feat(subagent): enforce transitive constraint propagation across delegation chains#4681
Merged
Conversation
…gation chains
Addresses constraint drift (arXiv:2605.10481): safety constraints set at
orchestration time were silently dropped when a subagent spawned its own
subagents, allowing trust-level and tool-allowlist escalation deep in
delegation chains.
Changes:
- Add `max_trust_level: Option<SkillTrustLevel>` and
`inherited_tool_allowlist: Option<HashSet<String>>` to `SpawnContext`
- Add `apply_constraint_propagation(def, ctx)` in zeph-subagent that:
- Clamps executor trust via `min_trust` (narrows only, never raises)
- Intersects AllowList with parent set; replaces InheritAll with parent set
- Converts DenyList to AllowList(parent \ deny_entries) when parent
allowlist is present (fail-closed)
- Logs constraint narrowing at `info` level for auditability
- Add `set_effective_trust` delegation in `FilteredToolExecutor` so the
cap reaches `PolicyGateExecutor` (previously hit the trait default no-op)
- Fix `PolicyGateExecutor::set_effective_trust` to clamp via `min_trust`
instead of unconditional assignment
Known limitation: the `resume()` path does not apply constraint
propagation; documented in source.
Closes #3993
28afea4 to
06838c5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes constraint drift (arXiv:2605.10481): safety constraints (
trust_level,tool_allowlist) set at orchestration time were silently dropped when a sub-agent spawned its own sub-agents, allowing trust and tool escalation deep in delegation chains.max_trust_levelandinherited_tool_allowlisttoSpawnContextapply_constraint_propagationnarrows executor trust viamin_trust(never raises) and intersects tool allowlistsFilteredToolExecutor::set_effective_trustnow delegates to innerPolicyGateExecutor(previously hit the trait default no-op)PolicyGateExecutor::set_effective_trustclamps viamin_trustinstead of unconditional assignmentAllowListinfolevel for auditabilityKnown limitation: the
resume()path does not apply constraint propagation (documented in source).Test plan
cargo build --workspacepassescargo clippy --workspace --features "desktop,ide,server,chat,pdf,scheduler" -- -D warnings— 0 warningscargo nextest run --workspace --lib --bins— 10327/10327 passCloses #3993