claude-code - 💡(How to fix) Fix [FEATURE] Auto-allow piped/chained commands when all components are individually allowed [1 comments, 2 participants]

GitHub stats: anthropics/claude-code#46868 (fetched 2026-04-12 13:30:57)
Comments: 1, Participants: 2, Timeline: 7, Reactions: 0
Timeline (top): labeled ×4, commented ×1, cross-referenced ×1, unlabeled ×1


Preflight Checklist

  • I have searched existing requests and this feature hasn't been requested yet
  • This is a single feature request (not multiple features)

Problem Statement

Problem

When individual commands are in the permissions allow list (e.g. Bash(.venv/bin/pylint:*) and Bash(grep:*)), piping or chaining them together (e.g. .venv/bin/pylint apps/ | grep "^apps") still triggers a permission prompt. The matcher evaluates the full compound command string as one unit rather than decomposing it by shell operators.

This means every pipeline of two allowed commands requires manual approval, even though neither component would prompt on its own.

Expected behavior

When a Bash command contains shell operators (|, &&, ;), decompose the compound command into its individual subcommands and check each against the allow list independently. If every subcommand matches an allowed pattern, auto-allow the full command without prompting.

Current workaround

None that works reliably at a global level. Users must either approve each specific compound command one at a time as they encounter it, or avoid piping altogether and run commands separately.

Why this matters

Piping allowed commands is a routine developer pattern (pylint ... | grep ..., git log ... | head, find ... | wc -l). Prompting on every such combination creates friction that trains users to approve without reading — the opposite of the security intent.

Security consideration

The decomposition should respect disallow rules: if any subcommand in the pipeline matches a disallow pattern, the full command should still be blocked. The check is: every component is individually allowed AND no component is individually disallowed.

Proposed Solution

When the Bash permission checker encounters a compound command, split it by shell operators (|, &&, ;, ||) into subcommands, trim each, and check every subcommand independently against the allow and disallow lists. Auto-allow the full command only if every subcommand passes.

Pseudocode:

def is_allowed(full_command, allow_rules, disallow_rules):
    subcommands = split_by_shell_operators(full_command)  # split on |, &&, ;, ||
    for sub in subcommands:
        sub = sub.strip()
        if matches_any(sub, disallow_rules):
            return False
        if not matches_any(sub, allow_rules):
            return False
    return True

Example

Given these settings:

{
  "permissions": {
    "allow": [
      "Bash(.venv/bin/pylint:*)",
      "Bash(grep:*)"
    ]
  }
}

Command                                 Today          After this change
.venv/bin/pylint apps/                  auto-allowed   auto-allowed (no change)
grep -E "^apps"                         auto-allowed   auto-allowed (no change)
.venv/bin/pylint apps/ | grep "^apps"   prompts        auto-allowed (both components match)
.venv/bin/pylint apps/ && rm -rf /      prompts        still prompts (rm -rf / matches no allow rule)

Security consideration

The decomposition should respect disallow rules: if any subcommand in the pipeline matches a disallow pattern, the full command should still be blocked. The check is: every component is individually allowed AND no component is individually disallowed.

Alternative Solutions

No response

Priority

High - Significant impact on productivity

Feature Category

CLI commands and flags

Use Case Example

No response

Additional Context

No response

extent analysis

TL;DR

Implement a Bash permission checker that splits compound commands into subcommands and checks each against allow and disallow lists independently to auto-allow pipelines of allowed commands.

Guidance

  • Modify the permission checker to split compound commands by shell operators (|, &&, ;, ||) into subcommands.
  • Trim each subcommand and check it independently against the allow and disallow lists.
  • Auto-allow the full command only if every subcommand passes both checks.
  • Ensure the decomposition respects disallow rules by blocking the full command if any subcommand matches a disallow pattern.

Example

Given the provided pseudocode, implement the split_by_shell_operators function to correctly split compound commands and integrate it with the is_allowed function to achieve the desired behavior.

Notes

The proposed solution requires careful implementation to handle various edge cases, such as nested shell operators or quoted commands. Thorough testing will be necessary to ensure the solution works as expected.
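
One way to fill in the split_by_shell_operators and matches_any helpers that the pseudocode leaves undefined, with the quoting edge cases handled. This is an added example, not code from the issue or from Claude Code. It assumes prefix semantics for `Bash(<prefix>:*)` rules, and it goes beyond the issue by refusing to decompose (so the prompt still appears) when the command contains command substitution, redirection, subshells, backslash escapes or a background `&`.

```python
import re

# Assumed rule syntax (from the settings in the issue): "Bash(<prefix>:*)" matches
# <prefix> alone or followed by arguments; without ":*" the match is exact.
RULE = re.compile(r"^Bash\((.+?)(:\*)?\)$")
ALLOW = ["Bash(.venv/bin/pylint:*)", "Bash(grep:*)"]  # rules from the issue's example

def matches_any(sub, rules):
    for rule in rules:
        m = RULE.match(rule)
        # Require a space after the prefix so "grep" does not match "grepx".
        if m and (sub == m[1] or (m[2] and sub.startswith(m[1] + " "))):
            return True
    return False

def split_by_shell_operators(command):
    """Split on unquoted |, ||, && and ;. None means: do not decompose."""
    parts, buf, quote, i = [], [], None, 0
    while i < len(command):
        ch = command[i]
        if quote:
            if quote == '"' and ch in "$`\\":
                return None          # expansion is still live inside "..."
            if ch == quote:
                quote = None
            buf.append(ch)
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch in "$`()<>{}\\\n":
            return None              # substitution, subshell, redirect, escape
        elif ch in "|&;":
            if command[i:i + 2] in ("||", "&&"):
                i += 1
            elif ch == "&":
                return None          # background job or |&, not a listed operator
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    # Unterminated quote or empty component (";;", trailing "|"): refuse.
    return None if quote or not all(parts) else parts

def is_allowed(full_command, allow_rules, disallow_rules):
    subs = split_by_shell_operators(full_command)   # None: fall back to the prompt
    return subs is not None and all(
        matches_any(s, allow_rules) and not matches_any(s, disallow_rules) for s in subs)
```

With the rules from the issue, `grep "a|b" file` stays a single component because the pipe is quoted, while `grep x $(rm -rf /)` is not decomposed at all and falls back to the prompt.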

Recommendation

Apply the proposed workaround by implementing the modified permission checker, as it directly addresses the issue and provides a clear solution to the problem.
