
fix: deny bash/interactive_bash for Prometheus agent (#2273)#2414

Open
guazi04 wants to merge 1 commit intocode-yeongyu:devfrom
guazi04:fix/2273-prometheus-bash-deny

Conversation


@guazi04 guazi04 commented Mar 10, 2026

Reopened from #2298 — see discussion there for why the alternative approach (Option A, bash command analyzer in #2403) is not viable.

Summary

Closes #2273 — Prometheus agent can bypass file write restrictions via bash/interactive_bash tools.

Context

The prometheus-md-only hook blocks Write and Edit tools, but Prometheus can still modify files via bash commands (cp, rm, python3 -c, etc.).

Three approaches were considered:

Option | Approach | Status
A | Enhance hook to parse/intercept bash commands | Implemented in #2403 — 424-line tokenizer still has 8 security bypasses after 2 review rounds. Bash syntax is too complex for static analysis.
B | Strengthen agent prompt to not work around restrictions | Unreliable — the original issue shows the model explicitly reasoning around the hook
C (this PR) | Deny bash tools, rely on existing read-only tools | Minimal, zero attack surface

Why Option C works

Prometheus needs bash for one thing: inspecting the codebase. But we already have purpose-built read-only tools:

Bash command | Existing tool | Advantage
cat, head, tail | Read (with offset/limit) | Line numbers, pagination
grep, rg | Grep | Regex, output modes, file filtering
find, ls | Glob | Pattern matching, sorted by mtime
 | lsp_goto_definition, lsp_find_references, lsp_symbols | Semantic code understanding

Oracle, Librarian, and Explore are all read-only agents that operate without bash — and they work well. Prometheus would follow the same proven pattern.

Changes

  • src/plugin-handlers/tool-config-handler.ts — Added bash and interactive_bash deny rules to Prometheus agent permissions
  • src/plugin-handlers/tool-config-handler.test.ts — Added 4 new tests verifying the deny behavior for both tools

Testing

  • 4 new tests, all passing
  • Existing tests unaffected

Summary by cubic

Deny bash and interactive_bash for the Prometheus agent to stop command-based write/edit bypasses and keep the agent read-only. Closes #2273.

  • Bug Fixes
    • Set bash and interactive_bash to "deny" for Prometheus in src/plugin-handlers/tool-config-handler.ts.
    • Kept other Prometheus permissions unchanged; other agents remain unaffected.
    • Added 4 tests to verify deny behavior and ensure no regression for other agents.

Written for commit 403efd7. Summary will update on new commits.

Prometheus's prometheus-md-only hook only blocks Write/Edit tools, but bash commands (cp, rm, python3 -c, etc.) can bypass file restrictions. This adds bash and interactive_bash to the deny list in tool-config-handler.

- Added bash: deny and interactive_bash: deny to Prometheus tool permissions
- Added 4 new tests covering the deny behavior
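The contrast the PR draws between Option A and Option C, as an added example that is not part of this PR or of the project's tool-config-handler.ts: a hypothetical per-agent permission table carrying the deny rules described above, beside a naive first-word bash analyzer of the kind Option A attempts, both run over constructed commands that each write or delete files. Agent and tool names follow the PR text; the table shape, the `general` agent, the sample commands and the function names are assumptions made here.

```typescript
// Added illustrative example, not the project's tool-config-handler.ts.
// Contrasts a tool-level deny rule with a naive bash command analyzer.
// Agent/tool names follow the PR text; the data shapes are hypothetical.

type Permission = "allow" | "deny";
type ToolPermissions = Record<string, Permission>;

// Hypothetical per-agent permission table. Prometheus keeps its read-only
// tools and denies every tool that can write: Write/Edit (already blocked by
// the prometheus-md-only hook) plus bash and interactive_bash (this PR).
const AGENT_PERMISSIONS: Record<string, ToolPermissions> = {
  prometheus: {
    read: "allow",
    grep: "allow",
    glob: "allow",
    lsp_goto_definition: "allow",
    lsp_find_references: "allow",
    lsp_symbols: "allow",
    write: "deny",
    edit: "deny",
    bash: "deny",
    interactive_bash: "deny",
  },
  // Hypothetical general-purpose agent, present only to show that the deny
  // rule is scoped to Prometheus and leaves other agents untouched.
  general: {
    read: "allow",
    write: "allow",
    edit: "allow",
    bash: "allow",
    interactive_bash: "allow",
  },
};

// Tool-level decision: a tool runs only if the agent explicitly allows it.
// Unknown agents and unknown tools fall through to deny (default deny).
function isToolAllowed(agent: string, tool: string): boolean {
  const perms = AGENT_PERMISSIONS[agent.toLowerCase()];
  return perms !== undefined && perms[tool.toLowerCase()] === "allow";
}

// Naive "Option A" style check: inspect the first word of the command and
// refuse it if that word is a known file-writing program. This is the
// approach the PR rejects; it is here to show why.
const WRITE_PROGRAMS = new Set(["cp", "mv", "rm", "tee", "dd", "sed", "chmod", "python3"]);

function naiveAnalyzerSaysReadOnly(command: string): boolean {
  const first = command.trim().split(/\s+/)[0] ?? "";
  return !WRITE_PROGRAMS.has(first);
}

// Constructed bypass samples. Each command modifies or deletes files, yet its
// first word is not in WRITE_PROGRAMS, so the naive analyzer passes it.
const CONSTRUCTED_BYPASSES: readonly string[] = [
  "cat src/a.ts > src/b.ts",            // shell redirection, no write program named
  "echo x | tee -a notes.md",           // write program appears after a pipe
  "env python3 -c 'open(\"f\",\"w\")'", // wrapper binary in front of the interpreter
  "$(printf rm) -rf build",             // command name assembled at runtime
  "r''m -f f",                          // quoting splits the program name
  "eval 'cp a b'",                      // indirection through eval
  "bash -c 'mv a b'",                   // nested shell
];

// Runs every sample through both checks. The naive analyzer is fooled by all
// of them; the tool-level deny rejects all of them without reading the
// command text at all, which is the point of Option C.
function evaluateBypasses(agent: string): { naiveMissed: number; toolDenied: number } {
  let naiveMissed = 0;
  let toolDenied = 0;
  for (const cmd of CONSTRUCTED_BYPASSES) {
    if (naiveAnalyzerSaysReadOnly(cmd)) naiveMissed++;
    if (!isToolAllowed(agent, "bash")) toolDenied++;
  }
  return { naiveMissed, toolDenied };
}

console.log(evaluateBypasses("prometheus")); // prints { naiveMissed: 7, toolDenied: 7 }
```

The first-word analyzer is deliberately simpler than the 424-line tokenizer the PR describes, but every sample above exercises a shell feature (redirection, pipes, wrappers, substitution, quoting, eval, nested shells) that any static analyzer has to model correctly, whereas the permission lookup never has to parse the command because the tool is not reachable in the first place.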

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Auto-approved: Simple targeted change to deny bash tools for Prometheus with comprehensive tests ensuring no impact on other agents. Low risk and follows a proven pattern.



Development

Successfully merging this pull request may close these issues.

[Bug]: Prometheus CAN edit files

1 participant