# Subagent Security Rules

## Cascade Prevention

1. Subagents (agents with `mode: subagent`) MUST NOT call the `task` tool.
2. Orchestrator MUST enforce this by setting `"subagent": "deny"` in every subagent's `permission.task` block.
3. If a subagent attempts to delegate via `Task`, the orchestrator MUST abort the pipeline and log a security violation.

## Permission Inheritance

- When orchestrator spawns a subagent, the subagent's permissions are a SUBSET of the orchestrator's permissions.
- MCP restrictions and bash restrictions from the orchestrator propagate to subagents.
- Subagents cannot escalate permissions beyond what the orchestrator granted.

## Audit

- Every `task` tool invocation is logged to `.kilo/logs/agent-executions.jsonl`.
- Security violations are posted as Gitea milestone comments.