fix(core): prevent subagent bypass in plan mode (#18484)

Jerop Kipruto
2026-02-06 17:55:00 -05:00
committed by GitHub
parent ee68a10e9c
commit e3796d137a
7 changed files with 120 additions and 45 deletions
@@ -13,6 +13,7 @@ import {
type SafetyCheckerRule,
InProcessCheckerType,
ApprovalMode,
PRIORITY_SUBAGENT_TOOL,
} from './types.js';
import type { FunctionCall } from '@google/genai';
import { SafetyCheckDecision } from '../safety/protocol.js';
@@ -1481,6 +1482,37 @@ describe('PolicyEngine', () => {
});
});
describe('Plan Mode vs Subagent Priority (Regression)', () => {
it('should DENY subagents in Plan Mode despite dynamic allow rules', async () => {
// Plan Mode Deny (1.06) > Subagent Allow (1.05)
const fixedRules: PolicyRule[] = [
{
decision: PolicyDecision.DENY,
priority: 1.06,
modes: [ApprovalMode.PLAN],
},
{
toolName: 'codebase_investigator',
decision: PolicyDecision.ALLOW,
priority: PRIORITY_SUBAGENT_TOOL,
},
];
const fixedEngine = new PolicyEngine({
rules: fixedRules,
approvalMode: ApprovalMode.PLAN,
});
const fixedResult = await fixedEngine.check(
{ name: 'codebase_investigator' },
undefined,
);
expect(fixedResult.decision).toBe(PolicyDecision.DENY);
});
});
describe('shell command parsing failure', () => {
it('should return ALLOW in YOLO mode even if shell command parsing fails', async () => {
const { splitCommands } = await import('../utils/shell-utils.js');
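Review bot: The plan-mode deny rule in the new `Plan Mode vs Subagent Priority (Regression)` test uses the literal `priority: 1.06`, while the allow rule uses `PRIORITY_SUBAGENT_TOOL`. The test therefore checks an ordering against a number typed into the test, not the priority the shipped plan-mode policy carries; that policy is not visible in this hunk, so a later change that drops it below the subagent priority would presumably still pass here. If the plan-mode priority is exported as a constant, use it in place of `1.06`; otherwise make the assumption explicit with `expect(1.06).toBeGreaterThan(PRIORITY_SUBAGENT_TOOL);`. The test also lacks a control case: a second engine built from the same `fixedRules` with a non-plan approval mode should return `PolicyDecision.ALLOW`, which shows that the DENY comes from the `modes: [ApprovalMode.PLAN]` rule and not from a default. The enclosing `describe('PolicyEngine', …)` block starts and ends outside the hunk.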