Claude Code Permission Rule
Claude Code permission rule for tool access control.
Validate with Lintel
npx @lintel/lintel check
A permission rule string that controls tool access in Claude Code. Rules follow the format Tool or Tool(specifier) and appear in:
- allow, deny, and ask arrays in settings files
- allowed-tools fields in skills and commands
- tools and disallowedTools fields in subagents
Rules are evaluated in order: deny → ask → allow. The first matching rule wins, so deny rules always take precedence. See manage permissions.
Definitions
A rule string must match one of the following definitions.
Matches Bash tool commands. Supports wildcard patterns with * at any position in the specifier.
- Bash — matches all Bash commands (equivalent to Bash(*))
- Bash(npm run build) — matches the exact command npm run build
- Bash(npm run *) — prefix match with word boundary (matches npm run test but not npm runtime)
- Bash(npm*) — prefix match without word boundary (matches both npm run and npmrc)
- Bash(* --version) — suffix match
- Bash(git * main) — middle wildcard (matches git checkout main, git merge main)
The space before * matters: Bash(ls *) enforces a word boundary requiring a space, while Bash(ls*) does not. The legacy :* suffix syntax (e.g. Bash(npm:*)) is equivalent to * but is deprecated — use Bash(npm *) instead. Claude Code is shell-operator aware — a rule like Bash(safe-cmd *) won't match safe-cmd && dangerous-cmd. See Bash permission caveats.
Examples: "Bash", "Bash(npm run build)", "Bash(npm run *)", "Bash(git commit *)", "Bash(* --version)", "Bash(* --help *)", "Bash(git * main)", "Bash(ls*)"
Matches Read tool operations. Read rules also apply best-effort to other built-in tools that read files, including Grep and Glob.
Specifiers use gitignore pattern syntax with four path types:
| Pattern | Meaning | Example |
|---|---|---|
| Read | All file reads | |
| Read(./path) or Read(path) | Relative to current directory | Read(*.env) |
| Read(/path) | Relative to project root | Read(/src/**/*.ts) |
| Read(~/path) | Relative to home directory | Read(~/.zshrc) |
| Read(//path) | Absolute filesystem path | Read(//Users/alice/secrets/**) |
* matches files in a single directory; ** matches recursively across directories. Note: Read(/Users/alice/file) is resolved relative to the project root, not the filesystem root; use Read(//Users/alice/file) for an absolute path. See Read and Edit rules.
Examples: "Read", "Read(./.env)", "Read(./.env.*)", "Read(*.env)", "Read(src/**)", "Read(/src/**)", "Read(~/Documents/*.pdf)", "Read(~/.zshrc)", "Read(//Users/alice/secrets/**)", "Read(./secrets/**)"
Matches Edit tool operations. Edit rules apply to all built-in tools that modify files, including Write. Uses the same gitignore pattern syntax as Read with four path types (./, /, ~/, //).
- Edit — all file edits
- Edit(/src/**/*.ts) — TypeScript files under <project>/src/
- Edit(/docs/**) — files in <project>/docs/ (NOT the filesystem /docs/ and NOT <project>/.claude/docs/)
- Edit(~/.config/**) — files in the home config directory
- Edit(//tmp/scratch.txt) — absolute path
* matches files in a single directory; ** matches recursively across directories. See Read and Edit rules.
Examples: "Edit", "Edit(/src/**/*.ts)", "Edit(/docs/**)", "Edit(~/.config/**)", "Edit(//tmp/scratch.txt)"
Matches Write tool operations. Edit rules also apply to Write since Edit covers all built-in tools that modify files. Uses the same gitignore pattern syntax as Read and Edit with four path types (./, /, ~/, //).
* matches files in a single directory; ** matches recursively across directories. See Read and Edit rules.
Examples: "Write", "Write(/src/**)", "Write(~/.config/**)"
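The Read, Edit and Write definitions above share one path grammar (four prefixes, gitignore-style globs) and one coverage rule (Edit rules govern Write; Read rules govern Grep and Glob). The following is an added example, not Claude Code's or Lintel's own code: a small Python model of how such specifiers resolve against a constructed project layout and how a deny → ask → allow evaluation then lands. The directory layout, home directory and settings fragment are constructed for the example, and the fallback to "ask" for an unmatched path is an assumption about the real implementation.

```python
"""Model of Read/Edit/Write path specifiers: prefix resolution, '*' vs '**' globbing,
rule coverage and deny -> ask -> allow evaluation. Added example, not Claude Code's
own code; paths and settings are constructed; details may differ from the real tool."""
import json
import posixpath
import re

# Constructed environment: directory Claude Code was started in, project root, $HOME.
CTX = {"cwd": "/Users/alice/proj/packages/api",
       "root": "/Users/alice/proj",
       "home": "/Users/alice"}

# Constructed settings fragment in the shape of a Claude Code settings file.
SETTINGS = json.loads(r'''
{
  "permissions": {
    "deny":  ["Read(./.env)", "Read(./.env.*)", "Read(//Users/alice/secrets/**)",
              "Edit(~/.config/**)"],
    "ask":   ["Edit(/docs/**)"],
    "allow": ["Read(/src/**/*.ts)", "Edit(/src/**/*.ts)", "Read(~/Documents/*.pdf)"]
  }
}
''')

RULE_RE = re.compile(r"^(?P<tool>\w+)(?:\((?P<spec>.*)\))?$")

# Rule tools that govern each file tool (the documented best-effort coverage).
GOVERNED_BY = {
    "Read": ("Read",), "Grep": ("Grep", "Read"), "Glob": ("Glob", "Read"),
    "Edit": ("Edit",), "Write": ("Write", "Edit"),
}


def resolve_specifier(spec, ctx):
    """Turn a specifier into an absolute glob using the documented prefixes."""
    if spec.startswith("//"):
        return "/" + spec[2:].lstrip("/")              # absolute filesystem path
    if spec.startswith("~/"):
        return posixpath.join(ctx["home"], spec[2:])   # home directory
    if spec.startswith("/"):
        return posixpath.join(ctx["root"], spec[1:])   # project root, NOT filesystem root
    if spec.startswith("./"):
        spec = spec[2:]
    return posixpath.join(ctx["cwd"], spec)            # current directory


def glob_to_regex(pattern):
    """gitignore-style: '*' and '?' never cross '/', '**/' is zero or more directory
    levels, a trailing '**' is everything below. Bracket classes not modelled (assumption)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]*/)*")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_matches(spec, path, ctx):
    # Normalise the target first so '../' traversal cannot slip past a deny rule.
    return glob_to_regex(resolve_specifier(spec, ctx)).match(posixpath.normpath(path)) is not None


def decide(settings, tool, path, ctx=CTX):
    """deny -> ask -> allow over the rule tools governing `tool`, first match wins.
    An unmatched path falls back to a prompt, modelled here as 'ask' (assumption)."""
    for verdict in ("deny", "ask", "allow"):
        for rule in settings["permissions"].get(verdict, []):
            m = RULE_RE.match(rule)
            if not m or m.group("tool") not in GOVERNED_BY[tool]:
                continue
            spec = m.group("spec")
            if spec is None or path_matches(spec, path, ctx):
                return verdict, rule
    return "ask", None


if __name__ == "__main__":
    for tool, p in [("Read", "/Users/alice/proj/packages/api/.env"),
                    ("Read", "/Users/alice/proj/.env"),
                    ("Grep", "/Users/alice/proj/packages/api/.env.local"),
                    ("Write", "/Users/alice/proj/src/routes/users.ts"),
                    ("Edit", "/Users/alice/proj/docs/guide.md"),
                    ("Edit", "/Users/alice/proj/.claude/docs/guide.md"),
                    ("Read", "/Users/alice/Documents/sub/notes.pdf"),
                    ("Read", "/Users/alice/proj/packages/api/../../../secrets/key.pem")]:
        print(f"{tool:5} {p:62} -> {decide(SETTINGS, tool, p)}")
```

Two of the cases are the ones that bite in practice: Read(./.env) denies the .env next to where Claude Code was started but says nothing about <project>/.env, because ./ is current-directory relative rather than project-root relative; and Read(~/Documents/*.pdf) does not reach into subdirectories, because a single * stops at a slash. The traversal case shows why the target path is normalised before matching.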
Matches WebFetch tool requests. Supports domain-based filtering with the domain: specifier prefix.
- WebFetch — all web fetch requests
- WebFetch(domain:example.com) — only requests to example.com
Note: a WebFetch rule alone does not restrict network access. If Bash is allowed, Claude can still reach any URL with curl, wget, or other tools. For reliable URL filtering, combine WebFetch domain rules with Bash deny rules for those tools. See WebFetch rules.
Examples: "WebFetch", "WebFetch(domain:example.com)", "WebFetch(domain:api.github.com)"
Matches WebSearch tool operations. No specifier support — applies to all web searches. See permission system.
Examples: "WebSearch"
Matches Glob tool operations for file pattern matching. Glob is a read-only tool — Read permission rules also apply to Glob on a best-effort basis. See permission system.
Examples: "Glob"
Matches Grep tool operations for content searching. Grep is a read-only tool — Read permission rules also apply to Grep on a best-effort basis. See permission system.
Examples: "Grep"
Matches Task (subagent) operations. Controls which subagents Claude can spawn.
- Task — all subagents
- Task(Explore) — the Explore subagent (read-only codebase exploration)
- Task(Plan) — the Plan subagent (implementation planning)
- Task(general-purpose) — the general-purpose subagent
- Task(my-custom-agent) — a custom subagent defined in .claude/agents/
Add to deny rules or use the --disallowedTools CLI flag to disable specific agents. See Task permission rules.
Examples: "Task", "Task(Explore)", "Task(Plan)", "Task(general-purpose)", "Task(my-custom-agent)", "Task(worker, researcher)"
Matches NotebookEdit tool operations for editing Jupyter notebook (.ipynb) cells. See permission system.
Examples: "NotebookEdit"
Matches Skill tool invocations. Controls which skills Claude can trigger via the Skill tool.
- Skill — all skills
- Skill(commit) — the specific commit skill
- Skill(my-plugin:my-skill) — a namespaced plugin skill
Skills are invoked as /slash-commands by users or programmatically by other skills. See skills.
Examples: "Skill", "Skill(commit)", "Skill(deploy)", "Skill(my-plugin:my-skill)"
Matches MCP (Model Context Protocol) tool operations. MCP tools follow the naming pattern mcp__<server>__<tool> where <server> is the server name configured in Claude Code.
- mcp__puppeteer — all tools from the puppeteer server
- mcp__puppeteer__* — wildcard matching all tools from the puppeteer server
- mcp__puppeteer__puppeteer_navigate — the specific puppeteer_navigate tool
Server names come from MCP server configuration in .mcp.json, settings files, or plugin manifests. See MCP permission rules.
Examples: "mcp__puppeteer", "mcp__puppeteer__*", "mcp__puppeteer__puppeteer_navigate", "mcp__github__create_issue", "mcp__slack__send_message"