DEV Community

TerminalBlog
TerminalBlog

Posted on • Originally published at terminalblog.com

Your Claude Code May Ask 700+ Permission Prompts Per Session — Here's How to Check

Your Claude Code May Ask 700+ Permission Prompts Per Session — Here's How to Check

If you use Claude Code for multi-session orchestration — running parallel workflows, fan-out subagents, or status checks across worktrees — you may have noticed something maddening: hundreds of permission prompts. For commands that only read files.

A freshly filed issue (#76718) documents a compound-command permission bug that makes multi-session workflows nearly unusable. The reporter approved over 700 prompts across two days of running parallel-session workflows. Every single prompt was for a non-mutating chain like cd X && git status -sb && echo --- && git log --oneline -5 && echo --- && gh pr list.

The bug is that its permission engine evaluates compound commands as single units, not by their individual segments. Even when every segment (cd, git status, echo, gh pr list) has a matching allow rule, the compound chain still prompts. The system caps at roughly 5 saved rules per compound command, so a 6-segment chain of individually-allowlisted reads still hits the user with a dialog.

The report is labeled bug, has repro, platform:windows, area:bash, and area:permissions — the full stack of flags that says Anthropic can reproduce it and knows where the fix lives.

Are you affected?

You're affected if you use compound commands (chained with &&, ||, ;, |, or &) in Claude Code sessions, especially in multi-session or fan-out workflows. The bug is confirmed on Windows (Max plan) but the permission architecture is cross-platform.

# Quick repro: run an individually-allowlisted compound chain
claude -p "cd /tmp && ls && echo ok"

# If prompted despite Bash(cd:*), Bash(ls:*), Bash(echo:*) being allowlisted,
# you are hitting the compound-command ceiling
Enter fullscreen mode Exit fullscreen mode

Look for the warning signs: mid-run prompts that interrupt a parallel fan-out, or an "allowlist" file that's grown past 700+ entries from clicking "Allow" hundreds of times.

The fix

There's no official fix yet, but the reporter shares a working workaround — a custom PreToolUse hook that parses compound commands, splits on shell operators, and auto-allows provably non-destructive chains:

# PreToolUse hook logic (Python pseudocode)
def on_pre_tool_use(tool_use):
    if tool_use.name == "Bash":
        segments = split_compound(tool_use.input)
        if all(is_read_only(s) for s in segments):
            return {"permission_decision": "allow"}
    return None  # fall through to normal prompt
Enter fullscreen mode Exit fullscreen mode

The reporter's hook allows only chains where every segment is provably non-destructive — cd, ls, git status/log/diff, gh pr list, echo — while falling through to normal prompting for anything with rm, reset, --force, branch -D, write redirects, or credential-store paths.

Requested fixes from the report (any would resolve this):

  1. Auto-approve compound commands when every decomposed segment matches an allow rule — remove the ~5-rule ceiling
  2. Don't score cd into a workspace subdirectory as a gating path-read
  3. Ship a built-in "safe read-only command" auto-allow that survives chaining

Why it happened

Claude Code's permission system splits compound commands on &&, ||, ;, |, and &, then evaluates each segment against the allowlist. But evaluation caps at roughly 5 saved rules per compound command, so a 6-segment chain always prompts. Worse, cd into a workspace subdirectory is scored as a path-read operation, not as Bash(cd:*), so it doesn't match the common allow rule users expect. The net effect: no amount of allowlist tuning fixes it for longer chains.

Beyond the annoyance, this is a security concern. Flooding users with hundreds of benign prompts trains a rubber-stamp reflex — users start clicking "Allow" without reading. That degrades the security value of prompts that should stop you — an rm -rf, a force-push, a destructive script. The system teaches users to ignore it.

FAQ

Q: Can I just enable "Allow all" to skip the prompts?
A: You can, but it bypasses all permission gating — including mutations you'd want to catch. The PreToolUse hook is safer because it auto-allows only non-destructive commands while still prompting on actual changes.

Q: Does this affect single-session Claude Code use?
A: Less noticeable, but yes. Any compound command longer than ~5 segments triggers a prompt even if every segment is individually allowlisted. Single-command users hit it less often because chains tend to be shorter.

Q: Will the fix remove the ~5-rule ceiling?
A: That's one of three requested fixes. If Anthropic removes the ceiling, compound commands where every segment is already allowlisted would pass through silently — preserving security for mutations while eliminating the false prompts.

Top comments (0)