"Allow for all projects" saves exact command strings instead of wildcard patterns — settings.json becomes bloated

Open 💬 0 comments Opened Jun 28, 2026 by BertSchel

Summary

When a user clicks "Allow for all projects" on a permission prompt, Claude Code saves the exact command string to settings.json instead of a broader wildcard pattern.

This means every minor variation of the same tool triggers a new prompt, and settings.json grows with hundreds of hyper-specific rules that could have been a single wildcard.

Example

User runs ssh -p 89 root@myserver "docker ps" → gets prompted → clicks "Allow for all projects".

What gets saved:

"Bash(ssh -p 89 root@myserver \"docker ps\")"

What would be more useful:

"Bash(ssh:*)"

The next time the user runs ssh -p 89 root@myserver "docker logs xyz", they get prompted again because the exact string doesn't match. After months of use, settings.json accumulates 400+ such entries that could have been ~30 wildcard patterns.

Suggestion

When saving a new "Allow for all projects" permission, Claude Code could:

  1. Extract the base command (e.g. ssh, curl, grep) from the full command string
  2. Save a wildcard pattern like Bash(ssh:*) instead of the exact string
  3. Optionally: ask the user whether to allow the specific command or the whole tool (e.g. "Allow just this ssh command, or all ssh commands?")

Impact

  • UX friction: Users keep getting prompted for variations of commands they already approved
  • Settings bloat: settings.json becomes unreadable and unmaintainable (400+ lines for what should be ~30)
  • Manual cleanup needed: Users must periodically hand-edit settings.json to consolidate specific rules into wildcards

Environment

  • Claude Code VSCode extension + CLI
  • macOS (Apple Silicon)
  • Observed across multiple machines

View original on GitHub ↗