[BUG] FOR THE LOVE OF GOD AND ALL THATS HOLY -STOP THE PERMISSION PROMPTS!!!!!

Resolved 💬 5 comments Opened Apr 6, 2026 by friskygeek Closed May 18, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

TLDR

I have to sit in front of my computer like a money pressing Yes to permission prompts when running /code-review and other parallel agent tasks...

---
Title: Compound command permission prompts cannot be overridden by allowedTools or permissions.allow

Description:

I have extensive allowedTools and permissions.allow entries in my ~/.claude/settings.json that individually allow git, find, gh, cd, and other commands. Despite this, compound commands with cd && trigger mandatory security prompts that cannot be overridden.

Three separate issues:

  1. Broad wildcards in allowedTools don't work

bash(cd && git ) does NOT match commands like cd /path && git remote get-url origin. Each git subcommand needs its own explicit entry:

"allowedTools": [
"bash(cd && git log )",
"bash(cd && git diff )",
"bash(cd && git show )",
"bash(cd && git remote )",
// ... 20+ entries needed
]

Expected: bash(cd && git ) should match any cd <path> && git <subcommand> <args> pattern.

  1. Some compound command security gates cannot be overridden at all

Even with explicit allowedTools entries, certain compound commands still prompt:

cd /path && find . -name "CLAUDE.md" -type f 2>/dev/null | head -50

Triggers: "Compound command contains cd with output redirection - manual approval required to prevent path resolution bypass"

cd /path && git show abc123 -- file.swift | head -80

Triggers: "Compound commands with cd and git require approval to prevent bare repository attacks"

I have bash(cd && find ), bash(cd && git show ), Bash(git:), Bash(find:), and Bash(cd:*) all in my settings. The user has explicitly opted in to allowing these commands, but the hardcoded security checks override user permissions.

Expected: If a user has explicitly allowed both the individual commands AND the compound pattern, the security check should be satisfied.

  1. Plugins spawn agents that ignore user permission settings

The code-review plugin spawns parallel agents that each trigger these compound command prompts. The user's ~/.claude/CLAUDE.md instructs Claude to use mode: "bypassPermissions" on agents, but plugin-spawned agents don't respect this.

This makes code review on multi-project setups (where cd /path && git is routine) extremely painful — you have to sit and press Enter through dozens of prompts.

Impact:

  • I have ~80 broad permission patterns in permissions.allow plus ~30 compound patterns in allowedTools
  • I still get prompted 10-20 times during a single code review run
  • Each prompt requires manual intervention, making unattended agent work impossible
  • The only workaround is --dangerously-skip-permissions which is too broad

Environment:

  • Claude Code v2.1.92
  • macOS
  • Using git worktrees (which increases cd && git compound commands since agents reference the main repo path)

Suggested fix:

  1. Support broad wildcards in allowedTools: bash(cd && git ) should work
  2. Make allowedTools / permissions.allow override ALL compound command security gates — if I've allowed the individual commands, trust the compound
  3. Let plugins respect user-level agent permission preferences

What Should Happen?

Expected: If a user has explicitly allowed both the individual commands AND the compound pattern, the security check should be satisfied.

Error Messages/Logs

Steps to Reproduce

Steps to Reproduce:

  1. Create ~/.claude/settings.json with these permissions:

{
"permissions": {
"allow": [
"Bash(git:*)",
"Bash(find:*)",
"Bash(cd:*)",
"Bash(gh:*)"
]
},
"allowedTools": [
"bash(cd && git )",
"bash(cd && find )",
"bash(cd && gh )"
]
}

  1. Open Claude Code in any git repository:

cd ~/any-git-repo
claude

  1. Ask Claude to run a compound command with cd and git:

Run this command: cd ~/any-git-repo && git log --oneline -5

Result: Prompted with "Compound commands with cd and git require approval to prevent bare repository attacks" — despite both Bash(git:) and bash(cd && git *) being in the allow list.

  1. Ask Claude to run a compound command with output redirection:

Run this command: cd ~/any-git-repo && find . -name "*.md" -type f 2>/dev/null | head -10

Result: Prompted with "Compound command contains cd with output redirection - manual approval required to prevent path resolution bypass" — despite bash(cd && find ) being in the allow list.

  1. For the plugin issue: Install the code-review plugin, open a repo with an open PR, and run /code-review. The plugin spawns parallel agents that each trigger these same compound command prompts repeatedly, requiring 10-20 manual approvals per review.

Expected result for all steps: No permission prompt, since the user has explicitly allowed these commands in settings.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

Claude Code is up to date (2.1.92)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗