[FEATURE] More Flexible Permission Wildcards
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Current permission syntax in .claude/settings.local.json only supports simple prefix matching with wildcards. This makes it impossible to create specific permission patterns that need to match commands with multiple variable segments.
The permission system uses prefix matching, so wildcards only work at the end of patterns:
{
"allowedCommands": [
"cargo build*", // ✓ Works - matches any cargo build command
"docker exec*", // ✓ Works - but too permissive
"plink*" // ✓ Works - but allows ANY remote command
]
}
This limitation forces users to choose between:
- Being overly permissive (security risk)
- Constantly updating permissions for dynamic values (maintenance burden)
- Not using Claude Code for certain workflows (reduced productivity)
Proposed Solution
Support * wildcards at any position in command patterns:
- `*` matches one or more non-space tokens
- Multiple wildcards allowed per pattern
- Final `*` matches all remaining arguments (preserves current behavior)
Example syntax:
{
"allowedCommands": [
"docker exec * bash -c \"cd /workspace/server && cargo*\"",
"plink -batch -ssh root@* -pw * \"/etc/init.d/myApp status\""
]
}
This provides:
- Precision: Grant specific permissions for workflows where parts of commands change dynamically
- Maintainability: No need to update permissions for every container rebuild or new IP address
- Security: More specific than blanket "exec*" or "plink*" which would allow dangerous commands
Alternative Solutions
No response
Priority
High - Significant impact on productivity
Feature Category
Configuration and settings
Use Case Example
DevContainer Operations with Dynamic Container IDs
When working with VS Code devcontainers, container IDs change every time they're rebuilt. Users need to run build commands inside these containers without knowing the ID in advance.
Current workaround (too permissive):
{
"allowedCommands": [
"docker exec*" // Allows ANY command in ANY container - security risk
]
}
Desired configuration:
{
"allowedCommands": [
"docker ps --format*",
"docker exec * bash -c \"cd /workspace/server && cargo*\"",
"docker exec * bash -c \"cd /workspace/server && RUSTFLAGS=* cargo zigbuild*\""
]
}
Real-world commands that should match:
# Find the running container
docker ps --format '{{.ID}}\t{{.Image}}'
# Build with cross-compilation
docker exec 583f3a5274eb bash -c "cd /workspace/server && RUSTFLAGS='-C target-feature=+crt-static' cargo zigbuild --release --target armv7-unknown-linux-musleabihf --bins"
# Regular build
docker exec 583f3a5274eb bash -c "cd /workspace/server && cargo build --release"
# Run tests
docker exec 583f3a5274eb bash -c "cd /workspace/server && cargo test"
Commands that should NOT match (security protection):
# Wrong directory
docker exec 583f3a5274eb bash -c "cd /tmp && rm -rf /"
# Not a cargo command
docker exec 583f3a5274eb bash -c "cd /workspace/server && rm -rf target"
Remote PLC Management via PuTTY plink
Managing services and monitoring applications on remote PLCs with different IPs requires SSH commands where the IP address and certain parameters change.
Current workaround (too permissive):
{
"allowedCommands": [
"plink*" // Allows ANY SSH command to ANY host - major security risk
]
}
Desired configuration:
{
"allowedCommands": [
"plink -batch -ssh root@* -pw * \"/etc/init.d/myApp status\"",
"plink -batch -ssh root@* -pw * \"/etc/init.d/myApp restart\"",
"plink -batch -ssh root@* -pw * \"tail -n * /media/sd/app/myApp/server.log\"",
"plink -batch -ssh root@* -pw * \"tail -n * /home/myApp/server.log\"",
"plink -batch -ssh root@* -pw * \"ps aux | grep myApp\""
]
}
Real-world commands that should match:
# Check service status on any PLC
plink -batch -ssh [email protected] -pw mypassword "/etc/init.d/myApp status"
# Restart service on different PLC
plink -batch -ssh [email protected] -pw mypassword "/etc/init.d/myApp restart"
# View logs with different line counts
plink -batch -ssh [email protected] -pw mypassword "tail -n 50 /media/sd/app/myApp/server.log"
plink -batch -ssh [email protected] -pw mypassword "tail -n 100 /home/myApp/server.log"
Commands that should NOT match (security protection):
# Dangerous command
plink -batch -ssh [email protected] -pw mypassword "rm -rf /"
# Wrong service
plink -batch -ssh [email protected] -pw mypassword "/etc/init.d/other-app restart"
# Unauthorized path
plink -batch -ssh [email protected] -pw mypassword "tail -n 50 /etc/passwd"
Additional Context
No response
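The matching rules proposed above, run against the devcontainer and plink "desired configuration" entries from the use cases, as an added reference implementation in Python. This is not Claude Code's own matcher and nothing here is taken from its code base: the shlex-based tokenization, the one-or-more-words rule for a bare `*`, the any-characters rule for a `*` inside a word, the rest-of-line rule for a trailing `*`, the `command_allowed`/`strict` names and the 192.0.2.x sample hosts are all assumptions made for this example.

```python
"""Reference matcher for the wildcard-anywhere permission syntax proposed above.

Added example for this issue; it is NOT Claude Code's own implementation and
the exact semantics below are assumptions:
  - pattern and command are split into shell words with shlex, so a quoted
    argument such as "cd /workspace/server && cargo*" is a single word;
  - a bare "*" word matches one or more command words;
  - a "*" inside a word (cargo*, root@*, RUSTFLAGS=*) matches any characters
    within that word;
  - a trailing "*", bare or attached ("docker ps --format*"), matches the whole
    rest of the command line (today's prefix behaviour; zero remaining words
    are accepted for a bare trailing "*").
strict=True additionally rejects a match when wildcard-covered text contains a
shell control operator, so "cargo*" is not satisfied by "cargo build; ...".
"""
import re
import shlex

# Operators that would start a second command inside wildcard-matched text.
CONTROL_OPERATORS = re.compile(r";|&&|\|\||\||`|\$\(|\n")


def _clean(text: str, strict: bool) -> bool:
    """In strict mode, refuse wildcard text that chains another command."""
    return not strict or CONTROL_OPERATORS.search(text) is None


def _word_matches(pattern_word: str, text: str, strict: bool) -> bool:
    """Match one pattern word; each '*' becomes a captured (.*) group."""
    if "*" not in pattern_word:
        return pattern_word == text
    regex = "(.*)".join(re.escape(p) for p in pattern_word.split("*"))
    m = re.fullmatch(regex, text, re.DOTALL)
    return m is not None and all(_clean(g, strict) for g in m.groups())


def _match(pat: list[str], cmd: list[str], strict: bool) -> bool:
    if not pat:
        return not cmd                       # all pattern words consumed exactly
    head, rest = pat[0], pat[1:]
    if not rest and head.endswith("*"):      # trailing wildcard: rest of line
        return _word_matches(head, " ".join(cmd), strict)
    if head == "*":                          # bare "*": try 1..n command words
        return any(
            all(_clean(w, strict) for w in cmd[:n]) and _match(rest, cmd[n:], strict)
            for n in range(1, len(cmd) + 1)
        )
    return bool(cmd) and _word_matches(head, cmd[0], strict) and _match(rest, cmd[1:], strict)


def command_allowed(command: str, allowed: list[str], strict: bool = True) -> bool:
    """True if the command line matches at least one allowed pattern."""
    words = shlex.split(command)
    return any(_match(shlex.split(p), words, strict) for p in allowed)


# The "desired configuration" entries from the issue, with JSON escaping removed.
DOCKER_PATTERNS = [
    "docker ps --format*",
    'docker exec * bash -c "cd /workspace/server && cargo*"',
    'docker exec * bash -c "cd /workspace/server && RUSTFLAGS=* cargo zigbuild*"',
]
PLINK_PATTERNS = [
    'plink -batch -ssh root@* -pw * "/etc/init.d/myApp status"',
    'plink -batch -ssh root@* -pw * "/etc/init.d/myApp restart"',
    'plink -batch -ssh root@* -pw * "tail -n * /media/sd/app/myApp/server.log"',
    'plink -batch -ssh root@* -pw * "tail -n * /home/myApp/server.log"',
    'plink -batch -ssh root@* -pw * "ps aux | grep myApp"',
]

if __name__ == "__main__":
    # Sample command lines constructed for this example (hosts from TEST-NET-1).
    checks = [
        ("docker ps --format '{{.ID}}\\t{{.Image}}'", DOCKER_PATTERNS),
        ('docker exec 583f3a5274eb bash -c "cd /workspace/server && cargo build --release"', DOCKER_PATTERNS),
        ('docker exec 583f3a5274eb bash -c "cd /tmp && rm -rf /"', DOCKER_PATTERNS),
        ('plink -batch -ssh root@192.0.2.10 -pw mypassword "tail -n 50 /media/sd/app/myApp/server.log"', PLINK_PATTERNS),
        ('plink -batch -ssh root@192.0.2.10 -pw mypassword "tail -n 50 /etc/passwd"', PLINK_PATTERNS),
    ]
    for cmd, patterns in checks:
        print(f"{str(command_allowed(cmd, patterns)):5}  {cmd}")
```

The `strict` flag is the check a reviewer would want before shipping this syntax: because a `*` inside a quoted `bash -c` string has to span arbitrary characters (it must cover `'-C target-feature=+crt-static'` in the zigbuild example), `cargo*` would otherwise also accept a line that chains `&&`, `;` or `|` after `cargo`, which is exactly what the "should NOT match" list is meant to rule out. Rejecting control operators in wildcard-covered text keeps every command on the "should match" lists working while closing that gap.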
Found 3 possible duplicate issues:
- https://github.com/anthropics/claude-code/issues/2719
- https://github.com/anthropics/claude-code/issues/5503
- https://github.com/anthropics/claude-code/issues/6798
This issue will be automatically closed as a duplicate in 3 days.
- If your issue is a duplicate, please close it and 👍 the existing issue instead
- To prevent auto-closure, add a comment or 👎 this comment
🤖 Generated with Claude Code
All of those are bug reports and/or assume the config file is supposed to already allow multiple wildcards.
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
Please keep this open. There are so many commands I have to babysit claude for because I can only do prefix wildcards.