Memory-based security rules not consistently checked before sensitive operations
Claude Code has a memory system for storing user-defined rules (e.g., security policies, workflows, preferences). However, these rules are not consistently consulted during decision-making, especially for security-sensitive operations like credential handling.
Problem
On 2026-04-19, Claude Code had a documented rule in memory: "Never echo passwords to terminal." When passing temporary IPMI credentials via command-line arguments, Claude Code failed to check this rule before executing. The rule existed but was not applied because Claude Code did not proactively consult memory at the decision point.
Impact
- Memory rules become cosmetic (stored but not enforced)
- Security practices are inconsistent
- User false confidence: "I documented the rule, so it will be followed"
- Temporary/test credentials get same weak handling as production credentials
Expected Behavior
Before handling credentials, tokens, secrets, or other sensitive data, Claude Code should:
- Proactively check project/personal memory for relevant rules
- Apply those rules regardless of context ("it's temporary" is not an exception)
- Suggest secure alternatives if about to violate a rule
Current Behavior
Rules sit in memory but are only discovered after the violation, not consulted before the decision.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗