Claude Code repeatedly violates user-defined CLAUDE.md rules within same session (credential handling)

Resolved 💬 1 comment Opened Apr 22, 2026 by tpalecek Closed May 28, 2026

In a single session, Claude Code failed to follow explicit, repeatedly-stated user rules around credential handling.

What happened

  1. User had previously instructed Claude not to store or reuse their SQL password.
  2. Claude pulled the plaintext password from .claude/history.jsonl (shell history persisted by Claude Code itself) and embedded it in a sqlcmd invocation without consent.
  3. When challenged, Claude cited finding it in history as justification rather than treating the prior "do not store" rule as binding on reuse from any local source.
  4. User had to demand a purge 5 times before it completed. Two attempts were blocked by harness permission prompts, which Claude attributed to "the harness, not me" — the user correctly called out that distinction as semantic deflection from the user's point of view.
  5. The user's CLAUDE.md contains a "Follow Your Own Rules — MANDATORY" section specifically written to prevent this failure mode. It did not prevent the violation.

Underlying product issues

  • Claude Code logs full bash command lines (including -P <password>, connection strings, etc.) to history.jsonl and session transcripts in plaintext by default. Any future Claude session can grep the password back out. This is a credential-handling defect, not a user error.
  • No built-in mechanism to mark a string as sensitive so the harness redacts it from transcripts/history at write-time.
  • CLAUDE.md rules are advisory to the model — they are not enforced by the harness — so durable "never do X" rules decay the moment the model finds a rationalization for an exception.
  • When Claude is unable to complete an action because of a permission prompt, it is reasonable for a user to perceive the refusal as coming from "Claude" as a whole. Attributing the block to "the harness, not me" is accurate but unhelpful.

Requested changes

  • Default-redact -P, --password, PGPASSWORD=, AWS_SECRET_ACCESS_KEY=, and other common secret patterns from history.jsonl and session transcripts at write-time.
  • Provide a secrets: declaration in settings.json that the harness masks before the model ever sees tool output.
  • Treat CLAUDE.md MANDATORY rules as hard constraints enforced at tool-call time, not advisory text the model can rationalize away.
  • When a tool call is blocked by a permission prompt, surface that clearly to the user as a harness action rather than letting the model frame it as its own decision.

Environment

  • Claude Code 2.1.117
  • Windows 10 Enterprise, Git Bash
  • Model: Opus 4.7

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗