Skip to content

fix: address PR #11798 feedback on rooignore enforcement (#11797)#11799

Closed
roomote[bot] wants to merge 2 commits intofix/rooignore-enforcement-11797from
fix/rooignore-enforcement-11797-followup
Closed

fix: address PR #11798 feedback on rooignore enforcement (#11797)#11799
roomote[bot] wants to merge 2 commits intofix/rooignore-enforcement-11797from
fix/rooignore-enforcement-11797-followup

Conversation

@roomote
Copy link
Contributor

@roomote roomote bot commented Feb 28, 2026
edited
Loading

Related GitHub Issue

Closes: #11797

This PR attempts to address the feedback from @frbrdan-code on PR #11798.

Description

Addresses all 4 review comments on the rooignore enforcement PR:

  1. FileWatcher cwd mismatch (Comment 1): The FileWatcher fallback new RooIgnoreController(workspacePath) was never initialized, meaning .rooignore patterns would not load for incremental re-indexing when the manager's controller was not passed. Added ignoreControllerIsOwned flag and initialize() call for the fallback path.

  2. validateAccess behavior change for outside-cwd paths (Comment 2): Updated security spec tests to expect false (denial) for paths outside cwd, matching the new fail-closed behavior. Spot-checked all callers -- they pass relative or within-cwd paths, so the behavior change is safe.

  3. Scanner controller passthrough test (Comment 3): Added two tests: one verifying the provided RooIgnoreController is used (and not re-initialized), another verifying fallback creation and initialization when none is provided.

  4. filteredResults guard clause clarity (Comment 4): Added clarifying comment that the !result.payload check is a structural guard clause, not an ignore decision.

Test Procedure

  • cd src && npx vitest run core/ignore/__tests__/RooIgnoreController.security.spec.ts -- 11 passed
  • cd src && npx vitest run core/ignore/__tests__/RooIgnoreController.spec.ts -- 24 passed
  • cd src && npx vitest run services/code-index/processors/__tests__/scanner.spec.ts -- 12 passed
  • cd src && npx vitest run core/tools/__tests__/codebaseSearchTool.spec.ts -- 3 passed
  • All lint and type checks pass

Pre-Submission Checklist

  • Issue Linked: This PR is linked to an approved GitHub Issue.
  • Scope: Changes are focused on addressing the 4 review comments.
  • Self-Review: Performed a thorough self-review.
  • Testing: New and updated tests cover all changes.
  • Documentation Impact: No documentation updates required.
  • Contribution Guidelines: Read and agree.

Documentation Updates

  • No documentation updates are required.

Additional Notes

Feedback and guidance are welcome.

Interactively review PR in Roo Code Cloud

@roomote
fix: enforce .rooignore rules for codebase indexing, file reads, and …
91f662a 
…file listing

- Harden validateAccess() to fall back to original path when realpath
  resolves outside cwd (fixes submodule/symlink bypass)
- Change error handling in validateAccess() to fail closed (deny access)
  instead of fail open
- Add .rooignore post-filtering in CodebaseSearchTool to exclude ignored
  files from search results even if they were previously indexed
- Pass RooIgnoreController from manager through service-factory to scanner
  so the scanner reuses the workspace-root controller instead of creating
  its own from the scan directory
- Add tests for realpath-outside-cwd fallback, fail-closed error handling,
  and CodebaseSearchTool rooignore filtering

Fixes #11797
@roomote
fix: address PR feedback on rooignore enforcement (#11797)
2c4bd4c 
1. FileWatcher: initialize fallback RooIgnoreController in initialize()
   so .rooignore rules load even when manager controller is not passed.
   Added ignoreControllerIsOwned flag to track ownership.

2. validateAccess: update security spec tests to expect denial for
   paths outside cwd, matching the new fail-closed behavior.

3. Scanner: add passthrough test verifying that provided controller
   is used (and not re-initialized) vs fallback creation.

4. CodebaseSearchTool: add clarifying comment on guard clause that
   drops payload-less entries (structural no-op, not ignore decision).
@roomote roomote bot mentioned this pull request Feb 28, 2026
Open
@roomote roomote bot force-pushed the fix/rooignore-enforcement-11797 branch from 91f662a to ba42cbd Compare February 28, 2026 15:43
@roomote
Copy link
Contributor Author

roomote bot commented Feb 28, 2026

Closing this PR - changes have been squashed into a single commit on PR #11798 as requested.

@roomote roomote bot closed this Feb 28, 2026
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Feb 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens will be requested when the pull request is marked ready for review mrubens is a code owner

@cte cte Awaiting requested review from cte cte will be requested when the pull request is marked ready for review cte is a code owner

@jr jr Awaiting requested review from jr jr will be requested when the pull request is marked ready for review jr is a code owner

@hannesrudolph hannesrudolph Awaiting requested review from hannesrudolph hannesrudolph will be requested when the pull request is marked ready for review hannesrudolph is a code owner

@daniel-lxs daniel-lxs Awaiting requested review from daniel-lxs daniel-lxs will be requested when the pull request is marked ready for review daniel-lxs is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@roomote