[BUG] `**/` glob prefix in deny rules causes massive context bloat on Linux/WSL but not macOS

Resolved 💬 2 comments Opened Apr 10, 2026 by ondrej-cerny-adastra Closed May 23, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

### Environment

  • Platform: Linux (WSL2) -- Linux 6.6.87.2-microsoft-standard-WSL2
  • Claude Code: CLI (version 2.1.100)
  • Model: claude-opus-4-6 (1M context)
  • macOS colleagues do NOT reproduce with identical config

### Description

Using **/ prefix in Read() deny rules in .claude/settings.json causes the context window to balloon to 230%+,
making Claude Code unusable. Replacing with an anchored path (no **/ prefix) keeps context at normal levels.

### Reproduction steps

  1. Have a Python project with a .venv directory (~40k files)
  2. Add to .claude/settings.json:

``json
{
"permissions": {
"deny": [
"Read(**/.venv/**)"
]
}
}
``

  1. Start Claude Code and run /context
  2. Observe context usage at 230%+
  1. Change the deny rule to:

``json
"Read(.venv/**)"
``

  1. Restart Claude Code and run /context
  2. Observe context usage is normal (~3%)

### Expected behavior

Both Read(**/.venv/**) and Read(.venv/**) should result in comparable context usage. The **/ prefix should not
cause the entire file tree to be enumerated as individual paths in the sandbox config.

### Observed behavior

The **/ prefix causes glob patterns to be expanded into explicit per-file paths in the sandbox denyOnly list that
is part of the system prompt. For a .venv with ~40k files, this consumes the entire context window.

This is visible in the sandbox filesystem restrictions injected into the system prompt, which contains individual
entries like:
``
"/path/to/project/.venv/lib/python3.12/site-packages/certbot/ssl-dhparams.pem",
"/path/to/project/.venv/lib/python3.12/site-packages/certifi/cacert.pem",
... (thousands more)
``

### Platform-specific

macOS colleagues with the same .venv size (~40k files), same deny rules, and same Claude Code version do not
experience this issue. This suggests platform-specific behavior in glob expansion or sandbox config generation.

### Workaround

Use anchored paths instead of **/ prefixed patterns:

  • Read(.venv/**) instead of Read(**/.venv/**)

This also affects other **/ patterns (e.g. Read(**/*.pem), Read(**/*secret*)) which expand to many individual
.venv file paths, though the impact is smaller when the match count is lower.

What Should Happen?

Both Read(**/.venv/**) and Read(.venv/**) should result in comparable context usage. The **/ prefix should not cause the entire file tree to be enumerated as individual paths in the sandbox config.

Error Messages/Logs

Steps to Reproduce

  1. Have a Python project with a .venv directory (~40k files)
  2. Add to .claude/settings.json:

``json
{
"permissions": {
"deny": [
"Read(**/.venv/**)"
]
}
}
``

  1. Start Claude Code and run /context
  2. Observe context usage at 230%+
  1. Change the deny rule to:

``json
"Read(.venv/**)"
``

  1. Restart Claude Code and run /context
  2. Observe context usage is normal (~3%)

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.100

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗