[FEATURE] Add `audit` permission level — allow execution with logging
Resolved 💬 3 comments Opened Mar 11, 2026 by dogyearm Closed Mar 15, 2026
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
The current permission model has three states:
| State | Behavior |
|-------|----------|
| allow | Executes without prompting |
| (unlisted) | Prompts the user every time |
| deny | Blocks completely |
This forces a binary trade-off for commands like curl, python3, and node:
allow: Convenient but risky — these commands can bypass otherdenyrules (e.g.python3 -c "import urllib..."bypassescurldeny)deny: Secure but blocks legitimate use entirely- unlisted (prompt every time): Creates prompt fatigue for frequently used commands, leading users to eventually just add them to
allow
There is no middle ground for "I trust this enough to run, but I want a record of what happened."
Proposed Solution
Add an audit permission level that:
- Executes the command without prompting (same UX as
allow) - Logs the full command and context to a local audit log (e.g.
~/.claude/audit.log)
// ~/.claude/settings.json
{
"permissions": {
"allow": ["Bash(git *)", "Bash(grep *)"],
"audit": ["Bash(curl *)", "Bash(python3 *)"],
"deny": ["Bash(rm -rf *)", "Bash(git push --force *)"]
}
}
Use Cases
curl: Essential for API debugging, but could exfiltrate data. Audit lets developers use it freely while maintaining a trail.python3/node: Powerful utilities that can bypassdenyrules. Audit provides visibility without friction.- Team / enterprise environments: Security leads can review audit logs periodically without blocking individual developers.
- Incident investigation: When something goes wrong, the audit log shows exactly what commands were executed and when.
Alternatives Considered
PreToolUsehooks: Can partially achieve logging today, but requires custom shell scripting and isn't a first-class experience. Also doesn't integrate with the permissions UI.- Conversation JSONL: Already captures tool calls (#16622), but doesn't provide a dedicated, filterable audit trail focused on sensitive commands.
- Always prompting (unlisted): Works but creates fatigue. In practice, users either add commands to
allow(losing security) or todeny(losing productivity).
Related Issues
- #32904 — Session-level permission grants are invisible and non-auditable
- #16622 — Add permission decision logging to conversation JSONL for debugging
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗