[FEATURE] Add `audit` permission level — allow execution with logging

Resolved 💬 3 comments Opened Mar 11, 2026 by dogyearm Closed Mar 15, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

The current permission model has three states:

| State | Behavior |
|-------|----------|
| allow | Executes without prompting |
| (unlisted) | Prompts the user every time |
| deny | Blocks completely |

This forces a binary trade-off for commands like curl, python3, and node:

  • allow: Convenient but risky — these commands can bypass other deny rules (e.g. python3 -c "import urllib..." bypasses curl deny)
  • deny: Secure but blocks legitimate use entirely
  • unlisted (prompt every time): Creates prompt fatigue for frequently used commands, leading users to eventually just add them to allow

There is no middle ground for "I trust this enough to run, but I want a record of what happened."

Proposed Solution

Add an audit permission level that:

  1. Executes the command without prompting (same UX as allow)
  2. Logs the full command and context to a local audit log (e.g. ~/.claude/audit.log)
// ~/.claude/settings.json
{
  "permissions": {
    "allow": ["Bash(git *)", "Bash(grep *)"],
    "audit": ["Bash(curl *)", "Bash(python3 *)"],
    "deny": ["Bash(rm -rf *)", "Bash(git push --force *)"]
  }
}

Use Cases

  • curl: Essential for API debugging, but could exfiltrate data. Audit lets developers use it freely while maintaining a trail.
  • python3 / node: Powerful utilities that can bypass deny rules. Audit provides visibility without friction.
  • Team / enterprise environments: Security leads can review audit logs periodically without blocking individual developers.
  • Incident investigation: When something goes wrong, the audit log shows exactly what commands were executed and when.

Alternatives Considered

  • PreToolUse hooks: Can partially achieve logging today, but requires custom shell scripting and isn't a first-class experience. Also doesn't integrate with the permissions UI.
  • Conversation JSONL: Already captures tool calls (#16622), but doesn't provide a dedicated, filterable audit trail focused on sensitive commands.
  • Always prompting (unlisted): Works but creates fatigue. In practice, users either add commands to allow (losing security) or to deny (losing productivity).

Related Issues

  • #32904 — Session-level permission grants are invisible and non-auditable
  • #16622 — Add permission decision logging to conversation JSONL for debugging

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗