Skip to content

release-29-06-29-v1#219

Merged
pugazhendhi-m merged 1 commit into
mainfrom
staging
Jun 29, 2026
Merged

release-29-06-29-v1#219
pugazhendhi-m merged 1 commit into
mainfrom
staging

Conversation

@pugazhendhi-m

@pugazhendhi-m pugazhendhi-m commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

#213)

  • feat(augment): discover Augment Code across Auggie CLI, VS Code, JetBrains

Add Augment Code (label "augment") to the coding-discovery scanner as a single cross-surface detector returning per-surface rows (Auggie CLI, Augment (VS Code), Augment ()) that share one ~/.augment config. Mirrors the GitHub Copilot cross-surface pattern.

Extraction parity with claude_code/copilot_cli:

  • settings/permissions: toolPermissions -> allow/deny/ask; hooks preserved in raw_settings (user/managed/project/local scopes)
  • MCP servers: top-level mcpServers + augment.advanced.mcpServers + flat form
  • rules/guidelines: .augment-guidelines, .augment/rules/*.{md,mdx}, ~/.augment/rules, ~/.augment/user-guidelines.md, hierarchical AGENTS.md/CLAUDE.md
  • skills/commands: ~/.augment/skills//SKILL.md, .augment/commands/*.md

Shared ~/.augment config is attached to a single canonical surface (Auggie CLI > VS Code > JetBrains) to avoid duplication; non-canonical surfaces emit bare detection rows. macOS holds the logic; Windows/Linux are thin OS-seam subclasses.

Part of WEB-4950 (discovery half).

  • fix(augment): address review findings (cross-user skills, rules dup, settings scope)
  • Owner-key user-scope skills by file_path so a user's skill content can't leak onto another user's row under a root all-users scan (mirrors _copilot_skill_owner_home)
  • Guard the rules project walk against re-collecting ~/.augment/rules as project scope, matching the settings/skills extractors' user-dir guards
  • Settings: extract user + managed only; drop the unsurfaceable project/local filesystem walk; include managed scope in the permissions filter
  • Skip symlinked dirs before the .augment branch in the rules walk
  • Memo parity for _get_augment_mcp; settings docstring fix
  • Add regression tests for the cross-user skills leak and rules duplication
  • fix(augment tests): pin _filesystem_root in project-walk tests for Windows

The rules/skills project-walk tests instantiate the macOS extractor and patched only _iter_top_level_dirs, leaving _filesystem_root at "/". On Windows the walk's item.relative_to("/") raises ValueError for a C:\ temp path, so every subdirectory was skipped and project rules/skills were never collected (8 Windows-only unittest failures, all in the rules/skills suites). Pin _filesystem_root to the temp ancestor so relative_to works cross-platform. Production is unaffected: real Windows uses the Windows*AugmentExtractor with the correct filesystem root.

  • fix(augment): address PR-bot findings (per-user canonical, MCP memo, dedup, symlink, ownership)

Cursor + Greptile inline review follow-ups:

  • G: canonical Augment surface is now chosen PER USER (keyed by _config_path), not a single global name. A root multi-user scan picks a winner for each user's ~/.augment independently, so a VS Code-only user no longer gets a bare row that drops their config when another user has the CLI.
  • F: managed-scope-only permissions (org-wide /etc/augment) no longer manufacture a phantom Augment row for a non-owner under root scans (_augment_owned_by_user no longer counts managed permissions as user-owned data).
  • B: MCP accessor memoization uses a distinct UNSET sentinel so a legitimate cached None (no MCP configured) short-circuits instead of re-running the full MCP walk on every surface.
  • C: emit at most one "Augment (VS Code)" row per user (prefer stable over nightly) so stable+nightly installs don't create duplicate canonical rows.
  • A: skills walk skips symlinked dirs before the .augment handling (mirrors the rules/mcp/settings walks) so a symlinked .augment can't be followed.
  • E: Windows skills walk also skips other-tool config dirs (parity with the macOS base + Windows rules walk).

D (Linux rules per-user error guard) was already covered by the macOS base _extract_user_rules try/except that the Linux subclass inherits.

Adds per-user-canonical, managed-ownership, MCP-memo, dual-extension, and symlink regression tests.

  • fix(augment): attribute JetBrains rows to the IDE owner under root scans (H2)

Under a root MDM all-users scan, MacOSJetBrainsDetector returns every user's IDEs, but the Augment JetBrains row stamped _config_path from the outer scan home — so an IDE owned by user B could be attributed to user A's ~/.augment (wrong permissions/config). Run JetBrains detection once and derive each IDE's owning user from the IDE's own config path (longest-prefix match against the scanned homes), falling back to the scoped/current home. This also removes the prior N-times-redundant rescan.

  • fix(augment tests): make H2 JetBrains-owner assertion separator-agnostic

The new H2 regression test hardcoded "/Users/bob/.augment", but production stringifies a Path, so on Windows _config_path is "\Users\bob\.augment" and the literal-POSIX assertion failed (Windows CI). Build the expected value via Path so the separator matches the host OS. Test-only; production is correct.

  • fix(augment): guard each user in Linux rules _scan_all_user_homes (Greptile)

Parity with LinuxAugmentSkillsExtractor: wrap each per-user extract_for_user in try/except (PermissionError, OSError) so one unreadable home can't abort the whole multi-user rules scan.

  • fix(augment): stop duplicate MCP servers from the workspace walk (Greptile)

The MCP workspace walk descended into user homes and re-read /.augment/settings.json as PROJECT scope — the same servers already collected as USER scope — emitting duplicate MCP servers under two project paths (/.augment as "user" + the home dir as "project"). Record each user-home ~/.augment collected as user scope and skip it in the workspace walk, matching the rules/settings/skills user-dir guards. Genuine project .augment dirs are still collected.

  • feat(augment): collect .claude/.agents skills; group user skills by config dir

Two follow-ups from dogfooding the Auggie CLI:

  1. Auggie loads skills/commands from .augment, .claude AND .agents (per docs.augmentcode.com/cli/skills, in both workspace and home) and honors .claude/commands for Claude compatibility. The Augment skills extractor now sources all three marker dirs (user + project). The same .claude/.agents item is reported under Claude Code / Copilot CLI AND Augment by design — each tool reports what it loads; the backend dedups per (tool, home_user).

  2. Group user-scope skills under their CONFIG DIR (~/.augment, ~/.claude, /.agents) instead of the bare home. The backend keys an AIToolProject per project path, so the old bare-home key surfaced a spurious "" project separate from the ~/.augment rules/MCP project; now ~/.augment skills coalesce with that row's rules/MCP, while /.claude//.agents skills group under their own dir. Still owner-scoped (home is in the path) so the per-user filter prevents cross-user skill leakage under root scans.

  • fix(augment): guard symlinked skills/commands subdir in the skills walk

The skills project walk symlink-checks the parent .augment dir but then used type_dir.is_dir() on the skills/commands subdir, which follows symlinks — so under a root MDM scan a user could point .augment/skills at an arbitrary dir and have the scanner traverse it. Add the matching not type_dir.is_symlink() guard (mirrors the parent-dir guard in the same method). All OSes via the inherited macOS walk. Adds a regression test (symlinked .augment/skills not traversed; real one still collected).


Note

Medium Risk
Large new surface area with whole-disk walks and root multi-user attribution; mistakes could leak another user's skills or duplicate permissions, but behavior mirrors hardened Copilot patterns with dedicated guards and tests.

Overview
Augment Code is added to the coding-discovery scanner: Auggie CLI, Augment (VS Code), and Augment (JetBrains) each emit a detection row while sharing one per-user ~/.augment config. Shared MCP, rules, skills, and permissions are extracted once (memoized walks) and attached only to a canonical surface per _config_path (Auggie CLI → VS Code → JetBrains); other surfaces stay bare inventory rows.

New OS-specific detectors and extractors cover settings/permissions (toolPermissions, user + managed scopes), MCP (top-level and nested mcpServers), rules/guidelines, and skills/commands (including .augment, .claude, and .agents). macOS holds core logic; Windows/Linux override filesystem and multi-user seams.

AIToolsDetector routes Augment before the generic JetBrains handler, applies an _augment_owned_by_user gate (managed-only org policy must not create phantom rows), and keys user skills by config dir from file_path to avoid cross-user leakage under root scans. Walks skip symlinked .augment trees and user-home dirs already collected as user scope to prevent duplicate MCP/rules.

Extensive regression tests cover routing, canonical split, ownership, memoization, and cross-platform smoke.

Reviewed by Cursor Bugbot for commit 48b6cda. Bugbot is set up for automated code reviews on this repo. Configure here.

Greptile Summary

This PR adds Augment Code discovery across the supported tool scanners. The main changes are:

  • New Auggie CLI, VS Code, and JetBrains Augment surface detection.
  • Shared Augment extraction for MCP servers, rules, settings, and skills.
  • Linux and Windows Augment subclasses for OS-specific scan seams.
  • Tests for multi-user attribution, duplicate suppression, and symlink handling.

Confidence Score: 4/5

The Augment skills scan can still overcollect through nested symlinked skill directories.

  • The canonical surface and user ownership paths look consistent with the intended multi-user model.
  • The MCP and rules walkers include guards for user-config duplication and top-level symlinks.
  • The skills walker still allows a symlink one level below a real skills directory, which affects privileged scans.

scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py

Security Review

A remaining filesystem-walk issue lets nested symlinked skill directories be followed during privileged Augment scans.

Important Files Changed

Filename Overview
scripts/coding_discovery_tools/ai_tools_discovery.py Adds Augment processing, memoized shared config extraction, per-user canonical surface selection, and ownership filtering.
scripts/coding_discovery_tools/macos/augment/augment.py Adds macOS Augment detection for CLI, VS Code, and JetBrains rows with owner-based config attribution.
scripts/coding_discovery_tools/macos/augment/augment_mcp_config_extractor.py Adds Augment MCP extraction from user and workspace settings with duplicate user-config suppression.
scripts/coding_discovery_tools/macos/augment/augment_rules_extractor.py Adds Augment rule extraction for user and project guideline files with bounded filesystem walking.
scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py Adds Augment skill and command extraction, but nested symlinked skill directories can still be followed.
scripts/coding_discovery_tools/linux/augment/augment_skills_extractor.py Adds Linux-specific seams for the inherited Augment skills extractor.
scripts/coding_discovery_tools/windows/augment/augment_skills_extractor.py Adds Windows-specific seams for the inherited Augment skills extractor.

Comments Outside Diff (1)

  1. scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py, line 2480-2484 (link)

    P1 security Nested Skill Symlinks Still Traverse

    When ~/.augment/skills is a real directory but contains a symlinked skill directory, the delegated skills walker still follows that child and reads SKILL.md from the symlink target. In a privileged all-users scan, a user can point one nested skill entry at another filesystem location and have that content reported as an Augment skill.

Reviews (1): Last reviewed commit: "Discover Augment Code (Auggie CLI + VS C..." | Re-trigger Greptile

…213)

* feat(augment): discover Augment Code across Auggie CLI, VS Code, JetBrains

Add Augment Code (label "augment") to the coding-discovery scanner as a
single cross-surface detector returning per-surface rows (Auggie CLI,
Augment (VS Code), Augment (<JetBrains IDE>)) that share one ~/.augment
config. Mirrors the GitHub Copilot cross-surface pattern.

Extraction parity with claude_code/copilot_cli:
- settings/permissions: toolPermissions -> allow/deny/ask; hooks preserved
  in raw_settings (user/managed/project/local scopes)
- MCP servers: top-level mcpServers + augment.advanced.mcpServers + flat form
- rules/guidelines: .augment-guidelines, .augment/rules/*.{md,mdx},
  ~/.augment/rules, ~/.augment/user-guidelines.md, hierarchical AGENTS.md/CLAUDE.md
- skills/commands: ~/.augment/skills/<name>/SKILL.md, .augment/commands/*.md

Shared ~/.augment config is attached to a single canonical surface
(Auggie CLI > VS Code > JetBrains) to avoid duplication; non-canonical
surfaces emit bare detection rows. macOS holds the logic; Windows/Linux
are thin OS-seam subclasses.

Part of WEB-4950 (discovery half).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): address review findings (cross-user skills, rules dup, settings scope)

- Owner-key user-scope skills by file_path so a user's skill content can't leak
  onto another user's row under a root all-users scan (mirrors
  _copilot_skill_owner_home)
- Guard the rules project walk against re-collecting ~/.augment/rules as project
  scope, matching the settings/skills extractors' user-dir guards
- Settings: extract user + managed only; drop the unsurfaceable project/local
  filesystem walk; include managed scope in the permissions filter
- Skip symlinked dirs before the .augment branch in the rules walk
- Memo parity for _get_augment_mcp; settings docstring fix
- Add regression tests for the cross-user skills leak and rules duplication

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment tests): pin _filesystem_root in project-walk tests for Windows

The rules/skills project-walk tests instantiate the macOS extractor and
patched only _iter_top_level_dirs, leaving _filesystem_root at "/". On
Windows the walk's item.relative_to("/") raises ValueError for a C:\ temp
path, so every subdirectory was skipped and project rules/skills were never
collected (8 Windows-only unittest failures, all in the rules/skills suites).
Pin _filesystem_root to the temp ancestor so relative_to works cross-platform.
Production is unaffected: real Windows uses the Windows*AugmentExtractor with
the correct filesystem root.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): address PR-bot findings (per-user canonical, MCP memo, dedup, symlink, ownership)

Cursor + Greptile inline review follow-ups:

- G: canonical Augment surface is now chosen PER USER (keyed by _config_path),
  not a single global name. A root multi-user scan picks a winner for each
  user's ~/.augment independently, so a VS Code-only user no longer gets a bare
  row that drops their config when another user has the CLI.
- F: managed-scope-only permissions (org-wide /etc/augment) no longer manufacture
  a phantom Augment row for a non-owner under root scans (_augment_owned_by_user
  no longer counts managed permissions as user-owned data).
- B: MCP accessor memoization uses a distinct UNSET sentinel so a legitimate
  cached None (no MCP configured) short-circuits instead of re-running the full
  MCP walk on every surface.
- C: emit at most one "Augment (VS Code)" row per user (prefer stable over
  nightly) so stable+nightly installs don't create duplicate canonical rows.
- A: skills walk skips symlinked dirs before the .augment handling (mirrors the
  rules/mcp/settings walks) so a symlinked .augment can't be followed.
- E: Windows skills walk also skips other-tool config dirs (parity with the
  macOS base + Windows rules walk).

D (Linux rules per-user error guard) was already covered by the macOS base
_extract_user_rules try/except that the Linux subclass inherits.

Adds per-user-canonical, managed-ownership, MCP-memo, dual-extension, and
symlink regression tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): attribute JetBrains rows to the IDE owner under root scans (H2)

Under a root MDM all-users scan, MacOSJetBrainsDetector returns every user's
IDEs, but the Augment JetBrains row stamped _config_path from the outer scan
home — so an IDE owned by user B could be attributed to user A's ~/.augment
(wrong permissions/config). Run JetBrains detection once and derive each IDE's
owning user from the IDE's own config path (longest-prefix match against the
scanned homes), falling back to the scoped/current home. This also removes the
prior N-times-redundant rescan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment tests): make H2 JetBrains-owner assertion separator-agnostic

The new H2 regression test hardcoded "/Users/bob/.augment", but production
stringifies a Path, so on Windows _config_path is "\\Users\\bob\\.augment" and
the literal-POSIX assertion failed (Windows CI). Build the expected value via
Path so the separator matches the host OS. Test-only; production is correct.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): guard each user in Linux rules _scan_all_user_homes (Greptile)

Parity with LinuxAugmentSkillsExtractor: wrap each per-user extract_for_user in
try/except (PermissionError, OSError) so one unreadable home can't abort the
whole multi-user rules scan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): stop duplicate MCP servers from the workspace walk (Greptile)

The MCP workspace walk descended into user homes and re-read
~/.augment/settings.json as PROJECT scope — the same servers already collected
as USER scope — emitting duplicate MCP servers under two project paths
(~/.augment as "user" + the home dir as "project"). Record each user-home
~/.augment collected as user scope and skip it in the workspace walk, matching
the rules/settings/skills user-dir guards. Genuine project .augment dirs are
still collected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(augment): collect .claude/.agents skills; group user skills by config dir

Two follow-ups from dogfooding the Auggie CLI:

1. Auggie loads skills/commands from .augment, .claude AND .agents (per
   docs.augmentcode.com/cli/skills, in both workspace and home) and honors
   .claude/commands for Claude compatibility. The Augment skills extractor now
   sources all three marker dirs (user + project). The same .claude/.agents item
   is reported under Claude Code / Copilot CLI AND Augment by design — each tool
   reports what it loads; the backend dedups per (tool, home_user).

2. Group user-scope skills under their CONFIG DIR (~/.augment, ~/.claude,
   ~/.agents) instead of the bare home. The backend keys an AIToolProject per
   project path, so the old bare-home key surfaced a spurious "~" project
   separate from the ~/.augment rules/MCP project; now ~/.augment skills coalesce
   with that row's rules/MCP, while ~/.claude/~/.agents skills group under their
   own dir. Still owner-scoped (home is in the path) so the per-user filter
   prevents cross-user skill leakage under root scans.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(augment): guard symlinked skills/commands subdir in the skills walk

The skills project walk symlink-checks the parent .augment dir but then used
type_dir.is_dir() on the skills/commands subdir, which follows symlinks — so
under a root MDM scan a user could point .augment/skills at an arbitrary dir and
have the scanner traverse it. Add the matching `not type_dir.is_symlink()` guard
(mirrors the parent-dir guard in the same method). All OSes via the inherited
macOS walk. Adds a regression test (symlinked .augment/skills not traversed;
real one still collected).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: thatcatfromspace <fake-fam-20260623-0332-e7f7@nonexistent.invalid>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@pugazhendhi-m pugazhendhi-m requested a review from a team June 29, 2026 04:47
@pugazhendhi-m pugazhendhi-m merged commit dd4c665 into main Jun 29, 2026
15 of 16 checks passed
@vigneshsubbiah16

Copy link
Copy Markdown
Contributor

🛡️ Automated Security Review (consensus)

2 findings — 2 high-confidence, 0 to triage. Reviewers: Cursor, Claude, Semgrep, Gitleaks.

🔴 Privileged scan executes per-user auggie binaries without trust checks

scripts/coding_discovery_tools/macos/augment/augment.py (_detect_auggie_cli_for_user, get_version, _iter_scan_homes); scripts/coding_discovery_tools/windows/augment/augment.py (_resolve_binary, inherited get_version)

Impact: Under a root/admin MDM all-users scan, the detector resolves auggie from each user's home (~/.local/bin/auggie, ~/.bun/bin/auggie, nvm paths, Windows npm/WinGet shims) and runs run_command([binary, "--version"], …) as the scanning principal — a local user can plant a malicious executable and achieve privilege escalation when the scanner runs elevated.

Fix: Do not exec binaries from homes the scanner does not trust: skip the version probe (emit "unknown") for non-current-user homes under privileged scans, verify owner/writability before exec, or drop privileges to the target user before invoking.

Flagged by: Claude, Lead


🔴 Nested symlinked skill directories still followed during skills walk

scripts/coding_discovery_tools/macos/augment/augment_skills_extractor.py (~_walk_for_skillsextract_augment_items_from_directory)

Impact: Guards skip symlinked .augment dirs and symlinked skills//commands/ parents, but per-skill subdirectories under a real skills/ dir are enumerated by the shared extract_items_from_directory helper, which can follow a symlinked child (e.g. .augment/skills/x → arbitrary path) and read SKILL.md from the target — enabling cross-path content harvesting under privileged scans.

Fix: Skip symlinked entries at each nested skill subdirectory (mirror _walk_rules_dir's is_symlink() guard), or pass a followlinks=False/symlink filter through extract_items_from_directory in claude_code_skills_helpers.

Flagged by: Claude, Greptile, Lead


Previously acknowledged (not re-flagged)

  • Cross-user skills/rules/MCP/permissions leakage under root scans — addressed in-PR via owner-keying by file_path/_config_path, per-user canonical surface selection, managed-scope ownership gate, and user-dir duplication guards.
  • Symlinked top-level .augment and .augment/skills/commands dirs — addressed in-PR with is_symlink() guards on parent walk entries and the type_dir check; nested child skill symlinks remain open (finding above).
  • Duplicate MCP/rules from re-walking user-home ~/.augment as project scope — addressed in-PR with _scanned_user_augment_dirs / user_augment_dirs skip sets.

🤖 consensus review · reviewers: Cursor,Claude,Semgrep,Gitleaks · head 48b6cda9 · 2026-06-29T04:51Z

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated security orchestration found 2 actionable issues on the current head after module triage and deduplication (1 CRITICAL, 1 HIGH). Inline comments include details and impact.

Open in Web View Automation 

Sent by Cursor Security Agent: Security Reviewer

if binary is not None:
try:
return _parse_cli_version(
run_command([str(binary), "--version"], VERSION_TIMEOUT)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: CRITICAL
run_command([str(binary), "--version"], ...) executes a per-user auggie binary discovered under user-writable home paths during all-users scans. In privileged/root scan mode, this allows a low-privileged local user to plant a malicious binary that gets executed with elevated privileges.
Impact: Local privilege escalation to root/administrator and full host compromise during discovery runs.

Fix in Cursor Fix in Web

Reviewed by Cursor Security Reviewer for commit 48b6cda. Configure here.

self._walk_rules_dir(
item, find_project_root_func, scope, projects_by_root, current_depth + 1
)
elif item.is_file() and _is_augment_rule_file(item.name):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: HIGH
The rules walker blocks symlinked directories, but still accepts item.is_file() and then reads matching files. Symlinked rule files (for example AGENTS.md or files under .augment/rules) can therefore be dereferenced and ingested without containment checks.
Impact: In privileged scans, a user can point a scanned rule file symlink at sensitive paths outside the intended workspace/config boundary, causing cross-boundary data ingestion/exfiltration.

Fix in Cursor Fix in Web

Reviewed by Cursor Security Reviewer for commit 48b6cda. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 48b6cda. Configure here.

best, best_len = home, len(home_norm)
if best is not None:
return best
return self.user_home or Path.home()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JetBrains IDE wrong config owner

High Severity

During per-user MDM scans, JetBrains detection returns machine-wide results, but _augment_owner_home_for_path resolves owners scoped to a single user. This causes it to incorrectly assign the scanned user's ~/.augment config path to IDEs belonging to other users, leading to incorrect canonical grouping, permissions, and potentially blocking the actual owner's entry.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 48b6cda. Configure here.

user_home, user_skills, self._extract_single_rule_file, AUGMENT_ITEM_CONFIGS
)

self._scan_all_user_homes(extract_for_user)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User skills follow symlinks

Medium Severity

User-scope Augment skills/commands use extract_augment_user_level_items without symlink checks on ~/.augment, ~/.claude, or ~/.agents skill/command dirs. The project walk in the same extractor skips symlinked .augment and skills/ trees, so a root all-users scan can still traverse a symlinked home skills directory and read arbitrary paths.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 48b6cda. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants