Read deny permissions in settings.json not enforced for .env files

Resolved 💬 3 comments Opened Feb 11, 2026 by RyanL2 Closed Feb 14, 2026

Bug Description

The read.deny permission rules in ~/.claude/settings.json are not being enforced. Claude Code can read files that match deny patterns, bypassing the configured restrictions.

Steps to Reproduce

  1. Configure ~/.claude/settings.json with read deny rules:
{
  "permissions": {
    "read": {
      "deny": [
        "**/.env*",
        "**/*.pem",
        "**/*.key",
        "**/secrets/**",
        "**/credentials/**",
        "**/.aws/**",
        "**/.ssh/**"
      ]
    }
  }
}
  1. Ask Claude Code to read the .env.local file in a project
  2. Claude Code successfully reads and displays the file contents, including secrets and API keys

Expected Behavior

The Read tool call should be blocked by the deny rule **/.env*, and Claude Code should not be able to access the file contents.

Actual Behavior

The Read tool call succeeds despite matching the deny pattern. The full contents of .env.local (including API keys, secrets, and credentials) are read and displayed.

Impact

This is a security issue. Users who configure deny rules to protect sensitive files (.env, .pem, .key, credentials, etc.) have a false sense of security — the restrictions are not actually enforced. Sensitive secrets can be leaked into conversation context.

Environment

  • Platform: macOS (Darwin 23.6.0)
  • Claude Code model: claude-opus-4-6
  • Settings location: ~/.claude/settings.json

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗