
fix: enforce .rooignore rules for codebase indexing, search results, and file listing#11798

Open
roomote[bot] wants to merge 1 commit intomainfrom
fix/rooignore-enforcement-11797

Conversation


@roomote roomote bot commented Feb 28, 2026

Related GitHub Issue

Closes: #11797

Description

This PR attempts to address Issue #11797 where .rooignore rules were not being enforced for codebase indexing, file reads, or environment file listing. Feedback and guidance are welcome.

Three interconnected fixes:

  1. Harden validateAccess() in RooIgnoreController.ts: When realpathSync resolves a path outside cwd (common with git submodules and symlinks), the code now falls back to the original absolute path for relative path computation instead of producing ../ paths that the ignore library cannot match. The outer catch block now fails closed (deny access) instead of silently allowing access on errors.

  2. Add .rooignore post-filtering in CodebaseSearchTool.ts: Search results from the vector store are now filtered through task.rooIgnoreController.validateAccess() before being returned to the LLM. This ensures files that were indexed before being added to .rooignore (or that bypassed filtering during indexing) are excluded from search results.

  3. Pass RooIgnoreController from manager to scanner via service-factory: The scanner previously created its own RooIgnoreController using the scan directory path, which could differ from the workspace root where .rooignore lives. Now the manager's controller is passed through to the scanner, ensuring consistent .rooignore enforcement.

Note on environment_details lock icons: Fix 1 directly addresses the missing lock icons in the environment_details file listing, since formatResponse.formatFilesList calls validateAccess() on the same RooIgnoreController. The existing responses-rooignore.spec.ts tests verify this behavior.

Test Procedure

  • Added new unit tests for validateAccess covering:
    • Paths resolving outside cwd via realpathSync (submodule scenario) -- falls back to original path
    • Paths outside cwd now denied (fail closed)
    • Unexpected errors in validateAccess now deny access (fail closed)
  • Added new codebaseSearchTool.spec.ts test file covering:
    • Filtering out rooignored files from search results
    • Returning "no results" when all results are filtered
    • Passing all results through when no controller is set
  • All existing tests pass with no regressions (45 tests across 4 test files)

Run tests:

cd src && npx vitest run core/ignore/__tests__/RooIgnoreController.spec.ts
cd src && npx vitest run core/tools/__tests__/codebaseSearchTool.spec.ts
cd src && npx vitest run core/prompts/__tests__/responses-rooignore.spec.ts
cd src && npx vitest run services/code-index/processors/__tests__/scanner.spec.ts

Pre-Submission Checklist

  • Issue Linked: This PR is linked to an approved GitHub Issue (see "Related GitHub Issue" above).
  • Scope: My changes are focused on the linked issue (one major feature/fix per PR).
  • Self-Review: I have performed a thorough self-review of my code.
  • Testing: New and/or updated tests have been added to cover my changes.
  • Documentation Impact: No documentation updates are required.
  • Contribution Guidelines: I have read and agree to the Contributor Guidelines.

Documentation Updates

  • No documentation updates are required.

Additional Notes

  • The behavior change for paths outside cwd (now denied instead of allowed) is intentional -- this is a security-focused "fail closed" approach. If there are legitimate use cases for accessing files outside cwd while .rooignore is active, this could be revisited.
  • The scanner constructor change is backward-compatible -- the rooIgnoreController parameter is optional, and the scanner falls back to creating its own if none is provided.
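Worked example of the fail-closed path check the description outlines (added here; not code from this PR or the Roo Code project). It assumes a simplified prefix matcher in place of the `ignore` library, and the `validateAccess` / `demo` functions are this example's own, not the project's:

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
// Stand-in for the `ignore` library (assumption: the real .rooignore uses
// gitignore syntax); a rule matches a relative path exactly or as a dir prefix.
function isIgnored(rules: string[], rel: string): boolean {
  const p = rel.split(path.sep).join("/");
  return rules.some((r) => p === r || p.startsWith(r.replace(/\/$/, "") + "/"));
}
function isOutsideCwd(rel: string): boolean {
  return rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
}
// Fail-closed check: resolve symlinks, but if realpath lands outside cwd
// (submodule/symlink case) fall back to the lexical absolute path so the
// relative path is one the matcher can handle; deny anything still outside
// cwd, and deny on any unexpected error instead of silently allowing.
function validateAccess(cwd: string, rules: string[], filePath: string): boolean {
  try {
    const absolute = path.resolve(cwd, filePath);
    let resolved = absolute;
    try { resolved = fs.realpathSync(absolute); } catch { /* not on disk yet */ }
    let rel = path.relative(cwd, resolved);
    if (isOutsideCwd(rel)) rel = path.relative(cwd, absolute); // realpath fallback
    if (isOutsideCwd(rel)) return false; // outside the workspace: deny
    return !isIgnored(rules, rel);
  } catch {
    return false; // fail closed
  }
}
// Constructed fixture: a workspace with an ignored secrets dir and a symlink
// inside the workspace that points at a file outside it.
function demo(): Record<string, boolean> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "rooignore-"));
  const cwd = path.join(root, "workspace");
  fs.mkdirSync(path.join(cwd, "secrets"), { recursive: true });
  fs.writeFileSync(path.join(cwd, "secrets", "key.pem"), "dummy");
  fs.writeFileSync(path.join(root, "outside.txt"), "dummy");
  fs.symlinkSync(path.join(root, "outside.txt"), path.join(cwd, "link.txt"));
  const rules = ["secrets/", "link.txt"];
  return {
    secret: validateAccess(cwd, rules, "secrets/key.pem"), // ignored: denied
    link: validateAccess(cwd, rules, "link.txt"),          // symlink out: denied
    normal: validateAccess(cwd, rules, "src/index.ts"),    // not ignored: allowed
    outside: validateAccess(cwd, rules, "../outside.txt"), // outside cwd: denied
  };
}
```

Before the fallback, the symlink case produced a `../` relative path that the matcher could not handle, and an error there was treated as "allow"; with the fallback the rule is matched against `link.txt` and any remaining failure denies.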


…file listing

- Harden validateAccess() to fall back to original path when realpath
  resolves outside cwd (fixes submodule/symlink bypass)
- Change error handling in validateAccess() to fail closed (deny access)
  instead of fail open
- Add .rooignore post-filtering in CodebaseSearchTool to exclude ignored
  files from search results even if they were previously indexed
- Pass RooIgnoreController from manager through service-factory to scanner
  so the scanner reuses the workspace-root controller instead of creating
  its own from the scan directory
- Fix FileWatcher to initialize fallback RooIgnoreController in
  initialize() so .rooignore rules load even when manager controller
  is not passed
- Add tests for realpath-outside-cwd fallback, fail-closed error handling,
  CodebaseSearchTool rooignore filtering, and scanner controller passthrough

Fixes #11797
@roomote roomote bot force-pushed the fix/rooignore-enforcement-11797 branch from 91f662a to ba42cbd Compare February 28, 2026 15:43
@roomote roomote bot marked this pull request as ready for review February 28, 2026 15:44
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Feb 28, 2026

@frbrdan-code frbrdan-code left a comment


LGTM


Successfully merging this pull request may close these issues.

[BUG] .rooignore rules not enforced for codebase indexing, file reads, or environment file listing