diff --git a/src/services/acp/agent/createSessionMethod.ts b/src/services/acp/agent/createSessionMethod.ts
index 34059aaf8..5de2889d5 100644
--- a/src/services/acp/agent/createSessionMethod.ts
+++ b/src/services/acp/agent/createSessionMethod.ts
@@ -26,6 +26,8 @@ import {
 } from '../../../bootstrap/state.js'
 import type { SessionId } from '../../../types/ids.js'
 import { enableConfigs } from '../../../utils/config.js'
+import { applySafeConfigEnvironmentVariables } from '../../../utils/managedEnv.js'
+import { resetSettingsCache } from '../../../utils/settings/settingsCache.js'
 import { FileStateCache } from '../../../utils/fileStateCache.js'
 import { getDefaultAppState } from '../../../state/AppStateStore.js'
 import type { AppState } from '../../../state/AppStateStore.js'
@@ -89,6 +91,16 @@ async function createSession(
     // CWD may not exist yet; best-effort
   }
 
+  // entry.ts calls applySafeConfigEnvironmentVariables() during handshake so the
+  // API client can authenticate before createSession arrives. At that point
+  // getOriginalCwd() is still the spawn cwd (not the project dir), so
+  // loadSettingsFromDisk() resolves localSettings/projectSettings against the
+  // wrong root and caches the empty result. Now that we've set the real project
+  // cwd, drop the cache and re-apply so settings.local.json and project env
+  // become visible to readSettingsPermissionMode() and downstream consumers.
+  resetSettingsCache()
+  applySafeConfigEnvironmentVariables()
+
   try {
     // Build tools with a permissive permission context.
     const permissionContext = getEmptyToolPermissionContext()