# `Agentic.Workspace.PathValidator`

Validates workspace paths are within the allowed base directory.

All workspace directories must be direct children of the configured
`:workspace_base_dir`. This prevents path traversal attacks and ensures
workspaces cannot write to arbitrary filesystem locations.

# `base_dir`

Returns the expanded base directory for all workspaces.

# `from_slug`

Generates a safe workspace path from a slug.

The slug must match `^[a-z0-9][a-z0-9-]*$`. Returns `{:ok, path}` or
`{:error, reason}`.

# `validate`

Validates that a workspace path is safe and within the base directory.

Rules:
1. Expanded path must be a direct child of base_dir
2. Must not escape via `..` traversal (checked after expansion)
3. Must not be the base_dir itself
4. Directory name must match `^[a-z0-9][a-z0-9-]*$`

Returns `{:ok, expanded_path}` or `{:error, reason}`.

---

*Consult [api-reference.md](api-reference.md) for complete listing*