fix: reject symlinked agents directory

internal/agents/store_test.go

@@ -179,3 +179,35 @@ func TestListAgentsRejectsSymlinkToNonAgentToml(t *testing.T) {
 		t.Fatalf("non-agent TOML content leaked: %#v", got[0])
 	}
 }
+
+func TestListAgentsRejectsSymlinkedAgentsDirectory(t *testing.T) {
+	root := t.TempDir()
+	if err := os.WriteFile(filepath.Join(root, "config.toml"), []byte(`name = "project-secret"`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Symlink(".", filepath.Join(root, "agents")); err != nil {
+		t.Fatal(err)
+	}
+
+	store := Store{CodexHome: root}
+	got, err := store.List()
+	if err == nil {
+		t.Fatalf("expected symlinked agents directory to be rejected, got %#v", got)
+	}
+	if strings.Contains(err.Error(), "project-secret") {
+		t.Fatalf("symlinked agents directory leaked sensitive content in error: %v", err)
+	}
+	for _, item := range got {
+		if strings.Contains(item.Name, "project-secret") ||
+			strings.Contains(item.Description, "project-secret") ||
+			strings.Contains(item.DeveloperInstructions, "project-secret") ||
+			strings.Contains(item.ParseError, "project-secret") {
+			t.Fatalf("symlinked agents directory leaked sensitive content: %#v", item)
+		}
+		for key, value := range item.ExtraFields {
+			if strings.Contains(key, "project-secret") || strings.Contains(value, "project-secret") {
+				t.Fatalf("symlinked agents directory leaked sensitive extra field: %#v", item.ExtraFields)
+			}
+		}
+	}
+}