[DOCS] Permissions and settings docs missing bash auto-approval allowlist enumeration

Open 💬 5 comments Opened Mar 7, 2026 by coygeek

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/settings

Section/Topic

Bash permissions / auto-approval section

Current Documentation

settings.md references autoAllowBashIfSandboxed (a sandbox-specific auto-approval toggle) but contains no list of commands that are built-in to the bash auto-approval allowlist.

permissions.md covers permission rule syntax (e.g., Bash(...) patterns) but makes no mention of commands that are approved automatically without user configuration.

security.md mentions "allowlisting frequently used safe commands" generically but provides no list.

No documentation page in the mirror enumerates which bash commands are pre-approved by default, nor explains the concept of a built-in auto-approval allowlist distinct from user-configured Bash(...) permission rules.

What's Wrong or Missing?

A. No page documents the bash auto-approval allowlist

Claude Code automatically approves a set of safe, read-only commands without requiring user permission rules. This built-in allowlist is a significant feature — it determines which commands run without any prompt. No documentation page explains that this allowlist exists, how it works, or what commands it contains.

B. New commands added in v2.1.71 are undocumented

Changelog v2.1.71 added fmt, comm, cmp, numfmt, expr, test, printf, getconf, seq, tsort, and pr to the allowlist. These additions confirm the allowlist is actively maintained, but the complete list (before and after this addition) is nowhere documented. Users cannot know which commands they need to add explicit Bash(...) rules for vs. which are already allowed.

C. Conceptual gap between allowlist and user rules

permissions.md documents how users write Bash(git:*) or Bash(npm run *) rules. It does not explain that a separate, pre-configured allowlist already handles many common Unix commands. Without this context, users may write redundant rules or be confused about why some commands don't require approval.

Suggested Improvement

Add a section to settings.md (or permissions.md) titled "Built-in bash auto-approval allowlist" that:

  1. Explains the concept: Claude Code pre-approves a set of safe commands that run without prompting, separate from user-configured Bash(...) rules.
  2. Lists all commands currently on the allowlist (including the v2.1.71 additions: fmt, comm, cmp, numfmt, expr, test, printf, getconf, seq, tsort, pr).
  3. Clarifies the relationship to autoAllowBashIfSandboxed (which enables a broader auto-approve mode within sandboxes) vs. the default allowlist that applies in all modes.

Example addition to settings.md:

## Built-in bash auto-approval allowlist

Claude Code automatically approves a set of safe, read-only Unix commands
without requiring user permission rules. These commands run without a
permission prompt regardless of your `Bash(...)` configuration:

[list of commands]

To allow additional commands, add `Bash(<pattern>)` rules to your
`permissions.allow` setting. See [Permissions](permissions) for syntax.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/settings | References autoAllowBashIfSandboxed but no allowlist enumeration |
| https://code.claude.com/docs/en/permissions | Covers Bash(...) rule syntax but no mention of built-in allowlist |
| https://code.claude.com/docs/en/security | Mentions allowlisting generically without a list |

Total scope: 3 pages affected

Source: Changelog v2.1.71

Exact changelog entry:

"Added fmt, comm, cmp, numfmt, expr, test, printf, getconf, seq, tsort, and pr to the bash auto-approval allowlist"

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗