Compound bash commands should evaluate each command's permissions independently
Summary
When using Bash(git *) in the permission allow list, a compound command like cd /some/path && git checkout -b branch requires manual approval because the command starts with cd, not git. But splitting it into two separate tool calls (cd then git) bypasses the check entirely.
Current behavior
Permission patterns match against the entire command string. So Bash(git *) only matches commands that start with git. A compound command like cd foo && git status doesn't match Bash(git *) or Bash(cd *) — it seems to need its own pattern.
Expected behavior
Each command in a compound statement (&&, ||, ;) should be evaluated independently against the allow list. If every individual command would be permitted on its own, the compound should be auto-approved.
Why it matters
- The current behavior adds friction without adding security (users/agents just split into separate calls)
- It forces unnecessary approval prompts for common patterns like navigating to a project directory before running a command
- It makes permission management harder — users would need to anticipate every possible
cd * && <tool> *combination
Environment
- Claude Code on Windows 11 (bash shell)
- Permission rules in
.claude/settings.local.json
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗