fix: reject symlinked sub-agent files

[AkaraChen]

Motivation

• Prevent a symlink-following IO vulnerability where listing or saving project-backed *.md sub-agent files could read or overwrite arbitrary filesystem targets.
• Ensure sub-agent file reads and writes only operate on regular files inside an intended sub-agent directory so untrusted repositories cannot exfiltrate or corrupt local files.

Description

• Added path sanity checks to crates/agents/src/sub_agents.rs so parsing now refuses files with any symlink component and requires the final path be a regular non-symlink file (ensure_no_symlink_components, is_regular_file).
• Hardened directory handling so loads refuse symlinked or non-directory agent directories and saves require a safe directory (ensure_safe_sub_agent_dir).
• Replaced direct fs::write with a safe write path that validates the destination and writes via a temporary, create_new file then rename to avoid following symlinks and avoid TOCTOU when possible (assert_safe_destination, write_sub_agent_file, unique_temp_path).
• Added Unix-only regression tests that verify symlinked markdown files are ignored by loads and that saves refuse to overwrite symlink-backed targets.

Testing

• Ran formatting and static checks with cargo fmt --package aghub-agents --check which succeeded.
• Ran git diff --check which reported no whitespace/errors related to the change.
• Attempted to run unit tests with cargo test -p aghub-agents sub_agents (and offline variant) but test execution was blocked by missing cached crates / network access to crates.io, so the new tests were added but could not be executed in this environment.

---

Codex Task

[coderabbitai]

Warning

Review limit reached

@AkaraChen, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 41 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 646f0afd-5046-4a05-bcff-c93c47163092

📥 Commits

Reviewing files that changed from the base of the PR and between 88dc33e and 38b14bb.

📒 Files selected for processing (1)

• crates/agents/src/sub_agents.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-symlink-handling-in-sub-agent-management

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 38b14bbfc4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve existing sub-agent file permissions

When updating an existing sub-agent file with restrictive permissions (for example 0600 in a user's global agent directory), this path unlinks it and renames in a newly-created temp file, so the saved file gets the process's default create mode (0666 & umask) instead of the original mode. That regresses confidentiality compared with the previous fs::write behavior, which truncated the existing inode and kept its permissions.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid path-based reads after symlink checks

When the sub-agent directory is writable by another process, these metadata checks can pass for a regular *.md file and the path can then be swapped to a symlink before the later fs::read_to_string, so loading can still follow the symlink and read an arbitrary target. Since this change is meant to close symlink-backed reads from untrusted project agent directories, the file needs to be opened in a no-follow way (or validated via the opened handle) instead of relying on a separate path check.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep the old file until replacement succeeds

When updating an existing sub-agent, this removes the only committed file before the replacement is in place; if the process is killed here or the subsequent rename fails (for example because the path is concurrently recreated as a directory), the user loses the previous agent definition and is left with only a hidden temp file. Keep the old regular file until the replacement operation has succeeded (or restore it on failure) so a failed save doesn't delete working config.

Useful? React with 👍 / 👎.