[BUG] Claude is ignoring `allow` permissions in global `settings.json`

[mieubrisse]

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report
• I am using the latest version of Claude Code

What's Wrong?

The Bash permission pattern Bash(ls *) in settings.json is not matching the command ls -la ~/.claude/, requiring user approval despite the pattern being in the allow list.

When Claude attempts to execute ls -la ~/.claude/, the user is prompted for permission even though Bash(ls *) is explicitly configured in the permissions.allow array.

What Should Happen?

The command ls -la ~/.claude/ should be automatically allowed without requiring user approval, as it should match the pattern Bash(ls *) which is intended to allow any ls command with any arguments.

Error Messages/Logs

No error messages - the command simply requires manual approval instead of being auto-approved by the permission pattern.

Steps to Reproduce

1. Add Bash(ls *) to the permissions.allow array in ~/.claude/settings.json:

   {
     "permissions": {
       "allow": [
         "Bash(ls *)"
       ]
     }
   }

2. Start a Claude Code session
3. Request Claude to execute ls -la ~/.claude/
4. Observe that Claude prompts for permission approval

Expected: Command executes without permission prompt
Actual: User is prompted to approve the command

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Claude Code Version

Latest (as of 2026-01-14)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

Current settings.json configuration:

{
  "permissions": {
    "allow": [
      "Bash(grep *)",
      "Bash(ls *)",
      "Bash(pwd *)",
      "Bash(mkdir *)",
      ...
    ]
  }
}

Settings file location: ~/.claude/settings.json (symlinked to ~/app/dotfiles/claude/settings.json)

System info:

• OS Version: Darwin 24.4.0
• Platform: darwin

Hypotheses about the issue:

1. Tilde expansion timing: The pattern may be evaluated before shell tilde (~) expansion occurs, causing the literal string ~/.claude/ not to match the expected pattern
2. Wildcard matching edge case: The wildcard * in Bash(ls *) may not properly handle certain combinations of flags and path arguments
3. Pattern precedence or parsing: There may be an issue with how the command string is parsed before pattern matching

Questions for clarification:

1. Is Bash(ls *) expected to match ls -la ~/.claude/?
2. What is the correct pattern syntax to allow all ls commands regardless of flags and paths?
3. Should multiple patterns be required (e.g., both Bash(ls) and Bash(ls *), or Bash(ls:*))?
4. Is there a known limitation with special characters (tilde, dots) in path arguments affecting pattern matching?

Related patterns that also exist in the allow list and work correctly:

• Bash(grep *) - appears to work
• Bash(pwd *) - appears to work
• Bash(git status *) - appears to work

[mdbudnick]

I am having a similar issue. I would like Claude to run read and node project commands without asking for permission each time, but it is still asking for permission it has been granted. There's nothing in my hooks that would prevent this.

The project level .claude/settings.local.json is being respected, but should be allowed by the global settings.json permissions already.

{
  "permissions": {
    "allow": [
      "Bash(npm run convert:*)",
      "Bash(npm run build:*)",
      "Bash(node dist/test-runner.js:*)",
      "Bash(tee:*)"
    ]
  }
}

claude --version
2.1.7 (Claude Code)

Here are my global settings.json permissions (no, it was not trying to read the denied files). I have not tested them all, this is just to show my configuration:

 "permissions": {
    "deny": [
      "Read(.envrc)",
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)",
      "Read(./config/credentials.json)",
      "Read(./build)",
      "Read(~/.aws/**)"
    ],
    "allow": [
      "Bash(npm run *)",
      "Bash(npm test*)",
      "Bash(npm install*)",
      "Bash(npm ci*)",
      "Bash(pnpm *)",
      "Bash(yarn *)",
      "Bash(npx *)",
      "Bash(gh pr *)",
      "Bash(gh issue *)",
      "Bash(gh repo view*)",
      "Bash(gh api *)",
      "Bash(gh run list*)",
      "Bash(gh run view *)",
      "Bash(gh run watch *)",
      "Bash(gh workflow *)",
      "Bash(git status*)",
      "Bash(git diff*)",
      "Bash(git log*)",
      "Bash(git branch*)",
      "Bash(git show*)",
      "Bash(git fetch*)",
      "Bash(git remote*)",
      "Bash(git rev-parse*)",
      "Bash(git ls-files*)",
      "Bash(ls *)",
      "Bash(ls)",
      "Bash(cat *)",
      "Bash(head *)",
      "Bash(tail *)",
      "Bash(wc *)",
      "Bash(file *)",
      "Bash(which *)",
      "Bash(pwd)",
      "Bash(tsc *)",
      "Bash(tsc)",
      "Bash(eslint *)",
      "Bash(prettier *)",
      "Bash(jest *)",
      "Bash(vitest *)",
      "Bash(node *)",
      "Glob","Bash(node *)",
      "Grep",
      "Read",
      "WebFetch",
      "WebSearch"
    ]
  },

[mieubrisse]

Now it's ignoring it for mkdir.

In my global ~/.claude/settings.json:

{
  "permissions": {
    "allow": [
      "Bash(mkdir *)",

I asked Claude to create a project-specific .claude/settings.json in the repo, and got:

 Bash command

   mkdir -p /Users/odyssey/code/prompt-generator/.claude
   Create .claude directory

 Do you want to proceed?
 ❯ 1. Yes
   2. Yes, and always allow access to prompt-generator/ from this project
   3. No

[mieubrisse]

Would be great to get someone from Anthropic to explain why it's just not working

[mdbudnick]

Issues with permissions are pretty critical.

[lucasmccomb]

Would love a fix for this :)

[richardkmichael]

I'm seeing this too, Claude 2.1.12 (npm).

Suspiciously, in the permission prompt choice 2: /tmp has become tmp/. This is what /tmp means in the settings permission "notation" (whereas actual /tmp would be: //tmp). I asked Claude: List files in /tmp.

 $ cat .claude/settings.local.json
{
  "permissions": {
    "allow": [
      "Bash(ls:*)"
    ]
  }
}

But being prompted:

⏺ Bash(ls /tmp/tts_notify_*)
  ⎿  Running…

 Bash command

   ls /tmp/tts_notify_*
   List TTS notify temp files

 Do you want to proceed?
 ❯ 1. Yes
   2. Yes, allow reading from tmp/ from this project
   3. No

 Esc to cancel · Tab to add additional instructions

[janderland]

I'm having the same issues when trying to allow running the miniserve binary:

 {
    "permissions": {
      "allow": [
        "Bash(miniserve:*)"
      ]
    }
  }

Added to both the project and global config, but Claude always asks for permission.