[BUG] Permission glob matching still fails on '- sequence in arguments (re: #22581, #16449)
Summary
This is a follow-up to #22581 and #16449, both of which were closed as inactive.
The bug is still present as of v2.1.49.
Bash permission rules fail to match commands when an argument contains the
character sequence '- (single quote followed by hyphen), even though the
glob pattern matches the command path correctly.
Environment
- Claude Code version: 2.1.49
- OS: macOS (Darwin 25.2.0)
- Architecture: arm64
Steps to Reproduce
Add permission rule to .claude/settings.local.json:
{
"permissions": {
"allow": ["Bash(sqlite3:*)"]
}
}
Run commands in Claude Code:
# WORKS — no permission prompt:
sqlite3 mydb.db "SELECT 1"
sqlite3 mydb.db "SELECT -1"
sqlite3 mydb.db "SELECT 'test'"
sqlite3 mydb.db "SELECT 'a', 'b'"
# FAILS — prompts for permission despite matching Bash(sqlite3:*):
sqlite3 mydb.db "SELECT '-1'"
sqlite3 mydb.db "SELECT datetime('now', '-7 days')"
Expected Behavior
All commands should auto-match Bash(sqlite3:*) since they start with sqlite3.
The glob pattern should match against the command prefix, not parse or validate argument contents.
Actual Behavior
Any command with '- in the argument string triggers a permission prompt, even though the command itself matches the rule.
Ablation Table
| Command | Result |
|---|---|
| sqlite3 db "SELECT 1" | ✅ Auto-allowed |
| sqlite3 db "SELECT -1" | ✅ Auto-allowed |
| sqlite3 db "SELECT 'test'" | ✅ Auto-allowed |
| sqlite3 db "SELECT 'a', 'b'" | ✅ Auto-allowed |
| sqlite3 db "SELECT coalesce('a', 'b')" | ✅ Auto-allowed |
| sqlite3 db "SELECT '-1'" | ❌ Prompts |
| sqlite3 db "SELECT coalesce('a', '-1')" | ❌ Prompts |
| sqlite3 db "SELECT datetime('now', '-7 days')" | ❌ Prompts |
The triggering pattern is specifically '- (single quote immediately followed by hyphen).
Root Cause Hypothesis
The '- sequence is likely being interpreted as a glob character class
(e.g., '[a-z]' style range syntax) rather than as literal characters in an argument string.
Impact
This breaks permission rules for any tool that accepts SQLite datetime modifiers such asdatetime('now', '-7 days') or datetime('now', '-1 month') — a very common pattern for
date-range queries. Users must manually approve every such invocation, defeating the purpose
of the allow rule.
References
- #22581 — closed as inactive
- #16449 — closed as inactive
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗