[BUG] FOR THE LOVE OF GOD AND ALL THATS HOLY -STOP THE PERMISSION PROMPTS!!!!!
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
TLDR
I have to sit in front of my computer like a money pressing Yes to permission prompts when running /code-review and other parallel agent tasks...
---
Title: Compound command permission prompts cannot be overridden by allowedTools or permissions.allow
Description:
I have extensive allowedTools and permissions.allow entries in my ~/.claude/settings.json that individually allow git, find, gh, cd, and other commands. Despite this, compound commands with cd && trigger mandatory security prompts that cannot be overridden.
Three separate issues:
- Broad wildcards in allowedTools don't work
bash(cd && git ) does NOT match commands like cd /path && git remote get-url origin. Each git subcommand needs its own explicit entry:
"allowedTools": [
"bash(cd && git log )",
"bash(cd && git diff )",
"bash(cd && git show )",
"bash(cd && git remote )",
// ... 20+ entries needed
]
Expected: bash(cd && git ) should match any cd <path> && git <subcommand> <args> pattern.
- Some compound command security gates cannot be overridden at all
Even with explicit allowedTools entries, certain compound commands still prompt:
cd /path && find . -name "CLAUDE.md" -type f 2>/dev/null | head -50
Triggers: "Compound command contains cd with output redirection - manual approval required to prevent path resolution bypass"
cd /path && git show abc123 -- file.swift | head -80
Triggers: "Compound commands with cd and git require approval to prevent bare repository attacks"
I have bash(cd && find ), bash(cd && git show ), Bash(git:), Bash(find:), and Bash(cd:*) all in my settings. The user has explicitly opted in to allowing these commands, but the hardcoded security checks override user permissions.
Expected: If a user has explicitly allowed both the individual commands AND the compound pattern, the security check should be satisfied.
- Plugins spawn agents that ignore user permission settings
The code-review plugin spawns parallel agents that each trigger these compound command prompts. The user's ~/.claude/CLAUDE.md instructs Claude to use mode: "bypassPermissions" on agents, but plugin-spawned agents don't respect this.
This makes code review on multi-project setups (where cd /path && git is routine) extremely painful — you have to sit and press Enter through dozens of prompts.
Impact:
- I have ~80 broad permission patterns in permissions.allow plus ~30 compound patterns in allowedTools
- I still get prompted 10-20 times during a single code review run
- Each prompt requires manual intervention, making unattended agent work impossible
- The only workaround is --dangerously-skip-permissions which is too broad
Environment:
- Claude Code v2.1.92
- macOS
- Using git worktrees (which increases cd && git compound commands since agents reference the main repo path)
Suggested fix:
- Support broad wildcards in allowedTools: bash(cd && git ) should work
- Make allowedTools / permissions.allow override ALL compound command security gates — if I've allowed the individual commands, trust the compound
- Let plugins respect user-level agent permission preferences
What Should Happen?
Expected: If a user has explicitly allowed both the individual commands AND the compound pattern, the security check should be satisfied.
Error Messages/Logs
Steps to Reproduce
Steps to Reproduce:
- Create ~/.claude/settings.json with these permissions:
{
"permissions": {
"allow": [
"Bash(git:*)",
"Bash(find:*)",
"Bash(cd:*)",
"Bash(gh:*)"
]
},
"allowedTools": [
"bash(cd && git )",
"bash(cd && find )",
"bash(cd && gh )"
]
}
- Open Claude Code in any git repository:
cd ~/any-git-repo
claude
- Ask Claude to run a compound command with cd and git:
Run this command: cd ~/any-git-repo && git log --oneline -5
Result: Prompted with "Compound commands with cd and git require approval to prevent bare repository attacks" — despite both Bash(git:) and bash(cd && git *) being in the allow list.
- Ask Claude to run a compound command with output redirection:
Run this command: cd ~/any-git-repo && find . -name "*.md" -type f 2>/dev/null | head -10
Result: Prompted with "Compound command contains cd with output redirection - manual approval required to prevent path resolution bypass" — despite bash(cd && find ) being in the allow list.
- For the plugin issue: Install the code-review plugin, open a repo with an open PR, and run /code-review. The plugin spawns parallel agents that each trigger these same compound command prompts repeatedly, requiring 10-20 manual approvals per review.
Expected result for all steps: No permission prompt, since the user has explicitly allowed these commands in settings.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
Claude Code is up to date (2.1.92)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗