release-29-06-29-v1#219
…213)

* feat(augment): discover Augment Code across Auggie CLI, VS Code, JetBrains

  Add Augment Code (label "augment") to the coding-discovery scanner as a single cross-surface detector returning per-surface rows (Auggie CLI, Augment (VS Code), Augment (<JetBrains IDE>)) that share one ~/.augment config. Mirrors the GitHub Copilot cross-surface pattern.

  Extraction parity with claude_code/copilot_cli:
  - settings/permissions: toolPermissions -> allow/deny/ask; hooks preserved in raw_settings (user/managed/project/local scopes)
  - MCP servers: top-level mcpServers + augment.advanced.mcpServers + flat form
  - rules/guidelines: .augment-guidelines, .augment/rules/*.{md,mdx}, ~/.augment/rules, ~/.augment/user-guidelines.md, hierarchical AGENTS.md/CLAUDE.md
  - skills/commands: ~/.augment/skills/<name>/SKILL.md, .augment/commands/*.md

  Shared ~/.augment config is attached to a single canonical surface (Auggie CLI > VS Code > JetBrains) to avoid duplication; non-canonical surfaces emit bare detection rows. macOS holds the logic; Windows/Linux are thin OS-seam subclasses.

  Part of WEB-4950 (discovery half).

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): address review findings (cross-user skills, rules dup, settings scope)

  - Owner-key user-scope skills by file_path so a user's skill content can't leak onto another user's row under a root all-users scan (mirrors _copilot_skill_owner_home)
  - Guard the rules project walk against re-collecting ~/.augment/rules as project scope, matching the settings/skills extractors' user-dir guards
  - Settings: extract user + managed only; drop the unsurfaceable project/local filesystem walk; include managed scope in the permissions filter
  - Skip symlinked dirs before the .augment branch in the rules walk
  - Memo parity for _get_augment_mcp; settings docstring fix
  - Add regression tests for the cross-user skills leak and rules duplication

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment tests): pin _filesystem_root in project-walk tests for Windows

  The rules/skills project-walk tests instantiate the macOS extractor and patched only _iter_top_level_dirs, leaving _filesystem_root at "/". On Windows the walk's item.relative_to("/") raises ValueError for a C:\ temp path, so every subdirectory was skipped and project rules/skills were never collected (8 Windows-only unittest failures, all in the rules/skills suites). Pin _filesystem_root to the temp ancestor so relative_to works cross-platform. Production is unaffected: real Windows uses the Windows*AugmentExtractor with the correct filesystem root.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): address PR-bot findings (per-user canonical, MCP memo, dedup, symlink, ownership)

  Cursor + Greptile inline review follow-ups:
  - G: canonical Augment surface is now chosen PER USER (keyed by _config_path), not a single global name. A root multi-user scan picks a winner for each user's ~/.augment independently, so a VS Code-only user no longer gets a bare row that drops their config when another user has the CLI.
  - F: managed-scope-only permissions (org-wide /etc/augment) no longer manufacture a phantom Augment row for a non-owner under root scans (_augment_owned_by_user no longer counts managed permissions as user-owned data).
  - B: MCP accessor memoization uses a distinct UNSET sentinel so a legitimate cached None (no MCP configured) short-circuits instead of re-running the full MCP walk on every surface.
  - C: emit at most one "Augment (VS Code)" row per user (prefer stable over nightly) so stable+nightly installs don't create duplicate canonical rows.
  - A: skills walk skips symlinked dirs before the .augment handling (mirrors the rules/mcp/settings walks) so a symlinked .augment can't be followed.
  - E: Windows skills walk also skips other-tool config dirs (parity with the macOS base + Windows rules walk).

  D (Linux rules per-user error guard) was already covered by the macOS base _extract_user_rules try/except that the Linux subclass inherits.

  Adds per-user-canonical, managed-ownership, MCP-memo, dual-extension, and symlink regression tests.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): attribute JetBrains rows to the IDE owner under root scans (H2)

  Under a root MDM all-users scan, MacOSJetBrainsDetector returns every user's IDEs, but the Augment JetBrains row stamped _config_path from the outer scan home — so an IDE owned by user B could be attributed to user A's ~/.augment (wrong permissions/config). Run JetBrains detection once and derive each IDE's owning user from the IDE's own config path (longest-prefix match against the scanned homes), falling back to the scoped/current home. This also removes the prior N-times-redundant rescan.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment tests): make H2 JetBrains-owner assertion separator-agnostic

  The new H2 regression test hardcoded "/Users/bob/.augment", but production stringifies a Path, so on Windows _config_path is "\\Users\\bob\\.augment" and the literal-POSIX assertion failed (Windows CI). Build the expected value via Path so the separator matches the host OS. Test-only; production is correct.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): guard each user in Linux rules _scan_all_user_homes (Greptile)

  Parity with LinuxAugmentSkillsExtractor: wrap each per-user extract_for_user in try/except (PermissionError, OSError) so one unreadable home can't abort the whole multi-user rules scan.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): stop duplicate MCP servers from the workspace walk (Greptile)

  The MCP workspace walk descended into user homes and re-read ~/.augment/settings.json as PROJECT scope — the same servers already collected as USER scope — emitting duplicate MCP servers under two project paths (~/.augment as "user" + the home dir as "project"). Record each user-home ~/.augment collected as user scope and skip it in the workspace walk, matching the rules/settings/skills user-dir guards. Genuine project .augment dirs are still collected.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(augment): collect .claude/.agents skills; group user skills by config dir

  Two follow-ups from dogfooding the Auggie CLI:

  1. Auggie loads skills/commands from .augment, .claude AND .agents (per docs.augmentcode.com/cli/skills, in both workspace and home) and honors .claude/commands for Claude compatibility. The Augment skills extractor now sources all three marker dirs (user + project). The same .claude/.agents item is reported under Claude Code / Copilot CLI AND Augment by design — each tool reports what it loads; the backend dedups per (tool, home_user).
  2. Group user-scope skills under their CONFIG DIR (~/.augment, ~/.claude, ~/.agents) instead of the bare home. The backend keys an AIToolProject per project path, so the old bare-home key surfaced a spurious "~" project separate from the ~/.augment rules/MCP project; now ~/.augment skills coalesce with that row's rules/MCP, while ~/.claude/~/.agents skills group under their own dir. Still owner-scoped (home is in the path) so the per-user filter prevents cross-user skill leakage under root scans.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): guard symlinked skills/commands subdir in the skills walk

  The skills project walk symlink-checks the parent .augment dir but then used type_dir.is_dir() on the skills/commands subdir, which follows symlinks — so under a root MDM scan a user could point .augment/skills at an arbitrary dir and have the scanner traverse it. Add the matching `not type_dir.is_symlink()` guard (mirrors the parent-dir guard in the same method). All OSes via the inherited macOS walk. Adds a regression test (symlinked .augment/skills not traversed; real one still collected).

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: thatcatfromspace <fake-fam-20260623-0332-e7f7@nonexistent.invalid>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🛡️ Automated Security Review (consensus)
2 findings — 2 high-confidence, 0 to triage. Reviewers: Cursor, Claude, Semgrep, Gitleaks.
🔴 Privileged scan executes per-user
|
| if binary is not None: | ||
| try: | ||
| return _parse_cli_version( | ||
| run_command([str(binary), "--version"], VERSION_TIMEOUT) |
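Review bot: the `run_command([str(binary), "--version"], VERSION_TIMEOUT)` call is guarded only by `binary is not None`, so whatever path was discovered is executed with the scanner's own privileges. Before this call, confirm the file is a regular, non-symlinked file owned by root or the scanning account and not group- or world-writable, or run it as the owner of the home it was found in. Where neither holds, skip the version probe and report the row without a version.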
🔒 Agentic Security Review
Severity: CRITICAL
run_command([str(binary), "--version"], ...) executes a per-user auggie binary discovered under user-writable home paths during all-users scans. In privileged/root scan mode, this allows a low-privileged local user to plant a malicious binary that gets executed with elevated privileges.
Impact: Local privilege escalation to root/administrator and full host compromise during discovery runs.
Reviewed by Cursor Security Reviewer for commit 48b6cda.
| self._walk_rules_dir( | ||
| item, find_project_root_func, scope, projects_by_root, current_depth + 1 | ||
| ) | ||
| elif item.is_file() and _is_augment_rule_file(item.name): |
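Review bot: `item.is_file()` in the `elif` branch follows symlinks, so a link whose name passes `_is_augment_rule_file(item.name)` is accepted as a rule file. Add `and not item.is_symlink()` to this condition, and have the reader open the file without following links so the check and the read cannot disagree.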
🔒 Agentic Security Review
Severity: HIGH
The rules walker blocks symlinked directories, but still accepts item.is_file() and then reads matching files. Symlinked rule files (for example AGENTS.md or files under .augment/rules) can therefore be dereferenced and ingested without containment checks.
Impact: In privileged scans, a user can point a scanned rule file symlink at sensitive paths outside the intended workspace/config boundary, causing cross-boundary data ingestion/exfiltration.
Reviewed by Cursor Security Reviewer for commit 48b6cda.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 48b6cda.
| best, best_len = home, len(home_norm) | ||
| if best is not None: | ||
| return best | ||
| return self.user_home or Path.home() |
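Review bot: the final `return self.user_home or Path.home()` attributes any path that matched no scanned home to the scanning user, and `Path.home()` is the home of whichever account runs the scan. Return `None` when `best is None` and let the caller emit a bare row or skip the entry, so an unmatched IDE is never stamped with another account's config path.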
JetBrains IDE wrong config owner
High Severity
During per-user MDM scans, JetBrains detection returns machine-wide results, but _augment_owner_home_for_path resolves owners scoped to a single user. This causes it to incorrectly assign the scanned user's ~/.augment config path to IDEs belonging to other users, leading to incorrect canonical grouping, permissions, and potentially blocking the actual owner's entry.
Reviewed by Cursor Bugbot for commit 48b6cda.
| user_home, user_skills, self._extract_single_rule_file, AUGMENT_ITEM_CONFIGS | ||
| ) | ||
|
|
||
| self._scan_all_user_homes(extract_for_user) |
User skills follow symlinks
Medium Severity
User-scope Augment skills/commands use extract_augment_user_level_items without symlink checks on ~/.augment, ~/.claude, or ~/.agents skill/command dirs. The project walk in the same extractor skips symlinked .augment and skills/ trees, so a root all-users scan can still traverse a symlinked home skills directory and read arbitrary paths.
Reviewed by Cursor Bugbot for commit 48b6cda.




…#213)
Add Augment Code (label "augment") to the coding-discovery scanner as a single cross-surface detector returning per-surface rows (Auggie CLI, Augment (VS Code), Augment (<JetBrains IDE>)) that share one ~/.augment config. Mirrors the GitHub Copilot cross-surface pattern.
Extraction parity with claude_code/copilot_cli:
Shared ~/.augment config is attached to a single canonical surface (Auggie CLI > VS Code > JetBrains) to avoid duplication; non-canonical surfaces emit bare detection rows. macOS holds the logic; Windows/Linux are thin OS-seam subclasses.
Part of WEB-4950 (discovery half).
The rules/skills project-walk tests instantiate the macOS extractor and patched only _iter_top_level_dirs, leaving _filesystem_root at "/". On Windows the walk's item.relative_to("/") raises ValueError for a C:\ temp path, so every subdirectory was skipped and project rules/skills were never collected (8 Windows-only unittest failures, all in the rules/skills suites). Pin _filesystem_root to the temp ancestor so relative_to works cross-platform. Production is unaffected: real Windows uses the Windows*AugmentExtractor with the correct filesystem root.
Cursor + Greptile inline review follow-ups:
D (Linux rules per-user error guard) was already covered by the macOS base _extract_user_rules try/except that the Linux subclass inherits.
Adds per-user-canonical, managed-ownership, MCP-memo, dual-extension, and symlink regression tests.
Under a root MDM all-users scan, MacOSJetBrainsDetector returns every user's IDEs, but the Augment JetBrains row stamped _config_path from the outer scan home — so an IDE owned by user B could be attributed to user A's ~/.augment (wrong permissions/config). Run JetBrains detection once and derive each IDE's owning user from the IDE's own config path (longest-prefix match against the scanned homes), falling back to the scoped/current home. This also removes the prior N-times-redundant rescan.
The new H2 regression test hardcoded "/Users/bob/.augment", but production stringifies a Path, so on Windows _config_path is "\Users\bob\.augment" and the literal-POSIX assertion failed (Windows CI). Build the expected value via Path so the separator matches the host OS. Test-only; production is correct.
Parity with LinuxAugmentSkillsExtractor: wrap each per-user extract_for_user in try/except (PermissionError, OSError) so one unreadable home can't abort the whole multi-user rules scan.
The MCP workspace walk descended into user homes and re-read ~/.augment/settings.json as PROJECT scope — the same servers already collected as USER scope — emitting duplicate MCP servers under two project paths (~/.augment as "user" + the home dir as "project"). Record each user-home ~/.augment collected as user scope and skip it in the workspace walk, matching the rules/settings/skills user-dir guards. Genuine project .augment dirs are still collected.

Two follow-ups from dogfooding the Auggie CLI:

1. Auggie loads skills/commands from .augment, .claude AND .agents (per docs.augmentcode.com/cli/skills, in both workspace and home) and honors .claude/commands for Claude compatibility. The Augment skills extractor now sources all three marker dirs (user + project). The same .claude/.agents item is reported under Claude Code / Copilot CLI AND Augment by design — each tool reports what it loads; the backend dedups per (tool, home_user).
2. Group user-scope skills under their CONFIG DIR (~/.augment, ~/.claude, ~/.agents) instead of the bare home. The backend keys an AIToolProject per project path, so the old bare-home key surfaced a spurious "~" project separate from the ~/.augment rules/MCP project; now ~/.augment skills coalesce with that row's rules/MCP, while ~/.claude/~/.agents skills group under their own dir. Still owner-scoped (home is in the path) so the per-user filter prevents cross-user skill leakage under root scans.

The skills project walk symlink-checks the parent .augment dir but then used type_dir.is_dir() on the skills/commands subdir, which follows symlinks — so under a root MDM scan a user could point .augment/skills at an arbitrary dir and have the scanner traverse it. Add the matching `not type_dir.is_symlink()` guard (mirrors the parent-dir guard in the same method). All OSes via the inherited macOS walk. Adds a regression test (symlinked .augment/skills not traversed; real one still collected).

Note
Medium Risk
Large new surface area with whole-disk walks and root multi-user attribution; mistakes could leak another user's skills or duplicate permissions, but behavior mirrors hardened Copilot patterns with dedicated guards and tests.
Overview
Augment Code is added to the coding-discovery scanner: Auggie CLI, Augment (VS Code), and Augment (JetBrains) each emit a detection row while sharing one per-user `~/.augment` config. Shared MCP, rules, skills, and permissions are extracted once (memoized walks) and attached only to a canonical surface per `_config_path` (Auggie CLI → VS Code → JetBrains); other surfaces stay bare inventory rows.

New OS-specific detectors and extractors cover settings/permissions (`toolPermissions`, user + managed scopes), MCP (top-level and nested `mcpServers`), rules/guidelines, and skills/commands (including `.augment`, `.claude`, and `.agents`). macOS holds core logic; Windows/Linux override filesystem and multi-user seams.

`AIToolsDetector` routes Augment before the generic JetBrains handler, applies an `_augment_owned_by_user` gate (managed-only org policy must not create phantom rows), and keys user skills by config dir from `file_path` to avoid cross-user leakage under root scans. Walks skip symlinked `.augment` trees and user-home dirs already collected as user scope to prevent duplicate MCP/rules.

Extensive regression tests cover routing, canonical split, ownership, memoization, and cross-platform smoke.

Reviewed by Cursor Bugbot for commit 48b6cda. Bugbot is set up for automated code reviews on this repo.
Greptile Summary
This PR adds Augment Code discovery across the supported tool scanners. The main changes are:
Confidence Score: 4/5
The Augment skills scan can still overcollect through nested symlinked skill directories.
scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py
Security Review
A remaining filesystem-walk issue lets nested symlinked skill directories be followed during privileged Augment scans.
Important Files Changed
Comments Outside Diff (1)
scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py, line 2480-2484

When `~/.augment/skills` is a real directory but contains a symlinked skill directory, the delegated skills walker still follows that child and reads `SKILL.md` from the symlink target. In a privileged all-users scan, a user can point one nested skill entry at another filesystem location and have that content reported as an Augment skill.

Reviews (1): Last reviewed commit: "Discover Augment Code (Auggie CLI + VS C..."
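The symlink findings in this thread (rule files accepted through `item.is_file()`, and a symlinked child under a real `~/.augment/skills`) reduce to the same two checks. The following is an added example, not the project's code: it skips symlinked skill directories and refuses to read a symlinked `SKILL.md`. The names `read_regular`, `collect_skills` and `demo`, and the temporary tree, are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# O_NOFOLLOW / O_NONBLOCK are POSIX flags; they fall back to 0 where absent.
OPEN_FLAGS = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)


def read_regular(path, limit=65536):
    """Return the text of `path` only if its last component is a regular file."""
    try:
        fd = os.open(path, OPEN_FLAGS)  # a symlink here raises OSError (ELOOP)
    except OSError:
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # FIFO, device, directory
            return None
        return os.read(fd, limit).decode("utf-8", "replace")
    finally:
        os.close(fd)


def collect_skills(skills_dir):
    """Map skill name -> SKILL.md text, skipping every symlinked entry."""
    skills = {}
    if os.path.islink(skills_dir) or not os.path.isdir(skills_dir):
        return skills
    with os.scandir(skills_dir) as entries:
        for entry in entries:
            # Unlike Path.is_dir(), this is False for a symlink to a directory.
            if not entry.is_dir(follow_symlinks=False):
                continue
            text = read_regular(os.path.join(entry.path, "SKILL.md"))
            if text is not None:
                skills[entry.name] = text
    return skills


def demo():
    """Constructed tree: a real skill, a symlinked skill dir, a symlinked SKILL.md."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "other_user")
        outside.mkdir()
        (outside / "SKILL.md").write_text("not yours")
        skills = Path(tmp, "home", ".augment", "skills")
        (skills / "real").mkdir(parents=True)
        (skills / "real" / "SKILL.md").write_text("real skill")
        (skills / "linked_dir").symlink_to(outside, target_is_directory=True)
        (skills / "linked_file").mkdir()
        (skills / "linked_file" / "SKILL.md").symlink_to(outside / "SKILL.md")
        return collect_skills(skills)
```

`O_NOFOLLOW` protects only the last path component; the directory levels rely on the `scandir` checks, which leave a window between the check and the open.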