Option to auto-deny (not prompt) when built-in safety checks flag a command

[gotrevor-notarize]

Problem

When Claude Code detects potentially risky command syntax, it prompts the user for approval rather than auto-denying. For example:

 Bash command

   echo "foo $(whoami)"
   Compound command with command substitution

 Command contains $() command substitution

The user is then asked whether to proceed.

CC would easily re-write this without command substitution, given the chance. Currently, though, CC does not have the chance until the user intervenes to approve.

As an option the command should be auto-denied, and Claude should reformulate (e.g., run the commands as separate Bash calls).

Current workaround

PreToolUse hooks with exit 2 can auto-block specific patterns. But this requires the user to reimplement detection that CC already has built in.

Proposed solution

A setting (in settings.json or .claude/settings.json) to change the behavior of CC's built-in safety warnings from "prompt" to "deny". Something like:

{
  "bashSafetyMode": "strict"
}

Or more granularly, per warning type:

{
  "bashSafety": {
    "commandSeparators": "deny",
    "ambiguousSyntax": "deny"
  }
}

When set to "deny", CC would:

1. Auto-reject the command (same as a PreToolUse hook returning exit 2)
2. Receive the denial reason as an error message
3. Reformulate the command to avoid the flagged pattern

The goal of this pattern is to avoid ask fatigue when a re-write by CC would pass easily.

Why this matters

• The prompt creates a false choice: the user either approves something CC flagged as risky, or manually denies it every time. Auto-deny removes the friction and the risk of accidental approval.
• CC already has the detection logic — this is purely about exposing the behavior as configurable.

[github-actions]

Found 3 possible duplicate issues:

1. [FEATURE] Sandbox denial should stop agent, not auto-retry with bypass prompt #24416
2. Support timeout + auto-deny on permissionDecision: ask from hooks #26142
3. [FEATURE] Permission deny list: blacklist specific commands without LLM hooks #26862

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[gotrevor-notarize]

#26142
^^ This is actually a really good idea, and if applied to automatic permission requests, would also solve the problem here.

More explicitly, the ask would be for any automatic permission prompt to either:

• time out with deny after a timeout
• auto-deny [currently lacking] (approval timeout=0)
• auto-approve (currently --dangerously-skip-permissions)

Perhaps --safely-deny-permissions ???

[aaronbrethorst]

I am prompted repeatedly to approve or deny "Command contains $() command substitution" permission checks in the most recent versions of Claude Code. I understand the purpose of this security feature—and appreciate it—but Claude Code needs to be smarter about not using these substitutions as a result.

[yurukusa]

Hook workaround: auto-deny instead of prompting
A PreToolUse hook can auto-deny risky patterns that would normally trigger a prompt:

set -euo pipefail
INPUT=$(cat)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
[ -z "$COMMAND" ] && exit 0
echo "$COMMAND" | grep -qE '\|\s*(bash|sh|zsh)\b' && { echo "BLOCKED: Pipe to shell." >&2; exit 2; }
echo "$COMMAND" | grep -qE '(curl|wget)\s.*\|\s*(bash|sh|python|node)' && { echo "BLOCKED: Remote execution." >&2; exit 2; }
echo "$COMMAND" | grep -qE '\beval\s' && { echo "BLOCKED: eval." >&2; exit 2; }
echo "$COMMAND" | grep -qE '(rm|mv|cp|chmod)\s.*\$\(' && { echo "BLOCKED: Command sub in destructive cmd." >&2; exit 2; }
echo "$COMMAND" | grep -qE 'rm\s+.*\*' && { echo "BLOCKED: Wildcard rm." >&2; exit 2; }
exit 0

This converts "ask the user" into "deny and reformulate" — Claude gets the exit 2 signal, sees the error message, and rewrites the command using safer alternatives. No user interaction needed.
The key advantage over auto-approve: Claude learns to avoid these patterns entirely rather than having them silently allowed.

[github-actions]

Closing for now — inactive for too long. Please open a new issue if this is still relevant.