fix: resolve macOS location filtering failures with symlink canonicalization

arimxyer · claude · arimxyer · commit d7752f98ba45 · 2025-10-21T16:56:37.000-04:00
Fixed location-based credential filtering on macOS where /var is a symlink to /private/var, causing path mismatches between stored and filtered paths. Root cause: - Usage tracking stored paths from os.Getwd() as /var/folders/... - Location filtering resolved paths to /private/var/folders/... - Paths didn't match despite being the same directory Changes: 1. internal/vault/vault.go (lines 614-625) - Resolve symlinks when recording usage locations - Use filepath.EvalSymlinks() to get canonical path - Ensures stored paths are in canonical form 2. cmd/list.go (lines 175-221) - Resolve symlinks in filterCredentialsByLocation - Apply EvalSymlinks to both filter path and credential locations - Compare canonical paths instead of raw paths This ensures both stored and filtered paths are in canonical form, fixing all location filtering tests on macOS. Fixes: - TestListByLocation/T037_Location_Exact_Path - TestListByLocation/T039_Location_Recursive - TestListByLocation/T041_Location_JSON_Format 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/cmd/list.go b/cmd/list.go
@@ -179,6 +179,13 @@ func filterCredentialsByLocation(metadata []vault.CredentialMetadata, location s
 		return nil, fmt.Errorf("failed to resolve path: %w", err)
 	}
 
+	// Resolve symlinks to get canonical path (fixes macOS /var -> /private/var symlink issue)
+	canonicalLocation, err := filepath.EvalSymlinks(absLocation)
+	if err != nil {
+		// If symlink resolution fails (e.g., path doesn't exist), use absolute path
+		canonicalLocation = absLocation
+	}
+
 	filtered := make([]vault.CredentialMetadata, 0)
 
 	for _, meta := range metadata {
@@ -191,17 +198,24 @@ func filterCredentialsByLocation(metadata []vault.CredentialMetadata, location s
 				continue
 			}
 
+			// Resolve symlinks to get canonical path
+			canonicalCredLocation, err := filepath.EvalSymlinks(absCredLocation)
+			if err != nil {
+				// If symlink resolution fails, use absolute path
+				canonicalCredLocation = absCredLocation
+			}
+
 			matched := false
 
 			if recursive {
 				// T047: Recursive mode - check if credential location is under the specified location
 				// Use filepath.HasPrefix logic (check if credLocation starts with location)
-				if absCredLocation == absLocation || strings.HasPrefix(absCredLocation, absLocation+string(filepath.Separator)) {
+				if canonicalCredLocation == canonicalLocation || strings.HasPrefix(canonicalCredLocation, canonicalLocation+string(filepath.Separator)) {
 					matched = true
 				}
 			} else {
 				// T046: Exact match mode - credential location must exactly match
-				if absCredLocation == absLocation {
+				if canonicalCredLocation == canonicalLocation {
 					matched = true
 				}
 			}
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
@@ -611,10 +611,17 @@ func (v *VaultService) RecordFieldAccess(service, field string) error {
 		return ErrCredentialNotFound
 	}
 
-	// Get current working directory
+	// Get current working directory and resolve symlinks for canonical path
+	// (fixes macOS /var -> /private/var symlink matching issue)
 	location, err := os.Getwd()
 	if err != nil {
 		location = "unknown"
+	} else {
+		// Resolve symlinks to canonical path
+		if canonical, err := filepath.EvalSymlinks(location); err == nil {
+			location = canonical
+		}
+		// If symlink resolution fails, keep the original path
 	}
 
 	// Try to get git repo info
