Skip to content

fix(plan): deny plan_exit tool in subagent sessions#27887

Open
BYK wants to merge 1 commit into
anomalyco:devfrom
BYK:fix/plan-mode-subagent-escape
Open

fix(plan): deny plan_exit tool in subagent sessions#27887
BYK wants to merge 1 commit into
anomalyco:devfrom
BYK:fix/plan-mode-subagent-escape

Conversation

@BYK
Copy link
Copy Markdown
Contributor

@BYK BYK commented May 16, 2026
edited
Loading

Issue for this PR

Closes #27886, partially addresses #18515

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Subagents spawned via the task tool could call plan_exit because the tools map passed to SessionPrompt.prompt() did not include plan_exit: false. Since SessionPrompt.prompt() overwrites session permissions with the tools map, the deny rules set via deriveSubagentSessionPermission() were silently overridden.

This adds plan_exit: false to the tools map in task.ts so the deny persists through the prompt permission rewrite.

This is a re-filing of #21866 which was auto-closed by the cleanup bot.

How did you verify your code works?

The fix is a one-line addition to the tools map. Verified by code inspection that the tools map now includes plan_exit: false, which prevents subagents from calling the plan_exit tool. The existing test in test/agent/plan-mode-subagent-bypass.test.ts covers the related deriveSubagentSessionPermission logic at the session permission level.

Screenshots / recordings

N/A — backend-only change.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

@BYK
fix(plan): deny plan_exit tool in subagent sessions
c12d3f0 
Subagents spawned via the task tool could call plan_exit because the
tools map passed to SessionPrompt.prompt() did not include plan_exit: false.
Since SessionPrompt.prompt() overwrites session permissions with the tools
map, the deny rules set via deriveSubagentSessionPermission were silently
overridden.

Add plan_exit: false to the tools map so the deny persists through the
prompt permission rewrite.
@github-actions github-actions Bot added needs:compliance This means the issue will auto-close after 2 hours. contributor and removed needs:compliance This means the issue will auto-close after 2 hours. labels May 16, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 16, 2026

Thanks for updating your PR! It now meets our contributing guidelines. 👍

@BYK BYK mentioned this pull request May 16, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

contributor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Subagent can call plan_exit to escape plan mode

1 participant

@BYK