fix: disallow runaway subagent chains#5659
Pull Request Overview
This PR adds runtime protection to prevent subagents from creating nested subagent chains. When a subagent (identified by SessionType::SubAgent) attempts to call tools that would create other subagents, an INVALID_REQUEST error is returned instead.
- Adds validation in `dispatch_tool_call` to block subagent creation tools when invoked from a subagent context
- Blocks `DYNAMIC_TASK_TOOL_NAME_PREFIX` and `SUBAGENT_EXECUTE_TASK_TOOL_NAME` tools for subagents
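A stand-alone model of the dispatch-time guard described above, added here as an example and not code from the goose repository: it also covers the sub-recipe task tools raised in review and matches prefix constants with `starts_with`. The constant values, the `User` variant and the sub-recipe prefix are assumptions for illustration.

```rust
// Added example, not goose's own code. Constant values, the `User`
// variant and SUB_RECIPE_TOOL_PREFIX are assumed for illustration.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum SessionType {
    User,
    SubAgent,
}

pub const DYNAMIC_TASK_TOOL_NAME_PREFIX: &str = "dynamic_task__";
pub const SUBAGENT_EXECUTE_TASK_TOOL_NAME: &str = "subagent__execute_task";
/// Assumed prefix for sub-recipe task tools (review mentions names like
/// `subrecipe__create_task_*`, which also create SubAgent sessions).
pub const SUB_RECIPE_TOOL_PREFIX: &str = "subrecipe__create_task_";

/// True when calling `tool_name` would spawn another subagent.
/// Prefix-style constants are matched with `starts_with`, not `==`,
/// so dynamically named tools are caught as well.
pub fn spawns_subagent(tool_name: &str) -> bool {
    tool_name == SUBAGENT_EXECUTE_TASK_TOOL_NAME
        || tool_name.starts_with(DYNAMIC_TASK_TOOL_NAME_PREFIX)
        || tool_name.starts_with(SUB_RECIPE_TOOL_PREFIX)
}

/// The check performed at dispatch time: a SubAgent session may not call
/// any tool that spawns a subagent. Err carries the same message the PR
/// returns with INVALID_REQUEST; Ok means the call may proceed.
pub fn check_subagent_dispatch(session: SessionType, tool_name: &str) -> Result<(), String> {
    if session == SessionType::SubAgent && spawns_subagent(tool_name) {
        return Err("Subagents cannot create other subagents".to_string());
    }
    Ok(())
}

fn main() {
    let cases = [
        (SessionType::User, "dynamic_task__plan"),
        (SessionType::SubAgent, "dynamic_task__plan"),
        (SessionType::SubAgent, "subrecipe__create_task_deploy"),
        (SessionType::SubAgent, "developer__shell"),
    ];
    for (session, tool) in cases {
        println!("{session:?} -> {tool}: {:?}", check_subagent_dispatch(session, tool));
    }
}
```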
| if session.session_type == crate::session::SessionType::SubAgent | ||
| && (tool_call.name == DYNAMIC_TASK_TOOL_NAME_PREFIX | ||
| || tool_call.name == SUBAGENT_EXECUTE_TASK_TOOL_NAME) | ||
| { | ||
| return ( | ||
| request_id, | ||
| Err(ErrorData::new( | ||
| ErrorCode::INVALID_REQUEST, | ||
| "Subagents cannot create other subagents".to_string(), | ||
| None, | ||
| )), | ||
| ); | ||
| } |
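Review bot: the first condition compares `tool_call.name == DYNAMIC_TASK_TOOL_NAME_PREFIX` with equality, but the constant's name says it is a prefix; if dynamic task tools are named with that prefix plus a suffix, the equality never matches and the guard misses exactly the tools it is meant to block. Either compare with `tool_call.name.starts_with(DYNAMIC_TASK_TOOL_NAME_PREFIX)` or rename the constant so the exact-match intent is clear.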
This check doesn't prevent subagents from creating sub-recipe tasks, which also spawn subagents. Sub-recipe tools (with names like subrecipe__create_task_*) create sessions with SessionType::SubAgent and should also be blocked. Consider checking self.sub_recipe_manager.is_sub_recipe_tool(&tool_call.name) in addition to the existing conditions.
DOsinga left a comment:

We can go with this for now since we need something, but it should ideally be done in `should_enabled_subagents`, I think.
* main: (83 commits)
  - silence copilot on minor text issues (block#5665)
  - fix: disallow runaway subagent chains (block#5659)
  - chore: remove usage of non-existent env var for log dir (block#5658)
  - clarify agent instructions (block#5655)
  - feat: add check-everything for unified style checks (block#5650)
  - Show errors on failure (block#5643)
  - custom instructions for copilot reviews (block#5646)
  - fix: prevent repeated 404 errors when accessing deleted sessions (block#5644)
  - Flake.nix corrected main (block#5600)
  - fix: goose recipe list can return duplicated entries (block#5645)
  - fix: bedrock creds refresh (block#5599)
  - Fix Claude Code provider to default to Auto mode (block#5638) (block#5642)
  - Scheduler cleanup (block#5571)
  - Better search paths and handling of CLI providers (block#5554)
  - docs: description required for "Add Extension" in cli - phase 2 (block#5635)
  - Remove some logging (block#5631)
  - Use session IDs as task IDs for subagents instead of UUIDs (block#5398)
  - Fix the naming (block#5628)
  - fix: default tetrate model is broken, replace with haiku-4.5 (block#5535) (block#5587)
  - Fetch less and use the right SHA (block#5621)
  - ...

* main:
  - silence copilot on minor text issues (#5665)
  - fix: disallow runaway subagent chains (#5659)
  - chore: remove usage of non-existent env var for log dir (#5658)
  - clarify agent instructions (#5655)
  - feat: add check-everything for unified style checks (#5650)
  - Show errors on failure (#5643)
  - custom instructions for copilot reviews (#5646)
  - fix: prevent repeated 404 errors when accessing deleted sessions (#5644)
  - Flake.nix corrected main (#5600)
  - fix: goose recipe list can return duplicated entries (#5645)
  - fix: bedrock creds refresh (#5599)
Signed-off-by: Blair Allan <Blairallan@icloud.com>
We need to stop subagents from being able to create other subagents. It might be cleaner to not even advertise the tool, but it looks like it would be a bigger refactor to do so.
@tlongwell-block @DOsinga Let me know if this looks like a good fix to you for the immediate term
Demo: