@nathapp/nax 0.42.6 → 0.42.8

package/dist/nax.js

@@ -18992,6 +18992,11 @@ class SpawnAcpSession {
       "--file",
       "-"
     ];
+    getSafeLogger()?.info("acp-adapter", "Sending prompt", {
+      session: this.sessionName,
+      permission: this.permissionMode,
+      cmd: cmd.join(" ")
+    });
     getSafeLogger()?.debug("acp-adapter", `Sending prompt to session: ${this.sessionName}`);
     const proc = _spawnClientDeps.spawn(cmd, {
       cwd: this.cwd,
@@ -19075,6 +19080,7 @@ class SpawnAcpClient {
   model;
   cwd;
   timeoutSeconds;
+  permissionMode;
   env;
   pidRegistry;
   constructor(cmdStr, cwd, timeoutSeconds, pidRegistry) {
@@ -19088,6 +19094,7 @@ class SpawnAcpClient {
     this.agentName = lastToken;
     this.cwd = cwd || process.cwd();
     this.timeoutSeconds = timeoutSeconds || 1800;
+    this.permissionMode = "approve-reads";
     this.env = buildAllowedEnv2();
     this.pidRegistry = pidRegistry;
   }
@@ -19126,7 +19133,7 @@ class SpawnAcpClient {
       cwd: this.cwd,
       model: this.model,
       timeoutSeconds: this.timeoutSeconds,
-      permissionMode: "approve-all",
+      permissionMode: this.permissionMode,
       env: this.env,
       pidRegistry: this.pidRegistry
     });
@@ -19403,6 +19410,11 @@ class AcpAgentAdapter {
     }
     sessionName ??= buildSessionName(options.workdir, options.featureName, options.storyId, options.sessionRole);
     const permissionMode = options.dangerouslySkipPermissions ? "approve-all" : "approve-reads";
+    getSafeLogger()?.info("acp-adapter", "Permission mode resolved", {
+      permission: permissionMode,
+      dangerouslySkipPermissions: options.dangerouslySkipPermissions ?? false,
+      stage: options.featureName ? "run" : "plan"
+    });
     const session = await ensureAcpSession(client, sessionName, this.name, permissionMode);
     if (options.featureName && options.storyId) {
       await saveAcpSession(options.workdir, options.featureName, options.storyId, sessionName);
@@ -20200,14 +20212,27 @@ var init_chain = __esm(() => {
 });
 
 // src/utils/path-security.ts
-import { isAbsolute, join as join5, normalize, resolve } from "path";
+import { realpathSync } from "fs";
+import { dirname, isAbsolute, join as join5, normalize, resolve } from "path";
+function safeRealpath(p) {
+  try {
+    return realpathSync(p);
+  } catch {
+    try {
+      const parent = realpathSync(dirname(p));
+      return join5(parent, p.split("/").pop() ?? "");
+    } catch {
+      return p;
+    }
+  }
+}
 function validateModulePath(modulePath, allowedRoots) {
   if (!modulePath) {
     return { valid: false, error: "Module path is empty" };
   }
-  const normalizedRoots = allowedRoots.map((r) => resolve(r));
+  const normalizedRoots = allowedRoots.map((r) => safeRealpath(resolve(r)));
   if (isAbsolute(modulePath)) {
-    const absoluteTarget = normalize(modulePath);
+    const absoluteTarget = safeRealpath(normalize(modulePath));
     const isWithin = normalizedRoots.some((root) => {
       return absoluteTarget.startsWith(`${root}/`) || absoluteTarget === root;
     });
@@ -20216,7 +20241,7 @@ function validateModulePath(modulePath, allowedRoots) {
     }
   } else {
     for (const root of normalizedRoots) {
-      const absoluteTarget = resolve(join5(root, modulePath));
+      const absoluteTarget = safeRealpath(resolve(join5(root, modulePath)));
       if (absoluteTarget.startsWith(`${root}/`) || absoluteTarget === root) {
         return { valid: true, absolutePath: absoluteTarget };
       }
@@ -20496,7 +20521,7 @@ function isPlainObject2(value) {
 }
 
 // src/config/path-security.ts
-import { existsSync as existsSync4, lstatSync, realpathSync } from "fs";
+import { existsSync as existsSync4, lstatSync, realpathSync as realpathSync2 } from "fs";
 import { isAbsolute as isAbsolute2, normalize as normalize2, resolve as resolve3 } from "path";
 function validateDirectory(dirPath, baseDir) {
   const resolved = resolve3(dirPath);
@@ -20505,7 +20530,7 @@ function validateDirectory(dirPath, baseDir) {
   }
   let realPath;
   try {
-    realPath = realpathSync(resolved);
+    realPath = realpathSync2(resolved);
   } catch (error48) {
     throw new Error(`Failed to resolve path: ${dirPath} (${error48.message})`);
   }
@@ -20519,7 +20544,7 @@ function validateDirectory(dirPath, baseDir) {
   }
   if (baseDir) {
     const resolvedBase = resolve3(baseDir);
-    const realBase = existsSync4(resolvedBase) ? realpathSync(resolvedBase) : resolvedBase;
+    const realBase = existsSync4(resolvedBase) ? realpathSync2(resolvedBase) : resolvedBase;
     if (!isWithinDirectory(realPath, realBase)) {
       throw new Error(`Path is outside allowed directory: ${dirPath} (resolved to ${realPath}, base: ${realBase})`);
     }
@@ -20543,19 +20568,19 @@ function validateFilePath(filePath, baseDir) {
     if (!existsSync4(resolved)) {
       const parent = resolve3(resolved, "..");
       if (existsSync4(parent)) {
-        const realParent = realpathSync(parent);
+        const realParent = realpathSync2(parent);
         realPath = resolve3(realParent, filePath.split("/").pop() || "");
       } else {
         realPath = resolved;
       }
     } else {
-      realPath = realpathSync(resolved);
+      realPath = realpathSync2(resolved);
     }
   } catch (error48) {
     throw new Error(`Failed to resolve path: ${filePath} (${error48.message})`);
   }
   const resolvedBase = resolve3(baseDir);
-  const realBase = existsSync4(resolvedBase) ? realpathSync(resolvedBase) : resolvedBase;
+  const realBase = existsSync4(resolvedBase) ? realpathSync2(resolvedBase) : resolvedBase;
   if (!isWithinDirectory(realPath, realBase)) {
     throw new Error(`Path is outside allowed directory: ${filePath} (resolved to ${realPath}, base: ${realBase})`);
   }
@@ -21899,7 +21924,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@nathapp/nax",
-    version: "0.42.6",
+    version: "0.42.8",
     description: "AI Coding Agent Orchestrator \u2014 loops until done",
     type: "module",
     bin: {
@@ -21972,8 +21997,8 @@ var init_version = __esm(() => {
   NAX_VERSION = package_default.version;
   NAX_COMMIT = (() => {
     try {
-      if (/^[0-9a-f]{6,10}$/.test("deb8333"))
-        return "deb8333";
+      if (/^[0-9a-f]{6,10}$/.test("5dc5b37"))
+        return "5dc5b37";
     } catch {}
     try {
       const result = Bun.spawnSync(["git", "rev-parse", "--short", "HEAD"], {
@@ -24452,7 +24477,7 @@ var init_constitution = __esm(() => {
 });
 
 // src/pipeline/stages/constitution.ts
-import { dirname } from "path";
+import { dirname as dirname2 } from "path";
 var constitutionStage;
 var init_constitution2 = __esm(() => {
   init_constitution();
@@ -24462,7 +24487,7 @@ var init_constitution2 = __esm(() => {
     enabled: (ctx) => ctx.config.constitution.enabled,
     async execute(ctx) {
       const logger = getLogger();
-      const ngentDir = ctx.featureDir ? dirname(dirname(ctx.featureDir)) : `${ctx.workdir}/nax`;
+      const ngentDir = ctx.featureDir ? dirname2(dirname2(ctx.featureDir)) : `${ctx.workdir}/nax`;
       const result = await loadConstitution(ngentDir, ctx.config.constitution);
       if (result) {
         ctx.constitution = result;
@@ -25259,6 +25284,7 @@ var init_story_context = __esm(() => {
 });
 
 // src/execution/lock.ts
+import { unlink } from "fs/promises";
 import path8 from "path";
 function getSafeLogger3() {
   try {
@@ -25292,7 +25318,7 @@ async function acquireLock(workdir) {
         });
         const fs2 = await import("fs/promises");
         await fs2.unlink(lockPath).catch(() => {});
-        lockData2 = undefined;
+        lockData2 = null;
       }
       if (lockData2) {
         const lockPid = lockData2.pid;
@@ -25330,18 +25356,14 @@ async function acquireLock(workdir) {
 async function releaseLock(workdir) {
   const lockPath = path8.join(workdir, "nax.lock");
   try {
-    const file2 = Bun.file(lockPath);
-    const exists = await file2.exists();
-    if (exists) {
-      const proc = Bun.spawn(["rm", lockPath], { stdout: "pipe" });
-      await proc.exited;
-      await Bun.sleep(10);
-    }
+    await unlink(lockPath);
   } catch (error48) {
-    const logger = getSafeLogger3();
-    logger?.warn("execution", "Failed to release lock", {
-      error: error48.message
-    });
+    if (error48.code !== "ENOENT") {
+      const logger = getSafeLogger3();
+      logger?.warn("execution", "Failed to release lock", {
+        error: error48.message
+      });
+    }
   }
 }
 var init_lock = __esm(() => {
@@ -25684,17 +25706,17 @@ async function autoCommitIfDirty(workdir, stage, role, storyId) {
     });
     const gitRoot = (await new Response(topLevelProc.stdout).text()).trim();
     await topLevelProc.exited;
-    const { realpathSync: realpathSync3 } = await import("fs");
+    const { realpathSync: realpathSync4 } = await import("fs");
     const realWorkdir = (() => {
       try {
-        return realpathSync3(workdir);
+        return realpathSync4(workdir);
       } catch {
         return workdir;
       }
     })();
     const realGitRoot = (() => {
       try {
-        return realpathSync3(gitRoot);
+        return realpathSync4(gitRoot);
       } catch {
         return gitRoot;
       }
@@ -26986,7 +27008,7 @@ var init_session_runner = __esm(() => {
 });
 
 // src/tdd/verdict-reader.ts
-import { unlink } from "fs/promises";
+import { unlink as unlink2 } from "fs/promises";
 import path9 from "path";
 function isValidVerdict(obj) {
   if (!obj || typeof obj !== "object")
@@ -27186,7 +27208,7 @@ async function readVerdict(workdir) {
 async function cleanupVerdict(workdir) {
   const verdictPath = path9.join(workdir, VERDICT_FILE);
   try {
-    await unlink(verdictPath);
+    await unlink2(verdictPath);
   } catch {}
 }
 var VERDICT_FILE = ".nax-verifier-verdict.json";
@@ -30912,14 +30934,15 @@ function installSignalHandlers(ctx) {
   process.on("SIGINT", sigintHandler);
   process.on("SIGHUP", sighupHandler);
   process.on("uncaughtException", uncaughtExceptionHandler);
-  process.on("unhandledRejection", (reason) => unhandledRejectionHandler(reason));
+  const rejectionWrapper = (reason) => unhandledRejectionHandler(reason);
+  process.on("unhandledRejection", rejectionWrapper);
   logger?.debug("crash-recovery", "Signal handlers installed");
   return () => {
     process.removeListener("SIGTERM", sigtermHandler);
     process.removeListener("SIGINT", sigintHandler);
     process.removeListener("SIGHUP", sighupHandler);
     process.removeListener("uncaughtException", uncaughtExceptionHandler);
-    process.removeListener("unhandledRejection", (reason) => unhandledRejectionHandler(reason));
+    process.removeListener("unhandledRejection", rejectionWrapper);
     logger?.debug("crash-recovery", "Signal handlers unregistered");
   };
 }
@@ -33695,7 +33718,7 @@ var init_sequential_executor = __esm(() => {
 });
 
 // src/execution/status-file.ts
-import { rename, unlink as unlink2 } from "fs/promises";
+import { rename, unlink as unlink3 } from "fs/promises";
 import { resolve as resolve8 } from "path";
 function countProgress(prd) {
   const stories = prd.userStories;
@@ -33744,7 +33767,7 @@ async function writeStatusFile(filePath, status) {
   }
   const tmpPath = `${resolvedPath}.tmp`;
   try {
-    await unlink2(tmpPath);
+    await unlink3(tmpPath);
   } catch {}
   await Bun.write(tmpPath, JSON.stringify(status, null, 2));
   await rename(tmpPath, resolvedPath);
@@ -65836,7 +65859,18 @@ async function planCommand(workdir, config2, options) {
       throw new Error(`[plan] No agent adapter found for '${agentName}'`);
     const interactionBridge = createCliInteractionBridge();
     const pidRegistry = new PidRegistry(workdir);
-    logger?.info("plan", "Starting interactive planning session...", { agent: agentName });
+    const dangerouslySkipPermissions = config2?.execution?.dangerouslySkipPermissions ?? false;
+    const permissionMode = dangerouslySkipPermissions ? "approve-all" : "approve-reads";
+    const resolvedModel = config2?.plan?.model ?? "balanced";
+    logger?.info("plan", "Starting interactive planning session", {
+      agent: agentName,
+      model: resolvedModel,
+      permission: permissionMode,
+      workdir,
+      feature: options.feature,
+      timeoutSeconds
+    });
+    const planStartTime = Date.now();
     try {
       await adapter.plan({
         prompt,
@@ -65845,15 +65879,15 @@ async function planCommand(workdir, config2, options) {
         timeoutSeconds,
         interactionBridge,
         config: config2,
-        modelTier: config2?.plan?.model ?? "balanced",
-        dangerouslySkipPermissions: config2?.execution?.dangerouslySkipPermissions ?? false,
+        modelTier: resolvedModel,
+        dangerouslySkipPermissions,
         maxInteractionTurns: config2?.agent?.maxInteractionTurns,
         featureName: options.feature,
         pidRegistry
       });
     } finally {
       await pidRegistry.killAll().catch(() => {});
-      logger?.info("plan", "Interactive session ended");
+      logger?.info("plan", "Interactive session ended", { durationMs: Date.now() - planStartTime });
     }
     if (!_deps2.existsSync(outputPath)) {
       throw new Error(`[plan] Agent did not write PRD to ${outputPath}. Check agent logs for errors.`);
@@ -66140,7 +66174,7 @@ import { join as join13 } from "path";
 // src/commands/common.ts
 init_path_security2();
 init_errors3();
-import { existsSync as existsSync10, readdirSync as readdirSync2, realpathSync as realpathSync2 } from "fs";
+import { existsSync as existsSync10, readdirSync as readdirSync2, realpathSync as realpathSync3 } from "fs";
 import { join as join11, resolve as resolve6 } from "path";
 function resolveProject(options = {}) {
   const { dir, feature } = options;
@@ -66148,7 +66182,7 @@ function resolveProject(options = {}) {
   let naxDir;
   let configPath;
   if (dir) {
-    projectRoot = realpathSync2(resolve6(dir));
+    projectRoot = realpathSync3(resolve6(dir));
     naxDir = join11(projectRoot, "nax");
     if (!existsSync10(naxDir)) {
       throw new NaxError(`Directory does not contain a nax project: ${projectRoot}
@@ -66207,7 +66241,7 @@ function findProjectRoot(startDir) {
     const naxDir = join11(current, "nax");
     const configPath = join11(naxDir, "config.json");
     if (existsSync10(configPath)) {
-      return realpathSync2(current);
+      return realpathSync3(current);
     }
     const parent = join11(current, "..");
     if (parent === current) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nathapp/nax",
-  "version": "0.42.6",
+  "version": "0.42.8",
   "description": "AI Coding Agent Orchestrator — loops until done",
   "type": "module",
   "bin": {

package/src/agents/acp/adapter.ts

@@ -453,6 +453,11 @@ export class AcpAgentAdapter implements AgentAdapter {
 
     // 2. Permission mode follows dangerouslySkipPermissions, default is "approve-reads". or should --deny-all be the default?
     const permissionMode = options.dangerouslySkipPermissions ? "approve-all" : "approve-reads";
+    getSafeLogger()?.info("acp-adapter", "Permission mode resolved", {
+      permission: permissionMode,
+      dangerouslySkipPermissions: options.dangerouslySkipPermissions ?? false,
+      stage: options.featureName ? "run" : "plan",
+    });
 
     // 3. Ensure session (resume existing or create new)
     const session = await ensureAcpSession(client, sessionName, this.name, permissionMode);

package/src/agents/acp/spawn-client.ts

@@ -138,6 +138,11 @@ class SpawnAcpSession implements AcpSession {
       "-",
     ];
 
+    getSafeLogger()?.info("acp-adapter", "Sending prompt", {
+      session: this.sessionName,
+      permission: this.permissionMode,
+      cmd: cmd.join(" "),
+    });
     getSafeLogger()?.debug("acp-adapter", `Sending prompt to session: ${this.sessionName}`);
 
     const proc = _spawnClientDeps.spawn(cmd, {
@@ -254,6 +259,7 @@ export class SpawnAcpClient implements AcpClient {
   private readonly model: string;
   private readonly cwd: string;
   private readonly timeoutSeconds: number;
+  private readonly permissionMode: string;
   private readonly env: Record<string, string | undefined>;
   private readonly pidRegistry?: PidRegistry;
 
@@ -270,6 +276,7 @@ export class SpawnAcpClient implements AcpClient {
     this.agentName = lastToken;
     this.cwd = cwd || process.cwd();
     this.timeoutSeconds = timeoutSeconds || 1800;
+    this.permissionMode = "approve-reads";
     this.env = buildAllowedEnv();
     this.pidRegistry = pidRegistry;
   }
@@ -326,7 +333,7 @@ export class SpawnAcpClient implements AcpClient {
       cwd: this.cwd,
       model: this.model,
       timeoutSeconds: this.timeoutSeconds,
-      permissionMode: "approve-all", // Default for resumed sessions
+      permissionMode: this.permissionMode,
       env: this.env,
       pidRegistry: this.pidRegistry,
     });

package/src/cli/plan.ts

@@ -125,7 +125,18 @@ export async function planCommand(workdir: string, config: NaxConfig, options: P
     if (!adapter) throw new Error(`[plan] No agent adapter found for '${agentName}'`);
     const interactionBridge = createCliInteractionBridge();
     const pidRegistry = new PidRegistry(workdir);
-    logger?.info("plan", "Starting interactive planning session...", { agent: agentName });
+    const dangerouslySkipPermissions = config?.execution?.dangerouslySkipPermissions ?? false;
+    const permissionMode = dangerouslySkipPermissions ? "approve-all" : "approve-reads";
+    const resolvedModel = config?.plan?.model ?? "balanced";
+    logger?.info("plan", "Starting interactive planning session", {
+      agent: agentName,
+      model: resolvedModel,
+      permission: permissionMode,
+      workdir,
+      feature: options.feature,
+      timeoutSeconds,
+    });
+    const planStartTime = Date.now();
     try {
       await adapter.plan({
         prompt,
@@ -134,15 +145,15 @@ export async function planCommand(workdir: string, config: NaxConfig, options: P
         timeoutSeconds,
         interactionBridge,
         config,
-        modelTier: config?.plan?.model ?? "balanced",
-        dangerouslySkipPermissions: config?.execution?.dangerouslySkipPermissions ?? false,
+        modelTier: resolvedModel,
+        dangerouslySkipPermissions,
         maxInteractionTurns: config?.agent?.maxInteractionTurns,
         featureName: options.feature,
         pidRegistry,
       });
     } finally {
       await pidRegistry.killAll().catch(() => {});
-      logger?.info("plan", "Interactive session ended");
+      logger?.info("plan", "Interactive session ended", { durationMs: Date.now() - planStartTime });
     }
     // Read back from file written by agent
     if (!_deps.existsSync(outputPath)) {

package/src/execution/crash-signals.ts

@@ -134,7 +134,8 @@ export function installSignalHandlers(ctx: SignalHandlerContext): () => void {
   process.on("SIGINT", sigintHandler);
   process.on("SIGHUP", sighupHandler);
   process.on("uncaughtException", uncaughtExceptionHandler);
-  process.on("unhandledRejection", (reason) => unhandledRejectionHandler(reason));
+  const rejectionWrapper = (reason: unknown) => unhandledRejectionHandler(reason);
+  process.on("unhandledRejection", rejectionWrapper);
 
   logger?.debug("crash-recovery", "Signal handlers installed");
 
@@ -143,7 +144,7 @@ export function installSignalHandlers(ctx: SignalHandlerContext): () => void {
     process.removeListener("SIGINT", sigintHandler);
     process.removeListener("SIGHUP", sighupHandler);
     process.removeListener("uncaughtException", uncaughtExceptionHandler);
-    process.removeListener("unhandledRejection", (reason) => unhandledRejectionHandler(reason));
+    process.removeListener("unhandledRejection", rejectionWrapper);
     logger?.debug("crash-recovery", "Signal handlers unregistered");
   };
 }

package/src/execution/lock.ts

@@ -5,6 +5,7 @@
  * Prevents concurrent runs in the same directory.
  */
 
+import { unlink } from "node:fs/promises";
 import path from "node:path";
 import { getLogger } from "../logger";
 
@@ -49,7 +50,7 @@ export async function acquireLock(workdir: string): Promise<boolean> {
     if (exists) {
       // Read lock data
       const lockContent = await lockFile.text();
-      let lockData: { pid: number };
+      let lockData: { pid: number } | null;
       try {
         lockData = JSON.parse(lockContent);
       } catch {
@@ -61,7 +62,7 @@ export async function acquireLock(workdir: string): Promise<boolean> {
         const fs = await import("node:fs/promises");
         await fs.unlink(lockPath).catch(() => {});
         // Fall through to create a new lock
-        lockData = undefined as unknown as { pid: number };
+        lockData = null;
       }
 
       if (lockData) {
@@ -88,6 +89,7 @@ export async function acquireLock(workdir: string): Promise<boolean> {
       pid: process.pid,
       timestamp: Date.now(),
     };
+    // NOTE: Node.js fs used intentionally — Bun.file()/Bun.write() lacks O_CREAT|O_EXCL atomic exclusive create
     const fs = await import("node:fs");
     const fd = fs.openSync(lockPath, fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY, 0o644);
     fs.writeSync(fd, JSON.stringify(lockData));
@@ -114,18 +116,14 @@ export async function acquireLock(workdir: string): Promise<boolean> {
 export async function releaseLock(workdir: string): Promise<void> {
   const lockPath = path.join(workdir, "nax.lock");
   try {
-    const file = Bun.file(lockPath);
-    const exists = await file.exists();
-    if (exists) {
-      const proc = Bun.spawn(["rm", lockPath], { stdout: "pipe" });
-      await proc.exited;
-      // Wait a bit for filesystem to sync (prevents race in tests)
-      await Bun.sleep(10);
-    }
+    await unlink(lockPath);
   } catch (error) {
-    const logger = getSafeLogger();
-    logger?.warn("execution", "Failed to release lock", {
-      error: (error as Error).message,
-    });
+    // Ignore ENOENT (already gone), log others
+    if ((error as NodeJS.ErrnoException).code !== "ENOENT") {
+      const logger = getSafeLogger();
+      logger?.warn("execution", "Failed to release lock", {
+        error: (error as Error).message,
+      });
+    }
   }
 }

package/src/utils/path-security.ts

@@ -2,7 +2,8 @@
  * Path security utilities for nax (SEC-1, SEC-2).
  */
 
-import { isAbsolute, join, normalize, resolve } from "node:path";
+import { realpathSync } from "node:fs";
+import { dirname, isAbsolute, join, normalize, resolve } from "node:path";
 
 /**
  * Result of a path validation.
@@ -23,16 +24,32 @@ export interface PathValidationResult {
  * @param allowedRoots - Array of absolute paths that are allowed as roots
  * @returns Validation result
  */
+/** Resolve symlinks for a path that may not exist yet (fall back to parent dir). */
+function safeRealpath(p: string): string {
+  try {
+    return realpathSync(p);
+  } catch {
+    // Path doesn't exist — resolve the parent directory instead
+    try {
+      const parent = realpathSync(dirname(p));
+      return join(parent, p.split("/").pop() ?? "");
+    } catch {
+      return p;
+    }
+  }
+}
+
 export function validateModulePath(modulePath: string, allowedRoots: string[]): PathValidationResult {
   if (!modulePath) {
     return { valid: false, error: "Module path is empty" };
   }
 
-  const normalizedRoots = allowedRoots.map((r) => resolve(r));
+  // Resolve symlinks in each root
+  const normalizedRoots = allowedRoots.map((r) => safeRealpath(resolve(r)));
 
   // If absolute, just check against roots
   if (isAbsolute(modulePath)) {
-    const absoluteTarget = normalize(modulePath);
+    const absoluteTarget = safeRealpath(normalize(modulePath));
     const isWithin = normalizedRoots.some((root) => {
       return absoluteTarget.startsWith(`${root}/`) || absoluteTarget === root;
     });
@@ -42,7 +59,7 @@ export function validateModulePath(modulePath: string, allowedRoots: string[]):
   } else {
     // If relative, check if it's within any root when resolved relative to that root
     for (const root of normalizedRoots) {
-      const absoluteTarget = resolve(join(root, modulePath));
+      const absoluteTarget = safeRealpath(resolve(join(root, modulePath)));
       if (absoluteTarget.startsWith(`${root}/`) || absoluteTarget === root) {
         return { valid: true, absolutePath: absoluteTarget };
       }