"""Path validation utilities."""

from pathlib import Path

from app.config import get_settings


def validate_log_path(log_path: str) -> str:
    """Validate that a log path is within allowed directories.

    Resolves the path to its canonical form (resolving symlinks) and checks
    that it is relative to one of the allowed log directories from settings.

    Args:
        log_path: The log path to validate.

    Returns:
        The validated log path (unchanged).

    Raises:
        ValueError: If the path is outside allowed log directories.
    """
    settings = get_settings()
    try:
        resolved_path = Path(log_path).resolve()
    except (OSError, RuntimeError) as e:
        raise ValueError(f"Cannot resolve path {log_path!r}: {e}") from e

    for allowed_dir in settings.allowed_log_dirs:
        allowed_path = Path(allowed_dir).resolve()
        try:
            resolved_path.relative_to(allowed_path)
            return log_path
        except ValueError:
            continue

    allowed_dirs_str = ", ".join(settings.allowed_log_dirs)
    raise ValueError(
        f"Log path {log_path!r} is outside allowed directories: {allowed_dirs_str}"
    )