Skip to content

fix(guardrails): resolve team single-task deadlock and permission deny ordering #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
terisuke merged 4 commits into from
Apr 6, 2026
Merged

fix(guardrails): resolve team single-task deadlock and permission deny ordering #88

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9952a4e
fix(permission): reorder deny rules after wildcards for findLast comp…
terisuke Apr 5, 2026
680593e
fix(team): allow single-task delegation and reduce big() false positi…
terisuke Apr 5, 2026
eebe893
fix(permission): reorder deny rules after wildcards for findLast comp…
terisuke Apr 6, 2026
e055d63
fix(permission): correct .env.example allow position after deny rules…
terisuke Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions packages/guardrails/managed/opencode.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,25 @@
"external_directory": "ask",
"bash": {
"*": "ask",
"node *": "allow",
"npm *": "allow",
"npx *": "allow",
"bun *": "allow",
"git status*": "allow",
"git diff*": "allow",
"git log*": "allow",
"git show*": "allow",
"git branch*": "allow",
"git remote*": "allow",
"git stash*": "allow",
"gh *": "allow",
Copy link

Copilot AI Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bash allow patterns git branch*, git remote*, and git stash* also match mutating/destructive subcommands (e.g. git branch -D, git remote add/remove, git stash drop/pop) and will bypass permission prompting. Consider narrowing these patterns to read-only forms or changing them to ask to keep guardrails conservative.

Suggested change
"gh *": "allow",
"gh *": "ask",

Copilot uses AI. Check for mistakes.
"ls *": "allow",
"pwd": "allow",
"which *": "allow",
"echo *": "allow",
"cat *": "ask",
"rm -rf *": "deny",
"rm -r *": "deny",
"sudo *": "deny",
"curl * | sh*": "deny",
"wget * | sh*": "deny"
Expand Down
6 changes: 6 additions & 0 deletions packages/guardrails/profile/agents/implement.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,18 @@ permission:
question: allow
plan_enter: allow
bash:
"*": ask
"git checkout -- *": deny
"git merge *": deny
"git push --force*": deny
"git push * --force*": deny
"git reset --hard*": deny
"gh pr merge *": deny
"rm -rf *": deny
"rm -r *": deny
"sudo *": deny
"curl * | sh*": deny
"wget * | sh*": deny
---

Implement changes in bounded increments.
Expand Down
18 changes: 18 additions & 0 deletions packages/guardrails/profile/opencode.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,25 @@
"external_directory": "ask",
"bash": {
"*": "ask",
"node *": "allow",
"npm *": "allow",
"npx *": "allow",
"bun *": "allow",
"git status*": "allow",
"git diff*": "allow",
"git log*": "allow",
"git show*": "allow",
"git branch*": "allow",
"git remote*": "allow",
"git stash*": "allow",
"gh *": "allow",
Comment on lines +91 to +94
Copy link

Copilot AI Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bash allow patterns git branch*, git remote*, and git stash* also match mutating/destructive subcommands (e.g. git branch -D, git remote add/remove, git stash drop/pop) and will bypass permission prompting. Consider narrowing these patterns to read-only forms or changing them to ask to keep guardrails conservative.

Suggested change
"git branch*": "allow",
"git remote*": "allow",
"git stash*": "allow",
"gh *": "allow",
"git branch*": "ask",
"git remote*": "ask",
"git stash*": "ask",
"gh *": "ask",

Copilot uses AI. Check for mistakes.
"ls *": "allow",
"pwd": "allow",
"which *": "allow",
"echo *": "allow",
"cat *": "ask",
"rm -rf *": "deny",
"rm -r *": "deny",
"sudo *": "deny",
"git checkout -- *": "deny",
"git merge *": "deny",
Expand Down
2 changes: 1 addition & 1 deletion packages/guardrails/profile/plugins/guardrail.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -437,7 +437,7 @@ export default async function guardrail(input: {
if ((item.tool === "edit" || item.tool === "write") && file && code(file)) {
const count = await budget()
if (count >= 4) {
const err = `context budget exceeded after ${count} source reads; narrow scope or delegate before editing`
const err = `context budget exceeded after ${count} source reads; call the team tool to delegate this edit to an isolated worker, or narrow scope`
await mark({ last_block: item.tool, last_file: rel(input.worktree, file), last_reason: err })
throw new Error(text(err))
}
Expand Down
9 changes: 7 additions & 2 deletions packages/guardrails/profile/plugins/team.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,11 @@ function mut(cmd: string) {
function big(text: string) {
const data = text.trim()
if (!data) return false
// Exempt read-only investigation requests that start with investigation verbs
// and do NOT contain write-intent keywords
const readOnly = /^\s*(investigate|diagnose|explain|analyze|check|status|report|describe|show|list|review|audit|inspect|確認|調査|分析|説明|レビュー)/i.test(data)
&& !/(implement|create|rewrite|patch|refactor|fix|add|edit|write|modify|実装|改修|修正|追加)/i.test(data)
if (readOnly) return false
const plan = (data.match(/^\s*([-*]|\d+\.)\s+/gm) ?? []).length
const impl = /(implement|implementation|build|create|add|fix|refactor|rewrite|patch|parallel|subagent|team|background|worker|修正|実装|追加|改修|並列|サブエージェント|チーム)/i.test(
data,
Expand Down Expand Up @@ -475,7 +480,7 @@ export default async function team(input: {
},
async execute(args, ctx) {
defs(args.tasks)
if (args.tasks.length < 2) throw new Error("team requires at least two tasks")
if (args.tasks.length < 1) throw new Error("team requires at least one task")
ctx.metadata({
title: "team run",
metadata: {
Expand Down Expand Up @@ -738,7 +743,7 @@ export default async function team(input: {
messageID: out.message.id,
type: "text",
text:
"Parallel implementation policy is active for this request. Before any edit, write, apply_patch, or mutating bash call, you MUST call the `team` tool and fan out at least two worker tasks. Mark tasks that should edit code with `write: true`; those tasks will be isolated in git worktrees and merged back when possible. Use `background` only for side work that should keep running after this turn.",
"Parallel implementation policy is active for this request. Before any edit, write, apply_patch, or mutating bash call, you MUST call the `team` tool and fan out at least one worker task. Mark tasks that should edit code with `write: true`; those tasks will be isolated in git worktrees and merged back when possible. Use `background` only for side work that should keep running after this turn.",
})
},
"tool.execute.before": async (
Expand Down
Loading