manaflow-ai · lawrencecchen · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026 · greptile-apps
diff --git a/Sources/RestorableAgentSession.swift b/Sources/RestorableAgentSession.swift
@@ -694,7 +694,7 @@ struct SessionRestorableAgentSnapshot: Codable, Sendable {
         AgentResumeCommandBuilder.resumeShellCommand(
             kind: kind,
             sessionId: sessionId,
-            launchCommand: launchCommand,
+            launchCommand: trustedLaunchCommandForResume,
             workingDirectory: workingDirectory,
             registrationOverride: registration
         )
@@ -704,12 +704,21 @@ struct SessionRestorableAgentSnapshot: Codable, Sendable {
         AgentResumeCommandBuilder.forkShellCommand(
             kind: kind,
             sessionId: sessionId,
-            launchCommand: launchCommand,
+            launchCommand: trustedLaunchCommandForResume,
             workingDirectory: workingDirectory,
             registrationOverride: registration
         )
     }
 
+    private var trustedLaunchCommandForResume: AgentLaunchCommandSnapshot? {
+        guard let launchCommand else { return nil }
+        guard AgentLaunchCaptureTrust.launcherDescribesKind(launchCommand.launcher, kind: kind.rawValue),
+              !AgentLaunchCaptureTrust.argvLooksLikeShellWrapper(launchCommand.arguments) else {
+            return nil
+        }
+        return launchCommand
+    }
+
     func resumeStartupInput(
         fileManager: FileManager = .default,
         temporaryDirectory: URL = FileManager.default.temporaryDirectory,
@@ -741,7 +750,7 @@ struct SessionRestorableAgentSnapshot: Codable, Sendable {
                   // the current directory (no cd), so the post-exit shell must not force the launch dir.
                   workingDirectory: registration?.cwd == .ignore
                       ? nil
-                      : (workingDirectory ?? launchCommand?.workingDirectory)
+                      : (workingDirectory ?? trustedLaunchCommandForResume?.workingDirectory)
               ) else {
             return nil
         }

diff --git a/Sources/Workspace.swift b/Sources/Workspace.swift
@@ -1055,6 +1055,28 @@ extension Workspace {
         return effectiveBinding
     }
 
+    nonisolated private static func trustedSurfaceResumeBindingForRestore(
+        _ resumeBinding: SurfaceResumeBindingSnapshot?
+    ) -> SurfaceResumeBindingSnapshot? {
+        guard let resumeBinding else { return nil }
+        guard !agentHookBindingLooksLikeShellWrapperResume(resumeBinding) else { return nil }
+        return resumeBinding
+    }
+
+    nonisolated private static func agentHookBindingLooksLikeShellWrapperResume(
+        _ binding: SurfaceResumeBindingSnapshot
+    ) -> Bool {
+        guard binding.isAgentHookBinding else { return false }
+        let words = surfaceResumeShellWords(in: binding.command)
+        let commandStart = surfaceResumeCommandStartIndexAfterCwdGuard(words)
+        guard commandStart + 1 < words.endIndex else { return false }
+        let executable = (words[commandStart].value as NSString).lastPathComponent.lowercased()
+        let shells: Set<String> = ["sh", "bash", "zsh", "dash", "fish", "csh", "tcsh", "ksh"]
+        guard shells.contains(executable) else { return false }
+        let resumeWord = words[commandStart + 1].value
+        return resumeWord == "resume" || resumeWord == "--resume" || resumeWord.hasPrefix("--resume=")
+    }
+
     nonisolated private static func hermesAgentSubrouterBindingForStartup(
         _ binding: SurfaceResumeBindingSnapshot
     ) -> SurfaceResumeBindingSnapshot {
@@ -1101,7 +1123,7 @@ extension Workspace {
     ) -> String {
         let bootstrapCommand = bootstrap.joined(separator: " && ") + " && "
         let words = surfaceResumeShellWords(in: command)
-        let commandStart = hermesAgentCommandStartIndexAfterCwdGuard(words)
+        let commandStart = surfaceResumeCommandStartIndexAfterCwdGuard(words)
         guard commandStart < words.endIndex else {
             return bootstrapCommand + command
         }
@@ -1137,7 +1159,7 @@ extension Workspace {
 
     nonisolated private static func hermesAgentCommandByRemovingBootstrapPrefix(_ command: String) -> String {
         let words = surfaceResumeShellWords(in: command)
-        var scanIndex = hermesAgentCommandStartIndexAfterCwdGuard(words)
+        var scanIndex = surfaceResumeCommandStartIndexAfterCwdGuard(words)
         guard scanIndex < words.endIndex else { return command }
         let removeStartIndex = scanIndex
         var removedBootstrap = false
@@ -1235,12 +1257,12 @@ extension Workspace {
     nonisolated private static func hermesAgentWordsAfterCwdGuard(
         _ words: [SurfaceResumeShellWord]
     ) -> [SurfaceResumeShellWord] {
-        let commandStart = hermesAgentCommandStartIndexAfterCwdGuard(words)
+        let commandStart = surfaceResumeCommandStartIndexAfterCwdGuard(words)
         guard commandStart < words.endIndex else { return [] }
         return Array(words[commandStart...])
     }
 
-    nonisolated private static func hermesAgentCommandStartIndexAfterCwdGuard(
+    nonisolated private static func surfaceResumeCommandStartIndexAfterCwdGuard(
         _ words: [SurfaceResumeShellWord]
     ) -> Int {
         guard let first = words.first,
@@ -1637,7 +1659,7 @@ extension Workspace {
     ) -> UUID? {
         switch snapshot.type {
         case .terminal:
-            let resumeBinding = snapshot.terminal?.resumeBinding
+            let resumeBinding = Self.trustedSurfaceResumeBindingForRestore(snapshot.terminal?.resumeBinding)
             let restorableAgent = snapshot.terminal?.agent
             let restoredHibernation = snapshot.terminal?.hibernation
             let autoResumeAgentSessions = AgentSessionAutoResumeSettings.isEnabled()

diff --git a/cmuxTests/SessionPersistenceTests.swift b/cmuxTests/SessionPersistenceTests.swift
@@ -1889,6 +1889,32 @@ final class SessionPersistenceTests: XCTestCase {
 }
 
 final class SocketListenerAcceptPolicyTests: XCTestCase {
+    func testPersistedAgentSnapshotDropsShellWrapperLaunchCommandWhenRenderingResume() {
+        let snapshot = SessionRestorableAgentSnapshot(
+            kind: .codex,
+            sessionId: "codex-session-123",
+            workingDirectory: "/tmp/repo",
+            launchCommand: AgentLaunchCommandSnapshot(
+                launcher: "codex",
+                executablePath: "bash",
+                arguments: [
+                    "bash",
+                    "-c",
+                    "payload=\"$1\"; shift; \"$@\" <\"$payload\" &",
+                ],
+                workingDirectory: "/tmp/dispatch-shell",
+                environment: ["CODEX_HOME": "/tmp/codex"],
+                capturedAt: 123,
+                source: "process"
+            )
+        )
+
+        XCTAssertEqual(
+            snapshot.resumeCommand,
+            "{ cd -- '/tmp/repo' 2>/dev/null || [ ! -d '/tmp/repo' ]; } && 'codex' 'resume' 'codex-session-123'"
+        )
+    }
+
     func testClaudeResumeCommandRoutesThroughWrapperInsteadOfCapturedRealBinary() {
         // The captured launch executable is the real claude binary
         // (CMUX_AGENT_LAUNCH_EXECUTABLE). Resuming with it directly bypasses
@@ -5796,6 +5822,88 @@ extension SessionPersistenceTests {
         )
     }
 
+    @MainActor
+    func testRestoreDropsPoisonedAgentHookShellWrapperResumeBindingAndUsesAgentSnapshot() throws {
+        try withAutoResumeAgentSessionsEnabled {
+            let source = Workspace()
+            let sourcePanelId = try XCTUnwrap(source.focusedPanelId)
+            let sessionId = "019eba43-1e37-78d2-98df-d1983200273d"
+            let sourceIndex = try makeRestorableAgentIndex(
+                workspaceId: source.id,
+                panelId: sourcePanelId,
+                sessionId: sessionId,
+                arguments: [
+                    "/usr/local/bin/codex",
+                    "--yolo",
+                ]
+            )
+            let bindingIndex = SurfaceResumeBindingIndex(bindingsByPanel: [
+                SurfaceResumeBindingIndex.PanelKey(workspaceId: source.id, panelId: sourcePanelId): SurfaceResumeBindingSnapshot(
+                    name: "Codex",
+                    kind: "codex",
+                    command: "{ cd -- '/Users/lawrence/fun/cmuxterm-hq' 2>/dev/null || [ ! -d '/Users/lawrence/fun/cmuxterm-hq' ]; } && 'bash' 'resume' '\(sessionId)' '-c' 'payload=\"$1\"; shift; \"$@\" <\"$payload\" &'",
+                    cwd: "/Users/lawrence/fun/cmuxterm-hq",
+                    checkpointId: sessionId,
+                    source: "agent-hook",
+                    autoResume: true,
+                    updatedAt: 10
+                ),
+            ])
+            let snapshot = source.sessionSnapshot(
+                includeScrollback: false,
+                restorableAgentIndex: sourceIndex,
+                surfaceResumeBindingIndex: bindingIndex
+            )
+
+            let restored = Workspace()
+            restored.restoreSessionSnapshot(snapshot)
+            let restoredPanelId = try XCTUnwrap(restored.focusedPanelId)
+            let restoredPanel = try XCTUnwrap(restored.terminalPanel(for: restoredPanelId))
+            let payload = try restoredStartupPayload(for: restoredPanel)
+
+            XCTAssertTrue(payload.contains("/usr/local/bin/codex"), payload)
+            XCTAssertTrue(payload.contains("resume"), payload)
+            XCTAssertTrue(payload.contains(sessionId), payload)
+            XCTAssertTrue(payload.contains("--yolo"), payload)
+            XCTAssertFalse(payload.contains("'bash' 'resume'"), payload)
+            XCTAssertNil(restored.sessionSnapshot(includeScrollback: false).panels.first?.terminal?.resumeBinding)
+        }
+    }
+
+    @MainActor
+    func testRestoreDropsPoisonedAgentHookShellWrapperResumeBindingWithoutAgentSnapshot() throws {
+        try withAutoResumeAgentSessionsEnabled {
+            let source = Workspace()
+            let sourcePanelId = try XCTUnwrap(source.focusedPanelId)
+            let sessionId = "019eb982-d798-7123-aa2b-93326ff3bd08"
+            let bindingIndex = SurfaceResumeBindingIndex(bindingsByPanel: [
+                SurfaceResumeBindingIndex.PanelKey(workspaceId: source.id, panelId: sourcePanelId): SurfaceResumeBindingSnapshot(
+                    name: "Codex",
+                    kind: "codex",
+                    command: "{ cd -- '/Users/lawrence/fun/cmuxterm-hq' 2>/dev/null || [ ! -d '/Users/lawrence/fun/cmuxterm-hq' ]; } && 'sh' 'resume' '\(sessionId)' '-c' 'payload=\"$1\"; shift; \"$@\" <\"$payload\" &'",
+                    cwd: "/Users/lawrence/fun/cmuxterm-hq",
+                    checkpointId: sessionId,
+                    source: "agent-hook",
+                    autoResume: true,
+                    updatedAt: 10
+                ),
+            ])
+            let snapshot = source.sessionSnapshot(
+                includeScrollback: false,
+                surfaceResumeBindingIndex: bindingIndex
+            )
+
+            let restored = Workspace()
+            restored.restoreSessionSnapshot(snapshot)
+            let restoredPanelId = try XCTUnwrap(restored.focusedPanelId)
+            let restoredPanel = try XCTUnwrap(restored.terminalPanel(for: restoredPanelId))
+
+            XCTAssertNil(restoredPanel.surface.debugInitialCommand())
+            XCTAssertFalse(restoredPanel.surface.debugInitialInputMetadata().hasInitialInput)
+            XCTAssertNil(restored.sessionSnapshot(includeScrollback: false).panels.first?.terminal?.resumeBinding)
+        }
+    }
+
     @MainActor
     func testRestoreScopesSurfaceResumeBindingEnvironmentToInitialInput() throws {
         let source = Workspace()