[BUG] Invalid "Bash(*)" permission pattern blocks all npm/npx commands

[klappi91]

Bug Report: Invalid "Bash(*)" permission pattern blocks all npm/npx commands

Description

AutoClaude uses "Bash(*)" in .claude_settings.json, which is invalid syntax according to Claude Code's IAM documentation. This causes all npm/npx/node commands to be blocked, even though the code comments suggest the bash_security_hook should handle validation.

Location

• File: apps/backend/core/client.py
• Line: 294
• Branch: develop

Current (Broken) Code

security_settings = {
    "permissions": {
        "allow": [
            # ...
            "Bash(*)",  # ❌ INVALID - no command prefix!
            # ...
        ]
    }
}

Expected Code

security_settings = {
    "permissions": {
        "allow": [
            # ...
            "Bash(npm:*)",
            "Bash(npx:*)",
            "Bash(node:*)",
            "Bash(python3:*)",
            "Bash(pnpm:*)",
            "Bash(yarn:*)",
            # Or dynamically from PACKAGE_MANAGER_COMMANDS
            # ...
        ]
    }
}

Evidence

1. Claude Code Documentation: https://code.claude.com/docs/en/iam.md

   "Bash permission patterns use prefix matches. The wildcard :* only works at the end of a pattern to match any continuation."

2. Valid Examples from Docs:

   • Bash(npm run test:*) ✅
   • Bash(git:*) ✅
   • Bash(*) ❌ (no command prefix)

Impact

• All npm/npx/node commands fail with: "Command 'npm' is not in the allowed commands for this project"
• bash_security_hook is never executed (Bash tool itself is blocked)
• Users must manually fix .claude_settings.json in every worktree

Reproduction

1. Start any AutoClaude task
2. Try to run npx create-next-app
3. Command is blocked despite sandbox enabled

Proposed Fix

Replace "Bash(*)" with proper prefix patterns:

Option 1: Static list

"allow": [
    "Bash(npm:*)",
    "Bash(npx:*)",
    "Bash(node:*)",
    "Bash(python3:*)",
    # ... from BASE_COMMANDS + detected package managers
]

Option 2: Dynamic (recommended)

# Build from PACKAGE_MANAGER_COMMANDS + BASE_COMMANDS
bash_permissions = []
for pm in detected_package_managers:
    for cmd in PACKAGE_MANAGER_COMMANDS[pm]:
        bash_permissions.append(f"Bash({cmd}:*)")

for cmd in BASE_COMMANDS:
    bash_permissions.append(f"Bash({cmd}:*)")

security_settings = {
    "permissions": {
        "allow": [
            *bash_permissions,
            # ...
        ]
    }
}

Workaround

Users can manually fix .claude_settings.json with:

{
  "permissions": {
    "allow": [
      "Bash(npm:*)",
      "Bash(npx:*)",
      "Bash(node:*)"
    ]
  }
}

Related Issues

• Issue Security profile created after agent starts in worktrees, blocking npm/jest commands #222 (different timing bug, now closed)
• The bash_security_hook in security/hooks.py is well-implemented but never runs due to this bug

Environment

• AutoClaude version: 2.7.1
• OS: All platforms (Linux/macOS/Windows)
• Claude Code: Latest version

Additional Context

The code includes this comment:

# Bash permission granted here, but actual commands are validated
# by the bash_security_hook (see security.py for allowed commands)

However, the permission is NOT actually granted because "Bash(*)" is invalid syntax. The security hook never gets a chance to run because the Bash tool itself is blocked at the permission level.

[github-actions]

👋 Thanks for opening your first issue!

A maintainer will triage this soon. In the meantime:

• Make sure you've provided all the requested info
• Join our Discord for faster help

[joelfuller2016]

@openhands-agent Please fix the invalid Bash permission pattern.

Issue Summary: "Bash(*)" is invalid syntax per Claude Code IAM documentation, blocking all npm/npx/node commands.

Location: apps/backend/core/client.py:294

Current (Broken):

"Bash(*)",  # Invalid - no command prefix

Required Fix:
Replace with proper prefix patterns:

"Bash(npm:*)",
"Bash(npx:*)",
"Bash(node:*)",
"Bash(python3:*)",
"Bash(pnpm:*)",
"Bash(yarn:*)",

Or dynamically build from PACKAGE_MANAGER_COMMANDS + BASE_COMMANDS:

bash_permissions = []
for cmd in detected_commands:
    bash_permissions.append(f"Bash({cmd}:*)")

Target Branch: develop

[0ui-labs]

I investigated this issue and found that the error message comes from a different place than expected:

Error source: project/__init__.py:100 in is_command_allowed()

return False, f"Command '{command}' is not in the allowed commands for this project"

Called from: bash_security_hook in security/hooks.py

The .claude_settings.json with Bash(*) is passed to the SDK, but the actual command validation happens in the hook via SecurityProfile.get_all_allowed_commands().

npm/npx are only added to allowed commands if the project analyzer detects them (by finding package.json or detecting Node.js in the stack). The error suggests the SecurityProfile doesn't include npm - possibly because:

1. Project analyzer didn't run or didn't detect npm
2. SecurityProfile cache (.auto-claude-security.json) is stale or missing
3. Edge case in project detection logic

Would be helpful to see from the original reporter (@klappi91):

• Does the project have a package.json in the root?
• What does .auto-claude-security.json contain (if it exists)?
• Is this a fresh project or an existing one?

The Bash(*) pattern might still be worth changing for correctness per Claude Code IAM docs, but based on my code analysis, it won't fix this specific issue since the hook is clearly running (otherwise we wouldn't see this specific error message).

---

Code flow for reference:

create_client()
  → writes .claude_settings.json with Bash(*)
  → sets up bash_security_hook as PreToolUse hook

When Bash tool is called:
  → bash_security_hook runs
  → calls is_command_allowed(cmd, profile)
  → checks profile.get_all_allowed_commands()
  → npm only in list if detected by ProjectAnalyzer
  → if not found → "Command 'npm' is not in the allowed commands"

[JanWe92]

@0ui-labs I have the same issue. To answer your questions:

Does the project have a package.json in the root?

• I had a blank main branch while auto-claude has been initialized. In other branches the package.json existed.

What does .auto-claude-security.json contain (if it exists)?

• Where should the file be located? I could not find it in the project.

Is this a fresh project or an existing one?

• It was a fresh project (in the main branch). I already had some branches where code (and the package.json) existed.

Can I re-inilialize the project analyzer?

[0ui-labs]

Re: Can I re-initialize the project analyzer?

@JanWe92 Yes, you can re-initialize the project analyzer by deleting the cached security profile:

# Delete the cached security profile from project root
rm .auto-claude-security.json

Why this happens:
The ProjectAnalyzer runs when Auto-Claude initializes and creates a security profile based on detected files. On an empty main branch without package.json, npm/npx commands are not added to the allowlist. This profile is then cached in .auto-claude-security.json.

Alternative workarounds:

1. Add package.json first - Create a minimal package.json in your main branch before initializing Auto-Claude
2. Manual edit - Add npm/npx to the allowed_commands array in .auto-claude-security.json

Location of the file:

• Usually in project root: your-project/.auto-claude-security.json
• Or in spec directory: .auto-claude/specs/XXX/.auto-claude-security.json

After deletion, the next agent session will re-analyze your project with the current branch state.