add suggested fix from copilot

Author: paulbalandan

system/Autoloader/Autoloader.php

@@ -93,6 +93,12 @@ class Autoloader
      */
     protected $helpers = ['url'];
 
+    /**
+     * Track if Composer namespaces have been loaded in this initialization.
+     * Resets on each initialize() call to allow tests to load Composer.
+     */
+    private bool $composerLoaded = false;
+
     public function __construct(private readonly string $composerPath = COMPOSER_PATH)
     {
     }
@@ -109,6 +115,8 @@ public function initialize(Autoload $config, Modules $modules)
         $this->classmap = [];
         $this->files    = [];
 
+        $this->composerLoaded = false;
+
         // We have to have one or the other, though we don't enforce the need
         // to have both present in order to work.
         if ($config->psr4 === [] && $config->classmap === []) {
@@ -146,16 +154,36 @@ private function loadComposerAutoloader(Modules $modules): void
             define('VENDORPATH', dirname($this->composerPath) . DIRECTORY_SEPARATOR);
         }
 
-        /** @var ClassLoader $composer */
-        $composer = include $this->composerPath;
+        // Skip if already loaded in this initialization
+        if ($this->composerLoaded) {
+            return;
+        }
 
-        // Should we load through Composer's namespaces, also?
-        if ($modules->discoverInComposer) {
-            $composerPackages = $modules->composerPackages;
-            $this->loadComposerNamespaces($composer, $composerPackages ?? []);
+        // Use advisory file lock to coordinate between parallel processes
+        $lockFile = sys_get_temp_dir() . '/ci_autoload_' . sha1($this->composerPath) . '.lock';
+        $lockFp   = @fopen($lockFile, 'cb');
+        if ($lockFp) {
+            flock($lockFp, LOCK_EX);
         }
 
-        unset($composer);
+        try {
+            /** @var ClassLoader $composer */
+            $composer = include $this->composerPath;
+
+            // Should we load through Composer's namespaces, also?
+            if ($modules->discoverInComposer) {
+                $composerPackages = $modules->composerPackages;
+                $this->loadComposerNamespaces($composer, $composerPackages ?? []);
+                $this->composerLoaded = true;
+            }
+
+            unset($composer);
+        } finally {
+            if ($lockFp) {
+                flock($lockFp, LOCK_UN);
+                fclose($lockFp);
+            }
+        }
     }
 
     /**
@@ -441,7 +469,31 @@ private function loadComposerNamespaces(ClassLoader $composer, array $composerPa
 
             if ($add) {
                 // Composer stores namespaces with trailing slash. We don't.
-                $newPaths[rtrim($namespace, '\\ ')] = $srcPaths;
+                // Validate and absolutize paths to prevent issues in parallel execution
+                $validatedPaths = [];
+                foreach ($srcPaths as $srcPath) {
+                    // Handle relative paths and paths with vendor/composer prefixes
+                    if (! str_starts_with($srcPath, '/') && (strlen($srcPath) < 2 || $srcPath[1] !== ':')) {
+                        // Relative path - make it absolute relative to VENDORPATH
+                        $srcPath = rtrim(VENDORPATH, '/\\') . DIRECTORY_SEPARATOR . ltrim($srcPath, '/\\');
+                    }
+
+                    // Remove /../ patterns to prevent malformed paths
+                    $srcPath = str_replace(['/../', '\\..\\'], DIRECTORY_SEPARATOR, $srcPath);
+
+                    // Use realpath if the path exists to get the canonical absolute path
+                    if (is_dir($srcPath)) {
+                        $srcPath = realpath($srcPath);
+                    }
+
+                    if ($srcPath !== false) {
+                        $validatedPaths[] = $srcPath;
+                    }
+                }
+
+                if ($validatedPaths !== []) {
+                    $newPaths[rtrim($namespace, '\\ ')] = $validatedPaths;
+                }
             }
         }