[FEATURE] Allow restrictive permission modes for subagents even when parent uses `bypassPermissions`
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
When a parent agent uses bypassPermissions mode, all subagents unconditionally inherit this mode and it cannot be overridden. This creates significant security concerns:
- Privilege escalation: A subagent with a different (potentially user-defined or third-party) system prompt inherits full autonomous system access, even if the user intended to restrict it.
- Increased attack surface: Third-party subagents, plugins, or skills that spawn subagents automatically gain bypass privileges without explicit user consent.
- No defense-in-depth: Users cannot create configurations like "trusted main agent with bypass, restricted subagent for untrusted operations"—the permission model is all-or-nothing.
- Prompt injection amplification: If an attacker can influence a subagent's prompt (via plugin, skill injection, or other vector), they gain the same dangerous permissions as the parent.
The current documentation explicitly states this limitation:
"When using bypassPermissions, all subagents inherit this mode and it cannot be overridden. Subagents may have different system prompts and less constrained behavior than your main agent."
Proposed Solution
Allow users to restrict subagent permissions independently of the parent's bypassPermissions mode. Specifically:
- Add a
subagentPermissionModeoption toClaudeAgentOptionsthat controls the default permission mode for spawned subagents:
``typescript``
options: {
permissionMode: "bypassPermissions",
subagentPermissionMode: "default" // Subagents use normal permissions
}
- Allow subagent-level
permissionModeto override inheritance when explicitly set in the subagent configuration, rather than havingbypassPermissionsalways take precedence.
- Default to more restrictive subagent permissions when parent uses
bypassPermissions—perhapsacceptEditsordefaultinstead of inheriting bypass.
- Log subagent operations with elevated permissions so users can audit what actions were taken without approval.
Alternative Solutions
- Require explicit opt-in for bypass inheritance: Add
allowSubagentBypass: truethat must be explicitly set for subagents to inheritbypassPermissions. Default tofalse.
- Warning prompt before spawning subagents in bypass mode: Even if permissions bypass approval, show a one-time warning when a subagent is about to be spawned with inherited bypass permissions.
- Per-subagent bypass allowlist: In settings.json, allow users to specify which subagent names can inherit
bypassPermissions:
``json``
{
"permissions": {
"subagentBypassAllowlist": ["Explore", "Plan"]
}
}
Priority
Critical - Blocking my work
Feature Category
CLI commands and flags
Use Case Example
Scenario: A developer uses Claude Code with bypassPermissions for trusted file operations in their own codebase. They've also installed a third-party plugin that provides a specialized "documentation-generator" subagent.
Current behavior:
- Developer runs Claude with
--dangerously-skip-permissions - Claude delegates documentation task to the plugin's subagent
- The third-party subagent (with an untrusted system prompt) inherits full bypass permissions
- The subagent can execute any bash command, modify any file, without approval
Desired behavior:
- Developer configures:
permissionMode: "bypassPermissions", subagentPermissionMode: "acceptEdits" - Main agent has full bypass for trusted operations
- Third-party subagent only has auto-approved file edits, but bash commands still require approval
- Defense-in-depth is maintained
Additional Context
Documentation references:
- https://platform.claude.com/docs/en/agent-sdk/permissions (Permission modes section)
- https://code.claude.com/en/sub-agents (Permission modes section)
Current documentation explicitly warns about this:
"Subagents may have different system prompts and less constrained behavior than your main agent. Enabling bypassPermissions grants them full, autonomous system access without any approval prompts."
The fact that this warning exists suggests the design team recognizes the risk but hasn't yet provided users a way to mitigate it.
Related security principle: Least privilege. Subagents should receive only the permissions they need for their specific task, not automatically inherit the most privileged mode available.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗