fix(security): restrict subagent toolsets to parent's enabled set (#3269)

The delegate_task tool accepts a toolsets parameter directly from the LLM's function call arguments. When provided, these toolsets are passed through _strip_blocked_tools but never intersected with the parent agent's enabled_toolsets. A model can request toolsets the parent does not have (e.g., web, browser, rl), granting the subagent tools that were explicitly disabled for the parent. Intersect LLM-requested toolsets with the parent's enabled set before applying the blocked-tool filter, so subagents can only receive a subset of the parent's tools. Co-authored-by: dieutx <dangtc94@gmail.com>
2026-04-25 00:51:20 +00:00 · 2026-03-26 14:50:26 -07:00 · 2026-03-26 14:50:26 -07:00 · e5d14445ef
commit e5d14445ef
parent 72250b5f62
2 changed files with 69 additions and 1 deletions
--- a/tools/delegate_tool.py
+++ b/tools/delegate_tool.py
@ -174,8 +174,10 @@ def _build_child_agent(

    # When no explicit toolsets given, inherit from parent's enabled toolsets
    # so disabled tools (e.g. web) don't leak to subagents.
+    parent_toolsets = set(getattr(parent_agent, "enabled_toolsets", None) or DEFAULT_TOOLSETS)
    if toolsets:
-        child_toolsets = _strip_blocked_tools(toolsets)
+        # Intersect with parent — subagent must not gain tools the parent lacks
+        child_toolsets = _strip_blocked_tools([t for t in toolsets if t in parent_toolsets])
    elif parent_agent and getattr(parent_agent, "enabled_toolsets", None):
        child_toolsets = _strip_blocked_tools(parent_agent.enabled_toolsets)
    else: