bypassPermissions on agents ignores settings.local.json allowlist

Resolved 💬 4 comments Opened Mar 28, 2026 by Gorocy Closed May 7, 2026

Bug Description

When spawning sub-agents with mode: bypassPermissions, they can execute tools that are NOT in the project's settings.local.json allowlist. The allowlist is completely bypassed.

Steps to Reproduce

  1. Create .claude/settings.local.json with a restrictive allowlist:
{
  "permissions": {
    "allow": [
      "Bash(cargo build:*)",
      "Bash(cargo test:*)",
      "Bash(grep:*)"
    ]
  }
}
  1. In a conversation, spawn an agent with mode: bypassPermissions:
Agent({
  mode: "bypassPermissions",
  prompt: "Create a file and commit it",
  subagent_type: "general-purpose"
})
  1. The agent successfully executes:
  • Write tool (creates new files)
  • Edit tool (modifies files)
  • Bash(git add ...)
  • Bash(git commit ...)
  • Bash(mkdir ...)
  • Bash(rm ...)
  • Bash(mv ...)

None of these are in the allowlist. The user is never prompted for approval.

Expected Behavior

bypassPermissions should either:

  • Still respect the project-level settings.local.json allowlist (preferred)
  • OR at minimum prompt the user for tools not in the allowlist

Actual Behavior

All tools are executed without any permission check. The allowlist in settings.local.json is completely ignored by sub-agents with bypassPermissions.

Impact

  • Git history pollution: Multiple unauthorized commits were made without user consent
  • File system changes: Files created, modified, moved, and deleted without approval
  • Trust violation: User set explicit permissions expecting them to be enforced

Environment

  • Claude Code CLI
  • Model: Claude Opus 4.6 (1M context)
  • OS: Linux (Manjaro)
  • The .claude/settings.local.json file exists and works correctly for the main conversation (tools not in allowlist DO trigger permission prompts). Only sub-agents with bypassPermissions bypass it.

Suggested Fix

bypassPermissions mode should be scoped to bypass the per-tool user approval prompt, NOT bypass the project-level allowlist. The allowlist represents a security boundary that should never be overridden by agent mode.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗