
fix: harden path sandboxing with symlink protection, safe defaults, and sensitive file guards #204

Closed
anandgupta42 wants to merge 10000 commits into main from fix/security-hardening-v1

Conversation

@anandgupta42
Contributor

@anandgupta42 anandgupta42 commented Mar 16, 2026

What does this PR do?

Hardens the security posture of Altimate Code's path sandboxing and permission system, addressing the same class of vulnerabilities that led to CVEs in Codex (GHSA-w5fx-fh39-j5rw, CVSS 8.6) and Claude Code (CVE-2025-54794, CVSS 7.7). Reviewed by 6 AI models (Claude, GPT 5.2 Codex, Gemini 3.1 Pro, Kimi K2.5, MiniMax M2.5, GLM-5).

Five areas of improvement:

  1. Symlink escape protection — Filesystem.containsReal() resolves symlinks via realpathSync before checking containment. Rejects paths with unresolved .. segments to prevent divergence between realpathSync (lexical .. normalization) and kernel behavior (follows symlink then applies ..). Also adds isAbsolute(rel) check for Windows cross-drive bypass.

  2. Safe permission defaults — Destructive shell/git commands (rm -rf, git push --force, git reset --hard) now prompt before execution instead of running silently. Database DDL (DROP DATABASE, DROP SCHEMA, TRUNCATE) is blocked entirely. Users can override in config.

  3. Sensitive file guards — New assertSensitiveWrite() check on write, edit, apply_patch, and move operations that prompts before modifying .env*, .ssh/, .aws/, .git/, credential files, and private keys (.pem, .key) — even inside the project boundary. Case-insensitive on macOS/Windows.

  4. Critical fix: realpathSync vs kernel divergence — Gemini 3.1 Pro discovered that realpathSync("project/symlink/..") returns project/ (lexical) while the kernel writes to the parent of the symlink target (outside project). Fixed by rejecting any unresolved path containing .. segments.

  5. Documentation — Updated SECURITY.md, permissions docs with 3 recommended configs and rule ordering guidance, and security FAQ with new sections on sensitive file prompts, default command protections, and best practices.

UX Impact

| Change | User Impact | What users will notice |
| --- | --- | --- |
| Symlink-aware path checks | None | Transparent — only blocks symlinks pointing outside the project |
| Windows cross-drive fix | None | Only relevant on Windows edge case |
| .. segment rejection | None | Normal tools already strip .. — only catches crafted paths |
| Bash defaults: destructive → ask | Low | rm -rf, git push --force, etc. now prompt instead of running silently. "Allow always" available. |
| Bash defaults: database DDL → deny | Low | DROP DATABASE, TRUNCATE blocked entirely. Override in config if needed. |
| Sensitive file prompts | Medium | First edit of .env, .ssh/, .aws/, credential files prompts. "Allow always" per-file for the session. |

Key UX decisions:

  • ask instead of deny for shell/git commands — Blocking rm -rf ./build or git push --force after rebase would break common workflows. Prompting lets users approve safely.
  • "Allow always" for sensitive files — Users click once per .env file per session, not on every edit.
  • .github NOT in sensitive dirs — CI/CD workflow editing is a core use case; prompting every time would cause approval fatigue.
  • Database DDL is the only hard block — DROP DATABASE, DROP SCHEMA, TRUNCATE are almost never intentional in agent context.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Documentation update

Issue for this PR

Closes #202

How did you verify your code works?

  • 105 tests passing (27 unit + 73 e2e + 5 existing external-directory tests)
  • E2E tests use real filesystem operations (symlinks, tmp dirs, real path resolution)
  • Test coverage includes:
    • Symlink escape: file symlink, directory symlink, chained symlinks, relative symlinks, symlink/../ kernel divergence attack
    • Path traversal via File.read/File.list
    • Absolute path escape and prefix collision
    • Non-git project worktree safety
    • Sensitive dir/file detection: .git, .ssh, .aws, .env*, credentials, private keys
    • Case-insensitive detection on macOS/Windows
    • Certificate extension detection (.pem, .key, .p12, .pfx)
    • assertSensitiveWrite prompting for sensitive files, no-op for normal files
    • Bash deny defaults evaluation: database DDL denied, shell commands prompted
    • User config override merge semantics (last-match-wins)
    • Windows backslash path handling
  • Typecheck passes (4/4 turbo tasks)
  • Multi-model code review by 6 models with all findings addressed

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective
  • New and existing tests pass locally with my changes

🤖 Generated with Claude Code


Development

Successfully merging this pull request may close these issues.

fix: harden path sandboxing — symlink escape, cross-drive bypass, no OS sandbox