Handoffs are secure by default since PR #1848. The target agent only receives tools shared with the source agent. Use
tool_policy_mode="passthrough" only when you intentionally need legacy behaviour.Quick Start
1
Secure by default
No extra configuration needed —
handoff(target) already enforces intersect mode.2
Block dangerous tools
Always strip specific tool names regardless of mode.
3
Opt into legacy passthrough
4
Full HandoffConfig
How It Works
Modes
Configuration Options
HandoffToolPolicy
handoff() shorthand kwargs
Common Patterns
Gatekeeper → automation (secure default)
Always block destructive tools
Passthrough with selective block list
Best Practices
Default to intersect for least-privilege
Default to intersect for least-privilege
Leave
tool_policy_mode unset unless you have a specific reason to use passthrough. Intersect mode prevents silent privilege escalation.Always block known dangerous tools
Always block known dangerous tools
Even in intersect mode, add
blocked_tools for tools like execute_code or shell_access if they appear in the shared set.Fix the source toolset, not the policy
Fix the source toolset, not the policy
If intersect mode leaves the target without a needed tool, add that tool to the source agent rather than switching to passthrough.
Test handoff boundaries in security tests
Test handoff boundaries in security tests
Verify that a gatekeeper handoff cannot invoke tools the source agent does not hold.
Migration Note
Related
Agent Handoffs
Core handoff patterns and delegation
Handoff Filters
Filter context passed during handoff
Handoff Configuration
Full HandoffConfig reference

