clod
Copyright: (c) Fuzz Leonard 2025
License: MIT
Maintainer: cyborg@bionicfuzz.com
Stability: experimental
Safe Haskell: None
Language: Haskell2010

Clod.Capability

Description

This module implements capability-based security for file operations, providing safe access to the filesystem with explicit permissions. It enforces the principle of least privilege by requiring explicit capabilities for reading from and writing to files.

Under this model the application can only touch directories that have been explicitly granted to it. Each grant is represented by a token (FileReadCap or FileWriteCap) that must be passed to every function that interacts with the filesystem; a caller that does not hold a suitable token has no way to read or write the corresponding files.

Core principles:

  • Files can only be read if they're in a directory allowed by FileReadCap
  • Files can only be written if they're in a directory allowed by FileWriteCap
  • Capabilities cannot be forged - they must be obtained from authorized sources
  • Path traversal attacks are prevented: a path is checked against the allowed directories only after it has been validated and its ".." segments resolved, so a path such as /path/to/project/../etc/passwd is not treated as being inside /path/to/project, and a mere string-prefix match (e.g. /path/to/project2 against /path/to/project) is not enough

Example usage:

-- mkFileReadCap, mkFileWriteCap, safeReadFile and safeWriteFile are
-- defined in Types.hs (see Synopsis below).
main :: IO ()
main = do
  -- Create capabilities with restricted access: reads are confined to the
  -- project tree, writes to the staging tree
  readCap <- mkFileReadCap ["/path/to/project"]
  writeCap <- mkFileWriteCap ["/path/to/staging"]

  -- Use capabilities for filesystem operations; each call re-checks the
  -- requested path against the directories its capability allows
  content <- safeReadFile readCap "/path/to/project/src/main.hs"
  safeWriteFile writeCap "/path/to/staging/src-main.hs" content

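The following is an added example and not code from the Clod project. It shows one way the pattern described above can be realized in plain Haskell: capability tokens that can only be obtained through smart constructors, and a check that canonicalizes every requested path and compares it component-wise against the allowed roots. The function names mirror the page's usage example, but the bodies are an assumption about how such a guard could be built, not Clod's implementation. The sandbox directories, files and symlink created under the system temp directory are constructed for the demonstration and assume a POSIX host (only the `directory` and `filepath` packages that ship with GHC are used).

```haskell
-- Added example, not code from the Clod project.  Names mirror the page's
-- usage example; the checking logic is an assumption, not Clod's own.
module Main (main) where

import Control.Exception (SomeException, try)
import Control.Monad (forM_, unless)
import Data.List (isPrefixOf)
import System.Directory
  ( canonicalizePath, createDirectoryIfMissing, createFileLink
  , getTemporaryDirectory, removePathForcibly )
import System.FilePath ((</>), splitDirectories)

-- Capability tokens.  In a real module the data constructors are left out
-- of the export list, so the only way to obtain a token is through the
-- smart constructors below; that is what makes the tokens unforgeable.
newtype FileReadCap  = FileReadCap  [FilePath]
newtype FileWriteCap = FileWriteCap [FilePath]

-- The smart constructors canonicalize the allowed roots once, up front, so
-- later comparisons are between fully resolved absolute paths.
mkFileReadCap :: [FilePath] -> IO FileReadCap
mkFileReadCap dirs = FileReadCap <$> mapM canonicalizePath dirs

mkFileWriteCap :: [FilePath] -> IO FileWriteCap
mkFileWriteCap dirs = FileWriteCap <$> mapM canonicalizePath dirs

-- Resolve the requested path (absolute, symlinks followed, "." removed) and
-- require it to sit under one of the allowed roots, comparing whole path
-- components so that ".../project" does not authorize ".../projectX".
-- A ".." that survives resolution (possible when the tail of the path does
-- not exist yet) is rejected outright rather than reasoned about.
checkPath :: [FilePath] -> FilePath -> IO FilePath
checkPath roots requested = do
  resolved <- canonicalizePath requested
  let parts = splitDirectories resolved
      under root = splitDirectories root `isPrefixOf` parts
  unless (".." `notElem` parts && any under roots) $
    ioError (userError ("capability does not cover " ++ requested))
  return resolved

safeReadFile :: FileReadCap -> FilePath -> IO String
safeReadFile (FileReadCap roots) p = checkPath roots p >>= readFile

safeWriteFile :: FileWriteCap -> FilePath -> String -> IO ()
safeWriteFile (FileWriteCap roots) p content = do
  q <- checkPath roots p
  writeFile q content

main :: IO ()
main = do
  -- Constructed sandbox under the temp dir: a project tree, a staging tree,
  -- a secret outside both, and a symlink inside the project that points at
  -- the secret.
  tmp <- getTemporaryDirectory
  let base    = tmp </> "clod-capability-demo"
      project = base </> "project"
      staging = base </> "staging"
      secret  = base </> "secret.txt"
  removePathForcibly base
  createDirectoryIfMissing True (project </> "src")
  createDirectoryIfMissing True staging
  writeFile (project </> "src" </> "main.hs") "main = putStrLn \"hello\"\n"
  writeFile secret "do not leak\n"
  createFileLink secret (project </> "src" </> "link-to-secret")

  readCap  <- mkFileReadCap  [project]
  writeCap <- mkFileWriteCap [staging]

  -- The legitimate flow from the page's example.
  content <- safeReadFile readCap (project </> "src" </> "main.hs")
  safeWriteFile writeCap (staging </> "src-main.hs") content
  putStrLn "allowed: read project/src/main.hs, wrote staging/src-main.hs"

  -- Each of these reads must be refused: a traversal out of the root, a
  -- sibling directory sharing a string prefix, and a symlink that escapes.
  forM_ [ project </> ".." </> "secret.txt"
        , base </> "projectX" </> "x"
        , project </> "src" </> "link-to-secret" ] $ \p -> do
    r <- try (safeReadFile readCap p) :: IO (Either SomeException String)
    putStrLn (either (const ("denied:  " ++ p)) (const ("LEAK:    " ++ p)) r)

  -- A write capability for staging must not let the caller modify project.
  w <- try (safeWriteFile writeCap (project </> "src" </> "main.hs") "owned")
         :: IO (Either SomeException ())
  putStrLn (either (const "denied:  write into project with staging-only cap")
                   (const "LEAK:    staging cap wrote into project") w)
```

Run it with `runghc` on a POSIX system; every line after the first "allowed" line should read "denied". The design point is that validation happens on the canonical path, with the allowed roots canonicalized the same way, so that symlinks, ".." segments and a temp directory that is itself a symlink (as on macOS) cannot produce a false match in either direction.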
Synopsis

    Capability types and functionality are now in Types.hs