fix(rg): gate explicit symlink dereference behind --follow #1688

Open
chaliy wants to merge 1 commit into main from 2026-05-22-propose-fix-for-rg-symlink-vulnerability

chaliy (Contributor) commented May 22, 2026

Motivation

  • rg previously dereferenced explicit symlink targets at the builtin layer regardless of follow settings, bypassing the VFS no-follow contract and enabling reads outside the intended search root or across mounts.

Description

  • Threaded follow_symlinks into explicit-path resolution by adding a follow_symlinks parameter to resolve_rg_explicit_path and updating its callers so explicit user paths are only dereferenced when -L/--follow is enabled.
  • Updated directory-detection and helper call sites (has_directory_path, collect_rg_inputs, collect_rg_file_list, meta_is_file_and_matches) to use the new follow_symlinks flag for consistent behavior.
  • Preserved existing recursive -L traversal behavior while restoring default no-follow semantics for explicit paths to re-establish the VFS containment guarantee.
  • Adjusted symlink differential tests so the explicit-file and explicit-directory symlink cases are exercised under -L.

Testing

  • Ran cargo test -p bashkit --lib builtins::rg::tests::diff_rg_matches_real_rg_symlink_cases -- --nocapture, and the test passed.
  • The changes are validated by the repository's symlink differential cases that cover both recursive -L and explicit-path scenarios and now succeed under the updated contract.

Codex Task
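An added illustration of the gate described in the PR description above; it is not code from this pull request or from bashkit. The toy in-memory VFS, the names `resolve_explicit` and `search_explicit`, the hop limit and the sample paths are all assumptions made for the example.

```rust
use std::collections::HashMap;

// Toy in-memory VFS, constructed for this example (not bashkit's types).
#[derive(Clone, Debug, PartialEq)]
enum Node { File(String), Dir, Symlink(String) } // Symlink holds an absolute target
type Vfs = HashMap<String, Node>;
const MAX_HOPS: usize = 8; // assumed limit, guards against symlink loops

/// Resolve a path the user named explicitly. Without `follow_symlinks` a
/// symlink is returned as-is (lstat-like) and its target is never looked up.
fn resolve_explicit(vfs: &Vfs, path: &str, follow_symlinks: bool) -> Option<(String, Node)> {
    let mut current = path.to_string();
    for _ in 0..=MAX_HOPS {
        match vfs.get(&current)? {
            Node::Symlink(target) if follow_symlinks => current = target.clone(),
            node => return Some((current, node.clone())),
        }
    }
    None // too many hops: treat the path as unresolvable
}

/// Search one explicit path for `needle`, returning "path:line" matches.
fn search_explicit(vfs: &Vfs, path: &str, needle: &str, follow_symlinks: bool) -> Vec<String> {
    match resolve_explicit(vfs, path, follow_symlinks) {
        Some((_, Node::File(body))) => body
            .lines()
            .filter(|l| l.contains(needle))
            .map(|l| format!("{path}:{l}"))
            .collect(),
        // Unfollowed symlinks, directories (recursion omitted) and missing paths yield nothing.
        _ => Vec::new(),
    }
}

fn sample_vfs() -> Vfs {
    let mut v = Vfs::new();
    v.insert("/work".into(), Node::Dir);
    v.insert("/work/notes.txt".into(), Node::File("token here\n".into()));
    v.insert("/outside/secret.txt".into(), Node::File("token outside root\n".into()));
    v.insert("/work/link".into(), Node::Symlink("/outside/secret.txt".into()));
    v.insert("/work/loop".into(), Node::Symlink("/work/loop".into()));
    v
}

fn main() {
    let v = sample_vfs();
    println!("default: {:?}", search_explicit(&v, "/work/link", "token", false));
    println!("follow:  {:?}", search_explicit(&v, "/work/link", "token", true));
}
```

With the flag off, the explicit symlink `/work/link` produces no matches and its target outside `/work` is never read; with it on, the target is searched and a self-referencing link is rejected after the hop limit.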

cloudflare-workers-and-pages Bot commented May 22, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! View logs | bashkit | 86f41ec | Commit Preview URL | May 22 2026, 10:21 PM |
