
Claude Code's Deny List Bypass: How to Protect Your Codebase from Compound Commands
Claude Code's deny lists only check the first token of compound commands, allowing dangerous actions like 'git clean' to slip through. Here's how to protect yourself.

The Vulnerability — First-Token-Only Evaluation

A critical flaw in Claude Code's permission system allows dangerous commands to bypass deny lists when chained with other operations. The deny rule evaluator only checks the first token of a Bash command. If you've added git clean to your deny list, it will block git clean -fd but allow git fetch && git pull && git clean -fd.

This isn't theoretical. Two independent reports (GitHub issues #36637 and #31523) document the same root cause. The problem affects both deny lists and allow lists — the parser evaluates only the initial command token, then permits or blocks the entire compound expression based on that single check.

Why This Matters for Your Daily Workflow

Claude naturally chains comman
Continue reading on Dev.to
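The first-token-only evaluation described in the excerpt, modelled beside the per-segment check a deny list actually needs, as an added example in Python (not Claude Code's own code). It assumes deny rules are expressed as command-token prefixes (a constructed sample list) and uses shlex's punctuation_chars mode to split a compound command at shell control operators while respecting quoting.

```python
import shlex

# Constructed sample deny list: each rule is a prefix of a simple command's tokens.
DENY_PREFIXES = [("git", "clean"), ("rm", "-rf")]

# Characters that make up shell control operators (&&, ||, ;, |, &, subshell parens).
# A lone backtick is treated the same way so a command-substitution body is also checked.
OPERATOR_CHARS = "();|&`"


def tokenize(cmd):
    """Tokenize with shell quoting respected; operators come back as separate tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lex)


def is_separator(tok):
    # Redirections such as '>' or '2>&1' contain '<' or '>' and are not separators.
    return bool(tok) and all(c in OPERATOR_CHARS for c in tok)


def split_simple_commands(cmd):
    """Split a compound command line into the simple commands it will actually run."""
    segments, current = [], []
    for tok in tokenize(cmd):
        if is_separator(tok):
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def matches_deny(tokens):
    return any(tuple(tokens[: len(p)]) == p for p in DENY_PREFIXES)


def first_token_only_denied(cmd):
    """Models the flawed evaluator: only the leading simple command is checked."""
    segments = split_simple_commands(cmd)
    return bool(segments) and matches_deny(segments[0])


def any_segment_denied(cmd):
    """Hardened check: every simple command in the compound expression is evaluated.
    Prefix matching stays weak against interpreter wrappers (e.g. sh -c) and
    option reordering, so treat this as defence in depth, not a sandbox boundary."""
    return any(matches_deny(seg) for seg in split_simple_commands(cmd))
```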