[codex] Fix macOS path and symlink edge cases

[Ununp3ntium115]

Summary

This PR fixes the macOS/path-related issue reports by hardening path handling and documenting the local development trap around FTS5:

• Disable Git path quoting for path-emitting commands so tracked and changed files under non-ASCII/CJK directories are parsed as UTF-8 paths.
• Preserve path bytes except the final record separator, so valid path names with spaces are not accidentally trimmed while parsing Git output.
• Add realpath containment checks to validatePathWithinRoot so symlinked files and symlinked parent directories cannot escape the project root.
• Skip symlink targets that resolve outside the root during filesystem scanning before they can be queued for indexing.
• Add README contributor setup docs, including npm link, focused test commands, and the macOS Node/FTS5 source-build workaround.

Issue Mapping

• Fixes Files under directories with non-ASCII (CJK) names are silently skipped during indexing #541: Git-visible files under non-ASCII/CJK directories are indexed and detected as changed.
• Fixes Bug: validatePathWithinRoot allows reading files outside project root via symlinks #527: symlink escapes through files or parent directories are blocked before reads/indexing.
• Fixes docs: add Contributing section to README (local dev setup, FTS5 workaround) #305: README now documents local contributor setup and the macOS FTS5 workaround.

Root Cause

Git quotes non-ASCII path bytes by default (core.quotePath=true), returning quoted octal escapes for CJK path segments. CodeGraph parsed that output as normal UTF-8 file paths, so extension checks could silently reject otherwise supported source files.

Path containment also relied on lexical path.resolve checks. A path like src/secret.ts could pass because it was textually inside the project, even if src/secret.ts was a symlink to a file outside the root. The fix keeps the lexical check, then verifies existing targets and nearest existing parents with realpath so both direct symlink files and symlinked directories are rejected.

For contributors, the README only covered end-user installation. That left macOS source builds with no guidance for the node:sqlite / FTS5 mismatch that can appear on some local Node builds.

Validation

• npx -y -p node@22 node ./node_modules/vitest/vitest.mjs run __tests__/extraction.test.ts __tests__/security.test.ts
  • 2 files passed, 317 passed, 2 skipped
• npm run build
• git diff --check

Notes

This PR is split from the Claude installer/MCP guidance fixes so the path/security changes can be reviewed independently.