🤖 fix: enforce agent task queue + depth tool gating

- Queue agent tasks without creating worktrees until dequeued.
- Persist queued prompts in metadata and render them in queued workspaces without auto-resume/backoff.
- Disable task/task_* tools once maxTaskNestingDepth is reached.

Signed-off-by: Thomas Kosiewski <tk@coder.com>

---
_Generated with `mux` • Model: unknown • Thinking: unknown_
<!-- mux-attribution: model=unknown thinking=unknown -->

Change-Id: Icf17d2634b2aff2061f75b44fdd8a6b63b887247

Author: ThomasK33

src/browser/components/AIView.tsx

@@ -73,6 +73,7 @@ import { ReviewsBanner } from "./ReviewsBanner";
 import type { ReviewNoteData } from "@/common/types/review";
 import { PopoverError } from "./PopoverError";
 import { ConnectionStatusIndicator } from "./ConnectionStatusIndicator";
+import { useWorkspaceContext } from "@/browser/contexts/WorkspaceContext";
 
 interface AIViewProps {
   workspaceId: string;
@@ -99,6 +100,7 @@ const AIViewInner: React.FC<AIViewProps> = ({
   status,
 }) => {
   const { api } = useAPI();
+  const { workspaceMetadata } = useWorkspaceContext();
   const chatAreaRef = useRef<HTMLDivElement>(null);
 
   // Track which right sidebar tab is selected (listener: true to sync with RightSidebar changes)
@@ -134,6 +136,14 @@ const AIViewInner: React.FC<AIViewProps> = ({
   const { statsTabState } = useFeatureFlags();
   const statsEnabled = Boolean(statsTabState?.enabled);
   const workspaceState = useWorkspaceState(workspaceId);
+  const meta = workspaceMetadata.get(workspaceId);
+  const isQueuedAgentTask = Boolean(meta?.parentWorkspaceId) && meta?.taskStatus === "queued";
+  const queuedAgentTaskPrompt =
+    isQueuedAgentTask && typeof meta?.taskPrompt === "string" && meta.taskPrompt.trim().length > 0
+      ? meta.taskPrompt
+      : null;
+  const shouldShowQueuedAgentTaskPrompt =
+    Boolean(queuedAgentTaskPrompt) && (workspaceState?.messages.length ?? 0) === 0;
   const aggregator = useWorkspaceAggregator(workspaceId);
   const workspaceUsage = useWorkspaceUsage(workspaceId);
 
@@ -727,6 +737,14 @@ const AIViewInner: React.FC<AIViewProps> = ({
                   }
                 />
               )}
+              {shouldShowQueuedAgentTaskPrompt && (
+                <QueuedMessage
+                  message={{
+                    id: `queued-agent-task-${workspaceId}`,
+                    content: queuedAgentTaskPrompt ?? "",
+                  }}
+                />
+              )}
               {workspaceState?.queuedMessage && (
                 <QueuedMessage
                   message={workspaceState.queuedMessage}
@@ -775,7 +793,7 @@ const AIViewInner: React.FC<AIViewProps> = ({
           onMessageSent={handleMessageSent}
           onTruncateHistory={handleClearHistory}
           onProviderConfig={handleProviderConfig}
-          disabled={!projectName || !workspaceName}
+          disabled={!projectName || !workspaceName || isQueuedAgentTask}
           isCompacting={isCompacting}
           editingMessage={editingMessage}
           onCancelEdit={handleCancelEdit}

src/common/orpc/schemas/project.ts

@@ -50,6 +50,14 @@ export const WorkspaceConfigSchema = z.object({
   taskThinkingLevel: ThinkingLevelSchema.optional().meta({
     description: "Thinking level used for this agent task (used for restart-safe resumptions).",
   }),
+  taskPrompt: z.string().optional().meta({
+    description:
+      "Initial prompt for a queued agent task (persisted only until the task actually starts).",
+  }),
+  taskTrunkBranch: z.string().optional().meta({
+    description:
+      "Trunk branch used to create/init this agent task workspace (used for restart-safe init on queued tasks).",
+  }),
   mcp: WorkspaceMCPOverridesSchema.optional().meta({
     description: "Per-workspace MCP overrides (disabled servers, tool allowlists)",
   }),

src/common/orpc/schemas/workspace.ts

@@ -2,6 +2,8 @@ import { z } from "zod";
 import { RuntimeConfigSchema } from "./runtime";
 import { WorkspaceAISettingsSchema } from "./workspaceAiSettings";
 
+const ThinkingLevelSchema = z.enum(["off", "low", "medium", "high", "xhigh"]);
+
 export const WorkspaceMetadataSchema = z.object({
   id: z.string().meta({
     description:
@@ -38,6 +40,27 @@ export const WorkspaceMetadataSchema = z.object({
     description:
       'If set, selects an agent preset for this workspace (e.g., "research" or "explore").',
   }),
+  taskStatus: z.enum(["queued", "running", "awaiting_report", "reported"]).optional().meta({
+    description:
+      "Agent task lifecycle status for child workspaces (queued|running|awaiting_report|reported).",
+  }),
+  reportedAt: z.string().optional().meta({
+    description: "ISO 8601 timestamp for when an agent task reported completion (optional).",
+  }),
+  taskModelString: z.string().optional().meta({
+    description: "Model string used to run this agent task (used for restart-safe resumptions).",
+  }),
+  taskThinkingLevel: ThinkingLevelSchema.optional().meta({
+    description: "Thinking level used for this agent task (used for restart-safe resumptions).",
+  }),
+  taskPrompt: z.string().optional().meta({
+    description:
+      "Initial prompt for a queued agent task (persisted only until the task actually starts).",
+  }),
+  taskTrunkBranch: z.string().optional().meta({
+    description:
+      "Trunk branch used to create/init this agent task workspace (used for restart-safe init on queued tasks).",
+  }),
   status: z.enum(["creating"]).optional().meta({
     description:
       "Workspace creation status. 'creating' = pending setup (ephemeral, not persisted). Absent = ready.",

src/node/config.ts

@@ -358,6 +358,12 @@ export class Config {
               aiSettings: workspace.aiSettings,
               parentWorkspaceId: workspace.parentWorkspaceId,
               agentType: workspace.agentType,
+              taskStatus: workspace.taskStatus,
+              reportedAt: workspace.reportedAt,
+              taskModelString: workspace.taskModelString,
+              taskThinkingLevel: workspace.taskThinkingLevel,
+              taskPrompt: workspace.taskPrompt,
+              taskTrunkBranch: workspace.taskTrunkBranch,
             };
 
             // Migrate missing createdAt to config for next load
@@ -403,6 +409,12 @@ export class Config {
             // Preserve tree/task metadata when present in config (metadata.json won't have it)
             metadata.parentWorkspaceId ??= workspace.parentWorkspaceId;
             metadata.agentType ??= workspace.agentType;
+            metadata.taskStatus ??= workspace.taskStatus;
+            metadata.reportedAt ??= workspace.reportedAt;
+            metadata.taskModelString ??= workspace.taskModelString;
+            metadata.taskThinkingLevel ??= workspace.taskThinkingLevel;
+            metadata.taskPrompt ??= workspace.taskPrompt;
+            metadata.taskTrunkBranch ??= workspace.taskTrunkBranch;
             // Migrate to config for next load
             workspace.id = metadata.id;
             workspace.name = metadata.name;
@@ -429,6 +441,12 @@ export class Config {
               aiSettings: workspace.aiSettings,
               parentWorkspaceId: workspace.parentWorkspaceId,
               agentType: workspace.agentType,
+              taskStatus: workspace.taskStatus,
+              reportedAt: workspace.reportedAt,
+              taskModelString: workspace.taskModelString,
+              taskThinkingLevel: workspace.taskThinkingLevel,
+              taskPrompt: workspace.taskPrompt,
+              taskTrunkBranch: workspace.taskTrunkBranch,
             };
 
             // Save to config for next load
@@ -456,6 +474,12 @@ export class Config {
             aiSettings: workspace.aiSettings,
             parentWorkspaceId: workspace.parentWorkspaceId,
             agentType: workspace.agentType,
+            taskStatus: workspace.taskStatus,
+            reportedAt: workspace.reportedAt,
+            taskModelString: workspace.taskModelString,
+            taskThinkingLevel: workspace.taskThinkingLevel,
+            taskPrompt: workspace.taskPrompt,
+            taskTrunkBranch: workspace.taskTrunkBranch,
           };
           workspaceMetadata.push(this.addPathsToMetadata(metadata, workspace.path, projectPath));
         }

src/node/services/agentPresets.ts

@@ -30,10 +30,10 @@ const RESEARCH_PRESET: AgentPreset = {
     "Rules:",
     "- Do not edit files.",
     "- Do not run bash commands unless explicitly enabled (assume it is not).",
-    "- If you need repository exploration beyond file_read, delegate to an Explore sub-agent via the task tool.",
+    "- If the task tool is available and you need repository exploration beyond file_read, delegate to an Explore sub-agent.",
     "",
     "Delegation:",
-    '- Use: task({ subagent_type: "explore", prompt: "..." }) when you need repo exploration.',
+    '- If available, use: task({ subagent_type: "explore", prompt: "..." }) when you need repo exploration.',
     "",
     "Reporting:",
     "- When you have a final answer, call agent_report exactly once.",
@@ -66,10 +66,10 @@ const EXPLORE_PRESET: AgentPreset = {
     "Rules:",
     "- Do not edit files.",
     "- Treat bash as read-only: prefer commands like rg, ls, cat, git show, git diff (read-only).",
-    "- If you need external information, delegate to a Research sub-agent via the task tool.",
+    "- If the task tool is available and you need external information, delegate to a Research sub-agent.",
     "",
     "Delegation:",
-    '- Use: task({ subagent_type: "research", prompt: "..." }) when you need web research.',
+    '- If available, use: task({ subagent_type: "research", prompt: "..." }) when you need web research.',
     "",
     "Reporting:",
     "- When you have a final answer, call agent_report exactly once.",

src/node/services/aiService.ts

@@ -51,6 +51,7 @@ import type { MCPServerManager, MCPWorkspaceStats } from "@/node/services/mcpSer
 import type { TaskService } from "@/node/services/taskService";
 import { buildProviderOptions } from "@/common/utils/ai/providerOptions";
 import type { ThinkingLevel } from "@/common/types/thinking";
+import { DEFAULT_TASK_SETTINGS } from "@/common/types/tasks";
 import type {
   StreamAbortEvent,
   StreamDeltaEvent,
@@ -344,6 +345,36 @@ function parseModelString(modelString: string): [string, string] {
   return [providerName, modelId];
 }
 
+function getTaskDepthFromConfig(
+  config: ReturnType<Config["loadConfigOrDefault"]>,
+  workspaceId: string
+): number {
+  const parentById = new Map<string, string | undefined>();
+  for (const project of config.projects.values()) {
+    for (const workspace of project.workspaces) {
+      if (!workspace.id) continue;
+      parentById.set(workspace.id, workspace.parentWorkspaceId);
+    }
+  }
+
+  let depth = 0;
+  let current = workspaceId;
+  for (let i = 0; i < 32; i++) {
+    const parent = parentById.get(current);
+    if (!parent) break;
+    depth += 1;
+    current = parent;
+  }
+
+  if (depth >= 32) {
+    throw new Error(
+      `getTaskDepthFromConfig: possible parentWorkspaceId cycle starting at ${workspaceId}`
+    );
+  }
+
+  return depth;
+}
+
 export class AIService extends EventEmitter {
   private readonly streamManager: StreamManager;
   private readonly historyService: HistoryService;
@@ -1199,7 +1230,23 @@ export class AIService extends EventEmitter {
         }
       }
 
+      const cfg = this.config.loadConfigOrDefault();
+      const taskSettings = cfg.taskSettings ?? DEFAULT_TASK_SETTINGS;
+      const taskDepth = getTaskDepthFromConfig(cfg, workspaceId);
+      const shouldDisableTaskToolsForDepth = taskDepth >= taskSettings.maxTaskNestingDepth;
+
       const agentPreset = getAgentPreset(metadata.agentType);
+      const agentSystemPrompt = agentPreset
+        ? shouldDisableTaskToolsForDepth
+          ? [
+              agentPreset.systemPrompt,
+              "",
+              "Nesting:",
+              `- Task delegation is disabled in this workspace (taskDepth=${taskDepth}, maxTaskNestingDepth=${taskSettings.maxTaskNestingDepth}).`,
+              "- Do not call task/task_await/task_list/task_terminate.",
+            ].join("\n")
+          : agentPreset.systemPrompt
+        : undefined;
 
       // Build system message from workspace metadata
       const systemMessage = await buildSystemMessage(
@@ -1210,7 +1257,7 @@ export class AIService extends EventEmitter {
         effectiveAdditionalInstructions,
         modelString,
         mcpServers,
-        agentPreset ? { variant: "agent", agentSystemPrompt: agentPreset.systemPrompt } : undefined
+        agentSystemPrompt ? { variant: "agent", agentSystemPrompt } : undefined
       );
 
       // Count system message tokens for cost tracking
@@ -1303,10 +1350,18 @@ export class AIService extends EventEmitter {
         mcpTools
       );
 
-      // Preset tool policy must be applied last so callers cannot re-enable restricted tools.
-      const effectiveToolPolicy = agentPreset
-        ? [...(toolPolicy ?? []), ...agentPreset.toolPolicy]
-        : toolPolicy;
+      const depthToolPolicy: ToolPolicy = shouldDisableTaskToolsForDepth
+        ? [
+            { regex_match: "task", action: "disable" },
+            { regex_match: "task_.*", action: "disable" },
+          ]
+        : [];
+
+      // Preset + depth tool policies must be applied last so callers cannot re-enable restricted tools.
+      const effectiveToolPolicy =
+        agentPreset || depthToolPolicy.length > 0
+          ? [...(toolPolicy ?? []), ...(agentPreset?.toolPolicy ?? []), ...depthToolPolicy]
+          : toolPolicy;
 
       // Apply tool policy FIRST - this must happen before PTC to ensure sandbox
       // respects allow/deny filters. The policy-filtered tools are passed to