/ck:judge fails after fresh install with Bash permission-check error
Summary
After a clean install and restart, /ck:judge fails immediately with a Bash permission-check error instead of running codex-review.sh.
Environment
- Local Cavekit install from GitHub
- Plugin enabled in Claude Code
- Fresh reinstall performed before reproducing
- Explicit Bash allow rules already present in
settings.json
Reproduction
- Remove the existing Cavekit install and related Claude plugin artifacts.
- Reclone repo again and run
./install.sh.
- Restart Claude Code.
- Run
/ck:judge.
Clean install done with
sudo rm -f /usr/local/bin/cavekit
rm -rf ~/.claude/plugins/local/cavekit-marketplace
rm -rf ~/.claude/plugins/cache/cavekit-local
rm -f ~/plugins/ck
rm -f ~/.codex/cavekit
find ~/.codex/prompts -maxdepth 1 -type l \( -name 'ck-*.md' -o -name 'bp-*.md' \) -delete 2>/dev/null || true
cd ..
rm -rf ~/.cavekit
git clone https://github.com/JuliusBrussee/cavekit.git ~/.cavekit
cd ~/.cavekit && ./install.sh
Example failure:
/ck:judge
⎿ Error: Shell command permission check failed for pattern "!
"/Users/data/.claude/plugins/local/cavekit-marketplace/ck/scripts/codex-review.sh" ": This command requires approval
Actual Result
Claude Code rejects the command with a permission error for the script codex-review.sh path. The failing pattern includes the leading ! form instead of matching a normal Bash command string.
Expected Result
/ck:judge should run after install without requiring manual permission-rule tweaks.
Relevant Detail
The command definition currently combines these two pieces:
allowed-tools: ["Bash(${CLAUDE_PLUGIN_ROOT}/scripts/codex-review.sh:*)"]and:
```!
"${CLAUDE_PLUGIN_ROOT}/scripts/codex-review.sh" $ARGUMENTS
```That looks like reason its breakin is that:
- the command executes through a fenced
```! block
- the permission metadata uses
Bash(...sh:*) and its difficult to not possible to match this
Seems claude is checking permission against the fenced command block, not the script
The same thing shows in other files like:
setup-build.shbp-config.sh
Related
Issue-7
/ck:judgefails after fresh install with Bash permission-check errorSummary
After a clean install and restart,
/ck:judgefails immediately with a Bash permission-check error instead of runningcodex-review.sh.Environment
settings.jsonReproduction
./install.sh./ck:judge.Clean install done with
Example failure:
Actual Result
Claude Code rejects the command with a permission error for the script
codex-review.shpath. The failing pattern includes the leading!form instead of matching a normal Bash command string.Expected Result
/ck:judgeshould run after install without requiring manual permission-rule tweaks.Relevant Detail
The command definition currently combines these two pieces:
and:
That looks like reason its breakin is that:
```!blockBash(...sh:*)and its difficult to not possible to match thisSeems claude is checking permission against the fenced command block, not the script
The same thing shows in other files like:
setup-build.shbp-config.shRelated
Issue-7