[BUG] Respect `allowed-tools` when using combined / piped tool commands

Resolved 💬 13 comments Opened May 23, 2025 by adamavenir Closed Sep 10, 2025

Environment

  • Platform (select one): Anthropic API
  • Claude CLI version: 1.0.2
  • Operating System: macOS 15.4.1
  • Terminal: all

Bug Description

allowed-tools doesn't seem to be respected by commands combined by | && ;.

Steps to Reproduce

Here's a snippet of one section of my allowed-tools settings:
<img width="394" alt="Image" src="https://github.com/user-attachments/assets/41289f8d-6b4c-4f6f-b819-75a3a17d3e41" />

You can see I have nothing denied:
<img width="520" alt="Image" src="https://github.com/user-attachments/assets/c4af8319-2954-4dbe-9c4e-c6214d614eab" />

But none of these allowed tool permissions are honored if the command is combined (even if combining two allowed commands), nor will they allow me to accept the combination.

<img width="607" alt="Image" src="https://github.com/user-attachments/assets/0d2fd7bc-8f7b-4f6d-aa87-896df426ff0d" />

<img width="542" alt="Image" src="https://github.com/user-attachments/assets/4061c0b3-2334-49db-be6f-c976f1235444" />

<img width="680" alt="Image" src="https://github.com/user-attachments/assets/a90a4275-4a79-4e8b-9d5f-95f0497f7d64" />

The end result is repeatedly approving benign tool usage that has already been allowed—chiefly "run tests and grep"

Expected Behavior

I absolutely understand and respect the security consideration of only honoring allowed-tools for commands without | && ; , but let me suggest:

  1. If a user has approved the initial command _and_ the command used after the pipe, it should be allowed by default. It's completely surprising behavior otherwise. Similarly, if a user manually sets a pattern of * it is reasonable to expect that means literally anything—and if that * ends at one of | && ; that should be clear when manually creating patterns.
  2. Perhaps there should be a setting to explicitly enable honoring allowed-tools rules for combined/piped commands—if you see reasons that the specific combination is a unique attack vector. (Which is totally plausible; I haven't thought about it.)
  3. In the absence of any of the above, we should specifically have patterns for combined commands.

Actual Behavior

Requires approval again for commands I have technically already approved.

Additional Context

This functionality is especially necessary in Claude 4 (and as Claude Code has seemed to have gained some better internal prompts for handling massive test runs by parsing them with greps), as Claude tends to run a _lot_ more commands filtered by pipes.

View original on GitHub ↗

This issue has 13 comments on GitHub. Read the full discussion on GitHub ↗