diff --git a/.story_kit/stories/upcoming/35_agent_security_and_sandboxing.md b/.story_kit/stories/upcoming/35_agent_security_and_sandboxing.md new file mode 100644 index 0000000..bf9b51f --- /dev/null +++ b/.story_kit/stories/upcoming/35_agent_security_and_sandboxing.md 
@@ -0,0 +1,28 @@ +# Story 34: Agent Security and Sandboxing + +## User Story +**As a** supervisor orchestrating multiple autonomous agents, +**I want to** constrain what each agent can access and do, +**So that** agents can't escape their worktree, damage shared state, or perform unintended actions. + +## Acceptance Criteria +- [ ] Agent creation accepts an `allowed_tools` list to restrict Claude Code tool access per agent. +- [ ] Agent creation accepts a `disallowed_tools` list as an alternative to allowlisting. +- [ ] Agents without Bash access can still perform useful coding work (Read, Edit, Write, Glob, Grep). +- [ ] Investigate replacing direct Bash/shell access with Rust-implemented tool proxies that enforce boundaries: + - Scoped `exec_shell` that only runs allowlisted commands (e.g., `cargo test`, `npm test`) within the agent's worktree. + - Scoped `read_file` / `write_file` that reject paths outside the agent's worktree root. + - Scoped `git` operations that only work within the agent's worktree. +- [ ] Evaluate `--max-turns` and `--max-budget-usd` as safety limits for runaway agents. +- [ ] Document the trust model: what the supervisor controls vs what agents can do autonomously. + +## Questions to Explore +- Can we use MCP (Model Context Protocol) to expose our Rust-implemented tools to Claude Code, replacing its built-in Bash/filesystem tools with scoped versions? +- What's the right granularity for shell allowlists — command-level (`cargo test`) or pattern-level (`cargo *`)? +- Should agents have read access outside their worktree (e.g., to reference shared specs) but write access only within it? +- Is OS-level sandboxing (Docker, macOS sandbox profiles) worth the complexity for a personal tool? + +## Out of Scope +- Multi-user authentication or authorization (single-user personal tool). +- Network-level isolation between agents. +- Encrypting agent communication channels (all local). 
diff --git a/server/src/agents.rs b/server/src/agents.rs index 69fb91f..c23cb44 100644 --- a/server/src/agents.rs +++ b/server/src/agents.rs @@ -180,6 +180,10 @@ fn run_agent_pty( cmd.arg("stream-json"); cmd.arg("--verbose"); + // Supervised agents don't need interactive permission prompts + cmd.arg("--permission-mode"); + cmd.arg("bypassPermissions"); + // Append role as system prompt context cmd.arg("--append-system-prompt"); cmd.arg(format!(
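Review bot: The new story file is numbered inconsistently: the path is `35_agent_security_and_sandboxing.md` but the heading reads `# Story 34: Agent Security and Sandboxing`; one of the two should change so the story can be referenced unambiguously. Two of the acceptance criteria also pull in opposite directions and should be reconciled before this lands: the proxy bullet says a scoped `read_file` should "reject paths outside the agent's worktree root", while the "Questions to Explore" section asks whether agents should have read access outside their worktree for shared specs. Either the criterion should say "write_file rejects paths outside the worktree root; read_file policy TBD", or the question should be dropped. Finally, the criterion "Agents without Bash access can still perform useful coding work (Read, Edit, Write, Glob, Grep)" is only a containment property if the path scoping in the following bullet is also in place; unscoped Write/Edit still reach shared state, so it would help to state that dependency in the criterion itself.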
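Review bot: `run_agent_pty` now passes `--permission-mode bypassPermissions` unconditionally, which removes the interactive permission gate for every supervised agent while nothing in this commit yet wires in the `allowed_tools` / `disallowed_tools` restriction or the `--max-turns` / `--max-budget-usd` limits that the accompanying story file lists as the replacement controls. That is a net loosening: each agent gets unprompted use of its full default tool set, including the Bash and filesystem access the story says should be scoped. Suggest gating this behind an explicit per-agent or config option (defaulting to the prompting mode) and landing it together with the tool allowlist, or at minimum expanding the comment from "don't need interactive permission prompts" to say that the caller is responsible for restricting tools, e.g. `// Caller must pass a tool allowlist; prompts are disabled for supervised runs`.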