Permission Rules: Syntax & Wildcards

3 MIN READ | UPDATED: 2026-06-16

While modes set the baseline, rules allow you to fine-tune exactly what Claude can and cannot do.

Basic Syntax

Rules follow the format Tool or Tool(specifier).

Example	Matches
`Bash`	All Bash commands
`Bash(npm run build)`	Exactly that command
`Read(./.env)`	Reads the local `.env` file
`WebFetch(domain:example.com)`	Web fetches for that domain

Wildcards

* can match one or more tokens.

Bash(npm run *): Matches any npm run command.
Bash(git * main): Matches git checkout main, git merge main, etc.
Bash(ls*): Matches ls, lsof, and ls -la.

Word Boundaries

Bash(ls *) vs Bash(ls*):

Bash(ls *) matches ls -la (note the space), but not lsof.
Bash(ls*) matches both.

Note: For Bash rules, Claude automatically strips process wrappers like timeout, nice, and nohup before matching.

← PREVIOUS LESSON Switching Methods & Cycle Order

NEXT LESSON → Rule Precedence & Evaluation Logic