Claude Architect Certification PrepGet certified in 6 months · start now
P3.3 deep dive · D1 + D2 · Agentic Architectures

Subagent allowedTools and Isolation.

How the parent agent enforces tool whitelists per subagent and how each subagent runs in a fresh context with no chat-history inheritance.

6 prose blocks·4 decisions·5 failure modes·4 exam Qs

Every subagent declares an allowedTools list ([Read, WebSearch, Bash] for research, [Read] only for synthesis). The SDK enforces it. Each subagent runs in a fresh isolated context with no inherited messages. Every fact it needs is embedded in the task prompt. Tool overscoping and history inheritance are the canonical failure modes.

Domain 1 + 2Tool whitelistAnthropic SDK contract
Parent
Multi-Agent Research System
Scope
One sub-pattern of the parent. Slimmer surface, same exam rigour.
Exam
27% D1 · 18% D2. Each decision and failure mode names the canonical distractor.
Canonical patternD1 + D2
01 · The pattern

What it is

An allowedTools list is the SDK-enforced whitelist of tools a subagent can call. It is declared at spawn time as part of the subagent's config: research subagents typically get [Read, WebSearch, Bash], verification gets [Read, WebSearch, Bash] plus a fact-check rubric, and synthesis gets [Read] only. The SDK rejects any tool call outside the list at the runtime level. You don't have to hope the subagent respects a prompt suggestion; the contract is tool-based, not language-based.

Isolation means each subagent runs in a fresh context window with no inherited messages, no parent chat history, and no shared memory between invocations. The coordinator passes context explicitly in the subagent's task prompt: User asked: [query]. Key context: [pinned facts]. Your task: [focused goal]. The subagent's intermediate work (file reads, searches, tool calls) lives in that nested context and is discarded when the subagent returns. Only the final structured summary comes back.

These two mechanisms together are the architectural payoff of the multi-agent pattern. Tool scoping prevents accidental side effects (a reviewer that should only read cannot Edit; a synthesis subagent cannot re-research mid-narrative). Context isolation prevents bloat (50 file reads in a research subagent cost zero tokens in the coordinator). The SDK enforces both at the contract level, which is why the exam treats allowedTools and isolation as load-bearing primitives, not best-effort guidelines.

02 · How it runs

How it works

At spawn time, the coordinator constructs a messages.create (or equivalent) call with three scoping fields: system (role + behavior), tools (the whitelist), and messages: [{role: 'user', content: task_prompt}] (the self-contained task). The SDK initializes a fresh agent context with only those inputs. Inside the subagent's loop, every tool call is checked against allowedTools; calls outside the list are rejected before execution. stop_reason signals when the subagent terminates, and the SDK extracts the final message as the summary.

The synthesis subagent is the canonical example. Its allowedTools is [Read] only. No WebSearch. No Bash. This isn't a prompt instruction; it's an SDK-enforced restriction. Even if the synthesis prompt drifts and the model decides it wants to verify a fact mid-sentence, the WebSearch call is rejected at runtime. The model is forced to either render from the verified-claims JSON or acknowledge a gap. That single restriction caps synthesis latency, prevents re-research, and removes a whole class of fabrication paths.

Isolation is enforced by the spawn semantics, not by the SDK alone. Every subagent's messages array starts empty (except for the coordinator-constructed task prompt). There is no resumption, no continue this conversation mode, no second turn. If the coordinator needs more work, it spawns a brand-new subagent with a fresh task. The subagent is stateless by design. The mistake junior teams make is passing the entire coordinator chat history into the subagent for more context. That actively confuses the subagent (it wasn't part of that conversation) and inflates per-subagent cost without benefit.

03 · Configuration decisions

The 4 decisions

Each row pairs the right answer with the most-tested distractor. The Why column explains the failure mode behind the wrong choice.

DecisionRight answerWrong answerWhy
What allowedTools does the synthesis subagent get?[Read] only. No WebSearch, no Bash, no EditSame as research: [Read, WebSearch, Bash]Synthesis stitches verified findings into a narrative. WebSearch enables re-research mid-narrative (3-5x latency, fabrication risk). Read-only restriction is the architectural detail.
How does the coordinator pass context to a subagent?Explicitly in the task prompt as plain textBy passing the entire coordinator chat historySubagents do not inherit history. Passing prior messages confuses them (they weren't part of that conversation) and inflates token cost. Embed only what the subagent needs.
Coordinator's allowedTools is ['web_search', 'read_document']. Coordinator cannot spawn subagents. Why?Task is missing from the allowedTools list. The SDK requires it for spawningSubagents need a separate subagent_endpoint configThe Task tool is how the coordinator spawns. If it's not in allowedTools, the SDK blocks the spawn call. This is a verbatim CCA-F practice exam question.
A code-review subagent has [Read, Grep, Bash, Edit, Write]. It accidentally modifies a config file. What was the design error?Tool overscoping. A reviewer should never have Edit or WriteThe model misunderstood the prompt. Add stronger prose constraintsTool scope must match the role. Prose can drift; SDK-enforced whitelists cannot. Restrict to the minimum needed for the role.
04 · Failure modes

Where it breaks

5 failure pairs. Each one is one exam pattern. The fix is always architectural, never a prose plea to the model.

Tool overscoping

Retriever subagent has [Read, Grep, WebSearch, Bash, Edit] and accidentally writes a file mid-search. Side effect leaks into the host workspace.

✅ Fix

Restrict to the minimum needed per role. Retriever gets [Read, Grep, Glob, WebSearch]. Reviewer gets [Read, Grep, Bash]. Synthesis gets [Read]. Lint the configs.

History inheritance

Coordinator passes the full chat history into the subagent for context. Subagent gets confused, references conversations it wasn't part of, and produces incoherent output.

✅ Fix

Embed only the facts the subagent needs in a self-contained task prompt. Treat each subagent as starting from zero. Inheritance is not supported and not desirable.

Synthesis with WebSearch enabled

Synthesis subagent has WebSearch in allowedTools. Mid-narrative it decides to re-verify a fact. Latency triples; fabrication risk reappears.

✅ Fix

Synthesis allowedTools = [Read] only. SDK rejects WebSearch at runtime. Forces synthesis to render from verified-claims or acknowledge a gap.

Missing Task tool on coordinator

Coordinator's allowedTools is ['web_search', 'read_document']. Spawning a subagent throws tool not allowed. The whole architecture is dead on launch.

✅ Fix

Add Task to the coordinator's allowedTools. The Task tool is the spawn primitive; without it, no fan-out is possible.

Vague output format

Subagent has no defined output schema. Wanders for 40 turns, returns a plausible essay. Token bill is huge; coordinator can't aggregate cleanly.

✅ Fix

Define a structured output format in the subagent's system prompt ({findings: [{claim, sources}]}). The schema doubles as a stopping cue and an aggregation contract.

05 · Exam patterns

Exam patterns

5 V2 questions wired to this deep dive. Each shows all 4 options with rationale, the mental model under test, and the priority order across distractors.

A research system decomposes 'impact of AI on creative industries' into three subtopics: visual arts, music, writing. The web-search subagent finds results for all three. The synthesis subagent produces a report covering only visual arts. Why?
A web-search subagent times out and returns an empty result list. The coordinator treats this as 'no information available' and moves forward. The final report is incomplete. What is the architectural fix?
A research report cites two conflicting statistics: '45% of creative workers use AI' (Pew) and '12% use AI daily' (McKinsey). Should synthesis pick the more likely one?
Subagent A (academic papers) finds a key research direction. Subagent B (web search) needs that finding to guide its queries. Should A pass it directly to B?
A synthesis subagent needs to verify ~100 facts in a final report. Calling verify_fact sequentially takes 60+ seconds. What is the architectural fix?
06 · Concepts in play

Concepts wired

4 primitives compose this sub-pattern. Each card links to the concept page where the primitive is taught in isolation.

Subagents

Isolation primitive

Concept: subagents

Tool calling

Per-subagent allowedTools whitelist

Concept: tool-calling

Context window

Fresh-context isolation per spawn

Concept: context-window

System prompts

Role + behavior scoping

Concept: system-prompts
07 · Sibling deep dives

Continue the parent

2 more sub-patterns under Multi-Agent Research System. Each one drills into a different load-bearing decision.

Coordinator Routing

How the coordinator decomposes a research query and dispatches subtasks across the hub-and-spoke topology.

The coordinator owns semantic decomposition (not lexical), enumerates every relevant sub-domain before spawning anything, and dispatches research subagents in parallel via a synchronous-fork-then-join pattern. Coverage gaps live in the decomposition step. Not in the subagents.

Read deep dive ↗

Structured Claim-Source Mapping

How verified claims get pinned to their source documents in a structured-output schema so the final report cannot fabricate.

Every verified claim emits as a JSON object with claim_id, claim_text, source_url, source_passage, confidence, and notes. The schema is enforced at the verification step. Synthesis renders citations from the schema and cannot invent attributions because the source text is pinned in-record.

Read deep dive ↗
08 · FAQ

Frequently asked

Can a subagent call another subagent (nested spawn)?
In theory yes; in practice avoid it. Nested subagents complicate context flow, increase latency, and obscure the orchestration graph from the coordinator. Keep the hierarchy shallow: coordinator -> leaf subagents only. If you need meta-research, have the coordinator do the decomposition step explicitly.
How do I pass a large document to a subagent if history isn't inherited?
Embed it in the task prompt as plain text, or pass a path the subagent's Read tool can fetch. The coordinator decides which approach. For documents under ~5k tokens, embed directly. For larger, write to disk and pass the path. Either way, the subagent starts with only what's in its task prompt and tools.
Are allowedTools enforced at runtime or at config-load time?
Both. Config-load validates the list against known tools (catches typos). Runtime checks every individual tool call against the allowedTools whitelist before execution. Tool calls outside the list raise tool not allowed. There is no soft-enforcement path; it's hard-rejected.
P3.3 deep dive · D1 · Agentic Architectures · Deep dive

Subagent allowedTools and Isolation, complete.

You've covered the full ten-section breakdown for this primitive, definition, mechanics, code, false positives, comparison, decision tree, exam patterns, and FAQ. One technical primitive down on the path to CCA-F.

Share your win →