fix: reject symlinked agents directory

internal/agents/store.go

@@ -18,6 +18,16 @@ type Store struct {
 }
 
 func (s Store) List() ([]AgentDefinition, error) {
+	agentsPath := filepath.Join(s.CodexHome, "agents")
+	if info, err := os.Lstat(agentsPath); err != nil {
+		if os.IsNotExist(err) {
+			return []AgentDefinition{}, nil
+		}
+		return nil, err
+	} else if info.Mode()&os.ModeSymlink != 0 {
+		return nil, codexhome.ErrForbiddenPath
+	}
+
 	agentsDir, err := codexhome.ResolveInside(s.CodexHome, "agents")
 	if err != nil {
 		return nil, err

internal/agents/store_test.go

@@ -179,3 +179,35 @@ func TestListAgentsRejectsSymlinkToNonAgentToml(t *testing.T) {
 		t.Fatalf("non-agent TOML content leaked: %#v", got[0])
 	}
 }
+
+func TestListAgentsRejectsSymlinkedAgentsDirectory(t *testing.T) {
+	root := t.TempDir()
+	if err := os.WriteFile(filepath.Join(root, "config.toml"), []byte(`name = "project-secret"`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Symlink(".", filepath.Join(root, "agents")); err != nil {
+		t.Fatal(err)
+	}
+
+	store := Store{CodexHome: root}
+	got, err := store.List()
+	if err == nil {
+		t.Fatalf("expected symlinked agents directory to be rejected, got %#v", got)
+	}
+	if strings.Contains(err.Error(), "project-secret") {
+		t.Fatalf("symlinked agents directory leaked sensitive content in error: %v", err)
+	}
+	for _, item := range got {
+		if strings.Contains(item.Name, "project-secret") ||
+			strings.Contains(item.Description, "project-secret") ||
+			strings.Contains(item.DeveloperInstructions, "project-secret") ||
+			strings.Contains(item.ParseError, "project-secret") {
+			t.Fatalf("symlinked agents directory leaked sensitive content: %#v", item)
+		}
+		for key, value := range item.ExtraFields {
+			if strings.Contains(key, "project-secret") || strings.Contains(value, "project-secret") {
+				t.Fatalf("symlinked agents directory leaked sensitive extra field: %#v", item.ExtraFields)
+			}
+		}
+	}
+}