bypassPermissions does not bypass Read/Bash for paths outside project root in background subagents

[churnish]

Description

A custom subagent with permissionMode: bypassPermissions in its frontmatter is denied Read and Bash access to files outside the project root (specifically ~/.claude/plans/). Both tools are listed in the subagent's tools field.

The subagent runs as a background agent (background: true). The permission denial is silent — the subagent sees both tool calls denied and asks for permission, but background agents auto-deny unresolved prompts, so the subagent fails.

Subagent config

---
name: code-modifier
tools: Read, Glob, Grep, Edit, Write, Bash
permissionMode: bypassPermissions
maxTurns: 250
background: true
skills:
  - build
---

Location: ~/.claude/agents/code-modifier.md

Steps to reproduce

1. Create a subagent with the config above
2. In the parent conversation, dispatch the subagent with a prompt that references a file at ~/.claude/plans/some-plan.md
3. The subagent attempts Read on that path → denied
4. The subagent attempts Bash with cat on that path → denied
5. The subagent asks for permission but as a background agent, the prompt auto-denies

Expected behavior

permissionMode: bypassPermissions should skip all permission checks per the docs: "Skip all permission checks."

Actual behavior

Both Read and Bash are denied for paths outside the project root (~/.claude/plans/ in this case), despite bypassPermissions.

Evidence

Subagent transcript (abbreviated):

ASSISTANT: Let me start by reading the plan file.
TOOL CALL: Read {"file_path": "/Users/.../plans/selectstart-selection-guard.md"}
TOOL CALL: Bash {"command": "cat ~/.claude/plans/selectstart-selection-guard.md"}
ASSISTANT: I need permission to read the plan file. Both the Read tool and Bash tool were denied.

Environment

• Claude Code version: latest (Feb 2026)
• macOS (Darwin 25.3.0)
• Subagent scope: user-level (~/.claude/agents/)

🤖 Generated with Claude Code

[github-actions]

Found 3 possible duplicate issues:

1. canUseTool callback not invoked for background subagent tool calls in default permission mode #27203
2. [BUG] Background agents cannot run Bash commands - auto-denied without prompting user #18172
3. Spawned agents: bypassPermissions ineffective, worktree data loss, plan mode loop #29110

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[churnish]

Not a duplicate of the suggested issues:

• [BUG] Background agents cannot run Bash commands - auto-denied without prompting user #18172 reports background agents auto-denied in default permission mode (expected behavior per docs — background agents pre-approve permissions at launch). This issue is about bypassPermissions mode specifically failing to bypass.
• canUseTool callback not invoked for background subagent tool calls in default permission mode #27203 is about the Agent SDK's canUseTool callback, not CLI subagents.
• Spawned agents: bypassPermissions ineffective, worktree data loss, plan mode loop #29110 Bug 1 is the closest match — also reports bypassPermissions ineffective on spawned agents. However, it covers worktree isolation bugs too. This issue provides a minimal, isolated repro for the bypassPermissions + background subagent + out-of-project-root path combination.

The core bug: permissionMode: bypassPermissions in subagent frontmatter does not bypass Read/Bash permission checks for paths outside the project root when the subagent runs in background mode.

🤖 Generated with Claude Code

[tylerlaprade]

This is not desired. Claude should only operate within the given repo. Otherwise it could rm -rf your entire filesystem.

[github-actions]

Closing for now — inactive for too long. Please open a new issue if this is still relevant.