Feature/compound command validation #27928
Open
Agentscreator wants to merge 2 commits into anthropics:main from
Addresses issue where compound shell commands (using &&, ||, ;, |) are not
clearly displayed in permission prompts, making it difficult to understand
what operations are being approved.
Changes:
- Add command_parser.py utility to parse and split compound commands
- Enhance rule_engine.py with 'is_compound' operator and template variables
- Add {{COMMAND_BREAKDOWN}} and {{BASE_COMMANDS}} template support
- Create example rules for warning and blocking compound commands
- Add comprehensive documentation and quick start guides
- Include integration tests validating all functionality
Features:
- Automatically detects compound commands with &&, ||, ;, | operators
- Breaks down commands into individual components with clear explanations
- Handles quoted strings correctly (e.g., echo "hello && world")
- Supports flexible policies: warn, block, or customize
- No restart required - rules activate immediately
Example output:
1. First: `sleep 10`
2. THEN (if successful): `echo done`
3. OR (if failed): `echo failed`
This improves transparency and security by showing exactly what will execute
and in what order, addressing user concerns about permission system clarity.
Fixes: Compound command permission visibility issue
Feedback ID: c85e77e9-9801-4315-84ef-64466ddb9a12
Update all documentation files to use the correct product name 'Claude Code' instead of 'Kiro' for consistency and clarity.
When Claude Code asks for permission to run compound shell commands (for example, sleep 10 && do-something-else), it often shows a vague prompt like “sleep *” or treats the whole chain as one command. This hides what will actually run and undermines security and user trust.
Users have reported low confidence in approving commands when they can’t clearly see what operations are included.
Solution
This PR adds compound command parsing to the hookify plugin. Commands using &&, ||, ;, or | are automatically detected and broken into clear, readable steps before permission is requested.
Instead of a vague prompt, users see a warning that a compound command was detected along with a breakdown of each operation and how it will execute. This makes it obvious what’s being approved.
What’s included
The change introduces a compound command parser, a new is_compound rule operator, and new template variables for rendering command breakdowns. It also includes example rules for warning or blocking compound commands, plus documentation and a quick start guide.
New files cover parsing logic, tests, examples, and documentation. Existing rule engine logic and the README were updated to support the feature.
Key features
- Detects &&, ||, ;, and | operators
- Shows a clear, ordered breakdown of commands
- Correctly handles quoted strings
- Supports warn or block policies
- Activates immediately with no restart
- Fully tested
Usage
Copy the example compound command validator rule into your local hookify config. The rule takes effect immediately.
Testing
All unit and integration tests pass.
Benefits
This improves transparency, reduces the risk of approving dangerous commands, and increases trust by clearly showing what will execute. Users gain more control and better visibility into shell behavior.
Backward compatibility
No breaking changes. Existing rules continue to work, the feature is opt-in, and no new dependencies were added.
Related feedback
ID: c85e77e9-9801-4315-84ef-64466ddb9a12
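
A sketch of the quote-aware splitting and ordered breakdown described in this PR, added here as an example; it is not the PR's command_parser.py. The function names and the labels for ; and | are assumptions (the page shows only the First / THEN / OR wording).

```python
# Added illustration: split_compound, describe and is_compound are hypothetical
# names, not the functions in the PR's command_parser.py.
OPERATORS = ("&&", "||", ";", "|")   # two-character operators are tried first
LABELS = {
    None: "First",
    "&&": "THEN (if successful)",
    "||": "OR (if failed)",
    ";": "THEN (always)",            # assumed wording, not shown on the page
    "|": "PIPE output into",         # assumed wording, not shown on the page
}

def split_compound(command):
    """Return [(preceding_operator, segment), ...]; quoted operators are ignored."""
    parts, buf, quote, op, i = [], [], None, None, 0
    while i < len(command):
        ch = command[i]
        step = 1
        escapable = quote != "'"     # backslash is literal inside single quotes
        if ch == "\\" and escapable and i + 1 < len(command):
            step = 2                 # keep the escaped character with its backslash
        elif quote:
            if ch == quote:
                quote = None         # closing quote
        elif ch in "'\"":
            quote = ch               # opening quote
        else:
            hit = next((o for o in OPERATORS if command.startswith(o, i)), None)
            if hit:
                parts.append((op, "".join(buf).strip()))
                buf, op = [], hit
                i += len(hit)
                continue
        buf.append(command[i:i + step])
        i += step
    if quote:
        # Fail closed: an unbalanced quote means the split cannot be trusted.
        raise ValueError("unterminated quote: refusing to guess the split")
    parts.append((op, "".join(buf).strip()))
    return [(o, s) for o, s in parts if s]

def describe(command):
    """Render the numbered breakdown in the style of the example output."""
    return [f"{n}. {LABELS[o]}: `{s}`"
            for n, (o, s) in enumerate(split_compound(command), 1)]

def is_compound(command):
    return len(split_compound(command)) > 1
```

It splits only on the four operators the PR lists; command substitution, backgrounding with & and embedded newlines are not modelled.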