[BUG] ask list is ignored when "Bash" is in allow list

[orpheuslummis]

Environment

• Platform (select one):
  • Anthropic API
  • AWS Bedrock
  • Google Vertex AI
  • Other:
• Claude CLI version: Latest (as of 2025-08-25)
• Operating System: Linux
• Terminal: Terminal App

Bug Description

The ask list in permissions is completely ignored when "Bash" is in the allow list, making it impossible to implement a "allow all commands except require confirmation for destructive ones" permission model at the user level.

Steps to Reproduce

1. Set user-level configuration in ~/.claude/settings.json:

   {
     "permissions": {
       "allow": ["Bash"],
       "ask": ["Bash(rm *)", "Bash(git push*)", "Bash(git branch*-D*)"]
     }
   }

2. Ensure no project-level overrides exist (empty or no .claude/settings.json in project)
3. Restart Claude Code completely
4. Run: touch test.txt && rm test.txt

Expected Behavior

The rm command should trigger a confirmation prompt because it matches the "Bash(rm *)" pattern in the ask list, despite "Bash" being in the allow list.

Actual Behavior

The file is deleted immediately without any confirmation prompt. All commands matching patterns in the ask list execute without prompting.

Additional Context

Goal: Single user-level configuration for "bypass all permissions except blacklisted destructive commands" across all projects.

Impact: No way to achieve both convenience (no prompts for safe commands) and safety (protection against destructive commands).

Workarounds attempted (none work):

• defaultMode: "bypassPermissions" - Bypasses everything including ask list
• defaultMode: "default" - Prompts for every new command type

[github-actions]

---

Found 3 possible duplicate issues:

1. [BUG] Claude Calls rm command without having permission to do so #6413
2. [BUG] CRITICAL BUG: Commands execute BEFORE user approval #4364
3. [BUG] Always asking for executing bash #6128

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

---

[cwardgar]

I'm encountering this as well. I have the following settings.json:

{
  "permissions": {
    "defaultMode": "acceptEdits",
    "allow": [
      "Bash",
      "Edit",
      "MultiEdit",
      "NotebookEdit",
      "WebFetch",
      "WebSearch",
      "Write"
    ],
    "ask": [
      "Bash(git commit:*)",
      "Bash(git push --force:*)",
      "Bash(git push -f:*)",
      "Bash(git reset --hard:*)",
      "Bash(git clean -f:*)",
      "Bash(git clean -d:*)",
      "Bash(git rebase:*)",
      "Bash(git merge:*)",
      "Bash(git branch -D:*)",
      "Bash(git branch -d:*)",
      "Bash(git branch --delete:*)",
      "Bash(git checkout --:*)",
      "Bash(git restore:*)",
      "Bash(git stash drop:*)",
      "Bash(git stash clear)",
      "Bash(git filter-branch:*)",
      "Bash(git filter-repo:*)",
      "Bash(git push --delete:*)",
      "Bash(git tag -d:*)",
      "Bash(git tag --delete:*)",
      "Bash(git remote add:*)",
      "Bash(git remote set-url:*)",
      "Bash(git remote remove:*)",
      "Bash(git config:*)",
      "Bash(rm -rf:*)",
      "Bash(rm -r:*)"
    ],
    "deny": [
      "Read(.env)"
    ]
  }
}

• I run mkdir -p foo && touch foo/bar.txt in the terminal.
• I then start Claude Code and tell it: "Remove the foo directory and all of its contents using rm".
• Claude then blithely executes Bash(rm -rf foo), with no prompt appearing, despite the command matching my last two "ask" rules.
• The permissions documentation states "Ask rules take precedence over allow rules." That's not the behavior demonstrated.

[Nxt3]

Same thing:

  "permissions": {
    "allow": [
      "Bash",
      "Edit",
      "Glob",
      "Grep",
      "Read",
      "Task",
      "TodoWrite",
      "Write"
    ],
    "deny": [
      "Bash(curl :*)",
    ]
  },

but it will still run curl commands if I ask it to.

We are essentially asking for "allow all Bash commands except some" and that isn't currently being honored.

[github-actions]

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.