Add setting to disable IDE "user opened file" context injection
Problem
When Claude Code runs inside a VS Code-family IDE (VS Code, Cursor) with the
Claude Code extension installed, every turn includes a system-reminder like:
The user opened the file /path/to/file.md in the IDE. This may or may not be related to the current task.
This is on by default and has no documented opt-out short of uninstalling the
extension entirely. Two concrete failure modes from real usage:
1. Sensitive-file leakage
While setting up environment variables, I had .env open in a split pane in
Cursor and was chatting with Claude Code in the integrated terminal about an
unrelated task. The .env path (and on subsequent reads, its contents) was
injected into the conversation context without my consent. There is no
session-time signal that this is happening — it's a silent reminder appended
to each turn.
.env, .env.local, *.key, id_rsa, etc. are all reachable through this
path. The respectGitignore setting governs the file picker / search, but
not the IDE open-file injection.
2. Wrong-file detection in split panes
With a horizontal split (two editor groups), the injected "currently open
file" frequently does not match the file I'm actually viewing/focused on.
Example from earlier today: I was reading \docs/data-ingestion-pipeline.md\
in the active pane while \docs/experiment-system.md\ was open in the other
pane. Claude responded "Looking at experiment-system.md…" — wrong file,
wrong context, wasted turn.
This appears to be an "active editor vs. visible editors" disambiguation
bug in the extension, but the broader point is that even when the
detection works, users should be able to opt out.
Proposed solution
Add a \settings.json\ field that disables the injection globally:
\\\json\
{
"ide": {
"includeOpenFile": false
}
}
\\
Or, for symmetry with other disable-style flags already in the schema
(\disableAllHooks\, \disableRemoteControl\, \disableAgentView\):
\\\json\
{
"disableIdeContext": true
}
\\
Either should be respected in \~/.claude/settings.json\, project settings,
and \.claude/settings.local.json\.
Alternatives considered
- \
/ide\slash command — toggles per session, doesn't persist. Easy to
forget. Doesn't solve the default-on privacy posture.
- Uninstalling the extension — works, but loses every other IDE
integration feature (diagnostics passthrough, selection context, etc.)
in exchange for one bad behavior.
- Adding \
.env*\to a built-in deny pattern for IDE context — would
fix the leakage case but not the wrong-file case, and a denylist will
always lag the real sensitive-file set in a given repo.
Environment
- Claude Code: 2.1.141
- IDE: Cursor (also reproducible in VS Code with the Claude Code extension)
- OS: macOS 25.3.0
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗