[DOCS] Permissions page does not document `WebFetch(domain:*.example.com)` wildcard subdomain matching syntax
Documentation Type
Missing documentation
Documentation Location
https://code.claude.com/docs/en/permissions
Section/Topic
The "WebFetch" examples (around line 80) and the "WebFetch" subsection in the tool reference list (around line 255–260)
Current Documentation
WebFetch(domain:example.com) | Matches fetch requests to example.com
* WebFetch(domain:example.com) matches fetch requests to example.com
The wildcard patterns section (~line 82–107) only describes Bash rule wildcards, not WebFetch domain rules.
What's Wrong or Missing?
The v2.1.172 release notes ship a fix to wildcard subdomain matching:
Fixed WebFetch(domain:*.example.com) wildcard domain rules never matching subdomains in allow, deny, and ask position
WebFetch(domain:*.example.com) now correctly matches sub.example.com, a.b.example.com, etc. The page never documents the syntax at all, so users couldn't write the rule that now works.
Suggested Improvement
Update the WebFetch example and bullet to:
WebFetch(domain:example.com)| Matches fetch requests to example.com exactlyWebFetch(domain:*.example.com)| Matches example.com and any subdomain (e.g.api.example.com,docs.example.com)
And add a short note in the WebFetch section:
Use*.example.com(wildcard at the start, with the dot) to match the apex domain and all of its subdomains. Bare*is not supported inWebFetch(domain:...)rules; the wildcard must be on the leftmost label.
Impact
Medium - Makes feature difficult to understand
Additional Context
Version: v2.1.172. The same release also fixed Read(secrets-*/config.json) mid-pattern wildcards being rejected at startup, but the Permissions page's Bash/file rule section already shows mid-pattern *; only WebFetch domain rules need new text.