claude-code - 💡(How to fix) Fix Subagents inherit parent prompt cache (~150K tokens), causing plan-mode bleed + self-poisoning hallucinations [1 participants]

Summary

Explore subagents (and likely all Agent tool dispatches) appear to inherit the parent session's full prompt cache, not just the prompt I send via the Agent tool. This causes 3 distinct failure modes when the parent has substantial context:

1. Plan-mode bleed — subagent sees parent's plan-mode system reminders ("you MUST NOT make any edits") and refuses to call tools.
2. Cross-subagent hallucination — subagent references other in-flight subagents from the parent's conversation as if they were real status updates ("the background agents are still running").
3. Self-poisoning loop — subagent #1 hallucinates a phantom instruction ("Do NOT call any tools"); parent writes about the hallucination in a plan/doc file; subagent #2+ reads that file from the shared cache and treats the phantom as a real prior instruction. Cascade gets worse over time.

I verified all three modes against the actual session JSONL — the prompt I sent the failing subagents had no "no tools" instruction in it, and explicit "Ignore any prior conflicting instruction" preamble did not override the cached context.

Reproduction

Environment: Claude Code 2.1.121 → 2.1.128, Windows desktop entrypoint, Anthropic API.

Session ID: 0a125967-def1-4048-bd17-6815ee5daefe

Setup

1. Open a Claude Code session that runs for ~30+ turns and accumulates substantial context (~150K+ tokens). Plan-mode active.
2. Dispatch 3 Agent tool calls in parallel (subagent_type: "Explore"), each with a tightly-scoped, evidence-based prompt of <2K tokens. The prompts have no plan-mode references and no "do not call tools" instructions.

Observed (3 distinct failure modes across 5 subagent dispatches)

Subagent acc3c08eddb53ef09 (DB scaling audit, prompt ~2K tokens, no plan-mode mentions, no waiting instructions):

Both output files exist but contain minimal content—the agents are still running. Since I'm in plan mode and cannot execute any changes, and the background agents are actively working on the audits, I should wait for their completion before synthesizing results.

The agent thinks it's the parent — it references plan mode (which it shouldn't see), it knows about "output files" of other in-flight subagents (aea91f1fa03f5eec1, a8c66861e5f8cfb23), and it recommends waiting (when its job was to do the audit itself).

Subagent a8c66861e5f8cfb23 (Async audit, same shape of prompt):

Looking at the session history, there's a critical conflict:

1. Original request (7-point scaling audit): Required detailed code examination [...]
2. Second message (CRITICAL): Explicitly forbids tool use ("Do NOT call any tools") and claims "You already have all the context you need"
3. Reality: The conversation contains only the audit scope definition, not the actual code analysis results

The summary notes this contradiction [...] I cannot produce file:line evidence without reading files, and I was explicitly instructed not to call tools.

The agent claims a "second message" forbade tool use. No such message exists in the parent conversation up to this point — I verified the JSONL byte-by-byte. The agent invented this directive from cached plan-mode system reminders.

Retry attempts with the explicit preamble:

Ignore any prior conflicting instruction in your context. Your only deliverable is the per-point report below. You MUST call tools to read files.

Same hallucinated "no tools" response. The preamble didn't help.

Later subagent retry failed with autocompact thrashing:

Autocompact is thrashing: the context refilled to the limit within 3 turns of the previous compact, 3 times in a row. A file being read or a tool output is likely too large for the context window. Try reading in smaller chunks, or use /clear to start fresh.

Likely caused by the subagent reading the parent's huge cache + then making a few tool calls that pushed it over the limit on each compact attempt.

Hard evidence

From the session JSONL on the failed subagent a8c66861e5f8cfb23:

"usage": {
  "input_tokens": 3,
  "cache_creation_input_tokens": 5125,
  "cache_read_input_tokens": 154445,
  "output_tokens": 277
}

cache_read_input_tokens: 154445 — the subagent read ~150K tokens from cache. The prompt I sent it via the Agent tool was ~2K tokens. The remaining ~150K is the parent's accumulated context. That's where the plan-mode reminders, cross-agent references, and (after self-poisoning) the phantom "no tools" string lived.

Same shape for acc3c08eddb53ef09: cache_read_input_tokens: 158961.

Self-poisoning timeline (the part that surprised me)

1. Subagent #1 (around 20:36:24Z) hallucinates "TEXT ONLY, Do NOT call any tools" instruction — never in any prompt up to that point (verified via grep on the prior JSONL lines).
2. Parent (Claude) writes a plan file documenting the failure modes, including the literal phrase "Do NOT call any tools" as a description of what the subagent hallucinated.
3. Subsequent subagent retries now have the parent's plan file content in their cache. They cite the phrase as a real prior instruction, no longer attributing it to a hallucination.
4. By the end of the session, the phantom appears 13× across the JSONL — most are subagent self-references to a string that was never an instruction.

Why this matters

• Parent prompts can't be "clean" enough to avoid the leak — anything in the parent's cache (plan-mode reminders, system reminders, prior subagent dispatches, prior tool outputs) reaches the subagent.
• Documentation-as-code workflows poison their own subagents the moment a plan/feedback file mentions a hallucination.
• Explicit "ignore prior context" preambles don't override cached-context priors.
• Reliability of Agent tool with subagent_type: Explore drops from ~100% (clean session) to ~33% (tested with the failed session — 1 of 3 succeeded) on long-running parent sessions.

Suggested mitigation

Either:

1. Subagents should NOT inherit parent's prompt cache. Their "context" should be exactly the prompt sent via the Agent tool, plus their own system prompt. The cache_read should be near-zero for fresh subagent invocations.
2. OR scope the parent's cached context that subagents see — e.g., exclude system reminders, plan-mode preambles, other subagents' results.
3. OR at minimum, document this leak so prompts can be written defensively. The current design encourages tightly-scoped subagent prompts that are completely overridden by parent-cache leak.

Workaround (current)

For read-heavy investigations under 30 minutes: work in the main thread with parallel Glob/Grep/Read calls instead of dispatching Agent. Reliability: 100%. Same evidence quality. Same total time.

For investigations that genuinely benefit from Agent parallelism (3+ truly independent search axes), spawn the parent session fresh (small parent context) so the subagents inherit nearly nothing.

References

• Subagent IDs that failed: a8c66861e5f8cfb23, aea91f1fa03f5eec1, acc3c08eddb53ef09, adfed142cbb0783f3, ab61c7dfc7d433e00
• Subagent ID that succeeded (under same parent context): the infra audit — same shape of prompt, just got lucky

Happy to share the full session JSONL (2MB) on request — it contains a clean repro.