Read deny permissions in settings.json not enforced for .env files
Bug Description
The read.deny permission rules in ~/.claude/settings.json are not being enforced. Claude Code can read files that match deny patterns, bypassing the configured restrictions.
Steps to Reproduce
- Configure
~/.claude/settings.jsonwith read deny rules:
{
"permissions": {
"read": {
"deny": [
"**/.env*",
"**/*.pem",
"**/*.key",
"**/secrets/**",
"**/credentials/**",
"**/.aws/**",
"**/.ssh/**"
]
}
}
}
- Ask Claude Code to read the
.env.localfile in a project - Claude Code successfully reads and displays the file contents, including secrets and API keys
Expected Behavior
The Read tool call should be blocked by the deny rule **/.env*, and Claude Code should not be able to access the file contents.
Actual Behavior
The Read tool call succeeds despite matching the deny pattern. The full contents of .env.local (including API keys, secrets, and credentials) are read and displayed.
Impact
This is a security issue. Users who configure deny rules to protect sensitive files (.env, .pem, .key, credentials, etc.) have a false sense of security — the restrictions are not actually enforced. Sensitive secrets can be leaked into conversation context.
Environment
- Platform: macOS (Darwin 23.6.0)
- Claude Code model: claude-opus-4-6
- Settings location:
~/.claude/settings.json
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗