diff --git a/hive-ag3nt/prompts/claude-settings.json b/hive-ag3nt/prompts/claude-settings.json
index 612237d..7fdf437 100644
--- a/hive-ag3nt/prompts/claude-settings.json
+++ b/hive-ag3nt/prompts/claude-settings.json
@@ -1,5 +1,8 @@
 {
 "autoCompactEnabled": false,
 "autoMemoryEnabled": false,
- "effortLevel": "medium"
+ "effortLevel": "medium",
+ "permissions": {
+ "deny": ["WebFetch", "WebSearch", "Task", "TodoWrite"]
+ }
 }
diff --git a/hive-ag3nt/src/mcp.rs b/hive-ag3nt/src/mcp.rs
index 26a5962..e252d10 100644
--- a/hive-ag3nt/src/mcp.rs
+++ b/hive-ag3nt/src/mcp.rs
@@ -601,10 +601,13 @@ pub const SERVER_NAME: &str = "hyperhive";
 /// in this list literally doesn't exist in the session (claude won't even
 /// try to call it). Web egress (`WebFetch`/`WebSearch`) and nested agents
 /// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a
-/// finer-grained allow-list system for shell command patterns. Edit later
-/// as our trust model evolves.
+/// finer-grained allow-list system for shell command patterns. `TodoWrite`
+/// is omitted because the todo list lives in claude's in-process session
+/// state and silently evaporates on /compact or session reset — agents
+/// should plan in /state notes instead. Edit later as our trust model
+/// evolves.
 pub const ALLOWED_BUILTIN_TOOLS: &[&str] =
- &["Bash", "Edit", "Glob", "Grep", "Read", "TodoWrite", "Write"];
+ &["Bash", "Edit", "Glob", "Grep", "Read", "Write"];
 
 /// Which MCP tool surface to advertise via `--allowedTools`. The agent
 /// list is the strict subset of the manager list, so we just thread the
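Review bot: The new `permissions.deny` array repeats by hand the four names that `ALLOWED_BUILTIN_TOOLS` in `hive-ag3nt/src/mcp.rs` leaves out, and nothing visible in the diff ties the two lists together, so a tool re-added to one can silently stay blocked or unblocked in the other. This file is strict JSON and cannot carry its own rationale, so the pointer belongs beside the Rust constant, for example `/// Keep in sync with permissions.deny in prompts/claude-settings.json.`, ideally backed by a unit test asserting that no denied name appears in `ALLOWED_BUILTIN_TOOLS`. How this settings file reaches the session is not shown here; since `Write` and `Bash` remain allowed, it is worth confirming that the loaded copy sits outside any path the agent can modify.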
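Review bot: The doc comment on `ALLOWED_BUILTIN_TOOLS` still presents the omission of `WebFetch`/`WebSearch` as the web-egress control, while `Bash` stays in the list with no command allow-list, so network access presumably remains reachable through the shell unless the sandbox blocks it elsewhere. I would state that limit in the comment so the list is not read as a network boundary, e.g. `/// NOTE: omitting WebFetch/WebSearch does not block egress while Bash is unrestricted; enforce network policy outside this list.` The comment block starts above the hunk, so its opening lines were not reviewed.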