agents: disable Lead run/sub-agent permissions #10
Merged
Conversation
The Lead agent must not run programs or spawn sub-agents. Enforce this in the runtime (not just the prompt):

- CopilotSdkAdapter: add excludedNativeToolsForRole(). The Lead session now excludes write/edit tools plus all shell/exec tools and all sub-agent (task) launchers. Read tools (view/read_file/grep/glob) remain available so the Lead can read files for context. Applied to spawn + resumeSession.
- AcpAdapter.createTerminal: keep the read-only command allowlist for the lead role and reject execution with a message to delegate to the Director.

Tests cover the new exclusion helper (Lead excludes run + sub-agent tools, keeps read tools; Director keeps sub-agents; non-management roles get none).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
What

Enforce — at the runtime level, not just in the prompt — that the Lead agent has no permission to run programs and no sub-agents. The Lead may still read files for context.

Changes

- CopilotSdkAdapter — New excludedNativeToolsForRole() helper. For the Lead, the session excludes:
  - write/edit tools (write_file, edit, create, apply_patch, …)
  - shell/exec tools (bash, write_bash, shell, exec, run_in_terminal, …)
  - sub-agent launchers (task, subagent, run_subagent, launch_agent, spawn_agent)
  Read tools (view/read_file/grep/glob) remain available. Applied to both spawn and resumeSession. Director/Scout keep their existing write-exclusion behavior and are not stripped of sub-agents.
- AcpAdapter.createTerminal — Keeps the read-only command allowlist (cat, ls, find, grep, head, tail, wc, echo, flightdeck) for the lead role, blocks shell-metacharacter injection, and rejects any execution with a message to delegate to the Director.

Why

The Lead is the user-facing CEO — it coordinates and delegates, and must not execute work or spawn its own sub-agents. Enforcing this in the runtime guarantees the restriction even if the prompt is ignored. The Lead retains read-only file access so it can understand context. When blocked by a permission, it should hand the task to the Director; on errors, it reports to the user.

Tests

- lead-command-allowlist.test.ts — read-only commands allowed, execution + injection rejected.
- copilot-sdk-adapter.test.ts — Lead excludes run + sub-agent tools, still excludes writes, keeps read tools; Director keeps sub-agents; non-management roles get no exclusions.

Full server suite: 826 passing, tsc clean. No new lint errors (one pre-existing prefer-const warning at AcpAdapter.ts:236 is unrelated).
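The two runtime checks this PR describes, the per-role native tool exclusion and the Lead's read-only command allowlist with metacharacter rejection, as an added example that is not the project's own code. The role names, tool names and allowlisted commands are the ones listed in the PR description; the function bodies, the `Role` type, the `filterTools` and `checkLeadCommand` helpers, the metacharacter set and the extra rejection of `find` actions that execute or delete (`-exec`, `-execdir`, `-ok`, `-okdir`, `-delete`) are assumptions made here for illustration.

```typescript
// Added example, not the project's code. Role and tool names follow the PR
// description; the logic below is an assumed illustration of the checks.

type Role = "lead" | "director" | "scout" | "worker";

// Native tool groups named in the PR description (constructed lists).
const WRITE_TOOLS = ["write_file", "edit", "create", "apply_patch"];
const EXEC_TOOLS = ["bash", "write_bash", "shell", "exec", "run_in_terminal"];
const SUBAGENT_TOOLS = ["task", "subagent", "run_subagent", "launch_agent", "spawn_agent"];

// Which native tools a session for the given role must NOT expose.
// Lead: writes + exec + sub-agent launchers. Director/Scout: writes only.
// Non-management roles: nothing excluded.
export function excludedNativeToolsForRole(role: Role): string[] {
  switch (role) {
    case "lead":
      return [...WRITE_TOOLS, ...EXEC_TOOLS, ...SUBAGENT_TOOLS];
    case "director":
    case "scout":
      return [...WRITE_TOOLS];
    default:
      return [];
  }
}

// Apply the exclusion to the tool list handed to the SDK session, so the
// restriction holds regardless of what the prompt says.
export function filterTools(role: Role, available: string[]): string[] {
  const excluded = new Set(excludedNativeToolsForRole(role));
  return available.filter((tool) => !excluded.has(tool));
}

// Read-only commands the Lead may issue through createTerminal (from the PR).
const LEAD_READONLY_COMMANDS = new Set([
  "cat", "ls", "find", "grep", "head", "tail", "wc", "echo", "flightdeck",
]);

// Assumed metacharacter set: anything that lets one allowlisted command chain,
// pipe, substitute or redirect into something that is not allowlisted.
const SHELL_METACHARS = /[;&|`$<>(){}\n\\]/;

// Assumed extra check: `find` actions that execute or delete are not read-only.
const FIND_MUTATING_ACTIONS = new Set(["-exec", "-execdir", "-ok", "-okdir", "-delete"]);

export interface TerminalDecision {
  allowed: boolean;
  reason?: string;
}

// Decide whether a terminal command is acceptable for the role.
// Only the lead role is restricted; other roles pass through unchanged.
export function checkLeadCommand(role: Role, command: string): TerminalDecision {
  if (role !== "lead") {
    return { allowed: true };
  }
  if (SHELL_METACHARS.test(command)) {
    return { allowed: false, reason: "shell metacharacters are not permitted for the lead role" };
  }
  const tokens = command.trim().split(/\s+/).filter((t) => t.length > 0);
  const [program = ""] = tokens;
  if (!LEAD_READONLY_COMMANDS.has(program)) {
    return {
      allowed: false,
      reason: `"${program}" is not a read-only command; delegate execution to the Director`,
    };
  }
  if (program === "find" && tokens.some((t) => FIND_MUTATING_ACTIONS.has(t))) {
    return { allowed: false, reason: "find actions that execute or delete are not read-only" };
  }
  return { allowed: true };
}

// Stand-alone demonstration.
const leadTools = filterTools("lead", ["view", "read_file", "grep", "glob", "bash", "task", "write_file"]);
console.log("lead tools:", leadTools);
console.log(checkLeadCommand("lead", "grep -rn TODO src"));
console.log(checkLeadCommand("lead", "cat notes.txt; touch marker"));
console.log(checkLeadCommand("lead", "npm test"));
```

The metacharacter check runs before the allowlist lookup on purpose: matching only the first token would let a chained or piped command ride in behind an allowlisted one. Checking the first token alone also means `find` needs its own action filter, since its read-only status depends on its arguments rather than its name.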