Description
SubAgentManager::resume() does not accept a SpawnContext and therefore never calls apply_constraint_propagation. Resumed sessions inherit the agent definition's static policy only, ignoring any orchestration-layer constraints that were applied at original spawn time.
This is documented as a known limitation in the doc comment at crates/zeph-subagent/src/manager.rs:1613, but there is no tracking issue.
Reproduction Steps
- Spawn a sub-agent with SpawnContext { max_trust_level: Some(SkillTrustLevel::Quarantined), .. } — constraints are applied.
- Agent terminates (completes or errors).
- Call SubAgentManager::resume(task_id, ...) to restart it.
- Observe: the resumed session gets the definition's default trust level, not Quarantined.
Expected Behavior
resume() should enforce the same constraints as the original spawn() call, or refuse to resume if constraint context is unavailable.
Actual Behavior
Resumed sessions bypass max_trust_level and inherited_tool_allowlist caps entirely. An agent originally spawned as Quarantined can resume with full Trusted access.
Environment
- Version: v0.21.3 (HEAD 957211b)
- File: crates/zeph-subagent/src/manager.rs:1613
Proposed Fix
Either:
- Add an optional SpawnContext parameter to resume() and call apply_constraint_propagation when provided, or
- Persist the original SpawnContext constraint fields alongside the agent record and re-apply them on resume.
The doc comment already notes: "If constraint enforcement is required on a resumed session, cancel and re-spawn instead of resuming."
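An illustrative model of the second proposed fix (persist the spawn-time constraints on the agent record and re-apply them in resume()), added here as an example and not the zeph-subagent crate's own code. Policy, AgentRecord, the u64 task id and the tool names are simplified stand-ins; resume_unconstrained reproduces the reported behaviour for comparison.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum SkillTrustLevel { Quarantined, Trusted }

/// Orchestration-layer caps applied on top of the definition's static policy.
#[derive(Clone, Debug, Default, PartialEq)]
pub struct SpawnContext {
    pub max_trust_level: Option<SkillTrustLevel>,
    pub inherited_tool_allowlist: Option<Vec<&'static str>>,
}

/// The agent definition's static policy (stand-in for the real definition type).
#[derive(Clone, Debug, PartialEq)]
pub struct Policy { pub trust_level: SkillTrustLevel, pub tools: Vec<&'static str> }

/// Per-task record: effective policy plus the constraints captured at spawn time.
#[derive(Clone, Debug)]
pub struct AgentRecord { pub policy: Policy, pub constraints: Option<SpawnContext> }

/// Clamp the static policy to the caps: trust never rises above max_trust_level,
/// and the tool set is intersected with the inherited allowlist.
pub fn apply_constraint_propagation(policy: &mut Policy, ctx: &SpawnContext) {
    if let Some(cap) = ctx.max_trust_level { policy.trust_level = policy.trust_level.min(cap); }
    if let Some(allow) = &ctx.inherited_tool_allowlist { policy.tools.retain(|t| allow.contains(t)); }
}

#[derive(Default)]
pub struct SubAgentManager { records: HashMap<u64, AgentRecord> }

impl SubAgentManager {
    pub fn spawn(&mut self, task_id: u64, definition: &Policy, ctx: Option<SpawnContext>) -> Policy {
        let mut policy = definition.clone();
        if let Some(c) = &ctx { apply_constraint_propagation(&mut policy, c); }
        self.records.insert(task_id, AgentRecord { policy: policy.clone(), constraints: ctx });
        policy
    }

    /// Reported shape: rebuilds the session from the static definition only, dropping caps.
    pub fn resume_unconstrained(&self, task_id: u64, definition: &Policy) -> Result<Policy, String> {
        self.records.get(&task_id).map(|_| definition.clone()).ok_or_else(|| format!("unknown task {task_id}"))
    }

    /// Fixed shape: re-apply the persisted SpawnContext; refuse when no record
    /// (and therefore no constraint context) exists for the task.
    pub fn resume(&self, task_id: u64, definition: &Policy) -> Result<Policy, String> {
        let rec = self.records.get(&task_id)
            .ok_or_else(|| format!("refusing resume: no constraint context for task {task_id}"))?;
        let mut policy = definition.clone();
        if let Some(c) = &rec.constraints { apply_constraint_propagation(&mut policy, c); }
        Ok(policy)
    }
}
```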