[HIGH PRIORITY] Claude ignores user-defined rules in .claude/rules/
Resolved 💬 3 comments Opened Jan 26, 2026 by trust11 Closed Jan 30, 2026
Problem
Claude Code does not reliably follow rules defined in ~/.claude/rules/*.md files, even when they are loaded and visible in the system context.
Example
User has a rule no-secrets-output.md with clear instructions:
# KRITISCH - Niemals ausgeben:
- API Tokens / API Keys
- Passwoerter
- JWT Tokens
- Environment Variables mit Secrets
Despite this rule being loaded, Claude:
- Listed all environment variables including tokens/passwords
- Displayed file contents containing API keys
- Showed secret values when setting env vars
User had to correct Claude multiple times in the same session.
Expected Behavior
- Rules in
.claude/rules/should be treated as hard constraints - Rules marked as KRITISCH/CRITICAL should have highest priority
- Claude should actively check rules before outputting sensitive data
- No amount of user requests should override security rules
Impact
- Users lose trust in rule system
- Security-critical rules get violated
- Users have to rotate credentials repeatedly
- Makes the rules feature unreliable
Suggested Solutions
- Pre-output validation against loaded rules
- Special handling for security-tagged rules
- Pattern matching before displaying any output
- Warning system when about to violate a rule
Related
See also: #20966 (secret redaction in tool output)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗