[BUG] ask list is ignored when "Bash" is in allow list

Environment

• Platform (select one):
  • Anthropic API
  • AWS Bedrock
  • Google Vertex AI
  • Other:
• Claude CLI version: Latest (as of 2025-08-25)
• Operating System: Linux
• Terminal: Terminal App

Bug Description

The ask list in permissions is completely ignored when "Bash" is in the allow list, making it impossible to implement a "allow all commands except require confirmation for destructive ones" permission model at the user level.

Steps to Reproduce

1. Set user-level configuration in ~/.claude/settings.json:

   {
     "permissions": {
       "allow": ["Bash"],
       "ask": ["Bash(rm *)", "Bash(git push*)", "Bash(git branch*-D*)"]
     }
   }

2. Ensure no project-level overrides exist (empty or no .claude/settings.json in project)
3. Restart Claude Code completely
4. Run: touch test.txt && rm test.txt

Expected Behavior

The rm command should trigger a confirmation prompt because it matches the "Bash(rm *)" pattern in the ask list, despite "Bash" being in the allow list.

Actual Behavior

The file is deleted immediately without any confirmation prompt. All commands matching patterns in the ask list execute without prompting.

Additional Context

Goal: Single user-level configuration for "bypass all permissions except blacklisted destructive commands" across all projects.

Impact: No way to achieve both convenience (no prompts for safe commands) and safety (protection against destructive commands).

Workarounds attempted (none work):

• defaultMode: "bypassPermissions" - Bypasses everything including ask list
• defaultMode: "default" - Prompts for every new command type