Problem
SubAgentToolPolicy defines a safe list of tools for user-facing subagents (attach_file, file_read, web_fetch, web_search), but IsAllowedForUserFacing() is never called in production code. SubAgentSpawner.ResolveTools() either inherits all tools or uses the profile's whitelist — neither path filters through the policy.
Additionally, SupportsInteractiveApproval is hardcoded to false in SubAgentActor, so any tool that requires approval is auto-denied with "channel_does_not_support_approval". This means even tools on the safe list may not work if they're in the Approval grant tier for the resolved audience.
User impact: subagents can end up with zero usable tools, even when spawned in a Personal audience context.
Immediate Fix (PR #830)
- Enforce
SubAgentToolPolicy at spawn time in SubAgentSpawner.ResolveTools() for user-facing subagents
- Auto-grant safe-list tools so they bypass the approval gate inside subagent context
Future Design Work
Shell access for subagents
The current safe list doesn't include shell_execute, which means subagents can't grep, find, or do basic code exploration. Options discussed:
- Shell command allowlist: A
SubAgentShellPolicy with an explicit allowlist of read-only commands (grep, find, ls, cat, head, tail, wc, diff, git log, git diff, git status, etc.). Checked before ShellCommandPolicy — if the command verb isn't on the allowlist, it's denied for subagents even if ShellCommandPolicy would allow it.
- Single-tier approach: Just add
shell_execute to the safe list and rely on ShellCommandPolicy for guardrails. Simpler but allows write operations via shell.
- Read/write tiers: Rejected — can't cleanly classify arbitrary shell commands as read vs write without a full shell parser.
Supervised subagents with approval relay
Currently subagents are fire-and-forget with no approval capability. A future "supervised" execution mode could relay approval prompts through the parent session, but this requires:
- Actor message routing for approval relay
- UX for nested approval prompts ("your subagent wants to use tool X")
- Timeout handling for blocked subagents
- Distinct from patching
SupportsInteractiveApproval on the current design
This is a separate feature, not a fix for the current enforcement gap.
Files
src/Netclaw.Configuration/SubAgentToolPolicy.cs — safe list definitionsrc/Netclaw.Actors/SubAgents/SubAgentSpawner.cs — tool resolution (no policy enforcement)src/Netclaw.Actors/SubAgents/SubAgentActor.cs:108 — SupportsInteractiveApproval = falsesrc/Netclaw.Actors/Tools/ToolAccessPolicy.cs:194-195 — auto-deny when approval not supported
Problem
SubAgentToolPolicydefines a safe list of tools for user-facing subagents (attach_file,file_read,web_fetch,web_search), butIsAllowedForUserFacing()is never called in production code.SubAgentSpawner.ResolveTools()either inherits all tools or uses the profile's whitelist — neither path filters through the policy.Additionally,
SupportsInteractiveApprovalis hardcoded tofalseinSubAgentActor, so any tool that requires approval is auto-denied with"channel_does_not_support_approval". This means even tools on the safe list may not work if they're in theApprovalgrant tier for the resolved audience.User impact: subagents can end up with zero usable tools, even when spawned in a Personal audience context.
Immediate Fix (PR #830)
SubAgentToolPolicyat spawn time inSubAgentSpawner.ResolveTools()for user-facing subagentsFuture Design Work
Shell access for subagents
The current safe list doesn't include
shell_execute, which means subagents can'tgrep,find, or do basic code exploration. Options discussed:SubAgentShellPolicywith an explicit allowlist of read-only commands (grep,find,ls,cat,head,tail,wc,diff,git log,git diff,git status, etc.). Checked beforeShellCommandPolicy— if the command verb isn't on the allowlist, it's denied for subagents even if ShellCommandPolicy would allow it.shell_executeto the safe list and rely onShellCommandPolicyfor guardrails. Simpler but allows write operations via shell.Supervised subagents with approval relay
Currently subagents are fire-and-forget with no approval capability. A future "supervised" execution mode could relay approval prompts through the parent session, but this requires:
SupportsInteractiveApprovalon the current designThis is a separate feature, not a fix for the current enforcement gap.
Files
src/Netclaw.Configuration/SubAgentToolPolicy.cs— safe list definitionsrc/Netclaw.Actors/SubAgents/SubAgentSpawner.cs— tool resolution (no policy enforcement)src/Netclaw.Actors/SubAgents/SubAgentActor.cs:108—SupportsInteractiveApproval = falsesrc/Netclaw.Actors/Tools/ToolAccessPolicy.cs:194-195— auto-deny when approval not supported