Harness file-modification system-reminder leaks file contents -- upstream fix proposal

Date: 2026-05-28 Owner: Bourne / David (escalate to Anthropic Claude Code maintainers) Status: PROPOSAL -- ready for upstream filing

Observed behavior

Claude Code's harness fires a <system-reminder> injection into the conversation transcript whenever it detects that a tracked file has been modified -- either by the assistant (Write/Edit) or external party (user, linter, sub-agent). The reminder contains:

• File path
• Boilerplate sentence noting the change is intentional
• Full contents of the file up to a high truncation threshold (~190 lines observed)

For most files this is great (model gets fresh context on edits). For files containing plaintext secrets, it's a leak surface.

Tonight's leak events

Event 1: Assistant Edit on .env

Goal: add comment block above CLOUDFLARE_API_TOKEN= documenting required scopes. Edit landed at line ~273. Harness then dumped lines 1-168 of .env, exposing 8 high-value secrets: DATABASE_URL, SECRET_KEY, GOOGLE_CLIENT_SECRET, ANTHROPIC_API_KEY, ANTHROPIC_ADMIN_KEY, TIINGO_API_KEY, FRED_API_KEY, DAVID_BYRNE_SMTP_PASS.

Event 2: User modification of .env.rotation_2026_05_28

Recovery path: create gitignored paste-board file for new tokens. User pasted. Within seconds, harness fired modification reminder dumping the FULL file -- 8 freshly-minted tokens in the transcript.

Net: 2 leak events, ~16 distinct secret exposures, forced a 13-secret rotation cycle in one session.

Why existing mitigations were insufficient

After Event 1, memory hook saved: "never Edit .env directly; use docs/*.md". Prevented future .env edits. Did NOT prevent Event 2 because:

• Paste-board was a NEW file with different name (.env.rotation_2026_05_28)
• User modification (not assistant) still triggers the dump
• .env* glob matches secrets-likely file convention universally

The current behavior is a STRUCTURAL leak surface for ANY session touching secrets.

Proposed mitigation (3 options, ranked)

Option 1 (highest leverage): Content redaction for known-secret patterns

When the harness emits file-modification system-reminder, check file path against pattern list:

• .env, .env.*, .env*.local, .env*.production
• secrets/, credentials/
• *_secret.py, *_secrets.py
• *.pem, *.key, *.crt, *.pfx, *.p12, *.jks
• gcloud-credentials*.json, *service-account*.json, *-credentials.json

If matched: include file PATH + DIFF SUMMARY (line count delta, lines-added/lines-removed) but NOT contents. Summary is enough for model to know "user updated 3 lines in .env" without leaking values.

Option 2: User-configurable redaction list

In .claude/settings.json or per-project .claude/redaction.json, user declares files/patterns that should NEVER appear in file-modification reminders.

Pros: zero hardcoded patterns; user controls. Cons: requires user to anticipate; misconfiguration = leak.

Option 3: Opt-IN file-modification reminders

Flip default to opt-IN. Solves secrets case but loses model fresh-context benefit. Too aggressive; Option 1 is better.

Recommendation

Option 1 with sane defaults. Conservative patterns matching >90% probability of containing secrets. Files in those patterns get diff-only summaries; everything else keeps existing behavior.

Operational practice today (until upstream lands)

• NEVER create paste-board files for secrets. Use STDIN-only handoff via scripts/_rotate_via_stdin.py (the safe pattern -- getpass.getpass(), values never touch disk).
• NEVER Edit/Read/Grep .env from assistant context.
• All env-var setup docs go to docs/*.md.

Action

Escalate via GitHub issue at github.com/anthropics/claude-code/issues. Bourne/David coordinates filing + tracks the fix.

Cross-references

• memory/feedback_never_echo_secrets_in_chat_2026_05_27.md
• memory/feedback_no_env_edits_use_docs_2026_05_28.md
• memory/feedback_no_paste_board_files_2026_05_28.md
• memory/project_harness_file_modification_leak_2026_05_28.md (session memo)
• scripts/_rotate_via_stdin.py (safe-pattern reference)
• docs/SECRET_ROTATION_RUNBOOK.md