PermissionRequest hook cannot override some security pre-checks

[ikuwow]

Problem

Claude Code security pre-checks flag commands with patterns like:

• Backticks inside single-quoted strings (e.g. git commit -m 'fix \encoding` issue'`)
• #-prefixed lines after quoted newlines (e.g. --body '## Summary ...')
• $() command substitution (even safe patterns like $(cat <<'EOF' ...))

These pre-checks override allow rules entirely (by design, see anthropics/claude-code#11932).

The approve_safe_commands.py PermissionRequest hook was created to auto-approve safe commands, but it cannot override all pre-check types. For example, the "quoted newline followed by #-prefixed line" check still prompts the user even when the hook returns {"behavior": "allow"}.

Current state

• approve_safe_commands.py handles some cases via PermissionRequest hook
• AIRULES.md rule 8 instructs agents to use single-quoted multiline strings
• Some pre-checks still bypass the hook

Options considered

PreToolUse hook

Runs before all pre-checks and can bypass the entire permission system with permissionDecision: "allow". However, this also bypasses deny rules, making the hook a single point of trust for command safety. Too powerful for comfort.

Ideal solution

• Allow rules and deny/ask rules handle the normal case
• Security pre-checks catch genuinely dangerous patterns
• PermissionRequest hook can override specific pre-checks that are false positives
• OR: Claude Code provides per-check configuration (see [FEATURE] Allow suppressing bash safety heuristic prompts via settings anthropics/claude-code#30435)

Related upstream issues

• [Bug] Auto-approve patterns don't match multiline commands (heredocs) anthropics/claude-code#11932 — Wildcard * does not match multiline commands (missing s flag in RegExp)
• [FEATURE] Allow suppressing bash safety heuristic prompts via settings anthropics/claude-code#30435 — Allow suppressing bash safety heuristic prompts via settings
• Allow configuring or disabling the multi-line command newline safety prompt anthropics/claude-code#30190 — Allow configuring or disabling multi-line command newline safety prompt
• Bash permission wildcards don't match multiline/heredoc commands anthropics/claude-code#25441 — Bash permission wildcards do not match multiline/heredoc commands

[ikuwow]

Status update (2026-04-11)

Investigated the current state of this issue. Summary:

Upstream progress

Issue	Status	Note
anthropics/claude-code#25441	COMPLETED	Wildcard * now matches multiline commands (dotAll flag fix)
anthropics/claude-code#30190	CLOSED (DUPLICATE)	Closed as duplicate of #30435
anthropics/claude-code#11932	OPEN	Original wildcard bug is fixed; $() / backtick / #-line heuristics tracked separately, fix in progress per Anthropic comment (2026-04-07)
anthropics/claude-code#30435	OPEN	Official feature request to suppress safety heuristics via settings — still unresolved

Current mitigations

The theoretical problem (PermissionRequest hooks cannot override all safety heuristics) still exists, but in practice the impact is negligible:

• approve_git_gh_commands.py (PermissionRequest hook): auto-approves git commit, gh pr create, gh issue create when backticks or $() are safely inside single-quoted strings
• AIRULES.md rule 8: instructs agents to avoid $() / backtick patterns in shell commands; fall back to heredoc only when single quotes contain single quotes
• AIRULES.md rule 8: instructs agents to use --body-file for gh pr create/gh issue create bodies containing # lines — avoids the "quoted newline + #-prefixed line" heuristic entirely
• git-workflow.md: commit messages use single-quoted strings directly

With these rules in place, agents rarely generate patterns that trigger the remaining uncovered heuristics. No practical pain observed in recent sessions.

Closing as resolved. Will reopen if anthropics/claude-code#30435 lands with a better native solution that allows simplifying the hook setup.