Skip to content

fix(agent): block task agents from spawning subagents#690

Open
gewenyu99 wants to merge 1 commit into
mainfrom
hotfix/no-subagent-dispatch
Open

fix(agent): block task agents from spawning subagents#690
gewenyu99 wants to merge 1 commit into
mainfrom
hotfix/no-subagent-dispatch

Conversation

@gewenyu99

@gewenyu99 gewenyu99 commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

Problem

Changes

Test plan

@gewenyu99 @claude
fix(agent): block task agents from spawning subagents
040d571 
A dispatched subagent runs as a nested query that bypasses wizardCanUseTool
(the Bash allowlist and .env block) and the read/sandbox limits, so a single
spawn escapes every restriction — it can run arbitrary shell and read outside
the project (~/.claude, other repos, transcripts). Task agents do not need
subagents for the integration flow.

Remove the general-purpose subagent definition so there is nothing to dispatch,
and hard-deny the Agent/Task tool in wizardCanUseTool as defense in depth.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown

🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci error-tracking-upload-source-maps
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
Show more apps
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci error-tracking-upload-source-maps/android
  • /wizard-ci error-tracking-upload-source-maps/cicd-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-nested-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-gitlab-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-ssh-vps-node-raw
  • /wizard-ci error-tracking-upload-source-maps/flutter
  • /wizard-ci error-tracking-upload-source-maps/ios
  • /wizard-ci error-tracking-upload-source-maps/next
  • /wizard-ci error-tracking-upload-source-maps/next-no-posthog
  • /wizard-ci error-tracking-upload-source-maps/node-raw
  • /wizard-ci error-tracking-upload-source-maps/node-rollup
  • /wizard-ci error-tracking-upload-source-maps/node-rollup-typescript-plugin
  • /wizard-ci error-tracking-upload-source-maps/node-webpack
  • /wizard-ci error-tracking-upload-source-maps/nuxt-3-6
  • /wizard-ci error-tracking-upload-source-maps/nuxt-4-3
  • /wizard-ci error-tracking-upload-source-maps/react-native
  • /wizard-ci error-tracking-upload-source-maps/react-vite
  • /wizard-ci error-tracking-upload-source-maps/rust
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

@gewenyu99 Graphite App

gewenyu99 commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@gewenyu99

gewenyu99 commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator Author

/wizard-ci basic-integration/next-js

@gewenyu99 gewenyu99 marked this pull request as ready for review June 18, 2026 23:30
@gewenyu99 gewenyu99 requested a review from sarahxsanders June 18, 2026 23:30
@wizard-ci-bot

wizard-ci-bot Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

🧙 Wizard CI Results

Trigger ID: 7f7712c
Workflow: View run

App Confidence PR YARA
basic-integration/next-js/15-app-router-saas 4/5 #1977 (logs)
basic-integration/next-js/15-app-router-todo 4/5 #1978 (logs)
basic-integration/next-js/15-pages-router-saas 4/5 #1980 (logs)
basic-integration/next-js/15-pages-router-todo 4/5 #1979 (logs)

Configuration

Setting Value
Wizard ref hotfix/no-subagent-dispatch
Context Mill ref main
PostHog ref master

Search for trigger ID 7f7712c in wizard-workbench PRs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sarahxsanders sarahxsanders sarahxsanders approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gewenyu99 @sarahxsanders