claude-code - 💡(How to fix) Fix [BUG] --agent mode ignores explicit permissions.allow rules for built-in read-only commands [2 comments, 2 participants]

anthropics/claude-code#58652 (fetched 2026-05-14 03:42:47)

Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

When Claude Code is launched with --agent <name>, explicit permissions.allow rules for commands on the built-in read-only list (ls, cat, head, tail, etc.) are silently ignored — the agent prompts for permission anyway. Rules for commands NOT on the built-in list (e.g., Bash(jq *)) work as expected.

In --agent mode:

  • The built-in read-only auto-allowlist appears to be suppressed (so ls/cat aren't auto-approved as they would be in a normal session).
  • Explicit permissions.allow rules for those same commands are ALSO ignored, even though /permissions lists them as active.
  • Explicit rules for commands not on the built-in list DO work normally.

The combination means there is no way to allowlist ls / cat / head / tail / etc. for an agent session: the built-in path is off, and the user-allowlist path appears to no-op for these specific command names. Every basic read-only Bash call prompts, with no documented way to allowlist them.

May be related to #58645 (agent frontmatter allowedTools/disallowedTools ignored for plugin agents), though that issue is about a different permission mechanism (frontmatter, plugin-only) while this one is about permissions.allow from settings.json and reproduces with a local agent too.

What Should Happen?

Per the docs, either:

  • Built-in read-only commands run without prompting in every mode (then ls/cat should not prompt), OR
  • Explicit permissions.allow rules listed in /permissions are honored (then Bash(ls *)/Bash(cat *) should match and not prompt).

Either way, ls /tmp and cat /etc/hostname should not trigger a prompt.

Error Messages/Logs

Steps to Reproduce

Preconditions: no project .claude/settings.json, no settings.local.json anywhere on disk. Session must be a fresh start (not resumed) so settings are loaded.

  1. Create a minimal user-defined agent at ~/.claude/agents/ops-agent.md:

    ---
    name: ops-agent
    description: Minimal repro agent
    ---
    
    You are a helpful assistant.

    (Frontmatter has no tools: field, no permissions block, no deny list.)

  2. In ~/.claude/settings.json, add to permissions.allow:

    "Bash(ls *)",
    "Bash(cat *)",
    "Bash(jq *)"

    (the last entry is a stand-in for any command not on the built-in read-only list)

  3. Launch a fresh session with the agent:

    claude --agent ops-agent
  4. In the agent session, run /permissions and confirm Bash(ls *), Bash(cat *), Bash(jq *) are all listed as active.

  5. Have the agent run each of:

    • jq --help → no prompt (expected)
    • ls /tmp → prompts (unexpected)
    • cat /etc/hostname → prompts (unexpected)

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

2.1.138 (Claude Code)

Platform

AWS Bedrock

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

No response
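
The following audit helper is an added example, not part of the original issue and not Claude Code's own code. It parses `permissions.allow` entries shaped like the ones in the report and sorts them by whether the report says they are ignored under `--agent`. Assumptions: the affected set is only the four command names the report spells out (`ls`, `cat`, `head`, `tail`), the command name is the rule text up to the first space or colon, and `SAMPLE_SETTINGS` and `classify_allow_rules` are constructed for illustration.

```python
import json
import re

# Command names the report lists as built-in read-only. Its "etc." is not
# expanded here (assumption: only these four are treated as affected).
REPORTED_READONLY = {"ls", "cat", "head", "tail"}

# Matches rules shaped like the report's, e.g. "Bash(ls *)".
BASH_RULE = re.compile(r"^Bash\((?P<body>.+)\)$")

# Constructed sample: the three rules from the report plus one extra entry.
SAMPLE_SETTINGS = """
{
  "permissions": {
    "allow": ["Bash(ls *)", "Bash(cat *)", "Bash(jq *)", "Bash(head -n 20 *)"]
  }
}
"""


def classify_allow_rules(settings_text):
    """Group permissions.allow entries by the behaviour the report describes."""
    settings = json.loads(settings_text)
    allow = settings.get("permissions", {}).get("allow", [])
    result = {"reported_ignored": [], "reported_working": [], "not_bash": []}
    for rule in allow:
        match = BASH_RULE.match(rule) if isinstance(rule, str) else None
        if match is None:
            # Not a Bash(...) rule; the report says nothing about these.
            result["not_bash"].append(rule)
            continue
        # Command name: rule body up to the first whitespace or colon.
        command = re.split(r"[\s:]", match.group("body").strip(), maxsplit=1)[0]
        if command in REPORTED_READONLY:
            result["reported_ignored"].append(rule)
        else:
            result["reported_working"].append(rule)
    return result


if __name__ == "__main__":
    for bucket, rules in classify_allow_rules(SAMPLE_SETTINGS).items():
        print(f"{bucket}: {rules}")
```

Rules in the `reported_ignored` bucket are the ones to retest with `claude --agent <name>` after upgrading past 2.1.138.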
