[BUG] .rooignore exclusions not enforced consistently across tools (read_file bypasses exclusions)

[Zocker1999NET]

Problem (one or two sentences)

The .rooignore file exclusion rules are not consistently enforced - some tools (like read_file) allow reading files that should be excluded, while other tools (like search_files) correctly respect the exclusions.

Context (who is affected and when)

AI agents using Roo Code with a .rooignore file configured to exclude certain files or directories. The exclusion appears to work for some tools but not others, creating an inconsistent security boundary.

Reproduction steps

1. Create a .rooignore file with exclusion patterns (e.g., database-redesign/*.sql or tasks.txt)
2. Use the read_file tool to attempt reading an excluded file
3. Observe that the file content is returned despite being in .rooignore
4. Use the search_files tool to search for the same pattern
5. Observe that search_files correctly returns no results

To provide more context of my repo, this is the .rooignore:

# ==SYNC=AI-AGENT-IGNORE-FILE==
# This file is synchronized across multiple names for different AI agents.
# All variants of this file MUST remain identical.
# Edit any variant and ensure all other variants are updated to match.
# The gitlab-ci pipeline validates that all sync marker files are identical.

# files that should be ignored by AI agents

*.ini
!config.template.ini
tasks.txt
database-redesign/*.sql

Relevant Files in Project:

.gitignore
.gitlab-ci.yml
.rooignore          ← exclusion config being tested
config.ini          ← excluded by .rooignore
config.template.ini
tasks.txt           ← excluded by .rooignore
.roo/
database-redesign/  ← *.sql files excluded by .rooignore

Key Files for the Bug Report:

• .rooignore - The exclusion config file
• tasks.txt - Excluded file that was readable (bug)
• database-redesign/00_version.sql - Excluded file that was readable (bug)

Expected result

Files listed in .rooignore should be blocked from being read by ALL tools, including read_file, search_files, and list_files.

Actual result

read_file: allows reading excluded files (BUG); search_files: correctly blocks excluded files (works as expected); list_files: shows all files regardless of .rooignore (may be intentional for workspace inventory)

Variations tried (optional)

• Tested with database-redesign/*.sql pattern - blocked by search_files but not by read_file
• Tested with tasks.txt - blocked by search_files but not by read_file
• Tested with *.ini - correctly blocked by both tools

App Version

v3.51.1 (7c9722b)

API Provider (optional)

OpenAI Compatible

Model Used (optional)

MiniMax M2.5 229b (self hosted)

Roo Code Task Links (optional)

No response

Relevant logs or errors (optional)

[roomote-v0]

I've analyzed this issue and here's my proposed implementation plan:

Root Cause Analysis

The .rooignore enforcement in RooIgnoreController.validateAccess() has two issues that can cause it to silently allow access to files that should be blocked:

1. Initialization Race Condition (src/core/task/Task.ts)

In Task.ts, the RooIgnoreController is constructed and its initialize() is called fire-and-forget (not awaited):

this.rooIgnoreController = new RooIgnoreController(this.cwd)
this.rooIgnoreController.initialize().catch(...)

Until initialize() completes (which reads .rooignore from disk), rooIgnoreContent is undefined, and validateAccess() returns true for everything:

validateAccess(filePath: string): boolean {
    if (!this.rooIgnoreContent) {
        return true // <-- allows all access before init completes
    }
    ...
}

While this is typically fast, there is no guarantee initialization finishes before the first tool call.

2. Fail-Open Error Handling (src/core/ignore/RooIgnoreController.ts)

The validateAccess() method has a blanket catch that defaults to allowing access on any error:

} catch (error) {
    // Allow access to files outside cwd or on errors (backward compatibility)
    return true
}

This means any unexpected error during path resolution or pattern matching silently bypasses the .rooignore rules.

Proposed Fix

1. Ensure initialization before tool execution - In Task.ts, store the initialization promise and await it in a method that tools can call (or await it directly in the constructor flow). Add an initialized promise to RooIgnoreController that callers can await.

2. Fail closed by default in validateAccess() - Change the outer catch to return false (deny access) instead of true. Handle the specific case of paths outside cwd separately (before the try/catch), so only those get the permissive behavior.

3. Add initialization guard in validateAccess() - If .rooignore content hasn't been loaded yet (initialization not complete), default to denying access rather than allowing it. This follows the security principle of failing closed.

Files to Change

• src/core/ignore/RooIgnoreController.ts - Add initialization state tracking, fix error handling in validateAccess()
• src/core/task/Task.ts - Await the RooIgnoreController initialization promise before proceeding
• Tests in src/core/ignore/__tests__/ - Update tests for new behavior

This approach ensures .rooignore rules are consistently enforced across all tools, including read_file, by eliminating the window where the controller allows all access and by failing closed on errors.

Please mention @roomote in a comment saying that you approve this plan, and I'll proceed with the implementation.

[Zocker1999NET]

because I use roo without an account, here the export of the exchange I had with roo while debugging this:
roo_task_mar-28-2026_12-08-42-am.md