| fix(permission): close plan-mode bypass via subagent and bash ask path
Four fixes to enforce plan mode's read-only contract through subagents:
1. PermissionRuntime: auto-deny tool.checkPermissions "ask" results for
non-read-only tools in plan mode, preventing users from approving
side-effecting commands (e.g. bash mkdir) via the permission prompt.
2. agent tool: downgrade general-purpose subagent to explore preset when
the parent is in plan mode, avoiding wasted turns on denied write tools.
3. SubAgentSession: strip always_on_* and ask_user_question from subagent
registries (they require RunContext/elicitation unavailable in forks),
and apply isDestructive filtering when parent is in plan mode.
4. createLocalGateway: only register always_on_* tools for Always-On
sessions, keeping them out of regular user session tool lists.
Co-authored-by: Cursor <cursoragent@cursor.com>
| 13 天前 |