Tracked since May 21, 2026

Enforce agent-level deny permissions over session approvals

A critical permission-resolution bug was fixed so agent-configured deny rules for actions like `bash` are no longer bypassed by session-level permission approvals, which previously allowed forbidden operations to run in the same session.

Tags: agent-level deny rules, session-level permission approvals, permission resolution order, findLast

What Happened

  • A critical permission-resolution bug was fixed so agent-configured deny rules for actions like `bash` are no longer bypassed by session-level permission approvals, which previously allowed forbidden operations to run in the same session.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

The patch changes Kilo’s permission engine to always append agent deny rules after session rules and apply that ordering for all agent types, while also fixing the disabled-check path so blanket denies (`pattern: "*"`) are matched explicitly; this removes a bypass where session allowlist decisions could overshadow agent denies.

Why Track This

Why It Matters

Developers and operators can keep using session approvals without fear that a previously denied command (for example, shell execution) will run anyway, so policy enforcement stays intact during agent tool calls and security boundaries are more reliable. Technically, `findLast` now resolves agent denies last in the merged rule chain and applies them across all modes, with blanket-deny matching corrected to avoid false positives from non-blanket rules; this should be monitored for any new precedence regressions when new agent modes or permission types are added.
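To make the precedence problem concrete, here is an added JavaScript illustration of a last-match-wins resolver built on `findLast`, showing both the session-shadowing bypass and the blanket-deny check described above. This is not Kilo's code: the rule shape, the function names (`resolve`, `mergeRulesBefore`, `mergeRulesAfter`, `isDisabledBefore`, `isDisabledAfter`) and the sample rules are assumptions made for this example.

```javascript
// Added illustration of last-match-wins permission resolution; not Kilo's code.
// Rule shape ({ permission, pattern, action }) and function names are assumptions.

// Minimal glob matcher: "*" alone matches anything, a trailing "*" is a prefix match.
function matchesPattern(pattern, value) {
  if (pattern === "*") return true;
  if (pattern.endsWith("*")) return value.startsWith(pattern.slice(0, -1));
  return pattern === value;
}

// Resolve an action against a merged rule chain with last-match-wins semantics
// (Array.prototype.findLast). When nothing matches, fall back to "ask".
function resolve(rules, permission, value) {
  const hit = rules.findLast(
    (r) => r.permission === permission && matchesPattern(r.pattern, value)
  );
  return hit ? hit.action : "ask";
}

// Buggy merge: session rules are appended last, so a session approval that
// matches the same value shadows an agent-level deny.
function mergeRulesBefore(agentRules, sessionRules) {
  return [...agentRules, ...sessionRules];
}

// Fixed merge: agent deny rules are appended after session rules so they always
// resolve last, whatever the session approved. Non-deny agent rules keep their place.
function mergeRulesAfter(agentRules, sessionRules) {
  const agentDenies = agentRules.filter((r) => r.action === "deny");
  const agentOther = agentRules.filter((r) => r.action !== "deny");
  return [...agentOther, ...sessionRules, ...agentDenies];
}

// Buggy disabled check: any deny rule for the permission marks the tool as
// disabled, so a narrow deny (e.g. "rm *") is a false positive.
function isDisabledBefore(agentRules, permission) {
  return agentRules.some((r) => r.permission === permission && r.action === "deny");
}

// Fixed disabled check: only an explicit blanket deny (pattern "*") disables the tool.
function isDisabledAfter(agentRules, permission) {
  return agentRules.some(
    (r) => r.permission === permission && r.action === "deny" && r.pattern === "*"
  );
}

// Constructed sample: the agent config denies all bash, and the session later
// recorded an approval for "rm -rf *" (for example via an "always allow" prompt).
const agentRules = [{ permission: "bash", pattern: "*", action: "deny" }];
const sessionRules = [{ permission: "bash", pattern: "rm -rf *", action: "allow" }];

// Returns the resolved action for the same command under both merge orders.
function demo() {
  const value = "rm -rf /tmp/x";
  return {
    before: resolve(mergeRulesBefore(agentRules, sessionRules), "bash", value),
    after: resolve(mergeRulesAfter(agentRules, sessionRules), "bash", value),
  };
}

console.log(demo()); // before: "allow" (bypass), after: "deny" (enforced)
```

The fixed merge only moves deny rules, so a session approval for a command the agent does not deny still resolves to "allow"; the change narrows the bypass without turning every session approval into a prompt.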


What To Watch Next

  • Watch whether bypasses of agent-level deny rules become a repeated pattern.
  • Track follow-up changes around AI Security.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: session_approval_shadowing, new_agent_mode_regression.

Risk flags: session_approval_shadowing, new_agent_mode_regression, blanket_deny_pattern_misapplication, rule_merge_order_changes

Supporting Evidence