claude-code - 💡(How to fix) Fix [BUG] Claude Code — Per-Agent Permission Control Gap [2 comments, 2 participants]
ON THIS PAGE
Recommended Tools
×6Utilities matched from this issue’s tags and category — try them while you read without losing context.
GitHub issue graph ai analysis
Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.
The report is written in English Markdown for sharing and archival.
Helpful · Quick feedback
GitHub stats
anthropics/claude-code#54898•Fetched 2026-05-01 05:51:33
Comments
2
Participants
2
Timeline
10
Reactions
0
Author
divakaran5005Participants
![github-actions[bot]](https://avatars.githubusercontent.com/github-actions[bot]?s=32&v=4){kind=small}
github-actions[bot]Timeline (top)
labeled ×7commented ×2unlabeled ×1
Error Message
gas-error-handler → handles error logging gas-error-handler → handles errors in logs/
Error Messages/Logs
Exact Error Observed
| gas-error-handler | YES — "gas-error-handler" | BLOCK (not in approved list) |
Exact Error Observed
| gas-error-handler | YES — "gas-error-handler" | BLOCK (not in approved list) | gas-error-handler → handles error logging, write access to logs folder only.
Root Cause
Why this matters: This level of control gives two things: safety and quality. Safety because no agent can accidentally destroy another agent's work. Quality because each agent is forced to stay in its lane and do only what it is specialized for. What actually happens today: When I remove write access from the main agent to force delegation to subagents — the subagents also lose write access. They are cut off equally. The main agent ignores subagents and writes directly anyway. The specialized agents become useless. I am forced to either give the main agent full dangerous access OR break the entire pipeline. This makes the core value of specialized subagents — better output, safer execution, controlled file ownership — completely unreachable.
Code Example
What We Tried & Why Each Failed
Attempt 1 — Global deny in settings.json:
json{
"permissions": {
"deny": ["Write", "Edit", "Bash"]
}
}
Result: Blocked main agent AND all subagents equally. No agent could write anything. Project completely broken.
Attempt 2 — Path-specific deny in settings.json:
json{
"permissions": {
"deny": ["Write(src/**)","Edit(src/**)"]
}
}
Result: Blocked subagents too. Project-level deny overrides subagent tools: declarations. All 5 subagents failed — gas-script-coder, gas-sheets-builder, gas-code-review, git-agent, cmd-skills-hooks-builder.
Attempt 3 — Subagent tools: field in .md file:
yaml---
name: gas-script-coder
tools: Read, Write, Glob
---
Result: tools: field is overridden by project-level settings.json deny. Subagent declared Write but still could not write. Confirmed by testing all 5 subagents.
Attempt 4 — Separate settings.json per subagent folder:
agents/gas-script-coder/.claude/settings.json → allow Write
Result: These folder-level settings apply only to standalone Claude Code processes — NOT to subagents invoked via Agent() tool inside the main session. Completely ignored.
Attempt 5 — PreToolUse hooks:
Tried to intercept tool calls and check caller identity.
Result: Hook cannot identify whether the caller is main agent or subagent. No caller identity is exposed in hook context. Cannot differentiate.
Root Cause
<br>
Claude Code's permission system is session-wide, not agent-wide.
When a subagent is invoked via Agent() tool:
It loads its .md definition from .claude/agents/
It runs inside the SAME session
It INHERITS the parent session's permission rules
Project-level deny rules CANNOT be overridden by subagent tools: declarations
There is NO way to say "deny main agent only, allow subagent only" for the same path
---
---
# Hook System — src-write-guard Investigation Report
**Last Updated:** 2026-04-30
**Status:** 🔴 ALL APPROACHES FAILED — Debug logging needed to find actual PreToolUse stdin structure
---
## CORE OBJECTIVE
| Actor | src/ Access |
|-------|------------|
| Main agent (the AI talking to you) | BLOCKED — cannot write to src/ directly |
| Any sub-agent (gas-script-coder, gas-sheets-builder, git-flow-expert, etc.) | ALLOWED — can write to src/ |
**Rule:** Main agent must delegate all src/ writes to sub-agents. Cannot bypass via retry or Bash.
---
## SUMMARY — All Approaches (Quick View)
| | Approach 1 | Approach 2 | Approach 3 | Approach 4 |
|---|---|---|---|---|
| Recorder event | `UserPromptSubmit` | `SubagentStart/Stop` | `SubagentStart/Stop` + `SessionEnd` | NONE — no state file |
| Guard event | `Edit\|Write` | `Edit\|Write` | `Edit\|Write` + `Bash` | `Edit\|Write\|Bash` |
| State file logic | exact type match | exact type match | empty = block, non-empty = allow | **NO STATE FILE — tried agent_type from stdin** |
| Bash bypass fixed? | No | No | YES | YES |
| Stale state fixed? | No | No | YES | YES |
| Works for approved agents? | No | No | YES | NO — tested, FAILED |
| **Status** | 🔴 FAILED | 🔴 FAILED | 🟡 READY (not tested) | 🔴 **TESTED — FAILED** |
### Why Each Failed
- **Approach 1:** UserPromptSubmit fires for user messages, not agent messages — state always says "main-agent"
- **Approach 2:** SubagentStop fires BEFORE sub-agent completes its actual write (after user confirmation) — state cleared too early, even approved agents blocked
- **Approach 3:** Uses state file approach with improved logic — still needs testing but more complex than Approach 4
### Approach 4 — TESTED AND FAILED
**Web research claimed:**
- PreToolUse stdin includes `agent_type` for sub-agents
- PreToolUse stdin does NOT have `agent_type` for main agent (field is absent)
**Actual test result: 🔴 FAILED**
**TEST RESULT: 🔴 FAILED — agent_type is NOT present in PreToolUse stdin for sub-agents**
### Lessons from Approach 4 Failure
1. Web research was incorrect — `agent_type` does NOT appear in PreToolUse stdin for sub-agents
2. The PreToolUse JSON structure must be different from what was researched
3. Need to investigate actual PreToolUse stdin structure with debugging
### Next Steps Needed
1. Add debug logging to capture actual PreToolUse stdin structure
2. Find which field(s) actually distinguish main agent from sub-agents
3. Design Approach 5 based on actual observed behavior
---
## FILES TO CHANGE FOR APPROACH 4 (Quick Reference)
| File | Change |
|------|--------|
| `D:\...\src-write-guard.sh` | Replace with APPROACH 4 CANDIDATE script (read agent_type directly from stdin — no state file) |
| `D:\...\settings.json` | Add `src-write-guard.sh` to Bash block + REMOVE `src-agent-recorder.sh` from SubagentStart/SubagentStop (no longer needed) |
| `D:\...\src-agent-recorder.sh` | No longer needed for this purpose — can delete or repurpose |
---
## ONBOARDING FOR NEXT SESSION
If you are continuing this work in a new session, **start here**:
1. Read this report: `.IDE_Plans/hook-src-write-guard-investigation-report.md`
2. Check current state of `settings.json` and `src-write-guard.sh`
3. **Goal:** Main agent blocked from src/, all sub-agents allowed
4. **Do NOT repeat Approach 1** — proven wrong
5. **Do NOT repeat Approach 2** — proven broken
6. **Do NOT repeat Approach 3** — more complex than needed, Approach 4 is simpler but FAILED
7. **Do NOT rely on web research for PreToolUse stdin fields** — research was incorrect
8. **NEXT STEP:** Add debug logging to capture actual PreToolUse stdin structure and find which field distinguishes main vs sub-agent
9. **Design Approach 5** based on actual observed behavior
---
## REMAINING OPEN QUESTIONS
| # | Question | Why it matters | Status |
|---|----------|---------------|--------|
| Q1 | Does PreToolUse stdin have `agent_type`? | **ANSWERED: NO** — Web research was incorrect | 🔴 CONFIRMED ABSENT |
| Q2 | What field(s) in PreToolUse distinguish main vs sub-agent? | **UNKNOWN** — Need debug logging | 🟡 PENDING INVESTIGATION |
| Q3 | Can we identify sub-agents via some other field? | Possibly via `tool`, `prompt`, or other fields | 🟡 PENDING INVESTIGATION |
| Q4 | Debug approach needed | Need to capture actual PreToolUse stdin | 🟡 PENDING — add debug logging |
---
## HISTORY
| Date/Time | Event | Outcome |
|-----------|-------|---------|
| 2026-04-27 AM | Approach 1 (UserPromptSubmit) attempted | 🔴 FAILED — wrong event type |
| 2026-04-27 PM | Approach 2 (SubagentStart/Stop) applied | 🔴 FAILED — SubagentStop clears state before sub-agent writes |
| 2026-04-27 PM | gas-script-coder delegated and blocked | Confirmed approach 2 is fully broken |
| 2026-04-27 PM | Objective changed — allow all sub-agents | New approach needed |
| 2026-04-27 PM | Web research: PreToolUse stdin structure | ✅ FOUND: agent_type is in stdin for sub-agents, absent for main agent |
| 2026-04-27 PM | Approach 4 (direct stdin read) designed | 🟢 SIMPLEST — no state file needed |
| 2026-04-30 | Approach 4 tested | 🔴 FAILED — agent_type NOT in PreToolUse stdin (web research was incorrect) |
---
---
## DETAILED APPROACHES
---
## APPROACH 1 — UserPromptSubmit Recorder 🔴 FAILED
**Intent:** When user types message, record agent_type to state file. PreToolUse reads state file to know who is calling.
**Files changed:** settings.json (UserPromptSubmit hook), src-agent-recorder.sh
**Result:** FAILED — Completely broken
### Why It Failed
- `UserPromptSubmit` fires when USER types a message — not when an agent runs
- The stdin for UserPromptSubmit does NOT contain the running agent's type
- `agent_type` was always null or "main-agent" even when a sub-agent like `gas-script-coder` was running
- State file always said "main-agent" regardless of which agent actually called Write/Edit
- ALL agents (including approved ones) got blocked
### Exact Error Observed
src-write-guard.sh: [HOOK BLOCKED] Only gas-script-coder and gas-script-coder agents can write to src/ folder. Your agent: 'main-agent' is not authorized.
**Lesson learned:** UserPromptSubmit is for user input events, NOT agent execution events. Never use it to track which agent is running.
---
## APPROACH 2 — SubagentStart/SubagentStop Recorder 🔴 FAILED
**Intent:** When a sub-agent starts, record its type to state file. When it stops, clear state. PreToolUse reads state to know who is calling.
**Files changed:** settings.json (SubagentStart/SubagentStop hooks), src-agent-recorder.sh (updated)
**Result:** FAILED — Completely broken — even approved agents cannot write
### What Happened
1. User asked main agent to create src/02_Triggers/readme.md
2. Main agent was blocked (as expected)
3. User delegated to gas-script-coder sub-agent
4. gas-script-coder tried to write src/02_Triggers/readme.md
5. gas-script-coder was ALSO BLOCKED ← NEW FINDING
### The Timing Issue (Root Cause)
Main agent spawns gas-script-coder
→ SubagentStart fires → state = "gas-script-coder" ✓
gas-script-coder asks user: "Should I create readme.md?"
→ User says "yes"
→ SubagentStop fires at this point (gas-script-coder finished its "turn")
→ state file cleared ✗
gas-script-coder actually writes the file
→ PreToolUse fires → reads state file → EMPTY → BLOCKED ✗
**SubagentStop fires BEFORE the sub-agent completes its actual work** — because asking for confirmation is treated as the end of that turn.
**Lesson learned:** SubagentStop fires when the sub-agent asks for confirmation, NOT when it completes its task after confirmation.
---
## APPROACH 3 — New Logic: Empty State = Block, Non-Empty = Allow 🟡 READY FOR TESTING (BUT APPROACH 4 IS SIMPLER)
**Intent:** Remove exact-type checking. Use simple logic: state file has content = sub-agent running = ALLOW. State file is empty = main agent = BLOCK.
**Files to change:** settings.json, src-write-guard.sh
**Result:** NOT YET TESTED — More complex than Approach 4
### What Needs to Change
1. **Add `src-write-guard.sh` to Bash block** — closes the retry bypass gap
2. **Add `SessionEnd` hook** — clears state file so no stale state across sessions
3. **Simplify `src-write-guard.sh` logic** — empty state = block, non-empty = allow
### Why Approach 3 is now OBSOLETE
Approach 4 (below) achieves the same goal without ANY state file — just read `agent_type` directly from PreToolUse stdin. Simpler, fewer failure points.
---
## APPROACH 4 — Direct agent_type Read from PreToolUse stdin 🔴 TESTED — FAILED
**Intent:** No state file needed. PreToolUse stdin already has `agent_type` for sub-agents but NOT for main agent. Use this directly to distinguish main agent from sub-agents.
**Files to change:** settings.json, src-write-guard.sh
**Result:** 🔴 TESTED AND FAILED — `agent_type` does NOT exist in PreToolUse stdin for any agent type
### What Was Tested
1. Deployed Approach 4 script to `.claude/hooks/enforcement/src-write-guard.sh`
2. Tested with gas-script-coder sub-agent
3. **Sub-agent was BLOCKED** — `agent_type` field was absent (empty) in PreToolUse stdin
### Why It Failed
Web research was incorrect. The `agent_type` field does NOT appear in PreToolUse stdin for any agent type (main or sub-agent). The actual PreToolUse JSON structure is different from what was documented online.
### How It Works
PreToolUse fires (for Write, Edit, or Bash to src/)
→ src-write-guard.sh reads stdin JSON
→ Check if agent_type field is present
→ If ABSENT → main agent → BLOCK
→ If PRESENT → sub-agent → check if in approved list → ALLOW or BLOCK
### Why This Works
From Claude Code hooks documentation (verified via web search):
- Sub-agents: PreToolUse stdin includes `"agent_type": "gas-script-coder"` (or whatever type)
- Main agent: PreToolUse stdin does NOT have agent_type field at all (absent, not "main-agent")
- So: `agent_type` absent = main agent = BLOCK, `agent_type` present = sub-agent = check approval
### Behavior Matrix
| Agent | `agent_type` in PreToolUse stdin | Action |
|-------|--------------------------------|--------|
| Main agent | **ABSENT** | BLOCK |
| gas-script-coder | YES — "gas-script-coder" | ALLOW |
| gas-sheets-builder | YES — "gas-sheets-builder" | ALLOW |
| git-flow-expert | YES — "git-flow-expert" | BLOCK (not in approved list) |
| gas-error-handler | YES — "gas-error-handler" | BLOCK (not in approved list) |
---
### CODE CANDIDATE — Approach 4 (BEST)
**File: src-write-guard.sh (APPROACH 4 — NO STATE FILE NEEDED)**
#!/bin/bash
# src-write-guard.sh
# PreToolUse hook: restricts src/ folder writes to only approved sub-agents
#
# Logic (NO state file needed):
# - agent_type IN stdin -> sub-agent is running -> use it directly
# - agent_type NOT in stdin -> main agent -> BLOCK
# - Only gas-script-coder and gas-sheets-builder are allowed
#
# Runs on: Edit, Write, AND Bash (catches retry bypass)
INPUT=$(cat)
if [ -z "$INPUT" ]; then
exit 0
fi
# Extract file_path from PreToolUse JSON
TOOL_INPUT_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
if [ -z "$TOOL_INPUT_PATH" ] || [ "$TOOL_INPUT_PATH" = "empty" ] || [ "$TOOL_INPUT_PATH" = "null" ]; then
exit 0
fi
# Normalize path: convert Windows backslash to forward slash
NORMALIZED_PATH=$(echo "$TOOL_INPUT_PATH" | sed 's/\\/\//g')
# Check if path contains /src/
if echo "$NORMALIZED_PATH" | grep -q "/src/"; then
# Extract agent_type from stdin — present ONLY for sub-agents
AGENT_TYPE=$(echo "$INPUT" | jq -r '.agent_type // empty')
if [ -z "$AGENT_TYPE" ] || [ "$AGENT_TYPE" = "empty" ] || [ "$AGENT_TYPE" = "null" ]; then
# No agent_type -> main agent (not a sub-agent) -> BLOCK
echo "[HOOK BLOCKED] Main agent cannot write to src/ folder." >&2
echo "Only gas-script-coder and gas-sheets-builder sub-agents are allowed." >&2
exit 2
fi
# agent_type is present — check if approved
if [ "$AGENT_TYPE" = "gas-sheets-builder" ] || [ "$AGENT_TYPE" = "gas-script-coder" ]; then
exit 0
else
echo "[HOOK BLOCKED] Only gas-script-coder and gas-sheets-builder agents can write to src/ folder." >&2
echo "Your agent: '$AGENT_TYPE' is not authorized." >&2
exit 2
fi
fi
exit 0
**File: settings.json (APPROACH 4 CANDIDATE)**
"UserPromptSubmit": [],
"PreToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{ "command": "bash \".../gs-file-restriction-enforcer.sh\"" },
{ "command": "bash \".../unit-test-checker.sh\"" },
{ "command": "bash \".../plan-validator.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
]
},
{
"matcher": "Agent|Bash|Write|Edit|NotebookEdit|Delete|Move|Copy",
"hooks": [
{ "command": "bash \".../subagent-delegation-enforcer.sh\"" },
{ "command": "bash \".../global-rules-enforcer.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
// src-write-guard now runs for Bash too — closes retry bypass
]
}
],
// REMOVE src-agent-recorder.sh from SubagentStart/SubagentStop (no longer needed)
// NO SessionEnd hook needed (no state file to clear)
### What to Remove from settings.json
Remove these from SubagentStart and SubagentStop (no longer needed):
- src-agent-recorder.sh
- src-agent-recorder.sh --clear
---
## SUMMARY TABLE — All Approaches
| | Approach 1 | Approach 2 | Approach 3 | Approach 4 |
|---|---|---|---|---|
| Uses state file | Yes | Yes | Yes | **NO** |
| Needs SubagentStart/Stop | Yes | Yes | Yes | **NO** |
| Reads agent_type from stdin | No | No | No | **YES (but field doesn't exist)** |
| Bash bypass fixed | No | No | Yes | **YES** |
| Stale state issue | Yes | Yes | Yes (SessionEnd fixes) | **NO** |
| Complexity | Medium | High | High | **LOW** |
| Status | 🔴 FAILED | 🔴 FAILED | 🟡 Not tested | 🔴 **TESTED FAILED** |
---
## FILES TO CHANGE FOR APPROACH 4
| File | Action |
|------|--------|
| `src-write-guard.sh` | Replace with Approach 4 candidate script above |
| `settings.json` | 1. Add `src-write-guard.sh` to `Agent\|Bash\|Write\|Edit\|...` block |
| `settings.json` | 2. Remove `src-agent-recorder.sh` from SubagentStart |
| `settings.json` | 3. Remove `src-agent-recorder.sh --clear` from SubagentStop |
| `src-agent-recorder.sh` | Delete or repurpose (no longer needed for this hook) |
---
src-write-guard.sh: [HOOK BLOCKED] Only gas-script-coder and gas-script-coder agents can write to src/ folder. Your agent: 'main-agent' is not authorized.
---
1. User asked main agent to create src/02_Triggers/readme.md
2. Main agent was blocked (as expected)
3. User delegated to gas-script-coder sub-agent
4. gas-script-coder tried to write src/02_Triggers/readme.md
5. gas-script-coder was ALSO BLOCKED ← NEW FINDING
---
Main agent spawns gas-script-coder
→ SubagentStart fires → state = "gas-script-coder" ✓
gas-script-coder asks user: "Should I create readme.md?"
→ User says "yes"
→ SubagentStop fires at this point (gas-script-coder finished its "turn")
→ state file cleared ✗
gas-script-coder actually writes the file
→ PreToolUse fires → reads state file → EMPTY → BLOCKED ✗
---
PreToolUse fires (for Write, Edit, or Bash to src/)
→ src-write-guard.sh reads stdin JSON
→ Check if agent_type field is present
→ If ABSENT → main agent → BLOCK
→ If PRESENT → sub-agent → check if in approved list → ALLOW or BLOCK
---
#!/bin/bash
# src-write-guard.sh
# PreToolUse hook: restricts src/ folder writes to only approved sub-agents
#
# Logic (NO state file needed):
# - agent_type IN stdin -> sub-agent is running -> use it directly
# - agent_type NOT in stdin -> main agent -> BLOCK
# - Only gas-script-coder and gas-sheets-builder are allowed
#
# Runs on: Edit, Write, AND Bash (catches retry bypass)
INPUT=$(cat)
if [ -z "$INPUT" ]; then
exit 0
fi
# Extract file_path from PreToolUse JSON
TOOL_INPUT_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
if [ -z "$TOOL_INPUT_PATH" ] || [ "$TOOL_INPUT_PATH" = "empty" ] || [ "$TOOL_INPUT_PATH" = "null" ]; then
exit 0
fi
# Normalize path: convert Windows backslash to forward slash
NORMALIZED_PATH=$(echo "$TOOL_INPUT_PATH" | sed 's/\\/\//g')
# Check if path contains /src/
if echo "$NORMALIZED_PATH" | grep -q "/src/"; then
# Extract agent_type from stdin — present ONLY for sub-agents
AGENT_TYPE=$(echo "$INPUT" | jq -r '.agent_type // empty')
if [ -z "$AGENT_TYPE" ] || [ "$AGENT_TYPE" = "empty" ] || [ "$AGENT_TYPE" = "null" ]; then
# No agent_type -> main agent (not a sub-agent) -> BLOCK
echo "[HOOK BLOCKED] Main agent cannot write to src/ folder." >&2
echo "Only gas-script-coder and gas-sheets-builder sub-agents are allowed." >&2
exit 2
fi
# agent_type is present — check if approved
if [ "$AGENT_TYPE" = "gas-sheets-builder" ] || [ "$AGENT_TYPE" = "gas-script-coder" ]; then
exit 0
else
echo "[HOOK BLOCKED] Only gas-script-coder and gas-sheets-builder agents can write to src/ folder." >&2
echo "Your agent: '$AGENT_TYPE' is not authorized." >&2
exit 2
fi
fi
exit 0
---
"UserPromptSubmit": [],
"PreToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{ "command": "bash \".../gs-file-restriction-enforcer.sh\"" },
{ "command": "bash \".../unit-test-checker.sh\"" },
{ "command": "bash \".../plan-validator.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
]
},
{
"matcher": "Agent|Bash|Write|Edit|NotebookEdit|Delete|Move|Copy",
"hooks": [
{ "command": "bash \".../subagent-delegation-enforcer.sh\"" },
{ "command": "bash \".../global-rules-enforcer.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
// src-write-guard now runs for Bash too — closes retry bypass
]
}
],
// REMOVE src-agent-recorder.sh from SubagentStart/SubagentStop (no longer needed)
// NO SessionEnd hook needed (no state file to clear)
---
- src-agent-recorder.sh
- src-agent-recorder.sh --clearRAW_BUFFERClick to expand / collapse
Preflight Checklist
- I have searched existing issues and this hasn't been reported yet
- This is a single bug report (please file separate reports for different bugs)
- I am using the latest version of Claude Code
What's Wrong?
Problem Summary Claude Code currently has no mechanism to restrict the main agent from writing to specific paths while allowing subagents to write to those same paths within the same session. This is a critical gap for teams running specialized multi-agent architectures. The real-world scenario: I have built a fully specialized subagent system:
gas-script-coder → writes Google Apps Script code gas-code-review → reviews code quality gas-testing-agent → writes and runs tests gas-error-handler → handles error logging gas-sheets-builder → builds sheet structures
There is a massive difference in output quality between the main agent directly editing code versus a specialized subagent doing it. The specialized subagent has a focused system prompt, domain expertise, and restricted context — it produces significantly better output for its specific task. What I need:
Main agent = coordinator only → no write access to src/ Each subagent = specialist → write access ONLY to its assigned files/folders Example: gas-script-coder can read everything but write to src/scripts/ but NOT src/sheets/ Example: gas-code-review can read everything but write NOWHERE No subagent can access another subagent's assigned files
Why this matters: This level of control gives two things: safety and quality. Safety because no agent can accidentally destroy another agent's work. Quality because each agent is forced to stay in its lane and do only what it is specialized for. What actually happens today: When I remove write access from the main agent to force delegation to subagents — the subagents also lose write access. They are cut off equally. The main agent ignores subagents and writes directly anyway. The specialized agents become useless. I am forced to either give the main agent full dangerous access OR break the entire pipeline. This makes the core value of specialized subagents — better output, safer execution, controlled file ownership — completely unreachable.
What Should Happen?
Current Architecture (What We Built) Goal:
Main agent = coordinator only → writes ONLY to .IDE_Plans/ Subagents = specialists → write to src/, logs/, tests/
Subagents designed:
gas-script-coder → writes GAS scripts to src/ gas-sheets-builder → builds sheet structures in src/ gas-code-review → reviews code in src/ gas-error-handler → handles errors in logs/ gas-testing-agent → writes tests to tests/
Why this architecture makes sense:
Main agent has full project context but should only coordinate Subagents are specialists — better quality output for focused tasks If main agent writes code directly, it bypasses specialization Parallel subagents = faster execution Isolated context per subagent = cleaner results
=> I have already tried the hooks and Json nothing working.
Error Messages/Logs
What We Tried & Why Each Failed
Attempt 1 — Global deny in settings.json:
json{
"permissions": {
"deny": ["Write", "Edit", "Bash"]
}
}
Result: Blocked main agent AND all subagents equally. No agent could write anything. Project completely broken.
Attempt 2 — Path-specific deny in settings.json:
json{
"permissions": {
"deny": ["Write(src/**)","Edit(src/**)"]
}
}
Result: Blocked subagents too. Project-level deny overrides subagent tools: declarations. All 5 subagents failed — gas-script-coder, gas-sheets-builder, gas-code-review, git-agent, cmd-skills-hooks-builder.
Attempt 3 — Subagent tools: field in .md file:
yaml---
name: gas-script-coder
tools: Read, Write, Glob
---
Result: tools: field is overridden by project-level settings.json deny. Subagent declared Write but still could not write. Confirmed by testing all 5 subagents.
Attempt 4 — Separate settings.json per subagent folder:
agents/gas-script-coder/.claude/settings.json → allow Write
Result: These folder-level settings apply only to standalone Claude Code processes — NOT to subagents invoked via Agent() tool inside the main session. Completely ignored.
Attempt 5 — PreToolUse hooks:
Tried to intercept tool calls and check caller identity.
Result: Hook cannot identify whether the caller is main agent or subagent. No caller identity is exposed in hook context. Cannot differentiate.
Root Cause
<br>
Claude Code's permission system is session-wide, not agent-wide.
When a subagent is invoked via Agent() tool:
It loads its .md definition from .claude/agents/
It runs inside the SAME session
It INHERITS the parent session's permission rules
Project-level deny rules CANNOT be overridden by subagent tools: declarations
There is NO way to say "deny main agent only, allow subagent only" for the same path
---
---
# Hook System — src-write-guard Investigation Report
**Last Updated:** 2026-04-30
**Status:** 🔴 ALL APPROACHES FAILED — Debug logging needed to find actual PreToolUse stdin structure
---
## CORE OBJECTIVE
| Actor | src/ Access |
|-------|------------|
| Main agent (the AI talking to you) | BLOCKED — cannot write to src/ directly |
| Any sub-agent (gas-script-coder, gas-sheets-builder, git-flow-expert, etc.) | ALLOWED — can write to src/ |
**Rule:** Main agent must delegate all src/ writes to sub-agents. Cannot bypass via retry or Bash.
---
## SUMMARY — All Approaches (Quick View)
| | Approach 1 | Approach 2 | Approach 3 | Approach 4 |
|---|---|---|---|---|
| Recorder event | `UserPromptSubmit` | `SubagentStart/Stop` | `SubagentStart/Stop` + `SessionEnd` | NONE — no state file |
| Guard event | `Edit\|Write` | `Edit\|Write` | `Edit\|Write` + `Bash` | `Edit\|Write\|Bash` |
| State file logic | exact type match | exact type match | empty = block, non-empty = allow | **NO STATE FILE — tried agent_type from stdin** |
| Bash bypass fixed? | No | No | YES | YES |
| Stale state fixed? | No | No | YES | YES |
| Works for approved agents? | No | No | YES | NO — tested, FAILED |
| **Status** | 🔴 FAILED | 🔴 FAILED | 🟡 READY (not tested) | 🔴 **TESTED — FAILED** |
### Why Each Failed
- **Approach 1:** UserPromptSubmit fires for user messages, not agent messages — state always says "main-agent"
- **Approach 2:** SubagentStop fires BEFORE sub-agent completes its actual write (after user confirmation) — state cleared too early, even approved agents blocked
- **Approach 3:** Uses state file approach with improved logic — still needs testing but more complex than Approach 4
### Approach 4 — TESTED AND FAILED
**Web research claimed:**
- PreToolUse stdin includes `agent_type` for sub-agents
- PreToolUse stdin does NOT have `agent_type` for main agent (field is absent)
**Actual test result: 🔴 FAILED**
**TEST RESULT: 🔴 FAILED — agent_type is NOT present in PreToolUse stdin for sub-agents**
### Lessons from Approach 4 Failure
1. Web research was incorrect — `agent_type` does NOT appear in PreToolUse stdin for sub-agents
2. The PreToolUse JSON structure must be different from what was researched
3. Need to investigate actual PreToolUse stdin structure with debugging
### Next Steps Needed
1. Add debug logging to capture actual PreToolUse stdin structure
2. Find which field(s) actually distinguish main agent from sub-agents
3. Design Approach 5 based on actual observed behavior
---
## FILES TO CHANGE FOR APPROACH 4 (Quick Reference)
| File | Change |
|------|--------|
| `D:\...\src-write-guard.sh` | Replace with APPROACH 4 CANDIDATE script (read agent_type directly from stdin — no state file) |
| `D:\...\settings.json` | Add `src-write-guard.sh` to Bash block + REMOVE `src-agent-recorder.sh` from SubagentStart/SubagentStop (no longer needed) |
| `D:\...\src-agent-recorder.sh` | No longer needed for this purpose — can delete or repurpose |
---
## ONBOARDING FOR NEXT SESSION
If you are continuing this work in a new session, **start here**:
1. Read this report: `.IDE_Plans/hook-src-write-guard-investigation-report.md`
2. Check current state of `settings.json` and `src-write-guard.sh`
3. **Goal:** Main agent blocked from src/, all sub-agents allowed
4. **Do NOT repeat Approach 1** — proven wrong
5. **Do NOT repeat Approach 2** — proven broken
6. **Do NOT repeat Approach 3** — more complex than needed, Approach 4 is simpler but FAILED
7. **Do NOT rely on web research for PreToolUse stdin fields** — research was incorrect
8. **NEXT STEP:** Add debug logging to capture actual PreToolUse stdin structure and find which field distinguishes main vs sub-agent
9. **Design Approach 5** based on actual observed behavior
---
## REMAINING OPEN QUESTIONS
| # | Question | Why it matters | Status |
|---|----------|---------------|--------|
| Q1 | Does PreToolUse stdin have `agent_type`? | **ANSWERED: NO** — Web research was incorrect | 🔴 CONFIRMED ABSENT |
| Q2 | What field(s) in PreToolUse distinguish main vs sub-agent? | **UNKNOWN** — Need debug logging | 🟡 PENDING INVESTIGATION |
| Q3 | Can we identify sub-agents via some other field? | Possibly via `tool`, `prompt`, or other fields | 🟡 PENDING INVESTIGATION |
| Q4 | Debug approach needed | Need to capture actual PreToolUse stdin | 🟡 PENDING — add debug logging |
---
## HISTORY
| Date/Time | Event | Outcome |
|-----------|-------|---------|
| 2026-04-27 AM | Approach 1 (UserPromptSubmit) attempted | 🔴 FAILED — wrong event type |
| 2026-04-27 PM | Approach 2 (SubagentStart/Stop) applied | 🔴 FAILED — SubagentStop clears state before sub-agent writes |
| 2026-04-27 PM | gas-script-coder delegated and blocked | Confirmed approach 2 is fully broken |
| 2026-04-27 PM | Objective changed — allow all sub-agents | New approach needed |
| 2026-04-27 PM | Web research: PreToolUse stdin structure | ✅ FOUND: agent_type is in stdin for sub-agents, absent for main agent |
| 2026-04-27 PM | Approach 4 (direct stdin read) designed | 🟢 SIMPLEST — no state file needed |
| 2026-04-30 | Approach 4 tested | 🔴 FAILED — agent_type NOT in PreToolUse stdin (web research was incorrect) |
---
---
## DETAILED APPROACHES
---
## APPROACH 1 — UserPromptSubmit Recorder 🔴 FAILED
**Intent:** When user types message, record agent_type to state file. PreToolUse reads state file to know who is calling.
**Files changed:** settings.json (UserPromptSubmit hook), src-agent-recorder.sh
**Result:** FAILED — Completely broken
### Why It Failed
- `UserPromptSubmit` fires when USER types a message — not when an agent runs
- The stdin for UserPromptSubmit does NOT contain the running agent's type
- `agent_type` was always null or "main-agent" even when a sub-agent like `gas-script-coder` was running
- State file always said "main-agent" regardless of which agent actually called Write/Edit
- ALL agents (including approved ones) got blocked
### Exact Error Observed
src-write-guard.sh: [HOOK BLOCKED] Only gas-script-coder and gas-script-coder agents can write to src/ folder. Your agent: 'main-agent' is not authorized.
**Lesson learned:** UserPromptSubmit is for user input events, NOT agent execution events. Never use it to track which agent is running.
---
## APPROACH 2 — SubagentStart/SubagentStop Recorder 🔴 FAILED
**Intent:** When a sub-agent starts, record its type to state file. When it stops, clear state. PreToolUse reads state to know who is calling.
**Files changed:** settings.json (SubagentStart/SubagentStop hooks), src-agent-recorder.sh (updated)
**Result:** FAILED — Completely broken — even approved agents cannot write
### What Happened
1. User asked main agent to create src/02_Triggers/readme.md
2. Main agent was blocked (as expected)
3. User delegated to gas-script-coder sub-agent
4. gas-script-coder tried to write src/02_Triggers/readme.md
5. gas-script-coder was ALSO BLOCKED ← NEW FINDING
### The Timing Issue (Root Cause)
Main agent spawns gas-script-coder
→ SubagentStart fires → state = "gas-script-coder" ✓
gas-script-coder asks user: "Should I create readme.md?"
→ User says "yes"
→ SubagentStop fires at this point (gas-script-coder finished its "turn")
→ state file cleared ✗
gas-script-coder actually writes the file
→ PreToolUse fires → reads state file → EMPTY → BLOCKED ✗
**SubagentStop fires BEFORE the sub-agent completes its actual work** — because asking for confirmation is treated as the end of that turn.
**Lesson learned:** SubagentStop fires when the sub-agent asks for confirmation, NOT when it completes its task after confirmation.
---
## APPROACH 3 — New Logic: Empty State = Block, Non-Empty = Allow 🟡 READY FOR TESTING (BUT APPROACH 4 IS SIMPLER)
**Intent:** Remove exact-type checking. Use simple logic: state file has content = sub-agent running = ALLOW. State file is empty = main agent = BLOCK.
**Files to change:** settings.json, src-write-guard.sh
**Result:** NOT YET TESTED — More complex than Approach 4
### What Needs to Change
1. **Add `src-write-guard.sh` to Bash block** — closes the retry bypass gap
2. **Add `SessionEnd` hook** — clears state file so no stale state across sessions
3. **Simplify `src-write-guard.sh` logic** — empty state = block, non-empty = allow
### Why Approach 3 is now OBSOLETE
Approach 4 (below) achieves the same goal without ANY state file — just read `agent_type` directly from PreToolUse stdin. Simpler, fewer failure points.
---
## APPROACH 4 — Direct agent_type Read from PreToolUse stdin 🔴 TESTED — FAILED
**Intent:** No state file needed. PreToolUse stdin already has `agent_type` for sub-agents but NOT for main agent. Use this directly to distinguish main agent from sub-agents.
**Files to change:** settings.json, src-write-guard.sh
**Result:** 🔴 TESTED AND FAILED — `agent_type` does NOT exist in PreToolUse stdin for any agent type
### What Was Tested
1. Deployed Approach 4 script to `.claude/hooks/enforcement/src-write-guard.sh`
2. Tested with gas-script-coder sub-agent
3. **Sub-agent was BLOCKED** — `agent_type` field was absent (empty) in PreToolUse stdin
### Why It Failed
Web research was incorrect. The `agent_type` field does NOT appear in PreToolUse stdin for any agent type (main or sub-agent). The actual PreToolUse JSON structure is different from what was documented online.
### How It Works
PreToolUse fires (for Write, Edit, or Bash to src/)
→ src-write-guard.sh reads stdin JSON
→ Check if agent_type field is present
→ If ABSENT → main agent → BLOCK
→ If PRESENT → sub-agent → check if in approved list → ALLOW or BLOCK
### Why This Works
From Claude Code hooks documentation (verified via web search):
- Sub-agents: PreToolUse stdin includes `"agent_type": "gas-script-coder"` (or whatever type)
- Main agent: PreToolUse stdin does NOT have agent_type field at all (absent, not "main-agent")
- So: `agent_type` absent = main agent = BLOCK, `agent_type` present = sub-agent = check approval
### Behavior Matrix
| Agent | `agent_type` in PreToolUse stdin | Action |
|-------|--------------------------------|--------|
| Main agent | **ABSENT** | BLOCK |
| gas-script-coder | YES — "gas-script-coder" | ALLOW |
| gas-sheets-builder | YES — "gas-sheets-builder" | ALLOW |
| git-flow-expert | YES — "git-flow-expert" | BLOCK (not in approved list) |
| gas-error-handler | YES — "gas-error-handler" | BLOCK (not in approved list) |
---
### CODE CANDIDATE — Approach 4 (BEST)
**File: src-write-guard.sh (APPROACH 4 — NO STATE FILE NEEDED)**
#!/bin/bash
# src-write-guard.sh
# PreToolUse hook: restricts src/ folder writes to only approved sub-agents
#
# Logic (NO state file needed):
# - agent_type IN stdin -> sub-agent is running -> use it directly
# - agent_type NOT in stdin -> main agent -> BLOCK
# - Only gas-script-coder and gas-sheets-builder are allowed
#
# Runs on: Edit, Write, AND Bash (catches retry bypass)
INPUT=$(cat)
if [ -z "$INPUT" ]; then
exit 0
fi
# Extract file_path from PreToolUse JSON
TOOL_INPUT_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
if [ -z "$TOOL_INPUT_PATH" ] || [ "$TOOL_INPUT_PATH" = "empty" ] || [ "$TOOL_INPUT_PATH" = "null" ]; then
exit 0
fi
# Normalize path: convert Windows backslash to forward slash
NORMALIZED_PATH=$(echo "$TOOL_INPUT_PATH" | sed 's/\\/\//g')
# Check if path contains /src/
if echo "$NORMALIZED_PATH" | grep -q "/src/"; then
# Extract agent_type from stdin — present ONLY for sub-agents
AGENT_TYPE=$(echo "$INPUT" | jq -r '.agent_type // empty')
if [ -z "$AGENT_TYPE" ] || [ "$AGENT_TYPE" = "empty" ] || [ "$AGENT_TYPE" = "null" ]; then
# No agent_type -> main agent (not a sub-agent) -> BLOCK
echo "[HOOK BLOCKED] Main agent cannot write to src/ folder." >&2
echo "Only gas-script-coder and gas-sheets-builder sub-agents are allowed." >&2
exit 2
fi
# agent_type is present — check if approved
if [ "$AGENT_TYPE" = "gas-sheets-builder" ] || [ "$AGENT_TYPE" = "gas-script-coder" ]; then
exit 0
else
echo "[HOOK BLOCKED] Only gas-script-coder and gas-sheets-builder agents can write to src/ folder." >&2
echo "Your agent: '$AGENT_TYPE' is not authorized." >&2
exit 2
fi
fi
exit 0
**File: settings.json (APPROACH 4 CANDIDATE)**
"UserPromptSubmit": [],
"PreToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{ "command": "bash \".../gs-file-restriction-enforcer.sh\"" },
{ "command": "bash \".../unit-test-checker.sh\"" },
{ "command": "bash \".../plan-validator.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
]
},
{
"matcher": "Agent|Bash|Write|Edit|NotebookEdit|Delete|Move|Copy",
"hooks": [
{ "command": "bash \".../subagent-delegation-enforcer.sh\"" },
{ "command": "bash \".../global-rules-enforcer.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
// src-write-guard now runs for Bash too — closes retry bypass
]
}
],
// REMOVE src-agent-recorder.sh from SubagentStart/SubagentStop (no longer needed)
// NO SessionEnd hook needed (no state file to clear)
### What to Remove from settings.json
Remove these from SubagentStart and SubagentStop (no longer needed):
- src-agent-recorder.sh
- src-agent-recorder.sh --clear
---
## SUMMARY TABLE — All Approaches
| | Approach 1 | Approach 2 | Approach 3 | Approach 4 |
|---|---|---|---|---|
| Uses state file | Yes | Yes | Yes | **NO** |
| Needs SubagentStart/Stop | Yes | Yes | Yes | **NO** |
| Reads agent_type from stdin | No | No | No | **YES (but field doesn't exist)** |
| Bash bypass fixed | No | No | Yes | **YES** |
| Stale state issue | Yes | Yes | Yes (SessionEnd fixes) | **NO** |
| Complexity | Medium | High | High | **LOW** |
| Status | 🔴 FAILED | 🔴 FAILED | 🟡 Not tested | 🔴 **TESTED FAILED** |
---
## FILES TO CHANGE FOR APPROACH 4
| File | Action |
|------|--------|
| `src-write-guard.sh` | Replace with Approach 4 candidate script above |
| `settings.json` | 1. Add `src-write-guard.sh` to `Agent\|Bash\|Write\|Edit\|...` block |
| `settings.json` | 2. Remove `src-agent-recorder.sh` from SubagentStart |
| `settings.json` | 3. Remove `src-agent-recorder.sh --clear` from SubagentStop |
| `src-agent-recorder.sh` | Delete or repurpose (no longer needed for this hook) |Steps to Reproduce
Hook System — src-write-guard Investigation Report
Last Updated: 2026-04-30 Status: 🔴 ALL APPROACHES FAILED — Debug logging needed to find actual PreToolUse stdin structure
CORE OBJECTIVE
| Actor | src/ Access |
|---|---|
| Main agent (the AI talking to you) | BLOCKED — cannot write to src/ directly |
| Any sub-agent (gas-script-coder, gas-sheets-builder, git-flow-expert, etc.) | ALLOWED — can write to src/ |
Rule: Main agent must delegate all src/ writes to sub-agents. Cannot bypass via retry or Bash.
SUMMARY — All Approaches (Quick View)
| Approach 1 | Approach 2 | Approach 3 | Approach 4 | |
|---|---|---|---|---|
| Recorder event | UserPromptSubmit | SubagentStart/Stop | SubagentStart/Stop + SessionEnd | NONE — no state file |
| Guard event | Edit|Write | Edit|Write | Edit|Write + Bash | Edit|Write|Bash |
| State file logic | exact type match | exact type match | empty = block, non-empty = allow | NO STATE FILE — tried agent_type from stdin |
| Bash bypass fixed? | No | No | YES | YES |
| Stale state fixed? | No | No | YES | YES |
| Works for approved agents? | No | No | YES | NO — tested, FAILED |
| Status | 🔴 FAILED | 🔴 FAILED | 🟡 READY (not tested) | 🔴 TESTED — FAILED |
Why Each Failed
- Approach 1: UserPromptSubmit fires for user messages, not agent messages — state always says "main-agent"
- Approach 2: SubagentStop fires BEFORE sub-agent completes its actual write (after user confirmation) — state cleared too early, even approved agents blocked
- Approach 3: Uses state file approach with improved logic — still needs testing but more complex than Approach 4
Approach 4 — TESTED AND FAILED
Web research claimed:
- PreToolUse stdin includes
agent_typefor sub-agents - PreToolUse stdin does NOT have
agent_typefor main agent (field is absent)
Actual test result: 🔴 FAILED
TEST RESULT: 🔴 FAILED — agent_type is NOT present in PreToolUse stdin for sub-agents
Lessons from Approach 4 Failure
- Web research was incorrect —
agent_typedoes NOT appear in PreToolUse stdin for sub-agents - The PreToolUse JSON structure must be different from what was researched
- Need to investigate actual PreToolUse stdin structure with debugging
Next Steps Needed
- Add debug logging to capture actual PreToolUse stdin structure
- Find which field(s) actually distinguish main agent from sub-agents
- Design Approach 5 based on actual observed behavior
FILES TO CHANGE FOR APPROACH 4 (Quick Reference)
| File | Change |
|---|---|
D:\...\src-write-guard.sh | Replace with APPROACH 4 CANDIDATE script (read agent_type directly from stdin — no state file) |
D:\...\settings.json | Add src-write-guard.sh to Bash block + REMOVE src-agent-recorder.sh from SubagentStart/SubagentStop (no longer needed) |
D:\...\src-agent-recorder.sh | No longer needed for this purpose — can delete or repurpose |
ONBOARDING FOR NEXT SESSION
If you are continuing this work in a new session, start here:
- Read this report:
.IDE_Plans/hook-src-write-guard-investigation-report.md - Check current state of
settings.jsonandsrc-write-guard.sh - Goal: Main agent blocked from src/, all sub-agents allowed
- Do NOT repeat Approach 1 — proven wrong
- Do NOT repeat Approach 2 — proven broken
- Do NOT repeat Approach 3 — more complex than needed, Approach 4 is simpler but FAILED
- Do NOT rely on web research for PreToolUse stdin fields — research was incorrect
- NEXT STEP: Add debug logging to capture actual PreToolUse stdin structure and find which field distinguishes main vs sub-agent
- Design Approach 5 based on actual observed behavior
REMAINING OPEN QUESTIONS
| # | Question | Why it matters | Status |
|---|---|---|---|
| Q1 | Does PreToolUse stdin have agent_type? | ANSWERED: NO — Web research was incorrect | 🔴 CONFIRMED ABSENT |
| Q2 | What field(s) in PreToolUse distinguish main vs sub-agent? | UNKNOWN — Need debug logging | 🟡 PENDING INVESTIGATION |
| Q3 | Can we identify sub-agents via some other field? | Possibly via tool, prompt, or other fields | 🟡 PENDING INVESTIGATION |
| Q4 | Debug approach needed | Need to capture actual PreToolUse stdin | 🟡 PENDING — add debug logging |
HISTORY
| Date/Time | Event | Outcome |
|---|---|---|
| 2026-04-27 AM | Approach 1 (UserPromptSubmit) attempted | 🔴 FAILED — wrong event type |
| 2026-04-27 PM | Approach 2 (SubagentStart/Stop) applied | 🔴 FAILED — SubagentStop clears state before sub-agent writes |
| 2026-04-27 PM | gas-script-coder delegated and blocked | Confirmed approach 2 is fully broken |
| 2026-04-27 PM | Objective changed — allow all sub-agents | New approach needed |
| 2026-04-27 PM | Web research: PreToolUse stdin structure | ✅ FOUND: agent_type is in stdin for sub-agents, absent for main agent |
| 2026-04-27 PM | Approach 4 (direct stdin read) designed | 🟢 SIMPLEST — no state file needed |
| 2026-04-30 | Approach 4 tested | 🔴 FAILED — agent_type NOT in PreToolUse stdin (web research was incorrect) |
DETAILED APPROACHES
APPROACH 1 — UserPromptSubmit Recorder 🔴 FAILED
Intent: When user types message, record agent_type to state file. PreToolUse reads state file to know who is calling.
Files changed: settings.json (UserPromptSubmit hook), src-agent-recorder.sh
Result: FAILED — Completely broken
Why It Failed
UserPromptSubmitfires when USER types a message — not when an agent runs- The stdin for UserPromptSubmit does NOT contain the running agent's type
agent_typewas always null or "main-agent" even when a sub-agent likegas-script-coderwas running- State file always said "main-agent" regardless of which agent actually called Write/Edit
- ALL agents (including approved ones) got blocked
Exact Error Observed
src-write-guard.sh: [HOOK BLOCKED] Only gas-script-coder and gas-script-coder agents can write to src/ folder. Your agent: 'main-agent' is not authorized.Lesson learned: UserPromptSubmit is for user input events, NOT agent execution events. Never use it to track which agent is running.
APPROACH 2 — SubagentStart/SubagentStop Recorder 🔴 FAILED
Intent: When a sub-agent starts, record its type to state file. When it stops, clear state. PreToolUse reads state to know who is calling.
Files changed: settings.json (SubagentStart/SubagentStop hooks), src-agent-recorder.sh (updated)
Result: FAILED — Completely broken — even approved agents cannot write
What Happened
1. User asked main agent to create src/02_Triggers/readme.md
2. Main agent was blocked (as expected)
3. User delegated to gas-script-coder sub-agent
4. gas-script-coder tried to write src/02_Triggers/readme.md
5. gas-script-coder was ALSO BLOCKED ← NEW FINDINGThe Timing Issue (Root Cause)
Main agent spawns gas-script-coder
→ SubagentStart fires → state = "gas-script-coder" ✓
gas-script-coder asks user: "Should I create readme.md?"
→ User says "yes"
→ SubagentStop fires at this point (gas-script-coder finished its "turn")
→ state file cleared ✗
gas-script-coder actually writes the file
→ PreToolUse fires → reads state file → EMPTY → BLOCKED ✗SubagentStop fires BEFORE the sub-agent completes its actual work — because asking for confirmation is treated as the end of that turn.
Lesson learned: SubagentStop fires when the sub-agent asks for confirmation, NOT when it completes its task after confirmation.
APPROACH 3 — New Logic: Empty State = Block, Non-Empty = Allow 🟡 READY FOR TESTING (BUT APPROACH 4 IS SIMPLER)
Intent: Remove exact-type checking. Use simple logic: state file has content = sub-agent running = ALLOW. State file is empty = main agent = BLOCK.
Files to change: settings.json, src-write-guard.sh
Result: NOT YET TESTED — More complex than Approach 4
What Needs to Change
- Add
src-write-guard.shto Bash block — closes the retry bypass gap - Add
SessionEndhook — clears state file so no stale state across sessions - Simplify
src-write-guard.shlogic — empty state = block, non-empty = allow
Why Approach 3 is now OBSOLETE
Approach 4 (below) achieves the same goal without ANY state file — just read agent_type directly from PreToolUse stdin. Simpler, fewer failure points.
APPROACH 4 — Direct agent_type Read from PreToolUse stdin 🔴 TESTED — FAILED
Intent: No state file needed. PreToolUse stdin already has agent_type for sub-agents but NOT for main agent. Use this directly to distinguish main agent from sub-agents.
Files to change: settings.json, src-write-guard.sh
Result: 🔴 TESTED AND FAILED — agent_type does NOT exist in PreToolUse stdin for any agent type
What Was Tested
- Deployed Approach 4 script to
.claude/hooks/enforcement/src-write-guard.sh - Tested with gas-script-coder sub-agent
- Sub-agent was BLOCKED —
agent_typefield was absent (empty) in PreToolUse stdin
Why It Failed
Web research was incorrect. The agent_type field does NOT appear in PreToolUse stdin for any agent type (main or sub-agent). The actual PreToolUse JSON structure is different from what was documented online.
How It Works
PreToolUse fires (for Write, Edit, or Bash to src/)
→ src-write-guard.sh reads stdin JSON
→ Check if agent_type field is present
→ If ABSENT → main agent → BLOCK
→ If PRESENT → sub-agent → check if in approved list → ALLOW or BLOCKWhy This Works
From Claude Code hooks documentation (verified via web search):
- Sub-agents: PreToolUse stdin includes
"agent_type": "gas-script-coder"(or whatever type) - Main agent: PreToolUse stdin does NOT have agent_type field at all (absent, not "main-agent")
- So:
agent_typeabsent = main agent = BLOCK,agent_typepresent = sub-agent = check approval
Behavior Matrix
| Agent | agent_type in PreToolUse stdin | Action |
|---|---|---|
| Main agent | ABSENT | BLOCK |
| gas-script-coder | YES — "gas-script-coder" | ALLOW |
| gas-sheets-builder | YES — "gas-sheets-builder" | ALLOW |
| git-flow-expert | YES — "git-flow-expert" | BLOCK (not in approved list) |
| gas-error-handler | YES — "gas-error-handler" | BLOCK (not in approved list) |
CODE CANDIDATE — Approach 4 (BEST)
File: src-write-guard.sh (APPROACH 4 — NO STATE FILE NEEDED)
#!/bin/bash
# src-write-guard.sh
# PreToolUse hook: restricts src/ folder writes to only approved sub-agents
#
# Logic (NO state file needed):
# - agent_type IN stdin -> sub-agent is running -> use it directly
# - agent_type NOT in stdin -> main agent -> BLOCK
# - Only gas-script-coder and gas-sheets-builder are allowed
#
# Runs on: Edit, Write, AND Bash (catches retry bypass)
INPUT=$(cat)
if [ -z "$INPUT" ]; then
exit 0
fi
# Extract file_path from PreToolUse JSON
TOOL_INPUT_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
if [ -z "$TOOL_INPUT_PATH" ] || [ "$TOOL_INPUT_PATH" = "empty" ] || [ "$TOOL_INPUT_PATH" = "null" ]; then
exit 0
fi
# Normalize path: convert Windows backslash to forward slash
NORMALIZED_PATH=$(echo "$TOOL_INPUT_PATH" | sed 's/\\/\//g')
# Check if path contains /src/
if echo "$NORMALIZED_PATH" | grep -q "/src/"; then
# Extract agent_type from stdin — present ONLY for sub-agents
AGENT_TYPE=$(echo "$INPUT" | jq -r '.agent_type // empty')
if [ -z "$AGENT_TYPE" ] || [ "$AGENT_TYPE" = "empty" ] || [ "$AGENT_TYPE" = "null" ]; then
# No agent_type -> main agent (not a sub-agent) -> BLOCK
echo "[HOOK BLOCKED] Main agent cannot write to src/ folder." >&2
echo "Only gas-script-coder and gas-sheets-builder sub-agents are allowed." >&2
exit 2
fi
# agent_type is present — check if approved
if [ "$AGENT_TYPE" = "gas-sheets-builder" ] || [ "$AGENT_TYPE" = "gas-script-coder" ]; then
exit 0
else
echo "[HOOK BLOCKED] Only gas-script-coder and gas-sheets-builder agents can write to src/ folder." >&2
echo "Your agent: '$AGENT_TYPE' is not authorized." >&2
exit 2
fi
fi
exit 0File: settings.json (APPROACH 4 CANDIDATE)
"UserPromptSubmit": [],
"PreToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{ "command": "bash \".../gs-file-restriction-enforcer.sh\"" },
{ "command": "bash \".../unit-test-checker.sh\"" },
{ "command": "bash \".../plan-validator.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
]
},
{
"matcher": "Agent|Bash|Write|Edit|NotebookEdit|Delete|Move|Copy",
"hooks": [
{ "command": "bash \".../subagent-delegation-enforcer.sh\"" },
{ "command": "bash \".../global-rules-enforcer.sh\"" },
{ "command": "bash \".../src-write-guard.sh\"" }
// src-write-guard now runs for Bash too — closes retry bypass
]
}
],
// REMOVE src-agent-recorder.sh from SubagentStart/SubagentStop (no longer needed)
// NO SessionEnd hook needed (no state file to clear)What to Remove from settings.json
Remove these from SubagentStart and SubagentStop (no longer needed):
- src-agent-recorder.sh
- src-agent-recorder.sh --clearSUMMARY TABLE — All Approaches
| Approach 1 | Approach 2 | Approach 3 | Approach 4 | |
|---|---|---|---|---|
| Uses state file | Yes | Yes | Yes | NO |
| Needs SubagentStart/Stop | Yes | Yes | Yes | NO |
| Reads agent_type from stdin | No | No | No | YES (but field doesn't exist) |
| Bash bypass fixed | No | No | Yes | YES |
| Stale state issue | Yes | Yes | Yes (SessionEnd fixes) | NO |
| Complexity | Medium | High | High | LOW |
| Status | 🔴 FAILED | 🔴 FAILED | 🟡 Not tested | 🔴 TESTED FAILED |
FILES TO CHANGE FOR APPROACH 4
| File | Action |
|---|---|
src-write-guard.sh | Replace with Approach 4 candidate script above |
settings.json | 1. Add src-write-guard.sh to Agent|Bash|Write|Edit|... block |
settings.json | 2. Remove src-agent-recorder.sh from SubagentStart |
settings.json | 3. Remove src-agent-recorder.sh --clear from SubagentStop |
src-agent-recorder.sh | Delete or repurpose (no longer needed for this hook) |
Claude Model
None
Is this a regression?
No, this never worked
Last Working Version
No response
Claude Code Version
2.1.123 (Claude Code)
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
VS Code integrated terminal
Additional Information
I have built a fully specialized subagent system:
Main agent → coordinator only, reads everything, writes ONLY to /.IDE_Plans/ for planning documents. Must never touch source code directly. gas-script-coder → writes Google Apps Script code, but write access restricted to ONE specific folder only. Can READ everything including PRD documents, architecture files, and all other folders. Write access to its assigned folder only — no other folder. gas-code-review → read-only agent. No write access at all. Only has Read tools. This is already working correctly because read-only is easy to enforce. The problem is write-restricted agents. gas-testing-agent → read-only agent. No writing access. Only reading tools assigned. Working correctly for the same reason. gas-error-handler → handles error logging, write access to logs folder only. gas-sheets-builder → builds sheet structures, write access to its specific assigned folder only. Can read everything but write only to its designated folder.
The pattern across all agents: Every agent can READ everything — PRD documents, plans, all source folders. But each agent can WRITE only to its ONE assigned folder. No agent can write to another agent's folder. This gives full isolation, full context awareness, and zero cross-contamination between agents. The critical broken behavior: When I block the main agent's write access to force it to delegate to subagents — ALL subagents also lose their write access simultaneously. There is no way to block only the main agent. The permission system is session-wide, not agent-wide. Blocking the main agent means blocking everyone. This makes the entire specialized architecture collapse — the very agents that SHOULD be writing cannot write, and the main agent that SHOULD NOT be writing still does it anyway when restrictions are removed. There is no middle ground available today.
extent analysis
TL;DR
The most likely fix involves modifying the src-write-guard.sh script to correctly identify and allow writes from approved sub-agents while blocking the main agent, potentially by finding an alternative method to distinguish between main and sub-agents since the agent_type field in PreToolUse stdin does not exist as previously thought.
Guidance
- Investigate Alternative Identification Methods: Since the
agent_typefield is not present in PreToolUse stdin, explore other fields or methods that could be used to distinguish between the main agent and sub-agents. This might involve deeper inspection of the PreToolUse stdin structure or utilizing other hooks/events. - Debug Logging for PreToolUse Stdin: Implement debug logging to capture the actual structure and content of PreToolUse stdin. This will help in understanding what information is available and how it can be used to identify the calling agent.
- Review Claude Code Documentation and Community Resources: Given that web research provided incorrect information about the
agent_typefield, review official Claude Code documentation and community forums for accurate information on distinguishing between main and sub-agents within hooks. - Consider Custom Solutions or Workarounds: If standard methods do not provide a straightforward solution, consider developing custom scripts or workarounds that can achieve the desired permission control. This might involve using external tools or scripts that can better manage agent permissions.
Example
Given the complexity and the incorrect assumption about the agent_type field, a direct code example cannot be provided without further investigation into the actual structure of PreToolUse stdin and the capabilities of Claude Code's hook system. However, the approach would involve:
- Capturing and logging the PreToolUse stdin to understand its structure.
- Identifying a unique identifier or method to distinguish between main and sub-agents.
- Modifying the
src-write-guard.shscript to use this identifier to allow or block writes accordingly.
Notes
- The solution requires a
Vote matrix · Quick signals
Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Still need to ship something?
×6Another batch ranked right after the header list — different links, same matching logic.
TRENDING
- Feature Request: Configurable per-minute rate limiting (RPM) for models to prevent 429 errors
- Android: Hermes App + Termux install share ~/.hermes and cause silent permission loops
- hermes update emits unicode-animations ANSI demo in non-interactive logs
- hermes update downgrades aiohttp from 3.13.4 to 3.13.3
- npm install warns about deprecated @babel/plugin-proposal-private-methods
- DingTalk inbound media URLs are skipped as unreadable native image paths
- fix(dashboard): ChatPage clears header action buttons on ALL pages, not just Sessions
- [Bug]: check_web_api_key() hardcodes built-in backends — third-party web search plugins silently disabled
- Hermes Web UI 修复经验:GatewayManager 补丁、进程 D 状态、数据库升级问题
- Telegram gateway can silently drop turn after /stop with response=0 chars while internal work continues
- Bug Report: v0.14.0 上下文污染 — 历史回复碎片回注到新请求
- Bug: hermes skills search table truncates Identifier column — install fails with copied value
- [skills-index-watchdog] Skills index is stale or degraded (degraded)
- Discord approval embed not rendering on web/mobile — embed data present in API but invisible
- Idea: Discord voice-channel participation / opt-in auto-join mode
- [Feature]: Claude Code--ultrawork
- build-arm64 job deterministically fails on cold cache (Azure SAS token expires mid-build)
- [Enhancement] computer_use: action=type should fall back to key events for terminal emulators (Ghostty/Terminal.app/iTerm2)
- Feature Request: Session Recovery on Temporary Provider Outage
- [Bug]: Hermes dashboard not working on NixOS (container)
- [Feature]: Add option to ignore @all/@everyone mentions in Feishu group chats
- QQ Bot WebSocket 频繁断开:长时间工具执行阻塞 asyncio 事件循环导致心跳超时
- patch tool: new_string escape sequences (\t) get written literally
- Feature Request: i18n / 多语言支持(国际化)
- Bug: web_crawl schema lets models auto-guess "instructions" instead of asking the user via clarify
- feat: `!command` prefix for direct shell execution (like Claude Code)
- Expose currently-running cron jobs via /api/jobs (or new endpoint)
- [Bug]: Kanban parent-child handoff: scratch workspace GC destroys artifacts before child can read them
- [Bug, Windows] hermes gateway restart loses session context — planned_stop_marker not written before SIGTERM
- [Bug]: Codex→DeepSeek fallback sends assistant turns without reasoning_content → HTTP 400 (require-side cross-provider failover)
- [Bug]: Update got stuck half way, reboot it, then ModuleNotFoundError: No module named 'hermes_cli'
- Kanban dispatcher corrupt-board handling and multi-profile gateway ownership ambiguity
- Gateway can resend a short fallback message when the real final Telegram response was already delivered
- [BUG] Bedrock: Fix 'Invalid API Key format' for presigned URL tokens
- Secret redaction corrupts code syntax in tool output (write_file, execute_code, terminal)
- Unable to connect Ollama Cloud with Pro Subscription to Hermes
- feat: fuzzy substring matching for /skill autocomplete
- PRD: Autonomous market-impact prediction briefing system
- Kanban dashboard should support task/card deep links
- [Feature] Native Feishu CardKit Streaming: consolidate best-in-class implementations
- [Feature]: Inject mental model into context when using Hindsight
- Interactive CLI hides tool output despite display.tool_progress=all, and hermes chat -v does not restore it
- fix(api_server): _handle_responses drops text.format JSON schema — structured output constraints silently ignored
- state.db FTS corruption goes undetected — no integrity check, no repair path
- bug: fallback routing can select text-only models for image requests and hide the primary failure
- feat(kanban): persist worker session_id per run and pass --resume on respawn after unblock
- feat(kanban): support GitHub/OMO lifecycle bridge for Xiyou-style automation
- Expose update-safe TUI/composer hooks for voice transcript and composer events
- Hide or configure voice transcript status rows in editable dictation mode
- [Feature]: Per-Tool / Per-Toolset Approval Policies
- Context compression creates orphan sessions missing from state.db
- messaging platform
- feat: Add read-only / silent monitoring mode for WhatsApp adapter
- double-.hermes path mismatch, the HOME env var leak, and the fallback-notification UX problem
- Bug: Plattform-Bundle name `hermes-yuanbao` in `agent.disabled_toolsets` silently kills ALL tools in gateway path (Telegram + cron), CLI unaffected
- CLI /yolo (in-chat) does not bypass dangerous command approvals — env var freeze + missing enable_session_yolo call
- OpenAI Codex provider crashes with "'NoneType' object is not iterable" (HTTP None)
- DEEPSEEK_API_KEY blocked by env blocklist in gateway process — cron jobs fail with deepseek provider
- fix(feishu): Card action callback routing issues - invalid message_id and unrecognized /card command
- Discord plugin: profiles without explicit `discord:` block silently get `require_mention=true` + `auto_thread=true` (regression in cc8e5ec2a)
- [Bug]: DISCORD_ALLOWED_ROLES ignored by gateway _is_user_authorized — role-authorized users get 'Unauthorized user' rejection
- [Bug]: /new, /clear, and /reset commands freeze the terminal session
- openai-codex subscription backend returns HTTP 200 with response.output=None, causing Slack/cron failures
- RFC: Centralized Model/Provider Registry
- bug: openai-codex provider — TypeError: 'NoneType' object is not iterable on every request (gpt-5.5)
- [Feature]: Source-aware instruction gate — architectural mitigation for indirect prompt injection
- Named custom provider stale_timeout_seconds ignored because runtime provider is normalized to `custom`
- guard test (ignore)
- [Feature]: per-platform LLM request_overrides (extra_body / reasoning_effort / service_tier)
- One-shot smoke: add Flue-backed orchestration fixture
- Gateway should not treat stale Codex app-server progress as final response after post-tool silence
- `docker_run_as_host_user: true` breaks bundled skills: Hermes home is mounted into `/root/.hermes` but the container runs as a non-root user (`HOME=/home/pn`)
- [Bug]: gateway api_server streaming bypasses server-side tool-call loop when chat_template_kwargs.enable_thinking=false (model emits tool name as plain text)
- [Feature]: Pre-install python-telegram-bot in Umbrel Hermes Docker image
- YouTube Shorts filter not working in youtube-content skill
- v0.15.0 PyPI release breaks ALL platforms — plugin.yaml manifests missing from package
- RFC: On-demand tool/skill/MCP discovery — decouple schema registration from process lifecycle
- Pixshelf: local-first stock photo workflow command center
- [Bug]: baoyu infographic skill should not silently bypass image_generate
- Pixshelf v1.5: manual submission tracking for stock agencies
- `hermes config set` silently accepts unknown keys, writing them where the runtime never reads
- Honcho memory prefetch hang on fresh CLI subprocess in v0.15.0 (regression from #27190)
- [Bug] v0.15.0 Docker image: stage2-hook.sh, main-wrapper.sh missing; container_boot module removed
- Feature: Reduce cache-read token overhead for DeepSeek providers — configurable cache_ttl, skills snapshot trimming, memory compaction
- Windows: three bugs from daily use (plugin discovery, gateway exit code, Unicode decode
- holographic memory: HRR silently degrades to FTS5 when numpy is missing
- Make max_tokens configurable for aux vision calls
- Conversation compression desynchronizes session ID between agent context and gateway routing, causing silent message loss
- [Bug]: v0.15.0 Docker image:The TUI cannot be used in the dashboard.
- cron: skip_memory=True blocks fact_store/memory tools from all cron jobs
- TUI: Node.js OOM crash when agent uses browser tools repeatedly
- feat: model_profiles — per-model toolset and memory config
- Automatic background skill patching disrupts active sessions (severe impact on local models)
- ensure_hermes_home() creates root-owned dirs in profile subdirectories when kanban workers are dispatched
- Feature: opt-in webhook bypass for DISCORD_ALLOW_BOTS — allow operator-initiated probes without weakening bot-loop guard
- v0.15.0: Codex requests fail HTTP 400 when participant display_name contains non-ASCII (emoji breaks input[].name pattern)
- Architecture: State Persistence Precedence (Memory vs Skills vs Hooks)
- [Bug]: cronjob tool: create action always fails with "schedule is required for create" even when parameters are provided
- codex-oauth: 'NoneType' object is not iterable in _run_codex_stream (gpt-5.5) — every turn fails non-retryably
- Docs/Config: Plugin local scope enablement ambiguity
- [Bug]: CLI freezes after using /new command (WSL)
- Profile Codex auth can ignore global credential pool when local state is stale
- [workflow-engine] CRITICAL: variable substitution crashes on regex metachars in user input
- [workflow-engine] HIGH: loop and bash nodes leak subprocesses on timeout
- [workflow-engine] HIGH: README documents config env vars the engine never reads
- [workflow-engine] MEDIUM: workflow_run rate limit bypassable via concurrent calls (TOCTOU)
- [workflow-engine] chore: manifest gaps, side-effectful register(), dead code, unauth kanban dispatch
- [mcp_lazy] HIGH: synthetic mcp_server_<name> stub collides with a real MCP server named 'server'
- [mcp_lazy] HIGH: promote_server eager flag documented but never persisted
- [mcp_lazy] MEDIUM: _prev_mode dict leaks and goes stale; not cleared on session evict
- [mcp_lazy] MEDIUM: get_pool has unlocked check-then-set race on pool creation
- [mcp_lazy] MEDIUM: pre_tool_call gives no guidance for unpromoted server-stub calls
- [mcp_lazy] chore: undeclared pre_tool_call hook, nonexistent 'mcp_load_tools' name in docs, missing tests
- [a2a_fleet] CRITICAL: server never auto-starts — register() runs outside an event loop
- [a2a_fleet] CRITICAL: auth_required defaults to false on a cross-machine surface
- [a2a_fleet] HIGH: remove invented disable() hook — loader never calls it, port leaks on reload
- [a2a_fleet] HIGH: plugin.yaml missing kind / provides_tools / requires_env (token env undeclared)
- [a2a_fleet] MEDIUM: tighten wide-open CORS, anonymous /health peer leak, and peer-URL SSRF
- [a2a_fleet] MEDIUM: relocate tests to tests/plugins/ and cover sync-register + auth-default paths
- xai-oauth auxiliary client incorrectly uses Responses API (CodexAuxiliaryClient), causing 403 on compression/vision/web_extract
- [Bug]: Direct Copilot gpt-5.5 large resumes are killed by 12s Codex TTFB watchdog
- [Bug]: `hermes uninstall` does not work on Windows
- TUI: Thinking block leaks raw JSON and Σ character
- Hostinger VPS: migration Hermes Agent → Hermes WebUI impossible (tini + UID mismatch + sessions)
- /goal judge over-continues exploratory goals unless the assistant explicitly says the goal is complete
- /goal auto-continuation can be amplified by preflight compression/session split and resurrect stale task state
- Dashboard infinite reload loop in loopback mode — GET /api/auth/me returns 401 on every page load
- [Bug]: Provider/LLM switch leaves stale encrypted_content causing 400 errors on Telegram sessions
- [Bug]: Infinite reload loop / React state loop on Sessions tab (Firefox + Chrome) — repeated 401 on /api/auth/me (v0.15.0)
- show_reasoning should work independently of streaming in CLI mode
- Feature Request: Strip reasoning/<think> blocks from TTS preprocessing
- mcp add / mcp test raise NameError when mcp package not installed
- v0.14.0 dashboard breaks behind reverse proxies — two regressions
- Skills hub creates empty category directories when no skills installed
- [Bug]: Custom endpoint: ChatCompletions returns content, but Hermes treats response as empty (v0.14.0)
- fix: atomic_replace() fails with EXDEV when HERMES_HOME is a cross-filesystem symlink
- fix(gateway): Feishu session cancellation orphans session guard, permanently blocking messages
- Custom endpoint pricing can overestimate Crof qwen3.5-9b cost by 1,000,000x
- MCP OAuth callback: module-level port global causes port collisions and structural weaknesses vs upstream
- Bug: send_message tool bypasses validate_media_delivery_path security check
- Proposal: Add Mnemosyne to official memory provider documentation
- feat(swarm): support custom verifier/synthesizer body + skills
- Template conversion failed
- Error occurred in the operation of the agent node in the workflow.
- PubSub client overrides Sentinel client when REDIS_USE_SENTINEL is enabled
- Frontend description of the Retrieval node output does not match the actual output
- JSON type input var raise Intenal server error
- cannot extract elements from a scalar
- 负载均衡 为模型配置多组凭据,并自动调用,此功能无法选择
- add models is error
- panic: could not create filter
- Persist partially generated messages when /chat-messages/:task_id/stop is called
- MCP server connection fails with 403 — request never leaves Dify (SSRF proxy suspected)
- Support durable async execution backends for long-running workflow steps
- [Xiaomi MiMo] Credentials validation fails with 400 "Not supported model mimo-v2-flash" when using Token Plan endpoint (v0.0.7)
- After clicking preview on a parent-child segmented knowledge base, it shows 0 chunks
- Retrieval score differs between UI upload (.docx) and API upload (.txt) despite identical chunk content and embedding model
- gemini cli crash again
- Xbox gift card code damage
- Damage caused by the gemini cli crash
- ioctl(2) failed, EBADF (Bad File Descriptor)
- Feat: Support Bun as an alternative runtime/package manager for updates and extensions
- fatal error again!!!!
- ioctl error
- Critical Crash: ioctl(2) failed, EBADF in ShellExecutionService.resizePty
- ioctl(2) failed, EBADF
- v0.44.0 Regression: Critical crash with ioctl(2) failed, EBADF during PTY resize
- Crash on startup: ioctl(2) failed, EBADF in UnixTerminal.resize
- Crash: `ioctl(2) failed, EBADF` in `node-pty` during PTY resize on macOS
- Gemini CLI crashes with `ioctl(2) failed, EBADF` in `node-pty` during `resizePty`
- Remote Role
- ERROR ioctl(2) failed, EBADF /home/mich
- RangeError: Maximum call stack size exceeded
- EBADF Error during folder creationg broke session and terminal glitches
- MAIP / Gargoub Project - Mediterania - North Coast
- Gemini cli crash again in this morning
- ERROR ioctl(2) failed, EBADF
- Verified node install fails — Checksum verification failed (Cloud)
- The extended debugging key did not arrive during registration.
- CollaborationPane unmounts collaboration store on single-user instances, causing permanent "No network connection" state
- Workflow cannot be saved when the name contains "->" (Potentially malicious string)
- automation does not work and does not show an error
- Raj Ai Automation
- Default Data Loader: DOMMatrix is not defined error
- Feature: Per-node execution timestamp overlay on canvas during workflow run
- AI Agent + Vertex `gemini-3.5-flash`: 400 "missing thought_signature" on sequential multi-turn tool calls (post-#24982)
- PDF Loader in Pinecone Vector Store fails due to pdf-parse version conflict (v2 not supported)
- emailReadImap: add UID deduplication, batch size cap, and numeric uid enforcement
- Manual node execution fails with "Could not find a node" when autosave is disabled (N8N_WORKFLOWS_AUTOSAVE_DISABLED)
- Schedule Trigger stopped firing — workflow Published & active, manual executions succeed, no automated fires for 2+ hours
- [MCP SDK] create_workflow_from_code intermittently returns HTTP 500, often as a false negative (workflow persists anyway, causing duplicates on retry)
- Credential-load wedge: workflows using googleApi/jwtAuth credentials silently fail to execute after key rotation
- Google Sheets Trigger every minute is not working manual Execute is working sent email
- [BUG] Plugin marketplace MCP connector remains stuck "still connecting" when mcp-remote requires OAuth
- [redacted at user request]
- Opus 4.7 behavioral regression: loaded instruction-following discipline degraded in recent Claude Code/Cowork updates
- [BUG] Tailscale via Homebrew CLI + Mac App Store GUI, both Macs on macOS, Cowork blocked by VPN detector despite Tailscale being a mesh VPN with no traffic interception
- stopShellPty on tab switch kills active sessions (exit 143) — regression in May 27 build
- [BUG] Long URLs are broken into multiple lines and become unclickable in terminal output
- [BUG] claude rm/stop/reap SIGKILLs background session tree without SIGTERM grace, orphaning git index.lock and similar
- [BUG] Default git workflow in the system prompt was pushed without context or consent
- [MODEL] Inconsistent output quality / Ignoring instructions (overfitting and inappropriate repetition of Korean vocabulary)
- You've hit your weekly limit · resets May 31 at 5pm (Asia/Shanghai)
- Paid yearly subscription silently downgraded to Free with no user action
- [Regression v2.1.153] Plugin bash hooks fail with "echo: write error: Permission denied" on Windows (claude-mem, shell: "bash")
- [BUG] Connector toggles in conversation are not clickable — must click text label instead
- [remote-control] Input from mobile app/browser not reaching host session — output works fine
- Model fails to read/reference CLAUDE.md contents despite being loaded in context
- [BUG] Claude Desktop reinstall destroys Code chat history (transcripts + Recents) while regular Chat history, project files, and memory all survive
- Bypass mode clamps to Accept Edits even with the toggle ON (Claude Code Desktop 1.9255.2 / CC 2.1.149)
- [BUG] TUI input freezes randomly mid-typing — entire prompt becomes unresponsive for minutes
- [BUG] Cowork downloads Linux ELF binary instead of macOS binary on macOS Sonoma 14.8.7 — exit code 132 (SIGILL) on every session
- [Feature Request] Persistent project memory — sessions forget everything on close, forcing users to keep many sessions open
- [Bug] Thread context stale after sleep/resume, returns outdated date and calendar data
- [FEATURE] Add context window usage indicator and warning before auto-compaction
- [BUG] Dictation error: Invalid character in header content ["x-config-keyterms"] on Windows
- [Bug] Anthropic API Error: Server rate limiting despite normal usage
- Does delegating work to `claude -p` subprocesses reduce context accumulation in the parent session?
- [BUG] Claude Code hangs on M1 Mac when terminal says "opening browser to sign in" and browser opens
- [BUG] Claude_Preview MCP preview_start spawns dev server with main-repo cwd instead of session's worktree cwd
- [Bug] Anthropic API Error: Server rate limiting during request execution
- [Bug] Anthropic API Error: Server rate limiting on concurrent requests
- [Bug] Ultraplan ready notification fires before cloud agent completes execution
- [BUG] API 500 ERROR ALL THROUGHOUT THE DAY
- [BUG] Cowork: Live Artifacts folder path changed in 1.9255.2, no automatic migration from Documents\Claude\Artifacts
- [Bug] Auto-compact never triggers despite statusline reporting "100% context used" (v2.1.153, Max sub, 200K mode)
- [BUG] [Desktop / macOS] 'Open in → New Window' detached session: font renders smaller than main, no per-window controls, Cmd+/Cmd- keystrokes routed to main window instead
- Feature request: option to switch between classic and new minimal UI
- [Feature Request] Show timestamps for each message
- [BUG] Terminal corruption when permission prompt appears while navigating Agent Teams agent selection menu
- [FEATURE] Allow users to customize the background color of the Claude desktop app beyond the current light/dark theme presets.
- [BUG] Statusline not displaying on Windows [fixed]
- Background agent UI Stop button is a no-op for stuck agents — process keeps consuming tokens
- Background agents silently die on session pause/resume — no completion notification, no work recovery
- Add option to hide email address from welcome banner
- [BUG] SSH Remote: `projects` field in remote ~/.claude.json becomes null after desktop restart — jsonl files intact, UI shows 'No messages yet' for every session
- [Bug] Claude Code not applying fixes despite claiming to complete tasks
- billing is unfair and poorly documented
- [BUG] Claude Code on the web: declared plugins inactive on first session, require restart to fully load
- [BUG] Restore from archive deleted sessions instead of restoring them
- [BUG] M365 connector fails with AADSTS50011 in Cowork — localhost vs 127.0.0.1 redirect URI mismatch
- claude agents: workflow slash-commands missing from dispatch-input completion (regression-adjacent to #61424)
- Claude Desktop's Info.plist missing TCC usage strings, blocks all EventKit-based MCP servers
- False-positive safety blocks on self-administered governance amendments — request for owner-authority mode for verified professional users
- [BUG] Stop pushing "AUTO"-mode
- [DOCS] Plugin marketplace guide omits `skipLfs` option for git-based sources
- [DOCS] MCP docs omit combined startup notification for MCP server and connector authentication
- [DOCS] Agent view docs omit macOS Privacy & Security identity for background agents
- [DOCS] Npm update docs do not explain release-channel behavior for `claude update`
- [DOCS] Agent SDK docs omit `subagent_type: "claude"` worktree and output persistence behavior
- [DOCS] Background session docs omit `$CLAUDE_JOB_DIR` temp-file behavior
- [FR] mask env-var values in 'claude mcp get <server>' output
- [FR] subagent worktrees should not inherit stale local 'user.email' from prior dispatches
- [BUG] Windows: Grep tool leaks rg.exe + conhost.exe processes (~2000 zombies / 14 GB RAM in long sessions)
- [BUG] Stats dashboard "Peak hour" appears off by one hour
- [BUG] Diff highlight (teal SGR background) bleeds past changed text in 2.1.150–2.1.153
- [FEATURE] confirm before deleting session
- Plugin PostToolUse hooks still silently skip in Claude Desktop / Cowork (re-filing closed #51904)
- /code-review skill: silent fallback to main...HEAD reviews other people's commits, and JSON-only output is hard to read
- Monitor tool doesn't source the shell snapshot like Bash does; PATH-dependent tools (jq, sleep, etc.) fail in Monitor commands on macOS/Nix
- [Bug] Long input lines truncated with ellipsis while typing instead of wrapping in terminal UI
- [FEATURE] VS Code extension: Render submitted user messages as Markdown in chat
- OSC 52 copy from Claude TUI doesn't reach clipboard inside tmux (regression in 2.1.146–2.1.153)
- [BUG] RemoteTrigger create/update returns HTTP 400 with circular error: "event_type is required" / "unknown field event_type"
- [BUG] Option to hide or minimize the built-in "status footer" (multi-line debug/cost panel) [re-raise of #31475]
- [Bug] Feedback submissions being closed without review or action
- [FEATURE] Word-jump cursor navigation in Chat input (option+arrow / bindable actions)
- [FEATURE] ! shell mode: filesystem tab completion
- [BUG] API Error: Usage credits required for 1M context
- claude agents: OSC 52 clipboard emission broken in tmux (regression in 2.1.146–2.1.153)
- CLI crashes on macOS 15 M3 - exit code 1
- [FEATURE] Support Cmd+V image paste from clipboard
- [FEATURE] Enhance claude.ai M365 connector to support MS Planner
- [BUG] Slash command autocomplete hijacks pasted absolute file paths starting with /
- PreToolUse hook `if` filter false-positives on complex Bash commands
- [BUG] Diff panel hangs/whites out
- Feature Request: Support drag-and-drop for binary documents (.wps, .doc, .docx, .xlsx, .pdf) in VS Code extension
- [BUG] activation of 1M context in VSCode
- [FEATURE] Support i18n / language localization for built-in slash command outputs
- Ctrl+V para colar imagens deixou de funcionar no CLI (Windows, PowerShell)
- [FEATURE] Please add Norwegian (Bokmål/Nynorsk) language support to the Claude Code interface
- [BUG] OTel log events (claude_code.user_prompt, api_request_body, tool_decision, hook_execution_complete) emitted with empty trace_id/span_id while sibling spans correlate correctly
- [BUG] Cowork crashes on every message, no VM logs generated, missing AppData\Roaming\Claude
- [FEATURE] first-class session handoff + per-session token budgets for unattended runs
- [FEATURE] Smart paste: convert clipboard code to file reference chips (like Cursor)
- [Feature Request] Restore chat pin functionality to title chat submenu
- [BUG] SIGILL issues with version 2.1.153
- [BUG] Cowork plugin upload fails with generic "Plugin validation failed" when a `description` field in any SKILL.md frontmatter contains angle brackets (`<…>`)
- [BUG] Desktop App 2.1.144+: startup scanner deletes cliSessionId from claude-code-sessions local files on every launch — session not found on disk
- [Feature Request] Add keyboard shortcut to copy last message with proper formatting
- [MODEL] Opus 4.7 not 1M
- Allow naming/renaming background agents in `claude agents` view
- Stale worktrees in .claude/worktrees/ are never cleaned up, consuming massive disk space
- Agent worktrees are never cleaned up, silently consuming disk space
- Subagent worktrees not auto-cleaned when reviewer writes scratch files
- [Bug] Skill initialization hangs for extended duration in Plan Mode
- Claude Desktop writes malformed registry Run entry (nested escaped quotes) - crashes Windows Task Manager and other Run-key parsers
- IME candidate window shows at bottom-right corner instead of caret position (Windows CMD)
- [BUG] Pressing 'Escape' doesn't close the /BTW conversation when the main conversation is asking for approval
- [BUG] Opus 4.7 (1M) intermittently emits empty-string values for tool_use.input fields, killing the session
- FleetView agent UI shows "running" with incrementing elapsed time after agent has returned
- /doctor flags context-scoped cmd+c binding as macOS conflict (false positive)
- [BUG] Text Rendering in Elvish
- Desktop app: Bypass Permissions mode flips to Accept Edits on first prompt (M5 / macOS 26.5)
- [Workaround] Date-Weekday Verification Hook — Prevents Claude from writing wrong weekdays
- [BUG] Claude Code create c:/memfs directory without asking me.
- [BUG] Claude Code's Bash execution waits forever with no processes running
- [BUG] usage stays stuck waiting for 5 hr limit after upgrading to premium seat in team plan
- [Workflow tool] resume cache is unreachable for nontrivial workflows because LLM dispatchers can't transcribe args byte-exactly
- Code review (Preview): "Add a repository" shows no results for private GitHub org repos
- [BUG] /context commands blows up context
- [Feature Request] Add precache expiry hook to enable proactive compaction before token eviction
- [BUG] Context indicator shows 0% at session start despite ~20K+ tokens already loaded
- [Feature Request] Add semantic search for --resume session history
- [Feature Request] Add session search, tagging, and filtering capabilities
- [BUG] Cowork Dispatch reports "desktop not available" on Windows 11 while standard Cowork works normally
- [Bug] Claude Code provides incorrect suggestions with high confidence despite errors
- defaultMode: acceptEdits silently overrides per-path permissions.ask rules for Write/Edit
- [FEATUR configurable tip interval (e.g. tipIntervalSeconds: 30 in settings)E]
- Plugin marketplace fails to load: schema rejects 'displayName' key (v2.1.153)
- claude agents: in-session copy uses broken OSC 52 path while overview correctly uses tmux buffer
- [BUG] Plugin agent descriptions (and custom agents) load unconditionally into context — no parity with disable-model-invocation for skills
- Crashed ultrareview consumed a free credit despite producing zero findings
- [Bug] Character rendering issue - invisible or missing text display
- [BUG] Cowork: processo Claude Code encerra com código 3 — .claude.json não contém token de autenticação (Windows 11 25H2)
- [BUG] 2.1.153 silently discards tools/list response from rmcp 0.12.0 HTTP MCP server (works in 2.1.152, wire-identical handshake)
- VS Code extension: option to auto-resume last session when reopening a workspace folder
- [Bug] Conversation continuation failure
- [BUG] Cowork crashes every time I start a new chat or attempt to continue an existing one in any project. The error displayed is: "Claude Code è andato in crash
- [Bug] Unannounced quota changes
- Native update/install fails with 'socket connection was closed unexpectedly' behind proxy — undici TLS incompatibility
- [BUG] Session name reverting after manual change
- [BUG] 非正常思考,上下文过长时,一直显示思考,点击interrupt按钮失效
- Honor `tools:` frontmatter when an agent is invoked via `@mention` — strip `Task` only when the agent did not declare it
- macOS TCC popup still recurring on v2.1.153 — "2.1.153" would like to access data from other apps
- Claude Code leaks pty handles — exhausts pseudo-terminals on macOS after long session
- [Bug] Agent fails to execute or respond to user input
- [BUG] Persistent "Expecting value: line 1 column 1 (char 0)" JSON parse error after tool execution
- [Feature Request] Implement proactive unit test coverage recommendations for recurring bugs
- VS Code panel lacks status line + terminal lacks image paste in Codespaces, forcing a tradeoff
- `/powerup` only shows ~10 lessons — allow viewing the full catalog
- [Bug] Context contamination after auto-compact with unrelated email draft of Tejo/Sado Basin
- [Bug] VSCode terminal output displays corrupted text with garbled symbols
- [Feature Request] Add LaTeX/KaTeX math rendering to TUI
- [Bug] Sub-agent PR review results not validated by orchestrating agent
- Subagents on Pro 1M tier: trivial probes pass, real workloads fail at first tool call (probe-vs-workload divergence)
- Path-scoped rules and subdirectory CLAUDE.md not loaded when creating new files matching the pattern
- AskUserQuestion: cancelling during extended thinking poisons the whole session with 400 'thinking blocks cannot be modified' (2.1.153); concurrent prompts overwrite each other
- Ideas Missing from Claude Cowork Menu (Windows)
- [BUG_BOUNTY_SAFE_POC_2026] Prompt Injection RCE Test - Command Execution Proof
- [BUG] Cowork scheduled task: execution history row not showing after successful run
- Resuming an extended-thinking session fails permanently with 400 "thinking blocks cannot be modified" (transcript stores thinking text as empty but keeps signature)
- [Bug] Plugin-registered CwdChanged and FileChanged hooks don't fire (settings.json works) — v2.1.153
- Auto-archive on PR merge / branch delete — clarify autoArchiveSessions semantics or add dedicated opt-out
- `claude mcp add` echoes Authorization header value verbatim to stdout, leaks bearer tokens to terminal and session transcripts
- [BUG] Bug report — /insights skill, Claude Code The /insights skill outputs a malformed file path.
- Plugin slash commands render with '*'-inline format instead of two-column, despite matching official plugin shape
- [Bug] Unexpected long text generation without user input or goal
- [Bug] Thinking blocks causing task progression blocked without user modification
- [BUG] (Critical!) contamination by an unknown session simirlar to the report => [Bug] Context contamination after auto-compact with unrelated email draft of Tejo/Sado Basin #63137
- [Critical] Opus 4.7 Korean output degeneration — Korean grammar itself collapses in long contexts
- [BUG] Title: Autocompact buffer persists across /clear — wastes tokens for irrelevant old context
- [Bug] Auto-Compact loses user input before processing in conversation history
- Feature: per-invocation effort parameter + runtime session-config introspection for skills
- Auto-mode classifier mislabels Azure DevOps vote -5 as "Reject" when denying PR vote actions
- [BUG] Claude Desktop and Claude Code CLI never re-register MCP tools after OAuth 2.1 handshake on a remote HTTP server
- [BUG] Workspace file tags leak across sessions
- [BUG] Ink renderer crashes on Windows 11 build 26200 (Canary) duplicate banners, terminal mode leaks, mid-operation aborts
- [BUG] Claude Code Desktop issue
- PTY master fd leak in Claude desktop app exhausts macOS kern.tty.ptmx_max after ~2-3 days
- [BUG] Claude Code — Session Management after Unexpected Interruption
- [Windows] Cowork OpenTelemetry exporter does not initialize - zero events emitted to any destination, including loopback
- [Bug] Opus 4.7: 400 `thinking blocks ... cannot be modified` on long extended-thinking sessions, triggered by history-altering events (scheduled prompts / parallel tool-call cancellation)
- [BUG] API Error: Server is temporarily limiting requests (not your usage limit) · Rate limited
- Multi-plugin custom marketplace: only first plugin registered in installed_plugins.json, skills don't load
- [BUG] Git push through the SDK's git proxy fan-outs into ~500 GitHub REST API calls, exhausting the 5,000/hour budget after a handful of pushes
- [BUG] Claude took liberties it really shouldn't with my global config
- [BUG] Agent window focus lost after navigating with arrow keys, causing scroll deadlock
- [BUG] `--model` flag silently ignored in interactive sessions (works in `--print` only)
- [BUG] Dispatch permanently shows "desktop appears offline" on Windows 11 - never worked on first use
- feat: support per-command enableWeakerNetworkIsolation as safer alternative to dangerouslyDisableSandbox
- /code-review outputs a raw JSON array instead of readable findings
- [BUG] Cowork — Additional allowed domains ignored on Team plan; same domain works on Pro plan
- Haiku
- [Bug] False positive blocking beneficial outcomes in tool execution
- 3P Bedrock SSO: credentials silently expire without triggering re-auth on day 2+
- CLAUDE_AUTOCOMPACT_PCT_OVERRIDE in settings.json env block silently ignored by autocompact logic
- Auto-compaction deletes main session JSONL before verifying summary completion, causing data loss
- [Bug] Claude Code not executing stated actions or producing expected results
- [FEATURE] Deferred Messages — Queue Input for End of Turn
- [BUG] Up/Down arrows in input box navigate history instead of moving cursor — regression in 2.1.149+
- Cancelling a parallel tool-call batch corrupts thinking blocks -> 400 "thinking blocks cannot be modified" permanently wedges the session
- Claude Code caused data loss, then contradicted itself about recovery (two incidents, one session)
- [Bug] Unclear error messages from Claude Code CLI
- [Bug] Agent tool rejecting due to context size limit exceeded
- claude agents: daemon and bg-spare processes spin at ~100% CPU when idle
- [BUG] Compaction fails with "context window limit" error even when context usage is low (e.g., 20%) — regression in v2.1.153
- Remote Control entitlement lost after May 27-28 incident — `Error: Remote Control is not yet enabled for your account` on active Max subscription
- PreToolUse hook exit code 2 does not block Write tool
- [Bug] Thinking blocks in latest assistant message are immutable
- GUI: dispatch file:// and custom-scheme clicks to OS shell handler
- Show current model in statusLine by default
- [Bug] Agent console becomes unresponsive to keyboard input after multiple agents initialized
- [FEATURE] PreToolUse hooks should have a way of updating the environment
- [Bug] Unable to start or use Claude Code CLI
- [BUG] Repository not visible in Claude Code web repo picker
- Session permanently wedged on 400 "thinking blocks cannot be modified" after parallel tool_results
- [Bug] @ autocomplete loses sibling repos after a file edit in multi-repo workspace
- Unclear error message when creating sub-agent without authentication
- [Bug] Anthropic API errors causing frequent failures and high token usage
- [BUG] @ mention file picker only shows packages, not individual files (desktop app - Code tab)
- [Bug] TUI panel footer remains sticky and consumes excessive terminal space
- PR-status polling exhausts GitHub GraphQL rate limit on repos with many open PRs
- [BUG] Windows: welcome panel not shown in some project folders (2.1.153)
- [Bug] Anthropic API Error: thinking blocks corrupted during context compaction with extended thinking enabled
- API 400 "thinking blocks cannot be modified" permanently bricks session during agent activation (interleaved thinking + tool use)
- Right-click Copy copies the whole message instead of the selection; pasted text retains dark background
- Mid-session model switch corrupts conversation when extended thinking is enabled (API 400: 'thinking blocks cannot be modified')
- [BUG] Markdown file links in chat output do not open files when clicked (VS Code extension)
- Stuck retry loop: `400 thinking blocks cannot be modified` on large interleaved-thinking turns using AskUserQuestion
- [FEATURE] Prompt user for approval before auto-compaction proceeds
- Custom MCP connectors not attachable to scheduled routines — no UUID discovery path
- [BUG] Claude in Chrome — Navigation blocked for teams.cloud.microsoft and outlook.cloud.microsoft after Microsoft domain migration**
- [BUG] Claude Desktop — Personal plugins panel renders list but is entirely non-interactive (macOS, v1.9255.2)
- [Bug] error when using Workflows
- [BUG] Persistent "update available" notification despite being on latest version
- [BUG] Sweep Agent from /code-review never completes
- [Bug] Tool calls not executing or returning results
- [FEATURE] Cloud-synced memory and settings across machines
- [Bug] Terminal UI freezes when Ctrl+O view exits during interactive prompt in plan mode
- Continuous api errors when using claude code with Opus 4.7 with thinking on low
- [Feature Request] Add support for installing and using previous Claude Code versions
- [Bug] Extended Thinking: Summarized thinking blocks fail signature validation when resent to API
- [Bug] Anthropic API Error: 'thinking' blocks cannot be modified
- [Bug] Anthropic API Error: Thinking blocks cannot be modified with extended thinking mode
- Feature request: Lazy/on-demand MCP server connections
- [Bug] Tool Arguments Parsed as String Instead of Object
- [Bug] Anthropic API Error: Insufficient context provided
- [Bug] Claude Opus occasionally uses moskovian(russian) orthography instead of Ukrainian in system-prompted responses
- Opus 4.8: backgrounded task completions (subagents AND Bash) crash with 400 "thinking blocks cannot be modified"
- [Bug] Opus 4.7 fabricates stable preferences ("my default") to rationalize arbitrary choices when challenged
- [Bug] Unable to update Claude Code CLI
- [BUG] Desktop app: /remote-control mints link + connects bridge (main.log) but in-chat link/QR panel never renders
- Feature: sessionColor and sessionName in .claude/settings.json
- [BUG] Anthropic API error: thinking blocks
- [FEATURE] Support Remote MCPs in Cowork as in Claude Code
- [Bug] Anthropic API Error: 400 Bad Request with Redacted Thinking - 0 4.7 & 4.8
- [Bug] Anthropic API Error: Cannot modify thinking blocks from different model versions
- Interleaved thinking + multi-tool turn corrupts thinking block (text blanked, signature kept) → permanent 400 'blocks must remain as they were'
- [BUG] Mode/permission changes mid-tool-loop (effortLevel: xhigh) poisons entire session
- Session failure log: Opus 4.6 ignores its own rules for an entire session
- [BUG] "400 Guardrail was enabled" error when using Claude Opus 4.8 with AWS Bedrock
- [Feature Request] Add subagent approach selection option to avoid accidental feedback
- Persistent 400 'thinking blocks in the latest assistant message cannot be modified' — interleaved thinking persisted with empty text + signature bricks sessions
- [BUG] DesktopvsApp
- [BUG] Opus 4.7 cache hit rate collapse after May 27 incident — Messages 1.1k→88.9k in 9 minutes, $630/session
- [Bug] Anthropic API Error: Invalid thinking block format
- [BUG] FUCK CLAUDE
- Opus 4.8 extended thinking: Stop hook block re-entry corrupts thinking blocks → 400
- [Bug] 4.8 Fails when accessing previous model history
- [Bug] Unintended File Modifications During Execution
- [DOCS] Model configuration docs omit lean system prompt default scope and model exceptions
- Add "Always allow globally" option to permission prompts
- Server-side model upgrade (Opus 4.7→4.8) wedges in-flight sessions with `thinking blocks cannot be modified` 400
- [DOCS] AskUserQuestion docs missing multiple-choice prompt decision threshold
- [DOCS] Agent view docs omit shell-command background session launch syntax
- [DOCS] Agent view dispatch input docs incorrectly imply `/logout` dispatches as a prompt
- [DOCS] Claude in Chrome docs omit connected-browser selection behavior
- [DOCS] Plugin docs omit `defaultEnabled: false` for opt-in plugins
- Feature Request: Customizable chat text colors for user and assistant messages
- [DOCS] `/plugin` Discover tab docs omit directory-based suggested plugin pins
- VSCode Chrome integration silently fails: 3 distinct bugs
- [DOCS] MCP stdio docs omit session environment variables
- [Bug] Anthropic API error on second request within session with Claude Opus 4.8
- Cowork emits a blank session "index" handoff on focus when a CLI session is paused awaiting input
- [DOCS] MCP docs omit `claude mcp list/get` pending-approval output for unapproved project servers
- [BUG] /compact fails with 400 error when last assistant turn contains thinking blocks
- [DOCS] `/claude-api` docs omit Opus 4.8 migration guidance
- [DOCS] Fast mode docs still recommend deprecated Opus 4.6 override variable
- [DOCS] Bash tool docs omit `$TMPDIR` consistency across sandboxed and unsandboxed commands
- [Bug] Anthropic API Error: 400 Bad Request on Extended Thinking
- [DOCS] Background session docs omit worktree-isolation behavior for spawned subagents
- Built-in mechanistic self-verification of verifiable claims (symmetric to the auto permission gate)
- [DOCS] Worktree docs do not clarify `worktree.baseRef: "head"` inside linked worktrees
- [BUG] Excessive RAM usage with multiple parallel chats (~10 sessions → 30 GB memory pressure, macOS OOM)
- [DOCS] Managed MCP policy docs omit invalid `allowedMcpServers`/`deniedMcpServers` entry behavior
- [DOCS] Effort docs omit `CLAUDE_CODE_ALWAYS_ENABLE_EFFORT` unsupported-model behavior
- Regression (2.1.147–2.1.150?): resuming an extended-thinking session after a CC update/model-switch → unrecoverable 400, session bricked
- [DOCS] Windows updater docs omit `claude.exe` in-use recovery guidance
- [DOCS] VS Code auto mode docs still tie mode-picker visibility to bypass-permissions setting
- [DOCS] MCP docs omit `/mcp` tool list and detail rendering behavior
- [DOCS] Fine-grained tool streaming docs still describe provider opt-in behavior
- bypassPermissions: session startup reads flat pref, GUI toggle writes per-account pref — they never sync
- [BUG] Claude Desktop Code tab causes disk write limit violation — 8.5GB in 11 min, macOS kills app (M5, v1.9659.1)
- Ultrareview v2.1.96: docs describe /tasks command + claude ultrareview --json subcommand that don't exist; findings hard to read after completion
- I'd be happy to help create a GitHub issue title, but I don't see the error message in your message. Could you please share the specific error you're encountering? That way I can generate an accurate and descriptive issue title for you.
- [BUG] Claude in Chrome `file_upload` rejects all scheduled-task sessions with misleading error (real cause: INVALID_SESSION)
- Extended thinking: signed thinking block 'cannot be modified' (400) permanently wedges session
- RTL text support for Hebrew (and Arabic) in Claude Code
- [Bug] Random errors occurring across multiple operations