Permissions: Glob Patterns & Whitelist — Claude Code Recap Card T04

Two pattern formats

Simple format: matches a tool name or a Bash command.

"permissions": {
  "allow": ["Bash(git *)", "Bash(pnpm *)", "Read", "Edit"],
  "deny":  ["Bash(rm -rf *)", "Bash(sudo *)", "Bash(npm publish)"]
}

Tool-qualified format: matches the file path passed as argument to Read, Edit or Write. More precise than the simple format.

"permissions": {
  "deny": [
    "Read(file_path:*.env*)",
    "Edit(file_path:*.pem)",
    "Write(file_path:*.key)",
    "Read(file_path:*credentials*)"
  ]
}

Glob syntax

Pattern	What matches
`Bash(git *)`	Any git command
`Bash(npm test*)`	`npm test`, `npm test:watch`
`Read(file_path:.env)`	`.env`, `.env.local`, `.env.prod`
`Edit(file_path:src/**)`	All files under `src/`
`Write(file_path:*.key)`	Any `.key` file

Progressive levels

// Level 1 - Read only
{ "autoApproveTools": ["Read", "Grep", "Glob"] }

// Level 2 - Git + package manager
{ "autoApproveTools": ["Read", "Grep", "Glob",
    "Bash(git *)", "Bash(pnpm *)"] }

// Level 3 - Full development
{ "autoApproveTools": ["Read", "Grep", "Glob",
    "Edit", "Write", "Bash(git *)", "Bash(pnpm *)"] }

Behavior of the three categories

Category	Behavior
`allow`	Auto-approved, no prompt
`deny`	Completely blocked
`ask`	Confirmation requested
(default)	Default permission mode

Known limitation

permissions.deny has a documented limit: background indexing can expose file content via system callbacks before permission checks apply (GitHub #4160). For guaranteed secret protection, store these files outside the project directory.

Where to define permissions

~/.claude/settings.json       (global, all projects)
.claude/settings.json         (project, shared with team)
.claude/settings.local.json   (local machine, gitignore)

Priority order: settings.local.json wins over settings.json which wins over global. Use settings.local.json for personal permissions without affecting the team.