bypassPermissions / --dangerously-skip-permissions does not suppress multi-line Bash description safety check
Bug Description
The --dangerously-skip-permissions flag and bypassPermissions permission mode do not suppress Claude Code's built-in multi-line Bash command safety check. Users in bypass mode still get prompted with:
Command contains newlines that could separate multiple commands
Do you want to proceed?
❯ 1. Yes
2. No
This happens when the model writes a Bash tool call whose description field contains newlines (common with multi-step or commented commands).
Environment
- Claude Code version: 2.1.85
- Platform: macOS (Darwin 25.3.0)
- Client: cmux (Claude Code desktop app)
Steps to Reproduce
- Set
"defaultMode": "bypassPermissions"in~/.claude/settings.json - Set
"skipDangerousModePermissionPrompt": true - Start a session (confirms
--dangerously-skip-permissionsis passed in process args) - Ask Claude to run a Bash command that produces a multi-line description, e.g.:
````
# Check how Gemini is dispatched
grep -n 'gemini' scripts/lib/dispatch.sh | head -20
Find Gemini dispatch patterns
- Claude Code shows the "Command contains newlines" safety dialog despite bypass mode
Process Evidence
All interactive sessions are launched with the bypass flag:
/Users/chris/.local/bin/claude --session-id <id> --dangerously-skip-permissions
Yet the multi-line description safety check still fires.
Expected Behavior
--dangerously-skip-permissions / bypassPermissions should suppress all permission prompts, including the multi-line Bash description safety check. Users who opt into dangerous mode have explicitly accepted the risk.
Configuration
All three settings layers explicitly set bypass:
// ~/.claude/settings.json (global)
{ "permissions": { "defaultMode": "bypassPermissions" }, "skipDangerousModePermissionPrompt": true }
// .claude/settings.json (project)
{ "permissions": { "defaultMode": "bypassPermissions" }, "skipDangerousModePermissionPrompt": true }
// .claude/settings.local.json (project local)
{ "permissions": { "defaultMode": "bypassPermissions" } }
Additional Context
Stale plugin artifacts (separate, now fixed)
During investigation, stale plugin cache/marketplace temp directories were found with enabledPlugins entries in their .claude/settings.json. These were remnants from a plugin bug and have been cleaned up. They may have contributed to earlier permission mode reset issues but are not the cause of the multi-line safety check bypassing the bypass flag.
claude-mem worker subagents
The claude-mem plugin (thedotmack) spawns background worker subagents with --permission-mode default hardcoded in its worker-service.cjs. These are separate processes with all tools disabled, but worth noting.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗