Agent Teams: subagent crashes with <Box> in <Text> Ink error on sensitive-path Edit/Write
Summary
Claude Code 2.1.117 and 2.1.118 subagents spawned in experimental Agent Teams mode crash with an Ink rendering error whenever the subagent issues an Edit or Write tool call targeting a file inside a "sensitive" path (e.g. .claude/commands/). Crash is reproducible, does not depend on mode: bypassPermissions, and does not fire on Read of the same path — only on Edit/Write.
Reproduction
- Enable experimental teams:
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1in~/.claude/settings.json. - Parent session started with
--dangerously-skip-permissions. - From parent, spawn a subagent via the
Agenttool:
````
Agent({
subagent_type: "general-purpose",
team_name: "<any>",
name: "<any>"
})
- In the spawn prompt, direct the subagent to
EditorWriteany file inside.claude/commands/or another sensitive path. - Subagent crashes the moment the tool call is processed.
Error
ERROR <Box> can't be nested inside <Text> component
at createInstance (cli.js:495:249)
at BU (cli.js:477:57938)
at gTH (cli.js:477:87786)
at XWH (cli.js:477:86997)
at bgH (cli.js:477:85896)
at Ir (cli.js:477:85717)
at MWH (cli.js:477:82456)
at T_ (cli.js:477:6497)
at hH (cli.js:477:4980)
at eH (cli.js:477:5281)
The Ink host-config createInstance rejects an ink-box created while the parent context has isInsideText: true. Almost certainly a <Box> element nested inside a <Text> wrapper within the sensitive-file Edit confirmation / preview UI component.
Differential matrix (all tested on 2.1.117, same session)
| mode | Target path | Result |
|---|---|---|
| (none) | /tmp/<file> | pass |
| (none) | <worktree>/tmp/<file> | pass |
| (none) | .claude/commands/<file> (Read only) | pass |
| (none) | .claude/commands/<file> (Edit) | crash |
| bypassPermissions | /tmp/<file> | pass |
| bypassPermissions | .claude/commands/<file> (Edit) | crash |
What was ruled out
- Permission prompts. Parent runs with
--dangerously-skip-permissions; no prompt fires before the crash. - Custom statusline. Removing
statusLineconfig did not change behavior. - Worktree path. Crash fires whether spawn CWD is main repo or worktree.
- Workload volume. Light workloads (single Edit) crash identically to heavy workloads.
mode: bypassPermissionsitself. Non-bypass spawns crash identically on sensitive-path Edit.- Skill load. Probes that loaded
bmad-agent-devand probes that did not both crash when the Edit targets a sensitive path.
Environment
- Claude Code: 2.1.117 (also reproduces on 2.1.118)
- OS: macOS (Darwin 25.4.0)
- Terminal: tmux (subagents use
backendType: "tmux") - Experimental feature:
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1
Workaround
Parent session performs edits on sensitive paths. Team subagents are restricted to edits on non-sensitive paths (code, docs, tests). Reviewer subagents (Read-only) remain safe.
Impact
Blocks any workflow where team subagents must edit Claude Code config files (.claude/commands/, .claude/skills/, ~/.claude/settings.json, etc.). Because experimental Agent Teams is foundational to multi-agent pipelines, this bug blocks self-modifying pipeline rewrites and similar infrastructure work.
Likely area to inspect
The JSX rendering the sensitive-file Edit confirmation/preview in the subagent TUI. Most likely a <Box> placed inside a <Text> parent, only reachable when isSensitivePath(target) is true. Read paths are fine, so the bug is specifically in the Edit/Write confirmation render path, not the tool itself.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗