[BUG] Title: Subagents don't inherit .env deny rules from settings.json

Resolved 💬 2 comments Opened May 7, 2026 by bennet-ikona Closed May 7, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary
Deny rules configured in settings.json to block reads of .env files are not inherited by subagents. Users who have correctly hardened their main config still have agents reading .env files.

What Should Happen?

Permission denies in settings.json apply to the entire agent hierarchy. Hardening the parent config should be sufficient; agents should inherit by default.

Actual
Each agent definition requires its own duplicate deny configuration. A user who believes they've locked down .env access at the settings level is silently wrong.
Why this matters
.env files hold secrets. Silent permission divergence between parent config and agents is a security footgun — the user has done the right thing and still loses.

Error Messages/Logs

Steps to Reproduce

Add deny rule for Read(./.env) and Read(./.env.*) in ~/.claude/settings.json (or project .claude/settings.json).
Verify main Claude Code session correctly refuses to read .env.
Invoke a subagent that has filesystem read access.
Subagent reads .env despite the parent-level deny.

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.131

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗