[FEATURE] Permission system should evaluate piped commands independently, not as a single string
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
The current Bash permission pattern matching treats an entire pipeline as one string, meaning Bash(tee:*) doesn't match something | tee logfile because the command doesn't start with tee. This is both a UX problem (the "don't ask again" suggestion is wrong) and a conceptual one.
The core issue: piping is data routing, not execution risk. The risk surface is in what each individual command does. rg foo | tee out.txt is not more dangerous than rg foo — tee just redirects stdout to a file.
Related: #29967 documents the symptom; this is the underlying design issue.
Proposed Solution
each subcommand in a pipeline should be evaluated independently against the allowlist. Only prompt if any individual subcommand isn't covered. This matches the actual threat model (which commands run, not how their output is connected).
Alternative Solutions
n/a
Priority
Low - Nice to have
Feature Category
Interactive mode (TUI)
Use Case Example
n/a
Additional Context
_No response_
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗