[Bug] Bash(pattern:*) in --allowedTools/--tools does not restrict commands
Environment
- Claude Code version: latest (2026-04-13)
- Platform: macOS Darwin 25.3.0
- Shell: zsh
Bug Description
Bash(pattern:*) syntax in --allowedTools and --tools does not enforce command restrictions. Commands that don't match the pattern execute successfully.
Steps to Reproduce
# Restrict Bash to only .claude/tools/* scripts
echo 'Run these commands via Bash: 1) ls -la 2) echo hello 3) rm -rf /tmp/test-12345' \
| claude -p --allowedTools "Bash(.claude/tools/*)" --permission-mode bypassPermissions
Expected Behavior
Only commands matching .claude/tools/* should execute. ls, echo, and rm should be blocked since they don't match the pattern.
Actual Behavior
All 3 commands execute successfully. The pattern is completely ignored — Bash has unrestricted access.
Additional Testing
# Also tested with git pattern — ls still runs
echo 'Run: ls -la' | claude -p --allowedTools "Read Bash(git:*)" --permission-mode bypassPermissions
# Result: ls executes successfully despite not matching git:*
Impact
This makes it impossible to create sandboxed agents with restricted Bash access. The workaround is using MCP tools (which adds complexity), but Bash(pattern:*) enforcement would enable simpler, more deterministic agent delegation chains.
Related Issues
- #1188 — Path patterns in allowedTools not honored in non-interactive mode (closed)
- #13649 — Bash tool bypasses allowlist restrictions (closed/autoclosed)
Both describe the same underlying issue but were closed without resolution.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗