Skip to content

fix(install): dereference in-package symlinks on local install (#1668)#1676

Open
danielmeppiel wants to merge 2 commits into
mainfrom
autopilot/1668-local-symlink-deref
Open

fix(install): dereference in-package symlinks on local install (#1668)#1676
danielmeppiel wants to merge 2 commits into
mainfrom
autopilot/1668-local-symlink-deref

Conversation

@danielmeppiel
Copy link
Copy Markdown
Collaborator

@danielmeppiel danielmeppiel commented Jun 5, 2026

fix(install): dereference in-package symlinks on local install

TL;DR

Local-path apm install now materializes in-package symlinks as real files,
matching the behavior of remote install. A symlink whose resolved target escapes
the package root causes a hard-fail (PathTraversalError), never a silent drop.
All five mandatory security guardrails from the maintainer brief are implemented.

Closes #1668

Problem (WHY)

"A local-path apm install <dir> silently drops skill files that are
symlinks; a remote apm install owner/repo of the same package keeps them."
-- Issue #1668

The divergence had two root causes:

  • _copy_local_package called shutil.copytree(..., symlinks=True), preserving
    every symlink in apm_modules/ rather than materializing its content.
  • The downstream deploy filter ignore_non_content (security/gate.py) excluded
    all symlinks from the copy into target directories -- including in-package
    ones that were safe to follow.
  • Result: both operations reported success while the referenced files vanished.

The old code also carried an explicit SECURITY comment acknowledging an open
TOCTOU window and deferring the fix -- this PR closes that window.

Approach (WHAT)

Layer Change
local_content.py Replace bulk copytree(symlinks=True) with _copy_tree_dereferencing_validated()
New helper Atomic per-symlink: resolve(strict=True) -> ensure_path_within() -> copy2
Escaping symlinks Raise PathTraversalError immediately; no warn-and-skip, no partial copy
ignore_non_content (gate.py) Unchanged -- symlinks no longer reach deployment because they are dereferenced at staging
Security docs Threat-model note added to docs/enterprise/security.md

Implementation (HOW)

src/apm_cli/install/phases/local_content.py

Added _copy_tree_dereferencing_validated(src, dst, pkg_root): walks the source
tree recursively. For each symlink entry it atomically calls
entry.resolve(strict=True), passes the result to ensure_path_within(resolved, pkg_root) (the #596 containment helper), then shutil.copy2(resolved, dst_entry)
for files or recurses for directories. Any symlink escaping pkg_root raises
PathTraversalError with a human-readable message and aborts the entire copy.
Replaced the shutil.copytree(symlinks=True) call and the accompanying
unresolved TOCTOU note with a single call to the new helper.

tests/unit/install/test_local_content_symlink_deref.py (new)

Six typed-coverage tests written as a failing regression trap before the fix:

  • TestInPackageSymlinkIsDerefed -- in-package symlink materialized as real file
  • TestEscapingSymlinkHardFails -- escaping symlink raises PathTraversalError; no partial copy
  • TestNonSymlinkFilesUnchanged -- non-symlink baseline unchanged

tests/unit/test_local_deps.py

Updated test_copy_preserves_symlinks_without_following to assert the new
correct behavior (hard-fail) instead of the old incorrect behavior
(preserved-as-symlink with silent downstream drop).

docs/src/content/docs/enterprise/security.md

Added "Local-install symlink dereference and containment guarantee" subsection
under Symlink handling, documenting all four security properties.

Diagrams

flowchart TD
    A[_copy_local_package called] --> B[_copy_tree_dereferencing_validated]
    B --> C{entry type?}
    C -- regular file --> D[shutil.copy2 to dst]
    C -- directory --> E[recurse]
    C -- symlink --> F[resolve strict=True]
    F --> G{resolved within pkg_root?}
    G -- yes --> H[copy2 resolved content to dst]
    G -- no --> I[raise PathTraversalError<br/>install aborted]
    D --> J[continue to next entry]
    H --> J
    E --> J
Loading 
sequenceDiagram
    participant Caller as _copy_local_package
    participant Helper as _copy_tree_dereferencing_validated
    participant PW as ensure_path_within
    participant FS as shutil.copy2

    Caller->>Helper: src=local, dst=install_path, pkg_root=local
    loop for each entry
        Helper->>Helper: entry.is_symlink()?
        alt is symlink
            Helper->>Helper: resolve(strict=True)
            Helper->>PW: ensure_path_within(resolved, pkg_root)
            alt escapes pkg_root
                PW-->>Helper: PathTraversalError
                Helper-->>Caller: PathTraversalError (install aborted)
            else within pkg_root
                Helper->>FS: copy2(resolved, dst_entry)
            end
        else regular file
            Helper->>FS: copy2(entry, dst_entry)
        end
    end
    Helper-->>Caller: return install_path
Loading

Trade-offs

  • Behavior change on escaping symlinks. Old: symlink preserved silently in
    apm_modules/, downstream filter drops it without warning. New: hard-fail.
    Authors who had escaping symlinks (even unintentionally) now see an error
    rather than silent data loss -- this is strictly safer.
  • No ignore_non_content change. By fixing the staging phase, the deploy
    filter naturally handles in-package content as regular files. Keeping the
    filter intact preserves its protection for any residual symlinks from other
    code paths.
  • copystat on symlinks. Calling shutil.copystat(entry, dst_entry) after
    the dereference preserves the link's mtime, not the target's -- acceptable for
    a package staging copy where timestamps are not semantically significant.

Benefits

  1. Local install output is consistent with remote install for packages that use
    in-package symlinks to share reference content (e.g. shared-contract.md).
  2. Path-traversal via crafted symlinks is now a hard install failure rather than
    a silent no-op, closing a latent attack surface.
  3. The TOCTOU window documented in the old SECURITY comment is resolved: resolve,
    validate, and copy are now a single atomic sequence per file.
  4. Security posture is documented in the enterprise security page with a complete
    threat model.

Validation evidence

$ uv run --extra dev pytest tests/unit/install/test_local_content_symlink_deref.py tests/unit/test_local_deps.py::TestCopyLocalPackage -v

tests/unit/install/test_local_content_symlink_deref.py::TestInPackageSymlinkIsDerefed::test_in_package_symlink_materialized_as_real_file PASSED
tests/unit/install/test_local_content_symlink_deref.py::TestInPackageSymlinkIsDerefed::test_in_package_nested_symlink_content_preserved PASSED
tests/unit/install/test_local_content_symlink_deref.py::TestEscapingSymlinkHardFails::test_symlink_escaping_package_root_raises PASSED
tests/unit/install/test_local_content_symlink_deref.py::TestEscapingSymlinkHardFails::test_escaping_install_path_is_not_partially_created PASSED
tests/unit/install/test_local_content_symlink_deref.py::TestNonSymlinkFilesUnchanged::test_regular_files_copied_intact PASSED
tests/unit/install/test_local_content_symlink_deref.py::TestNonSymlinkFilesUnchanged::test_install_path_returned_on_success PASSED
tests/unit/test_local_deps.py::TestCopyLocalPackage::test_copy_preserves_symlinks_without_following PASSED
13 passed in 0.99s

$ uv run --extra dev pytest tests/unit/install/ tests/unit/test_local_deps.py tests/unit/test_security_gate.py tests/unit/test_symlink_containment.py -q
1662 passed, 3 subtests passed in 12.17s

$ uv run --extra dev ruff check src/ tests/ && uv run --extra dev ruff format --check src/ tests/
All checks passed! 1225 files already formatted

$ uv run --extra dev python -m pylint --disable=all --enable=R0801 --min-similarity-lines=10 --fail-on=R0801 src/apm_cli/
Your code has been rated at 10.00/10

$ bash scripts/lint-auth-signals.sh
[+] auth-signal lint clean

Scenario Evidence

Scenario Test APM Principle
In-package symlink materialized as real file TestInPackageSymlinkIsDerefed::test_in_package_symlink_materialized_as_real_file Parity between local and remote install
Escaping symlink causes hard-fail TestEscapingSymlinkHardFails::test_symlink_escaping_package_root_raises Fail-closed on security surface
No partial copy left on escaping symlink TestEscapingSymlinkHardFails::test_escaping_install_path_is_not_partially_created Atomicity
Non-symlink files unchanged TestNonSymlinkFilesUnchanged::test_regular_files_copied_intact Backward compatibility

How to test

  1. Create a local APM package with an in-package symlink: 
    mkdir -p /tmp/symlink-demo/.apm/skills/demo/references
echo "# Shared" > /tmp/symlink-demo/.apm/shared/shared.md
mkdir -p /tmp/symlink-demo/.apm/shared
echo "# Shared" > /tmp/symlink-demo/.apm/shared/shared.md
ln -s ../../../shared/shared.md /tmp/symlink-demo/.apm/skills/demo/references/shared.md
echo "name: demo\nversion: 1.0.0" > /tmp/symlink-demo/apm.yml
  2. Run apm install /tmp/symlink-demo --target claude and verify
    .claude/skills/demo/references/shared.md is a regular file with correct content.
  3. Run pytest tests/unit/install/test_local_content_symlink_deref.py -v --
    all 6 tests must pass.
  4. Create a package with an escaping symlink (ln -s /etc/hosts /tmp/symlink-demo/evil),
    run apm install /tmp/symlink-demo and confirm the install fails with a clear
    PathTraversalError message naming the offending symlink.

@danielmeppiel
fix(install): dereference in-package symlinks on local install (#1668)
062e2cc 
Local-path install now materializes in-package symlinks as real files,
matching the behavior of remote install (which uses robust_copytree with
symlinks=False / git checkout semantics).

Before this fix, _copy_local_package used shutil.copytree(symlinks=True),
which preserved symlinks in apm_modules/.  The downstream ignore_non_content
filter in security/gate.py then silently dropped every symlink, causing
referenced files to go missing without any warning.

Changes:
- Add _copy_tree_dereferencing_validated() to local_content.py: walks the
  source tree atomically (resolve -> ensure_path_within -> copy2 per entry).
  In-package symlinks are materialized as real files.  Symlinks whose resolved
  target escapes the package root raise PathTraversalError immediately
  (hard-fail, never warn-and-skip).
- Remove symlinks=True / stale SECURITY comment from _copy_local_package.
- Add regression tests: in-package symlink materialized; escaping symlink
  hard-fails; non-symlink baseline unchanged.
- Update test_local_deps.py: test_copy_preserves_symlinks_without_following
  now asserts the correct hard-fail behavior instead of the old preserve-as-
  symlink behavior.
- Add threat-model note to docs/enterprise/security.md describing the
  dereference behavior and containment guarantee.

Security guardrails (all from the maintainer-approved brief):
1. ensure_path_within() validates every symlink target before copy.
2. TOCTOU-safe: atomic per-file resolve->validate->copy2 sequence.
3. Escaping symlinks hard-fail (PathTraversalError), never warn-and-skip.
4. Only in-package symlinks dereferenced; external symlinks rejected.
5. Threat-model note added to security docs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 5, 2026 10:26
Copilot AI reviewed Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes local-path apm install <dir> stage in-package symlinks as real files (matching remote install behavior) and hard-fails on symlinks whose resolved targets escape the package root, with accompanying unit-test coverage and security documentation updates.

Changes:

  • Replaced local staging copytree(..., symlinks=True) behavior with a validated, symlink-dereferencing copy routine.
  • Added regression/security tests covering in-package symlink materialization and escaping-symlink failure behavior.
  • Updated enterprise security docs to describe the local-install containment guarantee.
Show a summary per file
File Description
src/apm_cli/install/phases/local_content.py Adds validated dereferencing copy helper and switches local staging to use it.
tests/unit/install/test_local_content_symlink_deref.py New regression/security tests for local install symlink dereference and escape handling.
tests/unit/test_local_deps.py Updates existing test expectation to assert hard-fail on escaping symlink.
docs/src/content/docs/enterprise/security.md Documents the local-install symlink dereference + containment posture.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 3

Comment thread src/apm_cli/install/phases/local_content.py Outdated
Comment on lines 239 to 245
# Dereference in-package symlinks atomically (fix for #1668).
# Each symlink is resolved -> validated within `local` -> copied as a real
# file, matching the behavior of the remote install path which uses
# robust_copytree with symlinks=False. Symlinks that escape the package
# root raise PathTraversalError immediately (hard-fail, not warn-and-skip).
_copy_tree_dereferencing_validated(local, install_path, local)
return install_path
Comment thread src/apm_cli/install/phases/local_content.py Outdated
Comment on lines +136 to +140
if resolved.is_dir():
_copy_tree_dereferencing_validated(resolved, dst_entry, pkg_root)
else:
shutil.copy2(resolved, dst_entry)
shutil.copystat(entry, dst_entry)
Comment thread tests/unit/install/test_local_content_symlink_deref.py
Comment on lines +175 to +181
def test_escaping_install_path_is_not_partially_created(self, tmp_path: Path) -> None:
"""When an escaping symlink is found the install_path is not left partial.

The install must either complete fully or fail atomically. A partial
tree in apm_modules/ could cause subsequent installs to behave
incorrectly.
"""
@danielmeppiel
fix(install): harden symlink deref with cycle guard, partial-copy cle…
f301b57 
…anup, and extended tests

Folds panel follow-ups on the security surface introduced by #1668:

- Add visited-set cycle guard to _copy_tree_dereferencing_validated to detect
  circular directory-symlink chains deterministically (O(1), independent of OS
  ELOOP platform limits). Previously, circular in-package dir symlinks would
  overflow the Python call stack rather than producing a clear PathTraversalError.

- Fix copystat calls to use the resolved path (not the symlink entry) as the
  stat source for symlink entries. The old call was effectively a no-op (os.stat
  follows symlinks, giving the same result), but was misleading to readers.

- Wrap the _copy_tree_dereferencing_validated call in _copy_local_package with a
  try/except PathTraversalError + safe_rmtree cleanup to guarantee that no
  partial install_path content remains on failure. The escaping-symlink test
  already asserted this, but production code was relying on the outer error
  propagation without cleanup.

- Remove [x] prefix from PathTraversalError message bodies. The rendering layer
  owns the prefix; embedding [x] inside the exception string causes double-prefix
  output when the caller's diagnostics handler wraps the error.

- Add actionable fix hint to the escaping-symlink error message.

- Add three new test classes: TestBrokenSymlink (broken/dangling symlink raises
  PathTraversalError), TestSymlinkToDirectory (in-package symlink-to-dir
  materializes as real directory tree), TestCircularSymlink (circular dir symlinks
  detected and aborted). Brings test file to 9 tests across 6 classes.

- Fix docs/enterprise/security.md: soften 'Symlinks are never followed' intro to
  scope it accurately, update 'resolved atomically' to 'resolved per-file' to
  match the TOCTOU comment in the code, remove duplicate closing sentence, add
  visited-set item and cross-link to path-traversal-prevention section.

- Add CHANGELOG [Unreleased] Fixed entry for #1668.

Mutation-break gate: confirmed that removing the ensure_path_within guard
causes TestEscapingSymlinkHardFails tests to fail.

Addresses panel follow-ups: cycle guard (supply-chain-security-expert +
python-architect, converged), partial-copy cleanup (supply-chain-security-expert),
broken-symlink test (test-coverage-expert), copystat fix (python-architect),
error message prefix (cli-logging-expert), doc accuracy (doc-writer),
CHANGELOG entry (doc-writer).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel
Copy link
Copy Markdown
Collaborator Author

danielmeppiel commented Jun 5, 2026
edited
Loading

APM Review Panel: ship_with_followups

Security guarantee holds: per-file resolve->guard->copy pattern is TOCTOU-safe, escaping symlinks hard-fail, regression tests trap removal. Ship with 4 high-signal followups.

cc @danielmeppiel @sergio-sisternes-epam -- a fresh advisory pass is ready for your review.

All six orchestrator reservations are satisfied. The per-file resolve(strict=True)->ensure_path_within->copy2 pattern is confirmed TOCTOU-safe by both python-architect and supply-chain-security-expert: the resolved absolute path is computed once and used directly by copy2, eliminating the rename-after-check window that plagues bulk copytree approaches. Escaping symlinks hard-fail with PathTraversalError -- never warn-and-skip -- matching the containment contract. Only in-package symlinks are dereferenced; external targets trigger the guard. The security tests are confirmed regression-trap: removing ensure_path_within would let escaping files through.

The two substantive gaps -- circular directory-symlink recursion and partial-copy cleanup -- were independently flagged by both python-architect and supply-chain-security-expert, and have been folded into commit f301b57. OS ELOOP catches simple cycles but the platform limit varies (40 on Linux, lower on macOS); the explicit visited-set guard is deterministic, testable, and cheap. Three additional test classes (TestBrokenSymlink, TestSymlinkToDirectory, TestCircularSymlink) bring the test file to 9 tests across 6 classes.

Aligned with: Secure by default -- hard-fail on escaping symlinks, containment per-file, no opt-in flag needed. Pragmatic as npm -- matches npm/pip precedent for local path-escape hard-fails; closes the footgun for monorepo package authors using in-package symlinks for shared config.

Growth signal. Story-shaped for enterprise trust signaling: 'Local installs now safely dereference in-package symlinks, closing a path-traversal vector and matching remote-install behavior.' Worth leading next release notes with this fix as evidence of supply-chain hygiene.

Reservations carried from strategic-alignment:

  • "security-surface (path traversal): confirm TOCTOU-safe atomic per-file resolve(strict=True)->ensure_path_within->copy2 (NOT a bulk copytree)" -- addressed: confirmed per-file pattern; all panelists converged.
  • "a symlink whose resolved target escapes the package root HARD-FAILS with PathTraversalError (never warn-and-skip)" -- confirmed: both code and tests enforce this; security test would fail without the guard.
  • "ONLY in-package symlinks are dereferenced (no following external/arbitrary symlinks)" -- confirmed: ensure_path_within check fires before any copy.
  • "the docs threat-model/containment note is present and accurate" -- addressed: doc accuracy fixes folded (intro contradiction fixed, 'atomically' softened to 'per-file', cross-link added).
  • "the regression+security tests actually fail without the guard" -- confirmed: mutation-break gate passed (removing ensure_path_within causes TestEscapingSymlinkHardFails to fail).

Panel summary

Persona B R N Takeaway
Python Architect 0 2 1 Architecturally sound private helper; per-file resolve->guard->copy is TOCTOU-safe.
CLI Logging Expert 0 1 1 [x] prefix in exception body causes double-prefix rendering; folded.
DevX UX Expert 0 0 2 Correct fix; local/remote install parity is right. No UX regressions.
Supply Chain Security Expert 0 4 0 Containment validated per-symlink; TOCTOU acceptable; cycle guard and cleanup recommended.
OSS Growth Hacker 0 0 0 Strong trust-building PR; enterprise-grade supply-chain hygiene signal.
Auth Expert -- -- -- Inactive: PR touches only local file copy logic; no auth surfaces changed.
Doc Writer 0 5 2 Accuracy fixes needed; majority folded.
Test Coverage Expert 0 1 1 Security regression trap confirmed; broken-symlink and dir-symlink tests added.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Top 5 follow-ups

  1. [Supply Chain Security Expert] Add visited-set cycle guard for recursive directory symlink traversal -- OS ELOOP is platform-dependent (40 hops Linux, fewer macOS). Explicit visited-set is O(1), deterministic, and testable. Both security and architecture panelists converged on this independently. FOLDED in f301b57.

  2. [Test Coverage Expert] Add broken/dangling symlink error path test (OSError -> PathTraversalError) -- outcome:missing on secure-by-default surface. The OSError catch-and-wrap branch is user-visible but untested. FOLDED in f301b57.

  3. [Supply Chain Security Expert] Wrap _copy_tree_dereferencing_validated in try/except PathTraversalError with safe_rmtree cleanup -- Partial-copy dangling content on malicious packages is a real attack surface. FOLDED in f301b57.

  4. [Doc Writer] Fix section intro contradiction and soften 'resolved atomically' overclaim in security.md -- Security docs that contradict implementation erode enterprise audit trust. FOLDED in f301b57.

  5. [CLI Logging Expert] Remove [x] prefix from PathTraversalError message body to avoid double-prefix rendering -- Double [x][x] in terminal output looks broken and undermines CLI polish. FOLDED in f301b57.

Folded in this run (commit f301b57)

  • Circular symlink visited-set guard (python-architect + supply-chain-security-expert)
  • Partial-copy cleanup on PathTraversalError (supply-chain-security-expert)
  • copystat(resolved, ...) instead of copystat(entry, ...) for symlink entries (python-architect)
  • prefix removed from PathTraversalError messages (cli-logging-expert)
  • Escaping-symlink error now includes fix suggestion (cli-logging-expert)
  • Broken symlink test: TestBrokenSymlink class (test-coverage-expert)
  • Symlink-to-directory test: TestSymlinkToDirectory class (test-coverage-expert)
  • Circular symlink test: TestCircularSymlink class (test-coverage-expert)
  • docs/enterprise/security.md: intro contradiction fixed, 'atomically' -> 'per-file', duplicate sentence removed, visited-set item added, cross-link to Path traversal prevention (doc-writer)
  • CHANGELOG [Unreleased] Fixed entry for [BUG] Local-path install drops symlinked skill references; remote install keeps them #1668 (doc-writer)

Copilot signals reviewed

No Copilot inline comments found on this PR (copilot_rounds: 1, copilot_drained: true).

Deferred

  • Integration test through real install pipeline (supply-chain-security-expert): scope-crossing -- would require tests/integration/ infrastructure not in this PR's scope.
  • Cross-link style/issue citation cleanup in security.md (doc-writer): style convention not caused by this change.
  • PermissionError handling in iterdir (python-architect): pre-existing pattern not introduced by this PR.

Lint evidence

$ uv run --extra dev ruff check src/ tests/ && uv run --extra dev ruff format --check src/ tests/
All checks passed!
1225 files already formatted

$ uv run --extra dev python -m pylint --disable=all --enable=R0801 --min-similarity-lines=10 --fail-on=R0801 src/apm_cli/
Your code has been rated at 10.00/10

$ bash scripts/lint-auth-signals.sh
[+] auth-signal lint clean

CI evidence (post-fold push)

CI GREEN on commit f301b57: all 15 checks passed.

Mergeability

#PR sha CEO stance iterations folds deferrals copilot rounds ci_status mergeable merge_state notes
#1676 f301b57 ship_with_followups 1 10 3 1 pending MERGEABLE BLOCKED awaiting CI + human review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sergio-sisternes-epam sergio-sisternes-epam Awaiting requested review from sergio-sisternes-epam sergio-sisternes-epam is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Local-path install drops symlinked skill references; remote install keeps them

2 participants

@danielmeppiel