release-28-06-26 #218

Closed
thatcatfromspace wants to merge 1 commit into main from staging

@thatcatfromspace thatcatfromspace commented Jun 28, 2026

Contributor

Production release: staging → main

Promotes the one commit on staging ahead of main:

CI was green on PR #213 before merge to staging. No other commits included.

Note: the Merge to main deploy workflow failed because main now requires changes via PR (repository ruleset GH013); raising this release PR instead.

🤖 Generated with Claude Code


Note

Medium Risk
Large new discovery surface with whole-disk walks and multi-user attribution; failures are mostly fail-safe, but bugs could mis-attribute config or duplicate/leak inventory across users on MDM/root scans.

Overview
Adds end-to-end discovery for Augment Code (Auggie CLI, VS Code extension, JetBrains plugin) in the coding discovery agent, aligned with the existing Copilot CLI pattern.

Detection & routing: New OS-specific detectors emit one inventory row per surface, all keyed to each user’s ~/.augment via _config_path. process_single_tool routes Augment surfaces through _process_augment_tool before the generic JetBrains handler so Augment JetBrains rows are not misclassified.

Shared config without duplication: MCP, rules, skills/commands, and user/managed permissions are extracted once per scan (memoized with an unset sentinel so legitimate None MCP results still cache). Only the canonical surface per _config_path carries that payload (preference: Auggie CLI → VS Code → JetBrains); other surfaces stay bare rows. Multi-user/root scans pick a canonical winner per user and apply _augment_owned_by_user so non-owners do not get phantom rows (managed-only org policy does not count as per-user data).

Extractors: New macOS implementations plus thin Windows/Linux subclasses for MCP (settings.json / nested mcpServers), rules/guidelines, toolPermissions settings (user + managed; hooks in raw_settings), and skills/commands under .augment, .claude, and .agents. User-scope skills are keyed by config dir from file_path to avoid cross-user leaks under all-users scans.

Tests: Broad unit/integration coverage for detection, routing, canonical split, ownership, MCP nesting, rules/skills/settings behavior, and discovery-flow registration/fail-safe behavior.

Reviewed by Cursor Bugbot for commit 48b6cda. Bugbot is set up for automated code reviews on this repo. Configure here.

Greptile Summary

This PR adds Augment Code discovery across supported developer surfaces. The main changes are:

  • Auggie CLI, VS Code, and JetBrains detection for macOS, Linux, and Windows.
  • Shared extraction for Augment MCP servers, rules, settings, permissions, skills, and commands.
  • Per-user canonical Augment surface handling to avoid duplicated shared config.
  • Tests for discovery, settings, rules, skills, Linux behavior, and overcollection cases.

Confidence Score: 1/5

This looks safe to merge.

  • No blocking issues found in the changed code.
  • The multi-user paths use per-user config paths and filtering for shared Augment data.
  • The filesystem walkers include bounded traversal and symlink guards.

Important Files Changed

| Filename | Overview |
| --- | --- |
| scripts/coding_discovery_tools/ai_tools_discovery.py | Adds Augment extractor setup, memoized shared-config reads, canonical surface selection, processing, and ownership filtering. |
| scripts/coding_discovery_tools/coding_tool_factory.py | Registers Augment detectors and extractor factories for macOS, Linux, and Windows. |
| scripts/coding_discovery_tools/macos/augment/augment.py | Adds macOS detection for Auggie CLI, VS Code, and JetBrains Augment surfaces. |
| scripts/coding_discovery_tools/macos/augment/augment_mcp_config_extractor.py | Adds Augment MCP extraction from user and workspace settings with bounded filesystem walking. |
| scripts/coding_discovery_tools/macos/augment/augment_rules_extractor.py | Adds Augment rule extraction from user and project sources with de-duplication of user config dirs. |
| scripts/coding_discovery_tools/macos/augment/augment_settings_extractor.py | Adds user and managed Augment settings parsing, including tool permissions and raw settings. |
| scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py | Adds Augment skills and commands extraction across .augment, .claude, and .agents directories. |
| scripts/coding_discovery_tools/linux/augment/augment.py | Adds Linux-specific Augment detection seams for user homes and JetBrains detection. |
| scripts/coding_discovery_tools/windows/augment/augment.py | Adds Windows-specific Augment detection seams for user homes, binaries, and JetBrains detection. |
| scripts/coding_discovery_tools/augment_skills_helpers.py | Adds shared Augment skill and command helper configuration over the existing item extraction engine. |

Reviews (1): Last reviewed commit: "Discover Augment Code (Auggie CLI + VS C..." | Re-trigger Greptile

Context used:

  • Rule used - Ensure that the confidence score is always within ... (source)

Learned From
websentry-ai/ai-gateway-data#448

…213)

* feat(augment): discover Augment Code across Auggie CLI, VS Code, JetBrains

Add Augment Code (label "augment") to the coding-discovery scanner as a
single cross-surface detector returning per-surface rows (Auggie CLI,
Augment (VS Code), Augment (<JetBrains IDE>)) that share one ~/.augment
config. Mirrors the GitHub Copilot cross-surface pattern.

Extraction parity with claude_code/copilot_cli:
- settings/permissions: toolPermissions -> allow/deny/ask; hooks preserved
  in raw_settings (user/managed/project/local scopes)
- MCP servers: top-level mcpServers + augment.advanced.mcpServers + flat form
- rules/guidelines: .augment-guidelines, .augment/rules/*.{md,mdx},
  ~/.augment/rules, ~/.augment/user-guidelines.md, hierarchical AGENTS.md/CLAUDE.md
- skills/commands: ~/.augment/skills/<name>/SKILL.md, .augment/commands/*.md

Shared ~/.augment config is attached to a single canonical surface
(Auggie CLI > VS Code > JetBrains) to avoid duplication; non-canonical
surfaces emit bare detection rows. macOS holds the logic; Windows/Linux
are thin OS-seam subclasses.

Part of WEB-4950 (discovery half).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): address review findings (cross-user skills, rules dup, settings scope)

- Owner-key user-scope skills by file_path so a user's skill content can't leak
  onto another user's row under a root all-users scan (mirrors
  _copilot_skill_owner_home)
- Guard the rules project walk against re-collecting ~/.augment/rules as project
  scope, matching the settings/skills extractors' user-dir guards
- Settings: extract user + managed only; drop the unsurfaceable project/local
  filesystem walk; include managed scope in the permissions filter
- Skip symlinked dirs before the .augment branch in the rules walk
- Memo parity for _get_augment_mcp; settings docstring fix
- Add regression tests for the cross-user skills leak and rules duplication

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment tests): pin _filesystem_root in project-walk tests for Windows

The rules/skills project-walk tests instantiate the macOS extractor and
patched only _iter_top_level_dirs, leaving _filesystem_root at "/". On
Windows the walk's item.relative_to("/") raises ValueError for a C:\ temp
path, so every subdirectory was skipped and project rules/skills were never
collected (8 Windows-only unittest failures, all in the rules/skills suites).
Pin _filesystem_root to the temp ancestor so relative_to works cross-platform.
Production is unaffected: real Windows uses the Windows*AugmentExtractor with
the correct filesystem root.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): address PR-bot findings (per-user canonical, MCP memo, dedup, symlink, ownership)

Cursor + Greptile inline review follow-ups:

- G: canonical Augment surface is now chosen PER USER (keyed by _config_path),
  not a single global name. A root multi-user scan picks a winner for each
  user's ~/.augment independently, so a VS Code-only user no longer gets a bare
  row that drops their config when another user has the CLI.
- F: managed-scope-only permissions (org-wide /etc/augment) no longer manufacture
  a phantom Augment row for a non-owner under root scans (_augment_owned_by_user
  no longer counts managed permissions as user-owned data).
- B: MCP accessor memoization uses a distinct UNSET sentinel so a legitimate
  cached None (no MCP configured) short-circuits instead of re-running the full
  MCP walk on every surface.
- C: emit at most one "Augment (VS Code)" row per user (prefer stable over
  nightly) so stable+nightly installs don't create duplicate canonical rows.
- A: skills walk skips symlinked dirs before the .augment handling (mirrors the
  rules/mcp/settings walks) so a symlinked .augment can't be followed.
- E: Windows skills walk also skips other-tool config dirs (parity with the
  macOS base + Windows rules walk).

D (Linux rules per-user error guard) was already covered by the macOS base
_extract_user_rules try/except that the Linux subclass inherits.

Adds per-user-canonical, managed-ownership, MCP-memo, dual-extension, and
symlink regression tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): attribute JetBrains rows to the IDE owner under root scans (H2)

Under a root MDM all-users scan, MacOSJetBrainsDetector returns every user's
IDEs, but the Augment JetBrains row stamped _config_path from the outer scan
home — so an IDE owned by user B could be attributed to user A's ~/.augment
(wrong permissions/config). Run JetBrains detection once and derive each IDE's
owning user from the IDE's own config path (longest-prefix match against the
scanned homes), falling back to the scoped/current home. This also removes the
prior N-times-redundant rescan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment tests): make H2 JetBrains-owner assertion separator-agnostic

The new H2 regression test hardcoded "/Users/bob/.augment", but production
stringifies a Path, so on Windows _config_path is "\\Users\\bob\\.augment" and
the literal-POSIX assertion failed (Windows CI). Build the expected value via
Path so the separator matches the host OS. Test-only; production is correct.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): guard each user in Linux rules _scan_all_user_homes (Greptile)

Parity with LinuxAugmentSkillsExtractor: wrap each per-user extract_for_user in
try/except (PermissionError, OSError) so one unreadable home can't abort the
whole multi-user rules scan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): stop duplicate MCP servers from the workspace walk (Greptile)

The MCP workspace walk descended into user homes and re-read
~/.augment/settings.json as PROJECT scope — the same servers already collected
as USER scope — emitting duplicate MCP servers under two project paths
(~/.augment as "user" + the home dir as "project"). Record each user-home
~/.augment collected as user scope and skip it in the workspace walk, matching
the rules/settings/skills user-dir guards. Genuine project .augment dirs are
still collected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(augment): collect .claude/.agents skills; group user skills by config dir

Two follow-ups from dogfooding the Auggie CLI:

1. Auggie loads skills/commands from .augment, .claude AND .agents (per
   docs.augmentcode.com/cli/skills, in both workspace and home) and honors
   .claude/commands for Claude compatibility. The Augment skills extractor now
   sources all three marker dirs (user + project). The same .claude/.agents item
   is reported under Claude Code / Copilot CLI AND Augment by design — each tool
   reports what it loads; the backend dedups per (tool, home_user).

2. Group user-scope skills under their CONFIG DIR (~/.augment, ~/.claude,
   ~/.agents) instead of the bare home. The backend keys an AIToolProject per
   project path, so the old bare-home key surfaced a spurious "~" project
   separate from the ~/.augment rules/MCP project; now ~/.augment skills coalesce
   with that row's rules/MCP, while ~/.claude/~/.agents skills group under their
   own dir. Still owner-scoped (home is in the path) so the per-user filter
   prevents cross-user skill leakage under root scans.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): guard symlinked skills/commands subdir in the skills walk

The skills project walk symlink-checks the parent .augment dir but then used
type_dir.is_dir() on the skills/commands subdir, which follows symlinks — so
under a root MDM scan a user could point .augment/skills at an arbitrary dir and
have the scanner traverse it. Add the matching `not type_dir.is_symlink()` guard
(mirrors the parent-dir guard in the same method). All OSes via the inherited
macOS walk. Adds a regression test (symlinked .augment/skills not traversed;
real one still collected).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: thatcatfromspace <fake-fam-20260623-0332-e7f7@nonexistent.invalid>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@thatcatfromspace thatcatfromspace requested a review from a team June 28, 2026 13:34
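
The symlink guard described in the last commit above, as an added example that is not the repository's code: a bounded walk that collects .augment/skills/<name>/SKILL.md and .augment/commands/*.md and refuses to cross a symlink at either the .augment level or the skills/commands level. The function names and the depth limit are assumptions made for illustration.

```python
from pathlib import Path
from typing import Iterator

TYPE_DIRS = ("skills", "commands")  # subdirectory names taken from the commit message


def _real_dir(p: Path) -> bool:
    """A directory that is not itself a symlink (is_dir() alone follows links)."""
    return not p.is_symlink() and p.is_dir()


def _items(type_dir: Path) -> Iterator[Path]:
    """skills/<name>/SKILL.md and commands/*.md, regular files only."""
    try:
        children = sorted(type_dir.iterdir())
    except OSError:
        return
    for child in children:
        target = child / "SKILL.md" if type_dir.name == "skills" else child
        if type_dir.name == "skills" and not _real_dir(child):
            continue
        if target.suffix == ".md" and target.is_file() and not target.is_symlink():
            yield target


def iter_skill_files(root: Path, max_depth: int = 4) -> Iterator[Path]:
    """Bounded walk from root that never descends through a symlinked directory."""
    stack = [(root, 0)]
    while stack:
        current, depth = stack.pop()
        try:
            entries = sorted(current.iterdir())
        except OSError:
            continue  # unreadable directory: skip it, keep scanning
        for entry in entries:
            if not _real_dir(entry):
                continue  # plain files and symlinked dirs are never entered
            if entry.name == ".augment":
                for name in TYPE_DIRS:
                    type_dir = entry / name
                    if _real_dir(type_dir):  # guard the subdir, not just its parent
                        yield from _items(type_dir)
            elif depth < max_depth:
                stack.append((entry, depth + 1))
```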

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.


best, best_len = home, len(home_norm)
if best is not None:
return best
return self.user_home or Path.home()
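
Review bot: the final line, return self.user_home or Path.home(), still assigns an owner when no scanned home matched the path, so an unmatched IDE config path is attributed to the scoped or current user's home. Returning None for the no-match case and letting the caller skip or flag that row would keep the inventory from recording an owner that was never established.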


JetBrains rows misassigned per user

High Severity

During per-user MDM scans, _detect_jetbrains_all_users can incorrectly attribute JetBrains IDEs belonging to other users. The JetBrains detector returns all system IDEs, but _augment_owner_home_for_path only considers the currently scanned user's home for ownership. This can lead to an IDE's _config_path pointing to the wrong ~/.augment directory, potentially corrupting inventory.


@cursor cursor Bot left a comment


Identified 1 net-new security finding after parallel module review, orchestrator triage, and duplicate suppression.


Sent by Cursor Security Agent: Security Reviewer

if binary is not None:
try:
return _parse_cli_version(
run_command([str(binary), "--version"], VERSION_TIMEOUT)


🔒 Agentic Security Review
Severity: CRITICAL
The detector executes a user-home auggie binary (run_command([binary, "--version"])) during root/admin all-users scans after resolving candidates from user-writable paths like ~/.local/bin, ~/.bun/bin, and ~/.nvm/....
This creates a privilege-boundary break where an unprivileged local user can place a malicious binary and have it executed by the privileged scanner.

Impact: Local privilege escalation to the scanner identity (root/administrator), with potential full host compromise.


Reviewed by Cursor Security Reviewer for commit 48b6cda. Configure here.

@vigneshsubbiah16

Contributor

🛡️ Automated Security Review (consensus)

1 finding — 1 high-confidence, 0 to triage. Reviewers: Cursor, Claude, Semgrep, Gitleaks.

🔴 Privileged execution of user-controlled auggie binary during all-users scans

Confidence: 🔴 HIGH
Location: scripts/coding_discovery_tools/macos/augment/augment.py:162 (also :108-141, :64-71; inherited on Linux/Windows via LinuxAugmentDetector / WindowsAugmentDetector and windows/augment/augment.py:_resolve_binary)
Impact: During root/admin MDM scans, the detector resolves auggie from user-writable paths (~/.local/bin, ~/.bun/bin, ~/.nvm/..., Windows npm/WinGet shims) and runs run_command([binary, "--version"]), executing attacker-planted binaries as the scanner identity → local privilege escalation / arbitrary code execution.
Fix: Do not exec binaries from other users' homes while privileged; skip the live --version probe for non-self homes (or when is_running_as_root() / admin), derive version from static package metadata, or validate ownership/permissions before any exec.
Flagged by: Cursor Security Reviewer, Claude


🤖 consensus review · reviewers: Cursor,Claude,Semgrep,Gitleaks · head 48b6cda9 · 2026-06-28T13:41Z
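
One way to implement the "validate ownership/permissions before any exec" option from the fix above, as an added example that is not code from this PR or repository. It is POSIX-only, checks the resolved file and its immediate directory rather than every ancestor, and the names trusted_uids_for_scanner, resolve_trusted_binary and probe_version are hypothetical.

```python
import os
import stat
import subprocess
from pathlib import Path
from typing import Iterable, Optional

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def trusted_uids_for_scanner(euid: int) -> set:
    """Root trusts only root-owned files; an unprivileged scanner also trusts its own."""
    return {0} if euid == 0 else {0, euid}


def resolve_trusted_binary(candidate, trusted_uids: Iterable[int]) -> Optional[Path]:
    """Return the symlink-resolved path if only trusted uids can replace it, else None."""
    trusted = set(trusted_uids)
    try:
        real = Path(os.path.realpath(candidate))
        file_st = os.lstat(real)
        dir_st = os.lstat(real.parent)
    except OSError:
        return None
    if not stat.S_ISREG(file_st.st_mode):
        return None
    # Assumption: file + containing directory only; a stricter gate walks all ancestors.
    for st in (file_st, dir_st):
        if st.st_uid not in trusted or st.st_mode & WRITABLE_BY_OTHERS:
            return None
    return real


def probe_version(candidate, trusted_uids, run=subprocess.run, timeout=5) -> Optional[str]:
    """Run `<binary> --version` only for a trusted binary; otherwise return None."""
    real = resolve_trusted_binary(candidate, trusted_uids)
    if real is None:
        return None  # caller falls back to static package metadata
    try:
        # Execute the resolved path that was checked, not the original candidate.
        out = run([str(real), "--version"], capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None
```

A check-then-exec gap remains between the lstat calls and the exec; skipping the probe entirely for other users' homes, as the fix also suggests, avoids it.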


3 participants