
fix(security): skip symlinks when pinning repos#5

Merged
Canvinus merged 1 commit into main from hotfix/ipfs-symlink-leak on Jun 5, 2026

Conversation

@Canvinus Canvinus commented Jun 5, 2026

Contributor

Summary

  • skip symlinks and non-regular files before adding verified repos to IPFS
  • resolve the upload root and reject resolved paths outside that root
  • add regression tests for symlinked files/directories pointing outside the repo

Verification

  • docker run --rm -v /Users/andrey/Documents/SourceScan/verifier-back:/src:ro -w /tmp/work node:24-alpine sh -lc 'cp -a /src/nest/. . && npm ci && npm test -- --runInBand && npm run build'
  • 9 Jest suites passed, 41 tests passed
  • nest build passed
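As an added example, not code from the PR or the SourceScan project: a TypeScript walker implementing the two rules the summary lists, namely lstat each entry so a symlink is seen as a link rather than as its target, drop non-regular files, and resolve every link and accept it only when its real path stays inside the resolved upload root. It also keeps in-repo file links, the refinement the automated review below asks for. `collectPinnableFiles`, `isPathInsideRoot` and `buildFixture` are names chosen for this example (the PR's own `isPathInsideRoot` is not visible on this page), and the fixture directory, files and link targets are constructed for the demonstration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (this example's own, not the PR's): true when `candidate`
// is `root` itself or lies beneath it. Both arguments must already be resolved
// with realpath so that ".." segments and symlinks cannot fool the comparison.
export function isPathInsideRoot(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "") return true;
  if (path.isAbsolute(rel)) return false; // different filesystem root
  return rel !== ".." && !rel.startsWith(`..${path.sep}`);
}

export interface CollectResult {
  kept: string[];    // repo-relative paths that would be added to IPFS
  skipped: string[]; // repo-relative paths dropped, each with its reason
}

// Walk a checked-out repo and decide, per entry, whether it may be pinned.
export function collectPinnableFiles(repoDir: string): CollectResult {
  const root = fs.realpathSync(repoDir);
  const kept: string[] = [];
  const skipped: string[] = [];

  const walk = (dir: string): void => {
    for (const entry of fs.readdirSync(dir)) {
      const fullPath = path.join(dir, entry);
      const rel = path.relative(root, fullPath);
      // lstat reports the link itself; stat would silently follow it and
      // describe the target, making isSymbolicLink() always false.
      const lst = fs.lstatSync(fullPath);

      if (lst.isSymbolicLink()) {
        let target: string;
        try {
          target = fs.realpathSync(fullPath);
        } catch {
          skipped.push(`${rel}: dangling symlink`);
          continue;
        }
        if (!isPathInsideRoot(root, target)) {
          skipped.push(`${rel}: symlink resolves outside root`);
          continue;
        }
        const tst = fs.statSync(target);
        if (tst.isDirectory()) {
          // The real directory is walked on its own; following the link
          // would duplicate content and risk a symlink cycle.
          skipped.push(`${rel}: in-repo directory symlink (real path is pinned)`);
          continue;
        }
        if (!tst.isFile()) {
          skipped.push(`${rel}: symlink to non-regular file`);
          continue;
        }
        kept.push(rel); // in-repo file link: keep it so the tree still rebuilds
        continue;
      }
      if (lst.isDirectory()) {
        walk(fullPath);
        continue;
      }
      if (!lst.isFile()) {
        skipped.push(`${rel}: not a regular file`);
        continue;
      }
      kept.push(rel);
    }
  };

  walk(root);
  return { kept: kept.sort(), skipped: skipped.sort() };
}

// Constructed fixture: a fake checkout with one in-repo file link, one
// in-repo directory link, and two links pointing at a directory outside it.
export function buildFixture(): string {
  const repo = fs.mkdtempSync(path.join(os.tmpdir(), "pin-repo-"));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "pin-outside-"));
  fs.mkdirSync(path.join(repo, "src"));
  fs.writeFileSync(path.join(repo, "src", "main.ts"), "export const x = 1;\n");
  fs.writeFileSync(path.join(repo, "README.md"), "# demo\n");
  fs.writeFileSync(path.join(outside, "secret.env"), "TOKEN=constructed\n");
  fs.symlinkSync(path.join(repo, "README.md"), path.join(repo, "README.link"));  // in-repo file
  fs.symlinkSync(path.join(repo, "src"), path.join(repo, "srclink"));            // in-repo dir
  fs.symlinkSync(path.join(outside, "secret.env"), path.join(repo, "leak.env")); // external file
  fs.symlinkSync(outside, path.join(repo, "leakdir"));                           // external dir
  return repo;
}
```

Running `collectPinnableFiles(buildFixture())` keeps `README.link`, `README.md` and `src/main.ts`, and skips `leak.env` and `leakdir` as resolving outside the root and `srclink` as an in-repo directory link. The important design point is the `lstatSync` call: with `statSync` the external `leak.env` would present as an ordinary file and be pinned, which is exactly the leak the hotfix branch name refers to.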

@Canvinus Canvinus merged commit 03f03ea into main Jun 5, 2026
2 checks passed
@Canvinus Canvinus deleted the hotfix/ipfs-symlink-leak branch June 5, 2026 21:00

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06d8371f21


Comment on lines +129 to +133
if (stats.isSymbolicLink()) {
this.logger.warn(
`Skipping symbolic link while adding to IPFS: ${fullPath}`,
);
continue;
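Review bot: `stats.isSymbolicLink()` at the top of this region is only ever true when `stats` was produced by `lstat`/`lstatSync`; a `stat` call follows the link and returns the target's stats, in which case this branch never fires and a link pointing outside the checkout is classified as a regular file and pinned. Please confirm the stat call feeding `stats` is the non-following variant, and consider covering that in the regression tests (a symlinked external file must appear in the skip log, not in the CID).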


P2: Preserve in-repo symlinks when pinning sources

When a verified Git repo contains a symlink whose target is still inside the checked-out repo, this unconditional skip drops that source path from the CID even though the build may have followed it successfully. Since verify.controller.ts stores this CID as the pinned source snapshot after checkout and verification, users fetching the pinned source can get a tree that no longer matches or rebuilds the verified commit; the existing isPathInsideRoot check below can distinguish safe in-repo targets from external ones instead of skipping both.
