"Allow for all projects" saves exact command strings instead of wildcard patterns — settings.json becomes bloated
Summary
When a user clicks "Allow for all projects" on a permission prompt, Claude Code saves the exact command string to settings.json instead of a broader wildcard pattern.
This means every minor variation of the same tool triggers a new prompt, and settings.json grows with hundreds of hyper-specific rules that could have been a single wildcard.
Example
User runs ssh -p 89 root@myserver "docker ps" → gets prompted → clicks "Allow for all projects".
What gets saved:
"Bash(ssh -p 89 root@myserver \"docker ps\")"
What would be more useful:
"Bash(ssh:*)"
The next time the user runs ssh -p 89 root@myserver "docker logs xyz", they get prompted again because the exact string doesn't match. After months of use, settings.json accumulates 400+ such entries that could have been ~30 wildcard patterns.
Suggestion
When saving a new "Allow for all projects" permission, Claude Code could:
- Extract the base command (e.g.
ssh,curl,grep) from the full command string - Save a wildcard pattern like
Bash(ssh:*)instead of the exact string - Optionally: ask the user whether to allow the specific command or the whole tool (e.g. "Allow just this ssh command, or all ssh commands?")
Impact
- UX friction: Users keep getting prompted for variations of commands they already approved
- Settings bloat:
settings.jsonbecomes unreadable and unmaintainable (400+ lines for what should be ~30) - Manual cleanup needed: Users must periodically hand-edit
settings.jsonto consolidate specific rules into wildcards
Environment
- Claude Code VSCode extension + CLI
- macOS (Apple Silicon)
- Observed across multiple machines