[FEATURE] Permission system should evaluate piped commands independently, not as a single string

Open 💬 7 comments Opened Mar 11, 2026 by graehl

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

The current Bash permission pattern matching treats an entire pipeline as one string, meaning Bash(tee:*) doesn't match something | tee logfile because the command doesn't start with tee. This is both a UX problem (the "don't ask again" suggestion is wrong) and a conceptual one.
The core issue: piping is data routing, not execution risk. The risk surface is in what each individual command does. rg foo | tee out.txt is not more dangerous than rg foo — tee just redirects stdout to a file.
Related: #29967 documents the symptom; this is the underlying design issue.

Proposed Solution

each subcommand in a pipeline should be evaluated independently against the allowlist. Only prompt if any individual subcommand isn't covered. This matches the actual threat model (which commands run, not how their output is connected).

Alternative Solutions

n/a

Priority

Low - Nice to have

Feature Category

Interactive mode (TUI)

Use Case Example

n/a

Additional Context

_No response_

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗