[DOCS] `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1` environment variable is missing from the docs
Documentation Type
other
Documentation Location
https://code.claude.com/docs/en/env-vars
Section/Topic
| Page | URL | Why affected |
|------|-----|--------------|
| Environment variables | https://code.claude.com/docs/en/env-vars | Primary reference for all CLAUDE_CODE_* vars; CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is absent from the table |
| Security | https://code.claude.com/docs/en/security | Documents built-in protections; credential scrubbing from subprocesses is a security control |
| Hooks | https://code.claude.com/docs/en/hooks | Hook commands run as subprocesses; users configuring hooks need to know this option exists |
| MCP | https://code.claude.com/docs/en/mcp | MCP stdio servers are explicitly called out as affected; no mention of the scrub flag |
Current Documentation
The environment variables reference page (env-vars) lists all supported CLAUDE_CODE_* variables in a table. CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is not listed anywhere in the table or in any prose on that page. The security, hooks, and MCP pages likewise make no mention of this flag or the credential-stripping behavior it enables.
What's Wrong or Missing?
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB should be documented in the environment variables reference with a clear description of:
- What setting it to
1does (strips Anthropic API keys and cloud provider credentials from the environment inherited by subprocesses) - Which subprocess types are affected (Bash tool executions, hook commands, MCP stdio servers)
- Which credential families are scrubbed (Anthropic keys such as
ANTHROPIC_API_KEY, and cloud provider credentials such as AWS, GCP, and Azure env vars)
The security page should cross-reference this variable as part of the built-in protections for credential isolation in agentic contexts.
Suggested Improvement
- Open https://code.claude.com/docs/en/env-vars
- Search the page (Ctrl+F / Cmd+F) for
SUBPROCESS_ENV_SCRUB - Observe: no results
- Open https://code.claude.com/docs/en/security and repeat
- Observe: no results
Impact
Medium - Makes feature difficult to understand
Additional Context
- Type: Missing documentation
- Severity: High — a security-relevant feature added in v2.1.83 is entirely undiscoverable through the official docs
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗