[BUG] Piped commands prompt for permission despite both components being in allow list (v2.1.77)
Resolved 💬 3 comments Opened Mar 26, 2026 by nateb-effectual-block Closed Mar 30, 2026
Summary
Piped Bash commands prompt for user approval in interactive mode even when both sides of the pipe are explicitly in the permissions.allow list in ~/.claude/settings.json. The same commands auto-approve correctly in -p (non-interactive) mode.
Environment
- Claude Code v2.1.77
- macOS (Apple Silicon)
- Default permission mode (no special mode selected)
Configuration
{
"permissions": {
"allow": [
"Bash(cat:*)",
"Bash(python3:*)",
"Bash(gh-api-get:*)",
"Bash(gh-api-get *)",
"Bash(jq:*)"
]
}
}
Reproduction
- Add the above rules to
~/.claude/settings.json - Start a new interactive session (
claude) - Ask the agent to run a piped command where both sides are in the allow list
Prompts for approval (should not):
cat /path/to/file.json | python3 -c "
import json, sys
data = json.load(sys.stdin)
for item in data:
print(item)
"
gh-api-get "/repos/owner/repo/pulls/123/files?per_page=100" | jq '.[] | select(.filename == "path/to/file.go") | .patch'
Auto-approves correctly (same session):
gh-api-get "/repos/owner/repo/pulls/123/files?per_page=100" | jq '[.[] | {filename, status, changes}]'
Observations
- Simple single-line pipes sometimes auto-approve, sometimes prompt — the behavior is inconsistent
- Multiline inline scripts (e.g.,
python3 -c "..."with newlines) appear more likely to trigger the prompt - Commands with file paths inside jq filter strings (e.g.,
select(.filename == "path/to/file.go")) also trigger prompts - The same commands work correctly in
-p(non-interactive/print) mode — they auto-approve without prompting - The prefix match should succeed since the full command starts with an allowed prefix (e.g.,
cat,gh-api-get)
Expected Behavior
If a piped command starts with an allowed prefix (matching Bash(command:*)), it should auto-approve without prompting, consistent with how it works in -p mode.
Ideally, compound commands (|, &&, ||, ;) should be parsed into individual components and each matched against the allow list independently (as described in #16561).
Related Issues
- #16561 — Feature request: parse compound Bash commands and match each component
- #11775 — Piped commands prompt despite allowed settings (regression of #1271)
- #29967 — Permission prompt suggests pattern that won't match piped commands
- #17321 — Allowed write commands still prompt for permission
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗