[BUG] Piped commands prompt for permission despite both components being in allow list (v2.1.77)

Resolved 💬 3 comments Opened Mar 26, 2026 by nateb-effectual-block Closed Mar 30, 2026

Summary

Piped Bash commands prompt for user approval in interactive mode even when both sides of the pipe are explicitly in the permissions.allow list in ~/.claude/settings.json. The same commands auto-approve correctly in -p (non-interactive) mode.

Environment

  • Claude Code v2.1.77
  • macOS (Apple Silicon)
  • Default permission mode (no special mode selected)

Configuration

{
  "permissions": {
    "allow": [
      "Bash(cat:*)",
      "Bash(python3:*)",
      "Bash(gh-api-get:*)",
      "Bash(gh-api-get *)",
      "Bash(jq:*)"
    ]
  }
}

Reproduction

  1. Add the above rules to ~/.claude/settings.json
  2. Start a new interactive session (claude)
  3. Ask the agent to run a piped command where both sides are in the allow list

Prompts for approval (should not):

cat /path/to/file.json | python3 -c "
import json, sys
data = json.load(sys.stdin)
for item in data:
    print(item)
"
gh-api-get "/repos/owner/repo/pulls/123/files?per_page=100" | jq '.[] | select(.filename == "path/to/file.go") | .patch'

Auto-approves correctly (same session):

gh-api-get "/repos/owner/repo/pulls/123/files?per_page=100" | jq '[.[] | {filename, status, changes}]'

Observations

  • Simple single-line pipes sometimes auto-approve, sometimes prompt — the behavior is inconsistent
  • Multiline inline scripts (e.g., python3 -c "..." with newlines) appear more likely to trigger the prompt
  • Commands with file paths inside jq filter strings (e.g., select(.filename == "path/to/file.go")) also trigger prompts
  • The same commands work correctly in -p (non-interactive/print) mode — they auto-approve without prompting
  • The prefix match should succeed since the full command starts with an allowed prefix (e.g., cat, gh-api-get)

Expected Behavior

If a piped command starts with an allowed prefix (matching Bash(command:*)), it should auto-approve without prompting, consistent with how it works in -p mode.

Ideally, compound commands (|, &&, ||, ;) should be parsed into individual components and each matched against the allow list independently (as described in #16561).

Related Issues

  • #16561 — Feature request: parse compound Bash commands and match each component
  • #11775 — Piped commands prompt despite allowed settings (regression of #1271)
  • #29967 — Permission prompt suggests pattern that won't match piped commands
  • #17321 — Allowed write commands still prompt for permission

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗