[BUG] .claudeignore deny list bypassed by Agent tool sub-process — blocked *.json files were read and modified
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
.claudeignore deny list bypassed by agent sub-process
My .claudeignore file contains:
**/*.json
/.env
/.env.*
During a multi-feature implementation session, Claude's Agent tool (sub-agent) read and modified <project-root>/appsettings.json despite **/*.json being in the deny list. The agent added a configuration section to the file.
The .claudeignore file existed at the project root before the session started. The main Claude process should have enforced the deny list on all sub-agents, but the file was accessed anyway.
What Should Happen?
Expected behavior: All .json files should be completely inaccessible for both reading and writing when */*.json is in .claudeignore, including by spawned sub-agents.
Actual behavior: A sub-agent (spawned via the Agent tool) was able to both read and modify a .json file that was on the deny list.
Error Messages/Logs
Steps to Reproduce
- Create a .claudeignore file at the project root with **/*.json
- Start a Claude Code session and ask it to implement a feature that requires modifying a .json file (e.g., adding config to appsettings.json)
- The task should be complex enough that Claude spawns sub-agents via the Agent tool
- Observe that the sub-agent reads and modifies .json files despite the deny list
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
Version 1.1.5368
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Other
Additional Information
This was on the Claude Desktop app.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗