Evaluate scanner symlink policy: skip or bound out-of-root directory symlinks #572

@coderabbitai

Description

Background

During the review of PR #570 (release v1.0.0), a behavior-pinning test test_symlink_to_outside_directory_is_traversed in src/python/tests/unittests/test_system/test_scanner.py was flagged and then clarified by @nitrobass24.

SystemScanner currently follows directory symlinks by default (DirEntry.is_dir() uses follow_symlinks=True), including symlinks that point outside the configured scan root. This is intentional: it supports legitimate symlinked seedbox layouts and the scanner is read-only, so the risk profile differs from write/destructive paths.

Out-of-root realpath guards are already applied on destructive surfaces (delete_process.py, extract.py), but deliberately not in the read-only scanner.

Discussion points

  • Should SystemScanner be given an option to restrict traversal to targets whose resolved path stays within the scan root?
  • Should out-of-root symlinks be skipped silently, skipped with a log warning, or remain fully traversed (current behavior)?
  • Are there seedbox layouts in the wild that legitimately symlink to directories outside the configured local path?
  • The cyclic-symlink case (test_cyclic_symlink_terminates_with_error) shows the OS raises ELOOP; document whether that is sufficient protection or whether an explicit guard is wanted.
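A defender's sketch of what the first, second and fourth discussion points would look like in code (an added example written for this issue, not the project's SystemScanner): a hypothetical out_of_root switch, the resolved-path-inside-root check, an explicit ancestor-based cycle guard, and ELOOP left as the OS-level fallback. The switch name, helper names and the constructed fixture layout are all assumptions.

```python
import errno
import logging
import os
import tempfile

log = logging.getLogger(__name__)
def _within(path_real: str, root_real: str) -> bool:
    # True if a resolved path is the resolved root itself or lies below it.
    return os.path.commonpath([root_real, path_real]) == root_real
def scan_dirs(root: str, out_of_root: str = "traverse") -> list:
    """Sorted root-relative paths of every directory reached from root, following
    directory symlinks as the scanner does. out_of_root is a hypothetical switch:
    "traverse" (today's behaviour), "skip" out-of-root links, or "warn" and skip."""
    root_real = os.path.realpath(root)
    found = []
    stack = [(root, root_real)]                      # (logical path, resolved path)
    while stack:
        current, current_real = stack.pop()
        found.append(os.path.relpath(current, root))
        with os.scandir(current) as it:
            for entry in sorted(it, key=lambda e: e.name):
                try:
                    if not entry.is_dir():           # follow_symlinks=True, like the scanner
                        continue
                except OSError as exc:
                    if exc.errno != errno.ELOOP:     # ELOOP is the OS-level loop guard
                        raise
                    log.warning("symlink loop at %s, not descending", entry.path)
                    continue
                real = os.path.realpath(entry.path)
                if entry.is_symlink() and out_of_root != "traverse" and not _within(real, root_real):
                    if out_of_root == "warn":
                        log.warning("skipping %s -> %s: outside scan root", entry.path, real)
                    continue
                if _within(current_real, real):      # explicit guard: target is this dir or an ancestor
                    log.warning("skipping %s -> %s: cycle", entry.path, real)
                    continue
                stack.append((entry.path, real))
    return sorted(found)

def make_demo_layout() -> str:
    """Constructed fixture: root/{inside/, alias -> inside, ext -> ../outside, loop -> root}."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "root")
    os.makedirs(os.path.join(root, "inside"))
    os.mkdir(os.path.join(base, "outside"))
    os.symlink(os.path.join(root, "inside"), os.path.join(root, "alias"))
    os.symlink(os.path.join(base, "outside"), os.path.join(root, "ext"))
    os.symlink(root, os.path.join(root, "loop"))
    return root
```

With the fixture, "traverse" reaches alias, ext and inside while the loop link is cut by the cycle guard; "skip" and "warn" additionally drop ext because it resolves outside the root.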

References

/cc @nitrobass24
