, absBase+pathSeparator()) && absPath != absBase {
+	if !core.HasPrefix(absPath, core.Path(absBase, "")) && absPath != absBase {
 		return "", coreerr.E("cache.Path", "invalid cache key: path traversal attempt", nil)
 	}
 
@@ -261,13 +261,12 @@ func GitHubRepoKey(org, repo string) string {
 }
 
 func joinPath(segments ...string) string {
-	return normalizePath(core.JoinPath(segments...))
+	return core.JoinPath(segments...)
 }
 
 func pathAbs(path string) (string, error) {
-	path = normalizePath(path)
 	if core.PathIsAbs(path) {
-		return core.CleanPath(path, pathSeparator()), nil
+		return core.CleanPath(path, core.Env("DS")), nil
 	}
 
 	cwd, err := os.Getwd()
@@ -277,18 +276,3 @@ func pathAbs(path string) (string, error) {
 
 	return core.Path(cwd, path), nil
 }
-
-func normalizePath(path string) string {
-	if pathSeparator() == "/" {
-		return path
-	}
-	return core.Replace(path, "/", pathSeparator())
-}
-
-func pathSeparator() string {
-	sep := core.Env("DS")
-	if sep == "" {
-		return "/"
-	}
-	return sep
-}

cache_test.go

@@ -129,3 +129,15 @@ func TestPathTraversalRejected(t *testing.T) {
 		t.Error("expected error for path traversal key, got nil")
 	}
 }
+
+func TestPathAllowsRootBaseDir(t *testing.T) {
+	m := coreio.NewMockMedium()
+	c, err := cache.New(m, "/", 1*time.Minute)
+	if err != nil {
+		t.Fatalf("failed to create cache: %v", err)
+	}
+
+	if _, err := c.Path("session/root-cache"); err != nil {
+		t.Fatalf("expected path under root base dir, got error: %v", err)
+	}
+}