fix(Mountain): Improve path security checks and logging for workspace access violations

Signed-off-by: Nikola Hristov <Nikola@PlayForm.Cloud>

Author: NikolaRHristov

Source/Environment/Utility/PathSecurity.rs

@@ -63,16 +63,57 @@ pub fn IsPathAllowedForAccess(ApplicationState:&ApplicationState, PathToCheck:&P
 		return Ok(());
 	}
 
+	// Use canonical paths on both sides so that prefix-matching survives
+	// macOS's `/Volumes/<vol>/...` vs `/private/var/...` resolution and
+	// any symlinked submodule roots. Cocoon's URI strip yields the user-
+	// visible path (`/Volumes/CORSAIR/.../Land/Dependency/...`) while the
+	// workspace folder URL stays as built from `from_directory_path` -
+	// these can disagree on platforms where the resolved canonical path
+	// differs from the URI-derived one (encoded mount-point indirection,
+	// case-insensitive HFS+, etc.). Without this, a workspace with deep
+	// submodule trees rejects every read that walks past the first level
+	// even though the path is a literal descendant of the open folder.
+	let CanonicalPathToCheck = PathToCheck
+		.canonicalize()
+		.unwrap_or_else(|_| PathToCheck.to_path_buf());
 	let IsAllowed = FoldersGuard.iter().any(|Folder| {
-		match Folder.URI.to_file_path() {
-			Ok(FolderPath) => PathToCheck.starts_with(FolderPath),
-			Err(_) => false,
-		}
+		let FolderPath = match Folder.URI.to_file_path() {
+			Ok(P) => P,
+			Err(_) => return false,
+		};
+		let CanonicalFolderPath = FolderPath
+			.canonicalize()
+			.unwrap_or_else(|_| FolderPath.clone());
+		// Try both canonical-canonical AND raw-raw - either match wins.
+		PathToCheck.starts_with(&FolderPath)
+			|| PathToCheck.starts_with(&CanonicalFolderPath)
+			|| CanonicalPathToCheck.starts_with(&FolderPath)
+			|| CanonicalPathToCheck.starts_with(&CanonicalFolderPath)
 	});
 
 	if IsAllowed {
 		Ok(())
 	} else {
+		// Surface the comparison details so a workspace-mismatch bug
+		// (URL-to-path conversion, canonicalisation drift) is debuggable
+		// without rebuilding. Tag is `vfs` so it appears under the
+		// default `short` trace set.
+		let FolderPaths:Vec<String> = FoldersGuard
+			.iter()
+			.map(|F| {
+				F.URI
+					.to_file_path()
+					.map(|P| P.display().to_string())
+					.unwrap_or_else(|_| format!("<bad-uri:{}>", F.URI))
+			})
+			.collect();
+		dev_log!(
+			"vfs",
+			"[PathSecurity] reject path={} canonical={} folders=[{}]",
+			PathToCheck.display(),
+			CanonicalPathToCheck.display(),
+			FolderPaths.join(", ")
+		);
 		Err(CommonError::FileSystemPermissionDenied {
 			Path:PathToCheck.to_path_buf(),
 			Reason:"Path is outside of the registered workspace folders.".to_string(),

Source/Vine/Server/MountainVinegRPCService.rs

@@ -400,6 +400,17 @@ impl MountainService for MountainVinegRPCService {
 				// returns -32000 so Cocoon's shim can convert it to a
 				// proper `vscode.FileSystemError.FileNotFound`.
 				let LowerError = ErrorString.to_lowercase();
+				// "Path is outside of the registered workspace folders" /
+				// "Permission denied" responses come from the path-security
+				// guard in `Environment/Utility/PathSecurity.rs` when an
+				// extension probes a directory outside the open workspace
+				// (Svelte's `enableContextMenu` walks every `package.json`
+				// in the entire workspace tree, including out-of-root
+				// submodule dependencies). From the extension's perspective
+				// these are equivalent to "file not present" and must NOT
+				// count against Cocoon's circuit breaker - a workspace with
+				// many sibling submodules trips the breaker open within the
+				// first few hundred ms of activation otherwise.
 				let LooksLike404 = (MethodName == "FileSystem.ReadFile"
 					|| MethodName == "FileSystem.Stat"
 					|| MethodName == "FileSystem.ReadDirectory")
@@ -408,7 +419,10 @@ impl MountainService for MountainVinegRPCService {
 						|| LowerError.contains("enoent")
 						|| LowerError.contains("no such file or directory")
 						|| LowerError.contains("entity not found")
-						|| LowerError.contains("os error 2"));
+						|| LowerError.contains("os error 2")
+						|| LowerError.contains("path is outside of the registered workspace")
+						|| LowerError.contains("permission denied for operation")
+						|| LowerError.contains("workspace is not trusted"));
 				if LooksLike404 {
 					dev_log!(
 						"grpc-verbose",