Koda-core File Mutation Paths Expose Symlink Escape and TOCTOU Race Conditions in Sandbox Isolation
A critical security review has identified overlapping vulnerabilities in the file mutation paths of koda-core, specifically within `koda-core/src/tools/file_tools.rs`. The flaw stems from a fundamental mismatch between logical path validation and the actual filesystem operations: the code relies on `safe_resolve_path` for access control, but the subsequent mutations use `tokio::fs` functions that follow symlinks, so the boundary the check was meant to enforce is never applied to the path the kernel actually opens.
The first vulnerability class involves symlink escape via the final target. An attacker can construct a path that appears logically under the project root—passing the `safe_resolve_path` check through logical cleaning and prefix validation—but where the final filename or a parent directory resolves via symlink to a location outside the project. When `tokio::fs::write` executes, it mutates that external target, not the validated path. The second issue compounds the first: a Time-of-Check-Time-of-Use (TOCTOU) race exists between the validation step and the actual syscall. An attacker with filesystem access could replace a directory with a symlink between the check and the write, redirecting the mutation to an unintended location. While sandboxed workers have separate symlink-escape mitigations, the local, no-sandbox, and in-process mutation paths lack equivalent enforcement, leaving those execution modes exposed.
The issue was surfaced during architecture review #1265 and classified as a Tier 1 security item (P0/P1 priority #2), indicating an urgent hardening requirement. The vulnerability affects any deployment relying on local filesystem mutations without sandbox isolation, particularly in CI/CD pipelines, local development environments, or systems where koda-core operates in-process. Without remediation, malicious or compromised input could escape intended directory boundaries, leading to unauthorized file writes, data corruption, or privilege escalation depending on the target filesystem permissions. The recommended mitigation involves enforcing symlink resolution at the point of mutation rather than relying on pre-validation alone, closing the race window that allows exploitation between check and use operations.
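The mitigation recommended above, as an added Rust example that is not koda-core's own code: a write that re-checks the physical target at the point of mutation instead of trusting the earlier logical check. `checked_write` and its inline lexical pre-check (a stand-in for `safe_resolve_path`, not a copy of it) are assumptions; it uses `std::fs` rather than `tokio::fs`, and it is Unix-only because it compares device/inode numbers to detect a swap between check and use.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, ErrorKind, Write};
use std::os::unix::fs::MetadataExt;
use std::path::{Component, Path};

fn deny(msg: &str) -> io::Error {
    io::Error::new(ErrorKind::PermissionDenied, msg.to_string())
}

/// Hardened write for a path relative to the project root. Step 0 is the purely
/// lexical check (stand-in for `safe_resolve_path`, assumed here, not copied);
/// steps 1-3 re-check the *physical* target at the point of mutation.
pub fn checked_write(root: &Path, rel: &str, contents: &[u8]) -> io::Result<()> {
    // 0. Lexical: no `..`, no absolute components. This alone cannot see symlinks.
    if Path::new(rel).components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(deny("path escapes root lexically"));
    }
    let root = fs::canonicalize(root)?;
    let target = root.join(rel);
    let parent = target.parent().ok_or_else(|| deny("no parent directory"))?;
    // 1. canonicalize() follows every symlink in the chain, so a parent directory that
    //    is (or sits under) a symlink pointing outside the root is rejected here.
    if !fs::canonicalize(parent)?.starts_with(&root) {
        return Err(deny("parent directory resolves outside root"));
    }
    // 2. lstat the final component: a symlink here would be followed by a plain write().
    let pre = match fs::symlink_metadata(&target) {
        Ok(m) if m.file_type().is_symlink() => return Err(deny("final component is a symlink")),
        Ok(m) => Some(m),
        Err(e) if e.kind() == ErrorKind::NotFound => None,
        Err(e) => return Err(e),
    };
    // 3. Open in a way that detects a swap between the check and the syscall.
    let mut file = match pre {
        // O_CREAT|O_EXCL refuses to follow a symlink planted after step 2.
        None => OpenOptions::new().write(true).create_new(true).open(&target)?,
        Some(before) => {
            // Open without truncating, then fstat the descriptor: if the inode differs
            // from the one inspected in step 2, the target was replaced and nothing has
            // been written yet. (Races on parent directories need openat()-style
            // directory handles, which std does not expose; they are not closed here.)
            let f = OpenOptions::new().write(true).open(&target)?;
            let after = f.metadata()?;
            if (after.dev(), after.ino()) != (before.dev(), before.ino()) {
                return Err(deny("target replaced between check and open"));
            }
            f.set_len(0)?; // truncate the verified inode, not a path
            f
        }
    };
    file.write_all(contents)
}
```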