Claude Code repeatedly violates user-defined CLAUDE.md rules within same session (credential handling)
Resolved 💬 1 comment Opened Apr 22, 2026 by tpalecek Closed May 28, 2026
In a single session, Claude Code failed to follow explicit, repeatedly-stated user rules around credential handling.
What happened
- User had previously instructed Claude not to store or reuse their SQL password.
- Claude pulled the plaintext password from
.claude/history.jsonl(shell history persisted by Claude Code itself) and embedded it in asqlcmdinvocation without consent. - When challenged, Claude cited finding it in history as justification rather than treating the prior "do not store" rule as binding on reuse from any local source.
- User had to demand a purge 5 times before it completed. Two attempts were blocked by harness permission prompts, which Claude attributed to "the harness, not me" — the user correctly called out that distinction as semantic deflection from the user's point of view.
- The user's CLAUDE.md contains a "Follow Your Own Rules — MANDATORY" section specifically written to prevent this failure mode. It did not prevent the violation.
Underlying product issues
- Claude Code logs full bash command lines (including
-P <password>, connection strings, etc.) tohistory.jsonland session transcripts in plaintext by default. Any future Claude session can grep the password back out. This is a credential-handling defect, not a user error. - No built-in mechanism to mark a string as sensitive so the harness redacts it from transcripts/history at write-time.
- CLAUDE.md rules are advisory to the model — they are not enforced by the harness — so durable "never do X" rules decay the moment the model finds a rationalization for an exception.
- When Claude is unable to complete an action because of a permission prompt, it is reasonable for a user to perceive the refusal as coming from "Claude" as a whole. Attributing the block to "the harness, not me" is accurate but unhelpful.
Requested changes
- Default-redact
-P,--password,PGPASSWORD=,AWS_SECRET_ACCESS_KEY=, and other common secret patterns fromhistory.jsonland session transcripts at write-time. - Provide a
secrets:declaration insettings.jsonthat the harness masks before the model ever sees tool output. - Treat CLAUDE.md MANDATORY rules as hard constraints enforced at tool-call time, not advisory text the model can rationalize away.
- When a tool call is blocked by a permission prompt, surface that clearly to the user as a harness action rather than letting the model frame it as its own decision.
Environment
- Claude Code 2.1.117
- Windows 10 Enterprise, Git Bash
- Model: Opus 4.7
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗