[BUG] Project settings.json deny rules not enforced in Task subagents

Resolved 💬 2 comments Opened Feb 19, 2026 by escapism101 Closed Feb 19, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Project-level permission deny rules defined in .claude/settings.json are not applied to subagents spawned via the Task tool. This allows subagents to read files that the project owner has explicitly denied access to, including files containing sensitive credentials.

What Should Happen?

Deny rules in .claude/settings.json should be inherited and enforced by all subagents spawned via the Task tool, identical to how they are enforced in the parent session.

Actual behavior:

Subagents bypass project-level deny rules entirely. The denied file is read, its contents (including credentials) are sent to the API, and no permission prompt or block occurs.

Error Messages/Logs

Steps to Reproduce

  1. Create a project with a .claude/settings.json containing a deny rule, e.g.:

```json
{
"permissions": {
"deny": [
"Read(./config.json)"
]
}
}


2. Ask Claude Code to perform a broad task that triggers use of the Task tool with an Explore or general-purpose subagent (e.g., "explore the codebase").

3. The subagent reads the denied file without being blocked, and its contents are transmitted to Anthropic's API as part of the subagent's model context.

### Claude Model

Sonnet (default)

### Is this a regression?

I don't know

### Last Working Version

_No response_

### Claude Code Version

2.1.47

### Platform

Anthropic API

### Operating System

Ubuntu/Debian Linux

### Terminal/Shell

Other

### Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗