Support denyMainOnly permission scope: restrict tools to subagents only
Problem
When a tool is denied (via deniedTools in settings or hook deny decision), the restriction applies equally to the main conversation and all subagents. There is no way to deny a tool to the main conversation while allowing subagents to use it.
Use Case
I want to restrict write-access MCP tools (e.g., patch_object, delete_object) so the main conversation LLM cannot call them directly, but specialized subagents — which have focused prompts and limited tool sets — can. This provides a safety layer: the main conversation must delegate writes to purpose-built agents rather than calling write tools directly.
Example settings (desired behavior):
{
"permissions": {
"denyMainOnly": ["mcp__server__patch_object", "mcp__server__delete_object"]
}
}
Current Behavior
deniedTools/denyblocks the tool for both main and subagents- PreToolUse hooks cannot distinguish main from subagent — all fields (
session_id,transcript_path,permission_mode, env vars) are identical - No workaround exists short of process tree inspection (fragile)
Proposed Solution
Add a permission scope that denies tools to the main conversation but allows subagents to use them. Possible approaches:
- New permission list:
denyMainOnly— denied for main conversation, allowed for subagents - Subagent override:
allowForSubagentslist that overridesdenywhen called from a subagent - Hook context field: Add
is_subagent/caller/agent_depthto PreToolUse hook input so hooks can make the decision themselves
Option 1 or 2 would be the cleanest — no hook scripting needed.
Why This Matters
Subagents are the natural delegation mechanism in Claude Code. Being able to restrict the main conversation to read-only while letting specialized agents write is a practical safety pattern, especially for MCP tools that modify external systems.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗