[BUG] Deny rules with // prefix for absolute paths incorrectly match substring in any path
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Deny rules using the // prefix (documented as absolute path matching) incorrectly match any path containing the specified substring, rather than only matching the absolute path.
For example, adding Edit(//dev/**) to deny edits to /dev/... (the device filesystem) also blocks edits to ~/dev/myproject/... because the path contains /dev/.
What Should Happen?
Edit(//dev/**) should only match absolute paths starting with /dev/, not paths that happen to contain /dev/ as a substring elsewhere in the path.
Error Messages/Logs
None - edits are silently blocked due to deny rule match.
Steps to Reproduce
- Create a project in a directory containing
/dev/in its path (e.g.,~/dev/myproject/) - Add to
.claude/settings.json:
{
"permissions": {
"deny": [
"Edit(//dev/**)",
"Write(//dev/**)"
]
}
}
- Ask Claude to edit any file in the project
- Expected: Edit succeeds (project path
~/dev/...is not/dev/...) - Actual: Edit is blocked because
//dev/**matches the substring/dev/in~/dev/myproject/file.ts
Claude Model
Opus 4.5
Is this a regression?
I don't know
Claude Code Version
2.1.25
Platform
Anthropic API
Operating System
macOS (Darwin 25.2.0)
Terminal/Shell
zsh
Additional Information
The // prefix is documented as a way to specify absolute paths in permission patterns. The current behavior appears to perform substring matching rather than anchored path matching.
Affected rules in my config:
Edit(//dev/**)Write(//dev/**)- Potentially any
//prefixed rule where the path segment appears elsewhere
Workaround: Remove the //dev/** deny rules if your working directory contains /dev/ in its path.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗