Harden secret safety, DB rebuild/doctor correctness, and safety-critical ingest behaviors.
fulfills).bun test integration tests that spawn the CLI with --project --json --no-tui.bun:sqlite (don’t rely on external sqlite3 CLI).bun run check and bun test (and any targeted tests you added).{
"salientSummary": "Hardened git ingest to skip symlinks and added structured skip counts; fixed db doctor to be non-creating and to expose healthStatus/needsRebuild. Added regression tests for symlink escape and doctor side effects.",
"whatWasImplemented": "Implemented symlink-safe file ingestion using lstat/realpath guards; added URL redaction utility used by CLI outputs and persisted locators; updated db doctor to avoid creating missing DBs and to report degraded health when manifests failed or fingerprint mismatched.",
"whatWasLeftUndone": "",
"verification": {
"commandsRun": [
{"command": "bun run check", "exitCode": 0, "observation": "typecheck + biome passed"},
{"command": "bun test", "exitCode": 0, "observation": "all tests passed"}
],
"interactiveChecks": [
{"action": "bun run src/index.ts db doctor --project --json --no-tui (in temp dir)", "observed": "reports dbExists=false without creating .nya-cli"}
]
},
"tests": {
"added": [
{"file": "tests/safety-symlink.test.ts", "cases": [{"name": "skips tracked symlinks", "verifies": "VAL-SAF-001, VAL-SAF-002"}]}
]
},
"discoveredIssues": []
}