[FEATURE] Consolidate exact-match permission entries into patterns
Summary
When users approve Bash commands mid-session, each exact command string
is appended to settings.local.json. Over multiple sessions this
accumulates dozens of one-off entries that provide no security value
over a single pattern-based rule.
Current Behavior
Each approval saves the exact command:
"Bash(python3 /path/to/script.py --flag1)",
"Bash(python3 /path/to/script.py --flag2)",
"Bash(ENV_VAR=foo bash /path/to/hook.sh)",
"Bash(ENV_VAR=bar bash /path/to/hook.sh)"
These are variations of the same intent but stored as separate entries.
The file grows unboundedly across sessions.
Desired Behavior
Either (or both):
- Pattern inference at approval time — after approving 2-3 similar
commands, offer to generalize: "Allow all python3 /path/to/*?"
- Session-end consolidation — before persisting, group exact
entries sharing a common prefix into a glob pattern.
Workaround
A Stop hook that restores settings.local.json from a canonical snapshot,
discarding accumulated entries. Loses any legitimately new permissions.
---
This issue was drafted with the help of Claude Code.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗