
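Multi-agent least privilege in practice: after stripping the main agent's privileges, the elevated gate must also be configured

Scenario: once `main` keeps only `sessions_spawn`, it can no longer delegate to high-privilege lanes. The key is to configure both `agentToAgent.allow` and `tools.elevated.allowFrom.<channel>`.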

REDDIT · Discovered 2026-02-14 · Author u/rutger-cas
Prerequisites
  • You run a multi-agent architecture (main/router/lanes) and use sessions_spawn delegation.
  • You can edit runtime config for elevated policies per channel.
Steps
  1. Strip privileged tools from `main` first (web/exec/process), keeping only orchestration tools.
  2. Set an explicit lane allowlist in `tools.agentToAgent.allow` for every delegable target agent.
  3. Enable `tools.elevated` and configure `allowFrom.<channel>` with the exact runtime identifier.
  4. Run an end-to-end spawn test from main → router → lane and confirm there is no `allowed:none` rejection.
Commands
openclaw gateway config.get
openclaw gateway restart
openclaw sessions list
Verify

Main agent stays least-privilege while delegation to approved lanes succeeds consistently.

Caveats
  • The community post is experiential; the exact identifier format can differ by channel/runtime (needs verification).
  • Avoid wildcard elevated rules; they defeat least-privilege design.
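
A pre-restart check for steps 2 and 3 and the wildcard caveat, as an added example that is not from the original post or the OpenClaw project. It assumes the dotted keys in this tip map to nested JSON objects and that `tools.elevated` carries an `enabled` flag; the channel names, identifiers and lane names are constructed.

```python
import json

# Constructed sample config. The nesting and the "enabled" flag are assumptions
# derived from the dotted key names in this tip; all values are placeholders.
SAMPLE_CONFIG = json.loads("""
{
  "tools": {
    "agentToAgent": {"allow": ["router", "lane-web"]},
    "elevated": {
      "enabled": true,
      "allowFrom": {"discord": ["*"], "telegram": []}
    }
  }
}
""")


def audit_delegation_policy(config, lanes):
    """Return findings for the lane allowlist and the elevated gate."""
    findings = []
    tools = config.get("tools", {})

    # Step 2: every delegable lane must be listed explicitly.
    allow = tools.get("agentToAgent", {}).get("allow") or []
    if "*" in allow:
        findings.append("tools.agentToAgent.allow contains a wildcard")
    for lane in lanes:
        if lane not in allow:
            findings.append(f"lane '{lane}' missing from tools.agentToAgent.allow")

    # Step 3: the elevated gate must be on, with exact per-channel identifiers.
    elevated = tools.get("elevated", {})
    if not elevated.get("enabled"):
        findings.append("tools.elevated is not enabled")
    allow_from = elevated.get("allowFrom") or {}
    if not allow_from:
        findings.append("tools.elevated.allowFrom has no channel entries")
    for channel, ids in allow_from.items():
        if not ids:
            findings.append(f"tools.elevated.allowFrom.{channel} lists no identifiers")
        elif any("*" in str(i) for i in ids):
            findings.append(f"tools.elevated.allowFrom.{channel} uses a wildcard")
    return findings
```

Feed it the parsed output of the config dump and the list of lanes `main` is expected to reach; an empty result means the static settings match the steps, and the end-to-end spawn test in step 4 is still required.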
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
