Compare commits

...

3 Commits

Author SHA1 Message Date
Kit Langton 9c616b3252 chore: drop accidentally committed test artifact 2026-05-09 20:15:17 -04:00
Kit Langton 8a5d19c376 feat(httpapi-exercise): add .viaSdk() to drive scenarios through real SDK
The exerciser harness builds requests directly as Request objects, which
means it never exercises the SDK client's auto-injection of
?directory= / ?workspace= on GETs. That's structurally how the entire
#26569 / #26581 family of regressions slipped through — the SDK was
sending requests the typed query schemas didn't accept, but the harness
was sending requests directly.

Add an opt-in `.viaSdk((sdk, ctx) => sdk.X.Y(...))` builder method that
runs the scenario through a real `createOpencodeClient` wired to the
in-process exerciser router. The SDK applies its real request transforms
so route tests catch the SDK-vs-server-shape drift class at write time.

The runner normalizes the SDK's `{data, error, response}` (or thrown
Error with `.cause = {body, status}`) back into the existing `CallResult`
shape so all the existing assertions (`.json()`, `.status()`, `.ok()`,
etc.) continue to work unchanged. Existing `.at(...)` scenarios are
not touched.

Convert two scenarios as proof: `app.agents.via_sdk` and
`command.list.via_sdk` both pass alongside the 139 existing scenarios
(141/141 PASS).

Subsequent PRs will migrate the standalone `httpapi-query-schema-drift`
scenarios into the exerciser using `.viaSdk(...)` and delete that file
as the bug class becomes a structural guarantee inside the harness.
2026-05-09 20:14:46 -04:00
Kit Langton b8ca71d309 fix(task): subagent inherits parent agent's deny rules (Plan Mode security bypass) (#26597)
Co-authored-by: Developer <temp@example.com>
2026-05-09 23:51:55 +00:00
7 changed files with 271 additions and 29 deletions
@@ -0,0 +1,33 @@
import type { Permission } from "../permission"
import type { Agent } from "./agent"
/**
* Build the `permission` ruleset for a subagent's session when it's spawned
* via the task tool. Combines:
*
* 1. The parent **agent's** deny rules — Plan Mode and other agent-level
* restrictions live on the agent ruleset, not on the session, so a
* subagent that only inherited the parent SESSION's permission would
* silently bypass them. (#26514)
* 2. The parent **session's** deny rules and external_directory rules —
* same forwarding the original code already did.
* 3. Default `todowrite` and `task` denies if the subagent's own ruleset
* doesn't already permit them.
*/
export function deriveSubagentSessionPermission(input: {
parentSessionPermission: Permission.Ruleset
parentAgent: Agent.Info | undefined
subagent: Agent.Info
}): Permission.Ruleset {
const canTask = input.subagent.permission.some((rule) => rule.permission === "task")
const canTodo = input.subagent.permission.some((rule) => rule.permission === "todowrite")
const parentAgentDenies = input.parentAgent?.permission.filter((rule) => rule.action === "deny") ?? []
return [
...parentAgentDenies,
...input.parentSessionPermission.filter(
(rule) => rule.permission === "external_directory" || rule.action === "deny",
),
...(canTodo ? [] : [{ permission: "todowrite" as const, pattern: "*" as const, action: "deny" as const }]),
...(canTask ? [] : [{ permission: "task" as const, pattern: "*" as const, action: "deny" as const }]),
]
}
+11 -26
View File
@@ -4,6 +4,7 @@ import { Session } from "@/session/session"
import { SessionID, MessageID } from "../session/schema"
import { MessageV2 } from "../session/message-v2"
import { Agent } from "../agent/agent"
import { deriveSubagentSessionPermission } from "../agent/subagent-permissions"
import type { SessionPrompt } from "../session/prompt"
import { Config } from "@/config/config"
import { Effect, Exit, Schema } from "effect"
@@ -58,41 +59,25 @@ export const TaskTool = Tool.define(
return yield* Effect.fail(new Error(`Unknown agent type: ${params.subagent_type} is not a valid agent type`))
}
const canTask = next.permission.some((rule) => rule.permission === id)
const canTodo = next.permission.some((rule) => rule.permission === "todowrite")
const taskID = params.task_id
const session = taskID
? yield* sessions.get(SessionID.make(taskID)).pipe(Effect.catchCause(() => Effect.succeed(undefined)))
: undefined
const parent = yield* sessions.get(ctx.sessionID)
const parentAgent = parent.agent
? yield* agent.get(parent.agent).pipe(Effect.catchCause(() => Effect.succeed(undefined)))
: undefined
const nextSession =
session ??
(yield* sessions.create({
parentID: ctx.sessionID,
title: params.description + ` (@${next.name} subagent)`,
permission: [
...(parent.permission ?? []).filter(
(rule) => rule.permission === "external_directory" || rule.action === "deny",
),
...(canTodo
? []
: [
{
permission: "todowrite" as const,
pattern: "*" as const,
action: "deny" as const,
},
]),
...(canTask
? []
: [
{
permission: id,
pattern: "*" as const,
action: "deny" as const,
},
]),
...deriveSubagentSessionPermission({
parentSessionPermission: parent.permission ?? [],
parentAgent,
subagent: next,
}),
...(cfg.experimental?.primary_tools?.map((item) => ({
pattern: "*",
action: "allow" as const,
@@ -144,8 +129,8 @@ export const TaskTool = Tool.define(
},
agent: next.name,
tools: {
...(canTodo ? {} : { todowrite: false }),
...(canTask ? {} : { task: false }),
...(next.permission.some((rule) => rule.permission === "todowrite") ? {} : { todowrite: false }),
...(next.permission.some((rule) => rule.permission === id) ? {} : { task: false }),
...Object.fromEntries((cfg.experimental?.primary_tools ?? []).map((item) => [item, false])),
},
parts,
@@ -0,0 +1,141 @@
/**
* Reproducer for opencode issue #26514:
*
* In Plan Mode (the `plan` agent), the main agent's edit/write tools are
* blocked by the plan agent's permission ruleset (`edit: { "*": "deny" }`).
* However, when the plan agent spawns a subagent via the `task` tool, the
* subagent retains full file modification capabilities — a security bypass.
*
* This test replicates the permission ruleset that would govern a
* `general` subagent when launched from a `plan` parent session, mirroring
* the logic in `src/tool/task.ts` (filtered parent permissions ++ runtime
* subagent agent permissions, evaluated as in `session/prompt.ts`).
*
* The expected (secure) behavior is that the subagent inherits the plan
* mode read-only restriction and `edit`/`write` resolve to `deny`. On
* origin/dev this assertion fails because the parent **agent** permissions
* are not propagated to the subagent — only the parent **session**
* permissions are passed through, and Plan Mode's restrictions live on the
* agent, not the session.
*/
import { test, expect, afterEach } from "bun:test"
import { Effect } from "effect"
import { disposeAllInstances, provideInstance, tmpdir } from "../fixture/fixture"
import { WithInstance } from "../../src/project/with-instance"
import { Agent } from "../../src/agent/agent"
import { deriveSubagentSessionPermission } from "../../src/agent/subagent-permissions"
import { Permission } from "../../src/permission"
afterEach(async () => {
await disposeAllInstances()
})
function load<A>(dir: string, fn: (svc: Agent.Interface) => Effect.Effect<A>) {
return Effect.runPromise(provideInstance(dir)(Agent.Service.use(fn)).pipe(Effect.provide(Agent.defaultLayer)))
}
// `deriveSubagentSessionPermission` is imported from production. The test
// exercises the actual helper that task.ts uses to build the subagent's
// session permission, so any regression in that helper trips this test.
test("[#26514] subagent spawned from plan mode inherits read-only restriction (edit denied)", async () => {
await using tmp = await tmpdir()
await WithInstance.provide({
directory: tmp.path,
fn: async () => {
const planAgent = await load(tmp.path, (svc) => svc.get("plan"))
const generalAgent = await load(tmp.path, (svc) => svc.get("general"))
expect(planAgent).toBeDefined()
expect(generalAgent).toBeDefined()
// Sanity: the plan agent itself blocks edit. (Note: `write` and
// `apply_patch` route through the `edit` permission at the runtime
// tool layer — see Permission.disabled / EDIT_TOOLS.)
expect(Permission.evaluate("edit", "/some/file.ts", planAgent!.permission).action).toBe("deny")
// Simulate the plan-mode parent session: in real flow the plan
// session's `permission` field is empty (Plan Mode lives on the agent
// ruleset, not the session). So we pass [] through as the parent
// session permission, exactly like the actual code path.
const parentSessionPermission: Permission.Ruleset = []
const subagentSessionPermission = deriveSubagentSessionPermission({
parentSessionPermission,
parentAgent: planAgent,
subagent: generalAgent!,
})
// Mirror the runtime evaluation in session/prompt.ts (~line 410, 639):
// ruleset: Permission.merge(agent.permission, session.permission ?? [])
const effective = Permission.merge(generalAgent!.permission, subagentSessionPermission)
expect(Permission.evaluate("edit", "/some/file.ts", effective).action).toBe("deny")
expect(Permission.evaluate("edit", "/another/path/index.tsx", effective).action).toBe("deny")
},
})
})
test("[#26514] explore subagent launched from plan mode also stays read-only", async () => {
// Sibling check: even though `explore` is intrinsically read-only, the
// bug surface is the same. Including this case to document that the fix
// should propagate the parent **agent** permissions, not just deny edit
// when the subagent happens to already deny it.
await using tmp = await tmpdir()
await WithInstance.provide({
directory: tmp.path,
fn: async () => {
const planAgent = await load(tmp.path, (svc) => svc.get("plan"))
const explore = await load(tmp.path, (svc) => svc.get("explore"))
expect(planAgent).toBeDefined()
expect(explore).toBeDefined()
const parentSessionPermission: Permission.Ruleset = []
const subagentSessionPermission = deriveSubagentSessionPermission({
parentSessionPermission,
parentAgent: planAgent,
subagent: explore!,
})
const effective = Permission.merge(explore!.permission, subagentSessionPermission)
// Already deny — sanity check.
expect(Permission.evaluate("edit", "/x.ts", effective).action).toBe("deny")
},
})
})
test("[#26514] custom user subagent launched from plan mode bypasses Plan Mode read-only", async () => {
// The most damaging case: a user-defined subagent with default
// permissions (allow-by-default, like `general`). The subagent must NOT
// be able to edit when the parent agent is `plan`.
await using tmp = await tmpdir({
config: {
agent: {
my_subagent: {
description: "A user-defined subagent",
mode: "subagent",
},
},
},
})
await WithInstance.provide({
directory: tmp.path,
fn: async () => {
const planAgent = await load(tmp.path, (svc) => svc.get("plan"))
const my = await load(tmp.path, (svc) => svc.get("my_subagent"))
expect(planAgent).toBeDefined()
expect(my).toBeDefined()
const parentSessionPermission: Permission.Ruleset = []
const subagentSessionPermission = deriveSubagentSessionPermission({
parentSessionPermission,
parentAgent: planAgent,
subagent: my!,
})
const effective = Permission.merge(my!.permission, subagentSessionPermission)
// BUG: on origin/dev edit resolves to "allow" because the plan
// agent's `edit: deny *` rule never reaches the subagent.
expect(Permission.evaluate("edit", "/some/file.ts", effective).action).toBe("deny")
},
})
})
@@ -1,5 +1,6 @@
import { ConfigProvider, Effect, Layer } from "effect"
import { HttpRouter } from "effect/unstable/http"
import { createOpencodeClient } from "@opencode-ai/sdk/v2"
import { parse } from "./assertions"
import { runtime, type Runtime } from "./runtime"
import type { ActiveScenario, Backend, BackendApp, CallResult, CaptureMode, SeededContext } from "./types"
@@ -17,9 +18,47 @@ export function call(
ctx: SeededContext<unknown>,
options: CallOptions = {},
) {
return Effect.promise(async () =>
capture(await app(await runtime(), backend, options).request(toRequest(scenario, ctx)), scenario.capture),
)
return Effect.promise(async () => {
const handler = app(await runtime(), backend, options)
if (scenario.sdkCall) return callViaSdk(handler, scenario, ctx)
return capture(await handler.request(toRequest(scenario, ctx)), scenario.capture)
})
}
/**
* Run the scenario through a real `createOpencodeClient` wired to the
* in-process exerciser router. The SDK applies its real request transforms
* (auto-injected `?directory=...` / `?workspace=...` on GETs, header
* rewrites, etc.), so any drift between what the SDK sends and what the
* server's typed query schemas accept fails the scenario at write time.
*/
async function callViaSdk(handler: BackendApp, scenario: ActiveScenario, ctx: SeededContext<unknown>) {
const sdk = createOpencodeClient({
baseUrl: "http://localhost",
directory: ctx.directory,
fetch: ((input: Request | URL | string, init?: RequestInit) => handler.request(input, init)) as unknown as typeof fetch,
})
let result: unknown
let thrown: unknown
try {
result = await scenario.sdkCall!(sdk, ctx)
} catch (err) {
thrown = err
}
return normalizeSdkResult(result, thrown)
}
function normalizeSdkResult(result: unknown, thrown: unknown): CallResult {
// SDK returns either { data, error, response } when not throwing, or
// throws an Error with `.cause = { body, status }` when throwOnError: true.
const tuple = result as { data?: unknown; error?: unknown; response?: Response } | undefined
const cause = (thrown as { cause?: { status?: number; body?: unknown } } | undefined)?.cause
const response = tuple?.response
const status = response?.status ?? cause?.status ?? (thrown ? 0 : 200)
const contentType = response?.headers.get("content-type") ?? "application/json"
const body = tuple?.data ?? tuple?.error ?? cause?.body ?? thrown
const text = typeof body === "string" ? body : JSON.stringify(body ?? null)
return { status, contentType, body, text, timedOut: false }
}
export function callAuthProbe(
@@ -10,6 +10,7 @@ import type {
ProjectOptions,
RequestSpec,
ScenarioContext,
Sdk,
SeededContext,
TodoScenario,
} from "./types"
@@ -50,6 +51,22 @@ class ScenarioBuilder<S = undefined> {
return this.clone({ request })
}
/**
* Run the scenario through the real SDK client wired to the in-process
* exerciser router. The SDK applies its real request transforms (for example,
* auto-injecting `?directory=...` on GETs when a directory is set) so route
* tests catch the SDK-vs-server-shape drift class at write time instead of
* regression time. Existing `.at(...)` scenarios are unchanged.
*
* The callback may return either an SDK result tuple (`{ data, error,
* response }`) or throw (use `{ throwOnError: true }`); the runner
* normalizes both into the same `CallResult` shape that `.json()` /
* `.status()` / `.ok()` already understand.
*/
viaSdk(sdkCall: (sdk: Sdk, ctx: SeededContext<S>) => Promise<unknown>) {
return this.clone({ sdkCall })
}
probe(authProbe: RequestSpec) {
return this.clone({ authProbe })
}
@@ -167,6 +184,8 @@ class ScenarioBuilder<S = undefined> {
mutates: state.mutates,
reset: state.reset,
auth: state.auth,
// oxlint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- `.seeded(...)` preserves the paired sdkCall/state type inside the builder.
sdkCall: state.sdkCall as ActiveScenario["sdkCall"],
}
}
}
@@ -123,6 +123,19 @@ const scenarios: Scenario[] = [
http.protected.get("/command", "command.list").json(200, array, "status"),
http.protected.get("/agent", "app.agents").json(200, array, "status"),
http.protected.get("/skill", "app.skills").json(200, array, "status"),
// Same /agent route exercised through the real SDK client. Catches the
// SDK-injection class of regressions (`?directory=...` auto-added on GETs)
// that the direct-Request path is structurally blind to. See #26569.
http.protected
.get("/agent", "app.agents.via_sdk")
.viaSdk((sdk) => sdk.app.agents({}, { throwOnError: true }))
.json(200, array, "status"),
// Same /command route via SDK — second proof that the directory injection
// works for any GET under workspace routing.
http.protected
.get("/command", "command.list.via_sdk")
.viaSdk((sdk) => sdk.command.list({}, { throwOnError: true }))
.json(200, array, "status"),
http.protected.get("/lsp", "lsp.status").json(200, array),
http.protected.get("/formatter", "formatter.status").json(200, array),
http.protected.get("/config", "config.get").json(200, undefined, "status"),
@@ -1,10 +1,20 @@
import type { Duration, Effect } from "effect"
import type { createOpencodeClient } from "@opencode-ai/sdk/v2"
import type { Config } from "../../../src/config/config"
import type { Project } from "../../../src/project/project"
import type { Worktree } from "../../../src/worktree"
import type { MessageV2 } from "../../../src/session/message-v2"
import type { SessionID } from "../../../src/session/schema"
/**
* The real generated SDK client used by every consumer (TUI, Desktop, plugins).
* Scenarios that opt into `.viaSdk(...)` get one of these wired to the in-process
* exerciser router so SDK request transforms (auto-injected `?directory=...`,
* header rewrites, etc.) are exercised against real handlers — that's what
* catches the #26569 family.
*/
export type Sdk = ReturnType<typeof createOpencodeClient>
export const OpenApiMethods = ["get", "post", "put", "delete", "patch"] as const
export const Methods = ["GET", "POST", "PUT", "DELETE", "PATCH"] as const
@@ -88,6 +98,7 @@ export type ActiveScenario = {
mutates: boolean
reset: boolean
auth: AuthPolicy
sdkCall?: (sdk: Sdk, ctx: SeededContext<unknown>) => Promise<unknown>
}
export type BuilderState<S> = {
@@ -102,6 +113,7 @@ export type BuilderState<S> = {
mutates: boolean
reset: boolean
auth: AuthPolicy
sdkCall?: (sdk: Sdk, ctx: SeededContext<S>) => Promise<unknown>
}
export type TodoScenario = {