feat: Port upstream task permission fixes (PRs #12584 and #12136)

[randomm]

Summary

Granular task permissions (permission.task with per-agent allow/deny) are not enforced due to two bugs also present upstream. Upstream has open PRs fixing both issues. We should port them to unblock config-level agent access control.

Upstream PRs to Port

PR anomalyco#12584 — Propagate parent agent permissions to subagent child sessions

• Repo: anomalyco/opencode
• Link: fix: propagate parent agent permissions to subagent child sessions anomalyco/opencode#12584
• Fixes: Upstream issue Subagents don’t respect "*": "allow" agent permissions anomalyco/opencode#12566
• Scope: 2 files — task.ts (+6 lines), new test file (+178 lines)
• What it does: Resolves the calling agent and includes its permission rules in the child session's permission array, positioned BEFORE hard-coded denies so override order is correct
• Priority: HIGH — this directly fixes our bug where developer can spawn any agent

PR anomalyco#12136 — Handle permission requests from child sessions (ACP)

• Repo: anomalyco/opencode
• Link: fix(acp): handle permission requests from child sessions anomalyco/opencode#12136
• Fixes: Upstream issue Permission requests from child sessions do not get forwarded via ACP and hangs forever anomalyco/opencode#12133
• Scope: 2 files — acp/agent.ts (+18/-4 lines), new test (+61 lines)
• What it does: Falls back to SDK session lookup when child session isn't found in the ACP manager, allowing permission requests to forward properly
• Priority: MEDIUM — needed for ACP mode to avoid permission request freezes

Context

The Bug

When a subagent (e.g., developer) calls TaskTool:

1. TaskTool.init() at prompt.ts:329 is called without agent context
2. initCtx.agent is undefined in task.ts:113
3. Permission filtering is bypassed — ALL agents are accessible
4. Config like "task": {"*": "deny", "adversarial-developer": "allow"} has no effect

Related Issues

• Our issue bug: TaskTool.init() not passing agent info, bypassing granular task permissions #173 (closed but fix not implemented)
• Upstream Task tool ignores per-target deny and allows self-dispatch recursion anomalyco/opencode#11324 — Task tool ignores per-target deny rules
• Upstream Subagents don’t respect "*": "allow" agent permissions anomalyco/opencode#12566 — Subagents don't inherit parent permissions
• Upstream Permission requests from child sessions do not get forwarded via ACP and hangs forever anomalyco/opencode#12133 — Permission requests from child sessions hang

Also Required

Reopen and fix #173 — TaskTool.init() must receive Agent.Info:

// prompt.ts line 329 — current (broken):
const taskTool = await TaskTool.init()

// fixed:
const taskAgent = await Agent.get(task.agent)
const taskTool = await TaskTool.init({ agent: taskAgent })

Merge Order

1. Port PR fix: propagate parent agent permissions to subagent child sessions anomalyco/opencode#12584 (permission inheritance)
2. Port PR fix(acp): handle permission requests from child sessions anomalyco/opencode#12136 (ACP forwarding)
3. Fix prompt.ts line 329 (pass Agent.Info to TaskTool.init)
4. Rebuild binary and verify

Verification

After all three fixes, test with config:

{
  "developer": {
    "permission": {
      "task": {
        "*": "deny",
        "adversarial-developer": "allow"
      }
    }
  }
}

Expected: developer can spawn @adversarial-developer but NOT @git-agent or @explore.

Risk Assessment

Both upstream PRs are surgical (2 files each, <30 lines of changes). Low conflict risk with fork's custom code.