Permission auto-approve should separate read/write/delete operations #69352

Description

@ndrone-winsupply

Problem

When Claude Code prompts for tool permission approval, the "always allow" option uses a wildcard that doesn't distinguish between read and write operations.

Example: Running git branch --show-current (a read-only command) offers git * as the auto-approve option. Accepting that would also auto-approve destructive commands like git push --force, git reset --hard, git clean -f, etc.

This makes the auto-approve option unusable for safety-conscious users — you have to deny every time because the granularity is too coarse.

Expected Behavior

The auto-approve options should separate by operation type. For example:

  • Read-only git: git branch *, git log *, git diff *, git status *, git rev-parse *, git show *
  • Write git: git add *, git commit *, git push *
  • Destructive git: git reset --hard *, git push --force *, git clean -f *, git branch -D *

This way users can auto-approve read operations without inadvertently allowing destructive ones.

Impact

Users who care about safety end up denying most auto-approve prompts, adding friction to every session. The current wildcard grouping defeats the purpose of having granular permissions.
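
An added sketch of the tiering this issue asks for; it is not Claude Code's implementation and not code from the issue author. The tier lists are copied from the issue, while the function names, the "ask" fallback and the rule that shell metacharacters always prompt are assumptions.

```python
import shlex

# Tier lists copied from the issue; everything else here is an assumption.
READ = {"branch", "log", "diff", "status", "rev-parse", "show"}
WRITE = {"add", "commit", "push"}
DESTRUCTIVE = [("reset", "--hard"), ("push", "--force"),
               ("clean", "-f"), ("branch", "-D")]
SHELL_META = set(";&|`$<>\n")  # chaining or substitution: never auto-approve


def has_flag(args, flag):
    """True if flag is present; short flags also match inside bundles like -fd."""
    if flag.startswith("--"):
        return flag in args
    return any(a.startswith("-") and not a.startswith("--") and flag[1] in a[1:]
               for a in args)


def classify(command):
    """Return (tier, pattern to offer as "always allow"), or ("ask", None)."""
    if SHELL_META & set(command):
        return "ask", None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return "ask", None
    if len(argv) < 2 or argv[0] != "git":
        return "ask", None
    sub, args = argv[1], argv[2:]
    # Destructive rules are checked first: the issue's read pattern "git branch *"
    # and write pattern "git push *" would otherwise swallow -D and --force.
    for d_sub, d_flag in DESTRUCTIVE:
        if sub == d_sub and has_flag(args, d_flag):
            return "destructive", f"git {d_sub} {d_flag} *"
    if sub in READ:
        return "read", f"git {sub} *"
    if sub in WRITE:
        return "write", f"git {sub} *"
    return "ask", None  # unknown subcommand or global option such as -C


def auto_approved(command, approved_tiers):
    """Decide by classifying the incoming command, not by glob-matching it."""
    return classify(command)[0] in approved_tiers


if __name__ == "__main__":
    for cmd in ["git branch --show-current", "git branch -D old",  # constructed
                "git push --force origin main", "git status; git clean -f"]:
        print(f"{cmd!r:34} -> {classify(cmd)}")
```

The destructive list mirrors only the issue's examples; a real policy would also need the short and variant spellings of those flags.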
