[BUG] Backticks inside heredoc quoted strings trigger false-positive permission prompt
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When Claude generates a git commit command using the heredoc pattern from its own system prompt, backticks that appear inside the quoted heredoc string trigger a permission prompt with the message:
"Command contains backticks (` ``) for command substitution"
The command in question:
git commit -m "$(cat <<'EOF'
fix(supe): fix plan reassign workspace validation and formatting
Remove the workspace existence check from `reassign_plan` — the target
workspace may not exist yet when pre-assigning plans.
EOF
)"
The backticks around reassign_plan are markdown formatting inside a single-quoted heredoc (<<'EOF'). They are not command substitution — they cannot be executed. The 'EOF' quoting explicitly disables all expansion inside the heredoc body, making these backticks purely literal characters.
Relationship to #31373
This is related to but distinct from #31373. That issue reports that the $(...) wrapper itself triggers permission prompts that bypass allow rules. This issue is about the content inside the heredoc — even if the $(...) prompt were resolved (e.g., via allowlist matching), the backtick detection would still fire independently on the literal backticks within the quoted string body.
The two issues compound: #31373 means the $(...) wrapper can't be auto-approved, and this issue means even manual approval gets an additional misleading warning about "command substitution" that isn't actually happening.
To be concrete:
- #31373:
$(cat <<'EOF' ... EOF)triggers a prompt because$(...)is command substitution → this is at least technically correct, the outer$(...)is real substitution - This issue: `
reassign_planinside<<'EOF' ... EOF` triggers "contains backticks for command substitution" → this is incorrect, backticks inside a single-quoted heredoc are inert literal characters
What Should Happen?
The permission checker should not flag backticks that appear inside a quoted heredoc (<<'EOF' ... EOF or <<"EOF" ... EOF). These are string content, not shell operators. The backtick detection heuristic should be context-aware enough to skip content within heredoc bodies.
Error Messages/Logs
"Command contains backticks (`) for command substitution"
Steps to Reproduce
- Open Claude Code in a git repository
- Make some changes to files that have backtick-formatted identifiers in their content
- Ask Claude to commit
- Claude generates:
git commit -m "$(cat <<'EOF' ... some text with backticks ... EOF)" - Permission prompt appears citing backticks as command substitution
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.76
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
The system prompt itself instructs Claude to use the $(cat <<'EOF' ... EOF) heredoc pattern for commit messages. Commit messages routinely contain backtick-formatted code references (function names, variable names, etc.). This means the recommended commit workflow will reliably trigger this false positive whenever the commit message mentions code.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗