vominh1919 2026-04-24 19:24:26 -05:00 committed by GitHub
commit 0a959d1174
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -158,7 +158,12 @@ class SubdirectoryHintTracker:
self._add_path_candidate(token, candidates)
def _is_valid_subdir(self, path: Path) -> bool:
"""Check if path is a valid directory to scan for hints."""
"""Check if path is a valid directory to scan for hints.
Only allows directories inside the configured working_dir to prevent
unrelated instruction files from being injected into the agent context
(e.g., an AGENTS.md from a completely different project).
"""
try:
if not path.is_dir():
return False
@ -166,6 +171,15 @@ class SubdirectoryHintTracker:
return False
if path in self._loaded_dirs:
return False
# Scope to workspace — only scan directories inside working_dir
try:
path.relative_to(self.working_dir)
except ValueError:
logger.debug(
"Skipping subdirectory hint for %s: outside working_dir %s",
path, self.working_dir,
)
return False
return True
def _load_hints_for_directory(self, directory: Path) -> Optional[str]:
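Review bot: The new containment check `path.relative_to(self.working_dir)` in `_is_valid_subdir` is purely lexical, so a candidate that still contains `..` segments or passes through a symlink can satisfy it while the directory actually scanned lies outside the workspace. Whether `path` and `self.working_dir` are already resolved before they reach this method is not visible in these hunks; if they are not, compare the resolved forms instead: `path.resolve().relative_to(self.working_dir.resolve())`. Resolving both sides also avoids rejecting every candidate when one is absolute and the other relative. A short comment next to the check, such as `# both paths must be resolved; relative_to() does not collapse '..' or follow symlinks`, would record the assumption.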