[Bug] Auto-approve patterns don't match multiline commands (heredocs)

[michaelgrafwebdev]

Description

Auto-approve patterns in settings.json and agent auto_approve_patterns frontmatter fail to match multiline commands containing heredocs or newlines.

Reproduction

1. Add pattern to settings.json:

"permissions": {
  "allow": [
    "Bash(echo '"
  ]
}

2. Run a command that starts with that prefix but contains newlines:

echo 'chore: Update files

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>' > /tmp/file.txt

3. Expected: Command auto-approves (prefix matches)
4. Actual: Prompts for approval

Patterns Tested (all failed)

• Bash(echo ' - pure prefix
• Bash(echo:*) - colon wildcard
• Bash(echo *) - space wildcard
• Bash(cat > /tmp/*) - with redirect
• Agent frontmatter auto_approve_patterns

Impact

• Cannot auto-approve git commit workflows that use multiline messages
• Subagents always prompt for heredoc commands
• Breaks autonomous agent workflows

Environment

• Claude Code v2.0.30
• macOS
• Pattern location: ~/.claude/settings.json and agent frontmatter

Suggested Fix

Either:

1. Match patterns against first line only (before first newline)
2. Document that multiline commands cannot be auto-approved
3. Add a flag for multiline pattern matching

[zielinski-k-marek]

Same issue as OP. Cannot set allowed on multiline bash command.
Claude Code asks for permission every time and cannot auto approve for session.

If this is by design please document it and provide rationale.

However most useful bash commands for autonomous agent workflows are multiline so essentially the only solution left is --dangerously-skip-permissions flag. In my opinion current behaviour defeats the purpose of tool permissions, because we're back at all or nothing.

Environment

• Claude Code v2.0.42
• wsl

[fgoni]

How to whitelist this type of commands that are running multiline, or heredoc?
Keeps asking permissions no matter how many allows you try.

[tabletenniser]

+1 to this. Also encountered this issue where even though I have Bash(aws:*) listed in my allowed tools, but Claude keeps asking me for approval when it generates a multi-line command like:

aws athena start-query-execution \
  --work-group "primary" \
  --result-configuration 'OutputLocation=s3://aws-athena-query-results...' \
  ......

It says This Bash command contains multiple operations. The following parts require approval: --work-group..., which isn't correct.

[sldx]

Hey guys, please fix this bug, it's super annoying. I have to accept every command that the DevBrowser skill is doing to automate/test in the browser.
It makes for a really, really bad experience. Basically, I'm forced to run with dangerously skip permissions.

[kostyay]

Please fix this bug, super annoying!