[BUG] global/local settings.json allow permissions are not respected by Claude Code
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Piped bash commands prompt for permission even when ALL individual components are already allowed in settings.json.
I have many bash commands allowed in my global settings.json:
"Bash(ls:*)",
"Bash(awk:*)",
"Bash(wc:*)",
"Bash(echo:*)"
Each command works fine individually:
ls /some/path- works without promptingawk --version- works without prompting
But piped commands prompt for permission even when ALL components are allowed:
ls /some/path | awk '{print $1}'- prompts for permissionecho "test" | wc -l- prompts for permission
This is because the permission system uses prefix matching on the entire command string. Bash(awk:*) only matches commands that START with awk, not commands where awk appears after a pipe.
What Should Happen?
If I run cmd1 | cmd2 | cmd3 and each of cmd1, cmd2, cmd3 individually matches an allowed pattern, the full piped command should be allowed without prompting. Same for &&, ||, and ;.
Steps to Reproduce
- Add bash command permissions to global or local settings.json:
``json``
{
"permissions": {
"allow": [
"Bash(ls:*)",
"Bash(awk:*)",
"Bash(wc:*)",
"Bash(echo:*)"
]
}
}
- Ask Claude Code to run a simple allowed command like
ls /tmp- it runs without prompting - Ask Claude Code to run a piped command like
ls /tmp | wc -l- it prompts for permission despite bothlsandwcbeing individually allowed
Claude Model
Not sure / Multiple models
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.0.61 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
I created a PreToolUse hook for a workaround, you can run npx claude-code-plus to get this behavior installed on your machine: claude-code-plus.
20 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Would love a fix for this :)
Looking forward for a fix on this.
At least make sure Claude Code himself is aware of this bug.
Any news on this? This bug is very annoying...
For anyone still having issues with this, Anthropic shipped _some_ improvements in 2.1.0, but it still doesn't work well enough.
I encourage you to try claude-code-plus, I solved this in a more sophisticated way than their conservative approach while still being safe, and soon will ship an update that allows you to do regular expressions for permissions.
The way it works is that it parses the commands, regardless of how complex they are and breaks them down into their individual parts and compares each individual part to the permissions. Read some of the tests to get an idea on how we handle complex scenarios.
This also is not respected:
"allow": [
"Write(./**)",
],
"ask": [
"Write"
],
will always ask for permission even when creating new files in project dirs
To me, the problem is solved with the new 2.1.19 Claude Code release.
still happening for me, I think it depends on pipe order -- find | grep, grep | head etc
really annoying, especially for /code-review:code-review plugin
Only fix really is to exit, run with --resume --dangerously-skip-permissions temporarily
Still broken.
Still an issue ; (
Same with explore agent, This problem is making me crazy, because I have to authorize every order (and I can't authorize them all...) 30 times in a row each time Explore is called.
@nbapps @TianyuDu try https://github.com/damusix/ai-tools, in particular:
auto-approve-compound-bashIt should reduce it quite a bit. There are 2 permission guards: The one you allow / deny, and the one that you cannot override (CC detects
cd && gitcombinations that are not overridable, for example)Hooks in
~/.claude/settings.jsonwork globally regardless of project-level settings — they're a reliable alternative when permissions don't apply at the project level.Unlike permission rules, hooks fire at every level (user and project) and aren't overridden by project settings. If your allow/deny rules are being ignored at the project level, moving the logic into hooks is the most reliable workaround.
Quick setup:
npx cc-safe-setupinstalls 8 hooks in user-level settings.still facing this issue
@bcherny Can you please prioritize this? It's open since 2025 and makes Claude Code a complete pain to use. I have to constantly manually approve basic commands such as
findorcmake.still an issue. Super weird because this:
works as expected (no prompt for any bash command, eg.
touch ~/file.txt)but this
still requires my approval when running
touch ~/file.txtfor instance.@ChristianTrummer99 try
Bash(touch:*), you have a missing colon in the second example.I've tried this too. Doesn't make a difference.
here's my actual settings file:
I suspect the harness's handling of sandboxing is what causes this issue.
Try out claude-code-plus
npx claude-code-plus, I've been using it for ~4 months and it solved all my issues. Admittedly, I don't use any of the sandboxing features, but I don't think it should be relevant to this issue.