docs(windows): audit path normalization #3429

Merged: oferchen merged 1 commit into master from docs/windows-path-normalization-audit on Apr 29, 2026

@oferchen
Owner

Summary

Static-analysis audit of how oc-rsync handles Windows path inputs at every entry point: CLI parsing, flist encode/decode, daemon sanitization, local-copy planning, and symlink safety. Tracks task #1842.

Documents one HIGH-severity bug, one MEDIUM, three LOW, and one INFORMATIONAL finding.

Path-Form Map

The audit tabulates the 12 path forms a Windows user can pass on the command line and traces each through CLI parse -> wire bytes -> receiver decode -> on-disk result, comparing against upstream rsync 3.4.1's Cygwin behaviour. Forms covered:

  • Drive-letter absolute (C:\foo\bar) and drive-relative (C:foo\bar)
  • UNC (\\server\share\foo) and verbatim long-path (\\?\C:\foo, \\?\UNC\server\share)
  • Mixed-slash drive-letter (C:/foo/bar)
  • Cygwin (/cygdrive/c/foo) and MSYS (/c/foo) - oc-rsync is native Win32, so these are NOT translated.
  • Relative with backslash (foo\bar\baz) and forward slash (foo/bar/baz)
  • Trailing dot, DOS reserved names, single-colon SSH, drive-letter alone (C:)

Findings

| # | Severity | Subject |
|---|----------|---------|
| F1 | HIGH | Backslash leaks into wire-encoded filenames on Windows -> Linux push |
| F2 | MEDIUM | transfer_role::operand_is_remote duplicates engine::local_copy::operand_is_remote and lacks \\?\ extended-prefix detection |
| F3 | LOW | Symlink safety checks only POSIX-style absolute paths |
| F4 | LOW | name_bytes() non-Unix branch performs UTF-8 lossy round-trip |
| F5 | LOW | strip_leading_slashes non-Unix branch uses to_string_lossy |
| F6 | INFO | Trailing dots, spaces, DOS reserved names forwarded verbatim (matches upstream) |

In-PR Fix

None - this is an audit-only PR. The HIGH-severity finding F1 requires a wire-format change with new golden-byte tests and is filed as a follow-up. The audit document includes the full follow-up task list with severity ratings and concrete fix directions.

Test plan

  • cargo fmt --all (no code changes)
  • CI fmt+clippy
  • CI nextest (stable)
  • CI Windows / macOS / Linux musl

Closes nothing yet; tracks #1842 with follow-ups.
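
The prefix-based forms from the Path-Form Map as a small Rust classifier, plus the effect F1 describes when a backslash-separated name is split the way a POSIX receiver splits it. This is an added example, not code from oc-rsync or the audit document; `PathForm`, `classify` and `posix_components` are hypothetical names, and `host:path` remote operands, trailing dots and DOS reserved names are not handled.

```rust
// Added example; type and function names are hypothetical, not oc-rsync identifiers.
#[derive(Debug, PartialEq)]
enum PathForm {
    VerbatimUnc,   // \\?\UNC\server\share
    Verbatim,      // \\?\C:\foo
    Unc,           // \\server\share\foo
    DriveAbsolute, // C:\foo\bar or C:/foo/bar
    DriveRelative, // C:foo\bar
    DriveAlone,    // C:
    Cygwin,        // /cygdrive/c/foo
    Msys,          // /c/foo
    Rooted,        // \foo or /foo (current-drive root; not one of the audited forms)
    Relative,      // foo\bar\baz or foo/bar/baz
}

fn is_sep(c: u8) -> bool { c == b'\\' || c == b'/' }

fn classify(p: &str) -> PathForm {
    let b = p.as_bytes();
    // Longest prefix first: \\?\UNC\ must be tested before \\?\ and before \\.
    if b.starts_with(br"\\?\UNC\") { return PathForm::VerbatimUnc; }
    if b.starts_with(br"\\?\") { return PathForm::Verbatim; }
    if b.len() >= 2 && is_sep(b[0]) && is_sep(b[1]) { return PathForm::Unc; }
    if b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':' {
        return match b.get(2) {
            None => PathForm::DriveAlone,
            Some(&c) if is_sep(c) => PathForm::DriveAbsolute,
            Some(_) => PathForm::DriveRelative,
        };
    }
    if b.starts_with(b"/cygdrive/") { return PathForm::Cygwin; }
    // MSYS drive form: "/c" alone or "/c/..." (single letter, then end or '/').
    if b.len() >= 2 && b[0] == b'/' && b[1].is_ascii_alphabetic() && b.get(2).map_or(true, |&c| c == b'/') {
        return PathForm::Msys;
    }
    if !b.is_empty() && is_sep(b[0]) { PathForm::Rooted } else { PathForm::Relative }
}

// Components as a POSIX receiver splits them: only '/' separates, '\' is a name byte.
fn posix_components(wire_name: &str) -> Vec<&str> {
    wire_name.split('/').filter(|c| !c.is_empty()).collect()
}

fn main() {
    for p in [r"C:\foo\bar", r"C:foo\bar", r"\\?\UNC\server\share", "/c/foo", r"foo\bar\baz"] {
        println!("{:<24} {:?} -> {:?}", p, classify(p), posix_components(p));
    }
}
```

A name such as `foo\bar\baz` that reaches the wire unchanged yields one component on a POSIX receiver, while `foo/bar/baz` yields three.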

Static analysis of every entry point that consumes or emits a path on
Windows: CLI parsing, flist encode/decode, daemon sanitization, local-
copy planning, and symlink safety. Compares against upstream rsync
3.4.1 (Cygwin build) and identifies one high-severity correctness bug
(F1: backslash leaks into wire-encoded filenames) plus four lower-
severity gaps. Audit-only commit; F1 fix is filed as a follow-up
because it requires a wire-format change with dedicated golden tests.
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Apr 29, 2026
@oferchen oferchen merged commit 27789dc into master Apr 29, 2026
12 checks passed
@oferchen oferchen deleted the docs/windows-path-normalization-audit branch April 29, 2026 10:21
oferchen added a commit that referenced this pull request May 1, 2026
oferchen added a commit that referenced this pull request May 5, 2026