[BUG] `attribution.sessionUrl` should default to `false` (opt-in)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Title
attribution.sessionUrl should default to false (opt-in), not true — default-on session links leak into public repos
Summary
Claude Code appends a Claude-Session: https://claude.ai/code/session_<id> trailer to commits by default. This link points to the full conversation that produced the commit, including any confidential content discussed in it. Since commit messages routinely end up in public git history (GitHub, public self-hosted git servers), this is a default that predictably leaks private-conversation links to the public internet — with no warning at commit time.
Confirmed suppression mechanism (already exists, defaults on)
Verified directly against the installed CLI binary (v2.1.197):
{
"attribution": {
"commit": "",
"pr": "",
"sessionUrl": false
}
}
attribution.sessionUrl— "Whether to append the claude.ai session link to commits and PRs created from web or Remote Control sessions (default: true)."- Env var equivalent:
CLAUDE_CODE_SUPPRESS_SESSION_ATTRIBUTION. - Code path: session URL is appended unless
attribution.sessionUrl === falseis explicitly set.
So the fix already exists as a toggle — this issue is asking for the default to change, not new functionality.
Real-world impact
We audited our own git history on 2026-07-12 and found a public GitHub repo (and its public self-hosted Gitea mirror) containing 17 commits with 2 distinct session IDs, exposed for several days before we caught it via manual review — not via any product warning. Remediated on our end via git filter-repo + force-push. Not asking for any action on our specific repos here — flagging because the default is the actual bug.
Related open issues (revocation gap makes the default even more important)
There is currently no working way to revoke a session once its URL is out:
- #67201 —
claude session delete <id>doesn't exist - #26904 — request for a
/deletecommand - #25304 — related session-management request
- #25249 — web UI "delete session" reportedly fails with
not_found_error
Even where local/UI deletion "succeeds," the session appears to remain resumable server-side via claude --resume <id>. Combined with a default-on public link, there is currently no way to undo an accidental exposure — which makes getting the default right upfront the only real mitigation.
Ask
- Flip
attribution.sessionUrldefault tofalse. - Consider a one-time, dismissible warning at commit time if a public remote is detected and
sessionUrlattribution is enabled, for users who do opt in. - (Tracked separately with Anthropic's DPO) A real session-revocation mechanism, since disabling future leaks doesn't address already-published links.
Happy to share the exact commits/repos affected (redacted) if useful for reproduction.
What Should Happen?
- Flip
attribution.sessionUrldefault tofalse. - Consider a one-time, dismissible warning at commit time if a public remote is detected and
sessionUrlattribution is enabled, for users who do opt in. - (Tracked separately with Anthropic's DPO) A real session-revocation mechanism, since disabling future leaks doesn't address already-published links.
Error Messages/Logs
Steps to Reproduce
Confirmed suppression mechanism (already exists, defaults on)
Verified directly against the installed CLI binary (v2.1.197):
{
"attribution": {
"commit": "",
"pr": "",
"sessionUrl": false
}
}
attribution.sessionUrl — "Whether to append the claude.ai session link to commits and PRs created from web or Remote Control sessions (default: true)."
Env var equivalent: CLAUDE_CODE_SUPPRESS_SESSION_ATTRIBUTION.
Code path: session URL is appended unless attribution.sessionUrl === false is explicitly set.
So the fix already exists as a toggle — this issue is asking for the default to change, not new functionality.
Claude Model
Not sure / Multiple models
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.197
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Xterm
Additional Information
_No response_