Skip to content

fix(task): preserve subagent self permissions#27201

Merged
kitlangton merged 1 commit into
anomalyco:devfrom
kitlangton:opencode/subagent-permission-hotfix
May 13, 2026
Merged

fix(task): preserve subagent self permissions#27201
kitlangton merged 1 commit into
anomalyco:devfrom
kitlangton:opencode/subagent-permission-hotfix

Conversation

@kitlangton

@kitlangton kitlangton commented May 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Preserve Plan Mode's inherited edit restriction for subagents.
  • Stop inheriting unrelated parent-agent self-denies like read, bash, and task into delegated subagents.
  • Add regression coverage for controller/executor deny-by-default delegation and parent session deny ceilings.

Test

  • bun run test test/permission-task.test.ts test/agent/plan-mode-subagent-bypass.test.ts
  • bun typecheck
  • push hook: bun turbo typecheck

Fixes #26700
Fixes #26747
Fixes #26758
Fixes #27123

@kitlangton kitlangton enabled auto-merge (squash) May 13, 2026 01:29
@kitlangton kitlangton merged commit c4e676b into anomalyco:dev May 13, 2026
10 checks passed
@github-actions github-actions Bot mentioned this pull request May 13, 2026
Open
This was referenced May 13, 2026
Closed
Closed
Closed
Closed
@OrShmuel22 OrShmuel22 mentioned this pull request May 15, 2026
Open
3 tasks
@Sewer56

Sewer56 commented May 17, 2026

Copy link
Copy Markdown
Contributor

@kitlangton This PR introduces a regression.

Parent agents with scoped edit permissions like:

edit:
  "*": deny
  "specific-pattern": allow

now break subagents that have their own scoped edit allows:

edit:
  "other-pattern": allow

other-pattern can no longer be accessed.

Merging of permissions puts parent's "*": deny last, overwriting any allow rules by child.

@public-static-void public-static-void mentioned this pull request May 25, 2026
Open
3 tasks
@felixnorden felixnorden mentioned this pull request May 28, 2026
Open
6 tasks
mugnimaestra added a commit to mugnimaestra/opencode that referenced this pull request Jun 7, 2026
@mugnimaestra
fix(agent): preserve subagent self-declared tool allows over inherite…
8ad93be 
…d parent denies

deriveSubagentSessionPermission no longer forwards a parent agent's edit deny (or parent-session denies) for any permission the subagent explicitly allows, so custom subagents like general-opus-4.7 (edit: allow) spawned by edit-denying orchestrators keep edit/write access. Built-in explore/general still inherit the Plan Mode ceiling since they don't declare edit: allow. Adds regression tests and documents the recurring regression + invariant in AGENTS.md. Refs anomalyco#26514 anomalyco#27201 anomalyco#27654.
AIALRA-0 pushed a commit to AIALRA-0/opencode-turn-engine that referenced this pull request Jun 10, 2026
@kitlangton
fix(task): preserve subagent self permissions (anomalyco#27201)
21c277a
AIALRA-0 pushed a commit to AIALRA-0/opencode-turn-engine that referenced this pull request Jun 10, 2026
@kitlangton
fix(task): preserve subagent self permissions (anomalyco#27201)
bf37821
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment