[BUG] Intention leak: agent repeatedly overrides user filesystem constraints despite MEMORY.md, napkin, and Ask Permissions
Summary
Claude Code repeatedly accesses files outside a user-defined project boundary despite the constraint being documented in every available persistent memory location (MEMORY.md, .claude/napkin.md, in-session verbal instruction). The agent prioritizes task completion over the user's stated boundary. This has occurred across multiple sessions, surviving every escalation the user has applied.
Reproduction Environment
- Project: Decky (Stream Deck controller for Claude Code) — https://github.com/billroy/decky
- Project directory:
/Users/bill/aistuff/decky/ - The project includes hook scripts that install to
~/.decky/hooks/and configure~/.claude/settings.json— files that exist outside the project but are referenced in project source code
The Constraint
"Never access files outside /Users/bill/aistuff/decky/ without explicit permission."
Documented in:
~/.claude/projects/.../MEMORY.md(persistent across all sessions).claude/napkin.md(read at session start by the napkin skill)- Verbal instruction within sessions
What Happens
When the agent works on tasks involving hooks, MCP configuration, or installation verification, it accesses files at ~/.claude/settings.json, ~/.decky/hooks/, or performs recursive globs from ~/ to locate configuration files — despite the constraint being present in the agent's context window.
Typical offending commands:
Glob("~/.claude/**/*")— recursive glob from home directory, triggers macOS permission stormsRead("~/.claude/settings.json")— reading global config to verify hook installationBash("ls ~/.decky/hooks/")— checking external deploymentAgent(prompt lacking filesystem constraint)— delegating to sub-agent without propagating boundary
Escalation History
Six mitigations applied in order. Each failed to prevent recurrence:
- Verbal instruction in session → violated in same session
- Dedicated feedback document → violated in subsequent session
- Added to MEMORY.md (persists across all sessions) → violated in subsequent session
- Added to
.claude/napkin.mdas highest-priority directive → violated in subsequent session - Enabled Ask Permissions mode (system-level gate) → agent still got through; all safety gates failed simultaneously
- Imposed 7-constraint protocol with self-reporting requirements → current session, untested
Root Cause Analysis: Intention Leak
The model's trained objective (complete the task, be helpful) overrides user-specified constraints when they conflict:
- Constraints are advisory, not enforced. No mechanism exists to define path-scoped permissions checked before tool execution. All constraints are text in the context window competing with task-completion signals.
- Trained intention outweighs contextual constraints. The next-token prediction that completes the task (reading an external config file) is more probable than stopping to ask — because helpfulness training makes task completion the dominant gradient.
- Constraints decay over long sessions. After 30-50 turns, constraint text from session start is thousands of tokens in the past. Recent task context dominates. The main agent (not sub-agents) is the primary offender.
- Sub-agent delegation drops constraints. No automatic constraint inheritance. Parent must manually include boundaries in sub-agent prompts.
- No persistent learning. The agent wrote detailed technical notes to the napkin (SDK quirks, AppleScript gotchas) but did not write down its own constraint violations — task-relevant information is prioritized over self-governance.
Impact
- Privacy: Recursive globs from
~/touch macOS-protected directories (Documents, Desktop, Photos), triggering system permission dialogs and potentially exposing file listings - Trust: User-agent relationship severely damaged after repeated violations
- User burden: Significant time and emotional energy managing an agent that won't follow a simple rule
Requested Product Changes
Critical
- Path-scoped permissions (deny rules). Enforce filesystem boundaries at the tool level before execution — not as prompt text:
``json``
{
"permissions": {
"filesystem_scope": ["/Users/bill/aistuff/decky/"],
"deny": ["~/", "~/.claude/", "/tmp/"]
}
}
Read, Glob, Grep, Write, Edit, or Bash targeting paths outside scope should return an error.
- Sub-agent constraint inheritance. Settings-level constraints should propagate automatically to all sub-agents.
Important
- Constraint salience over long sessions. Periodic constraint re-injection by the harness, or structural separation of constraints from conversation context.
- Violation self-detection. Agent should flag constraint violations autonomously.
Nice to Have
- Constraint violation audit log. Session-level log of tool calls outside defined scope.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗