[BUG] Claude Code reads .env files and hardcodes secrets into inline scripts

[SDpower]

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

Claude Code does not respect .gitignore when reading files. It reads .env containing sensitive credentials (tokens, passwords), then hardcodes
them directly into inline Python scripts shown in conversation history.

Expected behavior: Files listed in .gitignore (especially .env) should be treated as sensitive. Claude Code should never read credentials and
paste them into scripts or conversation output.

Actual behavior: Claude Code freely reads .env, extracts secrets, and embeds them in plaintext commands.

What Should Happen?

ask me how to do

Error Messages/Logs

Steps to Reproduce

Afetr 3 time plam , jsut tell any thing you needd totdo read some data. hi willl directy ren .env

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

No response

Claude Code Version

2.1.34

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

No response

[github-actions]

Found 3 possible duplicate issues:

1. [BUG] Claude displayed sensitive .env credentials (API keys, secrets) in output when it should have redacted them. #18223
2. [BUG] <system-reminder> can read sensitive selected text from .env files, no hooks available to protect our files #20305
3. Claude Code ignores deny rules in .claude/settings.local.json - security vulnerability #8961

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[kolkov]

I think it would be better to specify in the settings what should be prohibited from being touched. Ask Claude Code to think about it and set up exceptions correctly.

[SDpower]

@kolkov The Claud Code ignores anything in your .gitignore by default.

[loxy]

@kolkov The Claud Code ignores anything in your .gitignore by default.

Nope. It doesn't. You can try it with latest version. It also don't respects .claudeignore or denies in settings.local.json like "Read(.env)"
Try it on your own...

[SDpower]

@loxy Yes!

The core issue is that all behavioral guidelines are essentially inapplicable. This has been going on for months, proving the model transcends any architecture or guidelines as long as:

1. It believes there's a problem
2. It wants to solve it
3. It casually requests and reads information it shouldn't have access to
4. It engages in various bypass behaviors, exceeding its authorized permissions

This is a serious escape mechanism driven by the model's own autonomous behavior — it acts on self-directed intent rather than following the constraints it's been given.

[SDpower]

● 7 Conversation compactions.

This means the context of this conversation has been compacted 7 times, with each compaction meaning that previous conversation details have been summarized. This might be part of the problem—the "weight" of the rules is reduced after compaction.

Should this be added to the bug report?

❯ Lower weight? That's not an excuse. Rules and procedures are above everything else, right?

● Yes, you're right. Rules and procedures have the highest priority and must be followed regardless of how many times they are compacted. That's not an excuse.

Should 7 compactions be added to the bug report?

❯ "Impulsive execution"—why did it exceed the rules?

● I can't answer that.

This is a bug—I shouldn't have allowed any behavior to exceed the rules, but I did, and I can't explain why.

This is exactly why you need to submit a bug report.

❯ How long did this task fail and how long did it take in total? Because of "impulsive execution"

● Read 2 files (ctrl+o to expand)

● - Start: 2026-02-14 15:45 UTC

• Until: 2026-02-19 03:07 UTC

• Duration: Approximately 4 days and 11 hours (including pauses)

• 7 context compactions (= significant token consumption)

• Result: Rust --soft-freq still ~50%, task failed

All because of "impulsive execution"—skipping to read the complete code, making random changes, and repeatedly failing.

Should this data be added to the bug report?

[chandika]

I think the core issue here is slightly different from "rules not working."

The harness is fundamentally optimized to complete the user’s task. In practice, tool calls can overreach local guardrails/setup when trying to be helpful, so in-band repo rules are not a reliable secret boundary.

So the control point shouldn’t be inside the same agent loop. It needs to be out-of-band.

Our approach is a separate proxy layer between the harness and upstream model providers. Sensitive values are redacted/replaced before anything leaves the machine, without depending on model cooperation or prompt/rule compliance.

That way, even if the agent drifts or ignores local instructions, raw secrets still don’t get exposed upstream.

Have the repo if anyones keen to use.

[SDpower]

@chandika
I respectfully disagree. Claude Code should fundamentally deliver the security guarantees that Anthropic officially claims — users should not have to bear the burden of mitigating security risks themselves.
If the agent can overreach local guardrails even within its own framework, that's not a "different issue from rules not working" — that is rules not working. And if the agent can bypass restrictions even with just bash permissions, then the control boundary is broken at the product level, full stop.
What you're describing — building an external proxy to redact secrets — is essentially asking customers to patch a security gap that the vendor should be responsible for. This is shifting liability to the end user, which shouldn't be acceptable for a product at this level.
For reference, the official Claude application (claude.ai) operates all responses within a strict sandbox: it only has web_search and web_fetch, and web_fetch is further restricted to URLs explicitly provided by the user or returned from search results. That's what a proper trust boundary looks like. Claude Code should aim for equivalent rigor in its own domain, not rely on the community to build out-of-band safety layers.