Built-in Plan agent ignores parent settings.json permissions and repeatedly prompts for pre-approved tools
Description
The built-in Plan agent repeatedly asks for permissions for tools that are already approved in my root ~/.claude/settings.json file. This makes the Plan agent workflow frustrating and interrupts the planning process.
Environment
- Claude Code Version: 2.0.28+ (Plan agent introduced in this version)
- Platform: macOS (Darwin 25.0.0)
- Configuration: Extensive permissions.allow list in
~/.claude/settings.json
Current Behavior
When Claude Code invokes the built-in Plan agent (subagent), it repeatedly requests permissions for Bash tools that are already approved in my root settings.json file.
I've noticed that it happens most often with piped (|) commands.
Expected Behavior
Built-in subagents like Plan should inherit or respect the permissions already configured in settings.json, similar to how the main Claude conversation respects these settings.
Root Cause Analysis
Based on documentation review:
- Subagents have their own separate tool permissions
- The
toolsfield inheritance (when omitted) only applies to custom subagents - Built-in subagents like Plan have predefined tool configurations that don't inherit from parent settings
- Users cannot customize built-in subagent permissions
Related Issues
This issue is related to but distinct from:
- #5465 - Task subagents fail to inherit permissions (MCP-specific)
- #4801 - Need better way to restrict subagent tool use
- #4750 - Ambiguity in Subagent Behavior in Plan Mode
- #8395 - User-Level Agent Rules and Rule Propagation
However, this specifically affects built-in agents like Plan, not just custom subagents or MCP scenarios.
Proposed Solution
- Option A: Built-in subagents should inherit permissions from parent
settings.jsonby default - Option B: Provide a way to configure built-in subagent permissions (e.g.,
.claude/agents/plan.override.md) - Option C: Add a setting like
"builtinAgentsInheritPermissions": true
Workarounds Attempted
None available. Cannot modify built-in agent configurations.
Impact
- Interrupts workflow with repeated permission prompts
- Makes Plan mode less useful despite being a valuable feature
- Undermines the purpose of pre-configuring extensive permission lists
19 Comments
For example:
<img width="680" height="194" alt="Image" src="https://github.com/user-attachments/assets/2ab107d6-a344-4f9f-bbd7-c5dffeebc985" />
Even if I have
findandheadinpermissions.allow.+1 Happening consistently for me as well. Have looked for syntax errors/typos in
settings.local.json(which makes the whole file get silently ignored, but that's another problem) and--dangerously-skip-permissions, neither of which allow the plan agent to operate without checking for every permissions.This is a critical bug IMO because the expected workaround for users is to opt in to
--dangerously-skip-permissionswhich we know is, as the flag states, dangerous. This is potential liability for Anthropic.@brendanstennett I agree this should be treated as a critical bug.
Until they fix it, I was able to fix this by adding this permission:
Thanks @PaulRBerg
Sadly, just a "Do anything you want with Bash" is just a very risky workaround. I've been using devcontainers to help alleviate the risks associated as well.
I know it's risky. But the alternative is to give 200+ approvals every day for commands that I have already approved. That would be a massive slowdown in productivity.
I urge the Anthropic team to fix this bug ASAP 🙏
I can't approve hundreds of sub-agent requests a day either I shouldn't have to resort to unsafe operations to work around it.
Can someone from Anthropic please address this critical bug?
This is happening for me as well, it's a bad user experience
This one makes it hard to justify using task / sub agents currently, it adds so much friction, and the hack is too risky to allow all.
The friction is really unbearable. Using containers and skipping permissions is great to avoid broad system access, but doesn't mitigate the risk of destructive behavior (unless you wanna read everything CC does, which also goes against the idea of autonomous agents).
The irony is that while this isn't fixed, CC waits for input instead of working and burning tokens. Anthropic is not losing money on that, but still, they could earn much more.
This is quite painful, doing a PR with sub-agents can take hours of babysitting. I can try the work @PaulRBerg mentioned in his comment https://github.com/anthropics/claude-code/issues/10906#issuecomment-3591863059 - but that is a broad permission.
+1 — Same issue. I use a carefully curated
permissions.allowin globalsettings.json(WebSearch, safe read-only git commands, specialized converter scripts). None of these propagate to Task sub-agents. The workaround of allowing all Bash is not acceptable from a security perspective. A permission inheritance model (parent allows → sub-agent inherits, with optional restriction) would solve this cleanly.Another manifestation of this: custom agents with explicitly declared skills in their config still prompt for permission to read the SKILL.md files.
For example, a QA agent config with:
Still prompts to read
.claude/skills/agent-browser/SKILL.mdevery time the agent is launched. The main session loads skills implicitly without any permission prompt, but subagents don't get the same treatment — even when the skill is explicitly declared in the agent's own configuration.Expected: if a skill is declared in the agent config, the corresponding SKILL.md should be read without prompting, same as the main session.
I have the same issue AFAICT ...
I have a skill that spawns an agent team. One of the agents is directed to read a file for some additional context (it's like 30k of rules; so I don't want it in the spawning/controlling agent's context). No matter what I've added to settings.json I'm always prompted to read the file. Claude itself is like 🤷 file an issue (after several attempts to debug).
#14956 & #26479 are possibly related.
Practically unusable today with the number of permissions prompts I am receiving. Example of an agent command that is repeatedly getting denied. There is no reason this needs to be a compound command or be prefixed with a directory change but despite my best efforts, I have not be able to instruct it to do anything else. Happening in sub-agents.
If it's the case that it's simply just not recommended to use Claude Code with anything other than
--dangerously-skip-permissionsI think you just need to come out and say that. The permission system is completely broken.I am also experiencing this with a slight variation on the details.
Important details, TL;DR:
Steps to reproduce:
Note I am only being prompted for agent/sub-agent "Write" tasks when it wants to create and populate the markdown file.
Until Anthropic fixes permission inheritance, a
PermissionRequesthook can auto-approve tool calls that match your existing allow list — without the nuclear option of"Bash"(allow-all).Create
~/.claude/hooks/auto-approve-safe.sh:Then in
~/.claude/settings.json:PermissionRequestfires for every permission prompt, including from subagents and Plan mode{"decision":"approve"}→ prompt is skipped{}→ normal prompt appearsFor piped/compound commands that trigger extra prompts, you can add patterns like:
This gives you the same granularity as
permissions.allowbut for subagents. You control exactly which patterns are auto-approved — no blanket"Bash"needed.Possibly related to #39834 (open) — "Permission glob for Bash does not match when it should". Reports the same symptom (allowlisted permission globs not matching) but narrows the scope to glob pattern matching rather than plan mode specifically. May share the same root cause.
Same root cause as #18950 — subagents don't fully inherit
permissions.allowpatterns. Hooks are the fix because they propagate reliably to all subagents including the Plan agent.Place in
~/.claude/settings.json:This handles the piped commands that trigger most Plan agent prompts — the hook splits on
|and checks each component individually.