Compound commands of individually-allowed safe commands prompt with incorrect safety reason

Resolved 💬 3 comments Opened Feb 24, 2026 by GraemeF Closed Feb 24, 2026

Description

Compound bash commands using && to chain individually-allowed, read-only commands trigger a permission prompt with an incorrect safety reason.

Example

Command: git status && echo "---" && pwd

Permission rules configured in .claude/settings.local.json:

{
  "permissions": {
    "allow": [
      "Bash(git status:*)",
      ...278 other rules...
    ]
  }
}

Prompt shown:

Command contains quoted characters in flag names

Do you want to proceed?
❯ 1. Yes
  2. No

Two problems

1. Compound commands don't match individual allow rules

Each command in the chain (git status, echo "---", pwd) is either explicitly in the allow list or is a harmless read-only command. The compound command should be auto-approved since every component is individually allowed.

This appears to be a consequence of the v2.1.7 fix for "wildcard permission rules matching compound commands containing shell operators", which was a legitimate security fix but has the side effect of blocking entirely safe compound commands where every individual command is already permitted.

2. The stated safety reason is incorrect

The reason "Command contains quoted characters in flag names" does not accurately describe the command. The "---" in echo "---" is a string argument to echo, not a flag name containing quoted characters. The safety classifier appears to be misidentifying this as something like --flag="value".

Expected behaviour

  • Compound commands where every individual command matches an existing allow rule should be auto-approved
  • When a command does prompt, the stated reason should accurately describe why it was flagged

Environment

  • Claude Code version: ~2.1.49+
  • OS: macOS (Darwin 25.3.0)
  • Permission mode: Custom allow list (278 rules in .claude/settings.local.json)

Related issues

  • #25441 — Bash permission wildcards don't match multiline/heredoc commands
  • #16180 — Permission bypass when commands are chained with && (the original security fix)
  • #20449 — Allow rules not preventing permission prompts for file-modifying commands
  • #6850 — settings.local.json allow not working

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗