fix(plan-mode): deny bash and scope subagent permission inheritance #33967
kiltro-dev wants to merge 1 commit into
Plan mode currently relies solely on a system prompt to prevent write
operations via the bash tool. Since the permission system only denies
edit-class tools (edit, write, apply_patch), bash remains unrestricted
and the model can execute arbitrary shell commands including writes.
Changes:
1. agent/agent.ts — Add bash: { "*": "deny" } to the plan agent's
permission config. This blocks direct bash tool use in plan mode via
the permission evaluation layer and hides bash from the tool list
(disabled() correctly maps the 'bash' tool ID to the 'bash' permission
via its fallthrough case).
2. agent/subagent-permissions.ts — Restrict parent deny inheritance to
write-capable permissions (edit, write, apply_patch, bash) instead of
inheriting ALL parent denies. Prior behavior (anomalyco#26597) blindly inherited
every deny rule, which overrode subagents' explicit allows for unrelated
permissions (e.g., explore's bash: allow was silently neutralized).
Fixes anomalyco#22641
Addresses anomalyco#26700
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details.

The following comment was made by an LLM, it may be inaccurate:
Based on my search, I found several related PRs that address similar permission inheritance and subagent permission issues:
These PRs tackle related aspects of the permission inheritance problem that this PR addresses. While they're not exact duplicates of PR #33967, they share the same domain (subagent permission inheritance and scope management). You may want to review them to ensure consistency in approach and avoid redundant work.

Thanks for updating your PR! It now meets our contributing guidelines. 👍
Issue for this PR
Closes #22641
Addresses #26700
What does this PR do?
Plan mode blocks edit tools via the permission system, but bash is unrestricted because the plan agent config only denies the "edit" permission. The bash tool follows the default "*": "allow" rule, so the model can run arbitrary shell commands including writes.

Fix 1 — agent/agent.ts: Added bash: { "*": "deny" } to the plan agent permission config. Hides bash from the LLM tool list and throws DeniedError if called.

Fix 2 — agent/subagent-permissions.ts: The deriveSubagentSessionPermission function (from #26597) inherited ALL parent deny rules into subagent sessions, overriding subagents like explore that explicitly allow bash for read-only operations. Changed to only inherit denies for write-capable permissions (edit, write, apply_patch, bash) plus external_directory rules.

How did you verify your code works?
All 95 existing tests pass including the plan-mode-subagent-bypass test suite. The bash: deny from parent IS still inherited (bash is in WRITE_PERMISSIONS), while unrelated denies are not.
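An added illustration, not code from this PR or the project: a simplified TypeScript model of the inheritance change described in the PR description above, comparing inheriting every parent deny with inheritance scoped to write-capable permissions. The rule shape, last-match-wins evaluation, the append ordering, the helper names and the `example_perm` permission are assumptions made for the example.

```typescript
// Added illustration: a simplified model, not the project's implementation.
type Action = "allow" | "deny";
interface Rule { permission: string; pattern: string; action: Action }

// Permission names as listed in the PR description.
const WRITE_PERMISSIONS = ["edit", "write", "apply_patch", "bash"];

// Assumption: "*" is the only wildcard in a pattern.
function matches(pattern: string, input: string): boolean {
  const escaped = pattern.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$").test(input);
}

// Assumption: the last matching rule wins; with no match the default is allow.
function evaluate(rules: Rule[], permission: string, input: string): Action {
  let result: Action = "allow";
  for (const r of rules) {
    if (r.permission === permission && matches(r.pattern, input)) result = r.action;
  }
  return result;
}

// Prior behaviour described in the PR: every parent deny is inherited.
function inheritAllDenies(parent: Rule[]): Rule[] {
  return parent.filter((r) => r.action === "deny");
}

// Behaviour described in the PR: write-capable denies plus external_directory rules.
function inheritScopedDenies(parent: Rule[]): Rule[] {
  return parent.filter((r) =>
    r.permission === "external_directory" ||
    (r.action === "deny" && WRITE_PERMISSIONS.indexOf(r.permission) !== -1));
}

// Assumption: inherited rules are appended after the subagent's own, so they win.
function deriveSession(parent: Rule[], subagent: Rule[], inherit: (p: Rule[]) => Rule[]): Rule[] {
  return subagent.concat(inherit(parent));
}

// Constructed sample data; "example_perm" is a made-up unrelated permission.
const planParent: Rule[] = [
  { permission: "edit", pattern: "*", action: "deny" },
  { permission: "bash", pattern: "*", action: "deny" },
  { permission: "example_perm", pattern: "*", action: "deny" },
];
const exploreSubagent: Rule[] = [
  { permission: "bash", pattern: "*", action: "allow" },
  { permission: "example_perm", pattern: "*", action: "allow" },
];
```

In this model the parent's bash deny still overrides the subagent's bash allow under the scoped rule, matching the verification note in the description, while the subagent's allow for the unrelated permission survives.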