[BUG] `**/` glob prefix in deny rules causes massive context bloat on Linux/WSL but not macOS
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
### Environment
- Platform: Linux (WSL2) --
Linux 6.6.87.2-microsoft-standard-WSL2 - Claude Code: CLI (version 2.1.100)
- Model: claude-opus-4-6 (1M context)
- macOS colleagues do NOT reproduce with identical config
### Description
Using **/ prefix in Read() deny rules in .claude/settings.json causes the context window to balloon to 230%+,
making Claude Code unusable. Replacing with an anchored path (no **/ prefix) keeps context at normal levels.
### Reproduction steps
- Have a Python project with a
.venvdirectory (~40k files) - Add to
.claude/settings.json:
``json``
{
"permissions": {
"deny": [
"Read(**/.venv/**)"
]
}
}
- Start Claude Code and run
/context - Observe context usage at 230%+
- Change the deny rule to:
``json``
"Read(.venv/**)"
- Restart Claude Code and run
/context - Observe context usage is normal (~3%)
### Expected behavior
Both Read(**/.venv/**) and Read(.venv/**) should result in comparable context usage. The **/ prefix should not
cause the entire file tree to be enumerated as individual paths in the sandbox config.
### Observed behavior
The **/ prefix causes glob patterns to be expanded into explicit per-file paths in the sandbox denyOnly list that
is part of the system prompt. For a .venv with ~40k files, this consumes the entire context window.
This is visible in the sandbox filesystem restrictions injected into the system prompt, which contains individual
entries like:
````
"/path/to/project/.venv/lib/python3.12/site-packages/certbot/ssl-dhparams.pem",
"/path/to/project/.venv/lib/python3.12/site-packages/certifi/cacert.pem",
... (thousands more)
### Platform-specific
macOS colleagues with the same .venv size (~40k files), same deny rules, and same Claude Code version do not
experience this issue. This suggests platform-specific behavior in glob expansion or sandbox config generation.
### Workaround
Use anchored paths instead of **/ prefixed patterns:
Read(.venv/**)instead ofRead(**/.venv/**)
This also affects other **/ patterns (e.g. Read(**/*.pem), Read(**/*secret*)) which expand to many individual
.venv file paths, though the impact is smaller when the match count is lower.
What Should Happen?
Both Read(**/.venv/**) and Read(.venv/**) should result in comparable context usage. The **/ prefix should not cause the entire file tree to be enumerated as individual paths in the sandbox config.
Error Messages/Logs
Steps to Reproduce
- Have a Python project with a
.venvdirectory (~40k files) - Add to
.claude/settings.json:
``json``
{
"permissions": {
"deny": [
"Read(**/.venv/**)"
]
}
}
- Start Claude Code and run
/context - Observe context usage at 230%+
- Change the deny rule to:
``json``
"Read(.venv/**)"
- Restart Claude Code and run
/context - Observe context usage is normal (~3%)
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.100
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗