From 1776222b077df6ba36d0fb908035cef9b33c7b90 Mon Sep 17 00:00:00 2001
From: Kent Overstreet
Date: Wed, 8 Apr 2026 19:19:05 -0400
Subject: [PATCH] Fix tool permissions: remove global fallback in dispatch_with_agent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When an agent context is present, only dispatch tools in the agent's tool list. The global fallback was bypassing per-agent tool restrictions — a subconscious agent could call bash, edit, or any tool even if its .agent file only allowed memory tools.

Co-Authored-By: Proof of Concept
---
 src/agent/tools/mod.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/agent/tools/mod.rs b/src/agent/tools/mod.rs
index 1ced965..ee72975 100644
--- a/src/agent/tools/mod.rs
+++ b/src/agent/tools/mod.rs
@@ -144,12 +144,13 @@ pub async fn dispatch_with_agent(
 agent: Option>,
 ) -> String {
 let tool = if let Some(ref a) = agent {
+ // Only dispatch tools the agent is allowed to use
 let guard = a.state.lock().await;
 guard.tools.iter().find(|t| t.name == name).copied()
 } else {
- None
+ // No agent context — allow all tools (CLI/MCP path)
+ tools().into_iter().find(|t| t.name == name)
 };
- let tool = tool.or_else(|| tools().into_iter().find(|t| t.name == name));
 match tool {
 Some(t) => (t.handler)(agent, args.clone()).await
 .unwrap_or_else(|e| format!("Error: {}", e)),
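Review bot: The `else` branch still leaves the dispatcher fail-open — any caller that passes `None` for `agent` gets the full `tools()` set, so a code path that drops or never carried the agent context silently regains `bash`/`edit`; the comment names the CLI/MCP path, but nothing in the hunk restricts the unrestricted branch to those callers. Consider making unrestricted dispatch an explicit caller decision rather than the absence of a value (an explicit scope type in place of the `Option`, or a separately named unrestricted entry point), so a forgotten context fails closed, and add a regression test asserting that an agent whose `tools` holds only memory tools is denied when asked for `bash`. In the `None =>` arm, which lies outside this hunk, it would also help detection to distinguish "tool not permitted for this agent" from "unknown tool" and log the denial together with the agent identity, since an agent attempting a disallowed tool is exactly the event this fix exists to catch; the crate's existing logging facility, not visible here, would be the place for that. The body of `dispatch_with_agent` starts at the hunk header and continues past the last line shown.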