Permission matcher does not resolve tilde (~) in file paths before glob matching

Resolved 💬 3 comments Opened Feb 17, 2026 by wordify-nick Closed Feb 21, 2026

Bug Description

When the Edit/Write tool emits a file path using ~/ (e.g., ~/code/project-feature/file.php), the permission matcher does not expand the tilde to the absolute home directory path before comparing against allowed permission glob patterns. This causes the edit to require manual approval even though a matching allow pattern exists.

Steps to Reproduce

  1. Configure an Edit permission allow pattern with an absolute path glob:

``
Edit(path:/home/user/code/project-*/**)
``

  1. Have an agent submit an Edit tool call where the path uses ~/:

``
Update(~/code/project-feature/src/SomeFile.php)
``

  1. The permission prompt appears despite the pattern matching the resolved path.

Workaround

Adding duplicate permission patterns using ~/:

Edit(path:~/code/project-*/**)

This works — edits with ~/ paths are then auto-allowed. But users shouldn't need to maintain duplicate patterns.

Verified Behavior

Tested all combinations in the same session:

| Path in tool call | Permission pattern | Prompted? |
|---|---|---|
| /home/user/code/project-feature/file.php | Edit(path:/home/user/code/project-*/**) | No |
| ~/code/project-feature/file.php | Edit(path:/home/user/code/project-*/**) | Yes (bug) |
| ~/code/project-feature/file.php | Edit(path:~/code/project-*/**) | No (workaround) |

Context

This commonly occurs when using agent teams with git worktrees. Teammates work in sibling directories outside the main project root. The allow pattern covers worktree paths via a wildcard (e.g., project-*/**), but agents sometimes emit ~/ paths instead of fully resolved absolute paths, bypassing the permission match.

Suggested Fix

Either:

  1. Normalize paths in the permission matcher — resolve ~ before glob comparison (more robust).
  2. Enforce absolute paths in tool calls — ensure Edit/Write always resolve ~ before passing to the permission system.

Option 1 is more robust since it handles the issue regardless of what the agent emits.

Note on CLAUDE.md

CLAUDE.md files always prompt for permission regardless of path patterns (presumably intentional security behavior). Don't use CLAUDE.md for testing this — use any other file.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗