fix(core): prevent subagent bypass in plan mode #18484

Merged: jerop merged 3 commits into main from fix/plan-mode-subagent-bypass-18482 on Feb 6, 2026

jerop commented Feb 6, 2026

Increase Plan Mode policy priorities to ensure they override dynamic subagent rules. Subagents are registered with priority 1.05 (PRIORITY_SUBAGENT_TOOL), so Plan Mode deny rules are updated to 60 (1.060) and explicit allows to 70 (1.070).

Closes #18482

jerop requested a review from a team as a code owner February 6, 2026 22:22

@gemini-code-assist

Summary of Changes

Hello @jerop, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where dynamic subagent rules could inadvertently bypass the policy restrictions enforced within Plan Mode. By elevating the priority of Plan Mode's deny and allow policies, the system now guarantees that Plan Mode's operational constraints are consistently applied, preventing unauthorized subagent actions and enhancing overall security and predictability.

Highlights

  • Policy Priority Adjustment: Increased the priority of Plan Mode policies to ensure they take precedence over dynamically registered subagent rules. The catch-all DENY rule for Plan Mode is now set to priority 60 (transformed to 1.060), and explicit ALLOW rules are set to priority 70 (transformed to 1.070).
  • Subagent Priority Constant: Introduced a new constant, PRIORITY_SUBAGENT_TOOL, with a value of 1.05, to explicitly define the priority for dynamically registered subagent tools. This constant is now used in the agent registry.
  • Policy Documentation Update: Updated internal comments in config.ts and plan.toml to reflect the new priority tiers for Plan Mode policies, improving clarity on policy evaluation order.
  • Enhanced Test Coverage: Added new regression and integration tests to policy-engine.test.ts and toml-loader.test.ts to explicitly verify that Plan Mode policies correctly override subagent rules, confirming the intended behavior of the priority changes.

Changelog

  • packages/core/src/agents/registry.ts
    • Refactored subagent rule priority assignment to use the new PRIORITY_SUBAGENT_TOOL constant.
  • packages/core/src/policy/config.ts
    • Updated comments to document the new priority levels for Plan Mode's catch-all DENY (60) and explicit ALLOW (70) policies.
  • packages/core/src/policy/policies/plan.toml
    • Increased the priority of the Plan Mode catch-all DENY rule from 20 to 60.
    • Increased the priority of various explicit ALLOW rules (e.g., glob, read_file) within Plan Mode from 50 to 70.
  • packages/core/src/policy/policy-engine.test.ts
    • Added a new regression test to confirm that Plan Mode DENY rules successfully override subagent ALLOW rules.
  • packages/core/src/policy/toml-loader.test.ts
    • Added a new integration test to verify that built-in Plan Mode policies correctly override dynamic subagent rules, while still permitting explicitly allowed tools.
  • packages/core/src/policy/types.ts
    • Introduced the PRIORITY_SUBAGENT_TOOL constant (1.05) to standardize the priority for dynamically registered subagent tools.

Activity

  • The pull request was created by jerop.

gemini-code-assist bot left a comment

Code Review

This pull request correctly addresses a potential security bypass in Plan Mode by increasing the priority of the corresponding policy rules. The changes are logical, and the inclusion of regression tests is excellent. The suggestions to the plan.toml file to improve maintainability by consolidating several repetitive rule definitions, in line with the repository's guidelines, have been retained.
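
The priority ordering described in the PR description, as an added example that is not code from this pull request or from gemini-cli. It assumes that the highest-priority matching rule decides and that built-in priorities map into tier 1 as 1 + p/1000 (inferred from the 60 → 1.060 and 70 → 1.070 figures above); `example_subagent` is a hypothetical tool name.

```typescript
// Added illustration only: a minimal priority-ordered policy check,
// not gemini-cli's policy engine.
type Decision = "allow" | "deny";

interface Rule {
  toolName: string; // "*" is a catch-all
  decision: Decision;
  priority: number; // effective priority after the tier transformation
}

// Value quoted in the PR for dynamically registered subagent tools.
const PRIORITY_SUBAGENT_TOOL = 1.05;

// Assumption inferred from the PR's numbers (60 -> 1.060, 70 -> 1.070).
function tierPriority(tomlPriority: number): number {
  return 1 + tomlPriority / 1000;
}

// Plan Mode: catch-all DENY plus explicit ALLOWs for read-only tools.
function planModeRules(deny: number, allow: number): Rule[] {
  return [
    { toolName: "*", decision: "deny", priority: tierPriority(deny) },
    { toolName: "glob", decision: "allow", priority: tierPriority(allow) },
    { toolName: "read_file", decision: "allow", priority: tierPriority(allow) },
  ];
}

// Hypothetical subagent, registered at runtime as an ALLOW rule.
const subagentRule: Rule = {
  toolName: "example_subagent",
  decision: "allow",
  priority: PRIORITY_SUBAGENT_TOOL,
};

// Assumed semantics: the highest-priority matching rule decides;
// no match means deny.
function evaluate(deny: number, allow: number, tool: string): Decision {
  const matching = planModeRules(deny, allow)
    .concat(subagentRule)
    .filter((r) => r.toolName === "*" || r.toolName === tool)
    .sort((a, b) => b.priority - a.priority);
  return matching[0]?.decision ?? "deny";
}

console.log("old 20/50:", evaluate(20, 50, "example_subagent")); // allow
console.log("new 60/70:", evaluate(60, 70, "example_subagent")); // deny
console.log("new 60/70:", evaluate(60, 70, "read_file")); // allow
```

With the old values the catch-all DENY sits at 1.020, below the subagent ALLOW at 1.05, so the subagent call is permitted in Plan Mode; at 60 the DENY outranks it while the explicit ALLOWs at 70 still pass.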

github-actions bot commented Feb 6, 2026

Size Change: +131 B (0%)

Total Size: 23.8 MB

ℹ️ View Unchanged

| Filename | Size | Change |
| --- | --- | --- |
| ./bundle/gemini.js | 23.8 MB | +131 B (0%) |
| ./bundle/sandbox-macos-permissive-closed.sb | 1.03 kB | 0 B |
| ./bundle/sandbox-macos-permissive-open.sb | 890 B | 0 B |
| ./bundle/sandbox-macos-permissive-proxied.sb | 1.31 kB | 0 B |
| ./bundle/sandbox-macos-restrictive-closed.sb | 3.29 kB | 0 B |
| ./bundle/sandbox-macos-restrictive-open.sb | 3.36 kB | 0 B |
| ./bundle/sandbox-macos-restrictive-proxied.sb | 3.56 kB | 0 B |

gemini-cli bot added the area/core, area/agent and 🔒 maintainer only labels Feb 6, 2026
jerop enabled auto-merge February 6, 2026 22:37
jerop added this pull request to the merge queue Feb 6, 2026
Merged via the queue into main with commit e3796d1 Feb 6, 2026
26 checks passed
jerop deleted the fix/plan-mode-subagent-bypass-18482 branch February 6, 2026 23:03
aswinashok44 pushed a commit to aswinashok44/gemini-cli that referenced this pull request Feb 9, 2026

Development

Successfully merging this pull request may close these issues.

Disable subagents in plan mode
