Subagent Edit/Write denials on .claude/agents/*.md persist despite project settings.json allowlist + autoMode.allow extensions + defaultMode=acceptEdits

Resolved 💬 3 comments Opened Apr 25, 2026 by occamsshavingkit Closed Apr 29, 2026

Summary

In a Claude Code session, dispatched subagents (Agent tool with
subagent_type) consistently fail with "Permission to use Edit has
been denied." when attempting Edit or Write on files under the
project's .claude/agents/*.md path, even when the project
.claude/settings.json has all of:

  • permissions.defaultMode: "acceptEdits"
  • permissions.allow: ["Edit(/home/quackdcs/SWEProj/**)", "Write(/home/quackdcs/SWEProj/**)", ...]
  • permissions.autoMode.allow: ["$defaults", "Edit(/home/quackdcs/SWEProj/**) ...", "Write(/home/quackdcs/SWEProj/**) ..."]
  • Equivalent rules in .claude/settings.local.json.

The same Edit / Write calls succeed when made directly from the
main session in the same project. The denial is specific to
dispatched subagents.

Repro

  1. Project at /home/quackdcs/SWEProj with the settings.json content

above (every Edit/Write of ** allowed both at project and via
autoMode.allow).

  1. From the main session, run:

``
Agent(subagent_type="researcher", prompt="Edit /home/quackdcs/SWEProj/.claude/agents/security-engineer.md frontmatter line 4: change 'tools: Read, Grep, Glob, SendMessage' to 'tools: Read, Write, Edit, Grep, Glob, SendMessage'")
``

  1. Researcher attempts Edit. Result: "Permission to use Edit has

been denied." Researcher correctly stops per its no-silent-
substitution clause.

  1. From the main session, run the same Edit directly. Result:

succeeds.

What I checked

  • permissions.allow glob Edit(/home/quackdcs/SWEProj/**) clearly

matches the path /home/quackdcs/SWEProj/.claude/agents/security-engineer.md.

  • permissions.deny is empty for Edit / Write.
  • permissions.defaultMode is acceptEdits.
  • permissions.autoMode.allow extension with $defaults was added

on the hypothesis that the auto-mode classifier was rejecting
these despite the explicit allow rule. Did not change behaviour.

  • ~/.claude/settings.json has defaultMode: "auto" and

skipAutoPermissionPrompt: true. Setting the project to
acceptEdits should override; if there's a precedence issue
here, that's the bug.

  • Other Edit paths from the same dispatched subagent succeed

(e.g., the researcher edits docs/library/INVENTORY.md cleanly
in the same dispatch). So it's not a subagent-write-blanket-deny
— it's specifically about .claude/agents/*.md paths.

Hypothesis

Either:

  1. The auto-mode classifier has a hard-coded rule treating

.claude/ paths as sensitive that's not surfaced via documented
permissions.deny or autoMode.allow extension points; OR

  1. There's a precedence resolution where the global

defaultMode: "auto" + skipAutoPermissionPrompt: true
composes (project settings ignored for some categories), turning
"ask" into "deny silently"; OR

  1. The autoMode.allow extension applies to the main session's

classifier but not to dispatched subagents' classifiers.

I don't have visibility into which.

Workaround

The project's tech-lead (= main session per the project's adopted
v0.12.1 main-session-persona rule) does the agent-file edits
directly. Subagents are fine for everything else.

Why this matters

Long-lived projects with role-separated subagents (e.g.,
software-engineer, code-reviewer, release-engineer) need to
edit agent contracts as the project evolves. Forcing tech-lead to
do every agent-file edit collapses the role-separation pattern that
the framework relies on. It also makes the official
permissions.allow glob system look broken from the user's side
(rule visibly matches the path; denial visibly happens; no log
explaining which layer denied).

Project context

Filed from a downstream of occamsshavingkit/sw-dev-team-template
at v0.13.1. Settings path:
/home/quackdcs/SWEProj/.claude/settings.json. Discovered
2026-04-25 during a multi-hand-merge dispatch; same denial pattern
hit at least three different subagent dispatches across the
session.

Suggested investigation

  • Surface the layer that actually denies: when Edit is denied on a

path that permissions.allow clearly matches, the denial message
should name the rule / classifier responsible. Right now it says
only "Permission to use Edit has been denied."

  • Document whether autoMode.allow extends to dispatched subagent

classifiers or only to the main session.

  • If .claude/ paths are intentionally treated as sensitive

regardless of project allowlist, document the rule and provide
a project-level opt-in that subagents inherit.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗