[BUG] Plan-mode read-only guarantee is bypassed by spawned subagents — auto mode classifier governs subagents instead of plan mode.

Resolved 💬 2 comments Opened May 31, 2026 by S-Luiten Closed Jul 4, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The core issue: When the main agent is in plan mode (read-only), subagents it spawns via Agent/Explore are not bound by plan mode's read-only contract. Their tool calls are evaluated by the auto mode permission classifier — a separate, more permissive policy the user never opted into at that level.

Evidence: A spawned Explore subagent attempted: git config --global --add safe.directory /home/<user>/repos/<repo>, a persistent, system-wide mutation. It was blocked — but by the auto mode classifier, not by plan mode. The classifier catching it was lucky, not by design; a non-read-only action it didn't flag would have executed during plan mode.

Severity: High — plan mode is a trust boundary ("look, don't touch") and this is a hole in it.

Suggested fixes:

  1. Propagate plan mode's read-only policy to all descendant subagents (don't fall back to auto mode).
  2. Defense in depth: categorically deny persistent/system-wide mutations like git config --global in plan mode for any agent in the tree.
  3. Subagent guidance: report read failures (e.g. git dubious-ownership) upward instead of mutating the environment to work around them.
This bug report was generated by Claude Opus 4.8

Workaround: Set disableAutoMode to "disable" in settings.json

What Should Happen?

See above, subagents spawned in plan mode should not default to auto mode unless the user explicitly opts in to that behaviour.

Error Messages/Logs

Tool call: `git config --global --add safe.directory /home/<user>/repos/<repo> 2>&1; git -C /home/<user>/repos/<repo> log --oneline -20 2>&1`

Result:

Permission for this action was denied by the Claude Code auto mode classifier. Reason: Modifying global git config (--global safe.directory) is a persistent system-wide change beyond project scope, not authorized by the user's investigation task.. If you have other tasks that don't depend on this action, continue working on those. IMPORTANT: You *may* attempt to accomplish this action using other tools that might naturally be used to accomplish this goal, e.g. using head instead of cat. But you *should not* attempt to work around this denial in malicious ways, e.g. do not use your ability to run tests to execute non-test actions. You should only try to work around this restriction in reasonable ways that do not attempt to bypass the intent behind this denial. If you believe this capability is essential to complete the user's request, STOP and explain to the user what you were trying to do and why you need this permission. Let the user decide how to proceed. To allow this type of action in the future, the user can add a Bash permission rule to their settings.

Steps to Reproduce

  1. Make sure settings.json (both project-level and user-level) does NOT disable disableAutoMode, and does NOT set a defaultMode.
  2. Start a new session in plan mode.
  3. Observe subagents in plan mode attempting non-read-only actions and getting blocked by auto mode.

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.114 (Claude Code)

Platform

Other

Operating System

Ubuntu/Debian Linux

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗