Merge commit from fork

Route PromptIntegrator.find_prompt_files() and
AgentIntegrator.find_agent_files() through the existing safe
BaseIntegrator.find_files_by_glob() helper which rejects symlinks,
hardlinks, and paths escaping the package root.

Add defense-in-depth guards in copy_prompt(), copy_agent(),
_write_codex_agent(), and _write_windsurf_agent_skill() that raise
on symlink sources before read_text().

Add regression tests verifying symlink/hardlink rejection.

Co-authored-by: danielmeppiel <dmeppiel@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

src/apm_cli/integration/agent_integrator.py

@@ -28,7 +28,7 @@ def find_agent_files(self, package_path: Path) -> list[Path]:
 
         Searches in:
         - Package root directory (.agent.md and .chatmode.md)
-        - .apm/agents/ subdirectory (new standard)
+        - .apm/agents/ subdirectory (new standard, recursive)
         - .apm/chatmodes/ subdirectory (legacy)
 
         Args:
@@ -37,31 +37,23 @@ def find_agent_files(self, package_path: Path) -> list[Path]:
         Returns:
             List[Path]: List of absolute paths to agent files
         """
-        agent_files = []
-
-        # Search in package root
-        if package_path.exists():
-            agent_files.extend(package_path.glob("*.agent.md"))
-            agent_files.extend(package_path.glob("*.chatmode.md"))  # Legacy
-
-        # Search in .apm/agents/ (new standard)
-        # Use rglob so agents in subdirectories (e.g. from plugin mapping) are
-        # still discovered.
+        files: list[Path] = []
+        # Flat search in package root
+        files += self.find_files_by_glob(package_path, "*.agent.md")
+        files += self.find_files_by_glob(package_path, "*.chatmode.md")
+        # Recursive search in .apm/agents/ (use ** glob for subdirectories)
         apm_agents = package_path / ".apm" / "agents"
         if apm_agents.exists():
-            agent_files.extend(apm_agents.rglob("*.agent.md"))
-            # Also pick up plain .md files in agents/; plugins may not use
-            # the .agent.md convention  -- the directory name already implies type
-            for md_file in apm_agents.rglob("*.md"):
-                if not md_file.name.endswith(".agent.md") and md_file not in agent_files:
-                    agent_files.append(md_file)
-
-        # Search in .apm/chatmodes/ (legacy)
+            files += self.find_files_by_glob(apm_agents, "**/*.agent.md")
+            # Also pick up plain .md files; the directory name implies type
+            for f in self.find_files_by_glob(apm_agents, "**/*.md"):
+                if not f.name.endswith(".agent.md") and f not in files:
+                    files.append(f)
+        # Flat search in .apm/chatmodes/ (legacy)
         apm_chatmodes = package_path / ".apm" / "chatmodes"
         if apm_chatmodes.exists():
-            agent_files.extend(apm_chatmodes.glob("*.chatmode.md"))
-
-        return agent_files
+            files += self.find_files_by_glob(apm_chatmodes, "*.chatmode.md")
+        return files
 
     # NOTE: find_skill_file(), integrate_skill(), and _generate_skill_agent_content()
     # have been REMOVED as part of T5 (skill-strategy.md).
@@ -227,6 +219,8 @@ def copy_agent(self, source: Path, target: Path) -> int:
         Returns:
             int: Number of links resolved
         """
+        if source.is_symlink():
+            raise ValueError(f"Refusing to read symlink source: {source}")
         content = source.read_text(encoding="utf-8")
         content, links_resolved = self.resolve_links(content, source, target)
         target.write_text(content, encoding="utf-8")
@@ -248,6 +242,8 @@ def _write_codex_agent(source: Path, target: Path) -> None:
         Parses YAML frontmatter for ``name`` and ``description``, uses
         the markdown body as ``developer_instructions``.
         """
+        if source.is_symlink():
+            raise ValueError(f"Refusing to read symlink source: {source}")
         import toml as _toml
 
         content = source.read_text(encoding="utf-8")
@@ -295,6 +291,8 @@ def _write_windsurf_agent_skill(
           diagnostic warning when those fields are dropped.
         - Preserves the markdown body verbatim.
         """
+        if source.is_symlink():
+            raise ValueError(f"Refusing to read symlink source: {source}")
         content = source.read_text(encoding="utf-8")
 
         stem = source.name

src/apm_cli/integration/prompt_integrator.py

@@ -28,18 +28,7 @@ def find_prompt_files(self, package_path: Path) -> list[Path]:
         Returns:
             List[Path]: List of absolute paths to .prompt.md files
         """
-        prompt_files = []
-
-        # Search in package root
-        if package_path.exists():
-            prompt_files.extend(package_path.glob("*.prompt.md"))
-
-        # Search in .apm/prompts/
-        apm_prompts = package_path / ".apm" / "prompts"
-        if apm_prompts.exists():
-            prompt_files.extend(apm_prompts.glob("*.prompt.md"))
-
-        return prompt_files
+        return self.find_files_by_glob(package_path, "*.prompt.md", subdirs=[".apm/prompts"])
 
     def copy_prompt(self, source: Path, target: Path) -> int:
         """Copy prompt file verbatim with link resolution.
@@ -51,6 +40,8 @@ def copy_prompt(self, source: Path, target: Path) -> int:
         Returns:
             int: Number of links resolved
         """
+        if source.is_symlink():
+            raise ValueError(f"Refusing to read symlink source: {source}")
         content = source.read_text(encoding="utf-8")
         content, links_resolved = self.resolve_links(content, source, target)
         target.write_text(content, encoding="utf-8")

tests/unit/integration/test_symlink_rejection.py

@@ -0,0 +1,113 @@
+"""Regression tests for symlink rejection in prompt/agent integrators.
+
+Verifies that find_prompt_files() and find_agent_files() reject symlinks,
+preventing supply-chain file disclosure attacks via malicious APM packages.
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+import pytest
+
+from apm_cli.integration.agent_integrator import AgentIntegrator
+from apm_cli.integration.prompt_integrator import PromptIntegrator
+
+
+@pytest.fixture
+def package_with_symlinks(tmp_path: Path) -> Path:
+    """Create a fixture package with symlinks under .apm/ directories."""
+    pkg = tmp_path / "pkg"
+    (pkg / ".apm" / "prompts").mkdir(parents=True)
+    (pkg / ".apm" / "agents").mkdir(parents=True)
+    (pkg / ".apm" / "chatmodes").mkdir(parents=True)
+
+    # Create a sentinel file outside the package
+    sentinel = tmp_path / "sentinel.txt"
+    sentinel.write_text("REGRESSION-SENTINEL-CONTENT")
+
+    # Create legitimate files
+    (pkg / ".apm" / "prompts" / "legit.prompt.md").write_text("legit prompt")
+    (pkg / ".apm" / "agents" / "legit.agent.md").write_text("legit agent")
+    (pkg / ".apm" / "chatmodes" / "legit.chatmode.md").write_text("legit chatmode")
+
+    # Create symlinks pointing outside
+    (pkg / ".apm" / "prompts" / "leak.prompt.md").symlink_to(sentinel)
+    (pkg / ".apm" / "agents" / "leak.agent.md").symlink_to(sentinel)
+    (pkg / ".apm" / "chatmodes" / "leak.chatmode.md").symlink_to(sentinel)
+
+    # Create a symlink with absolute path target
+    (pkg / "abs.agent.md").symlink_to(sentinel)
+
+    return pkg
+
+
+class TestPromptIntegratorSymlinkRejection:
+    """Verify PromptIntegrator rejects symlinked files."""
+
+    def test_find_prompt_files_excludes_symlinks(self, package_with_symlinks: Path) -> None:
+        integrator = PromptIntegrator()
+        result = integrator.find_prompt_files(package_with_symlinks)
+
+        # Should find the legit file but not the symlink
+        assert all(not p.is_symlink() for p in result)
+        assert not any(p.name == "leak.prompt.md" for p in result)
+        assert any(p.name == "legit.prompt.md" for p in result)
+
+    def test_copy_prompt_rejects_symlink_source(
+        self, package_with_symlinks: Path, tmp_path: Path
+    ) -> None:
+        integrator = PromptIntegrator()
+        symlink_source = package_with_symlinks / ".apm" / "prompts" / "leak.prompt.md"
+        target = tmp_path / "output.prompt.md"
+
+        with pytest.raises(ValueError, match=r"symlink"):
+            integrator.copy_prompt(symlink_source, target)
+
+
+class TestAgentIntegratorSymlinkRejection:
+    """Verify AgentIntegrator rejects symlinked files."""
+
+    def test_find_agent_files_excludes_symlinks(self, package_with_symlinks: Path) -> None:
+        integrator = AgentIntegrator()
+        result = integrator.find_agent_files(package_with_symlinks)
+
+        # Should find legit files but not symlinks
+        assert all(not p.is_symlink() for p in result)
+        assert not any(p.name == "leak.agent.md" for p in result)
+        assert not any(p.name == "leak.chatmode.md" for p in result)
+        assert not any(p.name == "abs.agent.md" for p in result)
+        assert any(p.name == "legit.agent.md" for p in result)
+        assert any(p.name == "legit.chatmode.md" for p in result)
+
+    def test_copy_agent_rejects_symlink_source(
+        self, package_with_symlinks: Path, tmp_path: Path
+    ) -> None:
+        integrator = AgentIntegrator()
+        symlink_source = package_with_symlinks / ".apm" / "agents" / "leak.agent.md"
+        target = tmp_path / "output.agent.md"
+
+        with pytest.raises(ValueError, match=r"symlink"):
+            integrator.copy_agent(symlink_source, target)
+
+
+class TestHardlinkRejection:
+    """Verify integrators reject hardlinked files."""
+
+    @pytest.mark.skipif(os.name == "nt", reason="Hardlinks may require privileges on Windows")
+    def test_find_prompt_files_excludes_hardlinks(self, tmp_path: Path) -> None:
+        pkg = tmp_path / "pkg"
+        (pkg / ".apm" / "prompts").mkdir(parents=True)
+
+        # Create a file and a hardlink to it
+        original = tmp_path / "original.txt"
+        original.write_text("hardlink content")
+        hardlink = pkg / ".apm" / "prompts" / "linked.prompt.md"
+        os.link(original, hardlink)
+
+        integrator = PromptIntegrator()
+        result = integrator.find_prompt_files(pkg)
+
+        # Hardlink has st_nlink > 1, should be rejected
+        assert not any(p.name == "linked.prompt.md" for p in result)