root_policy: /var subtree (/var/log, /var/lib, /var/db) not in deny list #407

@justrach

Problem

isIndexableRoot in src/root_policy.zig blocks /var/folders and /var/tmp but neither /var itself nor common subtrees that are catastrophic to index:

  • /var/log — logs
  • /var/lib — package / database state
  • /var/db — system DBs (macOS dslocal etc.)
  • /var/spool — mail, cron, print queues

On macOS realPathFile turns /var into /private/var, which is also not blocked (only /private/var/folders is). Pointing the indexer at /var/log on a busy server pulls in gigabytes of logs and is never a valid project root.

Failing Test

test "issue-407: root_policy blocks /var and its non-folders subtree" {
    const root_policy = @import("root_policy.zig");
    try testing.expect(!root_policy.isIndexableRoot("/var"));
    try testing.expect(!root_policy.isIndexableRoot("/var/log"));
    try testing.expect(!root_policy.isIndexableRoot("/var/lib"));
    try testing.expect(!root_policy.isIndexableRoot("/private/var"));
    try testing.expect(!root_policy.isIndexableRoot("/private/var/log"));
}

Verify on main:

$ zig build test 2>&1 | grep "issue-407"
error: 'tests.test.issue-407: root_policy blocks /var and its non-folders subtree' failed

Branch: issue-407-failing-test.

Expected

/var and /private/var (and all their children) return false from isIndexableRoot. The existing carve-outs for /var/tmp and /var/folders become redundant — that's fine, the wider rule subsumes them.

Fix

Replace the granular /var/folders / /var/tmp entries in system_prefixes with /var and /private/var. Real project roots never live under /var.

Related: #406 (same realpath canonicalization gap, but for /etc → /private/etc).
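
A sketch of the wider deny rule described in this issue, added here as an illustration; it is not the project's root_policy.zig. The names `denied_prefixes`, `isUnder` and `isIndexableRootSketch` are hypothetical, and matching on a path-component boundary (so that /var covers /var/log but not /variant) is an assumption about the intended behaviour.

```zig
const std = @import("std");

// Hypothetical deny list: both the raw prefix and the form that macOS
// realpath canonicalization produces, as the issue proposes.
const denied_prefixes = [_][]const u8{ "/var", "/private/var" };

/// True when `path` equals `prefix` or lies beneath it. The boundary check
/// stops "/var" from also matching siblings such as "/variant".
fn isUnder(path: []const u8, prefix: []const u8) bool {
    if (!std.mem.startsWith(u8, path, prefix)) return false;
    return path.len == prefix.len or path[prefix.len] == '/';
}

/// Returns false for any path inside a denied subtree.
fn isIndexableRootSketch(path: []const u8) bool {
    // Drop trailing slashes so "/var/" is treated like "/var".
    var end = path.len;
    while (end > 1 and path[end - 1] == '/') end -= 1;
    const trimmed = path[0..end];

    for (denied_prefixes) |prefix| {
        if (isUnder(trimmed, prefix)) return false;
    }
    return true;
}

test "sketch: /var and /private/var subtrees are denied" {
    const expect = std.testing.expect;

    // Paths taken from the failing test in the issue.
    try expect(!isIndexableRootSketch("/var"));
    try expect(!isIndexableRootSketch("/var/log"));
    try expect(!isIndexableRootSketch("/var/lib"));
    try expect(!isIndexableRootSketch("/private/var"));
    try expect(!isIndexableRootSketch("/private/var/log"));

    // Constructed edge cases: trailing slash, and look-alike siblings
    // that a plain startsWith check would wrongly reject.
    try expect(!isIndexableRootSketch("/var/"));
    try expect(isIndexableRootSketch("/variant/project"));
    try expect(isIndexableRootSketch("/private/variable"));
    try expect(isIndexableRootSketch("/home/dev/project"));
}
```

Run with `zig test` on the file containing the sketch. The check is purely lexical, so it only holds if the caller passes a path that is already canonicalized or checks both the raw and the resolved form.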

Labels: bug (Something isn't working), priority:p1 (High priority)
