Feature Request: Context-aware permission evaluation for read-only operations
Problem
The current permission system is pattern-based, matching command strings against whitelist patterns. This requires users to add explicit patterns for every combination of commands, even when all underlying operations are read-only.
Example: A command like:
cd /home/user/projects/myapp && git show e959a466 2>/dev/null | head -50
Gets blocked even though:
git showis whitelisted viaBash(git show:*)headis whitelisted viaBash(head :*)cdis just directory navigation (not destructive)- The pipe and redirect are flow control
The user must add yet another pattern like Bash(cd /home/*/projects/* && git:*) to cover this specific combination.
Proposed Solution
Implement context-aware permission evaluation that analyzes compound commands semantically:
- Parse compound commands - Break down
&&,||,|,;chains into individual operations - Evaluate each operation - Check if each component is a read-only operation
- Allow if all components are read-only - If every part of the compound command is non-destructive, allow execution
Read-only operations would include:
- All git read commands (
git show,git log,git diff,git status,git branch, etc.) - File reading (
cat,head,tail,less,grep, etc.) - Directory navigation (
cd,pushd,popd) - Control structures (
for,if,while,case) when their bodies contain only read operations - Information commands (
ls,find,stat,file,which, etc.) - Pipes and redirects to stdout/stderr
Destructive operations would still require explicit permission:
- File modification (
rm,mv,cp,chmod,chown) - Git write operations (
git push,git commit,git reset --hard) - Package management (
npm install,pip install,apt install) - System changes (
systemctl start/stop,kill, etc.)
Benefits
- Reduced friction - Users don't need to whitelist every possible combination of safe commands
- Better UX - Aligns with user intent ("allow read operations") rather than requiring pattern engineering
- Maintains security - Destructive operations still require explicit approval
- Simpler configuration - Could offer a single toggle like
"allowReadOperations": true
Alternative: Simpler Implementation
If full semantic analysis is too complex, a simpler approach could be:
- Add a "read-only mode" flag for compound commands
- Allow patterns like
Bash(cd:* && git show:*)to match regardless of the specific path - Support pattern composition where if
AandBare allowed,A && Bis automatically allowed
User Story
As a developer, I want Claude Code to understand that chaining read-only operations together is safe, so that I don't have to whitelist every possible combination of safe commands.
---
Environment:
- Claude Code CLI
- Linux/macOS/Windows
Related: Users who set policies like "no need to ask permission for read operations" in their CLAUDE.md still face permission prompts for compound read-only commands.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗