[Bug] Bash(pattern:*) in --allowedTools/--tools does not restrict commands

Resolved 💬 3 comments Opened Apr 13, 2026 by Pierre-Mike Closed Apr 13, 2026

Environment

  • Claude Code version: latest (2026-04-13)
  • Platform: macOS Darwin 25.3.0
  • Shell: zsh

Bug Description

Bash(pattern:*) syntax in --allowedTools and --tools does not enforce command restrictions. Commands that don't match the pattern execute successfully.

Steps to Reproduce

# Restrict Bash to only .claude/tools/* scripts
echo 'Run these commands via Bash: 1) ls -la 2) echo hello 3) rm -rf /tmp/test-12345' \
  | claude -p --allowedTools "Bash(.claude/tools/*)" --permission-mode bypassPermissions

Expected Behavior

Only commands matching .claude/tools/* should execute. ls, echo, and rm should be blocked since they don't match the pattern.

Actual Behavior

All 3 commands execute successfully. The pattern is completely ignored — Bash has unrestricted access.

Additional Testing

# Also tested with git pattern — ls still runs
echo 'Run: ls -la' | claude -p --allowedTools "Read Bash(git:*)" --permission-mode bypassPermissions
# Result: ls executes successfully despite not matching git:*

Impact

This makes it impossible to create sandboxed agents with restricted Bash access. The workaround is using MCP tools (which adds complexity), but Bash(pattern:*) enforcement would enable simpler, more deterministic agent delegation chains.

Related Issues

  • #1188 — Path patterns in allowedTools not honored in non-interactive mode (closed)
  • #13649 — Bash tool bypasses allowlist restrictions (closed/autoclosed)

Both describe the same underlying issue but were closed without resolution.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗