Resolve image attachment paths with realpath before reading so symlinks
inside allowed roots cannot escape to arbitrary files. Preserve support for
symlinked project/upload roots and add focused coverage for both cases.
Replace the path.relative guard in isPathInsideDirectory with the
resolve + startsWith(root + sep) idiom so the path-injection barrier
is visible to code scanning; behavior is unchanged.
- enforce a second image trust boundary in the provider builders:
buildClaudeUserContent/buildCodexInputItems only accept files inside
the upload store or the run's working directory (CodeQL path
injection)
- drop an always-true selectedProject check in handleSubmit
- remove the unused resume option from spawnCursor