* feat(subagents): add disallowedTools field to agent definitions
Add a `disallowedTools` blocklist to agent frontmatter, letting agents
specify tools they should not have access to. Supports exact tool names,
MCP server-level patterns (e.g., `mcp__slack`), and display name aliases.
Applied as a post-filter in AgentCore.prepareTools() after the existing
`tools` allowlist. Persisted through serialize/parse roundtrips.
* docs: document disallowedTools and MCP tool behavior for subagents
Add Tool Configuration section to sub-agents docs explaining:
- tools allowlist and disallowedTools blocklist
- How MCP tools follow the same allowlist/blocklist rules
- MCP server-level patterns in disallowedTools
* fix(subagents): validate disallowedTools in SubagentValidator
Reuse the existing validateTools() method to validate disallowedTools
entries at config validation time, catching non-string and empty entries
before they reach runtime.
* test: remove flaky BaseSelectionList scroll test on Windows
* fix(permissions): match env-prefixed shell commands
Fixes #2846
* fix(core): improve shell command parsing for env vars and multiline commands
- Add dotAll flag to matchesCommandPattern for matching commands with embedded newlines
- Support newline operators in SHELL_OPERATORS for splitCompoundCommand
- Refactor getCommandRoot to skip leading VAR=value assignments
- Add test coverage for multiline commands and env var prefixed commands
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(permissions): tighten shell command parsing
Handle env-prefixed commands and quoted Windows paths consistently.
Keep newline splitting heredoc-aware and avoid false heredoc detection in comments or arithmetic expressions.
* refactor(permissions): simplify fix by reverting splitCompoundCommand rewrite
Remove ~350 lines of heredoc/comment/arithmetic parsing from
splitCompoundCommand that were not needed to fix #2846. Revert to
the original main version, keeping only the core env-var stripping
logic in matchesCommandPattern and getCommandRoot.
This addresses both reviewer concerns:
- heredoc breakage: no longer an issue since splitCompoundCommand is unchanged
- Windows quoted paths: handled correctly by shell-quote parse in getCommandRoot
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
The coreTools configuration was incorrectly restricting all tools including
MCP, Skill, Agent, and other dynamically discovered tools. These tools should
not be subject to the coreTools whitelist as they are either:
- Dynamically discovered from user configuration (MCP tools)
- Essential for system operation (skill, agent, exit_plan_mode, ask_user_question)
This fix introduces a CORE_TOOLS set that explicitly lists built-in tools
subject to coreTools allowlist. Tools not in this set bypass the check.
Fixes #2782
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
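One way to model the three tool gates the commits above describe (the `coreTools` allowlist that only governs built-in tools, an agent's `tools` allowlist, and the `disallowedTools` blocklist applied as a post-filter with exact names, `mcp__<server>` patterns and display-name aliases, plus the validation-time entry check). This is an added TypeScript example, not the project's `AgentCore.prepareTools()` or `SubagentValidator`; `CORE_TOOLS`, `TOOL_ALIASES`, `toolMatches`, `filterTools`, `validateToolList` and the sample tool names are assumptions made for the illustration:

```typescript
// Added example, not the project's AgentCore.prepareTools() or SubagentValidator. CORE_TOOLS,
// TOOL_ALIASES, toolMatches, filterTools, validateToolList and the sample tool names are assumptions.

export interface ToolDef { name: string }           // canonical name, e.g. "read_file" or "mcp__slack__post_message"
export interface AgentConfig { tools?: string[]; disallowedTools?: string[] }

// Built-in tools governed by the coreTools allowlist; MCP, skill, agent and other dynamically
// discovered tools are not in this set and therefore bypass that check.
export const CORE_TOOLS = new Set(["read_file", "write_file", "edit", "glob", "grep", "run_shell_command", "web_fetch"]);

// Display-name aliases accepted in tools/disallowedTools entries ("Task" kept as the legacy alias of agent).
export const TOOL_ALIASES: Record<string, string> = {
  Read: "read_file", Write: "write_file", Edit: "edit", Bash: "run_shell_command", Shell: "run_shell_command",
  WebFetch: "web_fetch", Agent: "agent", AgentTool: "agent", Task: "agent",
};
const canonical = (entry: string): string => TOOL_ALIASES[entry] ?? entry;

// An entry matches a tool by exact canonical name, by alias, or as an MCP server-level pattern:
// `mcp__slack` (a server name with no further `__` separator) covers every `mcp__slack__*` tool.
export function toolMatches(entry: string, toolName: string): boolean {
  const want = canonical(entry);
  if (want === toolName) return true;
  const serverLevel = want.startsWith("mcp__") && !want.slice("mcp__".length).includes("__");
  return serverLevel && toolName.startsWith(want + "__");
}

// Validation-time check in the spirit of validateTools(): entries must be non-empty strings,
// so a bad blocklist is rejected when the agent definition is parsed, not at runtime.
export function validateToolList(field: string, value: unknown): string[] {
  if (value === undefined) return [];
  if (!Array.isArray(value)) return [`${field} must be an array of tool names`];
  return value.flatMap((v, i) =>
    typeof v !== "string" || v.trim() === "" ? [`${field}[${i}] must be a non-empty string`] : []);
}

// Three gates, in order. The blocklist is a post-filter on the allowlist result, so a tool
// named in both `tools` and `disallowedTools` ends up removed.
export function filterTools(available: ToolDef[], coreTools: string[] | undefined, agent: AgentConfig): string[] {
  return available.map(t => t.name)
    .filter(n => !coreTools || !CORE_TOOLS.has(n) || coreTools.some(e => toolMatches(e, n)))
    .filter(n => !agent.tools || agent.tools.some(e => toolMatches(e, n)))
    .filter(n => !(agent.disallowedTools ?? []).some(e => toolMatches(e, n)));
}
```

The server-level test deliberately requires the remainder after `mcp__` to contain no further `__`, so a full tool name such as `mcp__slack__post_message` never widens into a pattern that blocks (or admits) its siblings; with `coreTools = ["read_file", "Bash"]` and `disallowedTools = ["mcp__slack", "Bash"]`, the example keeps `read_file`, the non-core `mcp__github__*`, `agent` and `skill` tools, and drops both Slack tools and the shell.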
- Add buildHumanReadableRuleLabel() to convert raw permission rules into
natural-language descriptions for the 'Always Allow' UI options
- Add PermissionManager.findMatchingDenyRule() to surface which deny rule
caused a tool to be blocked, improving error messages in coreToolScheduler
- Update ToolConfirmationMessage to use friendly labels with i18n support
- Add comprehensive tests for new permission features and multi-directory
search in glob, grep, and ripGrep tools
- Fix integration test for tool-control allowedTools configuration
- Update tool name aliases to map 'task' to 'agent' as legacy alias
- Add proper 'agent' tool name aliases (Agent, AgentTool)
- Update canonical-to-rule display mapping from 'task' to 'Agent'
- Update tests to expect 'agent' instead of 'task'
- Fix debug log message from [TaskTool] to [Agent]
This completes the tool renaming from "task" to "agent" for clarity,
as "agent" better describes the tool's purpose of delegating to
subagents.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Shell commands that are semantically equivalent to file/network tool
operations are now analyzed and matched against Read/Edit/Write/
WebFetch/ListFiles permission rules, preventing agents from bypassing
configured rules via the run_shell_command tool.
New file: packages/core/src/permissions/shell-semantics.ts
- extractShellOperations(cmd, cwd) => ShellOperation[]
- Covers 50+ commands: cat/head/tail/diff/grep/rg/ls/find/tree,
touch/mkdir/cp/mv/rm/chmod/chown/sed/awk/dd/curl/wget + redirects
- Handles transparent prefixes: sudo (-u/-g flag values), env, timeout
(skips DURATION), nohup, nice, time, etc.
- Tokenizer respects single/double quotes and backslash escapes
- Redirect extraction: >, >>, <, 2>, &>
Changes: packages/core/src/permissions/permission-manager.ts
- DECISION_PRIORITY constant for combining decisions
- evaluateSingle(): after base Bash-rule decision, evaluate virtual ops
from shell semantics and return the most restrictive result
- evaluateShellVirtualOps(): evaluate ShellOperation list via evaluateSingle
- hasRelevantRules(): also check virtual ops so confirmation dialog appears
when Read/Edit/etc. rules match equivalent shell commands
Changes: packages/core/src/permissions/index.ts
- Export extractShellOperations and ShellOperation
Tests: packages/core/src/permissions/shell-semantics.test.ts
- 52 unit tests: read/list/write/edit/web_fetch ops, redirections,
prefix commands (sudo -u, timeout DURATION), quotes, variable filtering
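A compact TypeScript model of the two mechanisms described in the commits above: the env-prefix stripping and newline-aware, dotAll rule matching from the #2846 fixes, and the shell-semantics pass that turns a command into virtual Read/ListFiles/Write/Edit/WebFetch operations whose decisions are combined with the Bash decision, most restrictive first. This is an added example, not the project's `shell-semantics.ts` or `permission-manager.ts`; every name in it (`tokenize`, `stripPrefixes`, `getCommandRoot`, `extractShellOperations`, `globMatch`, `evaluateCommand`, the `Rule` shape), the command-to-kind table and the "ask" default for unmatched commands are assumptions:

```typescript
// Added example, not the project's shell-semantics.ts or permission-manager.ts. All names below
// (tokenize, stripPrefixes, getCommandRoot, extractShellOperations, globMatch, evaluateCommand, Rule) are assumptions.
import * as path from "path";
export type OpKind = "read" | "list" | "write" | "edit" | "web_fetch";
export interface ShellOperation { kind: OpKind; target: string }
export type Decision = "deny" | "ask" | "allow";
export type RuleTool = "Bash" | "Read" | "ListFiles" | "Write" | "Edit" | "WebFetch";
export interface Rule { tool: RuleTool; pattern: string; decision: Decision }
export const DECISION_PRIORITY: Decision[] = ["deny", "ask", "allow"]; // lowest index wins when combining

// Split a command line into words, honouring '...', "..." and backslash escapes.
// Unquoted ; | || & && and newlines end a simple command and are emitted as "\0".
export function tokenize(cmd: string): string[] {
  const out: string[] = [];
  let cur = "", inTok = false, q: string | null = null;
  const flush = () => { if (inTok) out.push(cur); cur = ""; inTok = false; };
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (q) {
      if (c === q) q = null;
      else if (c === "\\" && q === '"' && i + 1 < cmd.length) cur += cmd[++i];
      else cur += c;
    } else if (c === "'" || c === '"') { q = c; inTok = true; }
    else if (c === "\\" && i + 1 < cmd.length) { cur += cmd[++i]; inTok = true; }
    else if (c === "\n" || c === ";" || c === "|" || (c === "&" && !cur.endsWith(">") && cmd[i + 1] !== ">")) {
      flush();
      if ((c === "|" || c === "&") && cmd[i + 1] === c) i++;
      out.push("\0");
    } else if (/\s/.test(c)) flush(); else { cur += c; inTok = true; }
  }
  flush(); return out;
}

// Drop leading VAR=value assignments (the #2846 bypass: `FOO=1 rm -rf x` is still rm) and wrappers
// that execute their argument: sudo -u/-g and nice -n take a value, timeout takes a DURATION.
const ASSIGN = /^[A-Za-z_][A-Za-z0-9_]*=/;
export function stripPrefixes(argv: string[]): string[] {
  for (let i = 0;;) {
    while (i < argv.length && ASSIGN.test(argv[i])) i++;
    const w: string | undefined = argv[i++]; if (w === undefined) return [];
    if (w === "sudo" || w === "nice") { while (argv[i]?.startsWith("-")) i += ["-u", "-g", "-n"].includes(argv[i]) ? 2 : 1; }
    else if (w === "timeout") { while (argv[i]?.startsWith("-")) i++; i++; }
    else if (w === "env" || w === "nohup" || w === "time") { while (argv[i]?.startsWith("-")) i++; }
    else return argv.slice(i - 1);
  }
}

// Root of the first simple command; basename so a quoted '/usr/bin/git' yields "git".
export function getCommandRoot(cmd: string): string | undefined {
  const first: string[] = [];
  for (const t of tokenize(cmd)) { if (t === "\0") break; first.push(t); }
  const s = stripPrefixes(first);
  return s.length ? path.basename(s[0]) : undefined;
}
const COMMAND_KINDS: Record<string, OpKind> = {   // kind assignments are this example's own
  cat: "read", head: "read", tail: "read", diff: "read", grep: "read", rg: "read",
  ls: "list", find: "list", tree: "list", sed: "edit", awk: "edit", curl: "web_fetch", wget: "web_fetch",
  touch: "write", mkdir: "write", cp: "write", mv: "write", rm: "write", chmod: "write", chown: "write", dd: "write",
};
const REDIRECT = /^(\d?>>?|<|&>)(.*)$/;

export function extractShellOperations(cmd: string, cwd: string): ShellOperation[] {
  const ops: ShellOperation[] = [];
  const segments: string[][] = [[]];
  for (const t of tokenize(cmd)) { if (t === "\0") segments.push([]); else segments[segments.length - 1].push(t); }
  for (const raw of segments) {
    const argv: string[] = [];
    for (let i = 0; i < raw.length; i++) {               // redirects first: `cat a > b` is read(a) + write(b)
      const m = REDIRECT.exec(raw[i]);
      if (!m) { argv.push(raw[i]); continue; }
      const target: string | undefined = m[2] || raw[++i];
      if (!target || target.startsWith("&")) continue;  // 2>&1 duplicates an fd and touches no file
      ops.push({ kind: m[1] === "<" ? "read" : "write", target: path.resolve(cwd, target) });
    }
    const s = stripPrefixes(argv);
    const kind = s.length ? COMMAND_KINDS[path.basename(s[0])] : undefined;
    if (!kind) continue;
    // Every non-flag operand is a target (over-approximates e.g. grep patterns, erring restrictive);
    // unexpanded $VARS are skipped because they cannot be resolved statically.
    for (const a of s.slice(1)) {
      if (a.startsWith("-") || a.startsWith("$")) continue;
      ops.push({ kind, target: kind === "web_fetch" ? a : path.resolve(cwd, a) });
    }
  }
  return ops;
}

// Glob-style rule matching with dotAll: `*` spans embedded newlines, so the rule sees the whole command.
export function globMatch(pattern: string, subject: string): boolean {
  const body = pattern.split("*").map(p => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp(`^${body}$`, "s").test(subject);
}
const TOOL_FOR: Record<OpKind, RuleTool> = { read: "Read", list: "ListFiles", write: "Write", edit: "Edit", web_fetch: "WebFetch" };

// Bash-rule decision combined with each virtual operation's decision; most restrictive wins.
// A command matching no rule falls through to "ask" (an assumption of this example).
export function evaluateCommand(cmd: string, cwd: string, rules: Rule[]): Decision {
  const matched = rules.filter(r => r.tool === "Bash" && globMatch(r.pattern, cmd)).map(r => r.decision);
  for (const op of extractShellOperations(cmd, cwd))
    for (const r of rules) if (r.tool === TOOL_FOR[op.kind] && globMatch(r.pattern, op.target)) matched.push(r.decision);
  if (matched.length === 0) return "ask";
  return matched.reduce((a, b) => (DECISION_PRIORITY.indexOf(b) < DECISION_PRIORITY.indexOf(a) ? b : a));
}
```

Two cases worth tracing: with `Bash(*)` allowed and `Read(/etc/*)` denied, `FOO=1 sudo -u root cat /etc/shadow` is denied because the prefix stripping still sees `cat` and the virtual read of `/etc/shadow` outranks the Bash allow; and `echo hi\nrm -rf /work/build` matches a `Bash(echo *)` allow rule only because `*` is dotAll, which is exactly why the second line's `rm` must be surfaced as a `Write` operation and, here, pulled down to `ask` by a `Write(/work/build*)` rule.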