fix(task): respect agent permission config for todowrite tool #19125
rekram1-node merged 12 commits into anomalyco:dev from
The todowrite and todoread tools were hardcoded as denied for all subagents, preventing users from enabling them via agent permission configuration even when explicitly allowed.

This change follows the existing pattern used for the task permission by checking if the agent has explicit allow rules for todowrite/todoread before applying the default deny.

Changes:
- Add hasTodoWritePermission and hasTodoReadPermission checks
- Conditionally include deny rules in session creation
- Conditionally include false values in tools object

Fixes anomalyco#19101
The todowrite tool was hardcoded as denied for all subagents, preventing users from enabling it via agent permission configuration even when explicitly allowed.

This change follows the existing pattern used for the task permission by checking if the agent has explicit allow rules for todowrite before applying the default deny.

Note: todoread tool was removed from this fix as it does not exist - the todowrite tool returns the todo list in its output, serving as the read mechanism.

Fixes anomalyco#19101
…ge conflict) Remove todoread references - the tool doesn't exist.
The following comment was made by an LLM, it may be inaccurate:

Based on my search, I found a potentially related PR:

PR #18202: fix(task): preserve subagent todo permissions

This PR appears to be related as it also addresses subagent todo/todowrite permissions. The current PR (#19125) builds on similar logic by respecting agent permission configuration for the todowrite tool, while PR #18202 also dealt with preserving todo permissions for subagents. However, since these are addressing the same domain (subagent todo permissions), it would be worth checking if they conflict or if one supersedes the other.
packages/opencode/src/tool/task.ts
Outdated
| if (!agent) throw new Error(`Unknown agent type: ${params.subagent_type} is not a valid agent type`) | ||
|
|
||
| const hasTaskPermission = agent.permission.some((rule) => rule.permission === "task") | ||
| const hasTodoWritePermission = agent.permission.some((rule) => rule.permission === "todowrite" && rule.action === "allow") |
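Review bot: The added `hasTodoWritePermission` line uses a stricter predicate than the `hasTaskPermission` line directly above it: `task` counts any rule for the permission, while `todowrite` also requires `rule.action === "allow"`. If the asymmetry is intended, add a short comment saying why; otherwise use the same predicate for both. Also, `.some(...)` is true as soon as one allow rule exists, so a config that lists both an allow and a deny rule for `todowrite` counts as permitted here regardless of order; consider deciding from the rule that actually takes effect.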
do we really want to check allow here? because if the agent added ask, it should be respected, right? right now you will still deny it...
maybe keep consistent with the task check just checking if the agent is changing the permission
Adding "ask" in a (non-interactive) subagent session would likely have undesirable results if respected.
Changed as per your suggestion on Discord.
Issue for this PR
Closes #19101
Type of change
What does this PR do?
The todowrite tool was hardcoded as denied for all subagents, preventing users from enabling it via agent permission configuration even when explicitly allowed.
This change follows the existing pattern used for the task permission by checking if the agent has explicit allow rules for the todowrite tool before applying the default deny.
Changes:
How did you verify your code works?
Manual A/B testing, bun test, bun typecheck.
Screenshots / recordings
No UI changes.
Checklist
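
The default-deny decision discussed in this PR, as an added TypeScript example (not code from the PR or from opencode): it compares the two checks raised in review, "any rule for the tool" versus "explicit allow only". The `Rule` shape mirrors the fields visible in the hunk; `liftsDefaultDeny`, `effectiveAction`, the last-matching-rule-wins merge and the sample rule sets are assumptions made for illustration.

```typescript
// Hypothetical model of subagent tool permissions; not opencode's API.
type Action = "allow" | "deny" | "ask"
interface Rule { permission: string; action: Action }
type Check = "any-rule" | "allow-only"

// Does the agent's config lift the hardcoded subagent deny for this tool?
// "any-rule" mirrors the task check in the hunk, "allow-only" the todowrite check.
function liftsDefaultDeny(rules: Rule[], tool: string, check: Check): boolean {
  return rules.some(
    (r) => r.permission === tool && (check === "any-rule" || r.action === "allow"),
  )
}

// Action the subagent session ends up with for the tool.
// Assumption: when the default deny is lifted, the agent's last matching rule wins.
function effectiveAction(rules: Rule[], tool: string, check: Check): Action {
  if (!liftsDefaultDeny(rules, tool, check)) return "deny"
  let result: Action = "deny"
  for (const r of rules) if (r.permission === tool) result = r.action
  return result
}

// Constructed agent configs (not taken from the project).
const samples: Record<string, Rule[]> = {
  unconfigured: [],
  allow: [{ permission: "todowrite", action: "allow" }],
  ask: [{ permission: "todowrite", action: "ask" }],
  allowThenDeny: [
    { permission: "todowrite", action: "allow" },
    { permission: "todowrite", action: "deny" },
  ],
}

// Side-by-side result of both checks for every sample config.
function compare(): { name: string; anyRule: Action; allowOnly: Action }[] {
  return Object.entries(samples).map(([name, rules]) => ({
    name,
    anyRule: effectiveAction(rules, "todowrite", "any-rule"),
    allowOnly: effectiveAction(rules, "todowrite", "allow-only"),
  }))
}
```

The two checks differ only for the `ask` config: "any-rule" passes `ask` through to the subagent session, while "allow-only" keeps the default deny.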