Memory-based security rules not consistently checked before sensitive operations

Resolved 💬 1 comment Opened Apr 19, 2026 by mikesibiu Closed May 26, 2026

Claude Code has a memory system for storing user-defined rules (e.g., security policies, workflows, preferences). However, these rules are not consistently consulted during decision-making, especially for security-sensitive operations like credential handling.

Problem

On 2026-04-19, Claude Code had a documented rule in memory: "Never echo passwords to terminal." When passing temporary IPMI credentials via command-line arguments, Claude Code failed to check this rule before executing. The rule existed but was not applied because Claude Code did not proactively consult memory at the decision point.

Impact

  • Memory rules become cosmetic (stored but not enforced)
  • Security practices are inconsistent
  • User false confidence: "I documented the rule, so it will be followed"
  • Temporary/test credentials get same weak handling as production credentials

Expected Behavior

Before handling credentials, tokens, secrets, or other sensitive data, Claude Code should:

  1. Proactively check project/personal memory for relevant rules
  2. Apply those rules regardless of context ("it's temporary" is not an exception)
  3. Suggest secure alternatives if about to violate a rule

Current Behavior

Rules sit in memory but are only discovered after the violation, not consulted before the decision.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗