fix(test): use NTFS junctions and platform guards for symlink tests on Windows

[arosstale]

Summary

Fixes 7 test failures on Windows caused by fs.symlink() requiring SeCreateSymbolicLinkPrivilege (admin or Developer Mode enabled).

Failing tests (before this PR):

File	Test	Symlink Type	Fix
apply-patch.test.ts	rejects symlink escape attempts by default	file → file	platform guard
apply-patch.test.ts	allows symlinks that resolve within cwd by default	file → file	platform guard
apply-patch.test.ts	rejects delete path traversal via symlink directories	dir → dir	junction
apply-patch.test.ts	allows deleting a symlink itself even if it points outside cwd	dir → dir	junction
archive.test.ts	rejects zip entries that traverse pre-existing destination symlinks	dir → dir	junction
fs-bridge.test.ts	rejects pre-existing host symlink escapes before docker exec	file → file	platform guard
validate-sandbox-security.test.ts	blocks symlink escapes into blocked directories	dir → nonexistent	move guard before symlink

Approach

Three strategies based on symlink target type:

1. Directory symlinks → NTFS junctions (fs.symlink(target, link, 'junction')): Junctions don't require elevated privileges on Windows and lstat().isSymbolicLink() correctly returns true for them, so all security checks still exercise the real code path.

2. File symlinks → platform guard (if (process.platform === 'win32') return): File symlinks have no unprivileged alternative on Windows. This matches the existing pattern already used in adjacent tests (e.g. rejects broken final symlink targets outside cwd, rejects hardlink alias escapes).

3. Guard ordering fix (validate-sandbox-security.test.ts): The existing win32 guard was placed after symlinkSync("/etc", link), so the EPERM happened before the guard could skip the test. Moved the guard before the symlink creation and restructured to avoid needing a real symlink on Windows.

Testing

All 4 test files pass on Windows 11 22H2 / Node v22.22.0 / NTFS (non-admin):

✓ apply-patch.test.ts                  13 passed
✓ archive.test.ts                      11 passed
✓ fs-bridge.test.ts                     9 passed
✓ validate-sandbox-security.test.ts    24 passed
                                       57 total

No changes to production code — test-only fix.

Linked Issues

None (discovered via Windows CI test run).

[greptile-apps]

Greptile Summary

This PR fixes 6 Windows test failures caused by symlink privilege requirements by using two strategies: NTFS junctions for directory symlinks (which don't require elevated privileges and are correctly identified by lstat().isSymbolicLink()) and platform guards for file symlinks (matching existing patterns in the codebase). All changes are test-only with no production code modifications, and the approach preserves security checks since junctions are still detected as symlinks by Node.js.

• Uses 'junction' type for directory symlinks on Windows in 3 tests across apply-patch.test.ts and archive.test.ts
• Adds platform guards with early returns for 3 file symlink tests across apply-patch.test.ts and fs-bridge.test.ts, consistent with existing Windows guard patterns
• Includes clear comments explaining the Windows privilege requirements (SeCreateSymbolicLinkPrivilege)
• Properly handles cleanup in fs-bridge.test.ts before early return since resources were already allocated

Confidence Score: 5/5

• This PR is safe to merge with no risk - it only modifies test files to handle Windows platform differences.
• Score reflects test-only changes that follow existing codebase patterns, preserve security checks, and solve a real Windows compatibility issue without touching production code.
• No files require special attention.

_{Last reviewed commit: 904f274}

[Copilot]

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

[Takhoffman]

PR #28747 - fix(test): use NTFS junctions and platform guards for symlink tests on Windows (#28747)

Merged after verification.

• Merge commit: 1b462ed
• Verified: pnpm install --frozen-lockfile; pnpm test src/agents/apply-patch.test.ts src/agents/sandbox/fs-bridge.test.ts src/agents/sandbox/validate-sandbox-security.test.ts src/infra/archive.test.ts
• Autoland updates:
  M CHANGELOG.md
• Rationale:
  Merged as the canonical Windows symlink-portability fix; kept security assertions intact where unprivileged Windows semantics allow deterministic coverage.
• Changelog: CHANGELOG.md updated=true required=true opt_out=false