Code Guide
T04 Intermediate Technical

Permissions: Glob Patterns & Whitelist

Precisely controlling accessible tools with glob patterns


Two pattern formats

Simple format: matches a tool name or a Bash command.

    "permissions": {
      "allow": ["Bash(git *)", "Bash(pnpm *)", "Read", "Edit"],
      "deny": ["Bash(rm -rf *)", "Bash(sudo *)", "Bash(npm publish)"]
    }

Tool-qualified format: matches the file path passed as argument to Read, Edit or Write. More precise than the simple format.

    "permissions": {
      "deny": [
        "Read(file_path:*.env*)",
        "Edit(file_path:*.pem)",
        "Write(file_path:*.key)",
        "Read(file_path:*credentials*)"
      ]
    }

Glob syntax

| Pattern | What matches |
|---|---|
| Bash(git *) | Any git command |
| Bash(npm test*) | npm test, npm test:watch |
| Read(file_path:*.env*) | .env, .env.local, .env.prod |
| Edit(file_path:src/**) | All files under src/ |
| Write(file_path:*.key) | Any .key file |

Progressive levels

    // Level 1 - Read only
    { "autoApproveTools": ["Read", "Grep", "Glob"] }

    // Level 2 - Git + package manager
    { "autoApproveTools": ["Read", "Grep", "Glob",
                           "Bash(git *)", "Bash(pnpm *)"] }

    // Level 3 - Full development
    { "autoApproveTools": ["Read", "Grep", "Glob",
                           "Edit", "Write", "Bash(git *)", "Bash(pnpm *)"] }

Behavior of the three categories

| Category | Behavior |
|---|---|
| allow | Auto-approved, no prompt |
| deny | Completely blocked |
| ask | Confirmation requested |
| (default) | Default permission mode |
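
An added example, not from the original card and not Claude Code's own matcher: a simplified Python model of the rules above that audits which tool/path combinations a deny list leaves open. It assumes fnmatch-style globbing and deny-before-ask-before-allow precedence, combines the allow list from the simple-format example with the tool-qualified deny list, and uses constructed sample paths; the function names are hypothetical.

```python
import fnmatch
import re

# Rule lists copied from the two "permissions" examples on this page.
DENY = ["Read(file_path:*.env*)", "Edit(file_path:*.pem)",
        "Write(file_path:*.key)", "Read(file_path:*credentials*)"]
ALLOW = ["Bash(git *)", "Bash(pnpm *)", "Read", "Edit"]

RULE = re.compile(r"^(\w+)(?:\((?:file_path:)?(.*)\))?$")

def parse(rule):
    """Split 'Tool', 'Tool(glob)' or 'Tool(file_path:glob)' into (tool, glob)."""
    m = RULE.match(rule)
    if not m:
        raise ValueError(f"unrecognised rule: {rule!r}")
    return m.group(1), m.group(2) if m.group(2) is not None else "*"

def matches(rule, tool, arg):
    r_tool, glob = parse(rule)
    # Assumption: fnmatch-style globbing, where '*' also crosses '/'.
    return r_tool == tool and fnmatch.fnmatchcase(arg, glob)

def decide(tool, arg, allow=ALLOW, deny=DENY, ask=()):
    """Assumed precedence: deny, then ask, then allow, else the default mode."""
    for verdict, rules in (("deny", deny), ("ask", ask), ("allow", allow)):
        if any(matches(r, tool, arg) for r in rules):
            return verdict
    return "default"

def audit(paths, tools=("Read", "Edit", "Write"), **rules):
    """Return (tool, path) pairs for sensitive paths that are NOT denied."""
    return [(t, p) for p in paths for t in tools
            if decide(t, p, **rules) != "deny"]

# Constructed sample paths standing in for a project's secret files.
SECRETS = [".env.local", "certs/server.pem", "deploy/id.key",
           "aws_credentials.json"]

if __name__ == "__main__":
    for tool, path in audit(SECRETS):
        print(f"NOT DENIED: {tool:5} {path} -> {decide(tool, path)}")
```

In this model, Read on certs/server.pem comes back as auto-approved, because the .pem deny entry names only Edit while the bare "Read" allow entry matches every path. A tool-qualified deny entry covers only the tool it names, so each secret pattern needs an entry per tool.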

Known limitation

permissions.deny has a documented limit: background indexing can expose file content via system callbacks before permission checks apply (GitHub #4160). For guaranteed secret protection, store these files outside the project directory.

Native file search: bfs and ugrep (v2.1.117)

On macOS and Linux, Claude Code now uses native bfs (Breadth-First Search) and ugrep binaries instead of the Glob and Grep tools for file discovery and content search. This delivers approximately 40% faster file operations with no configuration required. The glob pattern syntax in settings.json remains unchanged.

Where to define permissions

~/.claude/settings.json (global, all projects)
.claude/settings.json (project, shared with team)
.claude/settings.local.json (local machine, gitignore)

Priority order: settings.local.json overrides the project settings.json, which in turn overrides the global settings. Use settings.local.json for personal permissions without affecting the team.
