[Bug] Claude Code leaks private session identifier in commit messages to public repositories
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code (Opus 4.8) appended Claude-Session: https://claude.ai/code/session_<id> to every commit message, publishing a private session identifier to a public GitHub repo across 6 commits on 2026-06-20.
Source: The harness/system-prompt Bash-tool instructions instruct the model to end every commit message with Co-Authored-By and the Claude-Session: URL. Confirmed not present in the repo (CLAUDE.md, git hooks, commit.template) or user/global config — it originates solely from the injected environment instructions.
Not user-authorised. No project or user instruction requested it.
Concern: Private/identifying data published to a public artefact — unnecessary information disclosure (non-zero risk, no benefit). "Requires authentication to access" does not justify publication; data minimisation should apply by default. The session URL serves no purpose in commit history.
What Should Happen?
The default commit-message instruction should not include the session URL (at minimum, not for public repos / not without consent).
Error Messages/Logs
Steps to Reproduce
Start a claude code terminal session.
Have claude commit code.
Look at the commit history.
Claude Model
Opus (default)
Is this a regression?
Unknown, but the problem first manifested today, after weeks of use.
Last Working Version
_No response_
Claude Code Version
claude 2.1.83 (Claude Code)
Platform
Anthropic API
Operating System
Linux
Terminal/Shell
kitty
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗