Two follow-ups discovered while pre-flighting local platform spin-up
(internal#77 dev-department extraction):
VALIDATOR (closes task #231)
Previous validate-tree.py used Path.resolve() everywhere — Python's
realpath equivalent that follows symlinks. Caused false positives on
parent template's cross-repo symlink (dev-lead → sibling repo):
validator reported 'resolves outside repo root' even though the
platform's resolveYAMLIncludes (workspace-server/internal/handlers/
org_include.go) accepts the path because filepath.Abs/Rel operate on
path STRINGS, not on the realpath.
Fix: introduce _abs_no_symlink_resolve() helper using os.path.abspath
(string-only) and _is_inside_root() that mirrors Go's filepath.Rel +
HasPrefix idiom. All places where the validator emulates the platform
security check now use these helpers; Path.resolve() is reserved for
cases that need realpath semantics (none currently).
Verified: validator now passes on parent template's dev-lead symlink
(was previously a hard error), still rejects truly-out-of-root
references (e.g. ../../../etc/passwd-style escapes).
LOCAL E2E SETUP SCRIPT (DX win)
New .molecule-ci/scripts/local-e2e-setup.sh — bootstraps the
/tmp/local-e2e-deploy/ sibling-clone fixture used by
workspace-server's TestLocalE2E_* tests. Idempotent (pulls latest)
with --fresh to wipe and re-clone. Exits non-zero with diagnostics
if the parent template's dev-lead symlink is missing or broken
(catches stale parent-template clones from before PR #5).
Refs:
internal#77 — extraction RFC
task #231 — validator-vs-platform symlink semantics
Hongming GO 2026-05-08 ('go' on the 3 pre-spin-up optimizations)
