[BUG] v2.1.59: "Always allow" suggests overly broad wildcard instead of specific subcommand

[naichilab]

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

Since v2.1.59, the "Yes, and don't ask again for:" option suggests an overly broad wildcard pattern instead of the specific command that was executed.

For example, running gcloud scheduler jobs list results in the following option being offered:

Yes, and don't ask again for: gcloud scheduler:*

The wildcard gcloud scheduler:* also covers write operations (e.g. gcloud scheduler jobs create, gcloud scheduler jobs delete), which the user never intended to allow. Users may unintentionally grant broader permissions than desired.

What Should Happen?

The prompt should suggest the specific subcommand that was executed, e.g.:

Yes, and don't ask again for: gcloud scheduler jobs list

This is consistent with the likely previous behavior — existing entries in .claude/settings.local.json such as

"Bash(gcloud scheduler jobs list:*)" suggest the old behavior recorded specific subcommands.

Error Messages/Logs

Steps to Reproduce

1. Run a specific gcloud subcommand, e.g.:
   gcloud scheduler jobs list --project=xxx --location=yyy
2. Observe option 2 in the permission prompt:
   "Yes, and don't ask again for: gcloud scheduler:*"

Claude Model

Sonnet (default)

Is this a regression?

Yes, this worked in a previous version

Last Working Version

No response

Claude Code Version

2.1.61 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

The v2.1.59 changelog states:
"Improved 'always allow' prefix suggestions for compound bash commands to compute smarter per-subcommand prefixes instead of treating the whole command as one"

This change appears to affect single commands with subcommand structure (not just compound commands with &&), resulting in unintended over-permissioning.

[github-actions]

Found 3 possible duplicate issues:

1. [BUG] PermissionRequest hook permission_suggestions inconsistencies with UI #28464
2. Permission "don't ask again" suggests wrong command in piped chains #28036
3. [BUG] Wrong command is reported in "don't ask again for" in "This command requires approval" #27407

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[naichilab]

Thanks for the duplicate suggestions.

After reviewing all three issues, I believe this is a distinct problem:

• [BUG] Wrong command is reported in "don't ask again for" in "This command requires approval" #27407 and Permission "don't ask again" suggests wrong command in piped chains #28036 report incorrect suggestions in piped/compound commands
• [BUG] PermissionRequest hook permission_suggestions inconsistencies with UI #28464 reports inconsistency between the UI and hook data

My issue is specifically about a single, non-compound command (gcloud scheduler jobs list) being grouped into an overly broad wildcard pattern (gcloud scheduler:*), which risks unintentionally allowing write operations. This appears to be a side effect of the v2.1.59 "per-subcommand prefix" change being applied beyond its intended scope.

I'll keep this open as a separate report.

[sstklen]

你的分析完全正確，這確實是獨立的問題。v2.1.59 的 per-subcommand prefix 改動在分組邏輯上過於激進——gcloud scheduler jobs list 這種明確的唯讀操作不應該被歸到 gcloud scheduler:* 這種涵蓋寫入操作的萬用模式。

立即可用的 workaround： 手動編輯 .claude/settings.local.json，將過寬的 wildcard 換成你的 issue 裡提到的精確格式：

把：

"Bash(gcloud scheduler:*)"

換成：

"Bash(gcloud scheduler jobs list:*)"

這樣只允許你實際執行過的唯讀指令，不會意外開放寫入操作的權限。

[github-actions]

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.