APAW/.kilo/rules/subagent-security.md
NW f01e2064fb feat(evolution): Kilo Code release sync & APAW system hardening (v2026-05-07)
Security & Permissions:
- All 30 agents: task[*]=deny, task[subagent]=deny (cascade prevention)
- orchestrator & release-manager: bash=ask (hardening)
- New .kilo/rules/subagent-security.md with audit rules
- Updated .kilo/rules/global.md with Security & Permissions section
- Updated .kilo/agents/orchestrator.md with Security Enforcement block

Session Management:
- New .kilo/rules/session-persistence.md (checkpoint format, worktree isolation)
- Updated .kilo/rules/branch-strategy.md (worktree per agent)
- pipeline-runner.ts: Checkpoint interface + save/load/resume methods

Plan Persistence:
- Updated .kilo/rules/lead-developer.md (plan handover section)

Per-Agent Reasoning:
- capability-index.yaml: reasoning_effort for all 30 agents (xhigh/high/medium/low)

MCP Cleanup:
- New .kilo/skills/docker-security/SKILL.md (--rm, orphaned process cleanup)

Config Validation:
- Updated .kilo/rules/docker.md (startup checks, commit scoping, location awareness)

Docs:
- README.md: v2026-05-07 evolution badges
- .kilo/EVOLUTION_LOG.md: Entry #6 with full metrics
- .gitignore: ignore dist/ + bun.lock

Gitea: Milestone #66, Issues #91-#98
Architect: 9/9 sections fresh (express project type)
2026-05-08 18:54:08 +01:00


# Subagent Security Rules
## Cascade Prevention
1. Subagents (agents with `mode: subagent`) MUST NOT call the `task` tool.
2. Orchestrator MUST enforce this by setting `"subagent": "deny"` in every subagent's `permission.task` block.
3. If a subagent attempts to delegate via the `task` tool, the orchestrator MUST abort the pipeline and log a security violation.
## Permission Inheritance
- When orchestrator spawns a subagent, the subagent's permissions are a SUBSET of the orchestrator's permissions.
- MCP restrictions and bash restrictions from the orchestrator propagate to subagents.
- Subagents cannot escalate permissions beyond what the orchestrator granted.
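
A configuration check for the Cascade Prevention and Permission Inheritance rules above, as an added example that is not part of APAW or Kilo Code. The `AgentConfig` shape, the `allow` value and the strictness ordering, the agent names `reviewer` and `builder`, and treating an unset rule as `allow` are assumptions.

```typescript
// Added example: not APAW or Kilo Code source. The config shape is an
// assumption modelled on `mode: subagent` and the `permission.task` block.
type Decision = "allow" | "ask" | "deny";
type Rule = Decision | { [pattern: string]: Decision };
interface AgentConfig {
  name: string;
  mode: "primary" | "subagent";
  permission: { [tool: string]: Rule };
}

// Strictness order for the subset check: deny < ask < allow.
const RANK: Record<Decision, number> = { deny: 0, ask: 1, allow: 2 };

// Effective decision for a tool. Assumption: an unset rule counts as "allow",
// so a missing entry is reported instead of silently trusted.
function effective(rule: Rule | undefined): Decision {
  if (rule === undefined) return "allow";
  if (typeof rule === "string") return rule;
  const wildcard: Decision | undefined = rule["*"];
  return wildcard === undefined ? "allow" : wildcard;
}

function auditSubagent(orch: AgentConfig, sub: AgentConfig): string[] {
  const findings: string[] = [];
  if (sub.mode !== "subagent") return findings;

  // Cascade prevention: the task block must deny explicitly, key by key.
  const task: Rule | undefined = sub.permission["task"];
  for (const key of ["*", "subagent"]) {
    const value = typeof task === "object" ? task[key] : undefined;
    if (value !== "deny") findings.push(`${sub.name}: task[${key}] is not deny`);
  }

  // Permission inheritance: no tool may be more permissive than the orchestrator's.
  const tools = Object.keys(orch.permission)
    .concat(Object.keys(sub.permission))
    .filter((t, i, all) => t !== "task" && all.indexOf(t) === i);
  for (const tool of tools) {
    const o = effective(orch.permission[tool]);
    const s = effective(sub.permission[tool]);
    if (RANK[s] > RANK[o]) findings.push(`${sub.name}: ${tool}=${s} exceeds orchestrator ${tool}=${o}`);
  }
  return findings;
}

// Constructed sample configs (hypothetical agent names).
const orchestrator: AgentConfig = { name: "orchestrator", mode: "primary", permission: { bash: "ask" } };
const compliant: AgentConfig = { name: "reviewer", mode: "subagent", permission: { task: { "*": "deny", subagent: "deny" }, bash: "ask" } };
const drifted: AgentConfig = { name: "builder", mode: "subagent", permission: { task: { "*": "deny" }, bash: "allow" } };
console.log(auditSubagent(orchestrator, drifted));
```

A non-empty result means the subagent either lacks an explicit `task` deny or holds a tool permission looser than the orchestrator's, so the check suits a pre-spawn or CI gate.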
## Audit
- Every `task` tool invocation is logged to `.kilo/logs/agent-executions.jsonl`.
- Security violations are posted as Gitea milestone comments.