Bash allow patterns fail to match compound commands, complex quoting, and long SSH commands
Summary
Bash(cmd *) allow patterns in settings.json fail to match commands that contain compound operators, complex quoting, redirects, or are very long — even when the first token clearly matches. These commands prompt the user for approval despite being in the allow list.
Reproduction
settings.json contains:
"allow": [
"Bash(/c/Windows/System32/OpenSSH/ssh.exe *)",
"Bash(echo *)",
"Bash(file *)",
"Bash(stat *)",
"Bash(ls *)",
"Bash(git *)"
]
Commands that still prompt "Allow Claude to Run...?":
1. Compound commands (&&)
file /tmp/test.pdf && wc -c /tmp/test.pdf
Both Bash(file *) and Bash(wc *) are in the allow list.
2. Command substitution ($(...))
echo "RESUME_MARKER_260402T$(date +%H%M%S)"
Bash(echo *) is in the allow list.
3. Long SSH commands with embedded quoting
/c/Windows/System32/OpenSSH/ssh.exe mkim@100.76.113.12 "ls -la ~/.tmux/scripts/ && echo '---' && head -2 ~/.tmux.conf && echo '...' && tail -2 ~/.tmux.conf"
Bash(/c/Windows/System32/OpenSSH/ssh.exe *) is in the allow list. Confirmed in a brand-new session (not a mid-session cache issue).
4. Redirects and pipes
ls -la ~/.codex/ 2>/dev/null | head -5
git -C "D:/D_Repositories/MHdotfiles" push 2>&1
Both Bash(ls *) and Bash(git *) are in the allow list.
Expected behavior
Bash(cmd *) should match any command string starting with cmd followed by anything, regardless of &&, |, $(...), 2>&1, heredocs, or command length.
Environment
- Claude Code v2.1.87 (Desktop app, Windows 10)
- Permission mode:
acceptEdits - Settings with ~200 allow patterns and PreToolUse hook
Workaround
Approve once per session — the session-scoped rule remembers the exact command. No settings.json fix is possible.
Related
- #43187 — JSONL should record permission prompt events (for systematic auditing)
🤖 Generated with Claude Code
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗