[BUG] mode: bypassPermissions on Agent/Task tool has no effect on Bash permission prompts
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When spawning agents via the Agent tool (or Task in teams) with mode: "bypassPermissions", all Bash commands still trigger interactive permission prompts in the parent session. This makes autonomous multi-agent workflows impossible.
The bug persists across ALL agent spawn configurations:
| Configuration | Result |
|---|---|
| Agent with mode: "bypassPermissions" | Bash prompts still appear |
| Agent with custom subagent_type (.claude/agents/ YAML with permissionMode: bypassPermissions) | Bash prompts still appear |
| Agent with isolation: "worktree" + mode: "bypassPermissions" | Bash denied entirely |
| TeamCreate + Task with mode: "bypassPermissions" | Bash prompts still appear |
| Custom agent YAML with explicit allowed-tools: [Bash] | Bash prompts still appear |
What Should Happen?
Setting mode: "bypassPermissions" on an Agent/Task call should grant the spawned agent full tool access without prompting the parent session user. This is the behavior implied by the mode name.
Steps to Reproduce
- Start Claude Code in default permission mode
- Spawn an agent:
Agent(
subagent_type: "general-purpose",
mode: "bypassPermissions",
prompt: "Run: node -e 'console.log(1+1)'"
)
- Observe: parent session prompts user to approve the
Bash(node)command - Expected: command runs without any prompt
Workarounds (all inadequate)
- Add
Bash(node:*)tosettings.local.json: Changes permissions for ALL sessions globally, not just the spawned agent. Unacceptable security tradeoff. --dangerously-skip-permissions: Too broad, removes all safety for the entire session including the parent.- Run work sequentially in main thread: Defeats the entire purpose of agents and parallelization.
What's Needed
mode: "bypassPermissions" should work as documented for the specific spawned agent, without requiring global or project-level permission file changes. The permission grant should be scoped to the agent instance, not leak into other sessions.
Related Issues
- #26479 (Agent Teams teammates ignore bypassPermissions)
- #24073 / #24307 (Delegate Mode strips tools from teammates)
- #15921 (settings.local.json not respected for Bash/Write/Edit)
Claude Model
Opus 4.6
Is this a regression?
I don't know
Claude Code Version
Latest (March 2026)
Platform
Anthropic API
Operating System
macOS (Darwin, Apple Silicon)
Terminal/Shell
zsh
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗