Allow unmatched quotes in Bash allowlist patterns for SSH commands #16638

@dwiel

Problem

When allowing SSH commands that pass quoted arguments to remote hosts, the allowlist pattern needs to include an opening quote without a closing quote, since the closing quote comes after the wildcard portion.

For example, to allow:

ssh robot1-control -- 'kubectl get pods -n default'

The natural allowlist pattern would be:

"Bash(ssh robot1-control -- 'kubectl get:*)"

However, the settings validator rejects this with:

Unmatched ' in Bash pattern. Ensure all quotes are properly paired

Why this matters

SSH commands with quoted arguments are common for ensuring proper argument handling on the remote host. The current validation makes it impossible to allowlist these patterns - even manually editing settings.json doesn't work because Claude Code validates the file on startup and refuses to load it.

Users are forced to either:

  1. Not quote the remote command (which can cause issues with argument parsing)
  2. Approve each command individually every session

Suggested solution

Allow unmatched quotes in Bash allowlist patterns when they appear before the :* wildcard suffix, since the quote is part of the literal prefix being matched.

Related issues

Environment

  • macOS
  • Claude Code (latest)
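
One way the suggested relaxation could be validated and matched, as an added example that is not part of the issue and is not Claude Code's own code. All function names are hypothetical, and it assumes a rule ending in `:*` is a plain prefix match. When the literal prefix leaves a quote open, the matcher requires the command to close that quote as its final character, so the rule covers only the quoted remote command.

```javascript
// Added illustration; function names are hypothetical, not Claude Code internals.
// Assumption: a rule ending in ":*" is a plain prefix match on the command text.

// Return the quote character still open at the end of s, or null if balanced.
// Simplified shell quoting: backslash escapes apply outside single quotes only.
function openQuoteAt(s) {
  let open = null;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === "\\" && open !== "'") { i++; continue; }
    if (open === null) {
      if (c === "'" || c === '"') open = c;
    } else if (c === open) {
      open = null;
    }
  }
  return open;
}

// Validate a rule: an unmatched quote is accepted only in front of ":*".
function parseRule(rule) {
  const m = /^Bash\((.*)\)$/s.exec(rule);
  if (!m) throw new Error("not a Bash rule: " + rule);
  const isPrefix = m[1].endsWith(":*");
  const literal = isPrefix ? m[1].slice(0, -2) : m[1];
  const open = openQuoteAt(literal);
  if (open && !isPrefix) throw new Error(`Unmatched ${open} in Bash pattern`);
  return { literal, isPrefix, open };
}

function matches(rule, command) {
  const { literal, isPrefix, open } = parseRule(rule);
  if (!isPrefix) return command === literal;
  if (!command.startsWith(literal)) return false;
  if (!open) return true;
  // The literal left a quote open, so the wildcard part must close it, and
  // the closing quote must be the final character: nothing may follow the
  // quoted remote command. Conservative: an escaped quote is rejected too.
  const rest = command.slice(literal.length);
  const close = rest.indexOf(open);
  return close !== -1 && close === rest.length - 1;
}

// Constructed sample rule, taken from the issue's own example.
const RULE = "Bash(ssh robot1-control -- 'kubectl get:*)";
```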
