[BUG] ask list is ignored when "Bash" is in allow list
Environment
- Platform (select one):
- [X] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other:
- Claude CLI version: Latest (as of 2025-08-25)
- Operating System: Linux
- Terminal: Terminal App
Bug Description
The ask list in permissions is completely ignored when "Bash" is in the allow list, making it impossible to implement an "allow all commands except require confirmation for destructive ones" permission model at the user level.
Steps to Reproduce
- Set user-level configuration in ~/.claude/settings.json:
    {
      "permissions": {
        "allow": ["Bash"],
        "ask": ["Bash(rm *)", "Bash(git push*)", "Bash(git branch*-D*)"]
      }
    }
- Ensure no project-level overrides exist (empty or no .claude/settings.json in project)
- Restart Claude Code completely
- Run: touch test.txt && rm test.txt
Expected Behavior
The rm command should trigger a confirmation prompt because it matches the "Bash(rm *)" pattern in the ask list, despite "Bash" being in the allow list.
Actual Behavior
The file is deleted immediately without any confirmation prompt. All commands matching patterns in the ask list execute without prompting.
Additional Context
Goal: Single user-level configuration for "bypass all permissions except blacklisted destructive commands" across all projects.
Impact: No way to achieve both convenience (no prompts for safe commands) and safety (protection against destructive commands).
Workarounds attempted (none work):
- defaultMode: "bypassPermissions" - Bypasses everything including ask list
- defaultMode: "default" - Prompts for every new command type
Found 3 possible duplicate issues:
- https://github.com/anthropics/claude-code/issues/6413
- https://github.com/anthropics/claude-code/issues/4364
- https://github.com/anthropics/claude-code/issues/6128
This issue will be automatically closed as a duplicate in 3 days.
- If your issue is a duplicate, please close it and 👍 the existing issue instead
- To prevent auto-closure, add a comment or 👎 this comment
🤖 Generated with Claude Code
I'm encountering this as well. I have the following settings.json:
    {
      "permissions": {
        "defaultMode": "acceptEdits",
        "allow": [
          "Bash",
          "Edit",
          "MultiEdit",
          "NotebookEdit",
          "WebFetch",
          "WebSearch",
          "Write"
        ],
        "ask": [
          "Bash(git commit:*)",
          "Bash(git push --force:*)",
          "Bash(git push -f:*)",
          "Bash(git reset --hard:*)",
          "Bash(git clean -f:*)",
          "Bash(git clean -d:*)",
          "Bash(git rebase:*)",
          "Bash(git merge:*)",
          "Bash(git branch -D:*)",
          "Bash(git branch -d:*)",
          "Bash(git branch --delete:*)",
          "Bash(git checkout --:*)",
          "Bash(git restore:*)",
          "Bash(git stash drop:*)",
          "Bash(git stash clear)",
          "Bash(git filter-branch:*)",
          "Bash(git filter-repo:*)",
          "Bash(git push --delete:*)",
          "Bash(git tag -d:*)",
          "Bash(git tag --delete:*)",
          "Bash(git remote add:*)",
          "Bash(git remote set-url:*)",
          "Bash(git remote remove:*)",
          "Bash(git config:*)",
          "Bash(rm -rf:*)",
          "Bash(rm -r:*)"
        ],
        "deny": [
          "Read(.env)"
        ]
      }
    }
- I run mkdir -p foo && touch foo/bar.txt in the terminal.
- I then start Claude Code and tell it: "Remove the foo directory and all of its contents using rm".
- Claude then blithely executes Bash(rm -rf foo), with no prompt appearing, despite the command matching my last two "ask" rules.
- The permissions documentation states "Ask rules take precedence over allow rules." That's not the behavior demonstrated.
Same thing:
    "permissions": {
      "allow": [
        "Bash",
        "Edit",
        "Glob",
        "Grep",
        "Read",
        "Task",
        "TodoWrite",
        "Write"
      ],
      "deny": [
        "Bash(curl :*)"
      ]
    },
but it will still run curl commands if I ask it to.
We are essentially asking for "allow all Bash commands except some" and that isn't currently being honored.
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
Still a problem.
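The precedence the reports above expect, as an added example that is not part of the thread and is not Claude Code's own code: a small evaluator that checks deny, then ask, then allow, next to an allow-first ordering that reproduces the reported outcomes. The function names, the matching semantics (bare tool name, `prefix:*`, glob), the deny-before-ask ordering, the prompt fallback and the operator splitting are all assumptions made for illustration.

```python
import fnmatch
import re

# Constructed sample: rules copied from the configurations posted in this thread.
PERMISSIONS = {
    "allow": ["Bash"],
    "ask": ["Bash(rm *)", "Bash(git push*)", "Bash(rm -rf:*)"],
    "deny": ["Bash(curl :*)"],
}
STRICTEST_FIRST = ("deny", "ask", "allow")  # deny-before-ask is an assumption
ALLOW_FIRST = ("allow", "ask", "deny")      # ordering that reproduces the report


def rule_matches(rule, tool, command):
    """Assumed matching: 'Tool' covers every call, 'Tool(prefix:*)' is a
    prefix match, any other 'Tool(pattern)' is a shell-style glob."""
    m = re.fullmatch(r"(\w+)(?:\((.*)\))?", rule)
    if m is None or m.group(1) != tool:
        return False
    pattern = m.group(2)
    if pattern is None:
        return True
    if pattern.endswith(":*"):
        return command.startswith(pattern[:-2])
    return fnmatch.fnmatchcase(command, pattern)


def decide_one(permissions, tool, command, order):
    """Return the first rule list, in evaluation order, with a matching rule."""
    for decision in order:
        rules = permissions.get(decision, [])
        if any(rule_matches(rule, tool, command) for rule in rules):
            return decision
    return "ask"  # assumed fallback when no rule matches: prompt the user


def decide(permissions, tool, command, order=STRICTEST_FIRST):
    """Check each part of a compound command; the strictest result wins.
    Splitting on shell operators is a simplification, not a shell parser."""
    parts = [p.strip() for p in re.split(r"&&|\|\||[;|]", command) if p.strip()]
    results = [decide_one(permissions, tool, p, order) for p in parts or [command]]
    return min(results, key=STRICTEST_FIRST.index)


if __name__ == "__main__":
    for cmd in ("touch test.txt && rm test.txt", "rm -rf foo",
                "curl https://example.com", "ls -la"):
        print(f"{cmd!r}: expected={decide(PERMISSIONS, 'Bash', cmd)} "
              f"allow_first={decide(PERMISSIONS, 'Bash', cmd, ALLOW_FIRST)}")
```

A table of expected decisions like the one this prints can serve as a regression check for a settings file: list the commands that must prompt or be refused and compare them against what the tool actually does after each upgrade.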