Security & Permissions:
- All 30 agents: task[*]=deny, task[subagent]=deny (cascade prevention)
- orchestrator & release-manager: bash=ask (hardening)
- New .kilo/rules/subagent-security.md with audit rules
- Updated .kilo/rules/global.md with Security & Permissions section
- Updated .kilo/agents/orchestrator.md with Security Enforcement block

Session Management:
- New .kilo/rules/session-persistence.md (checkpoint format, worktree isolation)
- Updated .kilo/rules/branch-strategy.md (worktree per agent)
- pipeline-runner.ts: Checkpoint interface + save/load/resume methods

Plan Persistence:
- Updated .kilo/rules/lead-developer.md (plan handover section)

Per-Agent Reasoning:
- capability-index.yaml: reasoning_effort for all 30 agents (xhigh/high/medium/low)

MCP Cleanup:
- New .kilo/skills/docker-security/SKILL.md (--rm, orphaned process cleanup)

Config Validation:
- Updated .kilo/rules/docker.md (startup checks, commit scoping, location awareness)

Docs:
- README.md: v2026-05-07 evolution badges
- .kilo/EVOLUTION_LOG.md: Entry #6 with full metrics
- .gitignore: ignore dist/ + bun.lock

Gitea: Milestone #66, Issues #91-#98
Architect: 9/9 sections fresh (express project type)
Subagent Security Rules
Cascade Prevention
- Subagents (agents with mode: subagent) MUST NOT call the task tool.
- Orchestrator MUST enforce this by setting "subagent": "deny" in every subagent's permission.task block.
- If a subagent attempts to delegate via Task, the orchestrator MUST abort the pipeline and log a security violation.
Permission Inheritance
- When orchestrator spawns a subagent, the subagent's permissions are a SUBSET of the orchestrator's permissions.
- MCP restrictions and bash restrictions from the orchestrator propagate to subagents.
- Subagents cannot escalate permissions beyond what the orchestrator granted.
Audit
- Every task tool invocation is logged to .kilo/logs/agent-executions.jsonl.
- Security violations are posted as Gitea milestone comments.
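
One way to check the Cascade Prevention and Permission Inheritance rules against agent configs before a pipeline starts. This is an added example, not code from this repository: the AgentConfig shape, the "allow" level, the function names and the worker-* agents are assumptions made for illustration.

```typescript
// Added example. The config shape and the "allow" level are assumptions;
// "ask", "deny" and permission.task.subagent come from the rules above.
type Level = "allow" | "ask" | "deny";
interface AgentConfig {
  name: string;
  mode: "primary" | "subagent";
  permission: { task: Record<string, Level>; bash: Level };
}

// Higher rank means more restrictive.
const RANK: Record<Level, number> = { allow: 0, ask: 1, deny: 2 };

function auditAgents(orchestrator: AgentConfig, agents: AgentConfig[]): string[] {
  const violations: string[] = [];
  for (const agent of agents) {
    if (agent.mode !== "subagent") continue;
    // Cascade prevention: fail closed, so a missing key is a violation too.
    if (agent.permission.task["subagent"] !== "deny") {
      violations.push(`${agent.name}: permission.task.subagent is not "deny"`);
    }
    // Permission inheritance: bash may be equal or stricter, never looser.
    if (RANK[agent.permission.bash] < RANK[orchestrator.permission.bash]) {
      violations.push(`${agent.name}: bash=${agent.permission.bash} exceeds ` +
        `orchestrator bash=${orchestrator.permission.bash}`);
    }
  }
  return violations;
}

// Constructed sample configs (hypothetical agent names).
const ORCHESTRATOR: AgentConfig = {
  name: "orchestrator", mode: "primary",
  permission: { task: {}, bash: "ask" },
};
const SAMPLE_AGENTS: AgentConfig[] = [
  { name: "worker-a", mode: "subagent", permission: { task: { "*": "deny", subagent: "deny" }, bash: "deny" } },
  { name: "worker-b", mode: "subagent", permission: { task: { "*": "deny" }, bash: "ask" } },
  { name: "worker-c", mode: "subagent", permission: { task: { subagent: "deny" }, bash: "allow" } },
];

function runSampleAudit(): string[] {
  return auditAgents(ORCHESTRATOR, SAMPLE_AGENTS);
}
```

A non-empty result is the condition under which the rules above require the orchestrator to abort the pipeline and log a security violation.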