Feature: per-command scoped permissions
Resolved 💬 3 comments Opened Feb 26, 2026 by emilmalmsten Closed Mar 1, 2026
Feature Request
Allow scoping permission rules to specific slash commands (skills).
Problem
Currently, the allow/deny lists in settings.local.json apply globally to all commands. There's no way to grant a specific slash command additional permissions without granting them to every command.
Use Case
For example, a /deploy command might need Bash(docker *) permissions, but I don't want every command to have access to Docker. Today, the only options are:
- Allow it globally (too permissive)
- Leave it denied and get prompted every time (friction)
Proposed Solution
Support scoped permissions in the settings file, something like:
{
"permissions": {
"allow": ["Glob", "Grep", "Read"],
"commands": {
"deploy": {
"allow": ["Bash(docker *)"]
},
"allow-permission": {
"allow": ["Edit(.claude/settings.local.json)"]
}
}
}
}
When a slash command runs, its scoped permissions would be merged with the global ones. This would allow giving specific commands elevated access without broadly opening up permissions.
Alternatives Considered
- Documenting restrictions in the skill prompt (relies on LLM compliance, not enforced)
- Keeping commands out of global allow and approving manually each time (adds friction)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗