[BUG] IDE extension bypasses .claudeignore and settings.json deny rules (Auto-attach context leak)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The VS Code extension automatically injects the currently open file and any text selection into the conversation context for every single prompt. Crucially, this happens even if the file is explicitly listed in .claudeignore AND denied in .claude/settings.json permissions. While Claude Code correctly blocks its own tools from reading ignored files, the IDE extension completely bypasses these rules by injecting the file contents into the context just because the tab happens to be open in the editor unless I remember to explicitly remove it from the session prompt. This creates a significant security risk by exposing files the user explicitly wanted hidden, alongside unnecessary token drain and context poisoning (by including an unrelated file).
This is extremely irritating because files are constantly being included accidentally and also raises significant security concerns.
What Should Happen?
- The extension must respect .claudeignore and settings.json deny rules across all context injection paths, not just direct tool calls.
- To prevent context poisoning, there must be a persistent setting to disable auto-attachment entirely (e.g., claude-code.autoAttachContext: false), making IDE file inclusion an opt-in feature rather than forced opt-out.
Error Messages/Logs
N/A: This is a logic bypass and data leak bug rather than an application crash.
Steps to Reproduce
- Add a sensitive file to .claudeignore (e.g., secrets.txt).
- Add a deny rule for the same file in .claude/settings.json.
- Open secrets.txt so it is the active tab in VS Code.
- Submit any prompt to the Claude Code VS Code sidebar chat.
- Observe that the contents of secrets.txt are injected into the prompt context, completely bypassing both the ignore and deny rules.
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.118
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Other
Additional Information
I am opening this as a bug report because the original thread tracking this behaviour (#24726) was submitted with a [FEATURE] prefix and subsequently labelled as an enhancement. Because of that classification, it appears to have fallen off the triage radar. However, actively bypassing explicitly defined .claudeignore rules is not a missing feature; it is an active bug with severe security and privacy implications that needs urgent review.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗