[DOCS] Incorrect use of "./" in permissions examples (e.g., Read(./.env))
Resolved 💬 4 comments Opened Aug 16, 2025 by 178inaba Closed Jan 6, 2026
In the official documentation for Claude Code, the permissions examples include entries like:
{
"permissions": {
"deny": [
"Read(./.env)",
"Read(./.env.*)",
"Read(./secrets/**)"
]
}
}
https://docs.anthropic.com/en/docs/claude-code/settings
However, the ./ prefix does not work as intended.
Like .gitignore, the ./ form does not mean "from the current directory"—it will only match a literal file named ./.env, which is not useful in practice.
To correctly block .env files:
Use "Read(/.env)" to deny only the root-level .env
Or use "Read(.env)" (or a glob like "Read(.env.*)") to deny .env files at any level
I believe the documentation should be updated to remove ./ from the examples, as it may confuse users and lead to ineffective permission settings.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗