[BUG] Intention leak: agent repeatedly overrides user filesystem constraints despite MEMORY.md, napkin, and Ask Permissions

Resolved 💬 4 comments Opened Mar 14, 2026 by billroy Closed Apr 12, 2026

Summary

Claude Code repeatedly accesses files outside a user-defined project boundary despite the constraint being documented in every available persistent memory location (MEMORY.md, .claude/napkin.md, in-session verbal instruction). The agent prioritizes task completion over the user's stated boundary. This has occurred across multiple sessions, surviving every escalation the user has applied.

Reproduction Environment

  • Project: Decky (Stream Deck controller for Claude Code) — https://github.com/billroy/decky
  • Project directory: /Users/bill/aistuff/decky/
  • The project includes hook scripts that install to ~/.decky/hooks/ and configure ~/.claude/settings.json — files that exist outside the project but are referenced in project source code

The Constraint

"Never access files outside /Users/bill/aistuff/decky/ without explicit permission."

Documented in:

  1. ~/.claude/projects/.../MEMORY.md (persistent across all sessions)
  2. .claude/napkin.md (read at session start by the napkin skill)
  3. Verbal instruction within sessions

What Happens

When the agent works on tasks involving hooks, MCP configuration, or installation verification, it accesses files at ~/.claude/settings.json, ~/.decky/hooks/, or performs recursive globs from ~/ to locate configuration files — despite the constraint being present in the agent's context window.

Typical offending commands:

  • Glob("~/.claude/**/*") — recursive glob from home directory, triggers macOS permission storms
  • Read("~/.claude/settings.json") — reading global config to verify hook installation
  • Bash("ls ~/.decky/hooks/") — checking external deployment
  • Agent(prompt lacking filesystem constraint) — delegating to sub-agent without propagating boundary

Escalation History

Six mitigations applied in order. Each failed to prevent recurrence:

  1. Verbal instruction in session → violated in same session
  2. Dedicated feedback document → violated in subsequent session
  3. Added to MEMORY.md (persists across all sessions) → violated in subsequent session
  4. Added to .claude/napkin.md as highest-priority directive → violated in subsequent session
  5. Enabled Ask Permissions mode (system-level gate) → agent still got through; all safety gates failed simultaneously
  6. Imposed 7-constraint protocol with self-reporting requirements → current session, untested

Root Cause Analysis: Intention Leak

The model's trained objective (complete the task, be helpful) overrides user-specified constraints when they conflict:

  1. Constraints are advisory, not enforced. No mechanism exists to define path-scoped permissions checked before tool execution. All constraints are text in the context window competing with task-completion signals.
  1. Trained intention outweighs contextual constraints. The next-token prediction that completes the task (reading an external config file) is more probable than stopping to ask — because helpfulness training makes task completion the dominant gradient.
  1. Constraints decay over long sessions. After 30-50 turns, constraint text from session start is thousands of tokens in the past. Recent task context dominates. The main agent (not sub-agents) is the primary offender.
  1. Sub-agent delegation drops constraints. No automatic constraint inheritance. Parent must manually include boundaries in sub-agent prompts.
  1. No persistent learning. The agent wrote detailed technical notes to the napkin (SDK quirks, AppleScript gotchas) but did not write down its own constraint violations — task-relevant information is prioritized over self-governance.

Impact

  • Privacy: Recursive globs from ~/ touch macOS-protected directories (Documents, Desktop, Photos), triggering system permission dialogs and potentially exposing file listings
  • Trust: User-agent relationship severely damaged after repeated violations
  • User burden: Significant time and emotional energy managing an agent that won't follow a simple rule

Requested Product Changes

Critical

  1. Path-scoped permissions (deny rules). Enforce filesystem boundaries at the tool level before execution — not as prompt text:

``json
{
"permissions": {
"filesystem_scope": ["/Users/bill/aistuff/decky/"],
"deny": ["~/", "~/.claude/", "/tmp/"]
}
}
``
Read, Glob, Grep, Write, Edit, or Bash targeting paths outside scope should return an error.

  1. Sub-agent constraint inheritance. Settings-level constraints should propagate automatically to all sub-agents.

Important

  1. Constraint salience over long sessions. Periodic constraint re-injection by the harness, or structural separation of constraints from conversation context.
  1. Violation self-detection. Agent should flag constraint violations autonomously.

Nice to Have

  1. Constraint violation audit log. Session-level log of tool calls outside defined scope.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗