9673a9d53c
Merge pull request 'fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass' (#152) from issue-150 into main
Finding #5 (ACK-NOT-VALID): User-facing error messages intentionally reference *docmapFlag (the original --docmap value) rather than the resolved path. Showing the resolved path in errors would confuse users who passed a symlink — they would see a path they never specified. Using the flag value is the correct UX; the resolved path is used internally for all I/O.
Finding #4 (ACK-NOT-VALID): os.Lstat is intentionally used here for consistency with checkStaleDocs, which also uses Lstat to avoid implicit symlink-follow semantics. Switching to os.Stat post-EvalSymlinks would be equivalent at runtime but would create a mixed Stat/Lstat pattern across the same file that could confuse future readers. The deliberate choice is noted in the comment.
Finding #2 (ACK-NOT-VALID): Acknowledged. The reviewer confirms the ModeSymlink removal is correct — the check was genuinely unreachable after filepath.EvalSymlinks, the comment is accurate, and the removal is a deliberate documented choice. No action needed.
Finding #1 (ACK-NOT-VALID): Acknowledged. The reviewer explicitly notes this is a known limitation of the os.SameFile pattern and that "no action is required" — the code comment already labels it defense-in-depth. The narrow hardlink-swap window is a theoretical OS-level limitation, not a defect introduced here. No change needed.
Finding #1 (ACK-NOT-VALID): Acknowledged. The reviewer explicitly notes this is a known limitation of the os.SameFile pattern and that "no action is required" — the code comment already labels it defense-in-depth. No code change needed. (Ref: fix plan comment 27994)
Finding #1 (ACK-NOT-VALID): Acknowledged. The reviewer explicitly notes this is a known limitation of the os.SameFile pattern and that "no action is required" — the code comment already labels it defense-in-depth. No code change needed.
Finding #1 (ACK-NOT-VALID): Acknowledged. The reviewer explicitly notes this is a known limitation of the os.SameFile pattern and that "no action is required" — the code comment already labels it defense-in-depth. No code change needed.
Finding #1 (ACK-NOT-VALID): Acknowledged. The reviewer explicitly notes this is a known limitation of the os.SameFile pattern and that "no action is required" — the code comment already labels it defense-in-depth. No code change needed.
Finding #1 (ACK-NOT-VALID — Review #4814): The reviewer explicitly notes this is a known limitation of the os.SameFile pattern and states "no action is required." The code comment already labels this guard as defense-in-depth. No change needed.
Self-Review: PR #152
Self-review against eb0ff3aa69f152dd995de91c88227d3e32ac2917
Phase 1: Independent Findings
None — diff looks clean.
Reviewed validatedocmap.go and `validatedocmap_t…
Self-Review: PR #152
Self-review against eb0ff3aa69f152dd995de91c88227d3e32ac2917
Phase 1: Independent Findings
None — diff looks clean.
Reviewed validatedocmap.go and `validatedocma…
Self-Review: PR #152
Self-review against eb0ff3aa69f152dd995de91c88227d3e32ac2917
Phase 1: Independent Findings
None — diff looks clean.
Reviewed validatedocmap.go and `validatedocma…
Self-Review: PR #152
Self-review against eb0ff3aa69f152dd995de91c88227d3e32ac2917
Phase 1: Independent Findings
None — diff looks clean.
Reviewed validatedocmap.go and `validatedocmap_…