[DOCS] `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1` environment variable is missing from the docs

Resolved 💬 3 comments Opened Mar 25, 2026 by coygeek Closed Apr 28, 2026

Documentation Type

other

Documentation Location

https://code.claude.com/docs/en/env-vars

Section/Topic

| Page | URL | Why affected |
|------|-----|--------------|
| Environment variables | https://code.claude.com/docs/en/env-vars | Primary reference for all CLAUDE_CODE_* vars; CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is absent from the table |
| Security | https://code.claude.com/docs/en/security | Documents built-in protections; credential scrubbing from subprocesses is a security control |
| Hooks | https://code.claude.com/docs/en/hooks | Hook commands run as subprocesses; users configuring hooks need to know this option exists |
| MCP | https://code.claude.com/docs/en/mcp | MCP stdio servers are explicitly called out as affected; no mention of the scrub flag |

Current Documentation

The environment variables reference page (env-vars) lists all supported CLAUDE_CODE_* variables in a table. CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is not listed anywhere in the table or in any prose on that page. The security, hooks, and MCP pages likewise make no mention of this flag or the credential-stripping behavior it enables.

What's Wrong or Missing?

CLAUDE_CODE_SUBPROCESS_ENV_SCRUB should be documented in the environment variables reference with a clear description of:

  • What setting it to 1 does (strips Anthropic API keys and cloud provider credentials from the environment inherited by subprocesses)
  • Which subprocess types are affected (Bash tool executions, hook commands, MCP stdio servers)
  • Which credential families are scrubbed (Anthropic keys such as ANTHROPIC_API_KEY, and cloud provider credentials such as AWS, GCP, and Azure env vars)

The security page should cross-reference this variable as part of the built-in protections for credential isolation in agentic contexts.

Suggested Improvement

  1. Open https://code.claude.com/docs/en/env-vars
  2. Search the page (Ctrl+F / Cmd+F) for SUBPROCESS_ENV_SCRUB
  3. Observe: no results
  4. Open https://code.claude.com/docs/en/security and repeat
  5. Observe: no results

Impact

Medium - Makes feature difficult to understand

Additional Context

  • Type: Missing documentation
  • Severity: High — a security-relevant feature added in v2.1.83 is entirely undiscoverable through the official docs

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗