Permission system doesn't match Claude's natural Bash generation patterns (multi-line scripts, variable-assignment prefixes)

Resolved 💬 2 comments Opened Jun 25, 2026 by dbbrandt Closed Jun 25, 2026

Summary

Claude Code's permission system evaluates Bash commands by matching the first token of the command string against an allowlist. Claude (the model) routinely generates two shell patterns that break this matching, causing spurious permission prompts even when every constituent command would individually be auto-allowed or is in the project allowlist.

Triggering patterns

1. Multi-line scripts

Claude frequently batches related commands into a single Bash call using newlines:

cd /path/to/project
echo "=== checking ==="
grep -rn "pattern" crates/
cargo test -p my-crate

The permission system sees the first token (cd) and then evaluates the rest as an opaque script block. Even though cd, echo, grep are all auto-allowed, the multi-line structure causes a prompt.

2. Variable-assignment prefixes

Claude uses shell variable assignments to avoid repeating long values:

B=http://localhost:8080/api/v1; curl $B/health; curl $B/accounts

The permission system sees B=http://... as the first token. It doesn't match any allowlist pattern (even Bash(curl *) won't help), so it always prompts.

Expected behavior

One of:

A. Parser-side fix — Walk the compound command AST. For &&-chains, semicolons, and newline-separated statements, check each constituent command independently. A multi-line script is auto-allowed if every statement in it is auto-allowed. A VAR=value; cmd prefix should resolve to cmd as the effective command.

B. Generation-side fix — Update model behavior (system prompt / fine-tuning) so Claude Code sessions default to patterns the permission system can evaluate: &&-chained single-line commands and inlined values instead of shell variable prefixes.

C. Both — Ideal: fix the parser to handle compound forms, and update generation to produce parseable output.

Impact

This causes a high rate of unnecessary prompts during normal development sessions — particularly when working across project directories (the cd /path && ... pattern appears in nearly every multi-step investigation). Users end up either approving dozens of safe operations one by one, or adding an instruction file as a workaround (which is how I discovered this issue).

Current workaround

Adding the following to ~/.claude/CLAUDE.md instructs the model to avoid these patterns:

## Bash command style

Avoid multi-line Bash scripts in a single tool call — use `&&`-chained single-line commands
or separate sequential Bash calls instead.

Avoid shell variable-assignment prefixes as the first token (`B=url; curl $B/...`) —
inline values directly so the permission system can match the actual command.

This works but it's a user-space patch for what is fundamentally a tool-level inconsistency.

Environment

  • Claude Code (claude-opus-4-8)
  • macOS Darwin 24.6.0

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗