Background agents cannot perform write operations despite settings allow rules

Resolved 💬 7 comments Opened Mar 29, 2026 by wotpsycho Closed May 1, 2026

Description

Background agents (launched via the Agent tool with run_in_background: true) cannot perform any write operations, even when those operations are explicitly in the permissions.allow list in settings.json. Read-only operations from the allow list work fine.

Reproduction

  1. Add these to ~/.claude/settings.json:
{
  "permissions": {
    "allow": [
      "Bash(git status *)",
      "Bash(mkdir *)",
      "Bash(unzip *)",
      "Bash(touch *)",
      "Bash(echo *)"
    ]
  }
}
  1. Launch a background agent:
Launch a background agent that runs these commands one at a time and reports success/failure: 1) git status 2) mkdir -p /tmp/test 3) unzip --help 4) touch /tmp/test.txt 5) echo hello > /tmp/test2.txt

Results

| Command | Type | Result |
|---------|------|--------|
| git status | read-only | pass |
| unzip --help | read-only (no file write) | pass |
| mkdir -p /tmp/test | write (filesystem) | fail |
| mkdir -p ./test | write (working dir) | fail |
| touch /tmp/test.txt | write | fail |
| echo hello > /tmp/test.txt | write | fail |

The Write tool is also denied for background agents, not just Bash writes.

Running the same agent in the foreground (without run_in_background) — all operations succeed (with interactive prompts where needed).

Expected behavior

According to the subagents documentation:

Before launching, Claude Code prompts for any tool permissions the subagent will need, ensuring it has the necessary approvals upfront.

However, no pre-approval prompt fires before the background agent launches. The agent simply starts and then all write operations are auto-denied.

Operations that are in the permissions.allow list should be auto-approved for background agents the same way they are for foreground agents, without requiring an interactive prompt.

Additional context

  • Read-only allow-listed Bash commands DO work in background agents, confirming the allow list IS read
  • The issue is specifically with write operations (Bash writes + Write tool)
  • additionalDirectories / allowedDirectories with /tmp configured — no effect
  • Tested across fresh sessions and --continue sessions — same behavior
  • Claude Code version: 2.1.81
  • Platform: macOS Darwin 23.6.0

Workaround

Run agents in the foreground instead of background. Foreground agents can prompt for write permissions interactively.

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗