[FEATURE] Consolidate exact-match permission entries into patterns

Resolved 💬 1 comment Opened May 20, 2026 by p4checo Closed Jun 20, 2026

Summary

When users approve Bash commands mid-session, each exact command string
is appended to settings.local.json. Over multiple sessions this
accumulates dozens of one-off entries that provide no security value
over a single pattern-based rule.

Current Behavior

Each approval saves the exact command:

"Bash(python3 /path/to/script.py --flag1)",
"Bash(python3 /path/to/script.py --flag2)",
"Bash(ENV_VAR=foo bash /path/to/hook.sh)",
"Bash(ENV_VAR=bar bash /path/to/hook.sh)"

These are variations of the same intent but stored as separate entries.
The file grows unboundedly across sessions.

Desired Behavior

Either (or both):

  1. Pattern inference at approval time — after approving 2-3 similar

commands, offer to generalize: "Allow all python3 /path/to/*?"

  1. Session-end consolidation — before persisting, group exact

entries sharing a common prefix into a glob pattern.

Workaround

A Stop hook that restores settings.local.json from a canonical snapshot,
discarding accumulated entries. Loses any legitimately new permissions.

---

This issue was drafted with the help of Claude Code.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗