
agents: disable Lead run/sub-agent permissions#10

Merged
justinchuby merged 1 commit into main from agents/disable-lead-subagent-permissions on Jun 14, 2026
Conversation

@justinchuby

Member

What

Enforce — at the runtime level, not just in the prompt — that the Lead agent has no permission to run programs and no sub-agents. The Lead may still read files for context.

Changes

  • CopilotSdkAdapter — New excludedNativeToolsForRole() helper. For the Lead, the session excludes:

    • write/edit tools (write_file, edit, create, apply_patch, …)
    • all shell/exec tools (bash, write_bash, shell, exec, run_in_terminal, …)
    • all sub-agent launchers (task, subagent, run_subagent, launch_agent, spawn_agent)

    Read tools (view/read_file/grep/glob) remain available. Applied to both spawn and resumeSession. Director/Scout keep their existing write-exclusion behavior and are not stripped of sub-agents.

  • AcpAdapter.createTerminal — Keeps the read-only command allowlist (cat, ls, find, grep, head, tail, wc, echo, flightdeck) for the lead role, blocks shell-metacharacter injection, and rejects any execution with a message to delegate to the Director.

Why

The Lead is the user-facing CEO — it coordinates and delegates, and must not execute work or spawn its own sub-agents. Enforcing this in the runtime guarantees the restriction even if the prompt is ignored. The Lead retains read-only file access so it can understand context. When blocked by a permission, it should hand the task to the Director; on errors, it reports to the user.

Tests

  • Restored/updated lead-command-allowlist.test.ts — read-only commands allowed, execution + injection rejected.
  • Added cases in copilot-sdk-adapter.test.ts — Lead excludes run + sub-agent tools, still excludes writes, keeps read tools; Director keeps sub-agents; non-management roles get no exclusions.

Full server suite: 826 passing, tsc clean. No new lint errors (one pre-existing prefer-const warning at AcpAdapter.ts:236 is unrelated).
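The two runtime checks the description above names, written out as an added illustration (this is not the project's own code): a role-to-excluded-tools helper and the lead-role read-only command allowlist with shell-metacharacter rejection. Role names, tool names and the allowlist entries come from the description; the function signatures, the metacharacter regex and the error texts are assumptions.

```typescript
// Added illustration of the PR's two runtime checks; not the project's code.
// Tool names and the allowlist are from the PR description; signatures are assumed.

const WRITE_TOOLS = ["write_file", "edit", "create", "apply_patch"];
const EXEC_TOOLS = ["bash", "write_bash", "shell", "exec", "run_in_terminal"];
const SUBAGENT_TOOLS = ["task", "subagent", "run_subagent", "launch_agent", "spawn_agent"];

// Native tools stripped from a session before spawn or resume.
// Lead: no writes, no execution, no sub-agents. Director/Scout: no writes only.
// Any non-management role: nothing excluded. Read tools are never listed here.
function excludedNativeToolsForRole(role: string): string[] {
  switch (role) {
    case "lead":
      return [...WRITE_TOOLS, ...EXEC_TOOLS, ...SUBAGENT_TOOLS];
    case "director":
    case "scout":
      return [...WRITE_TOOLS];
    default:
      return [];
  }
}

// Read-only programs the lead role may invoke through createTerminal.
const LEAD_ALLOWLIST = new Set(["cat", "ls", "find", "grep", "head", "tail", "wc", "echo", "flightdeck"]);
// Characters that could chain, redirect or substitute a second command (assumed set).
const SHELL_META = /[;&|`$<>(){}\n\\]/;

type TerminalDecision = { allowed: true } | { allowed: false; reason: string };

// Enforce the allowlist for the lead: the whole line must be free of shell
// metacharacters and the first token must be an allowed read-only program.
function checkLeadCommand(command: string): TerminalDecision {
  const trimmed = command.trim();
  if (trimmed === "") return { allowed: false, reason: "empty command" };
  if (SHELL_META.test(trimmed)) {
    return { allowed: false, reason: "shell metacharacters are not permitted for the lead role" };
  }
  const program = trimmed.split(/\s+/)[0];
  if (!LEAD_ALLOWLIST.has(program)) {
    return { allowed: false, reason: `'${program}' is not read-only; delegate execution to the Director` };
  }
  return { allowed: true };
}
```

A program allowlist is only as tight as the options of the programs it allows, so when reviewing such a list also consider flags that let an allowed program execute or write on its own.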

The Lead agent must not run programs or spawn sub-agents. Enforce this in
the runtime (not just the prompt):

- CopilotSdkAdapter: add excludedNativeToolsForRole(). The Lead session now
  excludes write/edit tools plus all shell/exec tools and all sub-agent
  (task) launchers. Read tools (view/read_file/grep/glob) remain available
  so the Lead can read files for context. Applied to spawn + resumeSession.
- AcpAdapter.createTerminal: keep the read-only command allowlist for the
  lead role and reject execution with a message to delegate to the Director.

Tests cover the new exclusion helper (Lead excludes run + sub-agent tools,
keeps read tools; Director keeps sub-agents; non-management roles get none).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@justinchuby justinchuby merged commit cd2214f into main Jun 14, 2026
1 of 3 checks passed
@justinchuby justinchuby deleted the agents/disable-lead-subagent-permissions branch June 14, 2026 15:32