All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
CI #1881 failed at head8bee1b65: the durable-snapshot gate was 40/41, the sole failure being the Part 7 NEGATIVE control ("secret leaked through the symlink"). Root cause is a test-harness portability gap, not a code defect: node:24-alpine runs busybox cp as root, and busybox cp REPLACES a symlinked destination instead of following it, whereas GNU/BSD cp — what a real operator runs `mosaic update` under — follows the link and leaks. So under the CI harness the CWE-59 leak vector the control asserts simply cannot occur, and the negative control can't reproduce. Fix is test-only; install.sh (independently approved at8bee1b65) and the real security assertions are untouched. make_symlink_leaf_shim now emulates GNU cp's follow-through-dest-symlink behavior portably: when the destination is a symlink it writes the source bytes through the link via redirection (which follows symlinks on every coreutils, busybox included); otherwise it delegates to the host cp unchanged. Both the shipped-case and the control run through this single shim, so the ONLY difference between them remains the SYMLINK-LEAF-GUARD — the control stays load-bearing and non-tautological, now on busybox too. With the guard present the symlinked leaf is dropped before this cp runs, so the shipped path is unchanged. Verified in the exact CI image (node:24-alpine, busybox, root, apk add bash rsync): durable-snapshot 41/41, manifest-guard 193, rollback 28. GNU host 41/41, shellcheck clean. Sole tracked delta vs8bee1b65= this test file. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>