[DOCS] In settings to deny rules override allow rules or the other way round?

Open xpluscal opened this issue 1 month ago • 3 comments

Documentation Type

Unclear/confusing documentation

Documentation Location

https://code.claude.com/docs/en/settings#permission-settings

Section/Topic

Permission Settings

Current Documentation

| Key | Description | Example |
|---|---|---|
| `allow` | Array of permission rules to allow tool use. Note: Bash rules use prefix matching, not regex | `[ "Bash(git diff:*)" ]` |
| `ask` | Array of permission rules to ask for confirmation upon tool use. | `[ "Bash(git push:*)" ]` |
| `deny` | Array of permission rules to deny tool use. Use this to also exclude sensitive files from Claude Code access. Note: Bash patterns are prefix matches and can be bypassed (see Bash permission limitations) | `[ "WebFetch", "Bash(curl:*)", "Read(./.env)", "Read(./secrets/**)" ]` |

What's Wrong or Missing?

From the docs it is unclear if allow rules precede deny rules or not.

Example:

{
  "permissions": {
    "allow": [
      "Bash(ls:*)",
      "Bash(pwd)"
    ],
    "deny": [
      "Bash(*)"
    ]
  }
}

Which one here takes precedence? Thanks!

Suggested Improvement

Be clear as to how allow vs deny works.

Impact

High - Prevents users from using a feature

Additional Context

This has significant impact on security posture and using Claude Code / the Agent SDK in production.

xpluscal avatar Nov 15 '25 00:11 xpluscal
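To make the ambiguity in the issue concrete, here is a small model of the two candidate precedence orders, written as an added example for this page; it is not code from the issue, from the Claude Code project, or from its documentation. It implements only what the quoted docs state (`Bash(cmd:*)` is a prefix match, `Bash(cmd)` is exact) and marks as assumptions everything else: that `Bash(*)` means "every Bash command", that a `cmd:*` prefix stops at a word boundary, and that a command matched by no rule falls back to `ask`. The precedence order is a required keyword argument rather than a default precisely because the page does not say which one Claude Code uses.

```python
import re

# Constructed sample: the settings.json from the issue body.
SETTINGS = {
    "permissions": {
        "allow": ["Bash(ls:*)", "Bash(pwd)"],
        "deny": ["Bash(*)"],
    }
}

# Rule syntax as it appears in the quoted docs: Tool or Tool(spec).
_RULE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<spec>.*)\))?$")


def parse_rule(rule):
    """Split 'Bash(git diff:*)' into ('Bash', 'git diff:*'); bare 'WebFetch' -> ('WebFetch', None)."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    return m.group("tool"), m.group("spec")


def bash_rule_matches(spec, command):
    """Model of the documented Bash rule semantics.

    'cmd:*'  -> prefix match on 'cmd' (docs). ASSUMPTION: the prefix ends at a word
                boundary, so 'ls:*' covers 'ls -la' but not 'lsblk'.
    'cmd'    -> exact match.
    None/'*' -> ASSUMPTION: matches every command (the issue's 'Bash(*)').
    """
    if spec is None or spec == "*":
        return True
    if spec.endswith(":*"):
        prefix = spec[:-2]
        return command == prefix or command.startswith(prefix + " ")
    return command == spec


def _first_hit(settings, kind, command):
    """Return the first rule of the given list ('allow'/'ask'/'deny') that matches, else None."""
    for rule in settings.get("permissions", {}).get(kind, []):
        tool, spec = parse_rule(rule)
        if tool == "Bash" and bash_rule_matches(spec, command):
            return rule
    return None


def evaluate(settings, command, *, deny_first):
    """Decide ('allow'|'deny'|'ask', matched_rule) for one Bash command.

    deny_first=True  models "deny overrides allow".
    deny_first=False models "allow overrides deny".
    The real precedence is what the issue asks the docs to state; neither is asserted here.
    """
    denied = _first_hit(settings, "deny", command)
    allowed = _first_hit(settings, "allow", command)
    asked = _first_hit(settings, "ask", command)
    ordered = [("deny", denied), ("allow", allowed)]
    if not deny_first:
        ordered.reverse()
    for verdict, rule in ordered:
        if rule is not None:
            return verdict, rule
    if asked is not None:
        return "ask", asked
    return "ask", None  # ASSUMPTION: unmatched commands prompt the user


def precedence_table(settings, commands):
    """Show, per command, how the verdict changes with the precedence order."""
    return {
        cmd: {
            "deny_first": evaluate(settings, cmd, deny_first=True)[0],
            "allow_first": evaluate(settings, cmd, deny_first=False)[0],
        }
        for cmd in commands
    }


if __name__ == "__main__":
    # Constructed sample commands; 'lsblk' probes the word-boundary assumption.
    for cmd, verdicts in precedence_table(SETTINGS, ["ls -la", "pwd", "lsblk", "curl https://example.com"]).items():
        print(f"{cmd!r:30} deny-first={verdicts['deny_first']:5}  allow-first={verdicts['allow_first']}")
```

Under the issue's configuration the two orders disagree on exactly the commands the author cares about: `ls -la` and `pwd` are denied if deny wins and allowed if allow wins, while `curl ...` is denied either way. That divergence is why the precedence rule needs to be stated in the docs rather than inferred from the table.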

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/6970
  2. https://github.com/anthropics/claude-code/issues/11132
  3. https://github.com/anthropics/claude-code/issues/6527

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

github-actions[bot] avatar Nov 15 '25 00:11 github-actions[bot]

I support that this should be explicitly noted in the docs

GomezDerek avatar Nov 15 '25 01:11 GomezDerek

Hi, did you find a workaround for this?

Especially for Read(files), the deny seems to take precedence. Allow is useless for files for now.

So we can't have a whitelist of files

CallisteH avatar Dec 10 '25 10:12 CallisteH