[BUG] Plan-mode read-only guarantee is bypassed by spawned subagents — auto mode classifier governs subagents instead of plan mode.
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The core issue: When the main agent is in plan mode (read-only), subagents it spawns via Agent/Explore are not bound by plan mode's read-only contract. Their tool calls are evaluated by the auto mode permission classifier — a separate, more permissive policy the user never opted into at that level.
Evidence: A spawned Explore subagent attempted: git config --global --add safe.directory /home/<user>/repos/<repo>, a persistent, system-wide mutation. It was blocked — but by the auto mode classifier, not by plan mode. The classifier catching it was lucky, not by design; a non-read-only action it didn't flag would have executed during plan mode.
Severity: High — plan mode is a trust boundary ("look, don't touch") and this is a hole in it.
Suggested fixes:
- Propagate plan mode's read-only policy to all descendant subagents (don't fall back to auto mode).
- Defense in depth: categorically deny persistent/system-wide mutations like
git config --globalin plan mode for any agent in the tree. - Subagent guidance: report read failures (e.g. git dubious-ownership) upward instead of mutating the environment to work around them.
This bug report was generated by Claude Opus 4.8
Workaround: Set disableAutoMode to "disable" in settings.json
What Should Happen?
See above, subagents spawned in plan mode should not default to auto mode unless the user explicitly opts in to that behaviour.
Error Messages/Logs
Tool call: `git config --global --add safe.directory /home/<user>/repos/<repo> 2>&1; git -C /home/<user>/repos/<repo> log --oneline -20 2>&1`
Result:
Permission for this action was denied by the Claude Code auto mode classifier. Reason: Modifying global git config (--global safe.directory) is a persistent system-wide change beyond project scope, not authorized by the user's investigation task.. If you have other tasks that don't depend on this action, continue working on those. IMPORTANT: You *may* attempt to accomplish this action using other tools that might naturally be used to accomplish this goal, e.g. using head instead of cat. But you *should not* attempt to work around this denial in malicious ways, e.g. do not use your ability to run tests to execute non-test actions. You should only try to work around this restriction in reasonable ways that do not attempt to bypass the intent behind this denial. If you believe this capability is essential to complete the user's request, STOP and explain to the user what you were trying to do and why you need this permission. Let the user decide how to proceed. To allow this type of action in the future, the user can add a Bash permission rule to their settings.
Steps to Reproduce
- Make sure settings.json (both project-level and user-level) does NOT disable
disableAutoMode, and does NOT set adefaultMode. - Start a new session in plan mode.
- Observe subagents in plan mode attempting non-read-only actions and getting blocked by auto mode.
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.114 (Claude Code)
Platform
Other
Operating System
Ubuntu/Debian Linux
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗