v0.9.1 — search symlink-confinement fix (security)

@maeddesg maeddesg released this 13 Jun 17:13

v0.9.1 — Security: vf-clide search no longer follows symlinks out of the workspace

Security fix — update recommended.

vf-clide's agent search tool recursively walked the workspace using Path::is_dir/is_file,
which follow symlinks. A symlink inside the workspace pointing outside it (e.g. escape → /etc)
was treated as a directory and recursed into, so search could read files outside the workspace
root — reachable with only --yes (read-only auto-approval). The single-path tools
(read_file/write_file) and the search start path were already confined; only the recursive
walk was not.

Fix

search's recursive walk now checks each entry's own type via symlink_metadata (which does not
follow the final component) and skips symlinks entirely — they are neither recursed into nor read.
This closes the confinement hole and also prevents symlink cycles. read_file / write_file / shell
are unchanged.
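The two walk strategies side by side, as an added illustration rather than vf-clide's own code: the first uses Path::is_dir/is_file and so follows an escaping symlink; the second inspects each entry with symlink_metadata and skips symlinks, which is the behaviour this release describes. The fixture builder (workspace, outside, escape, in_ws.txt, secret.txt) and the temp-directory layout are constructed for the demo and assume a Unix host, since std::os::unix::fs::symlink is used.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Pre-fix pattern: Path::is_dir()/is_file() follow symlinks, so a symlink
/// inside the workspace that points outside it is treated as a directory
/// and recursed into.
pub fn walk_following_symlinks(root: &Path, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        if path.is_dir() {
            walk_following_symlinks(&path, out)?;
        } else if path.is_file() {
            out.push(path);
        }
    }
    Ok(())
}

/// Confined walk: symlink_metadata does not follow the final path component,
/// so each entry is classified by its own type. Symlinks are skipped outright
/// (neither recursed into nor listed), which keeps the walk inside the
/// workspace root and also rules out symlink cycles.
pub fn walk_confined(root: &Path, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        let file_type = fs::symlink_metadata(&path)?.file_type();
        if file_type.is_symlink() {
            continue;
        }
        if file_type.is_dir() {
            walk_confined(&path, out)?;
        } else if file_type.is_file() {
            out.push(path);
        }
    }
    Ok(())
}

/// Constructed fixture (not from the project): a workspace holding one real
/// file and a symlink "escape" that points at a sibling directory outside it.
/// Returns (workspace_dir, outside_dir). Unix only (symlink creation).
pub fn build_fixture() -> io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir().join(format!("symlink-confinement-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base); // start from a clean slate if a prior run left it behind
    let workspace = base.join("workspace");
    let outside = base.join("outside");
    fs::create_dir_all(&workspace)?;
    fs::create_dir_all(&outside)?;
    fs::write(workspace.join("in_ws.txt"), "inside the workspace\n")?;
    fs::write(outside.join("secret.txt"), "outside the workspace\n")?;
    std::os::unix::fs::symlink(&outside, workspace.join("escape"))?;
    Ok((workspace, outside))
}

fn main() -> io::Result<()> {
    let (workspace, _outside) = build_fixture()?;
    let mut naive = Vec::new();
    walk_following_symlinks(&workspace, &mut naive)?;
    let mut confined = Vec::new();
    walk_confined(&workspace, &mut confined)?;
    println!("following symlinks: {:?}", naive);
    println!("confined walk:      {:?}", confined);
    Ok(())
}
```

Running the binary shows the naive walk listing workspace/escape/secret.txt while the confined walk lists only workspace/in_ws.txt. DirEntry::file_type also avoids following symlinks on most platforms, but symlink_metadata is the explicit check the release names and is unambiguous on every platform.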

Scope

  • vf-clide 0.2.0 → 0.2.1. Engine unchanged (0.9.0) — no engine/decode/behavior change.
  • A regression test (search_does_not_follow_escaping_symlink) pins the fix; vf-clide unit 60/60.
  • Verified live @Qwen3-14B-Q4: in a workspace with escape → /etc, search returns only the
    in-workspace files, never /etc/....

If you run the --agent mode with untrusted workspaces, update.