Subagent Edit/Write denials on .claude/agents/*.md persist despite project settings.json allowlist + autoMode.allow extensions + defaultMode=acceptEdits
Summary
In a Claude Code session, dispatched subagents (Agent tool withsubagent_type) consistently fail with "Permission to use Edit has
been denied." when attempting Edit or Write on files under the
project's .claude/agents/*.md path, even when the project.claude/settings.json has all of:
permissions.defaultMode: "acceptEdits"permissions.allow: ["Edit(/home/quackdcs/SWEProj/**)", "Write(/home/quackdcs/SWEProj/**)", ...]permissions.autoMode.allow: ["$defaults", "Edit(/home/quackdcs/SWEProj/**) ...", "Write(/home/quackdcs/SWEProj/**) ..."]- Equivalent rules in
.claude/settings.local.json.
The same Edit / Write calls succeed when made directly from the
main session in the same project. The denial is specific to
dispatched subagents.
Repro
- Project at
/home/quackdcs/SWEProjwith the settings.json content
above (every Edit/Write of ** allowed both at project and via
autoMode.allow).
- From the main session, run:
````
Agent(subagent_type="researcher", prompt="Edit /home/quackdcs/SWEProj/.claude/agents/security-engineer.md frontmatter line 4: change 'tools: Read, Grep, Glob, SendMessage' to 'tools: Read, Write, Edit, Grep, Glob, SendMessage'")
- Researcher attempts
Edit. Result: "Permission to use Edit has
been denied." Researcher correctly stops per its no-silent-
substitution clause.
- From the main session, run the same
Editdirectly. Result:
succeeds.
What I checked
permissions.allowglobEdit(/home/quackdcs/SWEProj/**)clearly
matches the path /home/quackdcs/SWEProj/.claude/agents/security-engineer.md.
permissions.denyis empty for Edit / Write.permissions.defaultModeisacceptEdits.permissions.autoMode.allowextension with$defaultswas added
on the hypothesis that the auto-mode classifier was rejecting
these despite the explicit allow rule. Did not change behaviour.
~/.claude/settings.jsonhasdefaultMode: "auto"and
skipAutoPermissionPrompt: true. Setting the project to
acceptEdits should override; if there's a precedence issue
here, that's the bug.
- Other
Editpaths from the same dispatched subagent succeed
(e.g., the researcher edits docs/library/INVENTORY.md cleanly
in the same dispatch). So it's not a subagent-write-blanket-deny
— it's specifically about .claude/agents/*.md paths.
Hypothesis
Either:
- The auto-mode classifier has a hard-coded rule treating
.claude/ paths as sensitive that's not surfaced via documented
permissions.deny or autoMode.allow extension points; OR
- There's a precedence resolution where the global
defaultMode: "auto" + skipAutoPermissionPrompt: true
composes (project settings ignored for some categories), turning
"ask" into "deny silently"; OR
- The
autoMode.allowextension applies to the main session's
classifier but not to dispatched subagents' classifiers.
I don't have visibility into which.
Workaround
The project's tech-lead (= main session per the project's adopted
v0.12.1 main-session-persona rule) does the agent-file edits
directly. Subagents are fine for everything else.
Why this matters
Long-lived projects with role-separated subagents (e.g.,software-engineer, code-reviewer, release-engineer) need to
edit agent contracts as the project evolves. Forcing tech-lead to
do every agent-file edit collapses the role-separation pattern that
the framework relies on. It also makes the officialpermissions.allow glob system look broken from the user's side
(rule visibly matches the path; denial visibly happens; no log
explaining which layer denied).
Project context
Filed from a downstream of occamsshavingkit/sw-dev-team-template
at v0.13.1. Settings path:/home/quackdcs/SWEProj/.claude/settings.json. Discovered
2026-04-25 during a multi-hand-merge dispatch; same denial pattern
hit at least three different subagent dispatches across the
session.
Suggested investigation
- Surface the layer that actually denies: when Edit is denied on a
path that permissions.allow clearly matches, the denial message
should name the rule / classifier responsible. Right now it says
only "Permission to use Edit has been denied."
- Document whether
autoMode.allowextends to dispatched subagent
classifiers or only to the main session.
- If
.claude/paths are intentionally treated as sensitive
regardless of project allowlist, document the rule and provide
a project-level opt-in that subagents inherit.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗