✨ feat(agent): block nested sub-agent calls #15575

Merged
arvinxx merged 3 commits into canary from feat/block-nested-sub-agent
Jun 9, 2026

arvinxx (Member) commented Jun 9, 2026

Summary

Sub-agents must not recursively spawn further sub-agents. This plumbs an isSubAgent flag from the spawning thread through the conversation / operation / tool-call metadata, and refuses nested dispatch at every layer so a sub-agent can neither call nor be configured with the sub-agent tool.

  • Spawn side — streamingExecutor marks the spawned sub-agent context with isSubAgent: true.
  • Config side — aiAgent strips the LobeAgent tool from a sub-agent's plugin config (isSubAgent → remove LobeAgentIdentifier).
  • Tool gate — the client builtin-tool executor (@lobechat/builtin-tool-lobe-agent) and the server tool runtime (lobeAgent.ts) both return a clear "Sub-agent calls cannot be triggered from within another sub-agent." error when ctx.isSubAgent.
  • Dispatch gate — RuntimeExecutors blocks both single and batch sub-agent dispatch when state.metadata.isSubAgent === true.
  • Flag carried through ConversationContext, AgentExecutionContext, builtin-tool ctx, agentRuntime + toolExecution types.

Change Type

  • ✨ New feature (guardrail)

How to Test

  • bunx vitest run on the four touched suites — 166 tests pass:
    • src/server/modules/AgentRuntime/__tests__/RuntimeExecutors.test.ts
    • src/server/services/toolExecution/serverRuntimes/__tests__/lobeAgent.test.ts
    • src/store/chat/slices/plugin/action.test.ts
    • src/store/tool/slices/builtin/executors/index.test.ts
  • Manual: from a sub-agent thread, attempt a sub-agent tool call → returns the nested-not-allowed error instead of spawning.

🤖 Generated with Claude Code

sourcery-ai Bot (Contributor) left a comment

Sorry @arvinxx, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

vercel Bot commented Jun 9, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| lobehub | Ready | Preview, Comment | Jun 9, 2026 6:48pm |

dosubot Bot added the size:L (This PR changes 100-499 lines, ignoring generated files.) and feature:agent (Assistant/Agent configuration and behavior) labels Jun 9, 2026

chatgpt-codex-connector Bot left a comment

💡 Codex Review

isSubAgent, // Pass isSubAgent to filter out lobe-agent tool in sub-agent context

P2: Keep visual fallback from re-enabling sub-agent tools

For client-side sub-agent runs, passing isSubAgent only filters the resolved plugin list before internal_createAgentState adds runtime plugins; if the sub-agent has visual media and uses a non-vision/non-video model, the later visual-understanding injection re-adds LobeAgentManifest.identifier, which exposes callSubAgent/callSubAgents in the sub-agent's tool schema. This violates the new config-side guard and can make the model attempt blocked nested dispatches instead of never seeing those tools.

Comment on lines +599 to +600
if (appContext?.isSubAgent) {
agentConfig.plugins = agentConfig.plugins?.filter((id) => id !== LobeAgentIdentifier);

P2: Filter lobe-agent after visual fallback injection

When a server-side sub-agent runs with image/video context on a model that lacks the corresponding capability and visual understanding is configured, this early filter is undone later by the turn-scoped tool injection that appends LobeAgentManifest.identifier for visual analysis. That exposes the whole lobe-agent manifest, including callSubAgent/callSubAgents, to the sub-agent even though the new guard is meant to prevent sub-agents from being configured with sub-agent tools; filter the sub-agent APIs after the visual fallback is added or split visual analysis from the sub-agent tool.

Useful? React with 👍 / 👎.
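
The ordering problem raised in the review above, next to the tool gate from the PR summary, as an added TypeScript example that is not LobeHub code. Only `isSubAgent`, `callSubAgent`, `callSubAgents` and the error text come from the page; the registry, the `analyzeVisualMedia` API name, the `'lobe-agent'` value and all function names are assumptions made for illustration.

```typescript
// Added example, not LobeHub code. Only isSubAgent, callSubAgent, callSubAgents and
// the error text come from the page; every other name and value is hypothetical.
const LOBE_AGENT = 'lobe-agent'; // constructed stand-in for LobeAgentIdentifier
const SPAWN_APIS = ['callSubAgent', 'callSubAgents'];
const NESTED_ERROR = 'Sub-agent calls cannot be triggered from within another sub-agent.';

interface Tool { apis: string[] }
interface RunContext { isSubAgent: boolean; needsVisualFallback: boolean }

const REGISTRY: Record<string, Tool> = {
  [LOBE_AGENT]: { apis: ['callSubAgent', 'callSubAgents', 'analyzeVisualMedia'] },
  'web-search': { apis: ['search'] },
};

// Flatten tool identifiers into the API names the model will see in its schema.
function apisOf(ids: string[]): string[] {
  return ids.reduce<string[]>((all, id) => all.concat(REGISTRY[id]?.apis ?? []), []);
}

// Late, turn-scoped step: adds the manifest when the model cannot read the media itself.
function injectVisualFallback(ids: string[], ctx: RunContext): string[] {
  return ctx.needsVisualFallback && ids.indexOf(LOBE_AGENT) === -1 ? [...ids, LOBE_AGENT] : ids;
}

// Ordering the review describes: identifier filtered first, injection runs afterwards.
function schemaFilterEarly(configured: string[], ctx: RunContext): string[] {
  const ids = ctx.isSubAgent ? configured.filter((id) => id !== LOBE_AGENT) : configured;
  return apisOf(injectVisualFallback(ids, ctx));
}

// Inject first, then drop only the spawn APIs as the final step before the schema is sent.
function schemaFilterLast(configured: string[], ctx: RunContext): string[] {
  const apis = apisOf(injectVisualFallback(configured, ctx));
  return ctx.isSubAgent ? apis.filter((api) => SPAWN_APIS.indexOf(api) === -1) : apis;
}

// Execution-time gate: refuses a spawn call even if the API reached the model's schema.
function executeTool(api: string, ctx: RunContext): { ok: boolean; error?: string } {
  if (ctx.isSubAgent && SPAWN_APIS.indexOf(api) !== -1) return { ok: false, error: NESTED_ERROR };
  return { ok: true };
}

// Constructed input: a sub-agent holding visual media on a model without vision support.
const subAgentCtx: RunContext = { isSubAgent: true, needsVisualFallback: true };
const configuredPlugins = [LOBE_AGENT, 'web-search'];
console.log(schemaFilterEarly(configuredPlugins, subAgentCtx)); // spawn APIs are back in the schema
console.log(schemaFilterLast(configuredPlugins, subAgentCtx)); // visual analysis kept, spawn APIs gone
console.log(executeTool('callSubAgent', subAgentCtx)); // refused by the gate
```

With the early filter the execution gate still refuses the call, so the defect is one of schema exposure rather than an actual nested spawn; filtering last keeps the blocked APIs out of the sub-agent's schema altogether.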

codecov Bot commented Jun 9, 2026
Codecov Report

❌ Patch coverage is 57.50000% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.62%. Comparing base (5b4b50e) to head (8db338b).
⚠️ Report is 2 commits behind head on canary.

Additional details and impacted files
@@            Coverage Diff             @@
##           canary   #15575      +/-   ##
==========================================
- Coverage   67.62%   67.62%   -0.01%     
==========================================
  Files        3354     3354              
  Lines      338663   338740      +77     
  Branches    36446    35266    -1180     
==========================================
+ Hits       229027   229078      +51     
- Misses     109445   109471      +26     
  Partials      191      191              
Flag Coverage Δ
app 60.16% <57.50%> (+<0.01%) ⬆️
database 97.64% <ø> (ø)
packages/agent-manager-runtime 49.69% <ø> (ø)
packages/agent-runtime 81.06% <ø> (ø)
packages/app-config 44.58% <ø> (ø)
packages/builtin-tool-lobe-agent 20.07% <ø> (ø)
packages/context-engine 84.12% <ø> (ø)
packages/conversation-flow 91.29% <ø> (ø)
packages/device-gateway-client 90.18% <ø> (ø)
packages/env 11.42% <ø> (ø)
packages/eval-dataset-parser 95.15% <ø> (ø)
packages/eval-rubric 76.11% <ø> (ø)
packages/fetch-sse 87.28% <ø> (ø)
packages/file-loaders 87.89% <ø> (ø)
packages/locales 0.87% <ø> (ø)
packages/memory-user-memory 74.99% <ø> (ø)
packages/model-bank 99.99% <ø> (ø)
packages/model-runtime 84.23% <ø> (ø)
packages/prompts 72.51% <ø> (ø)
packages/python-interpreter 92.90% <ø> (ø)
packages/ssrf-safe-fetch 0.00% <ø> (ø)
packages/trpc 40.43% <ø> (ø)
packages/types 35.15% <ø> (ø)
packages/utils 85.03% <ø> (ø)
packages/web-crawler 88.08% <ø> (ø)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
Store 68.40% <56.25%> (+0.02%) ⬆️
Services 54.25% <ø> (ø)
Server 97.03% <ø> (ø)
Libs 54.03% <ø> (-0.17%) ⬇️
Utils 82.08% <ø> (ø)

arvinxx and others added 3 commits June 10, 2026 02:37
Sub-agents must not recursively spawn further sub-agents. Plumb an
`isSubAgent` flag from the spawning thread through the conversation /
operation / tool-call metadata, and refuse nested dispatch at every layer:

- streamingExecutor marks the spawned sub-agent context with `isSubAgent`
- aiAgent strips the LobeAgent tool from a sub-agent's plugin config
- client builtin-tool executor + server tool runtime return a clear error
- RuntimeExecutors blocks both single and batch sub-agent dispatch

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ntext

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Group sub-agents are real agent dispatches and must keep the ability to
spawn their own sub-agents; only the LobeAgent-tool virtual sub-agent
path should carry isSubAgent. Drop the flag from execSubAgentTask.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
arvinxx force-pushed the feat/block-nested-sub-agent branch from 6fda353 to 8db338b, June 9, 2026 18:38
arvinxx merged commit 1260756 into canary, Jun 9, 2026
35 checks passed
arvinxx deleted the feat/block-nested-sub-agent branch, June 9, 2026 20:00
arvinxx added a commit that referenced this pull request Jun 10, 2026
# 🚀 LobeHub Release (20260610)

**Release Date:** June 10, 2026  
**Since v2.2.2:** 131 merged PRs · 13 contributors

> This weekly release strengthens agent collaboration across cloud,
desktop, CLI, and workspace flows, with steadier runtime behavior and a
broader foundation for workspace-scoped data.

---

## ✨ Highlights

- **Agent execution across devices** — Unifies per-device working
directories, project skill discovery, and sub-agent suspend/resume
behavior across server, QStash, and device RPC flows. (#15543, #15566,
#15481, #15620, #15591)
- **Connector and sandbox platform** — Expands connector permissions,
custom OAuth MCP connector onboarding, sandbox provider support, and
user-uploaded file sync into cloud sandbox runs. (#15463, #15546,
#15184, #15550)
- **Desktop and CLI reliability** — Fixes desktop cold-start,
auto-update, Windows build, CLI skill discovery, and `lh connect` agent
dispatch paths. (#15547, #15525, #15527, #15562, #15632, #15634)
- **Pages and sharing** — Refreshes topic sharing, improves Page Editor
layout behavior, and routes Page Agent tool execution through the
server-side editor path. (#15581, #15556, #15588, #15023, #15610)
- **Model availability and provider updates** — Adds user-scoped LobeHub
model availability, Claude Fable 5, Qwen thinking preservation, and
MiniMax M3 updates. (#15590, #15639, #13494, #15376)

---

## 🏗️ Core Product & Architecture

### Agent Runtime & Heterogeneous Agents

- Improves sub-agent lifecycle handling, including async suspend/resume,
queue-mode QStash resume delivery, and blocking nested sub-agent calls.
(#15481, #15620, #15575)
- Stabilizes heterogeneous agent ingestion and streaming with raw stream
dumps, per-turn usage, image forwarding on regenerate, and
duplicate-text fixes. (#15602, #15577, #15592, #15585)
- Adds execution-device and working-directory controls across device
RPC, legacy defaults, and remote-spawned Claude Code sessions. (#15543,
#15566, #15591, #15572)
- Improves runtime diagnostics and compatibility, including Gemini
multimodal output capture, abort stream semantics, and trace quality
analysis. (#15535, #13677, #15508)

---

## 📱 Platforms, Integrations & UX

### Connectors, Sandbox & Tools

- Ships API-level connector tool permissions, custom OAuth MCP connector
onboarding, and connector-first runtime execution. (#15463, #15546)
- Adds sandbox provider support, cloud sandbox file sync, and safer
external URL file input handling with SSRF validation. (#15184, #15550,
#12657)
- Improves tool visibility and execution with pinned app-fixed tools,
ANSI output rendering, gateway-tunneled MCP calls, and automatic
headless tool runs. (#15509, #15516, #15469, #15492)

### Desktop, CLI & Web UX

- Restores desktop startup and reload behavior, preserves IPC error
causes, and keeps the tab bar new-tab action visible across routes.
(#15547, #15597, #15638)
- Fixes desktop update and build stability for browser quit guards,
macOS update signing, and Windows Visual Studio detection. (#15525,
#15527, #15562)
- Shows the plan-limit upgrade UI on desktop builds. (#15628)
- Adds the Agent Run delivery checker and fixes CLI device dispatch plus
skill list/search output. (#15489, #15634, #15632)
- Refreshes onboarding, auth source preservation, topic UI states,
referral/Fable campaign copy, and chat-input control bar behavior.
(#15629, #15544, #15573, #15614, #15616, #15617, #15622, #15643)

---

## 🔒 Security, Reliability & Rollout Notes

- External URL file input now includes SSRF validation for safer Google
file handling. (#12657)
- Database workspace-scope migrations are part of this release;
self-hosted operators should run the normal migration path before
serving the updated app. (#15446, #15465, #15468, #15472)
- The release branch was re-cut from `canary` and includes the latest
`main` release-version commit so `v2.2.2` is the verified compare base.

---

## 👥 Contributors

@ONLY-yours, @sxjeru, @hardy-one, @xujingli, @hezhijie0327, @Coooolfan,
@arvinxx, @tjx666, @Innei, @rivertwilight, @rdmclin2, @cy948,
@AmAzing129

**Full Changelog**:
v2.2.2...release/weekly-20260610-recut-3