chore(compile): tighten link_resolver._resolve_path input guards

[sergio-sisternes-epam]

Context

Follow-up to the link_resolver._resolve_path containment hardening landed in the dogfooding PR (commit 79389ab on feat/792-dogfood-apm, closes #695 / #792). Surfaced during the supply-chain-security review of that change -- not exploitable in the current call paths, but worth fixing so we don't regress later.

Findings

Minor 1 -- empty-string input returns base_path instead of None

_resolve_path("") follows the Path(base_dir) / "" branch and returns the base directory. Not exploitable today because every caller does an .exists() check on the returned path, but semantically wrong (an empty link should resolve to nothing).

Fix: add an early guard at the top of _resolve_path:

if not path or not path.strip():
    return None

Minor 2 -- whitespace-only input (same class)

_resolve_path(" ") hits the same code path as empty-string. The same guard covers it.

Minor 3 -- regression test gaps

Add test cases for:

• empty string ("")
• whitespace-only (" ")
• embedded NUL byte
• backslash traversal on POSIX (foo\\..\\..\\etc\\passwd)
• file:// URI on POSIX
• non-existent relative target (the happy path of "link resolves but target missing")

Current containment code handles these correctly; tests lock in that behaviour.

Scope

• Single file: src/apm_cli/compilation/link_resolver.py
• Single test file: tests/unit/compilation/test_link_resolver.py
• No API change, no behaviour change for valid inputs.

Labels

good first issue, compilation, security-hardening

[github-actions]

Triage decision

accept

Proposed labels

theme/security
area/content-security
type/bug
status/accepted
priority/low
good first issue

Milestone

0.9.4

Suggested next action

Open a PR implementing the two-line empty/whitespace guard in src/apm_cli/compilation/link_resolver.py and adding the six test cases enumerated in the issue body; the scope is a single source file and its test file.

Suggested issue comment

Thanks for the thorough write-up and the clearly scoped follow-up, @sergio-sisternes-epam.

The link_resolver input hardening is a natural next step after the containment work from #695/#792. Having an explicit early return for empty and whitespace-only inputs removes a "semantically wrong but not yet exploitable" edge case before a future caller can rely on the current (incorrect) behavior.

The proposed fix is concise and complete:

```python
if not path or not path.strip():
    return None

This covers both Minor 1 and Minor 2 in one guard. The test matrix you have laid out (empty string, whitespace-only, embedded NUL, backslash traversal, `(redacted) URI, non-existent relative target) is exactly what the current containment code needs to lock in its guarantees.

Triaged as type/bug (semantically incorrect return value) in the area/content-security surface. This is also marked good first issue -- the scope is narrow (one source file, one test file), the fix is already specified, and the test cases are enumerated. Anyone looking to make their first contribution to APM's compilation internals is welcome to pick this up.

Next step: Open a PR against main targeting src/apm_cli/compilation/link_resolver.py and tests/unit/compilation/test_link_resolver.py. Please reference this issue in the PR description. If you pick it up yourself, just leave a comment here so others know it is in progress.

## Per-lens notes (collapsed)

<details>
<summary>DevX UX Expert -- User-Need Reviewer</summary>

The request maps to a clear code-correctness chore in the compilation pipeline with no user-facing surface change. The user task is preventing semantically wrong behavior (`_resolve_path("")` returning `base_path` instead of `None`) before a future caller relies on it. The proposed two-line guard is idiomatic Python and the test matrix covers the boundary cases that matter for a path-resolution function. Scope is appropriately narrow: one source file, one test file, no API or behavior change for valid inputs. No UX concerns.

</details>

<details>
<summary>Supply Chain Security Expert -- Risk-Surface Reviewer</summary>

This directly targets `link_resolver._resolve_path`, a path-resolution function in the compilation pipeline that was already surfaced in a supply-chain security review. The two gaps (empty string, whitespace-only input returning `base_path`) are not exploitable today because every caller checks `.exists()` on the result, but the semantically wrong return value is a latent bug that could regress if callers change. The test additions for NUL byte, backslash traversal, and `(redacted) URI are the right boundary cases for a path containment guard. `theme/security` is required. `area/content-security` is the correct area -- link resolution controls what content APM includes during compilation. No new attack surface introduced.

</details>

<details>
<summary>OSS Growth Hacker -- Contributor-Tone Reviewer</summary>

Not activated -- author is a COLLABORATOR with prior contributions to the repository; the comment does not require first-timer warmth tuning, and the `good first issue` label already signals the contribution opportunity to external contributors who may pick this up.

</details>

<details>
<summary>Python Architect -- Architecture Reviewer</summary>

Not activated -- the issue scope is a single function with a two-line early-return guard and a set of additional test cases; no cross-cutting design decision, interface change, data model change, or new primitive is involved. The proposed fix is a straightforward local guard that does not affect any caller contracts.

</details>

<details>
<summary>Doc Writer -- Documentation Reviewer</summary>

Not activated -- the fix makes no user-facing behavior change and introduces no new CLI flags, primitives, or concepts. No docs pages need to be added or updated. The existing reference docs and README are unaffected.

</details>

<details>
<summary>APM CEO -- Triage Arbiter</summary>

Clean `accept`. Both specialist lenses agree: this is a supply-chain-security-review-sourced hardening task with a precisely scoped fix and a comprehensive test matrix. No disagreements to arbitrate. Theme: `theme/security`. Area: `area/content-security`. Type: `type/bug` (semantically incorrect return value, not exploitable today but wrong). Priority: `priority/low` (not exploitable in current call paths; worth fixing before it compounds). Milestone: `0.9.4` (current active patch, 39 open issues, created 2026-04-26). `good first issue` is well-earned -- narrow scope, fix already specified, test cases enumerated. Comment tone: technically direct and collegial; this is a COLLABORATOR who understands the codebase.

</details>

```json triage-decision
{
  "decision": "accept",
  "decision_detail": "",
  "theme": "theme/security",
  "areas": ["area/content-security"],
  "type": "type/bug",
  "status": "status/accepted",
  "priority": "priority/low",
  "preserved_labels": ["good first issue"],
  "milestone": "0.9.4",
  "next_action": "Open a PR implementing the two-line empty/whitespace guard in src/apm_cli/compilation/link_resolver.py and adding the six test cases enumerated in the issue body.",
  "comment_markdown": "Thanks for the thorough write-up and the clearly scoped follow-up, @sergio-sisternes-epam.\n\nThe link_resolver input hardening is a natural next step after the containment work from #695/#792. Having an explicit early return for empty and whitespace-only inputs removes a \"semantically wrong but not yet exploitable\" edge case before a future caller can rely on the current (incorrect) behavior.\n\nThe proposed fix is concise and complete:\n\n```python\nif not path or not path.strip():\n    return None\n```\n\nThis covers both Minor 1 and Minor 2 in one guard. The test matrix you have laid out (empty string, whitespace-only, embedded NUL, backslash traversal, `(redacted) URI, non-existent relative target) is exactly what the current containment code needs to lock in its guarantees.\n\nTriaged as `type/bug` (semantically incorrect return value) in the `area/content-security` surface. This is also marked `good first issue` -- the scope is narrow (one source file, one test file), the fix is already specified, and the test cases are enumerated. Anyone looking to make their first contribution to APM's compilation internals is welcome to pick this up.\n\n**Next step:** Open a PR against `main` targeting `src/apm_cli/compilation/link_resolver.py` and `tests/unit/compilation/test_link_resolver.py`. Please reference this issue in the PR description. If you pick it up yourself, just leave a comment here so others know it is in progress."
}

---

Triage status: agentic proposal pending human ratification.
Silence is approval. Maintainers can:

• Override any label or milestone above by editing it directly --
  human edits are authoritative and will not be reverted on
  subsequent runs.
• Re-trigger triage by applying the status/needs-triage label, or
  by removing status/triaged to enroll the issue in the next
  daily sweep.

Posted by the Triage Panel workflow. See .apm/skills/apm-triage-panel for the panel skill.

Generated by Triage Panel for issue #841 · ● 817.5K · ◷