diff --git a/agent/claude_wrapper.py b/agent/claude_wrapper.py
index 05dd054f..338fb53b 100644
--- a/agent/claude_wrapper.py
+++ b/agent/claude_wrapper.py
@@ -104,9 +104,13 @@ async def ask_claude(message: str, session_id: str) -> ClaudeResult:
 "json",
 "--allowed-tools",
 allowed_tools,
- # Auto-approve any tool that's in --allowed-tools.
+ # CRITICAL: dontAsk auto-DENIES anything outside --allowed-tools.
+ # Do NOT use bypassPermissions here — that mode ignores the whitelist
+ # entirely and lets the model call Bash/Write/Edit/etc. (verified
+ # the hard way: it wrote /tmp/owned.sh when prompted to).
+ # See https://code.claude.com/docs/en/permission-modes.md
 "--permission-mode",
- "bypassPermissions",
+ "dontAsk",
 ]
 logger.info(
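Review bot: With `dontAsk`, the `allowed_tools` value passed just above the `--permission-mode` flag becomes the only boundary between the model and Bash/Write/Edit, and the hunk does not show how that list is built or constrained; if it is assembled from config or per-request data, a single broad entry (`Bash`, or a `Bash(...)`-style pattern) reopens exactly the hole the new comment describes. Validate it against a fixed set of expected tool names before the argv is assembled and include the resolved value in the `logger.info(` call that follows, so a permissive list shows up in the audit trail rather than only in the CLI's behaviour. Pinning the mode as a module constant, e.g. `PERMISSION_MODE = "dontAsk"  # never bypassPermissions; it ignores --allowed-tools`, makes a future edit that flips the literal stand out in review. If the pinned CLI version offers an explicit deny-list option, listing the write-capable tools there as well gives defence in depth that does not depend on the allowlist contents. The body of ask_claude continues outside the hunk on both sides.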