[DOCS] Permission rule wildcard equivalence only documented for Bash, not generalized to all tools
Documentation Type
Unclear/confusing documentation
Documentation Location
https://code.claude.com/docs/en/settings#permission-rule-syntax
https://code.claude.com/docs/en/iam#configuring-permissions
Section/Topic
"Permission rule syntax" section in settings.md and "Configuring permissions" section in iam.md
Current Documentation
The settings page says:
Bash(*)is equivalent toBashand matches all Bash commands. Both syntaxes can be used interchangeably.
The IAM page says:
A rule that is just the tool name matches any use of that tool. For example, addingBashto the allow list allows Claude Code to use the Bash tool without requiring user approval.Bash(*)is equivalent toBashand can be used interchangeably.
What's Wrong or Missing?
The 2.1.20 release notes state: "Changed permission rules like Bash(*) to be accepted and treated as equivalent to Bash"
The phrase "rules like Bash(*)" indicates this equivalence applies to all tools, not just Bash. However, the documentation only explicitly mentions this equivalence for Bash. Users have no way to know whether:
Read(*)is equivalent toReadEdit(*)is equivalent toEditWebFetch(*)is equivalent toWebFetchWrite(*)is equivalent toWriteTask(*)is equivalent toTask- etc.
The pattern should be documented generically so users understand it applies to any tool, not just Bash.
Suggested Improvement
Option A: Generalize the existing statement (recommended)
In both settings.md and iam.md, change the Bash-specific statement to a generic rule:
Before:
Bash(*)is equivalent toBashand matches all Bash commands. Both syntaxes can be used interchangeably.
After:
For any tool,Tool(*)is equivalent toTooland matches all uses of that tool. For example,Bash(*)is equivalent toBash,Read(*)is equivalent toRead, etc. Both syntaxes can be used interchangeably.
Option B: Add a table showing equivalences
Add a table in the "Matching all uses of a tool" section:
| Rule | Equivalent to | Effect |
|:-----|:--------------|:-------|
| Bash | Bash(*) | Matches all Bash commands |
| Read | Read(*) | Matches all file reads |
| Edit | Edit(*) | Matches all file edits |
| WebFetch | WebFetch(*) | Matches all web fetch requests |
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Section | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/settings | Permission rule syntax (line 206) | Only mentions Bash(*) equivalence |
| https://code.claude.com/docs/en/iam | Configuring permissions (line 88) | Only mentions Bash(*) equivalence |
Total scope: 2 pages affected
Related: Claude Code 2.1.20 release notes explicitly mention this as a general feature ("rules like Bash(*)"), not a Bash-specific feature.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗