[BUG] mode: bypassPermissions on Agent/Task tool has no effect on Bash permission prompts

Resolved 💬 3 comments Opened Mar 8, 2026 by ilanoh Closed Mar 11, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When spawning agents via the Agent tool (or Task in teams) with mode: "bypassPermissions", all Bash commands still trigger interactive permission prompts in the parent session. This makes autonomous multi-agent workflows impossible.

The bug persists across ALL agent spawn configurations:

| Configuration | Result |
|---|---|
| Agent with mode: "bypassPermissions" | Bash prompts still appear |
| Agent with custom subagent_type (.claude/agents/ YAML with permissionMode: bypassPermissions) | Bash prompts still appear |
| Agent with isolation: "worktree" + mode: "bypassPermissions" | Bash denied entirely |
| TeamCreate + Task with mode: "bypassPermissions" | Bash prompts still appear |
| Custom agent YAML with explicit allowed-tools: [Bash] | Bash prompts still appear |

What Should Happen?

Setting mode: "bypassPermissions" on an Agent/Task call should grant the spawned agent full tool access without prompting the parent session user. This is the behavior implied by the mode name.

Steps to Reproduce

  1. Start Claude Code in default permission mode
  2. Spawn an agent:
Agent(
  subagent_type: "general-purpose",
  mode: "bypassPermissions",
  prompt: "Run: node -e 'console.log(1+1)'"
)
  1. Observe: parent session prompts user to approve the Bash(node) command
  2. Expected: command runs without any prompt

Workarounds (all inadequate)

  1. Add Bash(node:*) to settings.local.json: Changes permissions for ALL sessions globally, not just the spawned agent. Unacceptable security tradeoff.
  2. --dangerously-skip-permissions: Too broad, removes all safety for the entire session including the parent.
  3. Run work sequentially in main thread: Defeats the entire purpose of agents and parallelization.

What's Needed

mode: "bypassPermissions" should work as documented for the specific spawned agent, without requiring global or project-level permission file changes. The permission grant should be scoped to the agent instance, not leak into other sessions.

Related Issues

  • #26479 (Agent Teams teammates ignore bypassPermissions)
  • #24073 / #24307 (Delegate Mode strips tools from teammates)
  • #15921 (settings.local.json not respected for Bash/Write/Edit)

Claude Model

Opus 4.6

Is this a regression?

I don't know

Claude Code Version

Latest (March 2026)

Platform

Anthropic API

Operating System

macOS (Darwin, Apple Silicon)

Terminal/Shell

zsh

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗