[FEATURE] Allow suppressing bash safety heuristic prompts via settings

[chrispmcgee]

Preflight Checklist

• I have searched existing requests and this feature hasn't been requested yet
• This is a single feature request (not multiple features)

Problem Statement

Claude Code's built-in bash safety heuristics trigger interactive "Do you want to proceed?" prompts on common, legitimate shell patterns — and unlike allowlist-based permission prompts, these cannot be permanently suppressed through permissions.allow rules, acceptEdits mode, or "don't ask again."

Patterns that trigger these prompts include:

• $() command substitution (e.g., git commit -m "$(cat <<'EOF'...)" — Claude's own recommended commit format)
• Backtick command substitution (e.g., in gh pr create bodies)
• Newlines separating multiple commands (e.g., for loops, multi-step scripts)
• Empty quotes before dashes ("potential bypass")
• Quote characters inside # comments ("can desync quote tracking")
• ANSI-C quoting ("can hide characters")
• Compound commands with cd and output redirection

For power users running Claude Code interactively on their own machines, these prompts fire dozens of times per session on routine development commands. The prompts have no "don't ask again" option, so each one requires manual intervention — even when the command prefix is explicitly in the allowlist.

Proposed Solution

A setting to configure the behavior of individual safety heuristic categories. For example:

{
  "bashSafety": {
    "commandSubstitution": "allow",
    "newlines": "allow",
    "ansiQuoting": "allow",
    "ambiguousSyntax": "prompt"
  }
}

Or a simpler blanket setting:

{
  "bashSafety": "allow"
}

When set to "allow", the heuristic check would still run but would auto-approve instead of prompting. This preserves the detection logic (it could still log warnings) while removing the interactive friction.

This is the complement to #28993, which proposes auto-deny so Claude reformulates. Both approaches want to eliminate the interactive prompt — this one for users who trust their local shell environment and want flow, #28993 for users who want stricter automatic enforcement.

Alternative Solutions

• --dangerously-skip-permissions: Too broad — disables all permission checks, not just heuristics. Intended for containers, not interactive use.
• PreToolUse hooks: As noted in Option to auto-deny (not prompt) when built-in safety checks flag a command #28993, users can write hooks to intercept these, but this requires reimplementing detection logic that Claude Code already has. A configuration toggle would be much simpler.
• Avoiding trigger patterns: Claude could use simpler commands (e.g., no heredocs in commits), but this sacrifices formatting quality and forces workarounds for standard shell patterns.

Priority

High - Significant impact on productivity

Feature Category

Configuration and settings

Use Case Example

1. User has Bash(git:*) in their allowlist and acceptEdits mode enabled
2. User asks Claude to commit changes
3. Claude runs git add file.php && git commit -m "$(cat <<'EOF' ... EOF)"
4. Despite the allowlist match, user gets prompted: "Command contains $() command substitution — Do you want to proceed?"
5. User approves. Next commit, same prompt. And the next. Every single commit.
6. With this feature, user sets "bashSafety": "allow" and commits flow without interruption

Additional Context

• Related: Option to auto-deny (not prompt) when built-in safety checks flag a command #28993 (auto-deny direction of same problem)
• The heuristics appear to be a relatively recent addition — users who configured extensive allowlists previously experienced far fewer prompts
• The current behavior creates "ask fatigue" where users reflexively approve every prompt, undermining the security purpose

[github-actions]

Found 3 possible duplicate issues:

1. Option to auto-deny (not prompt) when built-in safety checks flag a command #28993
2. [BUG] Annoying prompts "Command contains quote characters inside a # comment which can desync quote tracking" for safe, allowed commands #30345
3. Compound cd && git commands in worktrees should not require approval #30213

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[chrispmcgee]

Not a duplicate. #28993 proposes auto-deny (opposite direction — we want auto-allow). #30213 is specific to cd && git in worktrees. #30345 is the closest but is scoped to a single heuristic type and filed as a bug — this issue is a broader feature request for a setting to configure the behavior of all bash safety heuristics, encompassing #30345 and #30213 as specific cases.

[mrballcb]

Also #27957 is related in that any tool which you configure claude to use that utilizes quoted cli commands (ie beans for me) will prompt every single change it wants to make. I too want the ability to disable or bypass enforcement of this check either globally or per permitted command. Claude has become unwieldy for me because I have to repeatedly hit Enter for every step of every agent.

[connorfee-texwahoo]

Same issue here. allowBashCommandSubstitution: true is set in both global (~/.claude/settings.json) and project-level settings.local.json — still prompts every time. This is especially painful for git commits since Claude's own system prompt hardcodes the heredoc $() pattern.

[ThinkOffApp]

We run Claude Code headless as a persistent service with dangerouslySkipPermissions: true and layer safety on top via hooks instead of interactive prompts. IDE Agent Kit generates this config with init --ide claude-code.

The bash safety heuristics are the main blocker for unattended operation. Heredoc commits, command substitution in git messages, and similar patterns trigger prompts that can't be suppressed through permissions.allow. For automated workflows, hook-based validation (pre-tool scripts that check the command before execution) is more flexible and doesn't require human presence.

A settings flag to suppress specific heuristic categories while keeping the hook system for custom safety rules would make headless operation much more practical.

[skypher]

Same here. Good idea especially for casual users but we gotta have a way to disable these.