| fix(permission): close plan-mode bypass via subagent and bash ask path
Four fixes to enforce plan mode's read-only contract through subagents:
1. PermissionRuntime: auto-deny tool.checkPermissions "ask" results for
non-read-only tools in plan mode, preventing users from approving
side-effecting commands (e.g. bash mkdir) via the permission prompt.
2. agent tool: downgrade general-purpose subagent to explore preset when
the parent is in plan mode, avoiding wasted turns on denied write tools.
3. SubAgentSession: strip always_on_* and ask_user_question from subagent
registries (they require RunContext/elicitation unavailable in forks),
and apply isDestructive filtering when parent is in plan mode.
4. createLocalGateway: only register always_on_* tools for Always-On
sessions, keeping them out of regular user session tool lists.
Co-authored-by: Cursor <cursoragent@cursor.com>
| 13 天前 |
| fix(permissions): unify skip prompt handling
Persist permission settings through the backend and apply per-turn bypass mode in the gateway so skip prompts consistently reaches tool execution while preserving hard safety denies.
Co-authored-by: Cursor <cursoragent@cursor.com>
| 20 天前 |
| fix(plan): let agents manage plan files
Allow plan mode agents to create and choose markdown plan files under .pilotdeck/plans, and require exit_plan_mode to submit an explicit plan_file_path.
Co-authored-by: Cursor <cursoragent@cursor.com>
| 14 天前 |
| fix(permissions): keep chat grants session-scoped
Chat-side grants for blocked tools should let the current session retry without rewriting global permission settings, so blocked rules still apply elsewhere.
Co-authored-by: Cursor <cursoragent@cursor.com>
| 20 天前 |
| feat(todo): add TodoWrite plan execution flow
Require plan-driven sessions to initialize and refresh TodoWrite checklists before side-effecting tools run, and render markdown todo updates in the web UI.
Co-authored-by: Cursor <cursoragent@cursor.com>
| 15 天前 |