fix: restrict write and apply_patch permissions for plan mode#8360
fix: restrict write and apply_patch permissions for plan mode#8360shssoichiro wants to merge 1 commit into
Conversation
![kilo-code-bot[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
| external_directory: { | ||
| [path.join(Global.Path.data, "plans", "*")]: "allow", | ||
| }, | ||
| apply_patch: { |
There was a problem hiding this comment.
WARNING: These new apply_patch/write rules do not enforce the plan-mode restriction.
WriteTool and ApplyPatchTool both call ctx.ask({ permission: "edit", ... }), so the path check still comes from the existing edit rules. PermissionNext.disabled() also maps write to edit, but not apply_patch, which means this block leaves apply_patch exposed to the model while not changing the runtime restriction. The fix likely needs to reuse the edit permission for apply_patch tool gating instead of adding separate apply_patch/write entries here.
There was a problem hiding this comment.
Oh. Well then this patch isn't needed.
Code Review SummaryStatus: 1 Issues Found | Recommendation: Address before merge Overview
Fix these issues in Kilo Cloud Issue Details (click to expand)WARNING
Other Observations (not in diff)Issues found in unchanged code that cannot receive inline comments: None. Files Reviewed (1 files)
Reviewed by gpt-5.4-20260305 · 453,687 tokens |
|
Closing this PR — its guidance and changes have been incorporated into PR #8417, which takes a more comprehensive approach to hardening plan mode permissions (including sub-agent restriction propagation, read-only bash enforcement, and MCP tool access). Thanks for identifying the |
1 participant
Context
This was discovered while debugging #8358. The permissions in
agent.tswere restricting the directories where the Plan agent can use the Edit tool, but not the ApplyPatch and Write tools. This change also applies the restrictions to ApplyPatch and Write to ensure that Plan mode cannot edit outside of the plans directory.Get in Touch
ExpedientFalcon on Discord.