Add ILocalRefPolicy to validate local file reference paths against data rootsb/compute-auth

Restrict local-ref file paths to the server's data directories to prevent
a local process from reading arbitrary files via crafted local references.
The policy uses weakly_canonical + prefix matching (fail-closed when no
policy is configured). Handle-based refs bypass the policy since they
rely on OS handle security.

0 files changed, 0 insertions, 0 deletions