feat(fs): glob — cover the full pattern set + followSymlinks

- leading `!` negates the whole pattern; `[^…]` accepted alongside `[!…]`
  (translated for globset); `\` escaping, `?`, `*`, `**`, `[a-z]`, `{a,b}`
  already covered by globset with literal_separator
- Glob.scan gains followSymlinks (default false); when enabled the walk still
  rejects any entry whose real path leaves the root jail
- types: GlobScanOptions.followSymlinks
- e2e test asserting every pattern (match is pure, no fixtures)

Author: Thanga-Ganapathy

crates/default-providers/src/system_fs.rs

@@ -18,14 +18,24 @@ use walkdir::WalkDir;
 
 use crate::path;
 
-/// Compiles a glob pattern with `literal_separator` so `*` does not cross `/`
-/// while `**` does (the conventional shell/Bun semantics).
-fn glob_matcher(pattern: &str) -> Result<globset::GlobMatcher, ProviderError> {
-    GlobBuilder::new(pattern)
+/// Compiles a glob pattern into a matcher plus a "negated" flag, covering the
+/// full conventional set: `?`, `*` (not crossing `/`), `**` (crossing), `[ab]`,
+/// `[a-z]`, `[!abc]` **and** `[^abc]`, `{a,b}`, `\` escaping, and a leading `!`
+/// that negates the whole pattern.
+fn parse_glob(pattern: &str) -> Result<(globset::GlobMatcher, bool), ProviderError> {
+    // A leading `!` negates; `\!…` is a literal `!` (globset unescapes it).
+    let (negated, body) = match pattern.strip_prefix('!') {
+        Some(rest) => (true, rest.to_string()),
+        None => (false, pattern.to_string()),
+    };
+    // Accept the `[^…]` negated-class form (globset spells it `[!…]`).
+    let body = body.replace("[^", "[!");
+    let matcher = GlobBuilder::new(&body)
         .literal_separator(true)
         .build()
         .map(|g| g.compile_matcher())
-        .map_err(|e| ProviderError::Other(format!("invalid glob pattern {pattern:?}: {e}")))
+        .map_err(|e| ProviderError::Other(format!("invalid glob pattern {pattern:?}: {e}")))?;
+    Ok((matcher, negated))
 }
 
 /// A [`FileSystem`] over the real OS, jailed to `root`. Relative paths resolve
@@ -241,7 +251,8 @@ impl FileSystem for SystemFileSystem {
     }
 
     fn glob_match(&self, pattern: &str, path: &str) -> Result<bool, ProviderError> {
-        Ok(glob_matcher(pattern)?.is_match(path))
+        let (matcher, negated) = parse_glob(pattern)?;
+        Ok(negated ^ matcher.is_match(path))
     }
 
     fn glob_scan(
@@ -251,18 +262,27 @@ impl FileSystem for SystemFileSystem {
         opts: GlobScanOptions,
     ) -> BoxFuture<Result<Vec<String>, ProviderError>> {
         let resolved = self.jailed(&base);
+        let root = self.root.clone();
         Box::pin(async move {
             let base_real = resolved?;
-            let matcher = glob_matcher(&pattern)?;
+            let (matcher, negated) = parse_glob(&pattern)?;
             let mut out = Vec::new();
-            // follow_links(false) keeps the walk from leaving the jail via a
-            // symlink; the base is already confined to root.
-            for entry in WalkDir::new(&base_real).follow_links(false) {
+            // Default: don't follow symlinks (can't leave the jail). When the
+            // caller opts in, follow them but reject any entry whose real path
+            // escapes the root.
+            for entry in WalkDir::new(&base_real).follow_links(opts.follow_symlinks) {
                 let entry = entry.map_err(|e| ProviderError::Other(format!("glob scan: {e}")))?;
                 let path = entry.path();
                 if path == base_real {
                     continue; // skip the base itself
                 }
+                if opts.follow_symlinks
+                    && path::canonicalize(path)
+                        .map(|real| !path::within_root(&real, &root))
+                        .unwrap_or(false)
+                {
+                    continue; // a followed link left the jail
+                }
                 let rel = path.strip_prefix(&base_real).unwrap_or(path);
                 let rel_str = rel.to_string_lossy().replace('\\', "/");
                 if !opts.dot && rel_str.split('/').any(|c| c.starts_with('.')) {
@@ -271,7 +291,7 @@ impl FileSystem for SystemFileSystem {
                 if opts.only_files && !entry.file_type().is_file() {
                     continue;
                 }
-                if matcher.is_match(&rel_str) {
+                if negated ^ matcher.is_match(&rel_str) {
                     out.push(if opts.absolute {
                         path.to_string_lossy().into_owned()
                     } else {

crates/providers/src/lib.rs

@@ -274,6 +274,9 @@ pub struct GlobScanOptions {
     pub absolute: bool,
     /// Yield only files, skipping directories.
     pub only_files: bool,
+    /// Traverse into symlinked directories. The implementation still rejects any
+    /// followed entry whose real path leaves the root jail.
+    pub follow_symlinks: bool,
 }
 
 /// Filesystem access backing `runtime:fs` (DECISIONS D25, SPEC §11).

crates/runtime-cli/tests/modules.rs

@@ -297,6 +297,41 @@ fn runtime_fs_read_write_stat_and_jail() {
     }
 }
 
+#[test]
+fn runtime_fs_glob_covers_all_patterns() {
+    // match() is pure (no FS), so the full pattern set runs without fixtures.
+    let script = "import { Glob } from 'runtime:fs'; const m = (p, s) => new Glob(p).match(s);\
+        const out = [];\
+        out.push('q=' + m('???.ts','foo.ts') + ',' + m('???.ts','foobar.ts'));\
+        out.push('star=' + m('*.ts','index.ts') + ',' + m('*.ts','src/index.ts'));\
+        out.push('globstar=' + m('**/*.ts','src/index.ts'));\
+        out.push('class=' + m('ba[rz].ts','bar.ts') + ',' + m('ba[rz].ts','bat.ts'));\
+        out.push('range=' + m('f[a-c].ts','fb.ts') + ',' + m('f[a-c].ts','fz.ts'));\
+        out.push('negbang=' + m('f[!o]o.ts','fao.ts') + ',' + m('f[!o]o.ts','foo.ts'));\
+        out.push('negcaret=' + m('f[^o]o.ts','fao.ts') + ',' + m('f[^o]o.ts','foo.ts'));\
+        out.push('brace=' + m('{a,b}.ts','a.ts') + ',' + m('{a,b}.ts','c.ts'));\
+        out.push('not=' + m('!index.ts','a.ts') + ',' + m('!index.ts','index.ts'));\
+        out.push('escape=' + m('\\\\!x.ts','!x.ts') + ',' + m('\\\\!x.ts','x.ts'));\
+        console.log(out.join('\\n'));";
+    let out = esrun().arg("-e").arg(script).output().expect("spawn esrun");
+    assert!(out.status.success(), "stderr: {}", stderr(&out));
+    let s = stdout(&out);
+    for expected in [
+        "q=true,false",
+        "star=true,false",
+        "globstar=true",
+        "class=true,false",
+        "range=true,false",
+        "negbang=true,false",
+        "negcaret=true,false",
+        "brace=true,false",
+        "not=true,false",
+        "escape=true,false",
+    ] {
+        assert!(s.contains(expected), "missing {expected:?} in:\n{s}");
+    }
+}
+
 #[test]
 fn unknown_runtime_builtin_module_errors() {
     let out = esrun()

crates/runtime/src/fs_ops.rs

@@ -141,6 +141,7 @@ pub(crate) fn install(engine: &mut dyn Engine, fs: Option<Arc<dyn FileSystem>>)
                 dot: arg_bool(&args, 2),
                 absolute: arg_bool(&args, 3),
                 only_files: arg_bool(&args, 4),
+                follow_symlinks: arg_bool(&args, 5),
             };
             Box::pin(async move {
                 let paths = require(&f)?

crates/runtime/src/runtime_modules/fs.js

@@ -124,6 +124,7 @@ class Glob {
       !!opts.dot,
       !!opts.absolute,
       opts.onlyFiles !== false, // default: files only, like the prior art
+      !!opts.followSymlinks,
     );
     for (const p of JSON.parse(json)) yield p;
   }

types/runtime-fs.d.ts

@@ -41,6 +41,8 @@ declare module "runtime:fs" {
     absolute?: boolean;
     /** Yield only files, skipping directories (default `true`). */
     onlyFiles?: boolean;
+    /** Traverse symlinked directories; entries leaving the root jail are skipped (default `false`). */
+    followSymlinks?: boolean;
   }
 
   /**