[DOCS] Permissions and settings docs missing bash auto-approval allowlist enumeration
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/settings
Section/Topic
Bash permissions / auto-approval section
Current Documentation
settings.md references autoAllowBashIfSandboxed (a sandbox-specific auto-approval toggle) but contains no list of commands that are built-in to the bash auto-approval allowlist.
permissions.md covers permission rule syntax (e.g., Bash(...) patterns) but makes no mention of commands that are approved automatically without user configuration.
security.md mentions "allowlisting frequently used safe commands" generically but provides no list.
No documentation page in the mirror enumerates which bash commands are pre-approved by default, nor explains the concept of a built-in auto-approval allowlist distinct from user-configured Bash(...) permission rules.
What's Wrong or Missing?
A. No page documents the bash auto-approval allowlist
Claude Code automatically approves a set of safe, read-only commands without requiring user permission rules. This built-in allowlist is a significant feature — it determines which commands run without any prompt. No documentation page explains that this allowlist exists, how it works, or what commands it contains.
B. New commands added in v2.1.71 are undocumented
Changelog v2.1.71 added fmt, comm, cmp, numfmt, expr, test, printf, getconf, seq, tsort, and pr to the allowlist. These additions confirm the allowlist is actively maintained, but the complete list (before and after this addition) is nowhere documented. Users cannot know which commands they need to add explicit Bash(...) rules for vs. which are already allowed.
C. Conceptual gap between allowlist and user rules
permissions.md documents how users write Bash(git:*) or Bash(npm run *) rules. It does not explain that a separate, pre-configured allowlist already handles many common Unix commands. Without this context, users may write redundant rules or be confused about why some commands don't require approval.
Suggested Improvement
Add a section to settings.md (or permissions.md) titled "Built-in bash auto-approval allowlist" that:
- Explains the concept: Claude Code pre-approves a set of safe commands that run without prompting, separate from user-configured
Bash(...)rules. - Lists all commands currently on the allowlist (including the v2.1.71 additions:
fmt,comm,cmp,numfmt,expr,test,printf,getconf,seq,tsort,pr). - Clarifies the relationship to
autoAllowBashIfSandboxed(which enables a broader auto-approve mode within sandboxes) vs. the default allowlist that applies in all modes.
Example addition to settings.md:
## Built-in bash auto-approval allowlist
Claude Code automatically approves a set of safe, read-only Unix commands
without requiring user permission rules. These commands run without a
permission prompt regardless of your `Bash(...)` configuration:
[list of commands]
To allow additional commands, add `Bash(<pattern>)` rules to your
`permissions.allow` setting. See [Permissions](permissions) for syntax.
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/settings | References autoAllowBashIfSandboxed but no allowlist enumeration |
| https://code.claude.com/docs/en/permissions | Covers Bash(...) rule syntax but no mention of built-in allowlist |
| https://code.claude.com/docs/en/security | Mentions allowlisting generically without a list |
Total scope: 3 pages affected
Source: Changelog v2.1.71
Exact changelog entry:
"Addedfmt,comm,cmp,numfmt,expr,test,printf,getconf,seq,tsort, andprto the bash auto-approval allowlist"
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗