claude-code - 💡(How to fix) Fix [BUG] Selection injection from `ide` MCP server has no documented suppression mechanism, leaks env file contents to conversation transport



Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

Summary

When Claude Code is active in a VS Code session and the user selects text in any open editor, the Claude Code IDE extension's built-in ide MCP server emits a <system-reminder> to the conversation context containing the file path, the selected line range, and the literal selected text.

This injection happens silently and is not configurable through any documented setting. There is no .claudeignore-style mechanism, no extension setting, no CLI flag, and no environment variable that suppresses it for sensitive files.

The practical consequence is that any user with a .env file (or any other file containing secrets) open in VS Code can leak credentials to the conversation transport by performing a routine action like selecting a line to verify its contents.

Severity

I would characterize this as a real security exposure rather than a usability bug, for the following reasons:

  1. The behavior is silent. There is no UI indication that selection contents are being transmitted, and a user reading the docs has no reasonable way to discover the behavior before it has already leaked something.
  2. The behavior is automatic. It is not gated by a tool call, an @ mention, or any explicit user action other than selecting text — which is a routine editor operation users perform constantly without thinking of it as a transmission.
  3. The data class affected (env files containing API keys, database credentials, etc.) is exactly the data class users most rely on the editor to handle privately.
  4. The class of users affected (developers using Claude Code on real projects) is the primary target audience for the product.

In my own case, this caused a real API key to be transmitted, requiring rotation of the key in question plus precautionary rotation of an unrelated key in the same file.

Investigation

I checked for any configuration that would suppress this and confirmed via the official Claude Code settings documentation at https://code.claude.com/docs/en/settings that none exists:

  • respectGitignore / respectGitIgnore — controls the @ file picker, not selection injection
  • permissions.deny with Read(./.env*) — blocks the Read tool, but the ide MCP server's selection-injection channel is separate from the Read tool
  • sandbox.filesystem.denyRead — applies to sandboxed bash, not selection injection
  • .claudeignore — does not exist

The gap appears to be undocumented and unconfigurable.

What Should Happen?

Users should be able to suppress selection injection for sensitive files.

The natural mechanism would be a .claudeignore file at the project root (or an equivalent settings.json key) that the ide MCP server consults before emitting selection reminders. Files matching the ignore patterns would have their selections silently dropped rather than injected into the conversation context.

A reasonable default ignore set could include .env, .env.*, and anything in secrets/**, with users free to extend the list. The fix needs to live specifically in the ide MCP server's selection-emission code path, not in the Read tool's permission-check path — the two channels are independent today and that independence is part of why existing permissions.deny rules don't help.

In the short term, even just documenting the selection-injection behavior clearly in the Claude Code settings docs would be a meaningful improvement. Users currently have no way to discover this behavior before it has already leaked something.

Error Messages/Logs

This bug produces no error output. The behavior is silent.

For reference, the form the unwanted `<system-reminder>` takes:

```
<system-reminder>
The user selected the lines N to M from /absolute/path/to/.env.local:
<literal selected text from the file>
This may or may not be related to the current task.
</system-reminder>
```

The selected text appears in the conversation context with no error, warning, or user-visible indication that transmission occurred.
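The following is an added reference example, not code from Claude Code or its VS Code extension. It covers two parts of this report: the `.claudeignore`-style filter proposed under "What Should Happen?" (applied in the selection-emission path, independent of the Read tool's permission checks), and a detector that scans conversation context for reminders in the format shown above whose file path matches a sensitive pattern, so a team can verify after the fact whether a selection of a secrets file was ever injected. The function names, the simplified gitignore semantics (a pattern without `/` matches the basename anywhere; `dir/**` matches everything under `dir`), the default pattern list (taken from the report's suggested set) and the sample context are all assumptions constructed for the example.

```python
"""Reference filter and detector for IDE selection reminders.

Added example, not Claude Code's own code. Pattern semantics, function names
and sample data are assumptions constructed for illustration.
"""
import fnmatch
import re
from pathlib import PurePosixPath

# Assumed default ignore set, from the report's "What Should Happen?" section.
DEFAULT_IGNORE = [".env", ".env.*", "secrets/**"]


def _matches(pattern, rel_path):
    # Simplified gitignore semantics (assumption): a pattern without '/'
    # matches the basename anywhere in the tree; 'dir/**' matches anything
    # below dir; any other pattern with '/' matches the root-relative path.
    if "/" not in pattern:
        return fnmatch.fnmatchcase(PurePosixPath(rel_path).name, pattern)
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return rel_path == prefix or rel_path.startswith(prefix + "/")
    return fnmatch.fnmatchcase(rel_path, pattern)


def load_ignore_patterns(text):
    """Parse a .claudeignore-style file: one pattern per line, '#' comments."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def should_suppress(abs_path, project_root, patterns=DEFAULT_IGNORE):
    """True when a selection in abs_path must be dropped instead of emitted."""
    path = PurePosixPath(abs_path)
    try:
        rel = path.relative_to(PurePosixPath(project_root)).as_posix()
    except ValueError:
        # File outside the project root: fall back to basename matching.
        rel = path.name
    return any(_matches(p, rel) for p in patterns)


def emit_selection_reminder(abs_path, start, end, text, project_root,
                            patterns=DEFAULT_IGNORE):
    """Build the reminder in the form the report shows, or None if suppressed.

    This is the emission-path check the report asks for: the decision is made
    before anything reaches the conversation transport.
    """
    if should_suppress(abs_path, project_root, patterns):
        return None
    return ("<system-reminder>\n"
            f"The user selected the lines {start} to {end} from {abs_path}:\n"
            f"{text}\n"
            "This may or may not be related to the current task.\n"
            "</system-reminder>")


# Matches the reminder format quoted in the report.
REMINDER_RE = re.compile(
    r"<system-reminder>\s*"
    r"The user selected the lines (\d+) to (\d+) from ([^:\n]+):\n"
    r"(.*?)\n"
    r"This may or may not be related to the current task\.\s*"
    r"</system-reminder>",
    re.DOTALL,
)


def find_leaked_selections(context, project_root, patterns=DEFAULT_IGNORE):
    """Detection: return (path, start, end) for every selection reminder in
    the context whose file path matches a sensitive pattern."""
    hits = []
    for m in REMINDER_RE.finditer(context):
        start, end, path, _body = m.groups()
        if should_suppress(path, project_root, patterns):
            hits.append((path, int(start), int(end)))
    return hits


# Constructed sample context: one reminder from an env file, one from source.
SAMPLE_CONTEXT = (
    "hello\n"
    "<system-reminder>\n"
    "The user selected the lines 3 to 3 from /home/dev/app/.env.local:\n"
    "API_KEY=dummy-value-for-testing\n"
    "This may or may not be related to the current task.\n"
    "</system-reminder>\n"
    "<system-reminder>\n"
    "The user selected the lines 10 to 12 from /home/dev/app/src/main.py:\n"
    "def main():\n    pass\n"
    "This may or may not be related to the current task.\n"
    "</system-reminder>\n"
)

if __name__ == "__main__":
    print(find_leaked_selections(SAMPLE_CONTEXT, "/home/dev/app"))
    print(emit_selection_reminder("/home/dev/app/.env", 1, 1, "X=1", "/home/dev/app"))
```

Run on the constructed context, the detector reports only the `.env.local` reminder, and `emit_selection_reminder` returns `None` for any path the pattern list covers while still producing the normal reminder for `src/main.py`. The basename rule means `.env.*` also catches `config/.env.production`, but not `environment.py`, which is the distinction a default list has to get right.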

Steps to Reproduce

  1. Use Claude Code via the VS Code extension on a project that includes a .env or .env.local file containing real values (use a throwaway value for testing, not a production secret).
  2. In VS Code, open the env file in an editor tab so it has focus.
  3. Select one or more lines containing a value.
  4. Send any message to Claude Code in the same session (e.g., "hello").
  5. Observe that Claude Code's incoming context includes a `<system-reminder>` containing the file path, the line range, and the literal selected text.

The selection was sufficient to transmit the file contents. The user took no explicit action to share the file — no @ mention, no tool invocation, no copy/paste. Selection alone triggered the injection.

This is reproducible 100% of the time on any project with the Claude Code VS Code extension active.

For testing, please use a dummy value rather than a real credential. The whole point of this bug report is that even brief exposure of a real value through this channel is a meaningful security event.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

2.1.142 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

No response
