[MINOR] validateDocmapPath does not verify that the resolved target is a regular file (e.g., fi.Mode().IsRegular()). While Git cannot store FIFOs/device nodes, if the workspace were tampered with out-of-band, opening a named pipe or special file could cause blocking or unexpected behavior. Adding a regular-file check would harden against such DoS vectors.
[MINOR] Residual TOCTOU remains between the size check (os.Lstat) and later open/parse in review.ParseDocMapConfig, which could theoretically allow a larger file to be swapped in after validation. Low practical risk in CI, but for defense-in-depth consider rechecking after open or using a size-limited reader.
Security Review
[MINOR] Potential TOCTOU: validateDocmapPath validates the fully-resolved path (resolvedPath), but downstream code later opens the file using the original flag value (*docmapFlag). While low-risk in CI, using the validated resolved path for reading would eliminate any check-then-use race.
Security Review
[MINOR] Allowing in-repo symlinks (after EvalSymlinks) introduces a small TOCTOU window: validation is performed on the resolved path but the subsequent read uses the original flag value elsewhere (ParseDocMapConfig). Consider passing the resolved path through to the read to avoid potential race conditions where a symlink target could be changed between validation and use.
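The four findings above share one remedy: resolve the path once, then do the regular-file and size checks on the descriptor that is actually read, and bound the read itself. The following Go program is an added example written to illustrate that pattern; it is not code from the project under review. readDocmap, maxDocmapBytes, repoRoot and the error variables are assumed names, and the 64 KiB cap is a placeholder for whatever limit the project enforces. It keeps a cheap Lstat before open so that a FIFO is rejected without a blocking open, then repeats the checks with File.Stat (fstat) on the open handle and reads through io.LimitReader, so a swap between validation and use cannot substitute a different object or an unbounded file.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// maxDocmapBytes is an assumed size cap; the project's real limit is not
// shown in the review, so this value is hypothetical.
const maxDocmapBytes = 64 * 1024

var (
	errOutsideRepo = errors.New("docmap path resolves outside the repository")
	errNotRegular  = errors.New("docmap path is not a regular file")
	errTooLarge    = errors.New("docmap file exceeds size limit")
)

// readDocmap resolves path through any symlinks, requires the target to stay
// under repoRoot, and then reads it with every check applied to the same
// open descriptor that supplies the bytes. Only the resolved path is ever
// opened; the caller's original path string is not reused after validation.
func readDocmap(repoRoot, path string) ([]byte, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(path)
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, errOutsideRepo
	}

	// Pre-open check: rejects FIFOs, devices and directories before os.Open,
	// because opening a FIFO for reading blocks until a writer appears. This
	// check alone is racy, which is why it is repeated on the handle below.
	fi, err := os.Lstat(resolved)
	if err != nil {
		return nil, err
	}
	if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("%w: %s (%s)", errNotRegular, resolved, fi.Mode())
	}

	f, err := os.Open(resolved)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	// Post-open check: fstat on the descriptor we will read from. A file or
	// symlink swapped in after the Lstat cannot change what this handle
	// refers to, so the mode and size seen here belong to the bytes read.
	fi, err = f.Stat()
	if err != nil {
		return nil, err
	}
	if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("%w: %s (%s)", errNotRegular, resolved, fi.Mode())
	}
	if fi.Size() > maxDocmapBytes {
		return nil, fmt.Errorf("%w: %d bytes", errTooLarge, fi.Size())
	}

	// Read at most one byte over the cap so that a file grown in place after
	// the fstat is detected instead of being consumed without bound.
	data, err := io.ReadAll(io.LimitReader(f, maxDocmapBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxDocmapBytes {
		return nil, errTooLarge
	}
	return data, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: docmapcheck <repo-root> <docmap-path>")
		os.Exit(2)
	}
	data, err := readDocmap(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("read %d bytes of docmap config\n", len(data))
}
```

The one window this portable version leaves open is a regular file replaced by a FIFO between the Lstat and the os.Open, which would block the open; on Unix that can be closed by opening with O_NONBLOCK and relying solely on the fstat, at the cost of platform-specific flags. The parsed result should be built from the returned bytes rather than from a second open of the flag value, which is the residual issue the findings above describe.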