From 403efd7796e0829ddf31c4f06c4ef4eca2c36c1f Mon Sep 17 00:00:00 2001
From: guazi04
Date: Thu, 5 Mar 2026 00:23:54 +0800
Subject: [PATCH] fix: deny bash tool for prometheus agent (#2273)

Prometheus's prometheus-md-only hook only blocks Write/Edit tools, but bash commands (cp, rm, python3 -c, etc.) can bypass file restrictions. This adds bash and interactive_bash to the deny list in tool-config-handler.

- Added bash: deny and interactive_bash: deny to Prometheus tool permissions
- Added 4 new tests covering the deny behavior
---
 .../tool-config-handler.test.ts | 55 +++++++++++++++++++
 src/plugin-handlers/tool-config-handler.ts | 2 +
 2 files changed, 57 insertions(+)

diff --git a/src/plugin-handlers/tool-config-handler.test.ts b/src/plugin-handlers/tool-config-handler.test.ts
index 4ba70497ac..c3f176b4fc 100644
--- a/src/plugin-handlers/tool-config-handler.test.ts
+++ b/src/plugin-handlers/tool-config-handler.test.ts
@@ -80,4 +80,59 @@ describe("applyToolConfig", () => {
 })
 })
 })
+
+ describe("#given prometheus agent", () => {
+ describe("#when applying tool config", () => {
+ it("#then should deny bash for prometheus", () => {
+ const params = createParams({ agents: ["prometheus"] })
+
+ applyToolConfig(params)
+
+ const agent = params.agentResult.prometheus as {
+ permission: Record
+ }
+ expect(agent.permission.bash).toBe("deny")
+ })
+
+ it("#then should deny interactive_bash for prometheus", () => {
+ const params = createParams({ agents: ["prometheus"] })
+
+ applyToolConfig(params)
+
+ const agent = params.agentResult.prometheus as {
+ permission: Record
+ }
+ expect(agent.permission.interactive_bash).toBe("deny")
+ })
+
+ it("#then should preserve other prometheus permissions", () => {
+ const params = createParams({ agents: ["prometheus"] })
+
+ applyToolConfig(params)
+
+ const agent = params.agentResult.prometheus as {
+ permission: Record
+ }
+ expect(agent.permission.call_omo_agent).toBe("deny")
+ expect(agent.permission.task).toBe("allow")
+ expect(agent.permission["task_*"]).toBe("allow")
+ expect(agent.permission.teammate).toBe("allow")
+ })
+
+ it("#then should NOT deny bash for other agents", () => {
+ const otherAgents = ["atlas", "sisyphus", "hephaestus", "sisyphus-junior"]
+ const params = createParams({ agents: otherAgents })
+
+ applyToolConfig(params)
+
+ for (const agentName of otherAgents) {
+ const agent = params.agentResult[agentName] as {
+ permission: Record
+ }
+ expect(agent.permission.bash).toBeUndefined()
+ expect(agent.permission.interactive_bash).toBeUndefined()
+ }
+ })
+ })
+ })
 })
diff --git a/src/plugin-handlers/tool-config-handler.ts b/src/plugin-handlers/tool-config-handler.ts
index 381dbb55c9..755d6c0636 100644
--- a/src/plugin-handlers/tool-config-handler.ts
+++ b/src/plugin-handlers/tool-config-handler.ts
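Review bot: None of the four new cases in tool-config-handler.test.ts starts from a prometheus entry that already carries a shell permission, so they do not show that the deny wins over a pre-existing `bash: "allow"`. Every case builds its input with `createParams({ agents: ["prometheus"] })`; whether that fixture can seed `permission` is not visible in this hunk. If it can, a fifth case that seeds `bash: "allow"` and `interactive_bash: "allow"` and still gets `expect(agent.permission.bash).toBe("deny")` after `applyToolConfig(params)` would pin the override order, which is the property the restriction depends on.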
@@ -85,6 +85,8 @@ export function applyToolConfig(params: {
 "task_*": "allow",
 teammate: "allow",
 ...denyTodoTools,
+ bash: "deny",
+ interactive_bash: "deny",
 };
 }
 const junior = agentByKey(params.agentResult, "sisyphus-junior");
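Review bot: The two added entries remove direct shell access, but `task`, `"task_*"` and `teammate` stay `"allow"` in the same object, and the new negative test confirms that atlas, sisyphus, hephaestus and sisyphus-junior keep `bash` unset rather than denied. If Prometheus can delegate to those agents, the file restriction described in the commit message may hold only for its own tool calls; this is an inference, since neither the delegation path nor the prometheus-md-only hook is in this hunk. A name-based deny list also needs a new entry for each future tool that can touch the filesystem, so a comment above the new lines would help the next maintainer, e.g. `// plan-only agent: shell tools bypass the prometheus-md-only Write/Edit hook (#2273); check any new file-capable tool against this list`. The enclosing block and the start of the permission object are above the hunk.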