[Bug]: Sub-agents bypass CLI permission enforcement (security gap) - v0.14.0 #74
Description
What happened?
First, thanks for a great tool. Using Auggie exclusively for all my development for several months now. Very solid tool together with the context-engine. It gets a lot of things right.
The problem I have found is the following.
CLI permission rules configured in settings.json work correctly for the main agent but are completely ignored by sub-agents. This means commands you've explicitly blocked can still be executed.
The Issue
I discovered that toolPermissions rules don't apply to sub-agents. A command that gets correctly denied for the main agent will execute successfully when a sub-agent runs it.
Why This Matters
If you're relying on toolPermissions to prevent destructive commands (like rm -rf, git push --force, database operations, etc.), sub-agents can bypass those restrictions entirely. This is a security gap.
What did you expect to happen?
Expected Behavior: Permission rules should apply consistently to all agents.
Steps to reproduce
Reproduction Test
I ran a simple test blocking the rm command:
- Created a test file:
touch augment-rm-test-file.txt - Main agent tried
rm augment-rm-test-file.txt→ ✅ BLOCKED ("Tool execution denied") - Verified file still exists → ✅ Still there
- Sub-agent tried the same
rmcommand →⚠️ ALLOWED (return code 0) - Verified file status → Deleted
Results Summary
| Agent | rm Command Result |
|---|---|
| Main agent | ✅ Blocked as expected |
| Sub-agent |
Auggie version
0.14.0 (commit 8aaa2dfb)
Request ID
NA
Environment details
Environment
- OS:
- Shell:
- Tool/CLI version:
Anything else we need to know?
No response