[DOCS] Incorrect use of "./" in permissions examples (e.g., Read(./.env))

Resolved 💬 4 comments Opened Aug 16, 2025 by 178inaba Closed Jan 6, 2026

In the official documentation for Claude Code, the permissions examples include entries like:

{
  "permissions": {
    "deny": [
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)"
    ]
  }
}

https://docs.anthropic.com/en/docs/claude-code/settings

However, the ./ prefix does not work as intended.
Like .gitignore, the ./ form does not mean "from the current directory"—it will only match a literal file named ./.env, which is not useful in practice.

To correctly block .env files:

Use "Read(/.env)" to deny only the root-level .env

Or use "Read(.env)" (or a glob like "Read(.env.*)") to deny .env files at any level

I believe the documentation should be updated to remove ./ from the examples, as it may confuse users and lead to ineffective permission settings.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗