[DOCS] Permissions docs outdated Bash deny-rule exec-wrapper matching
Documentation Type
Incorrect/outdated documentation
Documentation Location
https://code.claude.com/docs/en/permissions
Section/Topic
#### Process wrappers in the Bash permission rule documentation
Current Documentation
The docs currently say:
Before matching Bash rules, Claude Code strips a fixed set of process wrappers so a rule likeBash(npm test *)also matchestimeout 30 npm test. The recognized wrappers aretimeout,time,nice,nohup, andstdbuf. Barexargsis also stripped, soBash(grep *)matchesxargs grep pattern. This wrapper list is built in and is not configurable.
The page does not mention deny-rule matching for commands wrapped in env, sudo, watch, ionice, setsid, or similar exec wrappers.
What's Wrong or Missing?
Changelog v2.1.113 says: "Security: Bash deny rules now match commands wrapped in env/sudo/watch/ionice/setsid and similar exec wrappers".
The current permissions page still documents an older, narrower wrapper list. That makes the Process wrappers section outdated for users configuring Bash deny rules, because it implies wrapper-aware matching only covers timeout, time, nice, nohup, stdbuf, and bare xargs.
Users reading the page do not learn that deny rules now also apply when a command is wrapped in env, sudo, watch, ionice, setsid, and similar exec-wrapper forms.
Suggested Improvement
Update the Process wrappers section in https://code.claude.com/docs/en/permissions to reflect the v2.1.113 behavior change.
At minimum:
- Expand the documented wrapper list to include
env,sudo,watch,ionice,setsid, and similar exec wrappers. - Clarify that this applies to Bash deny-rule matching.
- Add one or two concrete examples showing that a deny rule still matches when the command is wrapped, so users can reason about security policy correctly.
For example, a short note could explain that a deny rule written for the inner command still applies when that command is launched through supported exec wrappers.
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/permissions | Process wrappers currently lists a narrower built-in wrapper set and does not reflect the v2.1.113 deny-rule change |
| https://code.claude.com/docs/en/settings | The permissions.deny setting sends readers to the Bash permission limitations in the permissions docs, so this cross-reference should stay aligned |
Total scope: 2 pages affected
Source: Changelog v2.1.113
Exact changelog entry: Security: Bash deny rules now match commands wrapped in env/sudo/watch/ionice/setsid and similar exec wrappers
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗