Rodin
b22de19aa1
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 25s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 41s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 48s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 54s
Finding #1 [MAJOR]: replace os.Stat with os.Lstat in checkStaleDocs to prevent symlink traversal. Symlinks under repoRoot could probe arbitrary host file existence; Lstat never follows them. Symlinked docs are now treated as stale. Finding #2 [MINOR]: resolve --repo-root with filepath.Abs + filepath.EvalSymlinks before passing to checkStaleDocs, so a symlinked repo-root cannot bypass the filepath.Rel escape guard. Finding #3 [NIT]: reject backslashes in ValidateDocPath to prevent Windows platform edge cases where a path separator may be normalised differently by the host OS or VCS backend. Tests added: - TestCheckStaleDocs_SymlinkOutside: symlink inside repo → outside - TestCheckStaleDocs_SymlinkInsideRepo: intra-repo symlink also rejected - TestRunValidateDocmap_SymlinkRepoRoot: symlinked --repo-root resolves OK - TestValidateDocPath_Backslash: backslash paths rejected - Backslash cases added to TestValidateDocPath invalid slice All go test ./... pass, go vet ./... clean.