Wrap all IFileSystem usage in ScopedFileSystem

[Mpdreamz]

Summary

This PR introduces Nullean.ScopedFileSystem as a security boundary around every file system operation in the codebase.

What is ScopedFileSystem?

ScopedFileSystem is a System.IO.Abstractions.IFileSystem decorator that enforces at runtime that no file read or write can escape a configured set of root directories. Any operation targeting a path outside those roots — including paths reached via .. traversal, symlink, or hidden directory — throws a ScopedFileSystemException (extends SecurityException) before the underlying OS call is made. File.Exists / Directory.Exists return false for out-of-scope paths rather than throwing, so probing code stays safe without additional guards.

The library supports:

• Multiple disjoint root directories per instance
• An explicit allowlist for hidden file/folder names (e.g. .git)
• Opt-in OS special-folder access (e.g. Temp, LocalApplicationData)
• Works with any IFileSystem implementation including MockFileSystem

Changes

• New FileSystemFactory in Elastic.Documentation.Configuration:
  • FileSystemFactory.Real — pre-allocated singleton scoped to the working-directory root + Paths.ApplicationData (LocalApplicationData/elastic/docs-builder), with .git folder/file allowlisted and Temp enabled
  • FileSystemFactory.InMemory() — wraps a fresh MockFileSystem in the same options; each call returns a new independent in-memory instance
  • FileSystemFactory.CreateScoped(IFileSystem inner, IEnumerable<string>?) — wraps any FS with optional additional roots (used for plugin extension roots)
  • FileSystemFactory.CreateForUserData() — user-profile scope with .docs-builder allowlisted, used by GitLinkIndexReader (~/.docs-builder/codex-link-index)
• All 33+ new FileSystem() call sites replaced with factory methods; MockFileSystem instances wrapped with FileSystemFactory.CreateScoped(inner)
• CrossLinkFetcher and CheckForUpdatesFilter converted from direct System.IO.File / Directory static calls to IFileSystem injection
• IDocsBuilderExtension gains ExternalScopeRoots (default []); DetectionRulesDocsBuilderExtension implements it to expose detection-rules folder paths so builds that reference rules outside the workspace can widen the scope
• IFileSystem registered as DI singleton (FileSystemFactory.Real) in DocumentationTooling
• Service constructors that previously required the concrete FileSystem type widened to IFileSystem

Test plan

• dotnet build passes (verified)
• docs-builder build completes without ScopedFileSystemException
• docs-builder serve starts and serves docs
• docs-builder build --in-memory works (uses FileSystemFactory.InMemory())
• Changelog commands access files normally

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR introduces a centralized FileSystemFactory and migrates the codebase to use Nullean.ScopedFileSystem instances (scoped read/write/app-data/in-memory) instead of directly instantiating System.IO.Abstractions FileSystem or using raw IFileSystem in many places. Constructors, method parameters, and test setups were updated to accept ScopedFileSystem (or IFileSystem wrapped by the factory). Defaults that previously used new FileSystem() now use factory-provided instances. It also adds the Nullean.ScopedFileSystem package and exposes an ExternalScopeRoots property on IDocsBuilderExtension.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI Command
    participant Factory as FileSystemFactory
    participant Scoped as ScopedFileSystem
    participant Under as Underlying I/O FS
    participant Service as Domain Service
    participant ES as ElasticsearchEndpointConfigurator
    participant Build as BuildService

    CLI->>Factory: request filesystem (RealRead/AppData/InMemory)
    Factory->>Scoped: create/return ScopedFileSystem
    Scoped->>Under: delegate IO operations
    CLI->>Service: invoke operation (passes ScopedFileSystem)
    Service->>ES: ApplyAsync(endpoint, ScopedFileSystem)
    Service->>Build: BuildAll(context, ScopedFileSystem)
    Build->>Scoped: read/write repo files

Loading

Suggested labels

dependencies

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 39.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: wrapping all IFileSystem usage in ScopedFileSystem, which is the core objective of this PR.
Description check	✅ Passed	The description thoroughly explains what ScopedFileSystem is, its benefits, the factory pattern introduced, and provides a comprehensive test plan linked to the changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch scoped-file-system

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)

src/tooling/docs-builder/Commands/ChangelogCommand.cs (1)

291-292: ⚠️ Potential issue | 🟠 Major

Bypasses scoped filesystem security boundary.

ChangelogConfigurationLoader is instantiated with new System.IO.Abstractions.FileSystem() instead of using _fileSystem (which is FileSystemFactory.Real). This same pattern repeats at lines 545, 848, and 1107.

This defeats the PR's goal of wrapping all filesystem access in ScopedFileSystem.

🔧 Proposed fix

-		var bundleConfig = await new ChangelogConfigurationLoader(logFactory, configurationContext, new System.IO.Abstractions.FileSystem())
+		var bundleConfig = await new ChangelogConfigurationLoader(logFactory, configurationContext, _fileSystem)
			.LoadChangelogConfiguration(collector, config, ctx);

Apply similar changes at lines 545, 848, and 1107.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/tooling/docs-builder/Commands/ChangelogCommand.cs` around lines 291 -
292, The ChangelogConfigurationLoader is being constructed with a direct new
System.IO.Abstractions.FileSystem() which bypasses the scoped filesystem;
replace that explicit instantiation with the existing injected/created
_fileSystem (FileSystemFactory.Real) when calling new
ChangelogConfigurationLoader(...). Update the same pattern wherever
ChangelogConfigurationLoader is constructed in this file (the other occurrences
that currently use new System.IO.Abstractions.FileSystem()) so all filesystem
access uses the ScopedFileSystem (_fileSystem) and not a fresh FileSystem
instance; ensure the call to LoadChangelogConfiguration(collector, config, ctx)
remains unchanged.

src/tooling/docs-builder/Http/StaticWebHost.cs (1)

97-123: ⚠️ Potential issue | 🔴 Critical

Scoped filesystem boundary is bypassed during request-time file reads

ServeRootIndex/ServeDocumentationFile use System.IO (FileInfo, DirectoryInfo, Path) directly, so scoped checks are skipped at runtime. This can allow serving content through in-root symlinks that resolve outside the allowed scope.

Proposed fix

 public class StaticWebHost
 {
 	public WebApplication WebApplication { get; }
+	private readonly IFileSystem _fileSystem = FileSystemFactory.Real;
 	private readonly string _contentRoot;

 	public StaticWebHost(int port, string? path)
 	{
 		_contentRoot = path ?? Path.Join(Paths.WorkingDirectoryRoot.FullName, ".artifacts", "assembly");
-		var fs = FileSystemFactory.Real;
-		var dir = fs.DirectoryInfo.New(_contentRoot);
+		var dir = _fileSystem.DirectoryInfo.New(_contentRoot);
 		if (!dir.Exists)
 			throw new Exception($"Can not serve empty directory: {_contentRoot}");
-		if (!dir.IsSubPathOf(fs.DirectoryInfo.New(Paths.WorkingDirectoryRoot.FullName)))
+		if (!dir.IsSubPathOf(_fileSystem.DirectoryInfo.New(Paths.WorkingDirectoryRoot.FullName)))
 			throw new Exception($"Can not serve directory outside of: {Paths.WorkingDirectoryRoot.FullName}");
@@
 	private Task<IResult> ServeRootIndex(Cancel _)
 	{
-		var indexPath = Path.Join(_contentRoot, "index.html");
-		var fileInfo = new FileInfo(indexPath);
+		var indexPath = _fileSystem.Path.Join(_contentRoot, "index.html");
+		var fileInfo = _fileSystem.FileInfo.New(indexPath);
 		if (fileInfo.Exists)
 			return Task.FromResult(Results.File(fileInfo.FullName, "text/html"));
@@
 	private async Task<IResult> ServeDocumentationFile(string slug, Cancel _)
 	{
@@
-		var contentRoot = Path.GetFullPath(_contentRoot);
-		var localPath = Path.GetFullPath(Path.Join(contentRoot, slug.Replace('/', Path.DirectorySeparatorChar)));
+		var contentRoot = _fileSystem.Path.GetFullPath(_contentRoot);
+		var localPath = _fileSystem.Path.GetFullPath(Path.Join(contentRoot, slug.Replace('/', Path.DirectorySeparatorChar)));
 		if (!localPath.StartsWith(contentRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
 			return Results.NotFound();
-		var fileInfo = new FileInfo(localPath);
-		var directoryInfo = new DirectoryInfo(localPath);
+		var fileInfo = _fileSystem.FileInfo.New(localPath);
+		var directoryInfo = _fileSystem.DirectoryInfo.New(localPath);
 		if (directoryInfo.Exists)
-			fileInfo = new FileInfo(Path.Join(directoryInfo.FullName, "index.html"));
+			fileInfo = _fileSystem.FileInfo.New(Path.Join(directoryInfo.FullName, "index.html"));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/tooling/docs-builder/Http/StaticWebHost.cs` around lines 97 - 123,
ServeRootIndex and ServeDocumentationFile currently validate paths with
Path.GetFullPath/StartsWith but a malicious symlink inside the content root can
still point outside; fix by resolving any symbolic links for both files and
directories before the sandbox check: use FileInfo.ResolveLinkTarget (and
DirectoryInfo.ResolveLinkTarget for directories) in a loop to follow links to
the final target, then compute the finalTargetFullPath and assert it starts with
the sanitized contentRoot + Path.DirectorySeparatorChar; if it does not, return
Results.NotFound(); apply this resolution/validation to the indexPath handling
in ServeRootIndex and to localPath/fileInfo/directoryInfo handling in
ServeDocumentationFile (use _contentRoot, contentRoot, localPath, fileInfo,
directoryInfo identifiers from the diff).

src/tooling/docs-builder/Filters/CheckForUpdatesFilter.cs (1)

65-83: ⚠️ Potential issue | 🟠 Major

Best-effort update check can currently fail the command

ReadAllTextAsync (Line 67) runs outside a catch, and the later write path is inside a try/finally (no catch), so filesystem/security/network exceptions can bubble and fail execution after the main command already ran. This should degrade gracefully.

Proposed fix

 private async ValueTask<Uri?> GetLatestVersion(Cancel ctx)
 {
 	// only check for new versions once per hour
-	if (_stateFile.Exists && _stateFile.LastWriteTimeUtc >= DateTime.UtcNow.Subtract(TimeSpan.FromHours(1)))
-	{
-		var url = await fileSystem.File.ReadAllTextAsync(_stateFile.FullName, ctx);
-		if (Uri.TryCreate(url, UriKind.Absolute, out var uri))
-			return uri;
-	}
+	try
+	{
+		if (_stateFile.Exists && _stateFile.LastWriteTimeUtc >= DateTime.UtcNow.Subtract(TimeSpan.FromHours(1)))
+		{
+			var url = await fileSystem.File.ReadAllTextAsync(_stateFile.FullName, ctx);
+			if (Uri.TryCreate(url, UriKind.Absolute, out var uri))
+				return uri;
+		}
+	}
+	catch
+	{
+		// ignore cache read failures; continue with network check
+	}
 
 	try
 	{
 		var httpClient = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });
 		var response = await httpClient.GetAsync("https://github.com/elastic/docs-builder/releases/latest", ctx);
 		var redirectUrl = response.Headers.Location;
 		if (redirectUrl is not null && _stateFile.Directory is not null)
 		{
 			// ensure the 'elastic' folder exists.
 			if (!fileSystem.Directory.Exists(_stateFile.Directory.FullName))
 				_ = fileSystem.Directory.CreateDirectory(_stateFile.Directory.FullName);
 			await fileSystem.File.WriteAllTextAsync(_stateFile.FullName, redirectUrl.ToString(), ctx);
 		}
 		return redirectUrl;
 	}
-	// ReSharper disable once RedundantEmptyFinallyBlock
-	// ignore on purpose
-	finally { }
+	catch
+	{
+		// ignore update check failures
+		return null;
+	}
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/tooling/docs-builder/Filters/CheckForUpdatesFilter.cs` around lines 65 -
83, The ReadAllTextAsync call on _stateFile and the HTTP/file write logic
(HttpClient.GetAsync and fileSystem.File.WriteAllTextAsync) can throw and
currently bubble up; change CheckForUpdatesFilter so both the read and the whole
update-check block catch and swallow non-fatal exceptions (IO, security,
network) and log them instead of rethrowing so the command degrades gracefully;
specifically wrap the ReadAllTextAsync(_stateFile.FullName, ctx) in a try/catch
that returns null on failure, and wrap the HTTP request + WriteAllTextAsync
sequence in a try/catch that logs the exception and continues without failing
the operation.

src/services/Elastic.Documentation.Assembler/Deploying/IncrementalDeployService.cs (1)

53-55: ⚠️ Potential issue | 🔴 Critical

Use fileSystem for file I/O to enforce scope checks.

Line 53–55 use new FileStream() and new StreamWriter() directly instead of the injected IFileSystem abstraction. Line 76 similarly uses File.ReadAllTextAsync() instead of fileSystem.File.ReadAllTextAsync(). This inconsistency bypasses scope enforcement that the ScopedFileSystem abstraction provides elsewhere in the method (e.g., line 71).

Replace all three locations with fileSystem.File.WriteAllTextAsync() and fileSystem.File.ReadAllTextAsync() to maintain consistent scope handling.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/services/Elastic.Documentation.Assembler/Deploying/IncrementalDeployService.cs`
around lines 53 - 55, The code directly constructs FileStream and StreamWriter
and calls File.ReadAllTextAsync() which bypasses the injected IFileSystem scope
enforcement; replace the direct FileStream/StreamWriter usage and the
File.ReadAllTextAsync() call with the fileSystem abstraction by using
fileSystem.File.WriteAllTextAsync(outputPath, output) (or equivalent
fileSystem.File.WriteAllTextAsync for the write) and
fileSystem.File.ReadAllTextAsync(...) for the read so that
IncrementalDeployService uses the injected fileSystem consistently (locate the
write sites around the FileStream/StreamWriter creation and the read site that
calls File.ReadAllTextAsync()).

src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs (1)

125-126: ⚠️ Potential issue | 🟠 Major

Use scoped fs.File.Exists() instead of static File.Exists().

Line 125 uses the static File.Exists() while the method accepts an IFileSystem fs parameter that's already used consistently elsewhere (line 73). This breaks the file system abstraction pattern, making the code harder to test and the behavior inconsistent with the scoped semantics you've established.

Proposed fix

-		if (File.Exists(redirectsPath))
+		if (fs.File.Exists(redirectsPath))
 			await githubActionsService.SetOutputAsync("redirects-artifact-path", redirectsPath);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs`
around lines 125 - 126, The code calls the static File.Exists when it should use
the injected IFileSystem to respect the file-system abstraction; update the
check in the method that uses the IFileSystem parameter (fs) to call
fs.File.Exists(redirectsPath) before awaiting
githubActionsService.SetOutputAsync("redirects-artifact-path", redirectsPath) so
the behavior is testable and consistent with the other fs usages in
AssemblerBuildService.

🧹 Nitpick comments (1)

src/services/Elastic.Documentation.Assembler/Deploying/DeployUpdateRedirectsService.cs (1)

15-15: Use the injected IFileSystem consistently.

Line 45 uses Directory.GetCurrentDirectory() directly instead of fileSystem.Directory.GetCurrentDirectory(). The constructor accepts IFileSystem for dependency injection, but this direct static call bypasses the abstraction, breaking testability and mockability. The codebase consistently uses the fileSystem.Directory pattern elsewhere (see ChangelogConfigurationLoader, ChangelogFileWriter, etc.).

Replace:

fileSystem.DirectoryInfo.New(Directory.GetCurrentDirectory())

With:

fileSystem.DirectoryInfo.New(fileSystem.Directory.GetCurrentDirectory())

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/services/Elastic.Documentation.Assembler/Deploying/DeployUpdateRedirectsService.cs`
at line 15, In DeployUpdateRedirectsService update the call that creates a
DirectoryInfo so it uses the injected IFileSystem instead of the static
Directory API: replace the use of Directory.GetCurrentDirectory() when
constructing fileSystem.DirectoryInfo.New(...) so it reads
fileSystem.Directory.GetCurrentDirectory(); locate this in the
DeployUpdateRedirectsService constructor/initialization where
fileSystem.DirectoryInfo.New(...) is invoked and make the single-argument change
to use fileSystem.Directory.GetCurrentDirectory() to preserve testability and
consistent IFileSystem usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs`:
- Around line 36-43: The constructor currently allows an injected IFileSystem to
bypass scoping; always wrap the provided or a new FileSystem inside a
ScopedFileSystem to enforce the runtime security boundary. Replace the
null-coalescing that assigns _fileSystem with code that constructs new
ScopedFileSystem(inner: fileSystem ?? new FileSystem(), options: new
ScopedFileSystemOptions(...)) so the injected instance becomes the inner layer;
keep the existing AllowedHiddenFolderNames and AllowedHiddenFileNames in the
ScopedFileSystemOptions and assign the resulting ScopedFileSystem to _fileSystem
in the GitLinkIndexReader constructor.

In `@src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvReader.cs`:
- Around line 13-16: ReadWithSep currently special-cases a concrete
MockFileSystem and falls back to Sep.FromFile(filePath), which bypasses the
injected IFileSystem (FileSystemFactory.Real / InMemory) and breaks scoped
mocks; update ReadWithSep to accept an IFileSystem parameter (or add an
overload) and use that IFileSystem to read the file/derive the separator instead
of calling Sep.FromFile(filePath), ensuring ReadCsvFile (which already passes
fs) and any callers use the injected IFileSystem; reference ReadCsvFile,
ReadWithSep, IFileSystem, FileSystemFactory.Real / FileSystemFactory.InMemory
and Sep.FromFile when making the change.

---

Outside diff comments:
In
`@src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs`:
- Around line 125-126: The code calls the static File.Exists when it should use
the injected IFileSystem to respect the file-system abstraction; update the
check in the method that uses the IFileSystem parameter (fs) to call
fs.File.Exists(redirectsPath) before awaiting
githubActionsService.SetOutputAsync("redirects-artifact-path", redirectsPath) so
the behavior is testable and consistent with the other fs usages in
AssemblerBuildService.

In
`@src/services/Elastic.Documentation.Assembler/Deploying/IncrementalDeployService.cs`:
- Around line 53-55: The code directly constructs FileStream and StreamWriter
and calls File.ReadAllTextAsync() which bypasses the injected IFileSystem scope
enforcement; replace the direct FileStream/StreamWriter usage and the
File.ReadAllTextAsync() call with the fileSystem abstraction by using
fileSystem.File.WriteAllTextAsync(outputPath, output) (or equivalent
fileSystem.File.WriteAllTextAsync for the write) and
fileSystem.File.ReadAllTextAsync(...) for the read so that
IncrementalDeployService uses the injected fileSystem consistently (locate the
write sites around the FileStream/StreamWriter creation and the read site that
calls File.ReadAllTextAsync()).

In `@src/tooling/docs-builder/Commands/ChangelogCommand.cs`:
- Around line 291-292: The ChangelogConfigurationLoader is being constructed
with a direct new System.IO.Abstractions.FileSystem() which bypasses the scoped
filesystem; replace that explicit instantiation with the existing
injected/created _fileSystem (FileSystemFactory.Real) when calling new
ChangelogConfigurationLoader(...). Update the same pattern wherever
ChangelogConfigurationLoader is constructed in this file (the other occurrences
that currently use new System.IO.Abstractions.FileSystem()) so all filesystem
access uses the ScopedFileSystem (_fileSystem) and not a fresh FileSystem
instance; ensure the call to LoadChangelogConfiguration(collector, config, ctx)
remains unchanged.

In `@src/tooling/docs-builder/Filters/CheckForUpdatesFilter.cs`:
- Around line 65-83: The ReadAllTextAsync call on _stateFile and the HTTP/file
write logic (HttpClient.GetAsync and fileSystem.File.WriteAllTextAsync) can
throw and currently bubble up; change CheckForUpdatesFilter so both the read and
the whole update-check block catch and swallow non-fatal exceptions (IO,
security, network) and log them instead of rethrowing so the command degrades
gracefully; specifically wrap the ReadAllTextAsync(_stateFile.FullName, ctx) in
a try/catch that returns null on failure, and wrap the HTTP request +
WriteAllTextAsync sequence in a try/catch that logs the exception and continues
without failing the operation.

In `@src/tooling/docs-builder/Http/StaticWebHost.cs`:
- Around line 97-123: ServeRootIndex and ServeDocumentationFile currently
validate paths with Path.GetFullPath/StartsWith but a malicious symlink inside
the content root can still point outside; fix by resolving any symbolic links
for both files and directories before the sandbox check: use
FileInfo.ResolveLinkTarget (and DirectoryInfo.ResolveLinkTarget for directories)
in a loop to follow links to the final target, then compute the
finalTargetFullPath and assert it starts with the sanitized contentRoot +
Path.DirectorySeparatorChar; if it does not, return Results.NotFound(); apply
this resolution/validation to the indexPath handling in ServeRootIndex and to
localPath/fileInfo/directoryInfo handling in ServeDocumentationFile (use
_contentRoot, contentRoot, localPath, fileInfo, directoryInfo identifiers from
the diff).

---

Nitpick comments:
In
`@src/services/Elastic.Documentation.Assembler/Deploying/DeployUpdateRedirectsService.cs`:
- Line 15: In DeployUpdateRedirectsService update the call that creates a
DirectoryInfo so it uses the injected IFileSystem instead of the static
Directory API: replace the use of Directory.GetCurrentDirectory() when
constructing fileSystem.DirectoryInfo.New(...) so it reads
fileSystem.Directory.GetCurrentDirectory(); locate this in the
DeployUpdateRedirectsService constructor/initialization where
fileSystem.DirectoryInfo.New(...) is invoked and make the single-argument change
to use fileSystem.Directory.GetCurrentDirectory() to preserve testability and
consistent IFileSystem usage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 69eead30-c3dd-41dc-9d2a-8e9fc6b20bf1

📥 Commits

Reviewing files that changed from the base of the PR and between dc4a854 and 440ae70.

📒 Files selected for processing (53)

• Directory.Packages.props
• src/Elastic.Codex/Indexing/CodexIndexService.cs
• src/Elastic.Documentation.Configuration/ConfigurationFileProvider.cs
• src/Elastic.Documentation.Configuration/Elastic.Documentation.Configuration.csproj
• src/Elastic.Documentation.Configuration/FileSystemFactory.cs
• src/Elastic.Documentation.Configuration/Paths.cs
• src/Elastic.Documentation.LinkIndex/Elastic.Documentation.LinkIndex.csproj
• src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs
• src/Elastic.Documentation.Links/CrossLinks/CrossLinkFetcher.cs
• src/Elastic.Markdown/Extensions/DetectionRules/DetectionRulesDocsBuilderExtension.cs
• src/Elastic.Markdown/Extensions/IDocsBuilderExtension.cs
• src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvReader.cs
• src/authoring/Elastic.Documentation.Refactor/Tracking/LocalChangesService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogBundleAmendService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogBundlingService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogRemoveService.cs
• src/services/Elastic.Changelog/Bundling/PromotionReportParser.cs
• src/services/Elastic.Changelog/Creation/ChangelogCreationService.cs
• src/services/Elastic.Changelog/Evaluation/ChangelogPrEvaluationService.cs
• src/services/Elastic.Changelog/GithubRelease/GitHubReleaseChangelogService.cs
• src/services/Elastic.Changelog/Rendering/ChangelogRenderingService.cs
• src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs
• src/services/Elastic.Documentation.Assembler/Building/AssemblerSitemapService.cs
• src/services/Elastic.Documentation.Assembler/Configuration/ConfigurationCloneService.cs
• src/services/Elastic.Documentation.Assembler/ContentSources/RepositoryBuildMatchingService.cs
• src/services/Elastic.Documentation.Assembler/ContentSources/RepositoryPublishValidationService.cs
• src/services/Elastic.Documentation.Assembler/Deploying/DeployUpdateRedirectsService.cs
• src/services/Elastic.Documentation.Assembler/Deploying/IncrementalDeployService.cs
• src/services/Elastic.Documentation.Assembler/Indexing/AssemblerIndexService.cs
• src/services/Elastic.Documentation.Assembler/Sourcing/AssemblerCloneService.cs
• src/services/Elastic.Documentation.Isolated/IsolatedIndexService.cs
• src/tooling/docs-builder/Commands/Assembler/AssemblerCommands.cs
• src/tooling/docs-builder/Commands/Assembler/AssemblerIndexCommand.cs
• src/tooling/docs-builder/Commands/Assembler/AssemblerSitemapCommand.cs
• src/tooling/docs-builder/Commands/Assembler/ConfigurationCommands.cs
• src/tooling/docs-builder/Commands/Assembler/ContentSourceCommands.cs
• src/tooling/docs-builder/Commands/Assembler/DeployCommands.cs
• src/tooling/docs-builder/Commands/Assembler/NavigationCommands.cs
• src/tooling/docs-builder/Commands/ChangelogCommand.cs
• src/tooling/docs-builder/Commands/Codex/CodexCommands.cs
• src/tooling/docs-builder/Commands/Codex/CodexIndexCommand.cs
• src/tooling/docs-builder/Commands/Codex/CodexUpdateRedirectsCommand.cs
• src/tooling/docs-builder/Commands/DiffCommands.cs
• src/tooling/docs-builder/Commands/FormatCommand.cs
• src/tooling/docs-builder/Commands/InboundLinkCommands.cs
• src/tooling/docs-builder/Commands/IndexCommand.cs
• src/tooling/docs-builder/Commands/IsolatedBuildCommand.cs
• src/tooling/docs-builder/Commands/MoveCommand.cs
• src/tooling/docs-builder/Commands/ServeCommand.cs
• src/tooling/docs-builder/DocumentationTooling.cs
• src/tooling/docs-builder/Filters/CheckForUpdatesFilter.cs
• src/tooling/docs-builder/Http/InMemoryBuildState.cs
• src/tooling/docs-builder/Http/StaticWebHost.cs

[coderabbitai]

♻️ Duplicate comments (1)

src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs (1)

29-36: ⚠️ Potential issue | 🟠 Major

Enforce scoping even when fileSystem is injected

At Line 35, the null-coalescing assignment allows a caller to pass an unscoped IFileSystem, which bypasses the runtime filesystem security boundary this PR is introducing.

Suggested fix

 public GitLinkIndexReader(string environment, IFileSystem? fileSystem = null, bool skipFetch = false)
 {
 	if (string.IsNullOrWhiteSpace(environment))
 		throw new ArgumentException("Environment must be specified in the codex configuration (e.g., 'internal', 'security').", nameof(environment));

 	_environment = environment;
-	_fileSystem = fileSystem ?? FileSystemFactory.AppData;
+	_fileSystem = fileSystem is null
+		? FileSystemFactory.AppData
+		: FileSystemFactory.CreateScoped(fileSystem);
 	_skipFetch = skipFetch;
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs` around lines 29 -
36, The constructor for GitLinkIndexReader currently assigns _fileSystem =
fileSystem ?? FileSystemFactory.AppData which lets an unscoped IFileSystem
bypass the new runtime security boundary; instead, ensure any injected
fileSystem is converted/wrapped into a scoped instance before assignment (e.g.,
use the FileSystemFactory’s scoping API to produce a scoped IFileSystem for the
given environment) so that _fileSystem always enforces the environment scope
even when a non-null IFileSystem is passed into GitLinkIndexReader.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs`:
- Around line 29-36: The constructor for GitLinkIndexReader currently assigns
_fileSystem = fileSystem ?? FileSystemFactory.AppData which lets an unscoped
IFileSystem bypass the new runtime security boundary; instead, ensure any
injected fileSystem is converted/wrapped into a scoped instance before
assignment (e.g., use the FileSystemFactory’s scoping API to produce a scoped
IFileSystem for the given environment) so that _fileSystem always enforces the
environment scope even when a non-null IFileSystem is passed into
GitLinkIndexReader.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 759c70d1-0db2-47ba-9cb2-e987da938346

📥 Commits

Reviewing files that changed from the base of the PR and between 440ae70 and 4aa7056.

📒 Files selected for processing (6)

• src/Elastic.Documentation.Configuration/ConfigurationFileProvider.cs
• src/Elastic.Documentation.Configuration/FileSystemFactory.cs
• src/Elastic.Documentation.LinkIndex/Elastic.Documentation.LinkIndex.csproj
• src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs
• src/Elastic.Documentation.Links/CrossLinks/CrossLinkFetcher.cs
• src/tooling/docs-builder/Filters/CheckForUpdatesFilter.cs

✅ Files skipped from review due to trivial changes (1)

• src/Elastic.Documentation.LinkIndex/Elastic.Documentation.LinkIndex.csproj

🚧 Files skipped from review as they are similar to previous changes (3)

• src/Elastic.Documentation.Configuration/ConfigurationFileProvider.cs
• src/Elastic.Documentation.Links/CrossLinks/CrossLinkFetcher.cs
• src/Elastic.Documentation.Configuration/FileSystemFactory.cs

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

RFC-nav-v2-migration-overview.md (1)

211-213: Add language specifiers to CLI examples.

Same issue as the main RFC — lines 211, 231, and 243 have fenced code blocks without language specifiers.

📝 Proposed fix

-```
+```shell
 docs-builder assembler apply-nav-restructure --repo docs-content

Apply similarly to lines 231 and 243.

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @RFC-nav-v2-migration-overview.md around lines 211 - 213, The fenced code
blocks containing the CLI command docs-builder assembler apply-nav-restructure
--repo docs-content (and the two other similar blocks at the same spots) lack
language specifiers; update each triple-backtick fence that wraps that command
to include a shell language tag (e.g., ```shell) so the blocks at the
occurrences of "docs-builder assembler apply-nav-restructure --repo
docs-content" render correctly and get shell syntax highlighting.

</details>

</blockquote></details>
<details>
<summary>RFC-nav-v2-migration.md (1)</summary><blockquote>

`392-395`: **Add language specifier to fenced code blocks.**

The CLI command examples at lines 392, 415, and 435 are missing language specifiers, which triggers markdownlint warnings.


<details>
<summary>📝 Proposed fix</summary>

```diff
-```
+```shell
 docs-builder assembler validate-nav-migration
 ```
```

Apply the same fix to lines 435 (`docs-builder assembler apply-nav-restructure`) and the example output blocks at lines 415 and 243.

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@RFC-nav-v2-migration.md` around lines 392 - 395, Add a language specifier
(e.g., "shell") to the fenced code blocks that contain the CLI commands and
example outputs so markdownlint warnings are resolved; update the blocks
containing the commands "docs-builder assembler validate-nav-migration" and
"docs-builder assembler apply-nav-restructure" and the example output blocks
that show CLI results (the blocks containing the example output text) by
changing their opening triple-backticks to include "shell" (or an appropriate
language) so the fenced blocks are correctly annotated.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @src/tooling/docs-builder/Commands/ChangelogCommand.cs:

• Line 42: Replace direct instantiations of System.IO.Abstractions.FileSystem
  passed into ChangelogConfigurationLoader with the scoped filesystem instance:
  use the existing _fileSystem field (or FileSystemFactory.RealRead where
  appropriate) instead of new System.IO.Abstractions.FileSystem() in the
  ChangelogCommand class; update the calls that create a
  ChangelogConfigurationLoader in the Create, Bundle, Remove and GitHubRelease
  command handlers so they pass _fileSystem (or FileSystemFactory.RealRead) to
  ChangelogConfigurationLoader's constructor to ensure all filesystem operations
  are scoped consistently.

---

Nitpick comments:
In @RFC-nav-v2-migration-overview.md:

• Around line 211-213: The fenced code blocks containing the CLI command
  docs-builder assembler apply-nav-restructure --repo docs-content (and the two
  other similar blocks at the same spots) lack language specifiers; update each
  triple-backtick fence that wraps that command to include a shell language tag
  (e.g., ```shell) so the blocks at the occurrences of "docs-builder assembler
  apply-nav-restructure --repo docs-content" render correctly and get shell syntax
  highlighting.

In @RFC-nav-v2-migration.md:

• Around line 392-395: Add a language specifier (e.g., "shell") to the fenced
  code blocks that contain the CLI commands and example outputs so markdownlint
  warnings are resolved; update the blocks containing the commands "docs-builder
  assembler validate-nav-migration" and "docs-builder assembler
  apply-nav-restructure" and the example output blocks that show CLI results (the
  blocks containing the example output text) by changing their opening
  triple-backticks to include "shell" (or an appropriate language) so the fenced
  blocks are correctly annotated.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Path: .coderabbit.yaml

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `97c9a6f7-08bc-486d-bdf2-ee3beb598fee`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 4aa7056b0d34e5c0821b1fff34af2dc4be7b115a and fc45b448e834035363245162b3897030a2cf57a8.

</details>

<details>
<summary>⛔ Files ignored due to path filters (14)</summary>

* `rfc-diagrams/1-v1-architecture-path-flow.png` is excluded by `!**/*.png`
* `rfc-diagrams/1-v1-architecture-path-flow.svg` is excluded by `!**/*.svg`
* `rfc-diagrams/2-per-repo-loading-flow.png` is excluded by `!**/*.png`
* `rfc-diagrams/2-per-repo-loading-flow.svg` is excluded by `!**/*.svg`
* `rfc-diagrams/3-virtual-remap-example.png` is excluded by `!**/*.png`
* `rfc-diagrams/3-virtual-remap-example.svg` is excluded by `!**/*.svg`
* `rfc-diagrams/4-dual-path-providers.png` is excluded by `!**/*.png`
* `rfc-diagrams/4-dual-path-providers.svg` is excluded by `!**/*.svg`
* `rfc-diagrams/5-per-repo-migration-lifecycle.png` is excluded by `!**/*.png`
* `rfc-diagrams/5-per-repo-migration-lifecycle.svg` is excluded by `!**/*.svg`
* `rfc-diagrams/6-dual-validation-build-flow.png` is excluded by `!**/*.png`
* `rfc-diagrams/6-dual-validation-build-flow.svg` is excluded by `!**/*.svg`
* `rfc-diagrams/7-integration-pipeline.png` is excluded by `!**/*.png`
* `rfc-diagrams/7-integration-pipeline.svg` is excluded by `!**/*.svg`

</details>

<details>
<summary>📒 Files selected for processing (34)</summary>

* `RFC-nav-v2-migration-overview.md`
* `RFC-nav-v2-migration.md`
* `src/Elastic.Documentation.Configuration/ConfigurationFileProvider.cs`
* `src/Elastic.Documentation.Configuration/FileSystemFactory.cs`
* `src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvReader.cs`
* `src/services/Elastic.Changelog/Bundling/ChangelogBundleAmendService.cs`
* `src/services/Elastic.Changelog/Bundling/ChangelogBundlingService.cs`
* `src/services/Elastic.Changelog/Bundling/ChangelogRemoveService.cs`
* `src/services/Elastic.Changelog/Bundling/PromotionReportParser.cs`
* `src/services/Elastic.Changelog/Creation/ChangelogCreationService.cs`
* `src/services/Elastic.Changelog/Evaluation/ChangelogPrEvaluationService.cs`
* `src/services/Elastic.Changelog/GithubRelease/GitHubReleaseChangelogService.cs`
* `src/services/Elastic.Changelog/Rendering/ChangelogRenderingService.cs`
* `src/services/Elastic.Documentation.Assembler/Sourcing/AssemblerCloneService.cs`
* `src/tooling/docs-builder/Commands/Assembler/AssemblerCommands.cs`
* `src/tooling/docs-builder/Commands/Assembler/AssemblerIndexCommand.cs`
* `src/tooling/docs-builder/Commands/Assembler/AssemblerSitemapCommand.cs`
* `src/tooling/docs-builder/Commands/Assembler/ConfigurationCommands.cs`
* `src/tooling/docs-builder/Commands/Assembler/ContentSourceCommands.cs`
* `src/tooling/docs-builder/Commands/Assembler/DeployCommands.cs`
* `src/tooling/docs-builder/Commands/Assembler/NavigationCommands.cs`
* `src/tooling/docs-builder/Commands/ChangelogCommand.cs`
* `src/tooling/docs-builder/Commands/Codex/CodexCommands.cs`
* `src/tooling/docs-builder/Commands/Codex/CodexIndexCommand.cs`
* `src/tooling/docs-builder/Commands/Codex/CodexUpdateRedirectsCommand.cs`
* `src/tooling/docs-builder/Commands/DiffCommands.cs`
* `src/tooling/docs-builder/Commands/FormatCommand.cs`
* `src/tooling/docs-builder/Commands/InboundLinkCommands.cs`
* `src/tooling/docs-builder/Commands/IndexCommand.cs`
* `src/tooling/docs-builder/Commands/IsolatedBuildCommand.cs`
* `src/tooling/docs-builder/Commands/MoveCommand.cs`
* `src/tooling/docs-builder/Commands/ServeCommand.cs`
* `src/tooling/docs-builder/Http/InMemoryBuildState.cs`
* `src/tooling/docs-builder/Http/StaticWebHost.cs`

</details>

<details>
<summary>✅ Files skipped from review due to trivial changes (8)</summary>

* src/tooling/docs-builder/Commands/FormatCommand.cs
* src/tooling/docs-builder/Commands/MoveCommand.cs
* src/tooling/docs-builder/Commands/Assembler/AssemblerSitemapCommand.cs
* src/tooling/docs-builder/Commands/Assembler/AssemblerCommands.cs
* src/tooling/docs-builder/Commands/Assembler/AssemblerIndexCommand.cs
* src/tooling/docs-builder/Commands/Codex/CodexCommands.cs
* src/tooling/docs-builder/Commands/Assembler/DeployCommands.cs
* src/tooling/docs-builder/Http/InMemoryBuildState.cs

</details>

<details>
<summary>🚧 Files skipped from review as they are similar to previous changes (13)</summary>

* src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvReader.cs
* src/tooling/docs-builder/Commands/Assembler/ConfigurationCommands.cs
* src/services/Elastic.Changelog/Bundling/ChangelogRemoveService.cs
* src/tooling/docs-builder/Commands/Codex/CodexUpdateRedirectsCommand.cs
* src/services/Elastic.Documentation.Assembler/Sourcing/AssemblerCloneService.cs
* src/tooling/docs-builder/Commands/ServeCommand.cs
* src/tooling/docs-builder/Commands/DiffCommands.cs
* src/services/Elastic.Changelog/Evaluation/ChangelogPrEvaluationService.cs
* src/services/Elastic.Changelog/Bundling/ChangelogBundlingService.cs
* src/services/Elastic.Changelog/GithubRelease/GitHubReleaseChangelogService.cs
* src/tooling/docs-builder/Http/StaticWebHost.cs
* src/tooling/docs-builder/Commands/Assembler/ContentSourceCommands.cs
* src/tooling/docs-builder/Commands/InboundLinkCommands.cs

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

src/Elastic.Codex/CodexContext.cs (1)

52-53: ⚠️ Potential issue | 🟠 Major

Materialize OutputDirectory from WriteFileSystem, not ReadFileSystem.

You now accept separate read/write filesystems, but OutputDirectory is still created from ReadFileSystem on Line 53. If scopes differ, writes can target a directory that wasn’t resolved in the write scope.

Suggested fix

 		var defaultOutputDirectory = Path.Join(Paths.WorkingDirectoryRoot.FullName, ".artifacts", "codex", "docs");
-		OutputDirectory = ReadFileSystem.DirectoryInfo.New(outputDirectory ?? defaultOutputDirectory);
+		OutputDirectory = WriteFileSystem.DirectoryInfo.New(outputDirectory ?? defaultOutputDirectory);
 	}
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Elastic.Codex/CodexContext.cs` around lines 52 - 53, OutputDirectory is
currently materialized using ReadFileSystem.DirectoryInfo.New; change it to use
WriteFileSystem.DirectoryInfo.New so the directory is resolved in the write
scope (replace ReadFileSystem.DirectoryInfo.New(...) with
WriteFileSystem.DirectoryInfo.New(...), applied to the OutputDirectory
assignment that uses defaultOutputDirectory and the optional outputDirectory
parameter). Ensure you reference the same defaultOutputDirectory calculation and
the OutputDirectory property so writes target the write filesystem.

src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs (1)

126-127: ⚠️ Potential issue | 🟠 Major

Use scoped filesystem for existence checks.

Line 126 uses System.IO.File.Exists, which bypasses the scoped filesystem boundary. Use fs.File.Exists(redirectsPath) instead—the same method already uses the scoped filesystem pattern elsewhere, and this ensures consistent boundary enforcement.

Suggested fix

-		if (File.Exists(redirectsPath))
+		if (fs.File.Exists(redirectsPath))
 			await githubActionsService.SetOutputAsync("redirects-artifact-path", redirectsPath);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs`
around lines 126 - 127, Replace the direct System.IO file existence check with
the scoped filesystem's check: in AssemblerBuildService (method containing the
redirectsPath logic) change the use of File.Exists(redirectsPath) to use the
injected/scoped fs.File.Exists(redirectsPath) so the existence check respects
the scoped filesystem boundary before calling
githubActionsService.SetOutputAsync("redirects-artifact-path", redirectsPath).

src/services/Elastic.Documentation.Assembler/AssembleContext.cs (1)

60-102: ⚠️ Potential issue | 🟠 Major

Use WriteFileSystem when initializing OutputDirectory.

Line 95 initializes OutputDirectory from ReadFileSystem, but the property represents the output/write directory. Test cases in NavigationRootTests.cs:50 and NavigationBuildingTests.cs:50 pass different read and write filesystem instances, confirming the architecture supports scoped filesystems. Using the wrong instance here breaks scope enforcement.

Fix

-		OutputDirectory = ReadFileSystem.DirectoryInfo.New(output ?? defaultOutputDirectory);
+		OutputDirectory = WriteFileSystem.DirectoryInfo.New(output ?? defaultOutputDirectory);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/services/Elastic.Documentation.Assembler/AssembleContext.cs` around lines
60 - 102, AssembleContext's constructor incorrectly uses ReadFileSystem to
create OutputDirectory; change the creation of OutputDirectory to use
WriteFileSystem.DirectoryInfo.New(output ?? defaultOutputDirectory) so the
output directory is created in the write-scoped filesystem. Keep
CheckoutDirectory created from ReadFileSystem but ensure OutputDirectory and
subsequent OutputWithPathPrefixDirectory are based on WriteFileSystem (refer to
AssembleContext, OutputDirectory, OutputWithPathPrefixDirectory, ReadFileSystem,
WriteFileSystem).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/services/Elastic.Changelog/Rendering/ChangelogRenderingService.cs`:
- Line 73: The field initialization uses FileSystemFactory.RealRead which
prevents writes and causes access denied errors when this service creates
directories or when ChangelogRenderer calls WriteAllTextAsync; change the
initialization of the ScopedFileSystem field (named _fileSystem) to use
FileSystemFactory.RealWrite instead of RealRead so the service can create
directories and write changelog files (keeps same scope as RealRead and avoids
writing .git metadata).

In
`@tests-integration/Elastic.Assembler.IntegrationTests/NavigationBuildingTests.cs`:
- Line 50: AssembleContext is being constructed with the second filesystem
wrapped using FileSystemFactory.WrapToRead, which grants read access to .git
metadata; change the second filesystem argument to use
FileSystemFactory.WrapToWrite(new MockFileSystem()) so the writeFileSystem
parameter gets the correct write-wrapped FS and WriteOptions block .git access
(locate the AssembleContext(...) call and replace
FileSystemFactory.WrapToRead(new MockFileSystem()) with
FileSystemFactory.WrapToWrite(new MockFileSystem())).

In `@tests/Navigation.Tests/Codex/CodexNavigationTestBase.cs`:
- Around line 83-84: The WriteFileSystem property is mistakenly wrapping
_fileSystem with FileSystemFactory.WrapToRead instead of using the write
wrapper; change the WriteFileSystem getter to return
FileSystemFactory.WrapToWrite(_fileSystem) (leave ReadFileSystem as WrapToRead).
Update CodexNavigationTestBase's WriteFileSystem property (and any other test
classes with the same pattern) to use WrapToWrite so write-mode semantics are
applied where tests call WriteFileSystem (e.g., mover.Execute()).

In `@tests/Navigation.Tests/Codex/GroupNavigationTests.cs`:
- Line 142: The WriteFileSystem property is incorrectly returning a read-scoped
wrapper; update the property so it returns a write-scoped wrapper by replacing
the use of FileSystemFactory.WrapToRead(_fs) with
FileSystemFactory.WrapToWrite(_fs), ensuring WriteFileSystem uses the write
scope (which enforces .git restrictions) rather than the read scope for _fs.

---

Outside diff comments:
In `@src/Elastic.Codex/CodexContext.cs`:
- Around line 52-53: OutputDirectory is currently materialized using
ReadFileSystem.DirectoryInfo.New; change it to use
WriteFileSystem.DirectoryInfo.New so the directory is resolved in the write
scope (replace ReadFileSystem.DirectoryInfo.New(...) with
WriteFileSystem.DirectoryInfo.New(...), applied to the OutputDirectory
assignment that uses defaultOutputDirectory and the optional outputDirectory
parameter). Ensure you reference the same defaultOutputDirectory calculation and
the OutputDirectory property so writes target the write filesystem.

In `@src/services/Elastic.Documentation.Assembler/AssembleContext.cs`:
- Around line 60-102: AssembleContext's constructor incorrectly uses
ReadFileSystem to create OutputDirectory; change the creation of OutputDirectory
to use WriteFileSystem.DirectoryInfo.New(output ?? defaultOutputDirectory) so
the output directory is created in the write-scoped filesystem. Keep
CheckoutDirectory created from ReadFileSystem but ensure OutputDirectory and
subsequent OutputWithPathPrefixDirectory are based on WriteFileSystem (refer to
AssembleContext, OutputDirectory, OutputWithPathPrefixDirectory, ReadFileSystem,
WriteFileSystem).

In
`@src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs`:
- Around line 126-127: Replace the direct System.IO file existence check with
the scoped filesystem's check: in AssemblerBuildService (method containing the
redirectsPath logic) change the use of File.Exists(redirectsPath) to use the
injected/scoped fs.File.Exists(redirectsPath) so the existence check respects
the scoped filesystem boundary before calling
githubActionsService.SetOutputAsync("redirects-artifact-path", redirectsPath).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4dfe1b12-c857-4ddc-9ac5-8db10bfa1a73

📥 Commits

Reviewing files that changed from the base of the PR and between 85ec97e and f0782e4.

📒 Files selected for processing (78)

• src/Elastic.Codex/Building/CodexBuildService.cs
• src/Elastic.Codex/CodexContext.cs
• src/Elastic.Codex/Indexing/CodexIndexService.cs
• src/Elastic.Documentation.Configuration/BuildContext.cs
• src/Elastic.Documentation.Configuration/FileSystemFactory.cs
• src/Elastic.Documentation.Configuration/Toc/DocumentationSetFile.cs
• src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs
• src/Elastic.Documentation.Links/CrossLinks/CrossLinkFetcher.cs
• src/Elastic.Documentation/Elastic.Documentation.csproj
• src/Elastic.Documentation/IDocumentationContext.cs
• src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvReader.cs
• src/authoring/Elastic.Documentation.Refactor/FormatService.cs
• src/authoring/Elastic.Documentation.Refactor/MoveFileService.cs
• src/authoring/Elastic.Documentation.Refactor/Tracking/LocalChangesService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogBundleAmendService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogBundlingService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogRemoveService.cs
• src/services/Elastic.Changelog/Bundling/ProfileFilterResolver.cs
• src/services/Elastic.Changelog/Bundling/PromotionReportParser.cs
• src/services/Elastic.Changelog/Creation/ChangelogCreationService.cs
• src/services/Elastic.Changelog/Evaluation/ChangelogPrEvaluationService.cs
• src/services/Elastic.Changelog/GithubRelease/GitHubReleaseChangelogService.cs
• src/services/Elastic.Changelog/Rendering/ChangelogRenderer.cs
• src/services/Elastic.Changelog/Rendering/ChangelogRenderingService.cs
• src/services/Elastic.Changelog/Rendering/Markdown/BreakingChangesMarkdownRenderer.cs
• src/services/Elastic.Changelog/Rendering/Markdown/ChangelogMarkdownRenderer.cs
• src/services/Elastic.Changelog/Rendering/Markdown/DeprecationsMarkdownRenderer.cs
• src/services/Elastic.Changelog/Rendering/Markdown/HighlightsMarkdownRenderer.cs
• src/services/Elastic.Changelog/Rendering/Markdown/IndexMarkdownRenderer.cs
• src/services/Elastic.Changelog/Rendering/Markdown/KnownIssuesMarkdownRenderer.cs
• src/services/Elastic.Changelog/Rendering/Markdown/MarkdownRendererBase.cs
• src/services/Elastic.Documentation.Assembler/AssembleContext.cs
• src/services/Elastic.Documentation.Assembler/Building/AssemblerBuildService.cs
• src/services/Elastic.Documentation.Assembler/Building/AssemblerSitemapService.cs
• src/services/Elastic.Documentation.Assembler/ContentSources/RepositoryBuildMatchingService.cs
• src/services/Elastic.Documentation.Assembler/ContentSources/RepositoryPublishValidationService.cs
• src/services/Elastic.Documentation.Assembler/Deploying/IncrementalDeployService.cs
• src/services/Elastic.Documentation.Assembler/Elastic.Documentation.Assembler.csproj
• src/services/Elastic.Documentation.Assembler/Indexing/AssemblerIndexService.cs
• src/services/Elastic.Documentation.Assembler/Navigation/GlobalNavigationService.cs
• src/services/Elastic.Documentation.Isolated/IsolatedBuildService.cs
• src/services/Elastic.Documentation.Isolated/IsolatedIndexService.cs
• src/tooling/docs-builder/Http/DocumentationWebHost.cs
• src/tooling/docs-builder/Http/InMemoryBuildState.cs
• tests-integration/Elastic.Assembler.IntegrationTests/AssemblerConfigurationTests.cs
• tests-integration/Elastic.Assembler.IntegrationTests/DocsSyncTests.cs
• tests-integration/Elastic.Assembler.IntegrationTests/NavigationBuildingTests.cs
• tests-integration/Elastic.Assembler.IntegrationTests/NavigationRootTests.cs
• tests-integration/Elastic.Assembler.IntegrationTests/SiteNavigationTests.cs
• tests/Elastic.ApiExplorer.Tests/Elastic.ApiExplorer.Tests.csproj
• tests/Elastic.ApiExplorer.Tests/ReaderTests.cs
• tests/Elastic.Changelog.Tests/Changelogs/BundleChangelogsTests.cs
• tests/Elastic.Changelog.Tests/Changelogs/ChangelogRemoveTests.cs
• tests/Elastic.Changelog.Tests/Changelogs/ChangelogTestBase.cs
• tests/Elastic.Changelog.Tests/Elastic.Changelog.Tests.csproj
• tests/Elastic.Documentation.Configuration.Tests/CrossLinkRegistryTests.cs
• tests/Elastic.Documentation.Configuration.Tests/DocumentationSetFileTests.cs
• tests/Elastic.Markdown.Tests/Assembler/AssemblerHtmxMarkdownLinkTests.cs
• tests/Elastic.Markdown.Tests/Codex/CodexHtmxCrossLinkTests.cs
• tests/Elastic.Markdown.Tests/Directives/CsvIncludeTests.cs
• tests/Elastic.Markdown.Tests/Directives/DirectiveBaseTests.cs
• tests/Elastic.Markdown.Tests/DocSet/NavigationTestsBase.cs
• tests/Elastic.Markdown.Tests/Elastic.Markdown.Tests.csproj
• tests/Elastic.Markdown.Tests/Inline/ImagePathResolutionTests.cs
• tests/Elastic.Markdown.Tests/Inline/InlneBaseTests.cs
• tests/Elastic.Markdown.Tests/OutputDirectoryTests.cs
• tests/Elastic.Markdown.Tests/RootIndexValidationTests.cs
• tests/Navigation.Tests/Assembler/ComplexSiteNavigationTests.cs
• tests/Navigation.Tests/Assembler/IdentifierCollectionTests.cs
• tests/Navigation.Tests/Assembler/SiteDocumentationSetsTests.cs
• tests/Navigation.Tests/Assembler/SiteNavigationTests.cs
• tests/Navigation.Tests/Codex/CodexNavigationTestBase.cs
• tests/Navigation.Tests/Codex/GroupNavigationTests.cs
• tests/Navigation.Tests/Isolation/PhysicalDocsetTests.cs
• tests/Navigation.Tests/Navigation.Tests.csproj
• tests/Navigation.Tests/TestDocumentationSetContext.cs
• tests/authoring/Framework/CrossLinkResolverAssertions.fs
• tests/authoring/Framework/Setup.fs

✅ Files skipped from review due to trivial changes (9)

• src/Elastic.Documentation/Elastic.Documentation.csproj
• src/services/Elastic.Documentation.Assembler/Elastic.Documentation.Assembler.csproj
• tests/Elastic.ApiExplorer.Tests/Elastic.ApiExplorer.Tests.csproj
• tests/Elastic.Markdown.Tests/Codex/CodexHtmxCrossLinkTests.cs
• tests/Navigation.Tests/Navigation.Tests.csproj
• tests/Elastic.Changelog.Tests/Elastic.Changelog.Tests.csproj
• src/tooling/docs-builder/Http/InMemoryBuildState.cs
• tests/Navigation.Tests/Isolation/PhysicalDocsetTests.cs
• tests/Elastic.Markdown.Tests/Elastic.Markdown.Tests.csproj

🚧 Files skipped from review as they are similar to previous changes (16)

• src/services/Elastic.Documentation.Assembler/Indexing/AssemblerIndexService.cs
• src/services/Elastic.Documentation.Assembler/Deploying/IncrementalDeployService.cs
• src/services/Elastic.Documentation.Assembler/ContentSources/RepositoryBuildMatchingService.cs
• src/authoring/Elastic.Documentation.Refactor/Tracking/LocalChangesService.cs
• src/services/Elastic.Documentation.Assembler/Building/AssemblerSitemapService.cs
• src/services/Elastic.Documentation.Isolated/IsolatedBuildService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogBundlingService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogBundleAmendService.cs
• src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvReader.cs
• src/services/Elastic.Changelog/Bundling/PromotionReportParser.cs
• src/services/Elastic.Changelog/GithubRelease/GitHubReleaseChangelogService.cs
• src/services/Elastic.Changelog/Bundling/ChangelogRemoveService.cs
• src/Elastic.Documentation.Configuration/FileSystemFactory.cs
• src/Elastic.Documentation.LinkIndex/GitLinkIndexReader.cs
• src/services/Elastic.Changelog/Evaluation/ChangelogPrEvaluationService.cs
• src/services/Elastic.Changelog/Creation/ChangelogCreationService.cs