Model ignores MANDATORY rules and memory about Bash command chaining
Claude Code repeatedly chains whitelisted Bash commands using semicolons, pipes, and redirects despite MANDATORY rules in CLAUDE.md and persistent memory explicitly documenting this correction from prior sessions.
Reproduction:
- Add to CLAUDE.md (global): 'NEVER pipe, chain, or redirect whitelisted commands'
- Add a memory file reinforcing this rule
- Use Claude Code across multiple sessions
- Observe that the model still appends
2>&1,; echo ..., or| tailto whitelisted commands
Example (2026-03-16):
What Claude ran (triggered permission prompt):
.venv/bin/ruff check --target-version py314 /dev/null 2>&1; echo "exit: $?"
What it should have run (matches Bash(.venv/bin/*) allow pattern):
.venv/bin/ruff check --target-version py314 /dev/null
Why this matters:
- Claude Code matches the full command string against permission allow-list patterns
- Appending
; echo ...or2>&1breaks the pattern match, triggering an unnecessary permission prompt - The Bash tool already reports exit codes, so the
echowas redundant - The user has corrected this behavior multiple times across sessions
- The model acknowledges the rule, stores it in memory, then violates it again in the same or next session
Impact: Every violation blocks the user with a permission prompt for a command that should be auto-allowed. This erodes trust and wastes time.
Expected behavior: The model should treat MANDATORY rules in CLAUDE.md and persistent memory feedback as hard constraints. Whitelisted commands should always run as standalone Bash calls with no pipes, redirects, semicolons, or chains.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗