PowerShell tool: non-overridable "Remove-Item on system path" guard over-blocks legitimate commands (AST target mis-attribution)
Summary
The PowerShell tool blocks legitimate commands with:
Remove-Item on system path '<x>' is blocked. This path is protected from removal.
...when the command contains a Remove-Item and an unrelated token that the
static analyzer mis-attributes as the delete target. The extraction appears to pull
a token from elsewhere in the command line rather than from Remove-Item's own
arguments.
Confirmed mis-attributed shapes
- A later
-replace '\s',''operand → target parsed as''\s','' - A co-occurring REST-URL path segment → target parsed as
'/promote' - A
Join-Path-derived variable pointing at a dangling junction → target parsed as'/'
In each case the actual Remove-Item target is a legitimate, non-system path; the
blocked token comes from an unrelated part of the command.
Impact
The deny is classifierApprovable: false, so it is non-overridable — nopermissions.allow rule and no CLAUDE_CODE_DISABLE_* environment variable bypasses
it. This blocks otherwise-valid diagnostic and file-management commands.
Requested fix
- Scope the
Remove-Itemtarget extraction to that command element's own arguments
(terminate at ; / |), so tokens from later commands or unrelated operands are
not captured; and/or
- Make the guard
classifierApprovableso a reviewed command can proceed.
Workaround
Delete via .NET ([System.IO.File]::Delete / [System.IO.Directory]::Delete) or the
Bash rm tool — the guard keys on the literal cmdlet name remove-item.
Environment
- Claude Code 2.1.198
- Windows, PowerShell tool