fix(security): resolve symlinks in path validation to block out-of-root reads (#527)

[colbymchenry]

Summary

validatePathWithinRoot was purely lexical (path.resolve + startsWith), so an in-repo symlink whose logical path is inside the project root but whose real target escapes it passed validation. Both content-serving read sinks (codegraph_node includeCode, codegraph_explore source) then readFileSync'd the returned path and followed the symlink, leaking out-of-root file contents (e.g. ~/.ssh, /etc) to the agent.

Fix

A realpath layer on validatePathWithinRoot: after the cheap lexical check, resolve symlinks on both the candidate path and the root and re-compare — rejecting anything whose real path escapes the root, while still allowing symlinks that stay within the root (no over-blocking). Comparison is case-insensitive on Windows (NTFS + realpath casing). Not-yet-existing paths (ENOENT) fall back to the lexical result so about-to-be-written files still validate; other resolution errors reject. Removes the dead, never-called isPathWithinRoot / isPathWithinRootReal helpers (the latter a footgun — it returned true on realpath failure).

Tests (RED → GREEN)

New tests in security.test.ts, written first and failing on unfixed main — the end-to-end case proved the leak (getCode returned the full out-of-root file body). Coverage: in→out file & dir symlinks rejected, in→in allowed, ../ rejected, ENOENT allowed, plus the end-to-end getCode guarantee.

Cross-platform validation

Platform	Security suite	Full suite
macOS (native)	42 pass / 2 skip	1259 pass, 0 fail
Linux (Docker node:22-bookworm, --init)	42 pass (escape blocked)	1259 pass, 0 fail
Windows (Parallels VM, Node 24, symlink-capable)	42 pass (escapes ran for real)	deltas all pre-existing (matched origin/main baseline) or a flaky daemon race

Addresses #527.

🤖 Generated with Claude Code