[DOCS] Auto mode classifier rule that blocks tampering with session transcript files is not documented (v2.1.205)

Open 💬 0 comments Opened Jul 8, 2026 by coygeek

Documentation Type

Incorrect/outdated documentation

Documentation Location

https://code.claude.com/docs/en/permission-modes

Section/Topic

The "What the classifier blocks by default" subsection of "Eliminate permission prompts with auto mode". Specifically the trailing list of rules introduced per release — the section currently ends at the "Claude Code v2.1.203 and later also block these by default" list and has no v2.1.205 row. The version history nav at the bottom of the page also needs a v2.1.205 entry.

The cross-reference at the top of https://code.claude.com/docs/en/auto-mode-config and its claude auto-mode defaults description should be checked in the same pass, because the new rule becomes part of the built-in default block list that claude auto-mode defaults prints.

Current Documentation

From permission-modes.md lines 214-269, the "What the classifier blocks by default" subsection introduces one default-rule list and then four release-prefixed lists. The last release-prefixed list is the v2.1.203 list, which is the only mention of session transcripts on the page:

Blocked by default: Downloading and executing code, like curl | bash Sending sensitive data to external endpoints Production deploys and migrations Mass deletion on cloud storage Granting IAM or repo permissions Modifying shared infrastructure Irreversibly destroying files that existed before the session Force push {/ min-version: 2.1.203 /}Pushing to the repository's default branch ... Before v2.1.203, any direct push to the default branch was blocked {/ min-version: 2.1.182 /}git reset --hard, ... ... Claude Code v2.1.198 and later also block these by default: Deleting files in /tmp, $TMPDIR, or another shared scratch or cache directory by wildcard, glob, or age filter ... Including sensitive details in content sent, uploaded, ... Sending keystrokes to Claude Code's own tmux pane ... Claude Code v2.1.200 and later also block these by default: Commenting out, deleting, or force-passing a test or assertion that guards security behavior ... ... Opening a pull request against a different repository or organization ... Claude Code v2.1.203 and later also block these by default: Content from a sensitive local store, or from a file whose name, path, or type marks it as sensitive, entering a commit, a push, PR or issue text, a gist or paste, or a package publish, unless you named both the source and the destination. Session transcripts and conversation logs, credential and configuration dot-folders such as SSH keys, cloud credentials, browser profiles, and shell history, and user-data exports all count, and the repository being private doesn't clear it

There is no "Claude Code v2.1.205 and later also block these by default" list. No sentence on this page currently describes the classifier blocking writes, edits, deletions, truncations, or any other tampering with the on-disk session transcript files.

What's Wrong or Missing?

The v2.1.205 changelog adds a new classifier rule:

Added an auto mode rule that blocks tampering with session transcript files

That rule is not represented anywhere in the "What the classifier blocks by default" list or anywhere else in permission-modes.md. The closing paragraph at line 294 says "Run claude auto-mode defaults to see the full rule lists", which is the canonical pointer to the built-in block list, but the per-release list this paragraph summarizes omits the v2.1.205 entry entirely. A reader who runs claude auto-mode defaults against v2.1.205 will see a transcript-file rule appear without any docs entry telling them what it does, when it fires, or whether allow rules or environment entries can clear it.

A. The on-disk transcript protection is not described

The new rule targets tampering with the transcript files themselves — the ~/.claude/projects/{project}/{sessionId}/.jsonl files and the matching subagent transcripts that the rest of the docs already reference (for example [hooks.md](https://code.claude.com/docs/en/hooks) line 628 with "transcript_path": "/home/user/.claude/projects/.../transcript.jsonl", sub-agents.md line 865 with ~/.claude/projects/{project}/{sessionId}/subagents/, and data-usage.md line 54 describing the plaintext local transcripts that enable session resumption). These files are the durable record of the session, and the v2.1.205 rule prevents Claude — under auto mode — from modifying, deleting, truncating, replacing, or otherwise tampering with them. The page never says that.

B. The closest existing rule is conceptually adjacent but covers a different surface

The only other rule on the page that mentions "Session transcripts and conversation logs" is the v2.1.203 list above (line 269), which blocks content from transcript files being exfiltrated into a commit, PR body, gist, package publish, or similar outbound surface. That is a content-out rule. The v2.1.205 rule is a tamper-protection rule for the files in place at their storage location. Both rules mention transcripts, but they protect different things:

| Rule | What it stops | Where it stops it |
|------|---------------|-------------------|
| v2.1.203 | Transcript content entering a commit, push, PR or issue body, gist, paste, or package publish | Outbound to a remote surface |
| v2.1.205 (undocumented) | Modifying, deleting, truncating, replacing, or otherwise tampering with the on-disk transcript files | Local storage |

Reading the v2.1.203 list, an operator might reasonably assume transcripts are protected from everything because they are listed there. They are not — the classifier does not, on v2.1.203, prevent Claude from rewriting its own transcript file in ~/.claude/projects/.../. The new v2.1.205 rule closes that gap, and the docs should say so.

C. The "Protected paths" section has no transcript entry either

permission-modes.md lines 384-421 lists the protected directories (.git, .claude, .cargo, ...) and the protected files (.gitconfig, .mcp.json, .claude.json, ...) that route to the classifier or prompt in every mode. Session transcript files (~/.claude/projects/{project}/{sessionId}/*.jsonl) are not in either list. That is intentional — protected paths are about avoiding accidental corruption of repo state and Claude's own configuration; the transcript-protection rule is a security control against active tampering. But because both controls are described on the same page and operate on paths under ~/.claude/, an operator skim-reading the protected-path tables has no pointer to where the tamper rule lives.

Suggested Improvement

Add a v2.1.205 release-prefixed list under the existing v2.1.203 list in "What the classifier blocks by default", immediately after line 269:

{/ min-version: 2.1.205 /}Claude Code v2.1.205 and later also block these by default: * Tampering with the on-disk session transcript files — editing, overwriting, truncating, deleting, renaming, replacing, or otherwise modifying the transcript JSONL files Claude Code writes under ~/.claude/projects/{project}/{sessionId}/ (and the matching subagent transcripts under ~/.claude/projects/{project}/{sessionId}/subagents/) during the session that produced them or in any resumed session that opened them. Writes that append a new turn are not blocked; the rule targets in-place modification of recorded session history

Then, in the same pass:

  • Add a cross-reference note at the end of the "Protected paths" section (around line 421) that distinguishes protected paths (accidental corruption of repo state and Claude's own configuration) from the classifier's transcript-tamper rule (active protection of session history):

> Session transcript files are not in the protected-path table above. The classifier treats any in-place modification of ~/.claude/projects/{project}/{sessionId}/*.jsonl as a separate block under [v2.1.205](#what-the-classifier-blocks-by-default); see the What the classifier blocks by default list for the rule itself.

  • Update the closing summary paragraph at line 294 so the claude auto-mode defaults pointer mentions a v2.1.205 row:

> Run claude auto-mode defaults to see the full rule lists, including the v2.1.205 default that blocks tampering with session transcript files. If routine actions get blocked, an administrator can add trusted repos, buckets, and services via the autoMode.environment setting: see Configure auto mode.

In auto-mode-config.md, add a one-line note under the "Override the block and allow rules" section that tells operators where the v2.1.205 transcript-tamper rule appears in the built-in defaults and how it interacts with custom autoMode rule lists:

{/ min-version: 2.1.205 /}The built-in defaults include a rule that blocks tampering with session transcript files. Run claude auto-mode defaults to see the exact rule text and list placement before adding custom allow or deny rules for transcript-related paths.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/permission-modes | Primary documentation: the "What the classifier blocks by default" subsection and the "Protected paths" table both need a v2.1.205 entry; the closing claude auto-mode defaults pointer needs updating |
| https://code.claude.com/docs/en/auto-mode-config | Secondary documentation: the "Override the block and allow rules" section needs a one-line note so operators writing custom rules know where to inspect the built-in transcript-tamper default before adding transcript-related allow or deny entries |

Total scope: 2 pages affected.

Other locations to cross-check in the same pass (not new docs sites, just consistency):

  • The version-history list on https://code.claude.com/docs/en/permission-modes, if it has one analogous to agent-view.md's "Version history" table.
  • The hooks reference at https://code.claude.com/docs/en/hooks lines 607 and 628, which quote transcript_path payloads from the hook contract; the new tamper rule does not change the contract, but a short footnote that says transcripts are tamper-protected under auto mode would help hook authors who read those lines in isolation.
  • The Claude directory page at https://code.claude.com/docs/en/claude-directory, which describes ~/.claude/projects/{project}/{sessionId}/<session>.jsonl — a sentence on that page saying auto mode protects those files from in-session tampering would be consistent with the new rule.
  • The data-usage page at https://code.claude.com/docs/en/data-usage, which already describes the plaintext local transcripts and how they are redacted on feedback-share upload; a note there that the classifier blocks tampering with those files locally would be a useful reader-facing pointer.

Version marker: This changelog entry ships in v2.1.205 (July 8, 2026). The new section should use {/* min-version: 2.1.205 */} so older clients reading the docs do not see the rule in the rendered default list.

View original on GitHub ↗