fix: add main-branch write restrictions for subagents

[marcusquinn]

Summary

• Add main-branch write restriction rule for subagents with write: true
• Prevent subagents invoked via Task tool from bypassing branch protection

Problem

During the t099 session, the agent-review subagent (invoked via Task tool) wrote directly to files in the main repo on the main branch. It has write: true / edit: true in its YAML frontmatter but no bash: true, so it cannot run pre-edit-check.sh. This bypassed branch protection.

Rule

On main/master, subagents may ONLY write to:

• README.md, TODO.md, todo/PLANS.md, todo/tasks/*

All other writes must be returned as proposed edits for the calling agent to apply in a worktree.

Files Changed

File	Change
.agent/tools/build-agent/build-agent.md	Added main-branch write restriction rule to subagent design guidance
.agent/tools/build-agent/agent-review.md	Added Write Restrictions section (exemplar for other subagents)
.agent/AGENTS.md	Added universal subagent write restriction to pre-edit section

Summary by CodeRabbit

• Documentation
  • Added policies clarifying write restrictions for subagents invoked via the Task tool
  • Documented which files can be modified and when proposed edits are required instead of direct writes
  • Updated guidance on subagent capabilities and limitations when operating on primary branches

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security and integrity concern where subagents, particularly those invoked via the Task tool, could bypass branch protection on the main branch. The changes introduce explicit and universal write restrictions for subagents, ensuring that they can only modify designated planning and documentation files when operating on main/master. All other modifications must be handled through proposed edits for the calling agent to apply in a worktree, thereby reinforcing branch protection and maintaining repository integrity.

Highlights

• Universal Subagent Write Restrictions: Introduced a new rule in .agent/AGENTS.md specifying that subagents with write: true can only write to README.md, TODO.md, todo/PLANS.md, and todo/tasks/* when on main/master.
• Exemplar Write Restrictions for agent-review: The agent-review.md file was updated to include a detailed "Write Restrictions" section, serving as a template for other subagents.
• Updated Subagent Design Guidance: The build-agent.md documentation now includes comprehensive guidance on main-branch write restrictions for subagents, explaining the rationale and how to implement these rules.

Changelog

• .agent/AGENTS.md
  • Added a new section detailing universal subagent write restrictions for main/master branches, specifying allowed files and requiring other writes to be returned as proposed edits.
• .agent/tools/build-agent/agent-review.md
  • Introduced a "Write Restrictions (MANDATORY)" section, explicitly listing allowed and blocked files for this specific subagent when on main/master, and clarifying that code changes must be returned as proposed edits.
• .agent/tools/build-agent/build-agent.md
  • Incorporated a new section on "Main-branch write restrictions" into the subagent design guidance, outlining the rules for subagents with write permissions, listing allowed/blocked files, and explaining the necessity of explicitly stating these rules in subagent markdown due to their inability to run pre-edit-check.sh.

Activity

• The pull request was initiated by marcusquinn to fix an issue where subagents could bypass branch protection.
• The changes primarily involve updating documentation files to enforce new write restriction policies for subagents.
• No further review comments or activity are available in the provided context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Three agent policy documentation files are updated to clarify write restrictions for subagents invoked via the Task tool. When on main/master, subagents may only write to specific files (README.md, TODO.md, todo/PLANS.md, todo/tasks/*); other changes must be returned as proposed edits. Subagents cannot execute pre-edit-check.sh. No runtime changes.

Changes

Cohort / File(s)	Summary
Agent Write-Restriction Policies .agent/AGENTS.md, .agent/tools/build-agent/agent-review.md, .agent/tools/build-agent/build-agent.md	Adds policy documentation specifying main/master write restrictions for subagents invoked via Task tool, restricts pre-edit-check.sh execution, and mandates proposed edits for disallowed writes. Provides guidance on guardrails and branch protection.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore: strengthen pre-edit-check self-verification wording #181: Modifies pre-edit-check guidance in AGENTS.md; this PR reinforces subagent restrictions on pre-edit-check.sh execution.
• fix: correct path to agent-review.md #237: Updates .agent/tools/build-agent/agent-review.md with write-restrictions section; directly related file and policy changes.
• docs(readme): update Plan+ description to reflect write permissions #113: Reflects changed agent write permissions to TODO.md and todo/; aligns with the allowed-writes list introduced here.

Poem

🤖 Subagents stand at the main-branch gate,
With files they may touch, and worktrees they create.
Pre-edit-checks pass, but not through their hands—
Proposed edits return to the caller's commands.
Safe, predictable, and tidy in stance! ✨

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/subagent-write-restrictions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 2 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 5 19:59:46 UTC 2026: Code review monitoring started
Thu Feb 5 19:59:47 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 2
Thu Feb 5 19:59:47 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Thu Feb 5 19:59:49 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 2
• VULNERABILITIES: 0

Generated on: Thu Feb 5 19:59:51 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request correctly identifies and addresses a potential issue where subagents could bypass branch protection rules. The introduction of write restrictions for subagents on the main branch is a crucial safeguard. The changes across the documentation files are clear and implement this rule. My review includes a few suggestions to enhance the clarity, consistency, and completeness of the new guidelines to ensure they are as effective as possible for both human developers and AI agents.

[gemini-code-assist]

For better readability and consistency with the other updated files in this PR, consider restructuring this rule using a list format. This will make the allowed file paths easier to parse for both humans and agents.

Suggested change

	**Subagent write restrictions**: Subagents invoked via the Task tool cannot run `pre-edit-check.sh` (many lack `bash: true`). When on `main`/`master`, subagents with `write: true` may ONLY write to: `README.md`, `TODO.md`, `todo/PLANS.md`, `todo/tasks/*`. All other writes must be returned as proposed edits for the calling agent to apply in a worktree.
	**Subagent write restrictions**: Subagents invoked via the Task tool cannot run `pre-edit-check.sh` (many lack `bash: true`). When on `main`/`master`, subagents with `write: true` must follow these rules:
	- **Allowed writes**: `README.md`, `TODO.md`, `todo/PLANS.md`, `todo/tasks/*`.
	- **Other writes**: Must be returned as proposed edits for the calling agent to apply in a worktree.

[gemini-code-assist]

The distinction between BLOCKED writes and For code changes could be clearer. The term 'code changes' is a bit narrow, as blocked files also include configs and other non-code files. Combining these two points would make the instruction more concise and remove ambiguity.

Suggested change

	- **BLOCKED writes**: All other files (agent definitions, scripts, configs, code)
	- **For code changes**: Return proposed edits to the calling agent; do NOT write directly. The calling agent will apply them in a worktree.
	- **BLOCKED writes**: For all other files (agent definitions, scripts, configs, code), return proposed edits to the calling agent; do NOT write directly. The calling agent will apply them in a worktree.

[gemini-code-assist]

The guidance for BLOCKED files is incomplete. It states which files are blocked but doesn't specify the alternative action the subagent should take, which is a key part of the rule. To make the guidance comprehensive, please include the instruction to return proposed edits.

Suggested change

	- **BLOCKED**: All other files (code, scripts, configs, agent definitions)
	- **BLOCKED**: All other files (code, scripts, configs, agent definitions). For these files, the subagent must return proposed edits to the calling agent instead of writing directly.